JMH ⁽⁹⁾

Elements of my alma mater recently decided to dump Twitter (X) because the values of that social platform have diverged significantly from what the academic institution can tolerate. I suspect numerous other organsations will folow suit. EDRI announced it today and suggest we follow them on Mastodon which I already do. As to Meta, well, there is plenty of press on that and I suspect there will be too on Trump's declaration in endign federal censorship (of social media sites). Let's see what happens next! Personally, and this is purely personal choice really, I escaped from Facebook over a year ago after first deleting all my content on there. I did the same with Instagram. I kept Whatsapp because of all the contacts and groups there. I have WeChat for Chinese friends, and now I am also on Xiaohongshu as well as (still) Tiktok. I left Twitter maybe two years ago, and I left LinkedIn because it held no relevance once I retired. My reasons are varied. For example, I had no issue with LinkedIn, it's just that it is no longer useful to me. As to Facebook, I also have their domains blocked on my Mac via the hosts file after I noticed that despite me leaving I kept on getting thier cookies. On Twitter I had abiut 6 tweets ever, so I simply never used it. YMMV as they say.

So, here we are, waiting for the US Tiktok ban to either take place or not, apparently with droves of US users abandoning ship and running to what has become known as Red Note - actually Little Red Book / Xiaohongshu. It is really rather interesting to see just how many people simply click away the terms given they are in Chinese. One person reported by the BBC was worried about accepting the terms unseen but did so anyway (sorry, can't find the article now - will edit later!). Update: And there we are. The US Supreme Court has upheld the ban. I do like this from the judgement regarding the data collection practices of Tiktok: "the House Report focuses overwhelmingly on the Government’s data collection concerns" (1). Remember Snowden? Pot kettle black. (Note there is a lot more reading in the judgement that my ramblings here... it deserves proper analysis and I'm sure others will do so) (1) https://www.supremecourt.gov/opinions/24pdf/24-656_ca7d.pdf at p.18

There seems to be an increasing number of websites now that are finally coming round to the act that they should not set cookies unless the user accepts them. They do this by having an Accept / Reject button which is great and fulfils the requirement nicely. On visiting the site one can simply press Reject All or whatever and then no cookies should be set other than those classed as strictly necessary. True, there are still many websites whose designers falsely consider that advertising cookies are strictly necessary but many websites are now far more compliant than they were a few years ago. However, not being too negative on thise conforming websites but does anyone actually check the number of users clicking Accept vs Reject? That kind of information, which can of course be collected entirely anonymously (developers please note!) would be most useful. It occurs to me - and I can't be the only one - that if a website clearly gives the choice to reject all these cookies and still functions without, then if people are generally rejecting them why do they even need them. It would be far nicer if these websites simply did not use those cookies in the first place.

(this is an update of a previous post) Ad blockers work well on PCs and other things, smartphones included. But what about your TV? Some time ago our Samsung SmartTV had a software update after which it started displaying rather infuriating adverts in the TV guide. It has shown ads before in the list of apps and things but not in the guide. And in a glaring colour scheme too so it really stood out. I tried blocking various domains via the broadband router as was suggested in forums, but this was not successful. privacy settings at that time also offered little hope. On that particular subject, the privacy settings on the TV were set in a way to trip one up in my opinion. One could de-select advertising partners one by one (they are all on by default and there is no global turn-off option) but if one strayed outside the box or clicked the wrong thing the whole process was abandoned. And on entry to the options ‘Allow all’ was preselected. there are hundreds of advertising partners too. Consent was confusing as well. The list seemed to suggest that consent had been given but on entry to that section it was then possible consent, the unticked box presumably meaning consent had not been given (nor would it have been!) The TV was not a cheap model and I really did not expect advertising in this way. In the end I installed pi-hole which 'cured' the advertising issue in the TV guide. It is interesting to note that the default block list that comes with pi-hole included all the relevant Samsung domains so no other settings were required in order to achieve this aim.

A well known supermarket-attached clothing website has a privacy notice apparently powered by OneTrust. It gives the usual cookie choices where one can deny certain classes of cookie. On the positive side of things the selections are off by default. Good. But that’s where the positive ends… Certain cookie classes cannot be switched off – they are ‘always active’. These include data which: Now ok I’ve lumped them all together as displayed and not all are definitely evil at first glance. But let’s tease the evil out a little… Monitoring for the prevention of fraud is fine but it is not saying how. Does it mean that my data will be sent somewhere for fraud checks? Now, that may still be acceptable but it really needs to say. Sending and receiving information for advertising purposes. Ok, this is a big no. They can’t do that with no way to switch it off, no matter how much they want to. Cookies used for this can never be classed as strictly necessary. Combining my data with offline sources – again, what on earth is their plan here, tell me. The same goes for distinguishing my device from others. Do they even know how most home broadband routers work? Are they going further than just the IP address, which would be common across a household, or are they suggesting browser profiling? If the latter, stop it. In any event I browse this particular vendor in private mode with my cookie cruncher running so good luck with that!

I came across a website a couple of days ago that has the usual, rather useless cookie notice generated as the site claims several times by some random cookie policy generator. Ok so it has the usual three options, accept, decline, or see more information. But I was rather surprised that clicking ‘decline’ threw me to Google which then wanted me to agree to it’s own cookies. Not a good start. On further analysis, the ‘decline’ button URL is… Google.com! Big fail. The cookie notice itself is the usual waffle and on the positive side, if there is one, it does tell you all the evil it committing. In one section it does state that the third party cookie being set lasts forever and is used to track your cross the whole of the web. Of course, it has set all the cookies before you even agree. Fail number 2. In all the site sets 32 cookies, 8 of which are third party; and it causes your browser to make over 200 requests to nearly 60 different IP addresses. And the cookie policy generator they used? It has a short disclaimer basically saying they’ve no real idea what they are doing and only provide the generated cookie notice for informational purposes. Ugh. No, I'm not going to give the URL, and anyway I forgot about it ages ago the website was so useless...

