Cookies; accept or deny

Developers and contributors can find a link to our github page and engage in development project planning here.
kestasjk
Co-Owner
Posts: 100
Joined: Tue Mar 14, 2017 8:13 pm
Location: Perth, Australia
Karma: 284
Contact:

Cookies; accept or deny

#1 Post by kestasjk » Thu Jul 22, 2021 9:21 pm

We're doing a few things to try and modernize webDip a bit, one of which is getting compliant with the GDPR cookie rules. I think it's absurd; it can only affect cookies on the site you're visiting, not tracking cookies in 3rd party requests, and it's something a user should set themselves in their browser, not have to set for every website they visit.

But .. okay, so let's just add a banner to the bottom asking whether the user accepts cookies, and disable any interactivity / search etc. Then I think "well how do you store the user's choice to deny cookies.. without a cookie?"
All I can think of is using URL rewriting to add a session ID to each URL a user visits, but this has just the same privacy implications as cookies do and would take a fair bit of effort.


I looked at sites that have these cookie accept/deny flags.. e.g. cookiebot.com, whose business is ensuring other sites are compliant.. and they keep track of your choice by storing a cookie, and they store your session ID before you accept the request to store cookies.
[Attached image: Capture.JPG]
I just don't get it .. I tried googling around for this paradox but can't seem to find any info on it. Any other web devs encountered this? (I do some web dev professionally for work, but these are for domestic Australian sites that don't need to worry about this EU law)
3

Re: Cookies; accept or deny

#2 Post by kestasjk » Thu Jul 22, 2021 9:58 pm

Okay .. reading into it more it looks like there are exemptions for "strictly necessary" cookies, which includes storing user preferences, authentication, website functionality etc, so the Accept/Deny cookies banners are really only for cookies relating to tracking.

Well that's a relief .. still not looking forward to adding this
1

gimix
Site Moderator
Posts: 262
Joined: Tue Nov 13, 2018 8:56 am
Location: My Mountains, the highest in Europe
Karma: 260

Re: Cookies; accept or deny

#3 Post by gimix » Fri Jul 23, 2021 5:41 pm

Many sites are now offering an "adjust cookies" option where you basically can
  • refuse all cookies (and probably leave the site)
  • accept only "essential" cookies: temporary Session IDs, the "cookie preference" cookie, ...
  • also accept "operational" cookies: "stay connected" or "remember me" cookies, info whether javascript or some other technologies are enabled in your browser and/or their use has been explicitly allowed by you, ...
  • accept all cookies including analytics and perhaps also third party (the latter may still be a further, separate choice)
Yes, it's one more (perhaps not so useful) piece of work I'm sure you're not looking forward to adding :lol: , but it is the only way you can lawfully use something more than the "essential" cookies if your user is an EU citizen.

And I must say that while as a dev I find all this a bit vexing, as a user I often take the time to fine tune my preferences
3
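
Added example, not part of any post above and not webDiplomacy's code: one way to implement the tiers listed in post #3, with the visitor's choice itself kept in a "strictly necessary" first-party cookie as post #2 describes. The cookie name `cookie_pref`, the tier and purpose names and the 180-day lifetime are assumptions.

```javascript
// Added example; cookie name, tier names and lifetime are assumptions.
// Tiers ordered least to most permissive, following the list in post #3.
// "Refuse all" maps to "essential": the refusal itself has to be remembered.
const TIERS = ["essential", "operational", "all"];

// Lowest tier at which each cookie purpose may be used.
const PURPOSES = {
  session: "essential",       // temporary session ID
  cookie_pref: "essential",   // remembers the accept/deny choice
  remember_me: "operational", // "stay connected"
  analytics: "all",           // analytics / third-party tracking
};

// Parse a raw Cookie request header into a prototype-less object.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name || name in out) continue; // skip empty names, first value wins
    out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Read the stored choice. A missing or unrecognised value falls back to
// "essential", so an absent or tampered cookie never enables tracking.
function consentTier(cookieHeader) {
  const value = parseCookieHeader(cookieHeader).cookie_pref;
  const asked = TIERS.includes(value);
  return { tier: asked ? value : "essential", asked };
}

// True when the visitor's tier covers the purpose; unknown purposes are denied.
function isAllowed(purpose, tier) {
  if (!Object.prototype.hasOwnProperty.call(PURPOSES, purpose)) return false;
  const have = TIERS.indexOf(tier);
  return have >= 0 && have >= TIERS.indexOf(PURPOSES[purpose]);
}

// Set-Cookie value that records a choice made in the banner.
function consentSetCookie(choice) {
  if (!TIERS.includes(choice)) throw new RangeError("unknown tier: " + choice);
  const maxAge = 60 * 60 * 24 * 180; // assumed lifetime: 180 days
  return `cookie_pref=${choice}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// What the server may do for this request.
function planResponse(cookieHeader) {
  const { tier, asked } = consentTier(cookieHeader);
  return {
    tier,
    showBanner: !asked,
    mayUse: Object.keys(PURPOSES).filter((p) => isAllowed(p, tier)),
    loadAnalytics: isAllowed("analytics", tier),
  };
}

// Constructed requests: first visit, a stored choice, a tampered value.
for (const h of ["", "session=abc; cookie_pref=operational", "cookie_pref=everything"]) {
  console.log(JSON.stringify(h), "->", JSON.stringify(planResponse(h)));
}
```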

Jamiet99uk
Posts: 17936
Joined: Sat Dec 30, 2017 11:42 pm
Location: Durham, UK
Karma: 9677
Contact:

Re: Cookies; accept or deny

#4 Post by Jamiet99uk » Fri Jul 30, 2021 10:27 am

I think that British websites should leave biscuits on your computer instead of cookies.
12

orathaic
Bronze Donator
Posts: 1085
Joined: Fri Sep 29, 2017 3:20 pm
Karma: 294

Re: Cookies; accept or deny

#5 Post by orathaic » Mon Aug 09, 2021 11:06 pm

gimix wrote:
Fri Jul 23, 2021 5:41 pm

And I must say that while as a dev I find all this a bit vexing, as a user I often take the time to fine tune my preferences
I must say, as a user and EU citizen, this law has negatively affected my experience hugely. Every little website which asks me for permission instead of simply looking at my 'do not track' request (is it in the header sent by firefox?).

I would much prefer to tweak the setting once in the browser, and not have to run cookie blocking add ons to forcibly delete cookies which appear to be used for tracking. Anyway I digress.
2

flash2015
Gold Donator
Posts: 2978
Joined: Fri Sep 29, 2017 7:55 pm
Location: Planet Earth
Karma: 1046

Re: Cookies; accept or deny

#6 Post by flash2015 » Mon Aug 16, 2021 11:31 pm

orathaic wrote:
Mon Aug 09, 2021 11:06 pm
gimix wrote:
Fri Jul 23, 2021 5:41 pm

And I must say that while as a dev I find all this a bit vexing, as a user I often take the time to fine tune my preferences
I must say, as a user and EU citizen, this law has negatively affected my experience hugely. Every little website which asks me for permission instead of simply looking at my 'do not track' request (is it in the header sent by firefox?).

I would much prefer to tweak the setting once in the browser, and not have to run cookie blocking add ons to forcibly delete cookies which appear to be used for tracking. Anyway I digress.
"do not track" has been dead for years. An option to turn off tracking by default was never going to fly.

I like what the EU has done. It isn't perfect, but it is a start. Whilst I know there are countermeasures to help reduce tracking, they aren't ideal and it is becoming harder and harder to maintain over time. Allowing consumers explicit choices for tracking and giving consumers options to get their data deleted formally is a good move.

Re: Cookies; accept or deny

#7 Post by kestasjk » Fri Aug 27, 2021 11:36 am

flash2015 wrote:
Mon Aug 16, 2021 11:31 pm
orathaic wrote:
Mon Aug 09, 2021 11:06 pm
gimix wrote:
Fri Jul 23, 2021 5:41 pm

And I must say that while as a dev I find all this a bit vexing, as a user I often take the time to fine tune my preferences
I must say, as a user and EU citizen, this law has negatively affected my experience hugely. Every little website which asks me for permission instead of simply looking at my 'do not track' request (is it in the header sent by firefox?).

I would much prefer to tweak the setting once in the browser, and not have to run cookie blocking add ons to forcibly delete cookies which appear to be used for tracking. Anyway I digress.
"do not track" has been dead for years. An option to turn off tracking by default was never going to fly.

I like what the EU has done. It isn't perfect, but it is a start. Whilst I know there are countermeasures to help reduce tracking, they aren't ideal and it is becoming harder and harder to maintain over time. Allowing consumers explicit choices for tracking and giving consumers options to get their data deleted formally is a good move.
But why not set your browser to not accept cookies? You can use incognito mode, or a privacy focused browser that goes through tor, or set cookie policy based on whether it’s session / third-party / etc, or have a whitelist for sites you want to allow if you’re very concerned, or a blacklist for sites you want to deny if you’re less concerned etc.

To me it seems like if the Alexa/Google Home/Siri devices started coming out, but instead of letting people decide if they want to buy them or not based on which has the best privacy features instead it’s mandated that every time you want to ask something there’s a mandatory “Please repeat the same command to confirm before we process it.” ; why not leave it to people to decide these things for themselves?

Re: Cookies; accept or deny

#8 Post by flash2015 » Fri Aug 27, 2021 7:39 pm

kestasjk wrote:
Fri Aug 27, 2021 11:36 am
flash2015 wrote:
Mon Aug 16, 2021 11:31 pm
orathaic wrote:
Mon Aug 09, 2021 11:06 pm


I must say, as a user and EU citizen, this law has negatively affected my experience hugely. Every little website which asks me for permission instead of simply looking at my 'do not track' request (is it in the header sent by firefox?).

I would much prefer to tweak the setting once in the browser, and not have to run cookie blocking add ons to forcibly delete cookies which appear to be used for tracking. Anyway I digress.
"do not track" has been dead for years. An option to turn off tracking by default was never going to fly.

I like what the EU has done. It isn't perfect, but it is a start. Whilst I know there are countermeasures to help reduce tracking, they aren't ideal and it is becoming harder and harder to maintain over time. Allowing consumers explicit choices for tracking and giving consumers options to get their data deleted formally is a good move.
But why not set your browser to not accept cookies? You can use incognito mode, or a privacy focused browser that goes through tor, or set cookie policy based on whether it’s session / third-party / etc, or have a whitelist for sites you want to allow if you’re very concerned, or a blacklist for sites you want to deny if you’re less concerned etc.

To me it seems like if the Alexa/Google Home/Siri devices started coming out, but instead of letting people decide if they want to buy them or not based on which has the best privacy features instead it’s mandated that every time you want to ask something there’s a mandatory “Please repeat the same command to confirm before we process it.” ; why not leave it to people to decide these things for themselves?
What do you think I do??? I take all sorts of counter-measures to reduce my exposure to tracking and ads (cookies aren't the only way - need to screw up the fingerprinting too, if possible). Tor isn't a reasonable everyday driver. I even have a fake VPN (netguard) on my phone to try and block apps sending tracking info out. It is very scary how much info each app sends out. For example pretty much every app you install on your mobile phone will send info to facebook - when you block one URL, they choose another, you block that and it chooses a third.

To do this properly, it is a full time job! And even then it is just too easy to screw it up. It is good to have something backed by law giving you some control of your data. Again, I am sure there are lots of things wrong with GDPR...but choosing "the problem is all too hard, let's do nothing" isn't a better option. Given the information asymmetry, without help the average user has no hope of having any real control at all.

You make it sound like there are clear options for the user to decide which devices have the best privacy and which devices give you the best control of your data. That is nonsense. The services are designed in such a way to make this as opaque as possible. The goal is to make it so hard that you go "Oh F*** it" and Accept whatever. This is BS. It is right that government steps in and at least attempts to even the playing field here.
1

Re: Cookies; accept or deny

#9 Post by kestasjk » Fri Aug 27, 2021 10:31 pm

flash2015 wrote:
Fri Aug 27, 2021 7:39 pm
I take all sorts of counter-measures to reduce my exposure to tracking and ads (cookies aren't the only way - need to screw up the fingerprinting too, if possible). Tor isn't a reasonable everyday driver. I even have a fake VPN (netguard) on my phone to try and block apps sending tracking info out. It is very scary how much info each app sends out. For example pretty much every app you install on your mobile phone will send info to facebook - when you block one URL, they choose another, you block that and it chooses a third.

To do this properly, it is a full time job! And even then it is just too easy to screw it up. It is good to have something backed by law giving you some control of your data. Again, I am sure there are lots of things wrong with GDPR...but choosing "the problem is all too hard, let's do nothing" isn't a better option. Given the information asymmetry, without help the average user has no hope of having any real control at all.
Mmmm.. Focusing on cookies I can see how people might want to not have Google Analytics or other advertisers track them, but having every website make you accept cookies is a really backwards way to accomplish that.

What you're doing by adding a VPN to your phone, staying secure and alert etc; that seems like the right way to protect your privacy and security.
Actual bad actors aren't going to give you a please-can-I-abuse-you banner; they're too small to sue. They'll keep on trying to hijack your browser, add malware / extensions, steal your CC info, ransom your documents, etc..

Sites like Google/Facebook/etc will still collect as much depersonalized data as possible and use what you're searching for to provide relevant ads. Sites like this will still collect data to monitor trends, catch cheaters, develop bots, calculate whether a player is reliable or not, etc. We really don't collect info because we want to spy on you.
Ironically if web-hosted information about you actually is used to spy on you it will be because a government agency either demanded it or intercepted it.


I'm not an anti-government zealot, I think some parts of the GDPR are sensible, and I understand the need for regulation of a new industry.. but I do think if you are concerned about your privacy online being compromised by cookies you should set your browser to restrict them.

In a world where cookies are outlawed only outlaws will use cookies. (And come on .. it's a piece of text that we ask your browser to repeat on subsequent requests, it's not a GPS tracking device..)
1

Re: Cookies; accept or deny

#10 Post by kestasjk » Fri Aug 27, 2021 10:56 pm

Also the GDPR aim/goal that users be able to erase their information is another thing that, like a lot of legislation, seems well intentioned but is full of problems in practice.
Would you like games you participated in to be erased because a user wanted his information erased, and for there to be gaps in forum conversations etc? What if it's a multi-accounter that violated the rules and then demands the "right to be forgotten"?

If we really wanted we could allow people to erase their data from Analytics, Google provides this functionality as the GDPR requires them to, but how would Google be able to filter out the site-wide Analytics data for the whole site relating to a single user?
Well we would need to provide user-identifying information to Analytics so that it can correlate each request to a user, that's the only way Analytics can erase a particular user's information.. but this involves actually providing the very sort of individually-identifiable tracking flags that surely the law was trying to prevent!


Then there is other legislation like COPPA in the US, which means children under 13 can't have data stored relating to them (or something like that.. I'm not an expert).
In order to comply with that we would need to ask people their age / date of birth, which is PII that we have no interest in collecting, and even then that's not necessarily enough if they think your service is child oriented.


Anyway just a bit of a pet peeve I guess.. things were so much simpler in 2005..

Re: Cookies; accept or deny

#11 Post by Jamiet99uk » Tue Aug 31, 2021 12:29 pm

I blame Capitalism (and the removal of PPSC).
3

Octavious
Posts: 2470
Joined: Fri Sep 29, 2017 4:16 pm
Location: The Five Valleys, Gloucestershire
Karma: 1937
Contact:

Re: Cookies; accept or deny

#12 Post by Octavious » Tue Aug 31, 2021 2:23 pm

I blame Socialism (and the removal of PPSC)...

... and the French ...
I eat cookies to improve my snacking experience

Re: Cookies; accept or deny

#13 Post by Jamiet99uk » Tue Aug 31, 2021 2:40 pm

Octavious wrote:
Tue Aug 31, 2021 2:23 pm
I blame Socialism (and the removal of PPSC)...

... and the French ...
At last we have found a common cause to unite us.

Re: Cookies; accept or deny

#14 Post by flash2015 » Tue Aug 31, 2021 4:46 pm

kestasjk wrote:
Fri Aug 27, 2021 10:31 pm
Mmmm.. Focusing on cookies I can see how people might want to not have Google Analytics or other advertisers track them, but having every website make you accept cookies is a really backwards way to accomplish that.
You are right that it isn't covering every scenario...but it is a start. And for the average user that doesn't clear cookies periodically it really shouldn't be a big deal. They should only see this once per website.
What you're doing by adding a VPN to your phone, staying secure and alert etc; that seems like the right way to protect your privacy and security.
Actual bad actors aren't going to give you a please-can-I-abuse-you banner; they're too small to sue. They'll keep on trying to hijack your browser, add malware / extensions, steal your CC info, ransom your documents, etc..
Most people don't know what a VPN can potentially help protect you from. It won't protect you from tracking by websites. It only provides protection against MITM tracking (e.g. your ISP...or dodgy coffee shop wifi). Even if you don't screw it up (e.g. leaking DNS queries), you need to worry whether your VPN provider is compromised or is dodgy. Remember all the people hawking NordVPN?:

https://techcrunch.com/2019/10/21/nordv ... as-hacked/

I am not sure if the "but there are even worse guys on the internet!!" is a convincing argument for us to ignore the data hoarders we deal with every day.
Sites like Google/Facebook/etc will still collect as much depersonalized data as possible and use what you're searching for to provide relevant ads. Sites like this will still collect data to monitor trends, catch cheaters, develop bots, calculate whether a player is reliable or not, etc. We really don't collect info because we want to spy on you.
Ironically if web-hosted information about you actually is used to spy on you it will be because a government agency either demanded it or intercepted it.
Depersonalized data??? LOL. Their goal is to gather as much PII as possible about you. They are big enough that they may not share the personalized data (e.g. companies may say they want to run ads against a specific anonymized profile...or may upload PII about you and say run ads against similar people)...but that doesn't mean they aren't trying to gather as much as possible about you.

You are right that there are a lot of legitimate reasons to be able to gather data. I am a developer myself so I understand this. This isn't an easy problem.

You bring up a good point. Given that companies are retaining so much information on individuals, this makes it much easier for current and future governments to use it too. But this is yet another argument why we should have more control of our data...so that it can't potentially be used against us by governments (or pilfered by other bad guys) in the future.
I'm not an anti-government zealot, I think some parts of the GDPR are sensible, and I understand the need for regulation of a new industry.. but I do think if you are concerned about your privacy online being compromised by cookies you should set your browser to restrict them.

In a world where cookies are outlawed only outlaws will use cookies. (And come on .. it's a piece of text that we ask your browser to repeat on subsequent requests, it's not a GPS tracking device..)
I will mention AGAIN that I am already taking all sorts of counter-measures to reduce the amount of info gathered...but I do know enough about how tracking technology is evolving that it is a losing battle.

I think you are living in the past a bit with your "oh, just configure your browser and call it a day". Even if that provided you complete protection while using the browser (which it won't) less and less internet interaction is being done using traditional web browsers. We have mobile phones, we have smart TVs and attached devices, "smart devices" in the home like nest thermostats and cameras and assistants, OSs like Windows where you have no control of what information is sent home etc.. You can of course try to set up additional countermeasures (e.g. using a "pi hole" for your dns resolver to try to filter out unnecessary tracking)...but again just relying on technical countermeasures is a losing battle.

Companies like Google also go out of their way to try to stop you from taking countermeasures (e.g. apps which suggest they can help you block tracking/ads are banned from the app store)...and they sell the propaganda that anything not installed from the app store is by definition "unsafe" which is of course nonsense. But ask the average person and they are convinced of this now. Even many techies will regurgitate this now too.

Again, you are making the "since there may be someone else sketchy on the internet" we should ignore the privacy violations right in front of us. You are right that cookies aren't magic. I have used them myself (mostly to keep track of active sessions). On their own they really don't do much. But the power of the internet comes not from individual cookies but from being able to aggregate data from multiple sources over a long period of time...which cookies and other tracking technology feed into.
1

Re: Cookies; accept or deny

#15 Post by flash2015 » Tue Aug 31, 2021 5:03 pm

kestasjk wrote:
Fri Aug 27, 2021 10:56 pm
Also the GDPR aim/goal that users be able to erase their information is another thing that, like a lot of legislation, seems well intentioned but is full of problems in practice.
Would you like games you participated in to be erased because a user wanted his information erased, and for there to be gaps in forum conversations etc? What if it's a multi-accounter that violated the rules and then demands the "right to be forgotten"?

If we really wanted we could allow people to erase their data from Analytics, Google provides this functionality as the GDPR requires them to, but how would Google be able to filter out the site-wide Analytics data for the whole site relating to a single user?
Well we would need to provide user-identifying information to Analytics so that it can correlate each request to a user, that's the only way Analytics can erase a particular user's information.. but this involves actually providing the very sort of individually-identifiable tracking flags that surely the law was trying to prevent!
Have you ever dealt with government regulation before? That they didn't write something into the legislation to deal with our specific use case isn't unique to GDPR. It is something that happens ALL the time.

Yes, if we wanted to comply with this it would take some thought...as it usually does for any new government regulation. I assume for games, you could just change the user to some dummy deleted user...but you probably would need to delete all their forum messages.

I understand of course for a small free volunteer-led website like webdip these changes are expensive and painful. It would be better if there was a clearer regulation difference...but alas there isn't currently.
Anyway just a bit of a pet peeve I guess.. things were so much simpler in 2005..
2005?? Youngster....

I agree though. I am old enough to remember when the internet was seen as an instrument of freedom which was too decentralized to be controlled by government or other entities. Oh how naive we were...
1

alexintour
Silver Donator
Posts: 24
Joined: Mon Jun 19, 2017 12:37 pm
Karma: 26

Re: Cookies; accept or deny

#16 Post by alexintour » Thu Sep 02, 2021 10:00 am

On my website, I just don't track users (or if I have to, I'd just collect depersonalized data, so I can not trace the single user).

That said, I think I don't really need to ask every user for an active choice.

I added a Cookie&Privacy policy page (linked in the footer) explaining what (technical) data I am collecting and how every user should proceed if he wants the cancellation of his data from the website.
This is the trickiest part, and this can be solved by changing the actual username and email address of the user to "delete" with some "dummy" data. So I don't erase the user itself (and his games), but I make it impossible to identify this special user and I cancel from the website everything that can relate to him.

This should be enough to be GDPR compliant.
If not, I think I might receive a fine in percentage of the money I make with the website. So something like 10% of 0€ I'm getting out of the website. :eyeroll:
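
Added example, not alexintour's or webDiplomacy's code: the erasure-by-dummy-data approach described in posts #15 and #16, run over a small constructed in-memory dataset. The table and field names, the `deleted-<id>` placeholder and the handling of "X wrote:" quote headers in other users' posts are assumptions.

```javascript
// Added example; tables and field names are hypothetical, not the site's
// real schema, and the data returned by sampleDb() is constructed.
function sampleDb() {
  return {
    users: [
      { id: 7, username: "alice", email: "alice@example.org" },
      { id: 9, username: "bob", email: "bob@example.org" },
    ],
    gameMembers: [
      { gameId: 1, userId: 7, country: "France" },
      { gameId: 1, userId: 9, country: "England" },
    ],
    posts: [
      { id: 100, userId: 7, body: "I blame the French." },
      { id: 101, userId: 9, body: "alice wrote:\nI blame the French.\nAgreed." },
    ],
  };
}

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Pseudonymise one account in place. The user row and its numeric id stay,
// so game records keep pointing at a valid member and no game is erased.
function eraseUser(db, userId) {
  const user = db.users.find((u) => u.id === userId);
  if (!user) throw new Error("no such user: " + userId);
  const placeholder = `deleted-${user.id}`;
  const result = { placeholder, postsBlanked: 0, quotesRewritten: 0 };
  if (user.erased) return result; // already done: safe to call twice

  // Quote headers in other people's posts still carry the old username.
  const quoteHeader = new RegExp(`^${escapeRegExp(user.username)} wrote:`, "gm");
  for (const post of db.posts) {
    if (post.userId === user.id) {
      // Blank the text but keep the row, so threads have no gaps.
      post.body = "[deleted]";
      result.postsBlanked++;
    } else {
      // Only the attribution is rewritten; the quoted words themselves stay.
      const next = post.body.replace(quoteHeader, `${placeholder} wrote:`);
      if (next !== post.body) {
        post.body = next;
        result.quotesRewritten++;
      }
    }
  }

  user.username = placeholder;
  user.email = `${placeholder}@erased.invalid`; // .invalid never resolves
  user.erased = true;
  return result;
}

const demoDb = sampleDb();
console.log(eraseUser(demoDb, 7), JSON.stringify(demoDb, null, 1));
```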
