Categories
Cookies and tracking

Cookies under attack

So, Max Schrems is going to have a go now at cookie banners, so many of which are either confusing or downright illegal.

Not specifically picking on them but Forbes is a case in point. It throws up the usual huge cookie page and when you go to choose (rather than just click click click accept everything), after scrolling down a very long way one finds a ‘reject all’ button. But it still sets 15 cookies that the Brave browser blocks and a further 11 that get through.

Ironically I was looking for info about WhatsApp’s latest about turn on its new forcing of users to accept its new privacy T&Cs. This led me to the Forbes story on the issue…

I have cookies disabled on one of the browsers I use and it’s always amusing to see sites screaming that they will not work without cookies… and yet they all seem to work just fine (obviously, shopping carts and such excepted), although you do meet the occasional website that just cycles endlessly trying and failing to set a cookie and showing a blank page. Well done guys. Nice.

Categories
Cookies and tracking Web content Website whinging

Trust

Trust in websites is under attack and has been for some time now. These days it is really very hard to know what website to trust and which to avoid, which produce valid, trustable news stories and which are fake, even which product reviews are valid and which are misleadingly good and may even have been paid for. Fake websites include those that wish, among other things, to deprive you of your hard-earned cash, or persuade you that voting ‘x’ is what you must do.

A recent win for Microsoft in a private trademark case highlights part of the issue and I have witnessed similar first hand. It transpired that scammers had passed themselves off as Microsoft or Microsoft partners and used various trademarks owned by Microsoft. This was all related to those well known ‘your computer has a virus’ type phonecalls and pop-up adverts. I have worked on cases regarding academic integrity and websites passing off as our own and so this case is interesting to me. However, it serves to highlight just how easy it is to get someone to trust you by throwing up a website which looks identical to a company that you do trust, or at least you know of.

To make matters worse, there are now so many domain variants available that it is very difficult to fully protect one’s brand. Again, I was very active here in the past and I could, for example, buy and activate domains similar to those used by people who created websites to pass off as our own. It was not helped one bit when Nominet decided to sell single-letter domains such as ‘a.uk’ where typo-squatting was then made easy, for example mistyping xyz.ac.uk as xyz.a.uk. Some years ago the Ascension Islands opened up their ‘.ac’ domain, again causing confusion where people would register xyz.ac hoping to trap typos from xyz.ac.uk. Just how far one goes buying any domains that come close to your own is a very difficult question and can result in large spends.
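An added example, not part of the original post: a brand owner's watch-list generator that covers the two slips named above (a dropped character, as in xyz.a.uk, and a dropped trailing label, as in xyz.ac) plus adjacent swaps, and reports which parent domain would have to be owned to serve each near-miss. The function names are hypothetical and `SUFFIXES` is a small constructed stand-in for the Public Suffix List.

```python
def is_hostname(name):
    """True if there are at least two labels, none empty or hyphen-edged."""
    labels = name.split(".")
    return len(labels) >= 2 and all(
        l and not l.startswith("-") and not l.endswith("-") for l in labels)

def registrable_parent(name, suffixes):
    """Longest matching suffix plus one label, or None if no suffix matches."""
    labels = name.split(".")
    for keep in range(len(labels) - 1, 0, -1):  # try the longest suffix first
        if ".".join(labels[-keep:]) in suffixes:
            return ".".join(labels[-keep - 1:])
    return None

def watch_list(domain, suffixes):
    """Map each near-miss hostname to (typing slip, parent domain to monitor)."""
    found = {}

    def add(cand, slip):
        parent = registrable_parent(cand, suffixes) if is_hostname(cand) else None
        if cand != domain and parent:
            found.setdefault(cand, (slip, parent))

    for i, ch in enumerate(domain):
        add(domain[:i] + domain[i + 1:], f"omitted {ch!r}")
        if i + 1 < len(domain):
            nxt = domain[i + 1]
            add(domain[:i] + nxt + ch + domain[i + 2:], f"swapped {ch!r} and {nxt!r}")
    labels = domain.split(".")
    for n in range(1, len(labels) - 1):
        add(".".join(labels[:-n]), "dropped trailing label(s)")
    return found

# Constructed suffix set (assumption); a real check would load the Public Suffix List.
SUFFIXES = {"uk", "ac.uk", "co.uk", "ac"}

if __name__ == "__main__":
    for host, (slip, parent) in sorted(watch_list("xyz.ac.uk", SUFFIXES).items()):
        print(f"{host:12} {slip:26} monitor: {parent}")
```

For xyz.a.uk the parent to monitor is a.uk, not a name containing the brand, which is why single-letter second-level domains make this slip cheap to catch for whoever holds them.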

Encryption, aimed at promoting trust and security, does not really help. While it is laudable that one can obtain digital certificates for free, when coupled with domain squatting this can result in trust being placed where it really should not.

This is not limited to websites. Whoever thought it a good idea to allow people using IP telephony to put their actual phone number into the system on trust was just daft. You can no longer assume that a call comes from the number shown in the caller-ID, and if someone by chance or design fakes their number to be one already in your contacts lists, well, you can see that going badly for the recipient.

So, where are we? Well, anyone can throw up a website, for free or very little cost. Anyone can grab the design of a valid website and repurpose it as their own scammer base. Anyone can buy just about any domain regardless of how close it is to a real company URL, set up email addresses and either wait for hits or advertise the fake website somehow. And this is without doing anything actually half clever like using malware. And it does not stop there. I worked on a case where a website had a valid-looking address in the City of London. Calls to the building management (an office block with lots of various companies) found no such name on record. In the event I was close to retirement and let this one slide, but I can just imagine some mailroom employee diverting any received post to the scammer. My longest running case took seven years but I finally had a foreign-based fake website closed down after radically disrupting their ‘business’.

To answer my ‘where are we?’ question in part all I can say is it has become very hard to trust any information on the web, and that’s a crying shame. The scammers are like a virus – they are killing their host. How we can stop people becoming a victim I do not know. For myself, I begin by trusting nothing and I use my decades of experience to parse what I see and determine whether or not it is valid. Mobile phone calls from numbers not in my contacts are ignored. URLs in SMS messages or emails are NEVER clicked. If I can be bothered to I will investigate – obfuscated URLs, those where someone is attempting to be clever by mixing letters to look like something real, or adding to real-looking domains can be easier to read if pasted into a text-editor. Anything that comes from the bank will also appear in their app and so can be checked.
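An added example, not part of the original post, that automates the text-editor check for the two tricks mentioned above: letters mixed from different alphabets, and a trusted name placed in front of someone else's domain. `inspect_url`, the `.example` and `.test` hosts and the trusted list are hypothetical, constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

def letter_scripts(label):
    """Approximate the scripts in a label: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def decode_label(label):
    """Turn an xn-- (punycode) label back into the characters a browser may display."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: report the raw label instead
    return label

def inspect_url(url, trusted_domains):
    """Return (host actually contacted, list of findings worth a second look)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []
    for raw in host.split("."):
        scripts = letter_scripts(decode_label(raw))
        if len(scripts) > 1:
            findings.append(f"mixed scripts in {raw!r}: {', '.join(sorted(scripts))}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"non-Latin label {raw!r}: {', '.join(scripts)}")
    for trusted in trusted_domains:
        if host == trusted or host.endswith("." + trusted):
            continue  # the trusted name really is the end of the host
        if trusted in host:
            findings.append(f"{trusted!r} appears in the host but is not where it ends")
    return host, findings

# Constructed samples: a Cyrillic 'a' in an otherwise Latin label, and a padded host.
SAMPLES = [
    "https://\u0430pple.example/login",
    "https://mybank.example.secure-login.test/verify",
    "https://www.mybank.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(inspect_url(url, ["mybank.example", "apple.example"]))
```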

And don’t get me started on cookies!

Categories
Cookies and tracking Privacy

Yup, more cookie observations

I have mentioned before that I have all cookies blocked on the phone. It’s a bit of a faff sometimes, I mean if I really need to access a site that requires a login or similar I need to re-enable cookies, do whatever I needed to do, then block cookies again, but it’s no big deal really.

And it is interesting to see what websites do not even need cookies to function, as well as which websites are so badly constructed that they do not even render anything with cookies blocked. Oh yes, and those websites that throw up a cookie banner but which still work once you are past that, of course with no actual cookies having been set.

As an example, I just visited a well known petition website to add my name. It showed the usual cookie warnings which I ignored and managed to sign the petition with no issues at all. I have an email confirmation so it worked just fine.

This brings me back to my question, should any website need to set any cookies before you enter a part that actually requires them to be set? I still say no.

Categories
Cookies and tracking Data protection Website whinging

Crumbling cookies

With the fines and threats imposed by France on Google and Facebook it was interesting to note that both Facebook and, possibly unrelated eBay had logged me out overnight and I had a new-looking consent form presented by Facebook in the browser and eBay in the app. The Facebook app has not changed and I am still logged in.

So I had a look at Google again, specifically google.co.uk. The cookie-wall – I’m calling it that because you need to agree to get past it – looks the same as the last time. Google sets two cookies on entry, one (NID) which my cookie crunching app defines as a tracker, and another called CONSENT with a 2038 expiry date. After a short while it sets another called SNID. More success on the iPhone where I keep cookies blocked. Here, as before, the cookie-wall appears and then vanishes.

My take on this is to question why Google is setting these three cookies before I have consented to anything and, if they suggest that their product will not work without then why does it work without? To my simple mind nothing should set any cookies until I agree, and even then the only cookie that should be set if I do not agree is one indicating this so it knows next time. Of course, strictly necessary cookies are excepted, but I would argue that no such cookie is needed until I explicitly request a service for which they are required. This would, or at least surely should never happen on a website’s entry page, with the exception of sites that require a login before one can access, and even there surely there will be a not-logged-in page where no cookies are required until one logs in.

Categories
Cookies and tracking Website whinging

Google, sort-of positive

I know I whinge about Google from time to time but they do give me 15Gb of storage, of which I use a tiny amount and only for Gmail (which is also free of course). Having just received an email about account charges for dormant accounts or those using too much space I thought I would check, and managed to free up an extra 20Mb or so meaning I am using about 300Mb now for Gmail, much of which is me being too lazy to delete emails or pull attachments off onto local storage.

Yes, it does of course mean all those emails are sitting in Google somewhere and can be searched, but these days be honest, if you really don’t want The World to see something don’t put it on the Internet in the first place. Speaking as a privacy advocate and, indeed as a privacy researcher (Ph.D. in Internet privacy, 2017) you do need to take some responsibility for your own privacy. Encrypt important emails and let them scan all the remaining dross, ‘them’ here being all the nameless agencies around the globe rather than Google who, at the end of the day need to make money somehow in order to give us 15Gb of storage for free.

I’ve been in this game for a long time now and I remember Google when it was new. They made such a difference to web searches – anyone remember AltaVista? I ran Google Search Appliances for a number of years too which dramatically improved searches for our corporate websites.

But I will not stop whinging about the whole let’s track everyone across everywhere and see what they are looking for so we can tailor adverts to them… sorry.

Categories
Cookies and tracking

Another Google cookie change

I keep all cookies blocked on the phone unless I actually need to visit a site that uses them for a purpose that I decide is required, e.g. a login function. Even then, after I have finished and while still on whatever website it was I block cookies again and delete all web content (the iPhone option, YMMV).

Not long ago things changed at Google making it impossible to access unless cookies were enabled. I reported this at https://jmh.one/index.php/2020/10/30/google-learns/. Now this seems to have been reversed and once again I find I can visit Google and the cookie warning / acceptance box appears and then vanishes. For a while now I’ve been using Duckduckgo for web searches but the Google cookie-wall-box did prevent me accessing YouTube for a while. So it’s rather handy that the cookie-wall-box has somehow changed back to performing its useful vanishing trick.

Of course, this may all be unrelated to Google, or perhaps I am hitting a different node now and there are configuration differences, who knows. But it’s a useful feature/bug nonetheless.

Categories
Cookies and tracking Website whinging

Cookie madness

Just came across a website that takes the biscuit (or cookie in this case). It first threw up a box asking if it can set cookies with two options, agree or refuse. I refused. It then indicated it was deleting the cookies it had clearly set before asking, and diverted me to a Google page which, of course sets even more cookies, and throws up a typical Google-esque box demanding I agree or go into some extended q&a session. Ugh. Why do people still get this stuff so wrong?

Categories
Cookies and tracking Website whinging

Cookie bar confusion

I had reason to visit an information website today and caught sight of the cookie bar, helpfully placed at the bottom of the screen. One mark there for not having the usual almost-a-full-page cookie warning box. But it raises some interesting questions.

Consider the cookie bar:

Ok. Teasing that statement out logically, if one does nothing at all then one would surely not expect any cookies to be set. Well, six are, two of which are Google cookies and considered to be trackers. This is poor. If one clicks anywhere or clicks the Accept button then yes, cookies are set. Personally I do not agree with the ‘clicking into the content’ part and it raises a further question. If one is to determine what types of cookie to accept then it is necessary to click on the ‘cookie settings’ or the ‘cookie policy’. These are part of the same website and are thus part of the content. So, does clicking on either of these – a necessary function before one accepts cookies – constitute ‘clicking into the content’?

The cookie policy itself lists several Google cookies as strictly necessary. Personally, I would disagree with that as I am sure others would agree.

Cookies, other than those which are genuinely necessary for the website to function, are only supposed to be set with informed consent. This means the user needs to understand what the cookies are doing and then give a positive indication that they accept that cookies will be set. Most websites now give choices as to what classes of cookie can be set and this is useful. But many, many websites still set unnecessary cookies before the user even gives consent. To my mind, the only cookie that should be set regardless is the one that records one’s cookie choices. I would consider that to be strictly necessary given what it does. Tracking cookies are never necessary for a site to function, and classes of cookie that are strictly necessary really ought to be limited to those for which a website cannot function without – for example, shopping carts, and even then the shopping cart does not need to be in place when one first visits a website. If a site has been designed which cannot function without cookies and has no cart (or similar) functionality at that stage then I would strongly suggest the designer has got it badly wrong.
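An added example, not part of the original posts: the rule stated here and in ‘Crumbling cookies’ (before any consent click, nothing but the choice-recording cookie should be set) written as a check over the Set-Cookie headers of a first response. The cookie names come from the Google post above; the values, attributes, function names and the treatment of CONSENT as the choice-recording cookie are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes); attribute keys lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """Whole days until expiry, or None for a session cookie. Max-Age wins over Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).days
    return None

def pre_consent_violations(headers, choice_cookies, now):
    """Cookies set before any consent click, other than the choice-recording ones."""
    out = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in choice_cookies:
            continue
        out.append({
            "name": name,
            "days": lifetime_days(attrs, now),  # a long lifetime outlives the visit
            "cross_site": attrs.get("samesite", "").lower() == "none",
        })
    return out

# Constructed headers as a first page load might return them, before any click.
SAMPLE = [
    "NID=constructed-value; Max-Age=15811200; Path=/; Secure; HttpOnly; SameSite=None",
    "CONSENT=constructed-value; Expires=Tue, 19 Jan 2038 03:14:07 GMT; Path=/; Secure",
    "SNID=constructed-value; Path=/verify; Secure; HttpOnly",
]
NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)  # fixed so the result is repeatable

if __name__ == "__main__":
    # Assumption: CONSENT is the cookie that records the visitor's choice.
    for violation in pre_consent_violations(SAMPLE, {"CONSENT"}, NOW):
        print(violation)
```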

Categories
Cookies and tracking

Google learns…

It seems that Google have fixed the rather useful feature, sorry, bug whereby if you browse to any Google site with cookies disabled it would throw up the cookie warning but clicking ‘I agree’ made that go away while not being able to actually set any cookies. Of course, the warning would come back on every visit but only one extra click needed and still no infernal cookies.

Now, the warning box does not clear when you click ‘I agree’ and so there is no way to run a Google search and refuse all cookies. Oh well, I’ve not actually used Google for some time now anyway. Duckduckgo FTW.

It is interesting to note that faults in software are generally classed (ok, mostly tongue-in-cheek) as features by the manufacturer but bugs by the users. Here, their bug was our feature, and was useful for a short while.

But surely this constitutes a cookie wall? I wonder… because those are generally outlawed.

Categories
Cookies and tracking Website whinging

Cookie consent box strangeness

Just recently I noticed that Google has changed the way the cookie consent reminder works. In the past it used to count down and then attempt to force you into the consent process but clearing the cookies reset this. Now there is no way past. I’ve not used Google for searches for some time now but Google Maps is handy sometimes. The iPhone app does not do this so presumably that has some other consent mechanism.

Dilbert, which I always visit daily has also started now to throw up a consent screen that one cannot get past. I wonder if these are both as a result of Schrems II. I have not checked what Google set but the Dilbert website sets 17 cookies while asking for consent to set cookies. As I use a cookie cruncher on the Mac that deletes cookies that I have not flagged as wanted every minute this is a minor issue and I always now clear cookies before visiting other websites to avoid them tracking me across sites.

On the iPhone I have all cookies blocked and so clicking on any ‘accept’ button makes no difference but does usually get past the screens. Google is interesting though because here, Google pops up the consent screen and it then immediately vanishes. I expect that will be ‘fixed’ soon though.