Daily Archives: January 20th, 2020

Cookie Monster

It’s so easy to focus on the more disastrous aspects of Brexit that I’d like to raise the spirits of UK citizens by pointing out one possible very positive outcome. But we’re going to have to work for it, make our voices heard, and bring freedom for our nation from a pan-European menace that has plagued us for years!

I am referring, of course, to the outrageously stupid legislation that requires websites to display those notices telling us that they use cookies.

It clearly hadn’t occurred to the idiots who crafted these rules — enforced first in the EU’s e-Privacy directive and implemented in the UK’s Privacy and Electronic Communications Regulations (PECR) — that basically every site on the web uses cookies. Therefore, unless you only ever visit the same half-dozen sites, you’re adding a burden to vast numbers of online interactions.

So it’s no surprise that nobody actually reads the notices. I have to agree to several of these every day, and I don’t think I’ve ever read any of them. It’s a fundamental and obvious part of user interface design that if you make users mechanically perform the same task too often, they’re not going to read the text in the dialog box before clicking OK. I have about five devices on which I regularly browse the web, so I need to click the OK button on each of them, even for sites where I’ve already said I don’t object.

And here’s the thing that makes it even more stupid…

Suppose you don’t actually want cookies stored on your machine, and you say ‘no’ when the website asks if it can store them. I don’t know if there’s anybody in Europe who actually does this, but let’s pretend for a moment. How do you think the website could remember your decision? Why, by storing a cookie on your machine, of course. That’s the only way. But you’ve just said it can’t do that, so you are going to get the stupid pop-up every single time you visit that site. If you are consistent about your refusal, then almost every page on the web is going to have this annoyance every time you visit it. (That’s in addition to all the ones that can’t work at all without storing cookies, because they need them to remember important things about your logged-in session, etc.) If this legislation was meant to enhance people’s privacy protection, it also gave them a big incentive to agree to giving it away.

I presume these rules must have been designed by people who only ever visited Facebook and one or two other sites, so they assumed that your preferences could be set in just a few clicks. They hadn’t fully understood the nature of the beast they were unleashing.

So we should start a determined post-Brexit campaign to end this madness, at least for Britons. If we can’t remove the requirements completely, then there are trivial technological solutions which could make it go away. Imagine, for example, that I could configure my browser to say, as a general rule, “Yes, I’m happy with that category of cookie and no, I’m not happy with this one”. It could send that as part of each HTTP request, or each HTTP request to a new site, and only if those headers are not present, or if the site wanted to use cookies for something else, would it be required to ask. If necessary, the browser could be required to prompt you every year to make sure your preferences hadn’t changed. And if you don’t want any cookies at all, you’d set that option and, while large chunks of the web wouldn’t work for you, at least you wouldn’t be prompted on every page.
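A sketch of the server side of the scheme proposed above, as an added example that is not part of the original post. The `Cookie-Preferences` header, its `category=yes/no` syntax, the `*` wildcard and the category names are all assumptions made for illustration, not an existing standard.

```python
# Added example: header name, syntax and category names are hypothetical.
HEADER = "Cookie-Preferences"   # hypothetical header, not a real standard
ALLOW, DENY = "yes", "no"


def parse_preferences(value):
    """Parse 'analytics=no, session=yes, *=no' into {category: bool}.

    Malformed or unknown tokens are dropped, so they count as 'not stated'.
    If a category is repeated with conflicting answers, the refusal wins.
    """
    prefs = {}
    for token in value.split(","):
        name, sep, answer = token.strip().partition("=")
        name, answer = name.strip().lower(), answer.strip().lower()
        if not sep or not name or answer not in (ALLOW, DENY):
            continue
        prefs[name] = prefs.get(name, True) and answer == ALLOW
    return prefs


def plan_cookies(headers, wanted):
    """Return (categories to set, categories refused, categories to ask about)."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    prefs = parse_preferences(value) if value is not None else {}
    default = prefs.get("*")  # '*=no' means "no cookies at all, and don't ask"
    allowed, refused, ask = [], [], []
    for category in wanted:
        answer = prefs.get(category.lower(), default)
        if answer is None:
            ask.append(category)      # not covered by the header: site must prompt
        elif answer:
            allowed.append(category)
        else:
            refused.append(category)  # remembered by the browser, no cookie needed
    return allowed, refused, ask
```

Because the refusal travels with every request, the site never needs to store anything to remember it, and a banner is only rendered when the third list is non-empty.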

In fact, most browsers allow you to change various settings on a per-website basis already, so you can decide whether or not you like cookies in general and enable them for sites you trust. People already had the ability to enforce some control of cookies for themselves. But even if you want the website to be told, for example, that you’ll allow cookies for some things and not for others, the legislation doesn’t allow that information to be transmitted to the site in place of an immediate, human, per-site interaction. And so we end up with this silliness.

It’s time to get this fixed. To whom do we write our letters? Or is one of those online petitions the best way to get started? If we demonstrate that it doesn’t have to be this way, we can set a precedent for our neighbours, and the rest of Europe will love us again at last!

Update: Some useful feedback in the Comments; see below!

© Copyright Quentin Stafford-Fraser