Categories
Cookies and tracking Data protection Website whinging

Crumbling cookies

With the fines and threats imposed by France on Google and Facebook it was interesting to note that both Facebook and, possibly unrelated, eBay had logged me out overnight and I had a new-looking consent form presented by Facebook in the browser and eBay in the app. The Facebook app has not changed and I am still logged in.

So I had a look at Google again, specifically google.co.uk. The cookie-wall – I’m calling it that because you need to agree to get past it – looks the same as the last time. Google sets two cookies on entry, one (NID) which my cookie crunching app defines as a tracker, and another called CONSENT with a 2038 expiry date. After a short while it sets another called SNID. More success on the iPhone where I keep cookies blocked. Here, as before, the cookie-wall appears and then vanishes.

My take on this is to question why Google is setting these three cookies before I have consented to anything and, if they suggest that their product will not work without, then why does it work without? To my simple mind nothing should set any cookies until I agree, and even then the only cookie that should be set if I do not agree is one indicating this so it knows next time. Of course, strictly necessary cookies are excepted, but I would argue that no such cookie is needed until I explicitly request a service for which they are required. This would, or at least surely should never happen on a website’s entry page, with the exception of sites that require a login before one can access, and even there surely there will be a not-logged-in page where no cookies are required until one logs in.

Categories
Privacy Security Website whinging

Failed circular verification

So, you need access to a Google doc but when you log in Google senses that the PC has not been used before and is suspicious. It needs verification.

Ok, first off, this is not me. I have access to Google etc. And verification is a great idea. But there is a hole and as yet we’ve not found the bottom.

Verification is all very well provided you can actually do what is required. But what about where your verification is your works telephone and you did not enter a mobile number, nor do you want to tell Google your mobile number anyway?

Google has ‘other ways’ to verify you. Following this path it sends you a code to an email address. The only email address in use was the works one. The code came but this is not enough. Google still wants to send a text to a phone – it still wants that mobile number you don’t want to put in. This ends up being circular, with another code being emailed and, once again another request for a mobile.

In the end it was quicker to ask the document owner to simply email it rather than trying to reach the bottom of the hole being dug by Google.

Categories
Cookies and tracking Website whinging

Google, sort-of positive

I know I whinge about Google from time to time but they do give me 15Gb of storage, of which I use a tiny amount and only for Gmail (which is also free of course). Having just received an email about account charges for dormant accounts or those using too much space I thought I would check, and managed to free up an extra 20Mb or so meaning I am using about 300Mb now for Gmail, much of which is me being too lazy to delete emails or pull attachments off onto local storage.

Yes, it does of course mean all those emails are sitting in Google somewhere and can be searched, but these days be honest, if you really don’t want The World to see something don’t put it on the Internet in the first place. Speaking as a privacy advocate and, indeed as a privacy researcher (Ph.D. in Internet privacy, 2017) you do need to take some responsibility for your own privacy. Encrypt important emails and let them scan all the remaining dross, ‘them’ here being all the nameless agencies around the globe rather than Google who, at the end of the day need to make money somehow in order to give us 15Gb of storage for free.

I’ve been in this game for a long time now and I remember Google when it was new. They made such a difference to web searches – anyone remember AltaVista? I ran Google Search Appliances for a number of years too which dramatically improved searches for our corporate websites.

But I will not stop whinging about the whole let’s track everyone across everywhere and see what they are looking for so we can tailor adverts to them… sorry.

Categories
Website whinging

Website crashes

Once again we see a company spiralling into nonexistence along with the associated sales on their website and the associated flooring of said website by people wanting to buy.

Surely it’s time that website designers actually sorted things like this out? Time and again companies and governments throw up websites which are backend heavy to the extent that once over a certain threshold the backend cannot cope and sulks off into the 500 corner.

While I can accept this – professionally speaking (or as was before I retired anyway!) – a small website crashing under unexpected load, I cannot accept that a website that is actually designed to provide a user experience under load is put together in a way that it falls over. This is the 21st Century and this stuff is not rocket science. It’s not a DDoS attack, it’s actual people wanting to access a website! Governments are not excepted from this criticism – we’ve seen what our own lot manages to do recently. And surely the crashes caused by everyone and their dog jumping at online shopping sites due to COVID should be fresh in the memory of every web designer?

Now, ok, getting real for a tad – yes there is bound to be a limit of what cash can buy where web hosting is concerned and budgeting for ‘what if’ situations can be hard. But look at some of the cloud based services where you can simply let it run wild and pay for the extra horsepower second by second as needed. Given the unpredictability I can almost – I stress almost – accept a queuing system, but what really gets me is that someone implements a queueing system which itself overloads and errors! Good grief…

Categories
Cookies and tracking Website whinging

Cookie madness

Just came across a website that takes the biscuit (or cookie in this case). It first threw up a box asking if it can set cookies with two options, agree or refuse. I refused. It then indicated it was deleting the cookies it had clearly set before asking, and diverted me to a Google page which, of course sets even more cookies, and throws up a typical Google-esque box demanding I agree or go into some extended q&a session. Ugh. Why do people still get this stuff so wrong?

Categories
Cookies and tracking Website whinging

Cookie bar confusion

I had reason to visit an information website today and caught sight of the cookie bar, helpfully placed at the bottom of the screen. One mark there for not having the usual almost-a-full-page cookie warning box. But it raises some interesting questions.

Consider the cookie bar:

Ok. Teasing that statement out logically, if one does nothing at all then one would surely not expect any cookies to be set. Well, six are, two of which are Google cookies and considered to be trackers. This is poor. If one clicks anywhere or clicks the Accept button then yes, cookies are set. Personally I do not agree with the ‘clicking into the content’ part and it raises a further question. If one is to determine what types of cookie to accept then it is necessary to click on the ‘cookie settings’ or the ‘cookie policy’. These are part of the same website and are thus part of the content. So, does clicking on either of these – a necessary function before one accepts cookies – constitute ‘clicking into the content’?

The cookie policy itself lists several Google cookies as strictly necessary. Personally, I would disagree with that as I am sure others would agree.

Cookies, other than those which are genuinely necessary for the website to function, are only supposed to be set with informed consent. This means the user needs to understand what the cookies are doing and then give a positive indication that they accept that cookies will be set. Most websites now give choices as to what classes of cookie can be set and this is useful. But many, many websites still set unnecessary cookies before the user even gives consent. To my mind, the only cookie that should be set regardless is the one that records one’s cookie choices. I would consider that to be strictly necessary given what it does. Tracking cookies are never necessary for a site to function, and classes of cookie that are strictly necessary really ought to be limited to those for which a website cannot function without – for example, shopping carts, and even then the shopping cart does not need to be in place when one first visits a website. If a site has been designed which cannot function without cookies and has no cart (or similar) functionality at that stage then I would strongly suggest the designer has got it badly wrong.
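The rule argued above (before consent, nothing beyond the cookie that records the visitor's choice) can be checked mechanically against the `Set-Cookie` headers captured on a first visit. The following is an added example, not code from this blog or from any site mentioned; the host names, cookie names, the one-year lifetime threshold and the sample headers are all constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_days(attrs, now):
    """Days until expiry; Max-Age takes precedence; None means a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit_pre_consent(observed, site, allowed, now, max_days=365):
    """observed: (responding host, Set-Cookie value) pairs seen before any consent click."""
    findings = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        first_party = host == site or host.endswith("." + site)
        if first_party and name in allowed:
            continue  # the consent-choice record itself is the one permitted cookie
        reasons = ["set before consent"]
        if not first_party:
            reasons.append("third-party host " + host)
        days = lifetime_days(attrs, now)
        if days is not None and days > max_days:  # threshold is an assumption
            reasons.append("lifetime %d days" % days)
        findings.append((name, reasons))
    return findings

# Constructed sample: what a first page load might return before any button is pressed.
NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)
SAMPLE_COOKIES = [
    ("www.example.test", "cookie_choices=none; Path=/; Max-Age=15552000; Secure"),
    ("www.example.test", "visitor_id=abc123; Expires=Sun, 10 Jan 2038 00:00:00 GMT; Path=/"),
    ("ads.tracker.test", "ad_sync=xyz789; Max-Age=2592000; SameSite=None; Secure"),
    ("www.example.test", "sess=1; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for name, reasons in audit_pre_consent(SAMPLE_COOKIES, "example.test", {"cookie_choices"}, NOW):
        print(name, "->", "; ".join(reasons))
```
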

Categories
Cookies and tracking Website whinging

Cookie consent box strangeness

Just recently I noticed that Google has changed the way the cookie consent reminder works. In the past it used to count down and then attempt to force you into the consent process but clearing the cookies reset this. Now there is no way past. I’ve not used Google for searches for some time now but Google Maps is handy sometimes. The iPhone app does not do this so presumably that has some other consent mechanism.

Dilbert, which I always visit daily has also started now to throw up a consent screen that one cannot get past. I wonder if these are both as a result of Schrems II. I have not checked what Google set but the Dilbert website sets 17 cookies while asking for consent to set cookies. As I use a cookie cruncher on the Mac that deletes cookies that I have not flagged as wanted every minute this is a minor issue and I always now clear cookies before visiting other websites to avoid them tracking me across sites.

On the iPhone I have all cookies blocked and so clicking on any ‘accept’ button makes no difference but does usually get past the screens. Google is interesting though because here, Google pops up the consent screen and it then immediately vanishes. I expect that will be ‘fixed’ soon though.

Categories
Web content Website whinging

The trouble with web searches

These days finding information on the web is tedious at best. You almost need to go in knowing the answers in order to judge whether the information revealed by your search is even close to the mark.

For example, searching for “west yorkshire lockdown” on Duckduckgo finds a piece from the Yorkshire Post which immediately throws up a cookie screen and is, of course laden with adverts. I have no issue with a newspaper site having adverts, my issue is why isn’t there de facto information available via the government and if it is, why isn’t that ranked higher up? Search engines throw you to the wolves aka the advertising media for any information on just about any subject, certainly anything general in nature.

Another search, something I never expected to need to know, is to find out if one can drive through a locked down area where your start and end points are both outside said area. Again, lots of media sites, none of which come anywhere close to answering the question.

gov.uk does have information, but even here it’s not as clear as it might be. For example, I know there are current local lockdowns in effect including Bradford but gov.uk offers only “Find out what restrictions are in place if you live, work or travel in the north-west area and other affected areas.” I presume here that West Yorkshire is ‘other’ – why not spell it out to make it obvious? Are they charged per word like old telegrams were? The resultant page does list Bradford but does not mention Ilkley and yet I gathered from Facebook that it is included.  Back to Duckduckgo and a search for “ilkley lockdown” brings up a newspaper site which immediately throws up a cookie page with non-functional option links! Reloading that cured the issue and then deleting the 30 cookies it set even after I rejected them all gave some solace. Finally, that website tells me that anywhere that pays council tax to Bradford is included, specifically adding that Ilkley and Keighley are locked down. That nugget is missing from gov.uk. I did check Bradford council’s website but gave up when it shoved some survey popup at me.

Little wonder then that the masses only work on mis- or poor information from media websites whose sole aim is to push their version of reality and make money out of it. Perhaps they need to start writing this on the side of a big red bus rather than the lies of the past!

Categories
Website whinging

Do website owners ever look for errors?

Many websites nowadays have grown into enormously complex beasts with multiple bits and quite often bits that do not work. Other websites now make the journey into the site so horrendous, what with cookie popups and the occasional ‘please turn off your ad blocker’ popups that one cannot get past. I come across these almost daily when performing seemingly routine tasks or looking for information.

Where there is an error but one still needs to interact to gain something, perhaps modification to a service or to purchase something, you are then left with a struggle to find out what to do next. In some cases it is simple, go elsewhere. But in others, say, your energy provider while you are still in contract, one must persevere.

As an example, one energy provider makes the point that, in order to cancel a particular part of the service you can phone or go online.  They explain that should you phone you will be waiting in a queue so why not do it online? Oh but if so, you need to cancel before the renewal date whereas if you phone you can cancel up to 14 days after renewal. Ok, but the relevant section of the website simply never works and gives an error page saying you need to phone. The online chat also has a queueing system of course so no help there.

So, do website owners or whoever does their marketing actually look at errors? There is an issue here if they rely on external analytics providers such as Google Analytics because the analytics cookie may not be set at the point of error and may only be set at the actual generic error page. That may give a trail where someone clicks on a link on the main website which then errors, but not so if one follows the published direct URL. The web server log itself would be the saviour here but I suspect that marketers neither know about them nor have access anyway.
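What the web server log shows that the analytics trail does not can be pulled out with a short report: every 5xx response, grouped by the URL that failed and by how the visitor arrived there. This is an added example, not anything from the provider discussed; it assumes the common "combined" access log format, and the host name, paths and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def entry_kind(referer, site_host):
    """direct = no referrer (typed or published URL); internal = link from the same site."""
    if referer in ("", "-"):
        return "direct"
    return "internal" if urlsplit(referer).hostname == site_host else "external"

def server_error_report(lines, site_host):
    """Count 5xx responses per failing path, split by how the request arrived."""
    counts = defaultdict(lambda: {"direct": 0, "internal": 0, "external": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or not m["status"].startswith("5"):
            continue  # skip unparseable lines and non-error responses
        path = m["target"].split("?", 1)[0]
        counts[path][entry_kind(m["referer"], site_host)] += 1
    # Worst offenders first; path name breaks ties for a stable order.
    return sorted(counts.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))

# Constructed sample log lines (documentation IP range, invented host and paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2021:09:01:11 +0000] "GET /account/cancel HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jun/2021:09:02:40 +0000] "GET /account/cancel?ref=menu HTTP/1.1" 500 512 "https://shop.example.test/account" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jun/2021:09:01:12 +0000] "GET /error HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Jun/2021:09:05:03 +0000] "GET /account/cancel HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [01/Jun/2021:09:06:59 +0000] "GET /checkout HTTP/1.1" 503 0 "https://search.example.net/?q=energy" "Mozilla/5.0"',
    '192.0.2.14 - - [01/Jun/2021:09:07:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for path, kinds in server_error_report(SAMPLE_LOG, "shop.example.test"):
        print(path, kinds)
```

The "direct" column is the one an analytics tag loaded only on the generic error page cannot attribute to the failing URL.
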

Errors aside, I also wonder how many look into their analytics to see the number of people that failed to get any further into the site than the home page. This may be people like me that, when faced with an armoury of popups simply go elsewhere after killing all the cookies the site has set, usually without consent. Or again, people like me that persevere and choose ‘deny all’ to the cookie popup only to be presented with a popup asking me to kill my ad blocker. Again, I click away as must others. You would think that such information would be useful in order to shape the future of their website and maybe do away with the privacy invasive bits so they do not need to gain consent anyway… but I suspect that such statistics are ignored, or not available anyway.

Meanwhile, this rant has left me still needing to cancel a part of my energy contract and deciding whether to phone or wait and try online tomorrow, or apply a sledgehammer solution and cancel the direct debit with the bank and let them sort it out!

Categories
Travel Website whinging

Hotel booking websites

We recently had a short break on another continent and used a well-known booking website in order to book a hotel. Our booking was based on the information provided on, or rather through that website. There was no other source of information on the hotel in question and it seemed to suit our needs according to what information was available to us. So we were a little surprised to find that the hotel was very basic and did not compare well to the advertisement. We have since taken this up with the booking website and the advertised facilities have been changed. Of course, the website itself disclaims everything under the sun, not their fault, etc.

This leads me though to the question of trust. The web has become a rather tenuous place, what with search results generally useless unless you are very clever with search terms. Results are filled with hopeless information that is generally light years from what you want. It seems, then, that hotel booking websites are going the same way. Rely as they may on their disclaimers, where there is no other source of information regarding a hotel one must ‘trust’ what is published on these portals and lay the blame for any unforeseen issues at their door. Or are we destined to only use them for an introduction and after this communicate directly with each hotel? If so, what use are they?

Someone simply looking to book a hotel and find the best deal is going to base their decisions on what is set out before them by the booking website. Surely these websites need to take a lot more care over their advertisements. If a hotel states that it has a continental breakfast one should not expect just a bit of toast. If it says the room has a coffee maker then a coffee maker should be in the room.

To my mind these companies cannot hide behind the same kind of ‘mere conduit’ ideas that protect Internet providers because they are themselves a service. You go to them so they can help you make a choice. The Competition and Markets Authority (CMA) has already investigated the sector and carried out enforcement actions against some of these websites. Their angle is to do with competition so is not relevant in the case I outline here but I do wonder if the Advertising Standards Agency (ASA) may take an interest. I have yet to fully digest the findings as it is not an area of law in which I have practiced. However, the law is not a mystery to me and this is one of those niggling issues that I tend not to drop…