Also while 73°C is a proper sauna, there are plenty of hotter ones. 90°C is closer to what I'm used to at my apartment building's common sauna. I do take two breaks when I'm there for 30 mins though.
For context, a statement from the legal experts who monitored the trial.
> It is our collective assessment that the jury verdict against Greenpeace in North Dakota reflects a deeply flawed trial with multiple due process violations that denied Greenpeace the ability to present anything close to a full defense.
I can't speak to the institution but the only public statements on their website relate to this particular trial. It could be this is the first ever trial they have monitored in this way; it might also be a group that will only ever monitor this one trial.
I guess I was expecting a Matt Levine-style breakdown of why the trial was run improperly and why an appellate court would be expected to strike it down. Instead we have vague statements that could have come from an elected’s staff.
Yeah we're dealing with a mud fight between two highly resourced adversaries who are practiced in bullshit underhanded tactics and influence operations.
Nah, it's one source of funding. The oil giants pump their money in bonkers opposition - one Greta Thunberg gluing herself to a public street does more damage to that cause than the whole of counter propaganda ever could. And it prevents the debate about reasonable measures like free public transport.
related topic -- "Judge shopping" refers to the practice of litigants strategically filing lawsuits in court districts or divisions where they are likely to be assigned to a judge sympathetic to their cause, often exploiting structural quirks in the judiciary
Most state courts randomly assign you a judge so it's not that simple; in some cases you can target certain districts in certain states where there are fewer judges (like the Texas patent judge). This is a trial in North Dakota because that's where the protests happened. I doubt they had many options in a single jurisdiction. The fallback for this stuff is of course a circuit court appeal.
Oil companies have been suppressing climate change research for decades to keep cooking the earth for profits. Is that not corruption? I suppose if you are economically exposed to these gains, don’t believe in climate change, and/or won’t be here for the bad times from this, the facts may not matter to your mental model. The facts remain that climate change is real and oil companies are doing their best to extract every bit of profit they can until we’re off of oil, regardless of the negative trajectories and outcomes from this.
Oil companies have a definite history of punching people and then suing them for running into their fist. But I should also point out that Greenpeace is the kind of shitty activist company that also does those kind of tactics, so an oil company suing Greenpeace leaves my priors as "I don't know which side is more likely right in this scenario."
You know, it's possible for these oil companies to have done all this bad stuff, and for Greenpeace to be a pretty shitty organization. And for the person to have a different mindset than all the strawman assumptions you just made.
Oil companies have done worse than that, but we're not talking about them right now we're talking about Trial Monitors Dot Org, the real authoritative source on this trial that has done literally nothing else.
Oil companies haven't done a damn thing. We are the cause of global warming. Every time we pump gas into our car, buy anything that came from far away, or use any technology dependent on oil. Blaming oil companies is childish garbage people do to avoid recognizing their personal share of the responsibility.
You know the carbon footprint concept was literally created by BP marketing, to place the blame for climate change on society, and distract from all the evil stuff they did to promote more fossil fuel consumption and sabotage climate science.
The blame is 100% on society, so BP is correct to place it there. If we wanted to reduce our CO2 output to near zero we could do that easily. But it turns out that we would rather have all of our modern conveniences, so this is 100% our fault. Blaming it on oil companies is like a murderer blaming Smith and Wesson.
You’re sadly making this a simpler issue than it actually is. There are countless industries that have used immoral tactics to make more money. That includes tobacco companies (lying about health benefits & consequences to smoking), gambling companies (misleading people about how much money they can expect to make), and, of course, oil companies (lying about how harmful gas is to the environment).
Using gas is not actually necessary to have all our modern conveniences. In fact, it is fucking stupid to rely on continuous resource extraction, deleting our fuel supply to create energy, when we can get it continuously for free from the environment with a minor up-front investment.
It is not 100% our fault. This is only like blaming it on Smith & Wesson if Smith & Wesson had created “pacifist guns” that allegedly solved societal violence, or if Smith & Wesson spent huge amounts of money trying to convince people that guns are not actually dangerous objects.
Blaming oil companies for the extremely well documented history of suppression of research and action into the impact of climate change is not childish.
Yes, and cigarettes, asbestos, lead in gasoline, and a few others, too. Clearly there is a place for education and coordinated action among the common people.
You are literally avoiding the topic (Greenpeace intentionally created a misleading authoritative-looking entity) to say "Oil bad! Boo oil companies!".
The facts remain that Greenpeace did in fact attempt to slander (legal definition) the big oil corp.
Maybe you support "win at all costs" in this fight, but don't pretend one side is pure and honest.
Well, let's not get into this left-right thing because that could go back and forth forever. Especially in the current environment.
eg - "As an outsider, why is [the jury and judge] a credible institution over the monitors?"
We should all just give the legal experts time to look over the records of what happened, and assess why. From there, a consensus will likely emerge as to what happened during and before the trial. And the justice or injustice of the matter will present itself.
But you can't have a judge say one thing and some other single expert say another, and from those pieces of information decide anything of an authoritative nature. Our institutions just don't have that type of credibility any longer. This is the consequence of credibility crises for any society's steward classes.
It was a long slide getting here, decades actually. But I think we are firmly now at the point of the "credibility collapse" portion of the "credibility crisis".
Witness as GP transfers out any remaining assets through crypto (we got hacked !), declares bankruptcy, and comes back with a new name, and Big Oil gets HOSED.
. . . She apparently will not go to jail because she is old, and it would be “sentencing her to die within the state prison system.” And hey, while she is accused of moving millions of dollars and various properties she owns to third parties to avoid financial penalties -- this Green Peace story the same take as the "70M Boomer" title below . . .
Why should I care what they think? Seriously, I'm so tired of seeing XYZ totally real and credentialed expert non government organization pop up in weird appeals to authority. They couldn't even be bothered to monitor any other trials for this one, this looks to be the only thing they've ever done.
It's a great story that documents the shifting winds of legal systems across continents.
My takeaway: there is zero consistency or absolute truth in any legal system.
"Human rights campaigners called Chevron's actions an example of a strategic lawsuit against public participation (SLAPP)"
"Chevron requested that the case be tried in Ecuador and, in 2002, the US court dismissed the plaintiffs case based on forum non conveniens and ruled that Ecuador had jurisdiction. The US court exacted a promise from Chevron that it would accept the decision of the Ecuadorian courts."
"A provincial Ecuadorean court found Chevron guilty in 2011 and awarded the plaintiffs $18 billion in damages. The decision was affirmed by three appellate courts including Ecuador's highest court, the National Court of Justice, although the damages were reduced to $9.5 billion."
But now, *Ecuador must pay Chevron* for damages:
"In 2018, the Permanent Court of Arbitration in The Hague ruled that the $9.5 billion judgment in Ecuador was marked by fraud and corruption and "should not be recognised or enforced by the courts of other States." The amount Ecuador must pay to Chevron to compensate for damages is yet to be determined. The panel also stated that the corruption was limited to one judge, not the entire Ecuadorean legal system."
I'm not sure that's an accurate description. Are "Human Rights" inherently left-wing? Is environmental protection inherently left-wing? Is political corruption inherently right wing?
This is of legal experts each with 30+ years of experience in the fields with which this trial is concerned (environmentalism, corruption, human rights abuses).
Perhaps anti-oil activists would have been a better term. That seems more plainly true to me.
