Next.js Hacker News
EU Member States (and Google) suddenly want to keep cookie banners
48 points by robin_reala 16 hours ago | 19 comments
  • Ajoha
    Supporting noyb.eu since years for their great work.
  • Sweepi
    The origin story of the "EU" cookie banner:

      1. Proposal: Lets ban tracking.
  2. "But what if the user wants to be tracked? People want better adds![1] We are also missing out on business innovations!"
  3. Fine. But since nobody in their right mind would want to done to them, you must prove with out a shadow of a doubt that the people you are tracking did consent to that.
  4. Surely, nobody will do this.
  5. Cookie banners everywhere.
    [1] I am not kidding. "Isnt it better if the ads show things you are interested in?" was a main talking point.

    Bonus: The original proposal (~2017) also mandated that social media which uses personal algorithmic feeds must make the individual data set of each user which is used to generated said feed viewable and editable to the user. Was ofc shut down by the corporate bootlickers people tend to vote into our parliaments.

    • Cider9986
      The vast majority[1] of people do opt out as we can see with the "ask app not to track" on iOS. When it's a simple yes or no button, nobody wants to be tracked.

      It's pretty funny seeing youtube beg for you to allow them to on a screen right before the popup. Of course, I doubt they haven't found a way around it at this point.

      [1] 96% in 2021

      https://mashable.com/article/ios-14-5-users-opt-out-of-ad-tr...

  • itopaloglu83
    The amount of tracking is already at insane levels, none of this is being done with good intentions.

    We must get rid off cookie banners permanently and a browser level “do not track” must be enforced.

    Nothing can be gained by meeting in the middle with these intrusive ad companies.

    • throwawayqqq11
      Wouldnt't a court ruling that elevates a DNT headers as legally binding expression of intent make cookie banners obsolete?
      • wolvoleo
        Yes it absolutely would and this is exactly what this proposed legislation would have done.
  • account42
    > Using completely far-fetched figures, it argues that without cookie banners, all online advertising would come to a standstill.

    If only. Unfortunately even without any tracking at all they could still bombard you with their psychological warfare machine.

    • wolvoleo
      They could but not quite as targeted. Which helps a lot.

      For everything else, there's uBlock Origin.

  • wolvoleo
    Why is Google even allowed to lobby in Europe?
  • Cider9986
    Cookies are not the meta for tracking anymore. Fingerprinting [1] is highly effective across IPs and across incognito/browser profiles. Content blockers like Brave shields or uBlock Origin do not stop fingerprinting.

    The only browsers I've found that defeat it on desktop are Mullvad and Tor Browser as well as all the antidetect browsers I've tried.

    Disturbingly, fingerprint.com is not defeated by Tor browser on Android. We know fingerprinting is more effective on Mobile, and the recommendations say to use desktop for the most anonymity, so this isn't surprising.

    You still aren't completely de-anonymized if you are tracked across browser sessions and websites because that doesn't link back to your real identity, but it's damn easier because all it takes is one mistake and all that activity is tied to your identity. It would also allow an adversary to target you specifically with an exploit, but obviously this is not in most peoples threat model.

    Mullvad [2] and Tor browser are blocked from using or signing up for most websites because of IP reputation and the browser fingerprinting protections which make them look like VMs and bots. Unlike the antidetect browsers, they don't spend extensive resources on site compatibility and avoiding detection, which leaves most sites shaking you down for suspect fraud. Annoying, when the real fraudsters are passing through easily with anti detect browsers and residential IPs.

    Antidetect browsers are used by marketers, web scrapers, social media account managers, ecom, among other low lifes. These use different browser profiles to avoid fingerprinting by isolating and randomizimg identifiers while constantly patching(use a few week old version and you'll see it gets detected as something to be blocked, not detected as in correlated cross profile, just blocked) to avoid detection.

    I'd like to see a privacy focused antidetect browser, but perhaps open source makes it easier for the fingerprinters to find detections.

    Brave shields blocks cookie popups by default, so I'd recommend Brave browser to everyone who's annoyed by them. I assume uBlock has a list that does this as well. I remember reading recently that the vast majority of websites don't even abide by the cookie popups, and content blocks like Brave Shields or uBlock Origin block the cookies anyway.

    [1] https://fingerprint.com

    [2] Essentially Tor Browser without the Tor network built in for better usability on the web. Because VPN IPs have better reputation than Tor exit nodes.

    Can be used with any VPN, but most users will use Mullvad VPN giving a larger crowd. Mullvad has a browser extension which, when connected to Mullvad VPN on your computer, allows you to choose what ever server/IP you'd like and also offers a randomized per website and session option.

