With the fines and threats imposed by France on Google and Facebook it was interesting to note that both Facebook and, possibly unrelated eBay had logged me out overnight and I had a new-looking consent form presented by Facebook in the browser and eBay in the app. The Facebook app has not changed and I am still logged in.
So I had a look at Google again, specifically google.co.uk. The cookie-wall – I’m calling it that because you need to agree to get past it – looks the same as the last time. Google sets two cookies on entry, one (NID) which my cookie crunching app defines as a tracker, and another called CONSENT with a 2038 expiry date. After a short while it sets another called SNID. More success on the iPhone where I keep cookies blocked. here, as before the cookie-wall appears and then vanishes.
My take on this is to question why Goole is setting these three cookies before I have consented to anything and, if they suggest that their product will not work without then why does it work without? To my simple mind nothing should set any cookies until I agree, and even then the only cookie that should be set if I do not agree is one indicating this so it knows next time. Of course, strictly necessary cookies are excepted, but I would argue that no such cookie is needed until I explicitly request a service for which they are required. This would, or at least surely should never happen on a websites entry page, with the exception of sites that require a login before one can access, and even there surely there will be a not-logged-in page where no cookies are required until one logs in.
So, you need access to a Google doc but when you log in Google senses that the PC has not been used before and is suspicious. It needs verification.
Ok, first off, this is not me. I have access to Google etc. And verification is a great idea. But there is a hole and as yet we’ve not found the bottom.
Verification is all very well provide you can actually do what is required. But what where your verification is your works telephone and you did not enter a mobile number, nor do you want to tell Google your mobile number anyway?
Google has ‘other ways’ to verify you. Following this path it sends you a code to an email address. The only email address in use was the works one. The code came but this is not enough. Google still wants to send a text to a phone – it still wants that mobile number you don’t want to put in. This ends up being circular, with another code being emailed and, once again another request for a mobile.
In the end it was quicker to ask the document owner to simply email it rather than trying to reach the bottom of the hole being dug by Google.
I know I whinge about Google from time to time but they do give me 15Gb of storage, of which I use a tiny amount and only for Gmail (which is also free of course). Having just received an email about account charges for dormant accounts or those using too much space I thought I would check, and managed to free up an extra 20Mb or so meaning I am using about 300Mb now for Gmail, much of which is me being too lazy to delete emails or pull attachments off onto local storage.
Yes, it does of course mean all those emails are sitting in Google somewhere and can be searched, but these days be honest, if you really don’t want The World to see something don’t put it on the Internet in the first place. Speaking as a privacy advocate and, indeed as a privacy researcher (Ph.D. in Internet privacy, 2017) you do need to take some responsibility for your own privacy. Encrypt important emails and let them scan all the remaining dross, ‘them’ here being all the nameless agencies around the globe rather than Google who, at the end of the day need to make money somehow in order to give us 15Gb of storage for free.
I’ve been in this game for a long time now and I remember Google when it was new. They made such a difference to web searches – anyone remember AltaVista? I ran Google Search Appliances for a number of years too which dramatically improved searches for our corporate websites.
But I will not stop whinging about the whole let’s track everyone across everywhere and see what they are looking for so we can tailor adverts to them… sorry.
I keep all cookies blocked on the phone unless I actually need to visit a site that uses them for a purpose that I decide is required, e.g. a login function. Even then, after I have finished and while still on whatever website it was I block cookies again and delete all web content (the iPhone option, YMMV).
Not long ago things changed at Google making it impossible to access unless cookies were enabled. I reported this at https://jmh.one/index.php/2020/10/30/google-learns/. Now this seems to have been reversed and once again I find I can visit Google and the cookie warning / acceptance box appears and then vanishes. For a while now I’ve been using Duckduckgo for web searches but the Google cookie-wall-box did prevent me accessing YouTube for a while. So it’s rather handy that the cookie-wall-box has somehow changed back to performing it’s useful vanishing trick.
Of course, this may all be unrelated to Google, or perhaps I am hitting a different node now and there are configuration differences, who knows. But it’s a useful feature/bug nonetheless.
