Cookies ⁽⁵⁾

There seems to be an increasing number of websites now that are finally coming round to the act that they should not set cookies unless the user accepts them. They do this by having an Accept / Reject button which is great and fulfils the requirement nicely. On visiting the site one can simply press Reject All or whatever and then no cookies should be set other than those classed as strictly necessary. True, there are still many websites whose designers falsely consider that advertising cookies are strictly necessary but many websites are now far more compliant than they were a few years ago. However, not being too negative on thise conforming websites but does anyone actually check the number of users clicking Accept vs Reject? That kind of information, which can of course be collected entirely anonymously (developers please note!) would be most useful. It occurs to me - and I can't be the only one - that if a website clearly gives the choice to reject all these cookies and still functions without, then if people are generally rejecting them why do they even need them. It would be far nicer if these websites simply did not use those cookies in the first place.

A well known supermarket-attached clothing website has a privacy notice apparently powered by OneTrust. It gives the usual cookie choices where one can deny certain classes of cookie. On the positive side of things the selections are off by default. Good. But that’s where the positive ends… Certain cookie classes cannot be switched off – they are ‘always active’. These include data which: Now ok I’ve lumped them all together as displayed and not all are definitely evil at first glance. But let’s tease the evil out a little… Monitoring for the prevention of fraud is fine but it is not saying how. Does it mean that my data will be sent somewhere for fraud checks? Now, that may still be acceptable but it really needs to say. Sending and receiving information for advertising purposes. Ok, this is a big no. They can’t do that with no way to switch it off, no matter how much they want to. Cookies used for this can never be classed as strictly necessary. Combining my data with offline sources – again, what on earth is their plan here, tell me. The same goes for distinguishing my device from others. Do they even know how most home broadband routers work? Are they going further than just the IP address, which would be common across a household, or are they suggesting browser profiling? If the latter, stop it. In any event I browse this particular vendor in private mode with my cookie cruncher running so good luck with that!

I came across a website a couple of days ago that has the usual, rather useless cookie notice generated as the site claims several times by some random cookie policy generator. Ok so it has the usual three options, accept, decline, or see more information. But I was rather surprised that clicking ‘decline’ threw me to Google which then wanted me to agree to it’s own cookies. Not a good start. On further analysis, the ‘decline’ button URL is… Google.com! Big fail. The cookie notice itself is the usual waffle and on the positive side, if there is one, it does tell you all the evil it committing. In one section it does state that the third party cookie being set lasts forever and is used to track your cross the whole of the web. Of course, it has set all the cookies before you even agree. Fail number 2. In all the site sets 32 cookies, 8 of which are third party; and it causes your browser to make over 200 requests to nearly 60 different IP addresses. And the cookie policy generator they used? It has a short disclaimer basically saying they’ve no real idea what they are doing and only provide the generated cookie notice for informational purposes. Ugh. No, I'm not going to give the URL, and anyway I forgot about it ages ago the website was so useless...

When browsing to a website that site may set cookies for itself or third party cookies. I am not delving into this here, suffice to say that third party cookies are generally considered the ones to avoid at all cost. But how do you know what cookies are being set? I use three different browsers across the systems I use personally. Safari on my iPhone usually has cookies disabled completely. I use Safari and Brave on the Mac. On my Linux PC I use Firefox with not specific settings but set to delete cookies on exit. And on my Windows PC I use a mixture of Firefox and Brave, but I rarely use this system to browse websites other than a select few that I use regularly. This works for me, but generally speaking is not a good solution for ‘the many’ because things will break. So… Safari on the Mac tells me what trackers have been prevented from profiling me. Brave has a similar function. A comic website that I used to browse daily sets 17 cookies regardless of whether I reject or accept them. Enter a website that I discovered today while reviewing content on the excellent noyb.eu. https://webbkoll.dataskydd.net/en The code behind this website analyses websites and shows all sorts of things including cookies set, and also requests made to other servers – when you browse to a website very often that site causes your browser to visit other sites for parts of the whole, media and imagery for example. One must remember it is not the website you visit doing this, it is that website causing your browser to do it. The webbkoll website teases all of this out and displays it for you to see. I was rather surprised to note that webbkoll finds 53 cookies at the comic website! That may in part be because Safari genuinely blocks some, but to get down to 17 from 53 this is quote a lot. Webbkoll details them all too. Webbkoll is definitely another very useful tool when trying to figure out what a given website is trying to do.

Cookies, and cookie banners or notices have been around for a long time now. These notices are aimed at gaining consent to process personal information but it is often hard to see what that actually means. There are times it must happen, for example to provide a service or a product the company concerned does need to know who you are. But the spread of cookies across the Web has a far more sinister use and is often not understood by the general public. There have been all manner of attempts to cure the cookie issue over the past few years and the current crop of browsers have options to cut out third party cookies, for example. But the issue persists, in part because some websites simply ignore the rules or exist in jurisdictions where they do not apply, and in part because websites adapt to use first party cookies for the same purposes as before. The marketeers will no doubt argue that nothing comes free, and I accept that to a point. While it may well be fair game for the likes of Facebook to monetise my data because the platform itself dopes not cost me to use, the desire to track my activities outside of Facebook is the opposite. Advertising is, of course part of everyday life. Commercial radio and television rely on it in order to present programmes at no cost to the end user - the viewing and listening public. But these large companies - the likes of Facebook and Google - have stepped way outside the circle that one may consider to be reasonable. While radio and TV adverts are one way, that is they do not know I have watched them or listened to them, when an advert on a website is presented the fact I have clicked on it can be recorded. I will expand on this next. Take for example a TV advert. If one watches the advert and then calls the company, or if one buys a product and there is a card asking how one found it, any response is voluntary. Responses can be used to gauge the success of the advert. This is the old way of things, still relevant today. Now take an advert on the web. By simply clicking on the advert the vendor or, more probably the advertising agency can see that the advert has been clicked. If one then proceeds to a purchase that too can be recorded and the data tied together. This can form a profile of the specific user. However, we need to go one step further. All this data can be connected across many websites such that a user can be profiled and tracked across disparate purchases across many websites. This gives the advertisers far more detail than would be achieved by voluntary submissions to surveys and such. And the user has little choice. This data can then be used to form an advertising strategy and show that user adverts for…