They might or might not have had more valid cases in their respective pasts. But it doesn't seem right to me to term themselves "trial monitors" when they seem pretty plainly biased for one side of the trial. It would be more okay if they had some pro-oil attorneys on their board too, or called themselves "Greenpeace Defenders" or something.
I know, it's hardly the first or the most egregious case of deceptive naming out there. But it's still worth calling out in my opinion, especially when it is still, at the time of this writing, on the top of the HN thread about this, described as if they were unbiased legal experts.
> But it doesn't seem right to me to term themselves "trial monitors" when they seem pretty plainly biased for one side of the trial
We don't say that "human rights monitors" need to draft a few brutal dictators in order to provide a balanced take on genocide...
I'm not sure why "trial monitors" would suggest such a lack of bias either. Monitoring organisations are explicitly set up to ensure that a minority group under threat from a superior power are getting a fair shake.
The whole notion of the "tragedy of the commons" needs to be put to rest. It's an armchair thought experiment that was disproven at the latest in the 90s by Elinor Ostrom with actual empirical evidence of commons.
The "tragedy", if you absolutely need to find one, is only for unrestricted, free-for-all commons, which is obviously a bad idea.
A high-trust community like a village can prevent a tragedy of the commons scenario. Participants feel obligations to the community, and misusing the commons actually does have real downsides for the individual because there are social feedback mechanisms. The classic examples like people grazing sheep or cutting wood are bad examples that don't really work.
But that doesn't mean the tragedy of the commons can't happen in other scenarios. If we define commons a bit more generously it does happen very frequently on the internet. It's also not difficult to find cases of it happening in larger cities, or in environments where cutthroat behavior has been normalized
> A high-trust community like a village can prevent a tragedy of the commons scenario. Participants feel obligations to the community, and misusing the commons actually does have real downsides for the individual because there are social feedback mechanisms.
That works while the size of the community is ~100-200 people, when everyone knows everyone else personally. It breaks down rapidly after that. We compensate for that with hierarchies of governance, which give rise to written laws and bureaucracy.
New tribes break off old tribes, form alliances, which form larger alliances, and eventually you end up with countries and counties and voivodeships and cities and districts and villages, in hierarchies that gain a level per ~100x population increase.
This is sociopolitical history of the world in a nutshell.
"and eventually you end up with countries and counties and voivodeships and cities and districts and villages, in hierarchies that gain a level per ~100x population increase."
You say it like this is a law set in stone, because this is what happened in history, but I would argue it happened under different conditions.
Mainly, the main advantage of an empire over small villages/tribes is not at all that they have more power than the villages combined, but that they can concentrate their power where it is needed. One village did not stand a chance against the empire - and the villages were not coordinated enough.
But today we would have the internet for better communication and coordination, enabling the small entities to coordinate a defense.
Well, in theory of course. Because we do not really have autonomous small states, but are dominated by the big players. And the small states have mostly the choice which block to align with, or get crushed. But the trend might go towards small again.
(See also cheap drones destroying expensive tanks, battleships etc.)
Internet is working exactly the opposite way to what you're describing - it's making everything more centralized.
Once we had several big media companies in each country and in each big city. Now we have Google and Facebook and tik tok and twitter and then the "whatevers".
Yes, but there is a difference between having the choice of joining FB or not having a choice at all when the empire comes to claim you (like in Ukraine).
FB is part of the empire though, and it is coming for us.
canadians need an anti-imperial radio-canada run alternative. we aren't gonna be able to coordinate against the empire when the empire has the main control over the internet.
when the americans come a knocking, we're gonna wish we had chinese radios
> That works while the size of the community is ~100-200 people,
Yet we regularly observe that working with millions of people; we take care of our young, we organize, when we see that some action hurts our environment we tend to limit its use.
It's not obvious why some societies break down early and some go on working.
> Yet we regularly observe that working with millions of people; we take care of our young, we organize, when we see that some action hurts our environment we tend to limit its use.
That's more like human universals. These behaviors generally manifest to smaller or larger degree, depending on how secure people feel. But those are extremely local behaviors. And in fact, one of them is exactly the thing I'm talking about:
> we organize
We organize. We organize for many reasons, "general living" is the main one but we're mostly born into it today (few got the chance to be among the founding people of a new village, city or country). But the same patterns show up in every other organization people create, from companies to charities, from political interest groups to rural housewives' circles -- groups that grow past ~100 people split up. Sometimes into independent groups, sometimes into levels of hierarchies. Observe how companies have regional HQs and departments and areas and teams; religious groups have circuits and congregations, etc. Independent organizations end up creating joint ventures and partnerships, or merge together (and immediately split into a more complex internal structure).
The key factor here is, IMO, for everyone in a given group to be in regular contact with everyone else. Humans are well evolved for living in such small groups - we come with built-in hardware and software to navigate complex interpersonal situations. Alignment around shared goals and implicit rules is natural at this scale. There's no space for cheaters and free-loaders to thrive, because everyone knows everyone else - including the cheater and their victims. However, once the group crosses this "we're all a big family, in it together" size, coordinating everyone becomes hard, and free-loaders proliferate. That's where explicit laws come into play.
This pattern repeats daily, in organizations people create even today.
I get the feeling it's the combination of Schelling points and surplus. If everyone else is being pro-social, i.e. there is a culture of it, and the people aren't so hard up that they can reasonably afford to do the same, then that's what happens, either by itself (Hofstadter's theory of superrationality) or via anything so much as light social pressure.
But if a significant fraction of the population is barely scraping by then they're not willing to be "good" if it means not making ends meet, and when other people see widespread defection, they start to feel like they're the only one holding up their end of the deal and then the whole thing collapses.
This is why the tendency for people to propose rent-seeking middlemen as a "solution" to the tragedy of the commons is such a diabolical scourge. It extracts the surplus that would allow things to work more efficiently in their absence.
I’ve heard stories from communist villages where everyone knew everyone. Communal parks and property were not respected and frequently vandalized or otherwise neglected because it didn’t have an owner and it was treated as something for someone else to solve.
It’s easier to explain in those terms than assumptions about how things work in a tribe.
Even here, the state is the steward of the common good. It is a mistaken notion that the state only exists because people are bad. Even if people were perfectly conscientious and concerned about the common good, you still need a steward. It simply wouldn’t be a steward who would need to use aggressive means to protect the common good from malice or abuse.
> A high-trust community like a village can prevent a tragedy of the commons scenario.
No it does not. This sentiment, which many people have, is based on a fictional and idealistic notion of what small communities are like having never lived in such communities.
Empirically, even in high-trust small villages and hamlets where everyone knows everyone, the same incentives exist and the same outcomes happen. Every single time. I lived in several and I can't think of a counter-example. People are highly adaptive to these situations and their basic nature doesn't change because of them.
While an earlier poster is overstating Ostrom’s Nobel prize winning work — it is regularly shown that averting the tragedy of the commons is not as insurmountable as the original coining of the phrase implied.
Ostrom showed that it wasn't necessarily a tragedy, if tight groups involved decided to cooperate. This is common in what we call "trust-based societies", which aren't universal.
Nonetheless, the concept is still alive, and anthropic global warming is here to remind you about this.
She did not “disprove” the existence of the tragedy of the commons. What she established was that controlling the commons can be done communally rather than through privatization or through government ownership.
Communal management of a resource is still government, though. It just isn’t central government.
The thesis of the tragedy of the commons is that an uncontrolled resource will be abused. The answer is governance at some level, whether individual, collective, or government ownership.