Once again we see a company spiralling into nonexistence along with the associated sales on their website and the associated flooring of said website by people wanting to buy.
Surely it’s time that website designers actually sorted things like this out? Time and again companies and governments throw up websites which are backend heavy to the extent that once over a certain threshold the backend cannot cope and sulks off into the 500 corner.
While I can accept this – professionally speaking (or as was before I retired anyway!) – a small website crashing under unexpected load, I cannot accept that a website that is actually designed to provide a user experience under load is put together in a way that it falls over. This is the 21st Century and this stuff is not rocket science. It’s not a DDoS attack, it’s actual people wanting to access a website! Governments are not excepted from this criticism – we’ve seen what our own lot manages to do recently. And surely the crashes caused by everyone and their dog jumping at online shopping sites due to COVID should be fresh in the memory of every web designer?
Now, ok, getting real for a tad – yes there is bound to be a limit of what cash can buy where web hosting is concerned and budgeting for ‘what if’ situations can be hard. But look at some of the cloud based services where you can simply let it run wild and pay for the extra horsepower second by second as needed. Give the unpredictability I can almost – I stress almost – accept a queuing system, but what really gets me is that someone implements a queueing system which itself overloads and errors! Good grief…
Just came across a website that takes the biscuit (or cookie in this case). It first threw up a box asking if it can set cookies with two options, agree or refuse. I refused. It then indicated it was deleting the cookies it had clearly set before asking, and diverted me to a Google page which, of course sets even more cookies, and throws up a typical Google-esque box demanding I agree or go into some extended q&a session. Ugh. Why do people still get this stuff so wrong?
I had reason to visit an information website today and caught sight of the cookie bar, helpfully placed at the bottom of the screen. One mark there for not having the usual almost-a-full-page cookie warning box. But it raises some interesting questions.
Consider the cookie bar:
Cookies, other than those which are genuinely necessary for the website to function, are only supposed to be set with informed consent. This means the user needs to understand what the cookies are doing and then give a positive indication that they accept that cookies will be set. Most websites now give choices as to what classes of cookie can be set and this is useful. But many, many websites still set unnecessary cookies before the user even gives consent. To my mind, the only cookie that should be set regardless is the one that records ones cookie choices. I would consider that to be strictly necessary given what it does. Tracking cookies are never necessary for a site to function, and classes of cookie that are strictly necessary really ought to be limited to those for which a website cannot function without – for example, shopping carts, and even then the shopping cart does not need to be in place when one first visits a website. If a site has been designed which cannot function without cookies and has no cart (or similar) functionality at that stage then I would strongly suggest the designer has got it badly wrong.
It seems that Google have fixed the rather useful feature, sorry, bug whereby if you browse to any Google site with cookies disabled it would throw up the cookie warning but clicking ‘I agree’ made that go away while not being able to actually set any cookies. Of course, the warning would come back on every visit but only one extra click needed and still no infernal cookies.
Now, the warning box does not clear when you click ‘I agree’ and so there is no way to run a Google search and refuse all cookies. Oh well, I’ve not actually used Google for some time now anyway. Duckduckgo FTW.
It is interesting to note that faults in software are generally classed (ok, mostly tongue-in-cheek) as features by the manufacturer but bugs by the users. Here, their bug was our feature, and was useful for a short while.
But surely this constitutes a cookie wall? I wonder… because those are generally outlawed.
Data retention – those laws requiring providers to retain communications metadata – has come under attack again from the CJEU. After a chain of legislation fell foul to data protection laws over the decades the latest and greatest Investigatory Powers Act is now on very thin ice.
The punchline in Case C‑623/17 was twofold. First, the court determined that “national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” falls under data protection legislation. And second, it found that the legislation precludes “national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”
Mind you, given the government’s actions of late including enacting legislation which is technically illegal, one wonders what difference it will make. Throwing Brexit into the mix may not actually help Them out here because unless changes are made this will greatly affect the UKs ability to transfer personal data as a third country to the EU. Perhaps Schrems, the destroyer of Safe Harbor and Privacy Shield will turn his attention on the UK!