Cookie Monster

It’s so easy to focus on the more disastrous aspects of Brexit that I’d like to raise the spirits of UK citizens by pointing out one possible very positive outcome. But we’re going to have to work for it, make our voices heard, and bring freedom for our nation from a pan-European menace that has plagued us for years!

I am referring, of course, to the outrageously stupid legislation that requires websites to display those notices telling us that they use cookies.

It clearly hadn’t occurred to the idiots who crafted these rules — enforced first in the EU’s e-Privacy directive and implemented in the UK’s Privacy and Electronic Communications Regulations (PECR) — that basically every site on the web uses cookies. Therefore, unless you only ever visit the same half-dozen sites, you’re adding a burden to vast numbers of online interactions.

So it’s no surprise that nobody actually reads the notices. I have to agree to several of these every day, and I don’t think I’ve ever read any of them. It’s a fundamental and obvious part of user interface design that if you make users mechanically perform the same task too often, they’re not going to read the text in the dialog box before clicking OK. I have about five devices on which I regularly browse the web, so I need to click the OK button on each of them, even for sites where I’ve already said I don’t object.

And here’s the thing that makes it even more stupid…

Suppose you don’t actually want cookies stored on your machine, and you say ‘no’ when the website asks if it can store them. I don’t know if there’s anybody in Europe who actually does this, but let’s pretend for a moment. How do you think the website could remember your decision? Why, by storing a cookie on your machine, of course. That’s the only way. But you’ve just said it can’t do that, so you are going to get the stupid pop-up every single time you visit that site. If you are consistent about your refusal, then almost every page on the web is going to have this annoyance every time you visit it. (That’s in addition to all the ones that can’t work at all without storing cookies, because they need them to remember important things about your logged-in session, etc.) If this legislation was meant to enhance people’s privacy protection, it also gave them a big incentive to agree to giving it away.

I presume these rules must have been designed by people who only ever visited Facebook and one or two other sites, so they assumed that your preferences could be set in just a few clicks. They hadn’t fully understood the nature of the beast they were unleashing.

So we should start a determined post-Brexit campaign to end this madness, at least for Britons. If we can’t remove the requirements completely, then there are trivial technological solutions which could make it go away. Imagine, for example, that I could configure my browser to say, as a general rule, “Yes, I’m happy with that category of cookie and no, I’m not happy with this one”. It could send that as part of each HTTP request, or each HTTP request to a new site, and only if those headers are not present, or if the site wanted to use cookies for something else, would it be required to ask. If necessary, the browser could be required to prompt you every year to make sure your preferences hadn’t changed. And if you don’t want any cookies at all, you’d set that option and, while large chunks of the web wouldn’t work for you, at least you wouldn’t be prompted on every page.

In fact, most browsers allow you to change various settings on a per-website basis already, so you can decide whether or not you like cookies in general and enable them for sites you trust. People already had the ability to enforce some control of cookies for themselves. But even if you want the website to be told, for example, that you’ll allow cookies for some things and not for others, the legislation doesn’t allow that information to be transmitted to the site in place of an immediate, human, per-site interaction. And so we end up with this silliness.

It’s time to get this fixed. To whom do we write our letters? Or is one of those online petitions the best way to get started? If we demonstrate that it doesn’t have to be this way, we can set a precedent for our neighbours, and the rest of Europe will love us again at last!

Update: Some useful feedback in the Comments; see below!

5 Comments

Q,
You talk about what I’ll call “cookie preference cookies”. Since these are strictly necessary (legal compliance with ePrivacy Directive) they don’t require the consent of the user. In fact any website which only uses this sort of cookie does not need to ask its users.

Where we do get consent requests is where the Ad industry (and I’m including Google Analytics in that list) wants to target us as individuals and members of groups. So is the fix for the legislation or the Advertising Industry?

The new ePrivacy Regulation is likely to come out shortly so we shall see what that requires and whether UK companies targetting EU customers will be required to comply (I would think yes, á là GDPR), and whether they develop UK-specific sites which allow anyone to drop cookies on your device to track your browsing without notification.

Ah – re the ‘cookie preference cookies’ – that’s good to know; this was based on a quick trial of a few sites a couple of years ago, who clearly weren’t aware you could do this, and presented the pop-up every time.

I did peruse some of the legislation before my rant, but didn’t see anything to this effect, but it’s pretty tedious and convoluted and I certainly didn’t close to a deep investigation; it was after midnight… 🙂

Re the advertising industry, I always used to turn on the browser controls to prevent cross-site tracking; but I agree that that’s a fairly broad brush and doesn’t really distinguish the owner’s use of analytics from an advertiser’s tracking.

Derek McAuley pointed me at http://www.i-dont-care-about-cookies.eu, which looks like a good pain reliever, if it’s legally valid, though sadly it doesn’t work in my normal browsers. It might be enough to make me switch, though!

I don’t think I’ve met anybody who is in favour of this well-intentioned, but terribly poorly-executed, directive, and I’d love to see it go away. In the meantime, however, hiding the relevant divs works a surprising amount of the time. There is an adblock list, listed by default in at least ublock origin’s preferences, called “easylist-cookie” or “fanboy-cookiemonster”, which does this for a large list of sites. (You can of course disable all the other blocklists, if you are otherwise a fan of ads and tracking!)

EFF’s Privacy Badger plugin tries to block cookies that it thinks are used for tracking.
It’s worth a look but doesn’t do anything about the annoying custom popups on every site.

Recently I’ve been clicking on the “more options” buttons on these popups and , when I do that, it always seems that advertising cookies are disabled by default. It’s not clear what classes of cookies get enabled if you don’t manually inspect the list tho’. Is what one sees when one selects “more options” the default for everyone or is it like some kind of Schroedinger’s Cookie where it’s undefined until you look at it?

🙂

I have a feeling the legislation specifies the kind of uses for which you can pre-tick the checkbox and the kind for which an explicit opt-in by a human is required.

It wouldn’t surprise me to learn there was some quantum uncertainty involved as well, though.

Leave a Reply to andyjpb Cancel reply

Your email address will not be published. Required fields are marked *

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

*

© Copyright Quentin Stafford-Fraser