> The "tragedy", if you absolutely need to find one, is only for unrestricted, free-for-all commons, which is obviously a bad idea.
Right. And that’s what people are usually talking about when they say “tragedy of the commons”.
People invoke the tragedy of the commons in bad faith to argue for privatization because “the alternative is communism”. i.e. Either an individual or the government has to own the resource.
This is of course a false dichotomy because governance can be done at any level.
It also seems to omit the possibility that the thing could be privately operated but not for profit.
Let's Encrypt is a solid example of something you could reasonably model as "tragedy of the commons" (who is going to maintain all this certificate verification and issuance infrastructure?) but then it turns out the value of having it is a million times more than the cost of operating it, so it's quite sustainable given a modicum of donations.
Free software licenses are another example in this category. Software frequently has a much higher value than development cost and incremental improvements decentralize well, so a license that lets you use it for free but requires you to contribute back improvements tends to work well because then people see something that would work for them except for this one thing, and it's cheaper to add that themselves or pay someone to than to pay someone who has to develop the whole thing from scratch.
Seconded. I tried hard to use Bazel in a polyglot repo because I really wanted just one builder.
Unfortunately, the amount of work you need to just maintain the build across language and Bazel version upgrades is incredibly high. Let alone adding new build steps, or going even slightly off the well-trodden path.
I feel like Bazel would need at least 5 more full-time engineers to eventually turn it into an actually usable build tool outside Big Tech. Right now many critical open source Bazel rules get a random PR every now and then from people who don't actually (have time to) care about the open source community.
My go-to now is to use mise + just to glue together build artifacts from every language's standard build tools. It's not great but at least I get to spend time on programming instead of fixing the build.
Yes, each of the big techs has teams that just work on the build systems, however it should also be noted that none of the big tech use the open source Bazel, Google uses Blaze internally which is what Bazel is derived from, Amazon uses Brazil which has nothing to do with Bazel and Meta uses Buck, which I know nothing of so I won't comment on it.
The major issue I found when trying to use Bazel was that it's essentially a build system without specific rules for each language, hence rules support for each specific language is dependent on each language's specific community, most of which are quite tiny, and mostly maintained by upstreaming changes from their individual companies, servicing their own needs, hence a lot of work is required to make it work for your own company's needs.
Notice the phrase "from a moral standpoint". You can't argue against a moral stance by stating solely what is, because the question for them is what ought to be.
Really depends what the moral objection is. If it's "no machine may speak my glorious tongue", then there's little to be said; if it's "AI is theft", then you can maybe make an argument about hypothetical models trained on public domain text using solar power and reinforced by willing volunteers; if it's "AI is a bubble and I don't want to defraud investors", then you can indeed argue the object-level facts.
Indeed, facts are part of the moral discussion in ways you outlined. My objection was that just listing some facts/opinions about what AI can do right now is not enough for that discussion.
I wanted to make this point here explicitly because lately I've seen this complete erasure of the moral dimension from AI and tech, and to me that's a very scary development.
> because lately I've seen this complete erasure of the moral dimension from AI and tech, and to me that's a very scary development.
But that is exactly what the "is ought problem" manifests, or? If morals are "oughts", then oughts are goal-dependent, i.e. they depend on personally-defined goals. To you it's scary, to others it is the way it should be.
Looking at these comments, it's painfully apparent how many think that being polite in your communication is more important than actually doing something.
I agree it would have been nicer if the message was more polite. But if you compare that to having the backbone to follow through with meaningful long-term changes against a corporation you don't trust or respect, there shouldn't even be a discussion.
And don't even get me started with the people who come in here just to point out that Codeberg isn't perfect either.
> I agree it would have been nicer if the message was more polite. But if you compare that to having the backbone to follow through with meaningful long-term changes against a corporation you don't trust or respect, there shouldn't even be a discussion.
You’re framing it as either/or when it isn’t. You can push for real change and communicate like an adult. The two aren’t in conflict; often they reinforce each other.
> The two aren’t in conflict; often they reinforce each other
I’d think they _are_ inherently in conflict. Every person has 24 hours per day, and they can spend them on researching and doing what’s right or on reaching consensus. There is some mutual reinforcement to some extent (as it’s usually right to have a reasonable consensus on what’s the right choice), but beyond some basic level there’s always a tradeoff.
And for programming language designers, I really appreciate when they make the right long-term choices even if I don’t understand initially why they were made.
The fetish for "manners" has stood in the way of every single positive societal change. It's exactly what MLK meant with the white moderate favoring a negative peace over positive change:
the Negro's great stumbling block in his stride toward freedom is not the White Citizen's Counciler or the Ku Klux Klanner, but the white moderate, who is more devoted to "order" than to justice; who prefers a negative peace which is the absence of tension to a positive peace which is the presence of justice; who constantly says: "I agree with you in the goal you seek, but I cannot agree with your methods of direct action"
MLK was, of course, famous for hurling vitriolic personal insults at people he disagreed with.
You should really take a step back and consider if MLK’s struggle for racial equality is an appropriate point of comparison for an open source project deciding to change to a different CI provider.
> You should really take a step back and consider if MLK’s struggle for racial equality is an appropriate point of comparison for an open source project deciding to change to a different CI provider.
To the type of nerds who crash out about a git hosting provider and publicly insult other developers, moving off GitHub might even be more meaningful than whatever MLK did.
> it's painfully apparent how many think that being polite in your communication is more important than actually doing something.
The Zig maintainers think that, too, thus the presence of a Code of Conduct on their website. But, as always, it's a "rules for thee, but not for me" situation - if the author was called a "monkey" by someone else, I can guarantee he would invoke the CoC to call them out, but when he does it, it's fine.
Nobody thinks that. They just don't think that "doing something" gives you an excuse to be an arsehole. Especially if you are hypocritically violating your own CoC.
Yes, it does. Given the choice of having a coworker that's a very nice 0.1x engineer and having a bloody annoying one that's a 10x I'll work with the 10x any day.
The internet has evolved such a Newspeak, censor-driven culture, it's sad to see. I want people to be able to tell each other "I think this is shit and here's why".
Politeness is free and easy, it's not a big ask and it's certainly not an either-or.
I wouldn't even call it politeness, it's more like basic human decency. Would Andrew Kelley appreciate it if the LLVM guys publicly wrote a blog post calling the Zig maintainers losers and monkeys? Just screams of immaturity, which isn't surprising seeing their political views.
Just the fact of someone migrating a project to another platform during the last week of November suggests that last straws were involved. That’s more of a January or a June thing than November/December.
Fury can be a powerful motivator to commit to doing something you’ve been putting off. It also means your community announcement is going to be pretty spicy, unless you let someone else write it.
> it's painfully apparent how many think that being polite in your communication is more important than actually doing something
I absolutely agree, but people in charge of large projects/groups, in any context, should know better than to put their personal feelings and opinion on topics into the "corporate" messages they are putting out. I am guilty of this myself, no one is holier than thou, but still. AK should know better.
This. The round & slimy language is what big corps do. I don't like how this post is written – but what really matters here is that they are doing a good job moving away from GitHub. I hope more OSS does this.
> the moment I can get a project up on its legs, to where I can interact with some substantial part of its functionality and refine it, I'm off to the races. [...] This is the part where I simply don't understand the objections people have to coding agents.
That's what's valuable to you. For me the zero to one part is the most rewarding and fun part, because that's when the possibilities are near endless, and you get to create something truly original and new. I feel I'd lose a lot of that if I let an AI model prime me into one direction.
It's not FUN building all the scaffolding and setting up build scripts and all the main functions and directory structures.
Nor do I want to use some kind of initialiser or skeleton project, they always overdo things in my opinion, adding too much and too little at the same time.
With AI I can have it whip up an MVP-level happy-paths-only skeleton project in minutes and then I can start iterating with the fun bits of the project.
> I can build anything, but often struggle with getting bogged down with all the basic work. I love AI for speed running through all the boring stuff and getting to the good parts.
I'm in the same boat (granted, 10 years less) but can't really relate with this. By the time any part becomes boring, I start to automate/generalize it, which is very challenging to do well. That leaves me so little boring work that I speed run through it faster by typing it myself than I could prompt it.
The parts in the middle – non-trivial but not big picture – in my experience are the parts where writing the code myself constantly uncovers better ways to improve both the big picture and the automation/generalization. Because of that, there are almost no lines of code that I write that I feel I want to offload. Almost every line of code either improves the future of the software or my skills as a developer.
But perhaps I've been lucky enough to work in the same place for long. If I couldn't bring my code with me and had to constantly start from scratch, I might have a different opinion.
> By the time any part becomes boring, I start to automate/generalize it, which is very challenging to do well. That leaves me so little boring work that I speed run through it faster by typing it myself than I could prompt it.
The two aren't mutually exclusive. You can use AI to build your tooling. (Unless it's of sufficient complexity or value that you need to do the work yourself)
The time spent on the tooling is very low. Using AI for that would be like renting a flamethrower because a couple of times a year I like to go camping and light a fire. I'd rather just use a lighter.
Exactly. If they indeed only use the cookie for essential functionality, this kind of joke banner only makes their choice to respect visitors' privacy equally annoying.
Even worse: because it makes it seem like the EU law is just meritless pestering of people, they are actually fighting for the right for worse sites to spy on their visitors.
It is that. It has done literally nothing to improve anything whatsoever, in any country. And most of the "cookie management" scripts that people use, barely even work. Both the law and the way it's complied with in practice are a dumb solution to a problem that the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies, and it would be trivial for the user to be shown a dialog when they navigate to a previously-visited site in a new session saying:
Last time you were here, the site stored information that may help them recognize you or remember your previous actions here.
< I want to be recognized > / < Forget Everything >
[ ] Also keep these third-party cookies <Details...>
[x] Remember my choice and don't ask again for ycombinator.com
The EU law is fine, the implementation used isn't. But never blame the EU laws for cookie banners; the law does not mandate banners at all, let alone the ones full of dark patterns to nag you into accepting anyway. That's all the industry.
The industry could have come up with a standard, a browser add-on, respect a browser setting, etc but they chose the most annoying one to pester you, the user.
> let alone the ones full of dark patterns to nag you into accepting anyway.
In fact the law pretty explicitly disallows dark patterns like that. Of course tech companies have a loosey-goosey relationship with the law at the best of times.
> In fact the law pretty explicitly disallows dark patterns like that.
Yes. For "cookie banners" the law in fact forbids giving "Reject all non-essential and continue" less visual weight than "Accept all and continue", let alone hiding it behind "More details" or other additional steps.
It also requires consent to be informed (i.e. you need to know what you're agreeing to) and specific (i.e. you can't give blanket consent, the actual categories of data and purposes of collection need to be spelled out) and easily revocable (which is almost never the case - most sites provide no direct access to review your options later once you've "opted in").
One good example I can think of for a "cookie banner" that gets this right is the WordPress plugin from DevOwl: https://devowl.io/wordpress-real-cookie-banner/ (this is not an ad, but this is the one I've been recommending to people after having tried several of them) because it actually adds links to the footer that let you review and change your consent afterwards.
EDIT: Sorry, I first misread "disallows" as "allows". I've amended my reply accordingly.
Yeah, and only when (I think) Google got a hefty fine did the banner implementations start to add an instant "opt-out" button. The tech companies really try to skirt the rules as closely as possible.
I'm glad I'm not in EU legal, it's gotta be like dealing with internet trolls ("I didn't ACTUALLY break any rules because your rules don't say I can't use the word "fhtagn"")
I feel like the #1 problem with the cookie law is that the vast majority of websites need to do something in order to comply while keeping their business model and the law hasn't provided a clear direction for how to comply with it.
If they had done that, nobody would be making cookie banners wrong.
Kind of. The intent is good and the wording disallows some of the dark patterns. The challenge is that it stands square in the path of the adtech surveillance behemoths. That we ended up with the cesspit of cookie banners is a result of (almost) immovable object meeting (almost) irresistible force. There was simply no way that Google, Facebook et al were ever going to comply with the intent of the law: it's their business not to.
The only way we might have got a better outcome was for the EU to quickly respond and say "nope, cookie banners aren't compliant with the law". That would have been incredibly difficult to do in practice. You can bet your Bay Area mortgage that Big Tech will have had legions of smart lawyers poring over how to comply with the letter whilst completely ignoring the intent.
Yes, this sounds good. This sounds like something desirable. I mean, this is the expectation literally everywhere else so... why not the web?
Also, data collection is fully a choice. You can always choose not to. I've built websites with logins and everything and guess what - no cookie banners necessary. Just don't collect data you don't need.
> GDPR requires informed consent before collecting data.
And this is a good thing, no? I certainly think so.
> It's a wonder we don't have to force everyone through an interstitial consent page.
If the information being tracked is truly essential to the site/app (session management and authorisation data for instance) then no consent is needed, for anything else ask before you store it, and most certainly ask before you share it with your “partners” or anyone else.
There's obviously a lot more real world than they can codify into laws and examples but I think if you can get consent, you should get consent. The ICO:
> Private-sector or third-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must avoid doing anything they would not expect, ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.
Session tracking, storing account information, addresses, etc all seem obvious in any e-commerce system but you still have every opportunity to notify and consent that data collection.
I think you and I both think that data protection is a good thing, I'm just a little more wary of leaning on legitimate usage* as a way to skip formal consent.
I'm definitely not in favour of the “legitimate interest” bollocks. There is a significant difference between “absolutely necessary for running the site/app” and “we see your desire to not be tracked, but we want to track you anyway so we are going to make you click a bunch more things to opt out again, because fuck you and your silly little privacy”.
Many websites are free because they survive from ads. Ads make more money if you collect data. The EU law essentially cut the revenue of all these websites. Their choice is to not collect data (meaning less revenue) or show a popup (meaning more bounce rate, which means less revenue).
People who think this is a good thing are being short-sighted. That's because this law mainly affects websites that host information that visitors visit from clicking on links on the web. If a website is like Facebook or Youtube, where users must sign up first or probably already have an account, they will be able to collect data for ads with or without banners since they have their own ToS for creating an account, and they can infer a lot from how the user uses their services.
I'm not saying privacy regulation is a bad thing. It made countless businesses reconsider how they handle people's data. But it's clear to me that there are two problems.
First, this regulation hurts all the small websites that need to exist in order for us to have a healthy "web." A lot of these are making only barely their hosting costs in ads, so there is no way they can afford the counsel to figure out how to comply with laws from another continent. If we had another way to support these websites, this wouldn't be a problem, but ads are really the lifeblood of half of the internet, and almost nobody wants to donate or pay a subscription.
