Mastodon

These Cookie Warning Shenanigans Have Got to Stop

This will be short, ranty and to the point: these warnings are getting ridiculous:

I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on the other hand, the Dutch DPA somehow thinks that this makes any sense to (almost) anyone:

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:

Do you know how hard it is to explain OAuth to technical people, let alone the masses? Oh wait - it's not OAuth - it's Oath but even I didn't get that at first because nobody really reads these warnings anyway! And now that I have read it and I know it's Oath, what does that really mean? Oh look, a big blue button that will make it all go away and allow me to do what I came here for in the first place...

But say you are more privacy focused and you wanted to follow that link in the original tweet. Here's your fix:

And if you're smart enough to actually understand what cookies are and be able to make an informed decision when prompted with a warning like TechCrunch's, then you're smart enough to know how to right click on a link and open it incognito. Or run an ad blocker. Or something like a Pi-hole.

Or you move to Australia because apparently, we don't deserve the same levels or privacy down here. Or have I got that back to front and Europeans don't deserve the same slick UX experience as we get down here? You know, the one where you click on a link to read an article and you actually get to read the article!

So let's be European for a moment and see how that experience looks - let's VPN into Amsterdam and try to control my privacy on TechCrunch:

Are you fucking serious? This is what privacy looks like? That's 224 different ad networks that are considered "IAB Partners" (that'd be the Interactive Advertising Bureau) and I can control which individual ones can set cookies. And that's in addition to the 10 Oath foundational partners:

You can't disable any of those either by the look of it so yeah, no privacy on that front. But at least you can go and read their privacy policy, right? Sure, Unruly's is 3,967 words, Facebook's is 4,498 words and Zentrick's is another 3,805 words. Oh - and remember that you need to accept cookies on each one of those sites too and you're going to want to read about how they and their partners track you...

And the ridiculous thing about it is that tracking isn't entirely dependent on cookies anyway (and yes, I know the Dutch situation touched on browser fingerprinting in general too). Want to see a perfect example? Have a go of Am I Unique and you'll almost certainly be told that "Yes! You can be tracked!":

Over one million samples collected and yet somehow, I am a unique snowflake that can be identified across requests without a cookie in sight. How? Because even though I'm running the current version of Chrome on the current version of Windows, less than 0.1% of people have the same user agent string as me. Less than 0.1% of people also have their language settings the same as mine. Keep combining these unique attributes and you have a very unique fingerprint:

The list goes on well beyond that screen grab too - time zone, screen resolution and even the way the canvas element renders on the page. It's kinda cool in a kinda creepy way.

And here's the bit that really bugs me (ok, it all bugs me but this is the worst): how do we expect your normal everyday person to differentiate between cookie warnings and warnings like these:

I know what these are and you probably do too by virtue of being on this blog, but do you really think most people who have been conditioned to click through the warning that's sitting between them and the content they wish to read understand the difference between this and a cookie warning? We literally have banks telling people just to ignore these warnings:

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices. That is all.

Privacy Cookies
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals