Categories
Cookies and tracking

Another Google cookie change

I keep all cookies blocked on the phone unless I actually need to visit a site that uses them for a purpose that I decide is required, e.g. a login function. Even then, after I have finished and while still on whatever website it was I block cookies again and delete all web content (the iPhone option, YMMV).

Not long ago things changed at Google making it impossible to access unless cookies were enabled. I reported this at https://jmh.one/index.php/2020/10/30/google-learns/. Now this seems to have been reversed and once again I find I can visit Google and the cookie warning / acceptance box appears and then vanishes. For a while now I’ve been using Duckduckgo for web searches but the Google cookie-wall-box did prevent me accessing YouTube for a while. So it’s rather handy that the cookie-wall-box has somehow changed back to performing it’s useful vanishing trick.

Of course, this may all be unrelated to Google, or perhaps I am hitting a different node now and there are configuration differences, who knows. But it’s a useful feature/bug nonetheless.

Categories
Cookies and tracking Website whinging

Cookie madness

Just came across a website that takes the biscuit (or cookie in this case). It first threw up a box asking if it can set cookies with two options, agree or refuse. I refused. It then indicated it was deleting the cookies it had clearly set before asking, and diverted me to a Google page which, of course sets even more cookies, and throws up a typical Google-esque box demanding I agree or go into some extended q&a session. Ugh. Why do people still get this stuff so wrong?

Categories
Cookies and tracking Website whinging

Cookie bar confusion

I had reason to visit an information website today and caught sight of the cookie bar, helpfully placed at the bottom of the screen. One mark there for not having the usual almost-a-full-page cookie warning box. But it raises some interesting questions.

Consider the cookie bar:

Ok. Teasing that statement out logically, if one does nothing at all then one would surely not expect any cookies to be set. Well, six are, two of which are Google cookies and considered to be trackers. This is poor. If one clicks anywhere or clicks the Accept button then yes, cookies are set. Personally I do not agree with the ‘clicking into the content’ part and it raises a further question. If one is to determine what types of cookie to accept then it is necessary to click on the ‘cookie settings’ or the ‘cookie policy’. These are part of the same website and are thus part of the content. So, does clicking on either of these – a necessary function before one accepts cookies – constitute ‘clicking into the content’?

The cookie policy itself lists several Google cookies as strictly necessary. Personally, I would disagree with that as I am sure others would agree.

Cookies, other than those which are genuinely necessary for the website to function, are only supposed to be set with informed consent. This means the user needs to understand what the cookies are doing and then give a positive indication that they accept that cookies will be set. Most websites now give choices as to what classes of cookie can be set and this is useful. But many, many websites still set unnecessary cookies before the user even gives consent. To my mind, the only cookie that should be set regardless is the one that records ones cookie choices. I would consider that to be strictly necessary given what it does. Tracking cookies are never necessary for a site to function, and classes of cookie that are strictly necessary really ought to be limited to those for which a website cannot function without – for example, shopping carts, and even then the shopping cart does not need to be in place when one first visits a website. If a site has been designed which cannot function without cookies and has no cart (or similar) functionality at that stage then I would strongly suggest the designer has got it badly wrong.

Categories
Cookies and tracking

Google learns…

It seems that Google have fixed the rather useful feature, sorry, bug whereby if you browse to any Google site with cookies disabled it would throw up the cookie warning but clicking ‘I agree’ made that go away while not being able to actually set any cookies. Of course, the warning would come back on every visit but only one extra click needed and still no infernal cookies.

Now, the warning box does not clear when you click ‘I agree’ and so there is no way to run a Google search and refuse all cookies. Oh well, I’ve not actually used Google for some time now anyway. Duckduckgo FTW.

It is interesting to note that faults in software are generally classed (ok, mostly tongue-in-cheek) as features by the manufacturer but bugs by the users. Here, their bug was our feature, and was useful for a short while.

But surely this constitutes a cookie wall? I wonder… because those are generally outlawed.