Second, this regulation doesn't even really protect people's private data in the end, which may give users a false sense of security because they have the GDPR on their side. I forgot the name, but there was a recent gossiping app that required the user to upload a photo in order to sign up, which should be deleted afterwards, but they never deleted it and when the app was hacked the attacker had access to photos of all users. It's the same thing with GDPR. We can tell when a website is clearly not complying with the GDPR, but there is no way to tell if they actually complied with the GDPR until the server gets hacked.
Even the way they comply with GDPR isn't enough to protect users' privacy, e.g. if you have an account on Discord and you want your data deleted, they will simply turn every post you made into an "anonymous" post. This means if you sent a message that discloses your private information on Discord, that will never get deleted because it's outside the scope of compliance. You could literally say "Hi, my name is XYZ, I live in ABC" and they won't delete that because you consented to provide that information, they will just change your username from "xyz" to "anonymous" or something like that.
I still wonder what are the actual benefits of GDPR with these cookie banners when 99% of the users just stay on Facebook and Youtube anyway.
> Many websites are free because they survive from ads. Ads make more money if you collect data.
My business is to get money out of other people's wallets and bank accounts. I could make much money if you just logged into your bank account and approved transactions whenever I told you to, or screamed less whenever I took the wallet out of your pocket on my own.
That there's a way to earn more money does not justify it as a legitimate thing to do, and if you can't figure out how to run a service in legitimate ways, that does not mean that illegitimate ways that attempt to violate its users in secret suddenly become okay.
Like I said, GDPR only stops the smallest websites from doing that, and in most cases they're barely a "business," they're just some website that gets paid only enough in ads to cover its hosting costs so that the webmaster doesn't have to pay money on top of time to publish information for free for everyone on the internet.
The largest websites will still "violate its users in secret." That's why I don't think GDPR is as useful as people purport it to be.
You're going to get force-fed ads optimized via collected data either way. The only question is whether small websites will exist that rely on third-party ad networks or only Facebook and Youtube will exist because they have first-party ad delivery systems. I don't think the latter is healthier than the former. Do you?
I read an interview with a bunch of different young people. They all basically said "I just click 'yes' or 'accept' automatically". It sounded like they all believed that this was something they had to do in order to get to the content.
Bad implementation of the EU law indeed, as another comment said. It fails the purpose completely and just creates more problems for nearly everyone.
In some cases is how I would state it. It's actually very rare that you have to consent to 'accept all cookies' to read content, I've never actually seen it myself. 'Pay if you want to read more' is common, for certain types of sites.
Yep, it baffles me that a lot of people would rather not have the option to reject cookies. It's weird to say "I don't want to stop a website tracking me because the UX is terrible. I'd rather get tracked instead.".
Of course, it would be better if the UX were even better, but I'd rather take something over nothing.
> Yep, it baffles me that a lot of people would rather not have the option to reject cookies.
Back in the day browsers offered this natively. When the advertising companies started building browsers there was a lot of incentive to see that go by the wayside of course...
But the earlier comment isn't saying that you shouldn't have options, rather that the law needs to be more specific, such as requiring browsers to work in coordination with website operators to provide a unified solution that is agreeable to users instead of leaving it completely wide open to malicious compliance.
These kinds of laws need to be careful to not stifle true innovation, so it is understandable why it wanted to remain wide open at the onset. But, now that we're in the thick of it, maybe there is a point where we can agree that popup dialogs that are purposefully designed to be annoying are in violation of the spirit and that the law should be amended to force a better solution?
> that the law needs to be more specific, such as requiring browsers to work in coordination with website operators
1. The law isn't about browsers or websites. It equally applies to all tracking. E.g. in apps. Or in physical stores.
2. The world's largest advertising company could do all you describe. And they do work with websites. First by repackaging tracking through FLoC. Then by just simply repackaging tracking and calling it privacy: https://x.com/dmitriid/status/1664682689591377923
> It equally applies to all tracking. E.g. in apps. Or in physical stores.
Obviously. And where there are problems in those domains equal specificity would be asked for. But since we're talking about in the context of browsers specifically...
Cookies don't matter. There are many different ways to track users without using cookies even when talking about browsers specifically. But what does matter was already discussed. Are you reading comments in complete isolation again or what? There is a context that has been built up.
> Cookies don't matter. There are many different ways to track users without using cookies
Oh look. Here's what I wrote:
--- start quote ---
The law isn't about browsers or websites. It equally applies to all tracking. E.g. in apps. Or in physical stores.
--- end quote ---
> But what does matter was already discussed. Are you reading comments in complete isolation again or what? There is a context that has been built up.
This is literally the only thread around your comment. There are dozens of other discussions, yes. I was specifically replying to your comment, and expecting replies within the context of your comment.
A historical law that hasn't had anything to do with the discussion since conception isn't about browsers, but the discussion about how future laws might improve upon 'malicious' use of browsers is. Said 'malicious' use of browser isn't about cookies, though, so such a new law would not be written about cookies anyway, so where do you think cookies even fit?
> I was specifically replying to your comment
You replied to it in a mechanical sense. But you did not reply to the content of it. And now are apparently doubling down on that even after it was brought to your attention...
In practice these banners regularly break. They are hard to click on certain devices where the button is off screen. If they use JavaScript and there is an error elsewhere, you can’t hide them. And I regularly see them over and over again on the same sites because for some reason they can’t track me effectively for this purpose.
In short they are a regular minor annoyance that does take time and effort.
Seems like it's working then? Because the website chose to (optionally) track you, you need to go through a minor annoyance to accept it. You're effectively making a choice that you're fine with this annoyance (since you keep using the website) and since you're accepting it, you're fine with being tracked.
Other people already get two choices to make here which they didn't get before, which is a win in my book. Seeing the banner, you can decide to avoid the website and if you still wanna use the website, you can choose if you allow them to track you by PII or not.
I get the choice, but I make the choice I like less because it is more convenient to make it. If we only look at the positives, then the situation is better. But we have to look at the cost, and there is a cost, in terms of time and mental effort, to read the banner, figure out what the choices are, and if I am not accepting all cookies, how to go through the process of rejecting some of them. Sometimes it's very involved.
Also, I am an educated consumer and understand what a cookie is. Most people do not and do whatever is necessary to make the consent screen go away. Because of that, effectively they don't get this choice.
As one of the parent posts said, if it was implemented on the browser level, I would get the choice, and the cost of making the right choice would be smaller. If the defaults were to "reject unnecessary cookies" then most of the population would get the benefit.
The way it is right now feels like a net negative. Most people don't know what the consent is about and will not spend the time to learn it. Companies still find ways to track you that agree with the letter but not the spirit of the law. I have friction whenever visiting a new website (or an old one that forgot my choice). The only winners are people who don't value their time and are smart enough to understand cookie consent. That's a small percentage of the general population.
I do click yes. It still wastes my time since especially on mobile they obscure at least 1/3 of the viewport. They're just like the other popups that are now on most every site: The "Sign up for our newsletter" or "Get 10% off by signing up for emails", the paywall, the "It looks like you're using an adblocker."
There's a reason people have always hated popup ads even though "just close them" has always been an option.
You should understand that the law doesn't mandate the cookie popup to be annoying. It's a deliberate choice of websites, they want you to hate the banner and the law.
