Dark patterns after the GDPR: consent pop-ups and their influence
Author : DyslexicAtheist
Score : 111 points
Date : 2021-03-05 16:44 UTC (6 hours ago)
(HTM) web link (dl.acm.org)
| glsdfgkjsklfj wrote:
| permanent fix: learn to use your uBlock-Origin quick element
| picker.
|
| Every time you open a site and it shows a popup for picking your
| cookies, just open uBlockOrigin from your browser toolbar, click
| the quick element picker (eye dropper icon), click the popup.
|
| Done. Now you will never see the popup for that site (even if you
| do not save cookies, or clear your cookies), and you are
| technically guaranteed to not accept any non-essential cookies
| ever (if they follow spec)
| K0nserv wrote:
| This is the PDF: https://arxiv.org/pdf/2001.02479.pdf I couldn't
| understand how to find it on the linked site. Maybe the
| submission URL should be changed?
| angrais wrote:
| If you click "Get Access" you'll be asked to log into a
| university account or such
| Bakary wrote:
| Who came up with the term dark patterns? It's psychological
| manipulation and fraud, pure and simple
| hnuser123456 wrote:
| Because there are shades of gray
| Bakary wrote:
| There's a spectrum of gray in the effect and scale of the
| manipulation, but deciding to manipulate the user or not is a
| binary choice.
| SpicyLemonZest wrote:
| Is it? It's comforting to think so, but I'm not convinced
| there's a meaningful dichotomy that can be drawn. I add a
| "save this card" functionality to my store so users don't
| have to type it in every time they buy something: am I
| offering a neat convenience feature, or am I manipulating
| them by reducing the psychological barrier of a sale?
| Bakary wrote:
| >Is it? It's comforting to think so, but I'm not
| convinced there's a meaningful dichotomy that can be
| drawn. I rework my store's checkout workflow, making it
| simpler so users only have to click a couple buttons to
| buy a product: am I making their lives easier, or am I
| manipulating them by reducing the psychological barrier
| of a sale?
|
| "making their lives easier" implies that the purchase is
| the default outcome that the user needs to improve their
| lives, when the purchase could simply not be made at all.
| As long as the intention is to make more money, and that
| the effort expended does not improve the nature of what
| is purchased in some way, I'd say it technically
| qualifies even if the consequences are the lightest of
| grays.
|
| That said, your example is thoughtful, and you are
| probably right overall. We could look at the broader
| context of all these systems encouraging consumption, but
| that would be moving the goalposts on my part.
|
| edit: just to clarify an edit took place while I was
| replying
| SilasX wrote:
| So "dark pattern" is a dark pattern?
| slabity wrote:
| > Who came up with the term dark patterns?
|
| Harry Brignull
|
| https://en.wikipedia.org/wiki/Dark_pattern
| s_dev wrote:
| Would you consider the fact that bread and fruit and veg are
| always at the start of a supermarket journey a dark pattern?
|
| Supermarkets have gotten customers to spend more than they
| intended with all their patterns as well -- just like social
| media sites get customers to spend more time online. It's just
| what they optimise for. The concept is much older than the
| coined word.
| ben509 wrote:
| Most of a supermarket's layout is determined by hard
| requirements like refrigeration, stocking heavy items and
| handling payments.
|
| If you're wondering why, for instance, the milk is in the
| back, it's because it needs to stay cool and it's heavy.
| Silhouette wrote:
| _Most of a supermarket's layout is determined by hard
| requirements like refrigeration, stocking heavy items and
| handling payments._
|
| That hasn't been generally true for a long time. The big
| chains spend a fortune deciding how their stores should be
| presented and optimising the layout of different products,
| and there is a lot of sophisticated analysis going on
| behind the scenes. There are certainly recurring themes in
| the results, but for example there are several major stores
| near me that have totally different layouts in many
| respects including all of the ones you mentioned, and it
| would be surprising if any of those differences was an
| accident. The stores don't run all those loyalty card
| schemes, nor rearrange their products from time to time,
| just for fun!
| perl4ever wrote:
| The whole concept of the placement of the milk being
| suspicious and _needing_ an explanation never made sense to
| me. Why would they or should they optimize for people who
| go to the supermarket just to buy milk? It makes perfect
| sense to me from the point of view of _usually buying more
| than one thing per trip_.
|
| If in a "normal" grocery store trip you go through most of
| the store then _of course_ you want to get refrigerated and
| frozen foods last, just before you go to the checkout. So
| they don't warm up too much.
|
| By the way, frozen stuff is _not_ all on the perimeter in
| my experience of US supermarkets. It's funny how something
| can be so mundane and everyday you never really look at it.
| Bakary wrote:
| >Would you consider the fact that bread and fruit and veg are
| always at the start of a supermarket journey a dark pattern?
|
| No, because the term seems superfluous or euphemistic to
| me. But yes in the sense that it is psychological
| manipulation.
|
| Is an entity intentionally deceiving or manipulating the
| customer/user/etc. using their understanding of psychology?
| Psychological manipulation
|
| >The concept is much older than the coined word
|
| Indeed, we already have a name for it as I've been trying to
| say!
| Semaphor wrote:
| but they aren't? Fruit and veggies are first for our
| (Germany) two largest chains, bread isn't second for either.
| Aldi has neither at the beginning.
| maweki wrote:
| Highly depends on the Aldi. Mine does indeed start with
| bread but has Veg at the end of the first aisle across the
| refrigerated goods. I would guess that the position of the
| bread depends on the infrastructure, specifically where the
| baking station can be built.
| kspacewalk2 wrote:
| Your comment lacks any explanation at all. Why is the term
| 'dark patterns' 'psychological manipulation and fraud'?
| Bakary wrote:
| Every time I see the term 'dark pattern', it's always a case
| of one or the other, with the delineation into fraud varying
| depending on the relevant laws. In this case, they mention
| how websites skirt the minimum GDPR requirements and trick
| the users to do what they want, so it looks to be both.
|
| The term is in the best case superfluous, in the worst case a
| harmful euphemism.
| hinkley wrote:
| Your top level post reads as if people who use 'dark
| patterns' as a term have an agenda, and that agenda is
| fraud and psychological manipulation.
| Bakary wrote:
| I don't think everyone who uses that term has an agenda.
| I'm sure most have good intentions, or just are naturally
| attracted to new buzzwords. It just so happens the term
| does play into the agenda of those who have one and who
| manipulate others psychologically in this way.
|
| The whole topic is a sensitive one. I'm sure a sizeable
| number here on HN derive some direct or indirect profit
| from such practices (running, being employed in or having
| stock in a company that does this sort of thing,
| especially FAANGs) while also having some dissonant
| misgivings about how the internet and technology is
| evolving. Terms like 'dark patterns' only serve to deepen
| this confusion and create additional moral distance
| between such tech workers and the consequences of their
| work, even if they are not necessarily intended to be
| nefarious: therefore, we ought to discourage it whenever
| possible.
|
| Of course, in the grand scheme of things, none of what I
| say here will actually have an effect on any of this, but
| it's fun to discuss these topics all the same.
|
| In any case, I don't see how any of this can be inferred
| from that single original sentence, but I'll take your
| word for it.
| hinkley wrote:
| I think if someone puts the pauses at different spots
| than you, the grammar changes substantially. Reading your
| replies I figured it out, but it reads like not everyone
| caught that so I thought it might help you sort out some
| of the reactions you're getting.
| Bakary wrote:
| As a non-native speaker, I appreciate the feedback. I
| have yet to master the intricacies of this language :)
| harrybr wrote:
| The term "dark pattern" refers to user interface design
| patterns. That's where the "pattern" bit comes from.
| There was already a term for anti-pattern which referred
| to mistakes. I wanted a term that had a Machiavellian
| tone to it, so I chose "dark" (Star Wars, Harry Potter,
| why not?).
|
| I'm not quite sure why this term proved to be so popular.
| I think it is helpful to have a term that is a little
| vague though, as it can be a lot of work to pin down
| whether something is truly deceptive with an outcome of
| harm - or just an annoying attempt to nudge.
| Bakary wrote:
| Thanks for letting me know. Looking through the thread
| again after my initial off-the-cuff reaction, I'm
| starting to think that I may be reading too much into the
| term due to my own biases and assigning interpretations
| to people that they might not have. There's certainly
| more to say on this topic.
|
| >I'm not quite sure why this term proved to be so
| popular.
|
| Well, it does sound cool and memorable on its own...
| perl4ever wrote:
| I read it as primarily saying that the _thing which 'dark
| patterns' refers to_ is more plainly called "fraud and
| psychological manipulation", not so much that merely
| _using 'dark patterns' as a euphemism_ is itself
| "fraud...etc." Suspicious perhaps, but as an indirect
| second-order thing.
|
| It can be seen as ambiguous, but a lot of language relies
| on assumptions about what a reasonable person would be
| thinking. Which causes trouble if you're trying to
| express a contrary or startling opinion.
| diffeomorphism wrote:
| That is not what the sentence says at all. It simply says
| that "dark pattern" is a euphemism/harmless wording for what
| is done.
| rapnie wrote:
| Another alternative proposed to IETF inclusive terminology
| draft is 'deception pattern'.
|
| https://github.com/ietf/terminology
| Bakary wrote:
| I can't say I completely agree with the philosophical outlook
| behind this list, but this specific term you cite seems like
| a clear improvement
| dominotw wrote:
| > fraud
|
| then take them to court and make a killing.
| Bakary wrote:
| I sincerely doubt that much financial reward will come for
| any random individual doing this to any randomly selected
| website in that sample that does not meet the GDPR
| requirements.
|
| On one hand, you've technically got the right idea that I
| ought to put some skin in the game. On the other, it's a
| reasoning meant to shut down criticism on the same level as
| the infamous "yet you participate in society, curious!" comic
| dominotw wrote:
| > I sincerely doubt that much financial reward will come
| for any random individual doing this to any randomly
| selected website in that sample that does not meet the GDPR
| requirements.
|
| Then whats the point of GDPR if its not worth taking them
| to court. Is the idea that only govt can bring them to
| justice?
| Bakary wrote:
| This topic is above my paygrade since I lack the relevant
| legal knowledge. But some things I've noted so far:
|
| - GDPR shone a light on these practices that is visible
| to the casual user. This highlights some examples long
| term counter-productive thinking: people blaming GDPR for
| showing those practices instead of the practices
| themselves. A symptom of the messed up ways in which all
| this has been developed over the years
|
| - Even single governments alone aren't enough in some
| cases (see France's measly series of fines against Google
| that probably evoked laughter in the boardroom)
|
| - As a user, the prospect of being able to download my
| data from FAANGs seemed so miraculous and unrealistic at
| first that it made me realize how complacent I had gotten
| to unequal practices and to these websites and companies
| just doing whatever they wanted whenever they wanted.
| That specific point alone is worth the entirety of GDPR
| to me
|
| - Baby steps. GDPR is already a step in the right
| direction, they are still figuring these things out
| (especially enforcement) whereas the private sector has
| decades of experience in anti-user practices, honed by
| some of the finest minds. The next step is to get a
| better share of the deal for Europeans as a whole.
| Silhouette wrote:
| _Is the idea that only govt can bring them to justice?_
|
| Mostly, yes. The main enforcement authority is the
| government regulator in each member state (and the UK,
| which retains the system post-Brexit).
| shadowgovt wrote:
| Precisely why the new term was devised: dark patterns are
| not, in general, _technically_ fraud.
|
| They are playing completely within the rules but taking
| advantage of human psychology to tilt the outcome in the
| direction the website owner wants (and, it is assumed,
| against what the average user wants).
| neltnerb wrote:
| Well, an interpretation of the rules that their lawyers
| said was at least justifiable enough to make a legal
| argument out of. It's hard to write rules when the readers
| are incentivized strongly to use any ambiguity as a weak
| spot to attack and use as a workaround rather than
| following intent.
|
| Following intent isn't a good legal framework either, of
| course, better to make the people with legal training work
| hard to write them correctly once rather than making them
| complicated to interpret.
| nickt wrote:
| Slightly OT, but for anyone using Safari "Hush Nag Blocker" is
| highly recommended.
|
| https://apps.apple.com/us/app/hush-nag-blocker/id1544743900
| Causality1 wrote:
| As someone who's blocked cookies and ads for years, the result of
| the GDPR has been a parade of unblocked pop-ups. Frankly I
| liked it better when pop-ups had naked women in them.
| ddddfdohvsyknn wrote:
| These regulations seem worse than nothing. We already have
| browsers, we can block and filter cookies based on our individual
| preference and adjust depending on our tolerance for privacy vs
| functionality. How has this changed the data collection practices
| of Facebook or Google in any meaningful way? Not enough people
| are asking what effect the many new regulatory burdens will have
| for the internet. It entrenches the existing players (know who has
| the money to hire 20 compliance officers for every Tuscan villa?)
| and makes the barrier to entry to compete more difficult. Plenty
| of proto facebooks have fallen by the wayside. Remember AOL?
| Remember Myspace? Now the big players have a hand in writing the
| law that potential competitors will have to comply with.
| planb wrote:
| Why is this downvoted? This is exactly what happened. Speaking
| with non tech savvy users here in Germany, they feel safe and
| secure on Facebook and fear the "world wide west" that the
| open Web has become, where you need to click 20 consent
| messages on every website without knowing what all that stuff
| means. This is just like EULAs - one more annoying thing they
| simply accept with a slightly bad gut feeling.
| Thlom wrote:
| One thing I don't understand is why in the good lords name do
| I have to consent to being tracked every day when I have
| already agreed to the goddamn cookie jar? Often several times
| per day as well!
| bombcar wrote:
| On iPhone at least Safari seems to throw away cookies with
| wild abandon resulting in the stupid popups continually
| popping up.
| xtracto wrote:
| I think the GDPR and other sites would have better results if
| they approached these in a similar manner as how the
| "nutrition warning labels" are done in Mexico (
| https://mexiconewsdaily.com/news/new-warning-labels-now-
| requ... ):
|
| Make it so every page that contains a tracking element MUST
| permanently display a large-ish (say, 1% of the screen for
| each) seal/label indicating that it is tracking you (like
| ESRB labels). That way, website will be pushed to remove the
| tracking elements so that they can remove the offending
| banners.
| okamiueru wrote:
| I for one welcome it. If a website has this popup, and it
| doesn't default to disabled tracking, and there are
| "legitimate interest" bullshit that cannot be turned off, I
| close down the website. I even uninstall apps (chess.com,
| here's looking at you).
|
| Just because websites purposefully give a terrible UX in an
| effort to circumvent the law does not mean the law is wrong.
| It's the implementation.
| unix_fan wrote:
| I feel like this is a point the HN crowd likes to ignore when
| it calls for governments to regulate certain aspects of tech.
| Do regulations like this really protect consumers, or just make
| their experience worse?
| PurpleFoxy wrote:
| The GDPR added a data export feature to many websites. I have
| used it so much. I think the pressure is being felt by
| companies. Otherwise walled off platforms like apple are
| starting to open up.
| Nextgrid wrote:
| The GDPR covers more than cookies though. The GDPR regulates
| data collection and processing regardless of which technical
| means are used to do so. Disabling cookies in-browser doesn't
| change anything when it comes to tracking IP addresses or
| browser fingerprinting.
| macinjosh wrote:
| GDPR is a textbook example of how government intervention in our
| business never ends in the way the technocrats desire/promise. It
| simply makes things more convoluted and difficult for everyone
| including those they claim to be protecting.
| slacktide wrote:
| GDPR consent buttons and statements are as worthless as the
| California Proposition 65 cancer warning that gets slapped on
| every consumer product. Any plugins to strip them out or
| automatically consent?
| ericra wrote:
| ublock origin takes care of most of them. You will want to go
| to settings > filters and make sure that you have EasyList,
| EasyPrivacy, and EasyCookie all enabled. I would also recommend
| Fanboy's Annoyances filter list enabled, as it contains quite a
| few nice cosmetic filters to block out similar annoying web
| elements.
| bombcar wrote:
| Thank you for this! In Chrome it was "right click on UO
| shield, Options -> Filters, expand and find the ones
| mentioned."
| Zak wrote:
| Yes: I don't care about cookies
|
| https://www.i-dont-care-about-cookies.eu/
| ganzuul wrote:
| An Android version would be great. The mobile web is becoming
| harder and harder to use.
| Zak wrote:
| You can use it on Android with Kiwi Browser, a Chromium
| derivative. It used to work with Firefox, but it looks like
| Firefox _still_ hasn't un-broken extensions on Android.
| tobasq wrote:
| Looking at the source code suggests that Kiwi is based on
| Chromium 77. A shame; it's a great idea. We need a mobile
| browser with extensions.
| Zak wrote:
| I suppose that's getting a bit dated, but I'd have to be
| actively experiencing _significant_ breakage to give up
| extensions for a browser update. I am not.
| Nextgrid wrote:
| It's different from the Prop 65 warnings. Unlike those, the
| GDPR explicitly bans annoying/misleading consent prompts.
| Merely disclosing tracking isn't enough to comply, consent
| needs to be:
|
| * explicitly opt-in, so no action from the user means they
| shouldn't be tracked - pre-ticked checkboxes are not allowed
|
| * it should be as easy to opt-in as to opt-out, so approaches
| like a big "accept tracking" button but a "learn more" or
| putting the deny option in the fine print isn't allowed
|
| * needs to be "informed consent", so the user should be made
| fully aware of what data will be collected and how it will be
| used
|
| * needs to be granular, so the user should be allowed to decide
| what data to provide and for what purpose
|
| * optional - you are not allowed to deny/degrade the service if
| the user does not consent to tracking
|
| The problem is that the GDPR is not being enforced properly.
| The annoyances you are facing would not be a thing if the law
| was enforced. It explicitly learned from the earlier "cookie
| law" which merely enforced disclosure and led to stupid &
| useless cookie banners with no easy way for the user to
| actually act on them.
| mLuby wrote:
| Whether something is "legal" is a fuzzy computation that runs in
| the minds of average citizens on a jury, though it's more
| commonly simulated by judges and lawyers. The text is not
| absolute.
|
| So what if an accept-only contract (like a ToS, EULA, or consent
| pop-up) did what average users _think_ they agreed to, regardless
| of what the text says?
|
| This would shift the _burden of understanding_ from the user,
| where it currently lies, to the company. If it's essential to a
| company's business model that users agree to something complex
| that most users don't understand, the company will just have to
| help the users understand, deploying all those marketing and UX
| patterns they've perfected over the years to do so.
|
| (Yes I know this isn't how contracts currently work; it's just a
| harmless little thought experiment.)
| Silhouette wrote:
| FWIW, legal systems are sometimes closer to what you're
| describing there than you might realise. Obviously this varies
| with jurisdiction, but contracts of adhesion often do carry
| less weight in the event of litigation, for example
| automatically giving any benefit of the doubt to the party that
| didn't write the contract. Often there are relevant consumer
| protection rules as well, for example a general requirement
| that the terms of any B2C agreement must be reasonable or they
| will be unenforceable. More generally still, contract law is
| usually based on the basic idea of a meeting of minds, with an
| implication that all parties understand the contract they are
| entering into.
|
| When we drew up the Ts & Cs for my first business that was
| selling online, we took advice from a lawyer who specialised in
| this kind of work, and one of the first points they made was
| that if there was anything at all surprising or unusual in what
| we wanted for our terms, it should be emphasized prominently
| and early, not buried in small print at the back, for exactly
| the kind of reasons above.
|
| I once saw an anecdote (possibly apocryphal, I don't know)
| about a consumer rights lawyer who said they never bothered
| reading the small print in these situations. When someone
| expressed surprise that even a lawyer wouldn't check what they
| were signing up to, they replied that either the terms offered
| would be reasonable, in which case the lawyer would have no
| problem with them, or they wouldn't, in which case the
| unreasonable aspects would be unenforceable anyway.
| pixelpoet wrote:
| What absolutely infuriates me is this "legitimate interest" crap
| that is almost always hidden away, and often you have to scroll
| through literally hundreds of opt-outs with no way to disable
| them all in a single click.
|
| If I'm so damn "legitimately interested", why is it on by default
| and basically impossible to turn off? Find me _one person on this
| earth_ who is legitimately interested in being tracked by
| marketing companies who sell their information on to whatever
| giant collections. This should be illegal.
| simpss wrote:
| It's usually a good hint that it really isn't a legitimate
| interest case if they allow you to turn it off.
|
| A legitimate interest does not require an opt in (or an opt
| out). Consent does. If the page mixes those two up they're
| either clueless or trying to walk in the gray area and don't
| really understand(or don't want to understand) what either of
| those terms mean.
| secondcoming wrote:
| Legitimate Interest has a legal definition as a Legal Basis.
| It's a list of Purposes and Special Features that a Vendor
| declares to the IAB that they claim to need [0]. A User
| absolutely has the right to Object to Consent and Legitimate
| Interest.
|
| Any CMP that does not allow you to opt-out is on shaky GDPR
| legal ground.
|
| [0] https://vendor-list.consensu.org/v2/vendor-list.json (see
| 'vendors' object)
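The vendor list linked above is plain JSON, so the "which purposes does this vendor claim on legitimate interest" question can be answered mechanically. The following is an added example (not code from the thread or from the IAB) that walks a constructed snippet in the same shape as vendor-list.json: the key names purposes, legIntPurposes, flexiblePurposes, specialPurposes and specialFeatures are the real ones, while the vendor ids, names and declarations are made up. It also flags the one rule that is easy to check offline: TCF v2 policy reserves Purpose 1 (storing or accessing information on the device, i.e. the cookie itself) for consent, so a vendor listing it under legitimate interest is out of policy.

```javascript
// Added example (not from the thread and not IAB code): walk a TCF v2
// Global Vendor List and report, per vendor, which purposes it claims
// under consent and which under "legitimate interest". The key names
// match the real vendor-list.json linked above; the vendor entries,
// ids and names below are constructed sample data.

const SAMPLE_GVL = JSON.stringify({
  gvlSpecificationVersion: 2,
  vendorListVersion: 0, // constructed
  purposes: {
    "1": { id: 1, name: "Store and/or access information on a device" },
    "2": { id: 2, name: "Select basic ads" },
    "7": { id: 7, name: "Measure ad performance" },
    "10": { id: 10, name: "Develop and improve products" },
  },
  vendors: {
    "11": { id: 11, name: "Example Ads Ltd", purposes: [1, 2],
            legIntPurposes: [7, 10], flexiblePurposes: [2, 7],
            specialPurposes: [1], specialFeatures: [] },
    "12": { id: 12, name: "Sketchy Metrics Inc", purposes: [],
            legIntPurposes: [1, 2, 7, 10], flexiblePurposes: [],
            specialPurposes: [], specialFeatures: [1] },
  },
});

// TCF v2 policy: Purpose 1 (storing or reading information on the device)
// may only be processed on a consent basis, never legitimate interest.
const CONSENT_ONLY_PURPOSES = new Set([1]);

function summariseVendors(gvlJson) {
  const gvl = JSON.parse(gvlJson);
  const purposeName = (id) =>
    (gvl.purposes[String(id)] || {}).name || `purpose ${id}`;

  return Object.values(gvl.vendors).map((v) => {
    const consent = v.purposes || [];
    const legInt = v.legIntPurposes || [];
    const declared = consent.length + legInt.length;
    return {
      id: v.id,
      name: v.name,
      consentPurposes: consent.map(purposeName),
      legitimateInterestPurposes: legInt.map(purposeName),
      // purposes the vendor will process on either basis; this is what lets
      // a CMP ask the same question twice (consent off, LI on by default)
      flexiblePurposes: (v.flexiblePurposes || []).map(purposeName),
      // legitimate interest claimed for a purpose reserved for consent
      policyViolations: legInt
        .filter((p) => CONSENT_ONLY_PURPOSES.has(p))
        .map(purposeName),
      // fraction of declared purposes that are on by default (no opt-in)
      legIntShare: declared === 0 ? 0 : legInt.length / declared,
    };
  });
}

// Names of vendors whose declaration breaks the consent-only rule.
function vendorsWithPolicyViolations(gvlJson) {
  return summariseVendors(gvlJson)
    .filter((s) => s.policyViolations.length > 0)
    .map((s) => s.name);
}

for (const s of summariseVendors(SAMPLE_GVL)) {
  const pct = Math.round(s.legIntShare * 100);
  const flag = s.policyViolations.length
    ? ` VIOLATION: legitimate interest claimed for ${s.policyViolations.join(", ")}`
    : "";
  console.log(`${s.id} ${s.name}: ${pct}% of purposes on legitimate interest${flag}`);
}
```

To run it against the real list, fetch vendor-list.json and pass the response body to summariseVendors in place of SAMPLE_GVL; sorting the result by legIntShare is a quick way to see which vendors lean hardest on the "no opt-in needed" basis.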
| MaxBarraclough wrote:
| As the paper states, the GDPR is comically unenforced. I doubt
| these 'legitimate interest' cookies are compliant with the law.
| In practical terms, they don't need to be. Nothing happens to
| websites that break the rules.
|
| > _The processing must be necessary._
|
| https://ico.org.uk/for-organisations/guide-to-data-protectio...
| detaro wrote:
| While I agree it's often bullshit, "legitimate interest" is not
| trying to argue it to be your interest, but the sites.
| xg15 wrote:
| "legitimate interest" is a legal term with specific definitions
| in the GDPR. (And indeed it refers to the interest of the
| _site_ , not yours)
|
| IANAL, but as I understand, it refers to data collection that
| is _inherently_ needed to perform a service.
|
| E.g., a pizza delivery service has a _legitimate interest_ to
| know the address of the place where it should deliver the pizza
| to - because, well, otherwise they can't deliver the pizza.
|
| In such a case, the GDPR wouldn't require the pizza place to
| get consent. (the GDPR requires that a service is performed
| even if consent is denied, so without the legitimate interest
| exception, the pizza place could end up in a legal catch-22 if
| someone ordered a pizza but denied consent to collect the
| address.)
|
| The basic idea seems perfectly reasonable to me, but of course
| sites always tried to stretch the "legitimate interest"
| definition as wide as they could get away with, and this seems
| to be the latest iteration of that.
|
| I have no idea where the latest fad of claiming all kinds of
| ridiculous things as legitimate interest as long as there is an
| "object" button comes from, but I imagine there was some court
| case that decided this was borderline legal. If anyone else
| knows more about this, I'd really like to know as well.
|
| But at least I think this is why many consent popups ask the
| exact same questions twice, once as "consent", off by default
| and once as "legitimate interest", on by default: They are
| simply trying their luck on two separate legal avenues. (Not
| that this would make any sense from a UX point of view or from
| the intent of the law. But I guess it does make sense from a
| "scummy lawyer" point of view)
| MereInterest wrote:
| Interesting that this site itself may use one of the described
| dark patterns. The banner on the main page has options "Got it"
| and "Learn more". There is no indication as to whether the "Got
| it" button is taken as consent for tracking, nor is there a
| "Reject all non-essential tracking" option on the main banner.
|
| Whether or not this site is compliant depends on whether the "Got
| it" button is taken as affirmative consent for non-essential
| tracking or not.
| sandgiant wrote:
| This is just a regular journal page. Not surprised they're
| tracking their users. A better place to link would probably
| have been the arXiv: https://arxiv.org/abs/2001.02479v1.
| ectopod wrote:
| The best way to let a site know that you don't want tracking
| cookies is to disable cookies. Most sites work fine. This one
| redirects you to:
|
| https://dl.acm.org/action/cookieAbsent
| danShumway wrote:
| The site itself completely stops working if cookies are
| disabled, it just forwards me to a "cookie absent" error page.
|
| Their privacy policy says:
|
| > Other than in the restricted-access portions of the Web Site
| that require an ACM Web Account, ACM does not log the identity
| of visitors. However, we may keep access logs, for example
| containing a visitor's IP address and search queries. We may
| analyze log files periodically to help maintain and improve our
| Web Site and enforce our online service polices. ACM only uses
| analytical cookies and does not use any user-specific targeting
| cookies.
|
| > A cookie is a small file of letter and numbers that is placed
| on your device. Cookies are only set by ACM when you visit
| restricted portions of our Web Site and help us to provide you
| with an enhanced user experience. Raw log files are treated as
| confidential.
|
| So... not sure why a public portion of their website straight-
| up won't load without them. They're clearly not only
| checking/setting cookies on certain pages, otherwise they
| wouldn't know that my cookies were disabled.
| shadowgovt wrote:
| It took some digging, but if you go to
| https://www.acm.org/privacy-policy, the "this website uses
| cookies" banner at the bottom includes a selector to choose
| which ones are used, and "necessary" is auto-selected.
| Expanding the "Show details" panel along the selector shows
| which cookies are considered necessary, and it looks like
| it's part of their Cloudflare attack protection system
| (__cfduid), their load balancing schema (AWSALBCORS), the
| cookie storing the status of your cookie consent (hah,
| ironic) (CookieConsent). But then there are some that _I_
| wouldn't personally consider necessary, such as two
| Bloomberg-vended cookies that appear to mirror the consent
| information to Bloomberg's servers, a Swiftype tracking
| pixel, a YouTube cookie to estimate the user's bandwidth for
| optimizing video loading, and some suspiciously-opaque
| BACKEND and sessionState cookies.
|
| In general, it's unfortunate their page doesn't degrade
| gracefully if cookies are disabled (though that's not always
| possible; for example, you can't assume that traffic
| Cloudflare can't analyze for trust is trusted... but those
| BACKEND and sessionState cookies being mandatory feels lazy).
| 1vuio0pswjnm7 wrote:
| "Interesting that this site itself may use one of the described
| patterns."
|
| Is it really interesting, though. For example, we have seen
| this as a very common retort in HN comments every time an
| author is critical of advertising, tracking/analytics, etc.
| Someone points out the author's site itself uses the thing
| being critiqued.
|
| Is that supposed to detract from the argument being made by the
| author. That does not make much sense.
|
| It is a bit like another common retort we see in discussing
| tech company behaviour: "But everyone else is doing it." Does
| that make it OK. Or one we see when discussing regulatory
| action: "They should be focusing on X not Y." Don't look here,
| look over there.
|
| I am highly skeptical of comments that try to leverage these
| tactics. The message is what it is. Whether or not it is valid
| does not depend on who is voicing it, where it appears, or
| what's going on somewhere else. This is pure misdirection.
|
| This paper might be a worthwhile read. It makes little sense to
| pre-judge it before reading, simply because it appears on ACM's
| website, and ACM's website developers try to get users to
| enable cookies. What if the paper is re-posted on a site with
| no Javascript and that does not try to set cookies. Does the
| content of the paper then become "legitimate". Why or why not.
|
| It is easy to retrieve this paper without using cookies, from
| another site. For example,
|
| https://web.archive.org/web/20210305175101/https://dl.acm.or...
|
| PDF:
| https://web.archive.org/web/20200701025846if_/https://dl.acm...
|
| Not trying to single out this one comment. It's fine. The paper
| is not really arguing for or against banners and other notice
| and consent mechanisms, just studying their use. I cannot even
| see the banner because I use a text-only browser.
|
| The most interesting paragraph in the paper IMO is the last
| one. They ask why the client, e.g., through browser settings,
| cannot be in control of the legal consent mechanism. What if
| clients were to send an additional HTTP header to indicate
| whether or not the user consents to cookies. For example, Allow-
| Cookies: no.
|
| The online advertising companies have apparently fought against
| this, e.g., the DNT header. If you enable DNT in one popular
| browser deployed by an advertising company you get this
| ridiculous warning message. Why the heck is it a big deal if
| the user controls the headers sent and the server has to honour
| them. When you read RFCs about www development they always make
| it sound like clients and servers are on an equal footing. The
| reality is quite different. These companies want to control how
| a user "consents".
| yholio wrote:
| The whole landscape of tracking and user consent is such a
| clusterfuck that I can't even bother anymore to care about
| cookies.
|
| I use Brave in private mode (analogous to incognito in Chrome)
| and have a GDPR consent killer extension. It's annoying that some
| sites (ex. Youtube) pester you to login or signup on first visit
| but there are definitely fewer of them than the GDPR consent spam. I will
| login to the sites I have a relationship with, only when I need
| it, using the password manager.
|
| At the end of the session I just close the browser and be done
| with it, it's irrelevant what the extension agreed on my behalf
| since all those cookies are gone. I know about browser
| fingerprinting but I hardly think my browsing is valuable enough
| for that.
| rwcarlsen wrote:
| For me personally - all these popup banners and modal walls for
| websites about cookies and stuff just really make the internet a
| worse place. I suspect that empirically, they don't accomplish
| what the GDPR intended to - and they make the internet less
| enjoyable. Thanks GDPR.
| Nextgrid wrote:
| The problem is that the GDPR is not being enforced properly.
| The GDPR explicitly bans annoying/misleading consent prompts,
| so this shouldn't be an issue if the law was enforced. It
| explicitly learned from the earlier "cookie law" which merely
| enforced disclosure and led to stupid & useless cookie banners
| with no easy way for the user to actually act on them.
| harrybr wrote:
| Exactly. It's amazing that this is not widely known. The
| deceptive GDPR pop-ups we all hate are not GDPR compliant!
| sefrost wrote:
| Same here. I would be interested to know from people outside
| the GDPR area - do you ever see cookie banners? Do you know
| what they are?
|
| Sometimes I hit a USA based news website which simply denies
| access, because I'm in the UK, on GDPR grounds. Which seems an
| overreaction.
| celestialcheese wrote:
| US companies started implementing it as a result of CCPA. So
| it's everywhere now
| bombcar wrote:
| EVERY WEBSITE I visit from my location in the USA seems to
| have these stupid cookie popups. We added one to OUR WEBSITE
| even though nothing is hosted in the EU - simple cargo-
| culting "everyone is doing it so we must do it also".
|
| I doubt it actually does a @#$@$ darn thing.
| layoutIfNeeded wrote:
| I don't have a cookie banner on my website. You know why?
| Because I don't track my users with (or without) cookies.
| Maybe you should stop doing it on your website, and then
| the cookie banner can be removed.
| josefx wrote:
| > We added one to OUR WEBSITE even though nothing is hosted
| in the EU
|
| Location of the host is irrelevant, it depends on the
| target audience. Serve pages to the EU? You get to follow
| it.
|
| > simple cargo-culting "everyone is doing it so we must do
| it also".
|
| If your site is cargo culting everything it probably also
| has a ton of third party trackers for the same reason.
| strictnein wrote:
| > Location of the host is irrelevant, it depends on the
| target audience. Serve pages to the EU? You get to follow
| it.
|
| This is completely false. Your laws do not follow you
| around on the internet.
| Zak wrote:
| > _Serve pages to the EU? You get to follow it._
|
| What can the EU do about it if the company has no
| physical or legal presence in the EU? Have there been any
| serious attempts at such enforcement?
| bombcar wrote:
| I have decreed that anyone who serves pages into my
| machines owes me $billion.
| strictnein wrote:
| It's weird how people keep claiming this.
|
| No one says that all sites should honor China's laws for
| visitors from China. No one claims that all sites should
| honor Saudi Arabia's laws for visitors from Saudi Arabia.
|
| But magically the GDPR must be followed by the entire
| world if a visitor shows up from France.
| josefx wrote:
| China has the great firewall, the EU tried something
| similar under the "think of the children" excuse, which
| promptly failed.
|
| Also a lot of people speaking out against China had to
| find out the hard way what some western companies will do
| when you speak out against a cash cow that will happily
| kick them out if its rules are enforced.
| josefx wrote:
| If it has no presence, no money, no sales, no partners,
| basically absolutely nothing in the EU then it may be in
| the clear. But that is a large difference to just not
| having hosts in the EU.
| shadowgovt wrote:
| We've had them up long enough for somebody to have
| generated some hard numbers by now. I wonder what the
| numbers look like on percentage of users that modify the
| settings from the default?
| wuliwong wrote:
| I was just thinking about that the other day. The billions of
| extra clicks and taps and wasted seconds. And for what gain? I
| think that this can be discussed outside of the basic "should
| we regulate" or not. Specifically looking at these modals that
| have spread all over, what actual protection does the average
| user get from this modal?
| ratww wrote:
| The modals don't exist to protect the user. Their goal is
| merely to annoy users to the point they just give up and
| blindly click "Accept". They only exist for the benefit of
| companies, and most of them violate GDPR.
| rwcarlsen wrote:
| Right. I'm not saying the intent of GDPR was to provoke
| them. But empirically, they are an effect of the GDPR. An
| undesirable one - that does _not_ fulfill its intent. I'd
| say we are in agreement here.
| Bakary wrote:
| That's like accusing the flashlight of making rats scurry under
| the floorboard
| robgibbons wrote:
| You keep using this when people complain about GDPR consent
| banners. We get it, cookies are bad and privacy needs to be
| protected.
|
| It's just a really disingenuous and dismissive comparison.
| Nobody is complaining about flashlights.
|
| GDPR may have been necessary, but the complete garbage heap
| of an experience the popups have turned the web into is worth
| lamenting.
| yohannparis wrote:
| You mean developers or website managers who do not apply the law
| properly. All those deceptive patterns are not part of the
| GDPR, they should clearly label accept and refuse. I think it
| will take time for people to stop gathering so much information
| from users. Once competitors start to figure it out, users
| might start using them (i.e. New York Times & GitHub.)
| dominotw wrote:
| > . All those deceptive patterns are not part of the GDPR
|
| GP isn't talking about deceptive patterns. Point is that no
| one really understands what these popups are for and everyone
| just blindly clicks ok.
|
| I don't think i've ever declined a cookie popup. have you?
| Semaphor wrote:
| Pretty much every time. If I can't find it or it's too much
| work, I load the page in chrome or just close it
| yohannparis wrote:
| Every time I see one I go to the options to refuse all, if
| they do not allow me this option, I leave the page and add
| their domain name to my no cookie blacklist. It's
| strenuous, but I prefer to do so.
| butz wrote:
| How about introducing a standard way to declare and categorize
| cookies and let browser take care of consent? On first start set
| your default cookie preferences for all websites and adjust per
| website, when needed. It could be quickly built as an extension
| first and later moved to browser core.
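The two ideas in this thread, 1vuio0pswjnm7's client-sent consent header and butz's declared, categorized cookie manifest, fit together as one mechanism. The following is an added example written for this page, not code from the paper, from ACM or from any commenter: the site declares each cookie's category in a manifest, the client sends one request header naming the categories it consents to (plus the existing DNT header), and a response-side filter drops every Set-Cookie the client did not consent to. The manifest shape, the `Cookie-Consent` header name and the cookie names are all assumptions; the sample request and Set-Cookie values are constructed.

```javascript
// Added example (not from the thread or the paper). Names are assumptions:
// COOKIE_MANIFEST, the "Cookie-Consent" request header and the cookie names.

// Hypothetical per-site manifest: cookie name -> category. This is the
// "standard way to declare and categorize cookies" a browser could consume.
const COOKIE_MANIFEST = {
  session_id: 'essential',
  csrf_token: 'essential',
  _ga: 'analytics',
  ad_id: 'advertising',
};

// Client side: turn the browser's stored preferences into the header value.
// Essential cookies need no consent, so they are never listed; refusing
// everything non-essential is spelled "none" rather than an empty header.
function buildConsentHeader(prefs) {
  const cats = Object.keys(prefs).filter((c) => c !== 'essential' && prefs[c]);
  return cats.length ? cats.sort().join(',') : 'none';
}

// Server side: which categories may this request receive cookies for?
// No header means essential only: silence is not consent.
// DNT: 1 overrides the header for the two tracking categories.
function allowedCategories(requestHeaders) {
  const allowed = new Set(['essential']);
  const h = String(requestHeaders['cookie-consent'] || '').trim().toLowerCase();
  if (h && h !== 'none') {
    for (const c of h.split(',')) {
      const cat = c.trim();
      if (cat) allowed.add(cat);
    }
  }
  if (String(requestHeaders['dnt'] || '').trim() === '1') {
    allowed.delete('analytics');
    allowed.delete('advertising');
  }
  return allowed;
}

// Name of the cookie a Set-Cookie header value would create.
function cookieName(setCookieValue) {
  const eq = setCookieValue.indexOf('=');
  return (eq === -1 ? setCookieValue : setCookieValue.slice(0, eq)).trim();
}

// Filter outgoing Set-Cookie headers against the manifest and the consent.
// Cookies absent from the manifest are undeclared and therefore dropped.
// The own-property check matters: a cookie named "constructor" must not
// resolve to Object.prototype.constructor and be treated as declared.
function filterSetCookie(requestHeaders, setCookieValues, manifest = COOKIE_MANIFEST) {
  const allowed = allowedCategories(requestHeaders);
  const kept = [];
  const dropped = [];
  for (const value of setCookieValues) {
    const name = cookieName(value);
    const category = Object.prototype.hasOwnProperty.call(manifest, name)
      ? manifest[name]
      : undefined;
    if (category !== undefined && allowed.has(category)) kept.push(value);
    else dropped.push(name);
  }
  return { kept, dropped };
}

// Constructed sample: a client that consents to analytics but not advertising.
const sampleRequest = {
  'cookie-consent': buildConsentHeader({ analytics: true, advertising: false }),
};
const sampleSetCookies = [
  'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_ga=GA1.2.1234; Path=/; Max-Age=63072000',
  'ad_id=xyz; Path=/',
  'mystery=1; Path=/',
];
console.log(filterSetCookie(sampleRequest, sampleSetCookies));
```

Run with `node`, and the undeclared `mystery` cookie and the `ad_id` advertising cookie are dropped while the session and analytics cookies pass. The filter only helps where it is enforced by something the user trusts, the browser or a proxy under the user's control; a server that simply ignores the header is exactly the enforcement problem the thread is about, and zarq's reply below makes the same point.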
| zarq wrote:
| This would be so easy for shady tracking websites to circumvent
| scotu wrote:
| My favorite deceptive pattern I encountered is "double click the
| checkbox to disable". Literally a checkbox but it wouldn't do
| anything. I got a little frustrated and started clicking
| furiously just to discover that a double click would reliably
| disable the items...
|
| (I don't remember if this was on desktop or mobile, on mobile
| s/click/tap/g)
|
| Also, I personally lean towards being in favor of GDPR and cookie
| law (wish there were some improvements though); I'd like to say
| it just because every opinion you find is "GDPR useless", "cookie
| law bad"
| Guest42 wrote:
| Yes, seems as though those opinions are the loudest and perhaps
| it encourages the dissenters to stay quiet for fear of down-
| votes. I've noticed that with certain viewpoints and have
| adjusted towards censoring myself a bit. The crowd seems
| bimodal but perhaps that's the nature of the conversations and
| the voting tool reinforces that.
| Bakary wrote:
| Much of the audience benefits from this sort of manipulation
| and tracking, so it's normal they would be hostile to any
| cookie law
| MaxBarraclough wrote:
| The paper is paywalled. Is it freely available anywhere? _edit_
| arxiv's preprint: https://arxiv.org/pdf/2001.02479.pdf
|
| Also, off-topic: it's annoying that acm.org has now added a
| horizontal progress bar, similar to QuantaMagazine.org. I already
| know how far through the article I am, my browser shows me a
| scrollbar.
| xtracto wrote:
| > my browser shows me a scrollbar.
|
| It is useful for mobile browser users.
| justkez wrote:
| I recently purchased something from the official UK Nintendo
| Store [1]. I did not opt-in, and was not asked to opt-in, to
| marketing emails.
|
| Several days after purchase I received a marketing email with an
| Unsubscribe link.
|
| I submitted a GDPR enquiry and after a few weeks I get:
| Having investigated this matter fully, we can see that you were
| opted in as a result of a small technical difficulty which we are
| now fixing. We have taken action to set your marketing
| permissions to "no" as requested.
|
| I think we're so far past the GDPR "start date" that there's an
| apathy to it from companies and they're pushing the limits again.
| How Nintendo can have such a formalised GDPR enquiry process but
| such sloppy controls is beyond me. I will formally complain to
| ICO (UK data regulator) but I doubt it'll affect much.
|
| [1]: https://store.nintendo.co.uk/
| vMPQonVtAjLWmr wrote:
| Is the UK still subject to the GDPR now after Brexit?
| lmkg wrote:
| Yes, part of the Brexit agreement was the UK "domesticating"
| some parts of EU law by passing them as UK legislation. There
| is now a law called UK-GDPR, which is literally a copy-paste
| of GDPR, with names of EU institutions find-and-replaced with
| their UK equivalents.
|
| There are still some operational differences, around the fact
| that the UK regulators will not participate in the cooperation
| mechanisms that the other regulators will. This ends up
| mattering for businesses: a significant aspect of GDPR was
| that a company only ever had to deal with one regulator, but
| now they need to interface with one for the EU and a second
| for the UK.
| Nextgrid wrote:
| I believe GDPR is supposed to be implemented in every
| participating country's legislation, so the GDPR was
| implemented in UK law and this remains the case even after
| Brexit. Nothing prevents them from amending that law and
| repealing the GDPR's effects on it though.
| Nextgrid wrote:
| In the UK, there's another law called the PECR in place that
| _may_ supersede the GDPR in this case.
|
| I've had multiple merchants get back to me after such a
| complaint claiming that under the PECR they're allowed to send
| further marketing solicitations following a purchase.
|
| I haven't pushed it further so no idea if this is actually
| legal or if the GDPR supersedes it.
| matthewheath wrote:
| The Privacy and Electronic Communications Regulations
| (PECR)[1] do not _supersede_ GDPR as such, they sit alongside
| it.
|
| Section 22 is the relevant section they are hoping to rely
| on, specifically section 22(3) which allows them to:
|
| ----------
|
| (3) A person may send or instigate the sending of electronic
| mail for the purposes of direct marketing where--
|
| (a) that person has obtained the contact details of the
| recipient of that electronic mail in the course of the sale
| or negotiations for the sale of a product or service to that
| recipient;
|
| (b) the direct marketing is in respect of that person's
| similar products and services only; and
|
| (c) the recipient has been given a simple means of refusing
| (free of charge except for the costs of the transmission of
| the refusal) the use of his contact details for the purposes
| of such direct marketing, at the time that the details were
| initially collected, and, where he did not initially refuse
| the use of the details, at the time of each subsequent
| communication.
|
| ----------
|
| So in this case, they are obliged to let you withdraw your
| consent every time they email you. It is not a blank cheque
| for them to keep emailing you simply because you've purchased
| something; it is consent-based and therefore uses the same
| consent processes as the GDPR.
|
| --
|
| [1] https://www.legislation.gov.uk/uksi/2003/2426
| wojciii wrote:
| I complained about tv2.dk (I used to be a customer) sending me
| an e-mail after I deleted my user and told them not to send me
| e-mail. This was a really bad experience where their support
| attempted to make me login to the site which I refused to do
| since I removed my user previously.
|
| Then I sent them a GDPR request to remove all my info and
| complained to the Danish Data Protection Agency.
|
| I stopped receiving e-mail but got nowhere with my complaint.
| The agency wrote me that they didn't want to pursue this. Based
| on this .. I don't think that anyone is taking GDPR seriously
| and no one is trying to defend the small people (me!).
| switch007 wrote:
| This is absolutely /rife/ in my experience.
| lmkg wrote:
| Having seen how other companies make the sausage, I can take a
| guess.
|
| To Nintendo, marketing is not a "core" business function, so
| when the company was sorting out GDPR, no one invited them to
| the room and they didn't ask to be invited. When companies
| think about "what data do I have" they tend to get tunnel
| vision to their main business operations. I bet Nintendo has
| robust processes for their online gaming services. No one ever
| seems to think about the twenty dozen Google Analytics accounts
| they're all running, and a good fraction of them don't even
| think about their CRM systems.
| shadowgovt wrote:
| > How Nintendo can have such a formalised GDPR enquiry process
| but such sloppy controls is beyond me.
|
| Probably because only 1% of 1% of their customers even bother
| to notice. I'd be willing to bet money that you were the first
| person to discover this implementation error.
| GlitchMr wrote:
| I have a different issue myself. Despite having opted-in to
| marketing e-mails I never have obtained a marketing e-mail from
| Nintendo since then. Nintendo's website shows that I have
| agreed to "receive promotional e-mails". At one point I did in
| fact unsubscribe, but later I resubscribed. I think that there
| is a bug that sometimes causes promotional e-mail setting to
| not be updated in the newsletter database (maybe the server was
| down when I tried to change the setting, and Nintendo Account
| website quietly ignored the error).
| bombcar wrote:
| Main bulk mailing companies (iContact, Sendgrid) will make a
| blocklist for you of anyone who has unsubscribed - and if
| you're not careful about it once on you'll NEVER get off -
| and it prevents send to those addresses even if you later re-
| add them to your list.
| superjan wrote:
| Today's xkcd: https://xkcd.com/2432/
___________________________________________________________________
(page generated 2021-03-05 23:01 UTC)