hedora a day ago

> The GPC signal will be intended to communicate a Do Not Sell

So, there is no tracking opt-out like DNT had.

Do Not Sell is classic regulatory capture: It allows incumbent players to continue their current bad behavior, and directs revenue streams from smaller players (data brokers) to existing monopolies.

Also, this opt out won’t interfere with Mozilla’s recently acquired ad business, which uses user data to sell ad real estate (invading their privacy with obtrusive ads).

(Sorry for the awkward sentence, but they claim it is a privacy preserving technology that doesn’t gather or sell user data, and there’s no way to be doublespeak compliant without using tortured grammar.)

onli a day ago

The article ignores that the DNT header already had some regulatory backing, as in court decisions saying it ought to be respected. https://www.datev-magazin.de/nachrichten-steuern-recht/recht... references such a decision against LinkedIn.

Instead of using that, this new proposal seems to be exactly the same thing, just with more work for website hosters (having to add nonsensical files to /well_known/) and claims that this time, the regulatory backing will be good enough. Bullshit. They could have just tried to enforce the DNT header now, with the new regulations and the old case law. Instead they ripped it out of Firefox.

  • jeroenhd a day ago

    DNT failed because advertising and online stalking companies refused to abide by it when browsers enabled it by default. The GPC spec tries to work around this by having the spec disable the feature by default.

    This new spec is necessary because American legislation requires opt-out signals not to be the browser default. That means DNT, as browsers used it, is not legally an opt-out signal, because browsers default to it.

    What this is doing is throwing out the header that had legal backing in Europe for a slightly worse copy that hopefully has legal backing in America in the future.

    It's a silly specification, but if it gets companies to actually respect this iteration of the DNT spec then I'll accept it.

    As for DNT, Firefox may have removed it but addons can still set it. As useless as that may be, because the spec is marked as outright deprecated (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), you can still send the signal.

    • joker99 20 hours ago

      There are dozens of ways browser devs could make it default without making it default, by way of malicious compliance. Example: The first time the browser is opened, display a big fat page asking "DO YOU WANT TO BE TRACKED & SURVEILLED ON THE INTERNET??? NO (highlight in nice colour) / YES (add dark pattern here) / learn more (in tiny font)". Pretty sure most people would click "NO". Every couple of weeks it could pop up again with a similarly phrased question "ARE YOU SURE YOU STILL DON'T WANT TO BE TRACKED?" but this time with a nice UI element where the user can specify that the answer to this rhetorical question will stay the same for the next n days/months/years/decades/centuries/millennia.

    • inetknght a day ago

      > American legislation requires opt-out signals not to be the browser default

      Can you cite the legislation stating that?

    • salawat a day ago

      Allowing assholes to continue being assholes is the crux of the problem. Companies ignoring DNT on as a default should have been met with massive punitive fines and liability. Instead, we're not doing anything to curtail the behavior.

    • luckylion a day ago

      Wasn't this just Microsoft back in the day that enabled it by default, and they were already a small player at that point (Chrome was the leader and even Firefox had more market share back then, IIRC)?

      In other words: "browsers" didn't make it the default, one small browser did.

      And so if _any_ browser, whatever tiny percentage they might have of the market, will make this new proposal the default, advertisers can again say "see? totally unreasonable, we won't follow that".

      But it being made default by Microsoft was never the problem, ad-companies just didn't care.

      • pseudalopex 12 hours ago

        Internet Explorer's market share was a little more to a little less than Chrome's in mid 2012. It was the only significant browser to enable Do Not Track by default as far as I know.

        Advertisers wouldn't have cared until laws forced them to care. Microsoft enabling it by default ensured there would be no laws.

colingauvin a day ago

I was pleasantly surprised to learn that my state passed a law requiring businesses that serve 50k or more residents here to respect this setting and opt me out of tracking by default.

greatgib a day ago

Do I understand correctly that this means that browsers will have to do yet another useless request to domains or websites to know the GPC status, in addition to the requests required to retrieve the resources? In addition to the OPTIONS requests that already have to be done?

  • jeroenhd a day ago

    OPTIONS isn't always necessary; there are ways to prevent those requests.

    Also, the GPC request will probably only be sent when you enable GPC, which basically means "almost nobody".

casenmgreen a day ago

Any takes on this from someone who knows about it?

  • anticristi a day ago

    I work as a Data Protection Officer, which is a legal role under GDPR, and am rather unimpressed by GPC. I could whine for a day, but among the most problematic issues: It's not clear if "Sec-GPC: 0" should be interpreted as:

    1. "no" to collect personal data under GDPR consent; or
    2. "objection" to collect personal data under GDPR legitimate interest; or
    3. "no" to retrieving and storing data on a user device (e.g. cookies, localStorage); or
    4. A linear combination of the above.

    Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button. No need for browser vendors to propose a standard which at least one browser vendor can't be bothered to implement.

    • jeroenhd a day ago

      "Sec-GPC: 0" is invalid. The value can only be 1, and that explicitly cannot be changed in the future according to the spec.

      This makes GPC a flag that means "unknown" or "opt-out". There is no "please share my data with your newsletter company" value, there can only be "do whatever the default is for sharing my data with any company you partner with".
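The two comments above (what "Sec-GPC: 0" would mean, and the answer that only "1" is a defined value) are easy to get wrong on the receiving side. The following is an added example, not code from the thread or from the GPC project, showing how a site might parse the header strictly: exactly "1" means opt-out, and anything else (absent, "0", "true") means "no signal", which falls back to the site's own default rather than being read as an opt-in. The `site_default_shares` parameter and the sample request headers are constructed for this example.

```python
"""Strict server-side parsing of the Sec-GPC request header.

Added example; not code from the original thread or the GPC project.
It models the point made in the discussion: the header is a unary signal
whose only defined value is "1". Anything else (absent header, "0", "true",
"yes") is treated as "no signal", never as an opt-in.
"""
from enum import Enum
from typing import Mapping


class GpcState(Enum):
    OPT_OUT = "opt-out"    # Sec-GPC: 1 received
    UNKNOWN = "unknown"    # header absent or carrying an undefined value


def parse_sec_gpc(headers: Mapping[str, str]) -> GpcState:
    """Return OPT_OUT only for a Sec-GPC field whose value is exactly "1"."""
    # HTTP header names are case-insensitive, so accept any spelling
    # (a forward proxy may inject it as "sec-gpc", a browser as "Sec-GPC").
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            # Only the token "1" is defined. Surrounding whitespace is
            # tolerated because HTTP permits it around field values.
            return GpcState.OPT_OUT if value.strip() == "1" else GpcState.UNKNOWN
    return GpcState.UNKNOWN


def may_share_with_partners(headers: Mapping[str, str], site_default_shares: bool) -> bool:
    """Decide whether data from this request may go to third parties.

    `site_default_shares` (a constructed parameter for this example) is the
    site's own policy when no signal is present. An opt-out always wins; the
    absence of a valid signal falls back to the default, which is the
    "do whatever the default is" case described in the thread.
    """
    if parse_sec_gpc(headers) is GpcState.OPT_OUT:
        return False
    return site_default_shares


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "browser_gpc_on": {"Host": "example.test", "Sec-GPC": "1"},
    "lowercase_proxy": {"host": "example.test", "sec-gpc": "1"},
    "invalid_zero": {"Host": "example.test", "Sec-GPC": "0"},
    "invalid_true": {"Host": "example.test", "Sec-GPC": "true"},
    "no_header": {"Host": "example.test"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        state = parse_sec_gpc(hdrs).value
        share = may_share_with_partners(hdrs, site_default_shares=True)
        print(f"{label:16} -> {state:8} share_by_default={share}")
```

The point of routing every decision through `parse_sec_gpc` is that an invalid value can never be logged or acted on as "the user consented": the only two outcomes are "opted out" and "we know nothing".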

    • andreasmetsala 20 hours ago

      > Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button.

      Personally I’m tired of cookie pop-ups on websites; a reject all button does nothing to solve the actual problem. If a user's browser can somehow communicate the preference so we don’t need to click on pointless stuff, then wouldn’t that be optimal?

roenxi a day ago

> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.

This sounds like an attempt to regulate the entire internet.

  • drpossum a day ago

    So how do you refer to all the other stuff that is accepted as "the internet" but is not websites?

    • roenxi 9 hours ago

      ... the internet? I get the impression you're trying to ask something that you haven't articulated. I don't know why it'd be assumed that this approach will stop at websites.

  • whatshisface a day ago

    It's just an extension of copyright, which already regulates the entire internet. You should have the copyright over your mouse clicks, plus 100 years after the death of the author.

    • throw10920 a day ago

      How is GPC an extension of copyright?

      • whatshisface a day ago

        Laws for GPC are an extension of copyright, which prevents companies from selling works that (in theory) belong to us.

  • pessimizer a day ago

    Ideally it would be an attempt to regulate more than that. If I've set a flag that indicates a preference about the use of my personal information that I have some legal right to demand, I want it enforced. You don't get to ignore my request because internet.

  • IshKebab 21 hours ago

    It's no more regulation than GDPR. They're just trying to make GDPR less insanely annoying.

    But given the EU's track record I give this a 0.1% chance of success.

1vuio0pswjnm7 a day ago

For a while now I have been adding a "sec-gpc: 1" header in the forward proxy (client/browser agnostic). Thus, at least one person is using it.

  • JimDabell 21 hours ago

    Unfortunately because this is rare, it’s a strong signal for fingerprinting and helps people track you without your consent.

  • 1vuio0pswjnm7 19 hours ago

    Maybe I can use the GPC header as a way to let advertisers track and target me with exciting offers. Perhaps they can create a "fingerprint" from the three headers I send: Host+Connection+GPC, as I request web pages with netcat or tcpclient through a localhost-bound TLS forward proxy. I use these clients on a daily basis for making HTTP requests. I read HTML with a text-only browser. I do not use DNS when requesting www pages. The needed IP addresses are stored in the proxy's memory. For some reason I never see any ads.

    Unfortunately, the sec-gpc header does not seem to be working, as I have not received any advertisements since I started using it. Perhaps I have to manually request the ads and send the telemetry since I am not using a browser that auto-loads resources or runs JavaScript. Maybe I need to put the IP addresses for the tracking and ad servers into the proxy's memory.

    Meanwhile, I am missing out on whatever products, services and campaign drivel the advertisers might show to people who use netcat/tcpclient and send only three HTTP headers. No doubt all the online merchants using text-only e-commerce platforms must target some amazing offers to all the online shoppers using netcat/tcpclient.^1 Someday maybe I too can receive them.

    1. IIRC, funnily enough, there is a commandline "e-commerce solution", i.e., online store, that has been shared on HN before, perhaps as a joke.

JimDabell a day ago

I don’t think this article does a good job of explaining what this achieves.

> Web users want to have more autonomy over their data. They want to know who has it, where it's going and why, and they want to be able to consent to how their data moves between parties.

> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.

Okay, so assuming a user has this enabled in their browser settings, and they register on a website. They tick the box that says “Add me to your mailing list”.

Common sense would indicate that ticking the box overrides the browser setting. So I can share their details with my mail service provider. So by default opt-out and asking for their permission to opt-in is compatible with this setting, right?

Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

Also, how does this tell the user “who has it, where it's going and why”? All I see is a boolean flag.

> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA. There are also intentions to work with the European Union's GDPR

By default opt-out and asking for their permission is already required by the GDPR, so what is being worked on here exactly?

  • jeroenhd a day ago

    > Common sense would indicate that ticking of the box overrides the browser setting

    In theory, the /.well-known/ file could have its timestamp updated to reflect to the browser that the situation has changed and the user may perhaps need to make another choice. In practice, every website with trackers will just always pretend things have changed and browser controls will be useless.

    > Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

    This is why I prefer what Microsoft attempted to do with P3P instead. Of course no website ever bothered implementing it, but Microsoft came up with a protocol to at least list and display privacy policies for every partner website.

    If browsers came with UI to manage which trackers the user accepts by default, with specific website overrides of course, this mechanism could be extended to in-browser privacy popups that can have their defaults be "no, fuck off" without the ambiguity.

    The protocol could even be extended to permit the website to request changing the sharing setting, for instance when you sign up for a newsletter. As long as the UI is gatekept enough (say, once per x minutes after user interaction, up to y parties at once, otherwise the notification will be a little icon in the URL bar), it might just automate away the entire cookie popups.

    Of course you'd need to convince the EU and California to declare these protocols as mandatory, but I think that's going to be a lot easier with a protocol where users have more choice than with this unary GPC header.
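The comment above floats the idea that a site's /.well-known/ file could carry a timestamp so a browser can tell when the sharing situation changed. As an added example (not code from the thread or from the GPC project), here is how a site could publish that resource and how a client could apply a "re-ask only if the policy changed after my last choice" rule. It assumes the well-known document is `/.well-known/gpc.json` with a boolean `gpc` field and a `lastUpdate` date in YYYY-MM-DD form, as in the GPC draft; the refresh rule itself is this example's own construction, and the sample documents and dates are constructed.

```python
"""Publishing and checking /.well-known/gpc.json.

Added example, not code from the thread or the GPC project. Assumes the
well-known resource from the GPC draft: a JSON object with a boolean "gpc"
(does the site honour the signal) and a "lastUpdate" date (YYYY-MM-DD).
The "re-prompt when lastUpdate moves" rule models the idea discussed in the
thread and is this example's own construction, not spec behaviour.
"""
import json
from datetime import date
from typing import Tuple


def build_gpc_json(honours_gpc: bool, last_update: date) -> str:
    """Serialise the document a site would serve at /.well-known/gpc.json."""
    return json.dumps({"gpc": honours_gpc, "lastUpdate": last_update.isoformat()})


def parse_gpc_json(text: str) -> Tuple[bool, date]:
    """Parse and validate a fetched gpc.json; raise ValueError on anything malformed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("gpc"), bool):
        raise ValueError('"gpc" must be a JSON boolean')
    raw = doc.get("lastUpdate")
    if not isinstance(raw, str):
        raise ValueError('"lastUpdate" must be a string')
    # date.fromisoformat accepts YYYY-MM-DD and rejects free-form text.
    return doc["gpc"], date.fromisoformat(raw)


def choice_needs_refresh(doc_text: str, user_choice_made: date) -> bool:
    """Hypothetical client rule: re-ask the user only when the site's policy
    was updated after the user last recorded a choice.

    A document that fails validation counts as "nothing changed", so a
    deliberately broken or ever-changing file cannot be used to nag the user
    into a new choice (the failure mode the thread worries about).
    """
    try:
        _honours, last_update = parse_gpc_json(doc_text)
    except ValueError:
        return False
    return last_update > user_choice_made


# Constructed sample data (not fetched from any real site).
SITE_DOC_OLD = build_gpc_json(True, date(2024, 3, 1))
SITE_DOC_NEW = build_gpc_json(True, date(2024, 6, 1))
USER_CHOSE_ON = date(2024, 5, 20)

if __name__ == "__main__":
    print("served document:", SITE_DOC_OLD)
    print("policy older than choice -> refresh?", choice_needs_refresh(SITE_DOC_OLD, USER_CHOSE_ON))
    print("policy newer than choice -> refresh?", choice_needs_refresh(SITE_DOC_NEW, USER_CHOSE_ON))
    print("garbage document          -> refresh?", choice_needs_refresh("not json", USER_CHOSE_ON))
```

Treating a malformed document as "no change" is a deliberate fail-closed choice for the user's attention: the only way a site can trigger a re-prompt is to publish a well-formed file with a genuinely newer date, which is also the thing an auditor can check.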

  • prerok a day ago

    What I think they will do is just prevent you from registering? You want to register? Disable the flag.

    The same as with the "do not accept". If you do not, they will nag you endlessly until you finally do allow the cookies.

    I mean, we just can't win :(

nimbius a day ago

These web frameworks for privacy always give me a chuckle. DNT didn't work, why would this?

Advertising is an economy worth more than 7.4 trillion USD. It has evaded most attempts to regulate or restrict it in any meaningful sense in the 21st century. The GDPR serving as a bureaucratic organ to which advertisers must subscribe, or quietly ignore with all but the most modest and encumbered window dressings for the illusion of choice by the user.

You cannot restrict, limit, control, or meaningfully impact a 7.4 trillion dollar economy with a voluntary framework. This market rivals the GDP of many developed nations. It will simply spend its way out of any legal problem. There exists no fine that can tame it.

The only thing you can reasonably do in the face of something that evades even governments themselves is to ship a built-in version of uBlock and NoScript, and a blacklist of advertising provider DNS, that is enabled by default for the user. Make cookies whitelist-only, and make counter-fingerprinting technology default.

You must do things that cause marketing and advertising agencies, as an organism, to recoil in terror. DoH is a good example, which rallied nearly every telecom provider in the US to lobby the federal government until Mozilla and others acquiesced to letting them join the club.

  • jeroenhd a day ago

    If the CCPA does indeed interpret this as an opt-out signal, those 7.4 trillion are going to be at risk of a whole lot of (class action) lawsuits. The spec is trying to make itself applicable as an official, regulated signal. DNT couldn't, because Colorado (or more likely, a large donation by those 7.4 trillion dollars) decided that an opt-out cannot be the default.

    The stupidest thing is that Google actually got in trouble for trying to restrict third party cookies by default. The UK competition watchdog agreed with advertising companies that Google making such a decision would be abuse of power and bad for competition. That's why they came up with this weird alternative ad system where your browser tracks your interests and shares them in request, so that ad companies can shut the fuck up about it.

    Once Google is forced to sell Chrome to a third party, I hope third party cookies will finally be disabled by default.

    • tbrownaw a day ago

      > because Colorado (or more likely, a large donation by those 7.4 trillion dollars) decided that an opt-out cannot be the default.

      A setting left at the default value does not indicate that a person has taken action to express a preference.

      It's not a bad thing, or proof of bribery or regulatory capture or whatever, if some jurisdictions decide to formally recognize this reality.

      > The stupidest thing is that Google actually got in trouble for trying to restrict third party cookies by default. The UK competition watchdog agreed with advertising companies that Google making such a decision would be abuse of power and bad for competition.

      From what I recall, Google was trying to grant themselves a unique privileged position where Google and Google alone would be able to track individuals across sites.

TZubiri a day ago

I'm an absolute outsider to this; I use Edge and would use Chrome if need be.

It seems to me like Mozilla appeals to paranoid users who don't pay for software and also don't want to see ads, and in exchange insane demands and revolt are placed upon them.

One thing you learn when providing services is that the demands don't ever stop. The more you provide for free, the more demands you get.

Would not want to be in this space, let's normalize paying for software, then you wouldn't need to worry about alternative monetization schemes.

  • recursivecaveat 16 hours ago

    Tracking is not synonymous with ads. Advertising was big business back when you had to just put a jingle on the airwaves or paint a billboard and trust that the right demographic would happen on it. It is plenty possible to display ads and make money from them without invasive tracking; for example, DuckDuckGo does so. On the other hand, if you do not fight tracking, paying for the service is no defense: they will just double-dip every time, triple-dip if they think they can slot ads in.

  • throw10920 a day ago

    I don't think that Mozilla is saying you should provide service for free. If GPC is turned on, the website can just pop up a paywall, no?

weare138 a day ago

This article is intentionally misleading:

> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.

> ....

> What to do when receiving a GPC signal

> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.

So what's the difference? Without regulations, which is the real issue here, all this is meaningless just like DNT was. The system is solely based on trusting the site to comply. CCPA only applies in Europe. None of this would apply to users in the US but the article disingenuously implies it would:

> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA

That is not legally binding in any way. This is just DNT with extra steps being sold as something it's not. I fail to see how this will benefit the user while making it harder for users to block trackers and advertisers. A site can't prevent you from blocking its cookies because cookies are stored locally through the context of the browser. Sites can't prevent users from blocking, deleting or modifying cookies.

But GPC signals are sent via HTTP headers. Sites could prevent users from accessing the site by detecting if GPC is disabled by the user in the browser just by checking the HTTP headers, forcing users into sharing information with the site to be allowed to access the site.

jm4rc05 a day ago

In an era when Google and OpenAI ask to circumvent copyrights, what’s the point?

  • fmajid a day ago

    The point is you’d have one browser setting that would make all the obnoxious cookie consent pop-ups disappear. Making laws is one thing, enforcing them is another, however.

    • broken-kebab a day ago

      I think cookie consent is a different story. GPC would mean: "Under the GDPR, the intent of the GPC signal is to convey a general request that data controllers limit the sale or sharing of the user's personal data to other data controllers".

      It doesn't preclude a website from storing cookies, and therefore doesn't relieve it from the obligation (at least in the EU) to show an obnoxious popup.

      • bad_user a day ago

        Under ePrivacy, websites only need to show a cookie banner when they are doing spyware shit. There are exceptions to this, but generally speaking you don't need a cookie banner for functionality that the user expects. As one example, you don't need a cookie banner for a login cookie or for storing the user's preferences.

        While the law has flaws, it's very frustrating to see people misinterpret it, instead of reaching the correct conclusion that the vast majority of websites are spyware. And that it's not the EU's law that is to blame, but rather standard internet practices related to analytics and the serving of ads.

    • jm4rc05 a day ago

      And Google’s Chrome will never ever ignore blocking its own cookies, at least while they can.