I've implemented them. The sites hate them as well. They do it because there are whole law firms now who just troll for clients with ads that say "Did you shop at <BRAND>? Your privacy may have been violated!" and file suits under CCPA, etc. The "violation" was some technicality of a cookie banner. Then the site operator has to pay attorneys and pay a settlement, which pays the plaintiff attorneys. At the end of the day, the "plaintiffs" were never "harmed" at all -- some boring usage data of an ecommerce website or something was put into a Google Analytics dashboard so that some marketer could maybe analyze conversion rates.
I have seen a ton of these ads in the past few years.
All these laws have done is created a ton of wealth for lawyers.
Well, it works, so it doesn’t matter that it’s the website owners doing it, since in practice the frustration lands on the EU lawmakers. That just makes the law bad: it doesn’t really prevent anything, and it leaves people a little more anti-EU.
You and maybe others keep saying that. I assure you, we don't choose to use them.
If you want to operate an ad-supported site, you need that consent. Untargeted ads are pointless and they don't make money. If you disagree, can I interest you in some brake pads for a Toyota Corolla? How about a dental chew for elderly cats? No? ok.
If you operate an e-commerce site or a SaaS of some kind, you probably need to advertise it online. To have traffic land on your site from advertising, you need to have ad network 'pixels' on your site. That's what they require. If you won't comply, then you can't advertise and you probably can't get many customers.
Websites which need neither are called "hobby sites." I'm very happy for the personal blogs which use no analytics, have no need to remember anyone or collect any "data." The sites showing the cookie banners are not that. They need to make money in order to exist.
> Untargeted ads are pointless and they don't make money. If you disagree, can I interest you in some brake pads for a Toyota Corolla? How about a dental chew for elderly cats? No? ok.
Why didn’t you instead suggest server space or a novel automation tool? You know, things relevant to people visiting HN.
That’s how untargeted ads work. You don’t simply advertise anything anywhere, you advertise relevant things to relevant communities. Advertise the brake pads on a community of car enthusiasts and the cat chew on pet forums.
Under German law, the BGB (Bürgerliches Gesetzbuch, German civil law book defining most private laws) provides very specific and concrete provisions for liabilities and duties in most business transactions and commercial exchanges of goods and services and even employment. It's not necessary to agree to formal contractual obligations in writing for most service agreements unless you want to add additional obligations or explicitly waive ones prescribed by the BGB (and some in fact can't be waived or not entirely) - if you can prove an agreement was made that falls under the BGB's laws, those laws apply to it regardless of the existence of a written and signed contract. And yet it's extremely uncommon not to have a written contract for serious business relations and most contracts explicitly insist on signatures (in fact in German contract law, the legal phrase "in Schriftform", literally "in writing", is defined in such a way it specifically requires a document signed by both parties whereas for "in Textform", literally "in text", even an e-mail or text message would be sufficient).
It's not cookie banners that are wasting productivity, it's mutual distrust and the need to protect against it. "Cookie banners" (or more correctly: consent forms) are legal contracts. The reason they are often so annoying to navigate is that the companies that built them want to try to trick you into agreeing to things you have no interest in agreeing to or might even have an interest in not agreeing to. Technically the law forbids this but it's still more profitable to risk the fine than to abide by the law.
Or to put it another way: there's no honest reason to require a consent form to let you read an article. The consent form isn't for reading the article, it's for what the site wants to do to you (or your data - which includes all data collected about you because the GDPR defines that as being yours, too) while you're reading the article.
The GDPR doesn't make you waste time on cookie banners. The GDPR grants you ownership of all personally identifiable information of you and about you - it creates legal rights and protections you previously didn't have. Cookie banners exist because companies want to infringe upon those rights. Most cookie banners are difficult to navigate because most companies don't want you to understand what you're agreeing to (and on second order because they want you to blame the law granting you rights rather than them for infringing upon those rights).
> there's no honest reason to require a consent form to let you read an article.
Respectfully, this is untrue. The article is there because of the ads that pay the bills. Without ads there is no article and no site. Without consent, under these laws, the ads can only be useless ads that no advertiser wants to pay for, which means they either can't sell the ad space at all, or have to sell it for $0.0001 CPM hoping that like, Coca Cola will want to just remind the readers that Coke exists and not care too much if anyone even clicks it.
> Without consent, under these laws, the ads can only be useless ads that no advertiser wants to pay for, which means they either can't sell the ad space at all, or have to sell it for $0.0001 CPM hoping that like, Coca Cola will want to just remind the readers that Coke exists and not care too much if anyone even clicks it.
When behavioral targeted advertising was new, it vastly outperformed previous ad networks which used a spray-and-pray approach and paid by impressions. In the years (decades?) since, the payouts for behavioral targeted advertising have dropped significantly. "Untargeted" ads on the other hand have mostly vanished simply because the ad networks that used them have moved on to behavioral ads where they had to compete with mass data harvesters like Alphabet and Meta, mostly unsuccessfully.
Behavioral targeted advertising also doesn't live up to its promise for consumers. Nowadays most actual ads people get are either trying to sell products they already purchased or outright fraud - the rest is the same generic drivel that you would expect without targeted advertising. The reduction in tracking surface from sites that don't require these ads to operate (e.g. sites that previously fed into networks like Google's via unrelated services that can now no longer be legally used for that purpose and require opt-in) also means the targeting will become increasingly worse.
The GDPR does allow for making behavioral ads conditional to accessing content, by the way. But it requires providing the user with the option to instead pay for the content. The problem a lot of companies like Meta run into is that it also requires the price to be proportionate to the lost advertising revenue - Meta is infamous for having priced its "ad-free" tier orders of magnitude higher than their actual value of an individual user.
That said, what is killing this kind of site isn't users deciding not to give away their data but services like Google scraping their content and pre-empting user traffic to their websites entirely - first via news feeds and search summaries and now via "AI enhanced search". The ad-driven business model is dying and has been dying for a long time, the GDPR just puts limits on what can replace it. Google wasn't paying sites because it wanted to sell ads, Google was paying sites because it needed access to their users' data.
You also can't have capitalism without bureaucracy. There's no such thing as stateless capitalism because states allow for capital to exist. Without states, you'd have to justify your claims to your peers and anything in excess of what you can justify for personal needs would be considered hoarding and wasteful. And in order to have a state, you need bureaucracy to structure the operation of that state for it to act as a cohesive entity.
Rights don't make sense without bureaucracy because they only have meaning when you deal with them at that layer of abstraction. You can't respect and infringe "rights" interpersonally. You can act ethically or unethically, you can be nice or a bit of a dick, you can harm or help. But rights only become necessary as a concept when you have processes that need to interact with them and abstract entities that uphold and enforce them. Rights allow you to sue or call the police. But without rights you can't have capitalism. States enforce property rights literally at the end of a gun (and this includes "state property" too in case you were wondering about so-called "communist" states).
Dude, I was in France and browsed to a page and it was a full page cookie modal with like 3 buttons and all these sliders. Turns out everywhere in the EU has these insane page things.
I don't agree. It is the main way I am being informed that some sites I attempt to use, share my data with thousands of external partners, for no relevant function. I do not believe this information would be divulged to me and the public, if voluntary.
The public is mistreated in innumerable ways, starting by not letting them know it is happening.
> the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies
This is only an option if you limit tracking to using cookies. But neither tracking technologies, nor the current EU law, are limited to tracking via cookies. It also kills functionality for many web applications without also accepting all tracking. Some browser-flavors went to extreme lengths to prevent tracking through other means (eg fixed window size, highly generic header settings, ...).