Categories
Cookies and tracking Website whinging

Cookie consent box strangeness

Just recently I noticed that Google has changed the way the cookie consent reminder works. In the past it used to count down and then attempt to force you into the consent process but clearing the cookies reset this. Now there is no way past. I’ve not used Google for searches for some time now but Google Maps is handy sometimes. The iPhone app does not do this so presumably that has some other consent mechanism.

Dilbert, which I always visit daily has also started now to throw up a consent screen that one cannot get past. I wonder if these are both as a result of Schrems II. I have not checked what Google set but the Dilbert website sets 17 cookies while asking for consent to set cookies. As I use a cookie cruncher on the Mac that deletes cookies that I have not flagged as wanted every minute this is a minor issue and I always now clear cookies before visiting other websites to avoid them tracking me across sites.

On the iPhone I have all cookies blocked and so clicking on any ‘accept’ button makes no difference but does usually get past the screens. Google is interesting though because here, Google pops up the consent screen and it them immediately vanishes. I expect that will be ‘fixed’ soon though.

Categories
Cookies and tracking

Cookies – the good, the bad and the mouldy…

We are now several years into the changes in law which became known as the cookie law. Since then, the EU has enacted the GDPR which has added some urgency to ensuring that websites are compliant in the area of cookies and other stored information such as pixel trackers. The GDPR confirmed the consent requirements and national data protection organisations are taking an increasing interest in this area.

The basic requirements are that websites gain informed consent before storing cookies unless those cookies are what is termed ‘strictly necessary’. These strictly necessary cookies include those set in order to provide a service that the user specifically requested, for example to log into a website or carry out functions associated with shopping carts. It clearly does not include analytics cookies or the plethora of advertising and marketing cookies. Website designers may argue that their website will not function without cookies and where that functionality is a shopping cart I would agree. However, if the functionality in question is so the website can remember my shoe size this is not strictly necessary and I would expect to have to give my informed consent before such a cookie is stored.

Informed consent is key. It means that the user must be informed of why a cookie is being set and must then consent to it being set. And there’s the thing – I can permit the website to set cookies and consent to those cookies being set by advertisers such that they are also accessible to other websites, but I should not be forced to do so, I should understand what it means, and it should not be automatic. One may argue here that five pages of legalese indicating why a cookie is set is not a particularly valid way to inform the user.

There is also the issue of pre-checked options although this is lessened if there is a ‘reject all’ button as some websites have. Websites should not use pre-checked consent boxes but there is give and take here, in particular where the user can actively refuse cookies. However, to take the letter of the law the practice is not legal and you must not use pre-checked boxes in this way.

Cookies in the real world?

If I look at a product in a shop and an assistant comes to me and tells me there is an alternative, or better product then that presents me with no issue. However, if I then go to a different shop I do not expect someone to then show me products like the ones I just viewed in the first shop unless I specifically ask. And there is the difference, I can chose to ask or not. So why are tracking cookies any different?

And I certainly do not expect to go into a newsagents and pick up a paper only to have 33 sticky notes stuck on me from 33 other papers, each saying I do not want them to send me anything. Mind you, I don’t buy newspapers…

You must comply

This brings us to the question of cookie walls. Here, a website forces you to agree to their cookie policy before you can even see the website. In my opinion any such website should simply be ignored. Why, for example should I need to consent to it storing cookies just so I can see their email address or other contact details?

And I do object when I find a website that offers me a choice of some 400 advertising partners and lets me deselect each one, one by one. It’s far easier to just visit some other website. And let’s not get into discussion over the numerous websites which have a privacy and cookie notice hosted on some other website at a completely different URL which also sets its own cookies! One particularly famous website gave me a large privacy notice that I could not get past without either accepting or drilling down through layers of options. It was somewhat amusing to count over 400 partner sites that may get my data, and also drilling down further I got to a different, presumably parent website at a completely different URL. Needless to say this was an example of a US website.