    Mullvad and Tor are always incognito mode so tabs and logins are lost on close. Mullvad is working on a persistent mode, so I'm looking forward to that usability improvement.

    • wolvoleo
      It's called a cookie banner in street language but it forbids fingerprinting just the same without consent.
    • Macha
      Neither GDPR rules against tracking nor “cookie banners” are limited to cookies, so it’s unfortunate that “cookie banner” became a popular term since it means these discussions always waste time on “you can be tracked without cookies”
    • cucumber3732842
      > It would also allow an adversary to target you specifically with an exploit, but obviously this is not in most peoples threat model.

      I saw that at the organizational level back in like 2015. Unless you were running the exact browser/os/extension combo that the organization they were targeting (multinational defense contractor in this case, i.e. a target worth the effort) was running on the corporate workstations the JS wouldn't run. And even if you forced it to the payload endpoint wouldn't like it.

  • snowpid
    I think this shows how much we need better democratic institutions like a full functioning parliament and (in my view) direct democracy on EU level.

    If the councils make stupid ideas, citizen could start an initiative or at least the MEP can annoy the commission.

    • 0dayz
      No it doesn't because it's member states not the commission push banners.

      Which is thanks to the same member states for pushing the EU to have the council in the first place.

  • no-name-here
    Wouldn't the likely effects of this be to:

    1. Push even more of the internet within walled gardens like Meta and YouTube, where they don't have to rely on 3rd party cookies in order to show relevant ads

    2. Push more of the web, including journalism, behind paywalls

    3. Cause a lot of the existing free (ad supported) web to be taken down

    4. For existing free/ad-supported sites, an even larger quantity of ads per page/time would be needed to continue running?

    ?

    • wolvoleo
      1) No. This has been covered. Google for example is already not allowed to correlate data between their services, they must ask for permission.

      This is why there's an extra popup on YouTube for me asking for permission to use data from search etc (which the click to consent plugin automatically dismisses and denies)

      2) That's happening anyway. And not just in the EU. And most users don't pay anyhow. The media world is just in a shrinkage phase anyway. We don't need 4 newspapers in every city anymore. A lot of this is just leftovers from an old system that is no longer functional. I see more global news sources now. For example I often read the guardian website these days despite not being in Britain, but because its values tend to align with me and their reporting is fairly good. In the 90s I'd never have considered reading a foreign paper regularly especially from a random city like Manchester. I would just pick one from the local options. Even my own 100k population city had its own paper. These days that is just silly.

      3) This is probably what they're afraid of but for me it would be a good thing. Less incentive for clickbait sites, much easier to find real info.

      4) Thus more users will use adblock. Not a bad thing either.

      • no-name-here
        1) Is the argument that if Google can “only” target based on something like all of your YouTube history, that doesn't let them target with relevant ads to you? Although I think something like Facebook or IG etc are the stronger examples.

        2) A lot of places no longer have any local news at all - even the big city newspapers are scaling back their local beat coverage. Is the argument that revenue is unrelated to whether newspapers can continue to support quality journalism?

        3) Maybe that's a new thing? But I remember the web back in the early years when everything wasn't paywalled behind walled gardens.

        4) If more users are using adblock, how do you expect websites to continue to support themselves - the vast majority of sites you click on will prompt you for payment to view their content?

        • wolvoleo
          1) No, but the tracking needed for targeted ads is also behind a consent wall. I'm just saying that just because other services are also owned by Google, they can not use that data for ads in youtube without permission.

          2) I think there is just less revenue available for quality journalism, but that it doesn't really matter because the reach is so much greater. Sites can specialise in topics, not in localities. Like I said that's how I ended up reading the Guardian. I even paid them for a while but the amount they want for adfree is too expensive for me so I just view it with adblockers again. It was 6 euro a month for a while which was ok but now it's 12. Prices keep going up and we get ever less. Some sites now demand money in return for 'fewer' ads, like The Verge! That's pure enshittification.

          3) Yeah that's my point. Websites were always doing fine. Even with untracked ads in the past. I don't understand why everything is suddenly so critical. They were able to survive for 20-30 years without having to enshittify. Why now?

          4) I don't really know (nor care). I'm definitely not going to pay every site I come across, that's obvious. I'm not going to watch ads either. But I never have for the last 20 years and it's never stopped them before. It's not like adblocking is a new thing, people have been doing it for decades and probably higher numbers than today (considering how difficult it is on mobile). Paywalls are kinda new but most people avoid those too. I think there are just going to be a lot less sites around which is not a bad thing at all to me.