Maybe I am mistaken, but it seriously frustrates me how much people within the relevant field make this mistake of conflating tracking and cookies and come to this "it would be so simple" solution.
A welcome update to the law would be to allow a header flag to opt out/in (or force the do-not-track header to have this functionality) preventing the banner from showing.
The pessimist in me thinks a legally enforced header and corresponding browser setting (so that the user wouldn't have to make an explicit choice per website) would have met enough pushback from businesses for the EU to back down to something with the infinite stupidity of the current solution.
Maybe we could move towards that end in small steps. The EU should start by banning irrelevant non-sequiturs like "We value your privacy" and other misleading or at best distracting language. It can then abandon the notion that users are at all interested in fine-grained choice, and enforce that consent and non-consent to non-essential statekeeping are two clearly distinguished and immediately accessible buttons. No one wants to partially block tracking.
It seems as though the EU is operating under the notion that this is all a matter of consumer choice, as though any informed consumer would choose to have tabs kept on them by 50 trackers if not for the inconvenience of figuring out which button stops them.
I know it'll be considered a hot take, but I'd argue that people don't even know what "tracking" in the Internet context even means enough for their supposed "preferences" about it to be valid.
90% of non-tech-nerds have this simple of an opinion about it:
1. Retargeting ads are "creepy" because ... "they just are"
2. Retargeting ads either annoy me because I think they're dumb in that particular instance ("I already BOUGHT a phone case last week, it's so dumb that it keeps showing me phone cases all day!") or because they're too good ("I gave in and bought the juicer after I kept seeing those ads all around the web") and I don't like spending money.
The rest of "tracking" they don't even know anything about and can't verifiably point to any harms.
Data brokers acquire data from thousands of different sources - many of which aren't stemming from Internet usage - and most of the browser data relevant here isn't tied to their actual name and permanent identity (and doesn't need to be to serve its purpose which is usually "to show relevant ads" and the more specific case of "to get people to come back and buy things they saw").
Honestly, just like people are annoyed by pushy car salesmen, and being asked for a "tip" at a self-order kiosk counter-service restaurant, they are going to be annoyed about aspects of the commercial Internet, and it doesn't automatically mean that they're being victimized or that they need regulations to try to help.
The law isn't there to make you less annoyed, but to protect society and the people. What gripes uninformed individuals may or may not have with the practice based on their surface level understanding are irrelevant to the effects it has on society. That someone uninformed about it can't point to any harms is not a useful observation.
The entire point of the law was to make websites using extraneous cookies and tracking annoying to use. It's not something that can be solved in the browser _at all_. What I guess no one expected is that most websites would just decide to go on and pester their users rather than stop the tracking -- and that users would still continue using those websites.
> It has done literally nothing to improve anything whatsoever, in any country
That’s because of malicious compliance from all the websites/advertisers. I guess that is partly the lawmakers’ fault for not pre-empting that; but much larger blame lies on the industry that refuses to grant user privacy.
Blaming the industry for it doesn't change the reality that the law has done very little to improve the thing it was aimed at and made the internet worse for users (and developers) with all the banners. By any objective measure its outcomes are terrible - lawmakers should do better than just throwing out things like that.
Very little? The norm used be to slap google analytics on everything. Suddenly everybody thinks about compliance — especially those who didn't even have idea there was something wrong.
Many sites ditched tracking altogether so they don't have to have banners. Everybody is aware of GDPR so you can be pretty confident that when european site has no banner it doesn't track you.
Could the law be better? Sure I would love to ban tracking altogether. But this was lobbied to hell by ad companies. Everybody was kicking and screaming because they want all the data. And we still got something that helps. That is a win.
And you can see how the industry hates it in the way they implement the banners. It is annoying and confusing on purpose. You could comply in a nice way but when you need to share the data with your 141 ad partners and each one gets their own checkbox… good luck.
Same reason nobody was respecting the don't track me flag. The industry is absolutely and exclusively to blame here.
Law was created as response to advertisers invading privacy, are you arguing that unchecked invasion of your privacy is worth it? If anything unchecked invasion of privacy wasted all of those hours plus hours of work of lawmakers plus hours of work while implementing all that advertising in the first place…
in what way is it malicious compliance? the law just requires you ask for consent. that’s exactly what companies do. some companies violate the law by asking for consent in a way that is misleading or incorporates dark patterns. but if the law says “you must ask for consent before you do X” and companies ask for consent before they do X, that is just compliance, not malicious compliance.
As an example of true malicious compliance, some companies intentionally add trace amounts of allergens to all their food, that way they can just claim that all their food contains allergens and not be at risk of being accused of improper labeling. but the intention of the law requiring accurate labeling was clearly not to get companies to add more allergens to their food. it requires a level of creativity to even think of complying like that. It requires zero creativity to think “this law requires user consent before tracking, so let’s ask for consent”.
Have you seen the 300 individual checkboxes you need to disable? Or the hoops that the advertising industry went through to claim that “Do-Not-Track” didn’t count for:
> In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
The malicious compliance is more that they all refused to add the one-click opt-out until a high-profile enforcement against Google brought them to heel.
The "malicious" compliance came from the trick that accepting / opting-in was fast and almost instant, but rejecting / opting-out was a slow and arduous process, and it required lawsuits and fines [0] for companies to comply.
I found a website that lists all fines handed out for violating the GDPR: [1]
How would that prevent sites from selling their users' data to third parties without consent server-side? GDPR is not about third party cookies, but about requiring informed consent.
It’s because those were made to be a bad solution by the very advertising companies wanting people to be denied their rights and making it look like the law is bad instead of the implementation being bad.
The 'selling of data' is separate of course, but the banners do nothing to actually ensure that they aren't collecting data you don't know about. They're honor system, which is dumb when you could have browsers not send that data back without opt-in.
In other words, of course Facebook knows you like bacon if you've followed 5 bacon fan pages and joined a bacon lovers group, and they could sell that fact.
But without cookies being saved long-term, Facebook wouldn't know that you are shopping for a sweater unless you did that shopping on Facebook. Today they undoubtedly do know if you are shopping for anything because cookies exist and because browsers are configured to always save cookies across sessions.
Also, I always point this out when this topic comes up: Of all websites I visit and have to click stupid banners on, almost none of them are in the market of "selling data" or building dossiers about individuals ("Steve Smith bought flowers on June 19th. Steve is 28 years old. He has a Ford Explorer. He lives in Boston."). They just want to get metrics on which of their ads worked, and maybe to know aggregate demographics about their audience. My local water utility, Atlassian, and Nintendo to pick 3 sites at random, have never been and are not in the business of data brokerage. But they do need to show cookie banners to not be sued for imaginary harms under CCPA or GDPR (unless they want to not make any use of online advertising or even aggregate analytics).
> They're honor system, which is dumb when you could have browsers not send that data back without opt-in.
Given that there is no objective way to differentiate between functional and tracking cookies, your "technical" solution would also boil down to honoring marking certain cookies as such by the website owner, effectively being the same as what we have today.
(Though I do agree that the UX would be nicer this way)
Well, I mean, we could go the route Safari has, and just blanket-disable 3rd party cookies by default. It's... quite effective (if a tad annoying for folks implementing single-sign-on)
I don't know, I don't think it helps all that much when you are up against Facebook's, and Google's wits on how to circumvent it.
If they can open a port and side-step the security system of Android wholesale, they can probably find a "solution" to the not even that hard of a problem of doing tracking server-side.