When browsing to a website that site may set cookies for itself or third party cookies. I am not delving into this here, suffice to say that third party cookies are generally considered the ones to avoid at all cost. But how do you know what cookies are being set? I use three different browsers across the systems I use personally. Safari on my iPhone usually has cookies disabled completely. I use Safari and Brave on the Mac. On my Linux PC I use Firefox with not specific settings but set to delete cookies on exit. And on my Windows PC I use a mixture of Firefox and Brave, but I rarely use this system to browse websites other than a select few that I use regularly. This works for me, but generally speaking is not a good solution for ‘the many’ because things will break. So… Safari on the Mac tells me what trackers have been prevented from profiling me. Brave has a similar function. A comic website that I used to browse daily sets 17 cookies regardless of whether I reject or accept them. Enter a website that I discovered today while reviewing content on the excellent noyb.eu. https://webbkoll.dataskydd.net/en The code behind this website analyses websites and shows all sorts of things including cookies set, and also requests made to other servers – when you browse to a website very often that site causes your browser to visit other sites for parts of the whole, media and imagery for example. One must remember it is not the website you visit doing this, it is that website causing your browser to do it. The webbkoll website teases all of this out and displays it for you to see. I was rather surprised to note that webbkoll finds 53 cookies at the comic website! That may in part be because Safari genuinely blocks some, but to get down to 17 from 53 this is quote a lot. Webbkoll details them all too. Webbkoll is definitely another very useful tool when trying to figure out what a given website is trying to do.

No, not statistics in itself. The problem I am writing about is website statistics, and it started a long time ago. Back in the day we simply used web server logs to analyse website traffic. One could see an incoming IP address and see where the associated browser went in the website. This worked well back then as websites were simple affairs and essentially all one big lump. Of course, this was an era when web servers were run almost in the spare time of those few IT (and indeed non-IT) that had any interest in the web. Back then I was not in the central IT team but I was afforded some latitude for experimenting with new things, especially when redundant hardware could be used. It was 1992 and the IMG tag was still in the realm of fantasy. Later, there were two open source packages that became very popular, one called Analog and the other Linklint. The former produced statistics about website visitors and the latter could be used to check for errors, missing pages for example. Analog could, when provided with valid data estimate which countries visitors were coming from, very useful when your organisation markets itself globally. Of course, the marketeers desired more. I was once asked to find out where everyone who only looked at our home page went next. Ok, where they visited another of our own web servers this was do-able, but the question was expanded to ask which of our competitors they visited next. This was new thinking, by which I mean thinking that one could not associate with any other media. For example, if the publisher of one newspaper wanted to know which other newspaper a person took after only glancing at their own it would need some form of physical surveillance, or perhaps a questionnaire. Neither would be particularly reliable, the questionnaire in particular. Enter, stage left, Google Analytics. I had attended a launch event – well of a sort anyway – where a new product was described which would enable one to search all across the web. The name? Google. We had rudimentary search products by this time but nothing like what was being described. Bells were ringing, but rather quietly. I think we could see back then that all of a sudden content has value, just not to us. But, Google search aside we later got wind of Google Analytics ad the bells got louder amongst those of us who could already see future issues. Google Analytics arrived with two quite major advantages. First, IT people no longer had to do anything, and second, the marketeers would have access to easy to understand graphs. But those of us who had this nagging voice about global surveillance and the fact that a corporate entity would effectively have access to data indicating where everyone browsed were ignored. Fast forward to the later times of the GDPR and the coming soon and already years late PECR replacement, cookie laws and all…

Cookies, and cookie banners or notices have been around for a long time now. These notices are aimed at gaining consent to process personal information but it is often hard to see what that actually means. There are times it must happen, for example to provide a service or a product the company concerned does need to know who you are. But the spread of cookies across the Web has a far more sinister use and is often not understood by the general public. There have been all manner of attempts to cure the cookie issue over the past few years and the current crop of browsers have options to cut out third party cookies, for example. But the issue persists, in part because some websites simply ignore the rules or exist in jurisdictions where they do not apply, and in part because websites adapt to use first party cookies for the same purposes as before. The marketeers will no doubt argue that nothing comes free, and I accept that to a point. While it may well be fair game for the likes of Facebook to monetise my data because the platform itself dopes not cost me to use, the desire to track my activities outside of Facebook is the opposite. Advertising is, of course part of everyday life. Commercial radio and television rely on it in order to present programmes at no cost to the end user - the viewing and listening public. But these large companies - the likes of Facebook and Google - have stepped way outside the circle that one may consider to be reasonable. While radio and TV adverts are one way, that is they do not know I have watched them or listened to them, when an advert on a website is presented the fact I have clicked on it can be recorded. I will expand on this next. Take for example a TV advert. If one watches the advert and then calls the company, or if one buys a product and there is a card asking how one found it, any response is voluntary. Responses can be used to gauge the success of the advert. This is the old way of things, still relevant today. Now take an advert on the web. By simply clicking on the advert the vendor or, more probably the advertising agency can see that the advert has been clicked. If one then proceeds to a purchase that too can be recorded and the data tied together. This can form a profile of the specific user. However, we need to go one step further. All this data can be connected across many websites such that a user can be profiled and tracked across disparate purchases across many websites. This gives the advertisers far more detail than would be achieved by voluntary submissions to surveys and such. And the user has little choice. This data can then be used to form an advertising strategy and show that user adverts for…