Obfuscated messages

It is not always obvious how one even deselects cookies when consenting. The use of graphical sliders to allow or refuse cookies may be obvious when it is visually clear that green is go and red is not. So why do some websites chose shades of grey, and others just have a black slider with no indication of which way is off? This is not rocket science. Some websites use a simple tick box – surely that is sufficient? Can you imagine the problems in a fast food outlet where you end up with a spicy burger and a sugar laden drink because the options for ‘not spicy’ and ‘diet free’ were just black balls on a grey background?

Fighting back

So, to recap, cookies which are strictly necessary can be set by a website without consent when you visit it but these are a tightly defined subset of cookies which are actually necessary for a website to do what you want, not what it wants. Any other cookie must only be set once the user has given their informed consent. Cookies which store one’s choice here can be accepted as strictly necessary. Thus, a website storing a cookie to save your cookie choices for that website is ok as it is associated with you actually requesting something.

However, some websites, particularly media types take this to mean it is ok for each and every one of their partner sites to also set a cookie to save your choice. To me this is its bad programming – why are you causing my browser to visit each of your partner websites in order for each one to then store a cookie saying I do not want you to send me cookies from them? One newspaper website I visited and immediately selected ‘reject all’ on its cookie notice caused 33 individual cookies to be set.

It is sometimes amusing watching websites fail miserably when cookies are disabled in the browser. Some throw you off and demand you allow cookies, some struggle, some have no issues at all. I found one that displays nothing and constantly reloads itself trying to set a cookie. I suspect someone got their cookie sensing code a bit wrong there.

It is less amusing to struggle through a website’s cookie notice and deselect everything only then to be told I can get no further because I use an ad blocker. But wait, if the ad blocker checker is cookie based and I deselected cookies how come it even works?

Remember that tracking cookies are no use if they are not available when you visit other websites. So, for example you visit website A and you have no cookies set at all. Website A sets a tracking cookie served by website C. You then visit website B and it can read the tracking cookie set by website A and thus data about you can be transferred. But if you delete the cookie before you visit website B then that website cannot know. This is oversimplified but essentially is how you end up stalked by adverts.

Personally, I address this in a specific way. Cookies are always turned off on my phone. Yes, it means there are some things I cannot do because they require me to log in, but if I absolutely have to use the phone for those then I can quickly turn cookies back on, do the work, then delete the cookies. On the laptop I now use an app which allows me to chose what cookies I want to keep from each website I use. So, for example I can allow any login function cookies for the various web-based forums I visit. The app is set to delete any unwanted cookies after a minute or there is a button to delete immediately. Using this, I can visit a website and delete all its cookies right away. Of course, this is personal preference and suits me because I have always been security conscious. And other browsers have other mechanisms. I do recommend that you investigate something which suits you. I would also recommend that you take a look at what cookies your browser has stored, you’ll probably be amazed!

It’s not all bad news. There are some really well thought out websites out there. An example is where a website has a very simple line at the bottom, with cooke options not pre-checked and a button to accept or otherwise. Many, many websites run by organisations with insane amounts of money (and therefore buying power when it comes to website design) could learn from this.

Chocolate chip anyone?

Categories
Cookies and tracking

Awful cookie consent pages…

There’s an interesting mixture of cookie consent pages and functions these days, ranging from one nice site I saw that had defaulted to ‘none’, to those that seem to want you to opt out individually to over 400 advertising cookies, with quite a few of those requiring you to go and find the advertiser in question to opt out. I just saw one which has the usual half-page banner that only gives an option to accept all cookies, but hidden (in plain sight) is a link that takes you to a consent page. This page does nothing that wanting you to consent to all cookies but, if you try hard enough it tells you how you can opt out – by visiting some advertising agency cookie control site. Er, no, that’s not how it should be done.

I wonder if anyone (other than me) actually bothers to complain to whatever agency is even listening about these stupid practices!