52
submitted 11 months ago by rinze@infosec.pub to c/privacy@lemmy.ml

Hi,

In Spain (and probably other places in Europe) we've recently seen a deluge of cookie banners that offer you the option to reject tracking cookies for a fee. The regular GDPR forms are therefore slightly broken, as you get several options: accept, reject (which doesn't work in most cases), and buy a subscription to reject. Consent-O-Matic, for example, is having a hard time. I don't doubt it'll get corrected in time, but I want to talk about something tangential.

Cookie consent has (at least) two layers: the browser layer (where we might delete cookies, reject third party cookies, etc) and the site UI layer (where we're presented with an option when we load the page). This means we can reject third-party cookies at the browser layer and then accept whatever form at the site UI layer.

With the set up mentioned above, is there really any difference between accepting cookies and rejecting cookies? No tracking cookie are going to get installed in my computer anyway. This, combined with an ad blocker, makes the browsing experience exactly the same whether I accept or reject the cookie form. Is there anything I'm missing here?

top 15 comments
sorted by: hot top controversial new old
[-] Shamot@jlai.lu 27 points 11 months ago

When I see this, the only viable option I see is to close the site and boycott it. Any other choice would encourage more companies to do this blackmail.

[-] Cheradenine@sh.itjust.works 4 points 11 months ago

While I agree, and I use TOR or Orbot for everything( which means quite a few things are blocked for me), this doesn't answer OP's question.

[-] Agility0971@lemmy.world 1 points 11 months ago

In duckduckgo search results there is a link to block this domain. I always block shitty domains that farm clicks

[-] rinze@infosec.pub 1 points 11 months ago* (last edited 11 months ago)

Where's that? I just ran a test search but I can't see it :-?

[-] Agility0971@lemmy.world 2 points 11 months ago

Hmm... I cannot see it anymore either. They appeared under each search entry as hyperlink.

[-] Engywuck@lemm.ee 7 points 11 months ago* (last edited 11 months ago)

Interesting question. IMHO you're right: if you reject 3rd party cookies at browser level, so "accepting" them from the GDPR form shouldn't really matter. Plus, many browsers nowadays forbid 3rd party websites to access cookies from other websites (in my understanding)...

I'd like someone with a more deep knowledge to contribute to the discussion.

[-] Atemu@lemmy.ml 2 points 11 months ago* (last edited 11 months ago)

Cookie banners are not really about cookies.

What they're actually asking for is consent to process your data for profit in unethical ways. That usually involves cookies but could theoretically be done entirely without. They're just a technological standard.

You might aswell say: "We use https. [consent] [settings]"

[-] Outtatime@sh.itjust.works 0 points 11 months ago

Zap the banners out of existence with unlock origin

[-] Cheradenine@sh.itjust.works 0 points 11 months ago

It is an excellent question, but there is a third option, which is also blocking at the DNS level. Firefox and Safari block 3rd party cookies by default too.

In your example I do not think there is a difference, and my firewall logs seem to confirm this.

[-] tordenflesk@lemmy.world -1 points 11 months ago

Ublock Origin->Cookie Notices->Check all 4.

[-] rinze@infosec.pub 2 points 11 months ago

Yes, I'm aware those filters exist, but I'm asking about the practical implications of the set up I mentioned in the post.

[-] beta_tester@lemmy.ml -2 points 11 months ago* (last edited 11 months ago)

When accepting a cookie, the cookie is stored on your machine locally for the duration of your browsing session on that site, IF you clear all cookies after a site visit with cookieautodelete. Or they are deleted after quitting the browser session, i.e. after exiting all open tabs AND you've enabled the setting to auto clear cookies.

With cookie autodelete (or firefox containers) and a normal browsing behavior it does not matter much if you accept or delete them, if there is no personal identifier like login data or IP address (always use vpn).

Consent o matic doesn't work on as many sites as istilldontcareaboutcookies and with the up and coming internal firefox functionality isdcaac will hopefully be obsolete within a year or so

[-] RovingFox@infosec.pub 6 points 11 months ago

I recommend you look into web fingerprinting. IP and login data are no longer the only data required to pin point you on the web.

[-] beta_tester@lemmy.ml 0 points 11 months ago

I know how web fingerprinting works. I don't visit sites regularly that use advanced techniques which shouldn't get my info, and if, I would overthink my web browsing behavior. For regular websites it's just too much of a hassle to use advanced fingerprinting methods

[-] RovingFox@infosec.pub 1 points 11 months ago

How do you know they don't use "advanced techniques"? I think you gravely overestimate the complexity of adding them to a website.

this post was submitted on 14 Jan 2024
52 points (98.1% liked)

Privacy

32482 readers
231 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS