Categories
Cookies and tracking Privacy

Yup, more cookie observations

I have mentioned before that I have all cookies blocked on the phone. It’s a bit of a faff sometimes, I mean if I really need to access a site that requires a login or similar I need to re-enable cookies, do whatever I needed to do, then block cookies again, but it’s no big deal really.

And it is interesting to see what websites do not even need cookies to function, as well as which websites are so badly constructed that they do not even render anything with cookies blocked. Oh yes, and those websites that throw up a cookie banner but which still work once you are past that, of course with no actual cookies having been set.

As an example, I just visited a well known petition website to add my name. It showed the usual cookie warnings which I ignored and managed to sign the petition with no issues at all. I have an email confirmation so it worked just fine.

This brings me back to my question, should any website need to set any cookies before you enter a part that actually requires them to be set? I still say no.

Categories
Cookies and tracking Data protection Website whinging

Crumbling cookies

With the fines and threats imposed by France on Google and Facebook it was interesting to note that both Facebook and, possibly unrelated, eBay had logged me out overnight and I had a new-looking consent form presented by Facebook in the browser and eBay in the app. The Facebook app has not changed and I am still logged in.

So I had a look at Google again, specifically google.co.uk. The cookie-wall – I’m calling it that because you need to agree to get past it – looks the same as the last time. Google sets two cookies on entry, one (NID) which my cookie crunching app defines as a tracker, and another called CONSENT with a 2038 expiry date. After a short while it sets another called SNID. More success on the iPhone where I keep cookies blocked. Here, as before, the cookie-wall appears and then vanishes.

My take on this is to question why Google is setting these three cookies before I have consented to anything and, if they suggest that their product will not work without, then why does it work without? To my simple mind nothing should set any cookies until I agree, and even then the only cookie that should be set if I do not agree is one indicating this so it knows next time. Of course, strictly necessary cookies are excepted, but I would argue that no such cookie is needed until I explicitly request a service for which they are required. This would, or at least surely should, never happen on a website’s entry page, with the exception of sites that require a login before one can access, and even there surely there will be a not-logged-in page where no cookies are required until one logs in.

Categories
Cookies and tracking Website whinging

Google, sort-of positive

I know I whinge about Google from time to time but they do give me 15Gb of storage, of which I use a tiny amount and only for Gmail (which is also free of course). Having just received an email about account charges for dormant accounts or those using too much space I thought I would check, and managed to free up an extra 20Mb or so meaning I am using about 300Mb now for Gmail, much of which is me being too lazy to delete emails or pull attachments off onto local storage.

Yes, it does of course mean all those emails are sitting in Google somewhere and can be searched, but these days be honest, if you really don’t want The World to see something don’t put it on the Internet in the first place. Speaking as a privacy advocate and, indeed as a privacy researcher (Ph.D. in Internet privacy, 2017) you do need to take some responsibility for your own privacy. Encrypt important emails and let them scan all the remaining dross, ‘them’ here being all the nameless agencies around the globe rather than Google who, at the end of the day need to make money somehow in order to give us 15Gb of storage for free.

I’ve been in this game for a long time now and I remember Google when it was new. They made such a difference to web searches – anyone remember AltaVista? I ran Google Search Appliances for a number of years too which dramatically improved searches for our corporate websites.

But I will not stop whinging about the whole let’s track everyone across everywhere and see what they are looking for so we can tailor adverts to them… sorry.

Categories
Cookies and tracking

Another Google cookie change

I keep all cookies blocked on the phone unless I actually need to visit a site that uses them for a purpose that I decide is required, e.g. a login function. Even then, after I have finished and while still on whatever website it was I block cookies again and delete all web content (the iPhone option, YMMV).

Not long ago things changed at Google making it impossible to access unless cookies were enabled. I reported this at https://jmh.one/index.php/2020/10/30/google-learns/. Now this seems to have been reversed and once again I find I can visit Google and the cookie warning / acceptance box appears and then vanishes. For a while now I’ve been using Duckduckgo for web searches but the Google cookie-wall-box did prevent me accessing YouTube for a while. So it’s rather handy that the cookie-wall-box has somehow changed back to performing its useful vanishing trick.

Of course, this may all be unrelated to Google, or perhaps I am hitting a different node now and there are configuration differences, who knows. But it’s a useful feature/bug nonetheless.

Categories
Cookies and tracking Website whinging

Cookie madness

Just came across a website that takes the biscuit (or cookie in this case). It first threw up a box asking if it can set cookies with two options, agree or refuse. I refused. It then indicated it was deleting the cookies it had clearly set before asking, and diverted me to a Google page which, of course sets even more cookies, and throws up a typical Google-esque box demanding I agree or go into some extended q&a session. Ugh. Why do people still get this stuff so wrong?

Categories
Cookies and tracking Website whinging

Cookie bar confusion

I had reason to visit an information website today and caught sight of the cookie bar, helpfully placed at the bottom of the screen. One mark there for not having the usual almost-a-full-page cookie warning box. But it raises some interesting questions.

Consider the cookie bar:

Ok. Teasing that statement out logically, if one does nothing at all then one would surely not expect any cookies to be set. Well, six are, two of which are Google cookies and considered to be trackers. This is poor. If one clicks anywhere or clicks the Accept button then yes, cookies are set. Personally I do not agree with the ‘clicking into the content’ part and it raises a further question. If one is to determine what types of cookie to accept then it is necessary to click on the ‘cookie settings’ or the ‘cookie policy’. These are part of the same website and are thus part of the content. So, does clicking on either of these – a necessary function before one accepts cookies – constitute ‘clicking into the content’?

The cookie policy itself lists several Google cookies as strictly necessary. Personally, I would disagree with that as I am sure others would agree.

Cookies, other than those which are genuinely necessary for the website to function, are only supposed to be set with informed consent. This means the user needs to understand what the cookies are doing and then give a positive indication that they accept that cookies will be set. Most websites now give choices as to what classes of cookie can be set and this is useful. But many, many websites still set unnecessary cookies before the user even gives consent. To my mind, the only cookie that should be set regardless is the one that records one’s cookie choices. I would consider that to be strictly necessary given what it does. Tracking cookies are never necessary for a site to function, and classes of cookie that are strictly necessary really ought to be limited to those without which a website cannot function – for example, shopping carts, and even then the shopping cart does not need to be in place when one first visits a website. If a site has been designed which cannot function without cookies and has no cart (or similar) functionality at that stage then I would strongly suggest the designer has got it badly wrong.

Categories
Cookies and tracking

Google learns…

It seems that Google have fixed the rather useful feature, sorry, bug whereby if you browse to any Google site with cookies disabled it would throw up the cookie warning but clicking ‘I agree’ made that go away while not being able to actually set any cookies. Of course, the warning would come back on every visit but only one extra click needed and still no infernal cookies.

Now, the warning box does not clear when you click ‘I agree’ and so there is no way to run a Google search and refuse all cookies. Oh well, I’ve not actually used Google for some time now anyway. Duckduckgo FTW.

It is interesting to note that faults in software are generally classed (ok, mostly tongue-in-cheek) as features by the manufacturer but bugs by the users. Here, their bug was our feature, and was useful for a short while.

But surely this constitutes a cookie wall? I wonder… because those are generally outlawed.

Categories
Cookies and tracking Website whinging

Cookie consent box strangeness

Just recently I noticed that Google has changed the way the cookie consent reminder works. In the past it used to count down and then attempt to force you into the consent process but clearing the cookies reset this. Now there is no way past. I’ve not used Google for searches for some time now but Google Maps is handy sometimes. The iPhone app does not do this so presumably that has some other consent mechanism.

Dilbert, which I always visit daily has also started now to throw up a consent screen that one cannot get past. I wonder if these are both as a result of Schrems II. I have not checked what Google set but the Dilbert website sets 17 cookies while asking for consent to set cookies. As I use a cookie cruncher on the Mac that deletes cookies that I have not flagged as wanted every minute this is a minor issue and I always now clear cookies before visiting other websites to avoid them tracking me across sites.

On the iPhone I have all cookies blocked and so clicking on any ‘accept’ button makes no difference but does usually get past the screens. Google is interesting though because here, Google pops up the consent screen and it then immediately vanishes. I expect that will be ‘fixed’ soon though.

Categories
Cookies and tracking

Cookies – the good, the bad and the mouldy…

We are now several years into the changes in law which became known as the cookie law. Since then, the EU has enacted the GDPR which has added some urgency to ensuring that websites are compliant in the area of cookies and other stored information such as pixel trackers. The GDPR confirmed the consent requirements and national data protection organisations are taking an increasing interest in this area.

The basic requirements are that websites gain informed consent before storing cookies unless those cookies are what is termed ‘strictly necessary’. These strictly necessary cookies include those set in order to provide a service that the user specifically requested, for example to log into a website or carry out functions associated with shopping carts. It clearly does not include analytics cookies or the plethora of advertising and marketing cookies. Website designers may argue that their website will not function without cookies and where that functionality is a shopping cart I would agree. However, if the functionality in question is so the website can remember my shoe size this is not strictly necessary and I would expect to have to give my informed consent before such a cookie is stored.

Informed consent is key. It means that the user must be informed of why a cookie is being set and must then consent to it being set. And there’s the thing – I can permit the website to set cookies and consent to those cookies being set by advertisers such that they are also accessible to other websites, but I should not be forced to do so, I should understand what it means, and it should not be automatic. One may argue here that five pages of legalese indicating why a cookie is set is not a particularly valid way to inform the user.

There is also the issue of pre-checked options although this is lessened if there is a ‘reject all’ button as some websites have. Websites should not use pre-checked consent boxes but there is give and take here, in particular where the user can actively refuse cookies. However, to take the letter of the law the practice is not legal and you must not use pre-checked boxes in this way.

Cookies in the real world?

If I look at a product in a shop and an assistant comes to me and tells me there is an alternative, or better product then that presents me with no issue. However, if I then go to a different shop I do not expect someone to then show me products like the ones I just viewed in the first shop unless I specifically ask. And there is the difference, I can choose to ask or not. So why are tracking cookies any different?

And I certainly do not expect to go into a newsagents and pick up a paper only to have 33 sticky notes stuck on me from 33 other papers, each saying I do not want them to send me anything. Mind you, I don’t buy newspapers…

You must comply

This brings us to the question of cookie walls. Here, a website forces you to agree to their cookie policy before you can even see the website. In my opinion any such website should simply be ignored. Why, for example should I need to consent to it storing cookies just so I can see their email address or other contact details?

And I do object when I find a website that offers me a choice of some 400 advertising partners and lets me deselect each one, one by one. It’s far easier to just visit some other website. And let’s not get into discussion over the numerous websites which have a privacy and cookie notice hosted on some other website at a completely different URL which also sets its own cookies! One particularly famous website gave me a large privacy notice that I could not get past without either accepting or drilling down through layers of options. It was somewhat amusing to count over 400 partner sites that may get my data, and also drilling down further I got to a different, presumably parent website at a completely different URL. Needless to say this was an example of a US website.

Obfuscated messages

It is not always obvious how one even deselects cookies when consenting. The use of graphical sliders to allow or refuse cookies may be obvious when it is visually clear that green is go and red is not. So why do some websites choose shades of grey, and others just have a black slider with no indication of which way is off? This is not rocket science. Some websites use a simple tick box – surely that is sufficient? Can you imagine the problems in a fast food outlet where you end up with a spicy burger and a sugar laden drink because the options for ‘not spicy’ and ‘diet free’ were just black balls on a grey background?

Fighting back

So, to recap, cookies which are strictly necessary can be set by a website without consent when you visit it but these are a tightly defined subset of cookies which are actually necessary for a website to do what you want, not what it wants. Any other cookie must only be set once the user has given their informed consent. Cookies which store one’s choice here can be accepted as strictly necessary. Thus, a website storing a cookie to save your cookie choices for that website is ok as it is associated with you actually requesting something.

However, some websites, particularly media types, take this to mean it is ok for each and every one of their partner sites to also set a cookie to save your choice. To me this is bad programming – why are you causing my browser to visit each of your partner websites in order for each one to then store a cookie saying I do not want you to send me cookies from them? One newspaper website I visited and immediately selected ‘reject all’ on its cookie notice caused 33 individual cookies to be set.

It is sometimes amusing watching websites fail miserably when cookies are disabled in the browser. Some throw you off and demand you allow cookies, some struggle, some have no issues at all. I found one that displays nothing and constantly reloads itself trying to set a cookie. I suspect someone got their cookie sensing code a bit wrong there.

It is less amusing to struggle through a website’s cookie notice and deselect everything only then to be told I can get no further because I use an ad blocker. But wait, if the ad blocker checker is cookie based and I deselected cookies how come it even works?

Remember that tracking cookies are no use if they are not available when you visit other websites. So, for example you visit website A and you have no cookies set at all. Website A sets a tracking cookie served by website C. You then visit website B and it can read the tracking cookie set by website A and thus data about you can be transferred. But if you delete the cookie before you visit website B then that website cannot know. This is oversimplified but essentially is how you end up stalked by adverts.
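The mechanism described above, modelled in code as an added example (not from the original post). In practice the cookie belongs to tracker C, and the browser sends it back to C from every page that embeds C, which is how visits to A and B get linked; deleting it between visits breaks the link. All hostnames and the cookie name uid are made up for illustration.

```javascript
// Minimal model of a browser cookie jar and a third-party tracker.
// Hostnames and the cookie name "uid" are constructed for illustration.

class Browser {
  constructor() {
    this.jar = new Map(); // cookie-owning host -> Map(name -> value)
  }
  // Load a page; each embedded resource triggers a request to its own host.
  visit(pageHost, embeddedHosts, servers) {
    for (const host of embeddedHosts) {
      // Only cookies owned by the requested host are sent, together with
      // a Referer that reveals which page embedded the resource.
      const cookies = Object.fromEntries(this.jar.get(host) || []);
      const response = servers[host].handle({ cookies, referer: pageHost });
      for (const [name, value] of Object.entries(response.setCookie || {})) {
        if (!this.jar.has(host)) this.jar.set(host, new Map());
        this.jar.get(host).set(name, value);
      }
    }
  }
  deleteAllCookies() {
    this.jar.clear();
  }
}

class Tracker {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // uid -> pages on which this uid was seen
  }
  handle({ cookies, referer }) {
    let uid = cookies.uid;
    const response = {};
    if (!uid) {
      // No cookie presented: treat as a new visitor and issue an identifier.
      uid = `u${this.nextId++}`;
      response.setCookie = { uid };
    }
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(referer);
    return response;
  }
}

// Visit site A, optionally delete cookies, then visit site B.
// Returns the browsing profiles the tracker ends up holding.
function simulate(deleteBetweenVisits) {
  const tracker = new Tracker();
  const servers = { "tracker-c.example": tracker };
  const browser = new Browser();
  browser.visit("site-a.example", ["tracker-c.example"], servers);
  if (deleteBetweenVisits) browser.deleteAllCookies();
  browser.visit("site-b.example", ["tracker-c.example"], servers);
  return [...tracker.profiles.values()];
}

console.log(simulate(false)); // one profile covering both sites
console.log(simulate(true));  // two separate single-site profiles
```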

Personally, I address this in a specific way. Cookies are always turned off on my phone. Yes, it means there are some things I cannot do because they require me to log in, but if I absolutely have to use the phone for those then I can quickly turn cookies back on, do the work, then delete the cookies. On the laptop I now use an app which allows me to choose what cookies I want to keep from each website I use. So, for example I can allow any login function cookies for the various web-based forums I visit. The app is set to delete any unwanted cookies after a minute or there is a button to delete immediately. Using this, I can visit a website and delete all its cookies right away. Of course, this is personal preference and suits me because I have always been security conscious. And other browsers have other mechanisms. I do recommend that you investigate something which suits you. I would also recommend that you take a look at what cookies your browser has stored, you’ll probably be amazed!

It’s not all bad news. There are some really well thought out websites out there. An example is where a website has a very simple line at the bottom, with cookie options not pre-checked and a button to accept or otherwise. Many, many websites run by organisations with insane amounts of money (and therefore buying power when it comes to website design) could learn from this.

Chocolate chip anyone?

Categories
Cookies and tracking

Cookie madness continues…

These guys are having a laugh, but not as much as similar others. This is from a newspaper website after I clicked Reject All on their cookie acceptance form…

The Yes/No column indicates if a cookie is secure. But that’s not the issue I have here, the issue is it still set 20 cookies, including Google and other trackers even though I used the reject option. And note the rather adventurous deletion date of the second cookie, the year 3019.

Their reason for so many is that they claim the following uses of cookies are ‘necessary’: ‘Information storage and access’, ‘Personalisation’, ‘Ad selection, delivery, reporting’, ‘Content selection, delivery, reporting’, and ‘Measurement’. I beg to differ! Oh, and on Google, that is specifically deselected when one presses Reject All and yet their cookies are still being set. Hmmm.
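An added example (not part of the original post) of checking such a list automatically: it parses Set-Cookie headers captured after a ‘Reject All’ click and flags third-party cookies, missing Secure flags and very long lifetimes. The captured headers, hostnames, cookie names, the audit date and the one-year threshold are all constructed assumptions.

```javascript
// Audit of cookies set after the visitor chose "Reject All".
// All headers, hostnames and cookie names below are constructed samples.
const PAGE_HOST = "news.example";
const CONSENT_COOKIE = "consent_choice"; // assumed name of the cookie recording the choice
const MAX_DAYS = 365;                    // assumed threshold for an "excessive" lifetime
const NOW = Date.UTC(2019, 0, 1);        // fixed audit time so results are reproducible
const CAPTURED = [ // [host that sent the header, Set-Cookie value]
  ["news.example", "consent_choice=reject; Max-Age=15552000; Path=/; Secure"],
  ["news.example", "session_hint=abc; Path=/"],
  ["ads.tracker.example", "uid=7f3a; Expires=Fri, 01 Jan 3019 00:00:00 GMT; Path=/"],
  ["metrics.example", "vid=99; Max-Age=63072000; Secure; SameSite=None"],
];

// Split "name=value; Attr=val; Flag" into a name, value and attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days; Max-Age takes precedence over Expires (RFC 6265).
function lifetimeDays(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 86400000;
  return 0; // session cookie, gone when the browser closes
}

// Simplified host comparison; a real audit would use the Public Suffix List.
function isThirdParty(setBy, pageHost) {
  return setBy !== pageHost && !setBy.endsWith("." + pageHost);
}

function audit(captured, pageHost, now) {
  const findings = [];
  for (const [setBy, header] of captured) {
    const c = parseSetCookie(header);
    const days = lifetimeDays(c.attrs, now);
    const issues = [];
    if (isThirdParty(setBy, pageHost)) issues.push("third-party");
    if (!c.attrs.secure) issues.push("no Secure flag");
    if (days > MAX_DAYS) issues.push(`lifetime ~${Math.round(days / 365.25)}y`);
    // Anything other than the choice cookie needs a "strictly necessary" case.
    if (c.name !== CONSENT_COOKIE) issues.push("set after reject");
    if (issues.length) findings.push({ setBy, name: c.name, issues });
  }
  return findings;
}

console.log(audit(CAPTURED, PAGE_HOST, NOW));
```

The script cannot decide whether a first-party cookie is strictly necessary; it only lists what was set after the refusal so each entry can be justified or removed.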