[HN Gopher] Dark patterns after the GDPR: consent pop-ups and th...
___________________________________________________________________
Dark patterns after the GDPR: consent pop-ups and their influence

Author : DyslexicAtheist
Score  : 111 points
Date   : 2021-03-05 16:44 UTC (6 hours ago)

(HTM) web link (dl.acm.org)
(TXT) w3m dump (dl.acm.org)

| glsdfgkjsklfj wrote:
| permanent fix: learn to use your uBlock-Origin quick element picker.
|
| Every time you open a site and it shows a popup for picking your cookies, just open uBlockOrigin from your browser toolbar, click the quick element picker (eye dropper icon), click the popup.
|
| Done. Now you will never see the popup for that site (even if you do not save cookies, or clear your cookies), and you are technically guaranteed to not accept any non-essential cookies ever (if they follow spec)
|
| K0nserv wrote:
| This is the PDF: https://arxiv.org/pdf/2001.02479.pdf I couldn't understand how to find it on the linked site. Maybe the submission URL should be changed?
|
| angrais wrote:
| If you click "Get Access" you'll be asked to log into a university account or such
|
| Bakary wrote:
| Who came up with the term dark patterns? It's psychological manipulation and fraud, pure and simple
|
| hnuser123456 wrote:
| Because there are shades of gray
|
| Bakary wrote:
| There's a spectrum of gray in the effect and scale of the manipulation, but deciding to manipulate the user or not is a binary choice.
|
| SpicyLemonZest wrote:
| Is it? It's comforting to think so, but I'm not convinced there's a meaningful dichotomy that can be drawn. I add a "save this card" functionality to my store so users don't have to type it in every time they buy something: am I offering a neat convenience feature, or am I manipulating them by reducing the psychological barrier of a sale?
|
| Bakary wrote:
| >Is it? It's comforting to think so, but I'm not convinced there's a meaningful dichotomy that can be drawn.
| I rework my store's checkout workflow, making it simpler so users only have to click a couple buttons to buy a product: am I making their lives easier, or am I manipulating them by reducing the psychological barrier of a sale?
|
| "making their lives easier" implies that the purchase is the default outcome that the user needs to improve their lives, when the purchase could simply not be made at all. As long as the intention is to make more money, and that the effort expended does not improve the nature of what is purchased in some way, I'd say it technically qualifies even if the consequences are the lightest of grays.
|
| That said, your example is thoughtful, and you are probably right overall. We could look at the broader context of all these systems encouraging consumption, but that would be moving the goalposts on my part.
|
| edit: just to clarify an edit took place while I was replying
|
| SilasX wrote:
| So "dark pattern" is a dark pattern?
|
| slabity wrote:
| > Who came up with the term dark patterns?
|
| Harry Brignull
|
| https://en.wikipedia.org/wiki/Dark_pattern
|
| s_dev wrote:
| Would you consider the fact that bread and fruit and veg are always at the start of a supermarket journey a dark pattern?
|
| Supermarkets have gotten customers to spend more than they intended with all their patterns as well -- just like social media sites get customers to spend more time online. It's just what they optimise for. The concept is much older than the coined word.
|
| ben509 wrote:
| Most of a supermarket's layout is determined by hard requirements like refrigeration, stocking heavy items and handling payments.
|
| If you're wondering why, for instance, the milk is in the back, it's because it needs to stay cool and it's heavy.
|
| Silhouette wrote:
| _Most of a supermarket's layout is determined by hard requirements like refrigeration, stocking heavy items and handling payments._
|
| That hasn't been generally true for a long time. The big chains spend a fortune deciding how their stores should be presented and optimising the layout of different products, and there is a lot of sophisticated analysis going on behind the scenes. There are certainly recurring themes in the results, but for example there are several major stores near me that have totally different layouts in many respects including all of the ones you mentioned, and it would be surprising if any of those differences was an accident. The stores don't run all those loyalty card schemes, nor rearrange their products from time to time, just for fun!
|
| perl4ever wrote:
| The whole concept of the placement of the milk being suspicious and _needing_ an explanation never made sense to me. Why would they or should they optimize for people who go to the supermarket just to buy milk? It makes perfect sense to me from the point of view of _usually buying more than one thing per trip_.
|
| If in a "normal" grocery store trip you go through most of the store then _of course_ you want to get refrigerated and frozen foods last, just before you go to the checkout. So they don't warm up too much.
|
| By the way, frozen stuff is _not_ all on the perimeter in my experience of US supermarkets. It's funny how something can be so mundane and everyday you never really look at it.
|
| Bakary wrote:
| >Would you consider the fact that bread and fruit and veg are always at the start of a supermarket journey a dark pattern?
|
| No, because the term seems superfluous or euphemistical to me. But yes in the sense that it is psychological manipulation.
|
| Is an entity intentionally deceiving or manipulating the customer/user/etc. using their understanding of psychology?
| Psychological manipulation
|
| >The concept is much older than the coined word
|
| Indeed, we already have a name for it as I've been trying to say!
|
| Semaphor wrote:
| but they aren't? Fruit and veggies are first for our (Germany) two largest chains, bread isn't second for either. Aldi has neither at the beginning.
|
| maweki wrote:
| Highly depends on the Aldi. Mine does indeed start with bread but has Veg at the end of the first aisle across the refrigerated goods. I would guess that the position of the bread depends on the infrastructure, specifically where the baking station can be built.
|
| kspacewalk2 wrote:
| Your comment lacks any explanation at all. Why is the term 'dark patterns' 'psychological manipulation and fraud'?
|
| Bakary wrote:
| Every time I see the term 'dark pattern', it's always a case of one or the other, with the delineation into fraud varying depending on the relevant laws. In this case, they mention how websites skirt the minimum GDPR requirements and trick the users to do what they want, so it looks to be both.
|
| The term is in the best case superfluous, in the worst case a harmful euphemism.
|
| hinkley wrote:
| Your top level post reads as if people who use 'dark patterns' as a term have an agenda, and that agenda is fraud and psychological manipulation.
|
| Bakary wrote:
| I don't think everyone who uses that term has an agenda. I'm sure most have good intentions, or just are naturally attracted to new buzzwords. It just so happens the term does play into the agenda of those who have one and who manipulate others psychologically in this way.
|
| The whole topic is a sensitive one. I'm sure a sizeable number here on HN derive some direct or indirect profit from such practices (running, being employed in or having stock in a company that does this sort of thing, especially FAANGs) while also having some dissonant misgivings about how the internet and technology is evolving.
| Terms like 'dark patterns' only serve to deepen this confusion and create additional moral distance between such tech workers and the consequences of their work, even if they are not necessarily intended to be nefarious: therefore, we ought to discourage it whenever possible.
|
| Of course, in the grand scheme of things, none of what I say here will actually have an effect on any of this, but it's fun to discuss these topics all the same.
|
| In any case, I don't see how any of this can be inferred from that single original sentence, but I'll take your word for it.
|
| hinkley wrote:
| I think if someone puts the pauses at different spots than you, the grammar changes substantially. Reading your replies I figured it out, but it reads like not everyone caught that so I thought it might help you sort out some of the reactions you're getting.
|
| Bakary wrote:
| As a non-native speaker, I appreciate the feedback. I have yet to master the intricacies of this language :)
|
| harrybr wrote:
| The term "dark pattern" refers to user interface design patterns. That's where the "pattern" bit comes from. There was already a term for anti-pattern which referred to mistakes. I wanted a term that had a Machiavellian tone to it, so I chose "dark" (Star Wars, Harry Potter, why not?).
|
| I'm not quite sure why this term proved to be so popular. I think it is helpful to have a term that is a little vague though, as it can be a lot of work to pin down whether something is truly deceptive with an outcome of harm - or just an annoying attempt to nudge.
|
| Bakary wrote:
| Thanks for letting me know. Looking through the thread again after my initial off-the-cuff reaction, I'm starting to think that I may be reading too much into the term due to my own biases and assigning interpretations to people that they might not have. There's certainly more to say on this topic.
|
| >I'm not quite sure why this term proved to be so popular.
|
| Well, it does sound cool and memorable on its own...
|
| perl4ever wrote:
| I read it as primarily saying that the _thing which 'dark patterns' refers to_ is more plainly called "fraud and psychological manipulation", not so much that merely _using 'dark patterns' as a euphemism_ is itself "fraud...etc." Suspicious perhaps, but as an indirect second-order thing.
|
| It can be seen as ambiguous, but a lot of language relies on assumptions about what a reasonable person would be thinking. Which causes trouble if you're trying to express a contrary or startling opinion.
|
| diffeomorphism wrote:
| That is not what the sentence says at all. It simply says that "dark pattern" is a euphemism/harmless wording for what is done.
|
| rapnie wrote:
| Another alternative proposed to IETF inclusive terminology draft is 'deception pattern'.
|
| https://github.com/ietf/terminology
|
| Bakary wrote:
| I can't say I completely agree with the philosophical outlook behind this list, but this specific term you cite seems like a clear improvement
|
| dominotw wrote:
| > fraud
|
| then take them to court and make a killing.
|
| Bakary wrote:
| I sincerely doubt that much financial reward will come for any random individual doing this to any randomly selected website in that sample that does not meet the GDPR requirements.
|
| On one hand, you've technically got the right idea that I ought to put some skin in the game. On the other, it's a reasoning meant to shut down criticism on the same level as the infamous "yet you participate in society, curious!" comic
|
| dominotw wrote:
| > I sincerely doubt that much financial reward will come for any random individual doing this to any randomly selected website in that sample that does not meet the GDPR requirements.
|
| Then what's the point of GDPR if it's not worth taking them to court. Is the idea that only govt can bring them to justice?
|
| Bakary wrote:
| This topic is above my paygrade since I lack the relevant legal knowledge. But some things I've noted so far:
|
| - GDPR shone a light on these practices that is visible to the casual user. This highlights some examples of long term counter-productive thinking: people blaming GDPR for showing those practices instead of the practices themselves. A symptom of the messed up ways in which all this has been developed over the years
|
| - Even single governments alone aren't enough in some cases (see France's measly series of fines against Google that probably evoked laughter in the boardroom)
|
| - As a user, the prospect of being able to download my data from FAANGs seemed so miraculous and unrealistic at first that it made me realize how complacent I had gotten to unequal practices and to these websites and companies just doing whatever they wanted whenever they wanted. That specific point alone is worth the entirety of GDPR to me
|
| - Baby steps. GDPR is already a step in the right direction, they are still figuring these things out (especially enforcement) whereas the private sector has decades of experience in anti-user practices, honed by some of the finest minds. The next step is to get a better share of the deal for Europeans as a whole.
|
| Silhouette wrote:
| _Is the idea that only govt can bring them to justice?_
|
| Mostly, yes. The main enforcement authority is the government regulator in each member state (and the UK, which retains the system post-Brexit).
|
| shadowgovt wrote:
| Precisely why the new term was devised: dark patterns are not, in general, _technically_ fraud.
|
| They are playing completely within the rules but taking advantage of human psychology to tilt the outcome in the direction the website owner wants (and, it is assumed, against what the average user wants).
|
| neltnerb wrote:
| Well, an interpretation of the rules that their lawyers said was at least justifiable enough to make a legal argument out of. It's hard to write rules when the readers are incentivized strongly to use any ambiguity as a weak spot to attack and use as a workaround rather than following intent.
|
| Following intent isn't a good legal framework either, of course, better to make the people with legal training work hard to write them correctly once rather than making them complicated to interpret.
|
| nickt wrote:
| Slightly OT, but for anyone using Safari "Hush Nag Blocker" is highly recommended.
|
| https://apps.apple.com/us/app/hush-nag-blocker/id1544743900
|
| Causality1 wrote:
| As someone who's blocked cookies and ads for years, the result of the GDPR has been a parade of unblocked pop-ups. Frankly I liked it better when pop-ups had naked women in them.
|
| ddddfdohvsyknn wrote:
| These regulations seem worse than nothing. We already have browsers, we can block and filter cookies based on our individual preference and adjust depending on our tolerance for privacy vs functionality. How has this changed the data collection practices of Facebook or Google in any meaningful way? Not enough people are asking what effect the many new regulatory burdens will have for the internet. It entrenches the existing players (know who has the money to hire 20 compliance officers for every Tuscan villa?) and makes the barrier to entry to compete more difficult. Plenty of proto facebooks have fallen by the wayside. Remember AOL? Remember Myspace? Now the big players have a hand in writing the law that potential competitors will have to comply with.
|
| [deleted]
|
| planb wrote:
| Why is this downvoted? This is exactly what happened.
| Speaking with non tech savvy users here in Germany, they feel safe and secure on Facebook and fear the "world wide west" that the open Web has become, where you need to click 20 consent messages on every website without knowing what all that stuff means. This is just like EULAs - one more annoying thing they simply accept with a slightly bad gut feeling.
|
| Thlom wrote:
| One thing I don't understand is why in the good lord's name do I have to consent to being tracked every day when I have already agreed to the goddamn cookie jar? Often several times per day as well!
|
| bombcar wrote:
| On iPhone at least Safari seems to throw away cookies with wild abandon resulting in the stupid popups continually popping up.
|
| xtracto wrote:
| I think the GDPR and other sites would have better results if they approached these in a similar manner as how the "nutrition warning labels" are done in Mexico ( https://mexiconewsdaily.com/news/new-warning-labels-now-requ... ):
|
| Make it so every page that contains a tracking element MUST permanently display a large-ish (say, 1% of the screen for each) seal/label indicating that it is tracking you (like ESRB labels). That way, websites will be pushed to remove the tracking elements so that they can remove the offending banners.
|
| okamiueru wrote:
| I for one welcome it. If a website has this popup, and it doesn't default to disabled tracking, and there are "legitimate interest" bullshit that cannot be turned off, I close down the website. I even uninstall apps (chess.com, here's looking at you).
|
| Just because websites purposefully give a terrible UX in an effort to circumvent the law does not mean the law is wrong. It's the implementation.
|
| unix_fan wrote:
| I feel like this is a point the HN crowd likes to ignore when it calls for governments to regulate certain aspects of tech. Do regulations like this really protect consumers, or just make their experience worse?
|
| PurpleFoxy wrote:
| The GDPR added a data export feature to many websites. I have used it so much. I think the pressure is being felt by companies. Otherwise walled off platforms like apple are starting to open up.
|
| Nextgrid wrote:
| The GDPR covers more than cookies though. The GDPR regulates data collection and processing regardless of which technical means are used to do so. Disabling cookies in-browser doesn't change anything when it comes to tracking IP addresses or browser fingerprinting.
|
| macinjosh wrote:
| GDPR is a textbook example of how government intervention in our business never ends in the way the technocrats desire/promise. It simply makes things more convoluted and difficult for everyone including those they claim to be protecting.
|
| slacktide wrote:
| GDPR consent buttons and statements are as worthless as the California Proposition 65 cancer warning that gets slapped on every consumer product. Any plugins to strip them out or automatically consent?
|
| ericra wrote:
| ublock origin takes care of most of them. You will want to go to settings > filters and make sure that you have EasyList, EasyPrivacy, and EasyCookie all enabled. I would also recommend Fanboy's Annoyances filter list enabled, as it contains quite a few nice cosmetic filters to block out similar annoying web elements.
|
| bombcar wrote:
| Thank you for this! In Chrome it was "right click on UO shield, Options -> Filters, expand and find the ones mentioned."
|
| Zak wrote:
| Yes: I don't care about cookies
|
| https://www.i-dont-care-about-cookies.eu/
|
| ganzuul wrote:
| An Android version would be great. The mobile web is becoming harder and harder to use.
|
| Zak wrote:
| You can use it on Android with Kiwi Browser, a Chromium derivative. It used to work with Firefox, but it looks like Firefox _still_ hasn't un-broken extensions on Android.
|
| tobasq wrote:
| Looking at the source code suggests that Kiwi is based on Chromium 77.
| A shame; it's a great idea. We need a mobile browser with extensions.
|
| Zak wrote:
| I suppose that's getting a bit dated, but I'd have to be actively experiencing _significant_ breakage to give up extensions for a browser update. I am not.
|
| Nextgrid wrote:
| It's different from the Prop 65 warnings. Unlike those, the GDPR explicitly bans annoying/misleading consent prompts. Merely disclosing tracking isn't enough to comply, consent needs to be:
|
| * explicitly opt-in, so no action from the user means they shouldn't be tracked - pre-ticked checkboxes are not allowed
|
| * it should be as easy to opt-in as to opt-out, so approaches like a big "accept tracking" button but a "learn more" or putting the deny option in the fine print isn't allowed
|
| * needs to be "informed consent", so the user should be made fully aware of what data will be collected and how it will be used
|
| * needs to be granular, so the user should be allowed to decide what data to provide and for what purpose
|
| * optional - you are not allowed to deny/degrade the service if the user does not consent to tracking
|
| The problem is that the GDPR is not being enforced properly. The annoyances you are facing would not be a thing if the law was enforced. It explicitly learned from the earlier "cookie law" which merely enforced disclosure and led to stupid & useless cookie banners with no easy way for the user to actually act on them.
|
| mLuby wrote:
| Whether something is "legal" is a fuzzy computation that runs in the minds of average citizens on a jury, though it's more commonly simulated by judges and lawyers. The text is not absolute.
|
| So what if an accept-only contract (like a ToS, EULA, or consent pop-up) did what average users _think_ they agreed to, regardless of what the text says?
|
| This would shift the _burden of understanding_ from the user, where it currently lies, to the company.
| If it's essential to a company's business model that users agree to something complex that most users don't understand, the company will just have to help the users understand, deploying all those marketing and UX patterns they've perfected over the years to do so.
|
| (Yes I know this isn't how contracts currently work; it's just a harmless little thought experiment.)
|
| Silhouette wrote:
| FWIW, legal systems are sometimes closer to what you're describing there than you might realise. Obviously this varies with jurisdiction, but contracts of adhesion often do carry less weight in the event of litigation, for example automatically giving any benefit of the doubt to the party that didn't write the contract. Often there are relevant consumer protection rules as well, for example a general requirement that the terms of any B2C agreement must be reasonable or they will be unenforceable. More generally still, contract law is usually based on the basic idea of a meeting of minds, with an implication that all parties understand the contract they are entering into.
|
| When we drew up the Ts & Cs for my first business that was selling online, we took advice from a lawyer who specialised in this kind of work, and one of the first points they made was that if there was anything at all surprising or unusual in what we wanted for our terms, it should be emphasized prominently and early, not buried in small print at the back, for exactly the kind of reasons above.
|
| I once saw an anecdote (possibly apocryphal, I don't know) about a consumer rights lawyer who said they never bothered reading the small print in these situations.
| When someone expressed surprise that even a lawyer wouldn't check what they were signing up to, they replied that either the terms offered would be reasonable, in which case the lawyer would have no problem with them, or they wouldn't, in which case the unreasonable aspects would be unenforceable anyway.
|
| pixelpoet wrote:
| What absolutely infuriates me is this "legitimate interest" crap that is almost always hidden away, and often you have to scroll through literally hundreds of opt-outs with no way to disable them all in a single click.
|
| If I'm so damn "legitimately interested", why is it on by default and basically impossible to turn off? Find me _one person on this earth_ who is legitimately interested in being tracked by marketing companies who sell their information on to whatever giant collections. This should be illegal.
|
| simpss wrote:
| It's usually a good hint that it really isn't a legitimate interest case if they allow you to turn it off.
|
| A legitimate interest does not require an opt in (or an opt out). Consent does. If the page mixes those two up they're either clueless or trying to walk in the gray area and don't really understand (or don't want to understand) what either of those terms mean.
|
| secondcoming wrote:
| Legitimate Interest has a legal definition as a Legal Basis. It's a list of Purposes and Special Features that a Vendor declares to the IAB that they claim to need [0]. A User absolutely has the right to Object to Consent and Legitimate Interest.
|
| Any CMP that does not allow you to opt-out is on shaky GDPR legal ground.
|
| [0] https://vendor-list.consensu.org/v2/vendor-list.json (see 'vendors' object)
|
| MaxBarraclough wrote:
| As the paper states, the GDPR is comically unenforced. I doubt these 'legitimate interest' cookies are compliant with the law. In practical terms, they don't need to be. Nothing happens to websites that break the rules.
|
| > _The processing must be necessary._
|
| https://ico.org.uk/for-organisations/guide-to-data-protectio...
|
| detaro wrote:
| While I agree it's often bullshit, "legitimate interest" is not trying to argue it to be your interest, but the site's.
|
| xg15 wrote:
| "legitimate interest" is a legal term with specific definitions in the GDPR. (And indeed it refers to the interest of the _site_, not yours)
|
| IANAL, but as I understand, it refers to data collection that is _inherently_ needed to perform a service.
|
| E.g., a pizza delivery service has a _legitimate interest_ to know the address of the place where it should deliver the pizza to - because, well, otherwise they can't deliver the pizza.
|
| In such a case, the GDPR wouldn't require the pizza place to get consent. (the GDPR requires that a service is performed even if consent is denied, so without the legitimate interest exception, the pizza place could end up in a legal catch-22 if someone ordered a pizza but denied consent to collect the address.)
|
| The basic idea seems perfectly reasonable to me, but of course sites always tried to stretch the "legitimate interest" definition as wide as they could get away with, and this seems to be the latest iteration of that.
|
| I have no idea where the latest fad of claiming all kinds of ridiculous things as legitimate interest as long as there is an "object" button comes from, but I imagine there was some court case that decided this was borderline legal. If anyone else knows more about this, I'd really like to know as well.
|
| But at least I think this is why many consent popups ask the exact same questions twice, once as "consent", off by default and once as "legitimate interest", on by default: They are simply trying their luck on two separate legal avenues. (Not that this would make any sense from a UX point of view or from the intent of the law.
| But I guess it does make sense from a "scummy lawyer" point of view)
|
| MereInterest wrote:
| Interesting that this site itself may use one of the described dark patterns. The banner on the main page has options "Got it" and "Learn more". There is no indication as to whether the "Got it" button is taken as consent for tracking, nor is there a "Reject all non-essential tracking" option on the main banner.
|
| Whether or not this site is compliant depends on whether the "Got it" button is taken as affirmative consent for non-essential tracking or not.
|
| sandgiant wrote:
| This is just a regular journal page. Not surprised they're tracking their users. A better place to link would probably have been the arXiv: https://arxiv.org/abs/2001.02479v1.
|
| ectopod wrote:
| The best way to let a site know that you don't want tracking cookies is to disable cookies. Most sites work fine. This one redirects you to:
|
| https://dl.acm.org/action/cookieAbsent
|
| [deleted]
|
| danShumway wrote:
| The site itself completely stops working if cookies are disabled, it just forwards me to a "cookie absent" error page.
|
| Their privacy policy says:
|
| > Other than in the restricted-access portions of the Web Site that require an ACM Web Account, ACM does not log the identity of visitors. However, we may keep access logs, for example containing a visitor's IP address and search queries. We may analyze log files periodically to help maintain and improve our Web Site and enforce our online service polices. ACM only uses analytical cookies and does not use any user-specific targeting cookies.
|
| > A cookie is a small file of letter and numbers that is placed on your device. Cookies are only set by ACM when you visit restricted portions of our Web Site and help us to provide you with an enhanced user experience. Raw log files are treated as confidential.
|
| So... not sure why a public portion of their website straight-up won't load without them.
| They're clearly not only checking/setting cookies on certain pages, otherwise they wouldn't know that my cookies were disabled.
|
| shadowgovt wrote:
| It took some digging, but if you go to https://www.acm.org/privacy-policy, the "this website uses cookies" banner at the bottom includes a selector to choose which ones are used, and "necessary" is auto-selected. Expanding the "Show details" panel along the selector shows which cookies are considered necessary, and it looks like it's part of their Cloudflare attack protection system (__cfduid), their load balancing schema (AWSALBCORS), the cookie storing the status of your cookie consent (hah, ironic) (CookieConsent). But then there are some that _I_ wouldn't personally consider necessary, such as two Bloomberg-vended cookies that appear to mirror the consent information to Bloomberg's servers, a Swiftype tracking pixel, a YouTube cookie to estimate the user's bandwidth for optimizing video loading, and some suspiciously-opaque BACKEND and sessionState cookies.
|
| In general, it's unfortunate their page doesn't degrade gracefully if cookies are disabled (though that's not always possible; for example, you can't assume that traffic Cloudflare can't analyze for trust is trusted... but those BACKEND and sessionState cookies being mandatory feels lazy).
|
| 1vuio0pswjnm7 wrote:
| "Interesting that this site itself may use one of the described patterns."
|
| Is it really interesting, though. For example, we have seen this as a very common retort in HN comments every time an author is critical of advertising, tracking/analytics, etc. Someone points out the author's site itself uses the thing being critiqued.
|
| Is that supposed to detract from the argument being made by the author. That does not make much sense.
|
| It is a bit like another common retort we see in discussing tech company behaviour: "But everyone else is doing it." Does that make it OK.
| Or one we see when discussing regulatory action: "They should be focusing on X not Y." Don't look here, look over there.
|
| I am highly skeptical of comments that try to leverage these tactics. The message is what it is. Whether or not it is valid does not depend on who is voicing it, where it appears, or what's going on somewhere else. This is pure misdirection.
|
| This paper might be a worthwhile read. It makes little sense to pre-judge it before reading, simply because it appears on ACM's website, and ACM's website developers try to get users to enable cookies. What if the paper is re-posted on a site with no Javascript and that does not try to set cookies. Does the content of the paper then become "legitimate". Why or why not.
|
| It is easy to retrieve this paper without using cookies, from another site. For example,
|
| https://web.archive.org/web/20210305175101/https://dl.acm.or...
|
| PDF: https://web.archive.org/web/20200701025846if_/https://dl.acm...
|
| Not trying to single out this one comment. It's fine. The paper is not really arguing for or against banners and other notice and consent mechanisms, just studying their use. I cannot even see the banner because I use a text-only browser.
|
| The most interesting paragraph in the paper IMO is the last one. They ask why the client, e.g., through browser settings, cannot be in control of the legal consent mechanism. What if clients were to send an additional HTTP header to indicate whether or not the user consents to cookies. For example, Allow-Cookies: no.
|
| The online advertising companies have apparently fought against this, e.g., the DNT header. If you enable DNT in one popular browser deployed by an advertising company you get this ridiculous warning message. Why the heck is it a big deal if the user controls the headers sent and the server has to honour them.
When you read RFCs about www development they always make | it sound like clients and servers are on equal footing. The | reality is quite different. These companies want to control how | a user "consents". | yholio wrote: | The whole landscape of tracking and user consent is such a | clusterfuck that I can't even bother anymore to care about | cookies. | | I use Brave in private mode (analogue with incognito in Chrome) | and have a GDPR consent killer extension. It's annoying that some | sites (ex. Youtube) pester you to login or signup on first visit | but there are definitely less than the GDPR consent spam. I will | login to the sites I have a relationship with, only when I need | it, using the password manager. | | At the end of the session I just close the browser and be done | with it, it's irrelevant what the extension agreed on my behalf | since all those cookies are gone. I know about browser | fingerprinting but I hardly think my browsing is valuable enough | for that. | rwcarlsen wrote: | For me personally - all these popup banners and modal walls for | websites about cookies and stuff just really make the internet a | worse place. I suspect that empirically, they don't accomplish | what the GDPR intended to - and they make the internet less | enjoyable. Thanks GDPR. | Nextgrid wrote: | The problem is that the GDPR is not being enforced properly. | The GDPR explicitly bans annoying/misleading consent prompts, | so this shouldn't be an issue if the law was enforced. It | explicitly learned from the earlier "cookie law" which merely | enforced disclosure and led to stupid & useless cookie banners | with no easy way for the user to actually act on them. | harrybr wrote: | Exactly. It's amazing that this is not widely known. The | deceptive GDPR pop-ups we all hate are not GDPR compliant! | sefrost wrote: | Same here. I would be interested to know from people outside | the GDPR area - do you ever see cookie banners? Do you know | what they are?
| | Sometimes I hit a USA based news website which simply denies | access, because I'm in the UK, on GDPR grounds. Which seems an | overreaction. | celestialcheese wrote: | US companies started implementing it as a result of CCPA. So | it's everywhere now | bombcar wrote: | EVERY WEBSITE I visit from my location in the USA seems to | have these stupid cookie popups. We added one to OUR WEBSITE | even though nothing is hosted in the EU - simple cargo- | culting "everyone is doing it so we must do it also". | | I doubt it actually does a @#$@$ darn thing. | layoutIfNeeded wrote: | I don't have a cookie banner on my website. You know why? | Because I don't track my users with (or without) cookies. | Maybe you should stop doing it on your website, and then | the cookie banner can be removed. | josefx wrote: | > We added one to OUR WEBSITE even though nothing is hosted | in the EU | | Location of the host is irrelevant, it depends on the | target audience. Serve pages to the EU? You get to follow | it. | | > simple cargo-culting "everyone is doing it so we must do | it also". | | If your site is cargo culting everything it probably also | has a ton of third party trackers for the same reason. | strictnein wrote: | > Location of the host is irrelevant, it depends on the | target audience. Serve pages to the EU? You get to follow | it. | | This is completely false. Your laws do not follow you | around on the internet. | Zak wrote: | > _Serve pages to the EU? You get to follow it._ | | What can the EU do about it if the company has no | physical or legal presence in the EU? Have there been any | serious attempts at such enforcement? | bombcar wrote: | I have decreed that anyone who serves pages into my | machines owes me $billion. | strictnein wrote: | It's weird how people keep claiming this. | | No one says that all sites should honor China's laws for | visitors from China. No one claims that all sites should | honor Saudi Arabia's laws for visitors from Saudi Arabia. 
| | But magically the GDPR must be followed by the entire | world if a visitor shows up from France. | josefx wrote: | China has the great firewall, the EU tried something | similar under the "think of the children" excuse, which | promptly failed. | | Also a lot of people speaking out against China had to | find out the hard way what some western companies will do | when you speak out against a cash cow that will happily | kick them out if its rules are enforced. | josefx wrote: | If it has no presence, no money, no sales, no partners, | basically absolutely nothing in the EU then it may be in | the clear. But that is a large difference to just not | having hosts in the EU. | shadowgovt wrote: | We've had them up long enough for somebody to have | generated some hard numbers by now. I wonder what the | numbers look like on percentage of users that modify the | settings from the default? | wuliwong wrote: | I was just thinking about that the other day. The billions of | extra clicks and taps and wasted seconds. And for what gain? I | think that this can be discussed outside of the basic "should | we regulate" or not. Specifically looking at these modals that | have spread all over, what actual protection does the average | user get from this modal? | ratww wrote: | The modals don't exist to protect the user. Their goal is | merely to annoy users to the point they just give up and | blindly click "Accept". They only exist for the benefit of | companies, and most of them violate GDPR. | rwcarlsen wrote: | Right. I'm not saying the intent of GDPR was to provoke | them. But empirically, they are an effect of the GDPR. An | undesirable one - that does _not_ fulfill its intent. I'd | say we are in agreement here. | Bakary wrote: | That's like accusing the flashlight of making rats scurry under | the floorboard | robgibbons wrote: | You keep using this when people complain about GDPR consent | banners. We get it, cookies are bad and privacy needs to be | protected.
| | It's just a really disingenuous and dismissive comparison. | Nobody is complaining about flashlights. | | GDPR may have been necessary, but the complete garbage heap | of an experience the popups have turned the web into is worth | lamenting. | yohannparis wrote: | You mean developers or website managers who do not apply the law | properly. All those deceptive patterns are not part of the | GDPR, they should clearly label accept and refuse. I think it | will take time for people to stop gathering so much information | from users. Once competitors start to figure it out, users | might start using them (i.e. New York Times & GitHub.) | dominotw wrote: | > . All those deceptive patterns are not part of the GDPR | | GP isn't talking about deceptive patterns. Point is that no | one really understands what these popups are for and everyone | just blindly clicks ok. | | I don't think I've ever declined a cookie popup. have you? | Semaphor wrote: | pretty much every time. If I can't find it or it's too much | work, I load the page in chrome or just close it | yohannparis wrote: | Every time I see one I go to the options to refuse all, if | they do not allow me this option, I leave the page and add | their domain name to my no cookie blacklist. It's | strenuous, but I prefer to do so. | butz wrote: | How about introducing a standard way to declare and categorize | cookies and let browser take care of consent? On first start set | your default cookie preferences for all websites and adjust per | website, when needed. It could be quickly built as an extension | first and later moved to browser core. | zarq wrote: | This would be so easy for shady tracking websites to circumvent | scotu wrote: | My favorite deceptive pattern I encountered is "double click the | checkbox to disable". Literally a checkbox but it wouldn't do | anything. I got a little frustrated and started clicking | furiously just to discover that a double click would reliably | disable the items...
| | (I don't remember if this was on desktop or mobile, on mobile | s/click/tap/g) | | Also, I personally lean towards being in favor of GDPR and cookie | law (wish there were some improvements though); I'd like to say | it just because every opinion you find is "GDPR useless", "cookie | law bad" | Guest42 wrote: | Yes, seems as though those opinions are the loudest and perhaps | it encourages the dissenters to stay quiet for fear of down- | votes. I've noticed that with certain viewpoints and have | adjusted towards censoring myself a bit. The crowd seems | bimodal but perhaps that's the nature of the conversations and | the voting tool reinforces that. | Bakary wrote: | Much of the audience benefits from this sort of manipulation | and tracking, so it's normal they would be hostile to any | cookie law | MaxBarraclough wrote: | The paper is paywalled. Is it freely available anywhere? _edit_ | arxiv's preprint: https://arxiv.org/pdf/2001.02479.pdf | | Also, off-topic: it's annoying that acm.org has now added a | horizontal progress bar, similar to QuantaMagazine.org. I already | know how far through the article I am, my browser shows me a | scrollbar. | xtracto wrote: | > my browser shows me a scrollbar. | | It is useful for mobile browser users. | justkez wrote: | I recently purchased something from the official UK Nintendo | Store [1]. I did not opt-in, and was not asked to opt-in, to | marketing emails. | | Several days after purchase I received a marketing email with an | Unsubscribe link. | | I submitted a GDPR enquiry and after a few weeks I get: | Having investigated this matter fully, we can see that you were | opted in as a result of a small technical difficulty which we are | now fixing. We have taken action to set your marketing | permissions to "no" as requested. | | I think we're so far past the GDPR "start date" that there's an | apathy to it from companies and they're pushing the limits again.
| How Nintendo can have such a formalised GDPR enquiry process but | such sloppy controls is beyond me. I will formally complain to | ICO (UK data regulator) but I doubt it'll effect much. | | [1]: https://store.nintendo.co.uk/ | vMPQonVtAjLWmr wrote: | Is the UK still subject to the GDPR now after Brexit? | lmkg wrote: | Yes, part of the Brexit agreement was the UK "domesticating" | some parts of EU law by passing them as UK legislation. There | is now a law called UK-GDPR, which is literally a copy-paste | of GDPR, with names of EU institutions find-and-replaced with | their UK equivalents. | | There are still some operational differences, around the fact | that the UK regulators will not participate in the cooperation | mechanisms that the other regulators will. This ends up | mattering for businesses: a significant aspect of GDPR was | that a company only ever had to deal with one regulator, but | now they need to interface with one for the EU and a second | for the UK. | Nextgrid wrote: | I believe GDPR is supposed to be implemented in every | participating country's legislation, so the GDPR was | implemented in UK law and this remains the case even after | Brexit. Nothing prevents them from amending that law and | repealing the GDPR's effects on it though. | Nextgrid wrote: | In the UK, there's another law called the PECR in place that | _may_ supersede the GDPR in this case. | | I've had multiple merchants get back to me after such a | complaint claiming that under the PECR they're allowed to send | further marketing solicitations following a purchase. | | I haven't pushed it further so no idea if this is actually | legal or if the GDPR supersedes it. | matthewheath wrote: | The Privacy and Electronic Communications Regulations | (PECR)[1] do not _supersede_ GDPR as such, they sit alongside | it.
| | Section 22 is the relevant section they are hoping to rely | on, specifically section 22(3) which allows them to: | | ---------- | | (3) A person may send or instigate the sending of electronic | mail for the purposes of direct marketing where-- | | (a) that person has obtained the contact details of the | recipient of that electronic mail in the course of the sale | or negotiations for the sale of a product or service to that | recipient; | | (b) the direct marketing is in respect of that person's | similar products and services only; and | | (c) the recipient has been given a simple means of refusing | (free of charge except for the costs of the transmission of | the refusal) the use of his contact details for the purposes | of such direct marketing, at the time that the details were | initially collected, and, where he did not initially refuse | the use of the details, at the time of each subsequent | communication. | | ---------- | | So in this case, they are obliged to let you withdraw your | consent every time they email you. It is not a blank cheque | for them to keep emailing you simply because you've purchased | something; it is consent-based and therefore uses the same | consent processes as the GDPR. | | -- | | [1] https://www.legislation.gov.uk/uksi/2003/2426 | wojciii wrote: | I complained about tv2.dk (I used to be a customer) sending me | an e-mail after I deleted my user and told them not to send me | e-mail. This was a really bad experience where their support | attempted to make me login to the site which I refused to do | since I removed my user previously. | | Then I sent them a GDPR request to remove all my info and | complained to the Danish Data Protection Agency. | | I stopped receiving e-mail but got nowhere with my complaint. | The agency wrote me that they didn't want to pursue this. Based | on this .. I don't think that anyone is taking GDPR seriously | and no one is trying to defend the small people (me!).
| switch007 wrote: | This is absolutely /rife/ in my experience. | lmkg wrote: | Having seen how other companies make the sausage, I can take a | guess. | | To Nintendo, marketing is not a "core" business function, so | when the company was sorting out GDPR, no one invited them to | the room and they didn't ask to be invited. When companies | think about "what data do I have" they tend to get tunnel | vision to their main business operations. I bet Nintendo has | robust processes for their online gaming services. No one ever | seems to think about the twenty dozen Google Analytics accounts | they're all running, and a good fraction of them don't even | think about their CRM systems. | shadowgovt wrote: | > How Nintendo can have such a formalised GDPR enquiry process | but such sloppy controls is beyond me. | | Probably because only 1% of 1% of their customers even bother | to notice. I'd be willing to bet money that you were the first | person to discover this implementation error. | GlitchMr wrote: | I have a different issue myself. Despite having opted-in to | marketing e-mails I never have obtained a marketing e-mail from | Nintendo since then. Nintendo's website shows that I have | agreed to "receive promotional e-mails". At one point I did in | fact unsubscribe, but later I resubscribed. I think that there | is a bug that sometimes causes promotional e-mail setting to | not be updated in newsletter database (maybe the server was | down when I tried to change the setting, and Nintendo Account | website quietly ignored the error). | bombcar wrote: | Main bulk mailing companies (iContact, Sendgrid) will make a | blocklist for you of anyone who has unsubscribed - and if | you're not careful about it once on you'll NEVER get off - | and it prevents send to those addresses even if you later re- | add them to your list. 
| superjan wrote: | Today's xkcd: https://xkcd.com/2432/ ___________________________________________________________________ (page generated 2021-03-05 23:01 UTC)
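
The request-header idea raised in the thread (a client sending something like "Allow-Cookies: no", alongside the existing DNT header), seen from the server side. This is an added example, not code from the paper or from any commenter. Allow-Cookies is the commenter's hypothetical header and not a standard; the refusal-wins rule, the "necessary" allowlist (built from the cookie names one commenter listed) and the sample cookies are assumptions made for illustration.

```python
from typing import Iterable, List, Mapping

# Cookies treated as strictly necessary. Constructed allowlist, reusing the
# names a commenter reported under "necessary" in ACM's banner.
NECESSARY = {"__cfduid", "AWSALBCORS", "CookieConsent"}


def consent_signal(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'allow' or 'unknown' from the request headers."""
    # HTTP field names are case-insensitive; values may carry stray whitespace.
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    allow = h.get("allow-cookies")  # hypothetical header from the thread
    dnt = h.get("dnt")              # Do Not Track request header
    # Assumed policy: a refusal in either header wins over an acceptance.
    if allow == "no" or dnt == "1":
        return "deny"
    if allow == "yes":
        return "allow"
    return "unknown"  # absent or malformed: no consent has been expressed


def cookie_name(set_cookie: str) -> str:
    """Name part of a Set-Cookie value: the text before the first '='."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def filter_set_cookies(headers: Mapping[str, str],
                       set_cookies: Iterable[str]) -> List[str]:
    """Pass every cookie only on explicit 'allow'; otherwise necessary ones."""
    if consent_signal(headers) == "allow":
        return list(set_cookies)
    return [c for c in set_cookies if cookie_name(c) in NECESSARY]


# Constructed sample of Set-Cookie values a response might carry.
SAMPLE = [
    "AWSALBCORS=abc123; Path=/; SameSite=None; Secure",
    "CookieConsent={stamp:'x'}; Path=/",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
    "sessionState=eyJ4IjoxfQ==; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for req in ({"Allow-Cookies": "no"}, {}, {"Allow-Cookies": "yes"}):
        kept = [cookie_name(c) for c in filter_set_cookies(req, SAMPLE)]
        print(req, "->", consent_signal(req), kept)
```

Treating a missing header the same as a refusal keeps the filter opt-in: nothing outside the allowlist is set until the client says yes.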