There is a problem in convincing everyone on the internet to install a server-side tracking component.
Pretty much everyone was willing to give this away for free on the client side, in return for limited social integration, or (in Google's case) free analytics - server side is a significantly harder sell in many companies, and there is a much richer variety of backend languages/frameworks you have to integrate with.
We are not in disagreement - my point is that it is a fundamentally civil/legal problem, not a technical one. There is no technical distinction between a functional and a tracking cookie.
lol this is what it used to be like back in the day. We have forgotten the old ways and now we yearn for them. Every tutorial instructed old people to just click Always Allow or else they would not be able to read their webmail.
No, it is not that. It highlighted an issue, and it makes it painfully obvious when a particular page is being extra ignorant about your privacy and trying to sell it to a thousand vendors instead of a handful.
What I don't like about cookie popups isn't the popup (which isn't something the EU law dictated btw), it's that someone thought it was okay to have hundreds of advertisement vendors and data brokers on a single news article, and it's better to know so I can just close the tab and never interact with that webpage again if they're being excessive asshats.
They have failed at enforcing this properly though, in particular with the recent proliferation of "legitimate interest" abuse (it is only legitimate interest if it is an implied component of a service I am directly requesting), and the general issue of popups illegally making rejection different from acceptance, intentionally making rejection slow, or even requiring payment to continue without cookies. And yes, the occasionally completely defective prompt.
I do agree that it would be neater if the browser handled this though. Would also be neater if the internet wasn't entirely sponsored by privacy violations. :/
The law is fine. The industry has just decided that dragging its heels and risking fines is better than actual compliance.
Most of the "cookie management" scripts that people use aren't compliant.
EU law requires "Accept All" and "Reject All Non-Essential" be both equally easy to access and given equal weight (or rather: the latter can't be given less weight and made more difficult to access, which almost all of these scripts blatantly ignore).
Browser vendors can't solve this because the question isn't technical but legal. It's not about first-party vs third-party cookies (let alone same-origin vs cross-origin) but about the purposes of those cookies - and not just cookies but all transferred data (including all HTTP requests).
You don't need to (and in fact can't) opt into technically necessary cookies like session cookies for a login and such. It's plausible that these might even be cross-origin (as long as the other domain is controlled by the same legal entity). If they're provided by a third party, that would indeed be data sharing that warrants a disclosure and opt in (or rather: this can only happen once the user acknowledges this but they have no option to refuse and still use the service if it can't plausibly be provided without this).
The GDPR and ePrivacy laws (and the DMA and DSA) have done a lot for privacy but most of what they have done has happened behind the scenes (as intended) by changing how companies operate. The "cookie management" is just the user-facing part of those companies' hostile and dishonest reactions to these laws as well as a cottage industry of grifters providing "compliance" solutions for companies that can't afford the technical and legal expertise to understand what they actually need to do and think they can just tick a box by buying the right product/service.
Heck, most companies don't even provide legally compliant privacy policies and refuse to properly handle data access requests. The GDPR requires companies to disclose all third parties (or their categories if they can't disclose identities) your (specifically your) data has been shared with and the specific types of data, purposes of that sharing and legal basis for sharing it (i.e. if it required consent, how and when that consent was given) - and yet most will only link you to their generic privacy policy that answers none of those questions or only provides vague general answers or irrelevant details ("We and our 11708 partners deeply care about your privacy").
"EU law"... you mean "regulation", that to prevent some "abuse".
Here, the EU is not quite doing the right thing: the web needs "noscript/basic (x)html" compatibility more than cookie regulation. Being jailed into a whatng cartel web engine does much more harm than cookie tracking (and some could use a long cryptographic URL parameter anyway).
Basically, a web "site" would be a "noscript/basic (x)html" portal, and a web "app" would require a whatng cartel web engine (gecko/webkit/blink).
I do remember clearly a few years back, I was able to buy on amazon with the lynx browser... yep basic HTML forms can do wonders.
> because it makes it seem like the EU law is just meritless pestering of people
The law should have been just a browser setting sites had to follow, making it a "banner" has made it meritless pestering while pretending it's for my own good and allowing the worst offenders to make convoluted UI to try and trick you every site visit.
If the EU was a serious entity, they would just forbid cookies that are non-essential. Simple as that. Either you take your responsibility as a law maker seriously, or you refrain from making laws entirely.
People ranting against cookie banners and GDPR literally never read the regulation itself and they literally never read what these banners are supposed to trick you into
Man, I am always required to use this seatbelt even though I haven't had a car accident in decades, it takes me seconds to put it on and off, makes this pestering sound when I forget it, that gets on my nerves, another useless law that need nothing to improve security. /s /s
> this kind of joke banner only makes their choice to respect visitors' privacy equally annoying
Their name is "PostHog", a dirtbag left joke from years ago. If they were trying to make joyless scolds happy with their humor, their site would be very different.
> makes it seem like the EU law is just meritless pestering of people
Which it is?
I am from the EU and I don't see what this law has accomplished apart from making the WWW worse, especially on mobile.
I remember back when Opera was a paid browser, last century, it already had options to accept all cookies, refuse them, or set fine-grained preferences per website. No need for handling it at the website level if the client can do it.
You can argue that the law might not have improved things (at least not as much as intended), but nothing about this law has made the WWW worse. If you believe that, you've fallen for the concerted efforts of the advertising industry spreading misinformation about whose idea the annoying consent popups were & (like this website) perpetuating the myth that they're a legal requirement.
None of the new annoyances on the modern web that you're thinking about are mandated by EU law. It benefits the ad industry massively to scapegoat the EU for these annoyances.
The objective, observable outcome is that before the law, websites didn't have cookie banners. Since the law passed, they do. And they make the user lose time, and make navigation much more cumbersome, sometimes even impossible (not even 5 minutes ago, I had to go back on my phone because a newspaper article went into an endless loop after accepting the cookie banner).
It doesn't matter much what happened behind the scenes to cause that outcome. From a black-box perspective, it could be that
(a) the EU mandated the cookie banners,
(b) the EU mandated to provide cookie settings in some generic form, and websites decided to use banners because it's easier, more lucrative, or even to put people against the EU, in spite of having other options that were better for the user.
(c) the EU mandated a different thing and the annoying banners don't even comply with the law.
No matter what the case is, the fact is that the EU made the WWW worse with the law. Either due to an outright harmful law, or to a well-intentioned law with too many loopholes, or to a good law but lack of enforcement. Doesn't matter much for the end user. When you make laws that affect people's daily life, good intentions aren't enough.
The EU law is good for consumers & bad for advertising companies. In response to this, advertising companies have made the web a significantly worse user experience.
You can reasonably argue that if the EU had not taken action to reduce advertising companies' ability to abuse customer rights, then advertising companies would not have retaliated, & therefore the web would be a less annoying experience. You cannot reasonably argue though that this is some isolated one-sided situation where ad companies are devoid of culpability.
Your entire comment essentially amounts to ignoring an elephant in the room to sell a narrative that one "side" bears 100% of responsibility for the outcome.
It's not that I ignore the responsibility of advertising companies. It's just that I take for granted that they are bad. They are an adversarial actor, and they aren't accountable to me. My governments (including the EU) are.
If your government passes some badly-designed regulations that cause a rat infestation, you can be as angry at the rats as you want, but that won't be very useful. If you want things to actually change, it's the government you need to complain against, not the rats.