RFC 35140: HTTP Do-Not-Stab (2023) (5snb.club)
I fully understand that its absence wouldn't mean that people won't get stabbed, but it would save time and mental space for all people like me who really don't care about being stabbed or not.
Honestly if anything, I'd like to be stabbed more.
By analogy to current situation about tracking ... Ad companies know too much about me? I think they know too little. For example for half a year they still haven't figured out that I know barely any words in German and are serving me German advertisements all the time just because I happen to be living in Germany currently.
You can still laugh at the joke with the section there, you’ll just have fewer confused people to correct, and be in one less elite club.
While it's true that children will often go out of their way to test boundaries, I have no trouble giving them the benefit of the doubt and saying that children are innocently experimenting.
Companies, meanwhile, are doing this with fully deliberate malicious intent. They do this because capitalism rewards it. We need to say this, and keep saying it, until everyone gets it. Companies cannot be reared like children. Companies do not “mature” to become well-behaving, ethical citizens. With the profit motive in effect, companies have every incentive to work around every legislation and regulation and screw us at every opportunity they get. The profit motive must go.
On a more serious note: yeah wtf. I hope we in the EU draw the conclusion of companies even being unable (unwilling?) to gain informed consent and just start treating these privacy breaches as an outright crime.
Do a sidedoor as a /do-not-stab.txt
Do-Not-Stab: 1
For Microsoft this also rings true from the opposite direction. Any specification that Microsoft technically abides is implemented in an egregiously dark way (at least for anything consumable at an enterprise level).
They go to great lengths to exercise every bit of leeway permitted by the spec, even when it doesn't make economical sense, because what are you gonna do about it? Vote with your wallet? Against the vendor that runs all your workstations and manages your directories and databases and deployments and authentication and authorization and business intelligence and and and?
No, you're gonna accommodate their absurd counter-requirements because what other choice do you have? The decision then becomes:
1. branch your code to shit with `vendor == microsoft` clauses
2. branch your project/architecture to shit and effectively maintain a Microsoft version alongside the "normal" core version
3. use Microsoft's bespoke library that solves the problem they created
A project that selects option 3 will face the least resistance integrating with Microsoft products, but will also become beholden to arbitrary rules that complicate integration with every other vendor who benevolently implements the standard.
Certainly not any government. If you think the EU's regulations are of any help to the consumer you are gravely mistaken. The EU is quickly becoming a fucking nightmare to live in. "The more corrupt the state, the more numerous the laws". The meme that goes around atm is that while Elon Musk created Tesla, SpaceX and Starlink, the EU managed to get everybody to now have plastic bottles that do not close properly anymore: due to some regulation that mandates that bottle caps must stay attached to the bottle, weird, only partially functional mechanisms have been created and it's a PITA to either drink from a plastic bottle or, worse, try to lay it horizontally in a fridge.
That's what the EU is: probably that some politicians or bureaucrats with enough brain cells to recognize a bottle cap on the ground thought "I've got an idea to make the EU better, let's mandate every bottle to have a cap that cannot be separated from the bottle".
As a result you lay a plastic bottle of sugary drink horizontally in your fridge (because you've been used to doing that for decades) and now your whole fridge is sticky due to the bottle leaking.
It's all that is wrong with the EU bureaucrats in one example.
Also, hailing the EU as the savior vs Microsoft when our lives became miserable with EU consent cookie popups virtually everywhere is a bit thick.
I haven't encountered that meme, but if it exists, it's like most memes seem to be: Wrong. The bottle caps work just fine.
At least the EU made something useful
https://www.emballagefokus.dk/goer-noget-uden-at-goere-noget...
The whole thing smells like a made up issue concocted by some company wanting to sell their bottle cap solution.
Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Either do the "joke" style or the "angry rant" style, not both. The joke can be explained calmly if there is a need to.
The original criticism I wasn't objecting to wasn't making this distinction, and so this is a different argument. I wasn't defending the angry tone, only the existence of a section, "if you didn't get it, here's the point".
>Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Okay, now it seems like you're saying the section would be bad even with a calm, non-angry tone, in which case my point about the need for a non-joke section applies.
In any case, the standard of "what if this were real life" is a bad one to use. An internet post is not an in-person interaction, and it optimizes for different things. You might as well object to footnotes on the grounds that, "hey, in real life, you wouldn't go on all these tangents because that's distracting".
If you already got the point, by the time you got to the rant, and don't need the explanation, you can (and should) stop reading there. It's not relevant to you. It's supplemental information for anyone who didn't get the point. You know, the ones you don't think deserve the same level of understanding as you, the ones who weren't elite enough, like you, to get the reference.
But you were -- you just hid it under a veneer of snark, innuendo, and plausible deniability so I'd be tainted by the implication, while still allowing you to (right on cue) insist that's not what you meant.
Maybe now you're starting to understand why ambiguity in writing is a double-edged sword. But then, if you were that conscientious, I wouldn't have to make the original point in the first place.
IMO we need to start normalizing being militant about this stuff again, to aggressively and adversarially defend the freedom to use your computer the way you choose to use it
I'm dubious about people becoming militant about this when the software engineering industry gave Chrome a red carpet by using it and installing it on their relatives' computers while knowing very well it's adware and when switching to the alternative is incredibly cheap.
It's almost as if Steve Ballmer and the legendary "developers developers developers" speech still rings true today - the key to getting people to use your software is to make life as easy for the power users as possible, let them spread the word. And it's ironic how Microsoft lost its ways there... a lot of people I know have gone from Windows to Mac and convinced their close relationships (aka those whose computers they fix) to do the same. It's just so much more relaxing to boot into an OS that doesn't try to shove advertising down your throat at every turn.
HN is not a hive mind. There are people here who love Firefox, people who despise it, and everyone in between. It’s tiring to always be reading your type of comment, as if everyone is a hypocrite. Maybe, just maybe, the people making those contradictory comments are not the same individuals.
And it’s not like Mozilla is free from controversies, including several of betraying user trust. If every major browser maker is going to break your trust and sell your data, I can see why people choose their poison based on other factors.
I use neither Firefox nor Chrome. Is Safari any better? Or Brave? In some areas yes, in others no. I don’t think there’s a single browser vendor which gets it unambiguously right.
Yes. As a millennial, the times of civil disobedience were better. Not only did we get a better internet for consumers, but better companies were rewarded and won. Rose-tinted glasses? Possibly, but there’s another reason for disobedience: the other side does it, and they do it just for money.
Concretely, is there something like Adblock that can be done for cookies? I don’t think blocking is as effective as poisoned data though. They ask for data, they should get it. If you don’t get consent, poisoned data is merely malicious compliance.
It could even be standardized as an extension to DNT: “if asking for consent after a DNT header, a UA MAY generate arbitrary synthetic data”.
I use a combination of two browser extensions: Cookie AutoDelete[0] and I don't care about cookies[1]. The second hides any GDPR 'compliance' popup; the first deletes any cookies set by a website when you close the last tab with it open. Both extensions have whitelist functionality.
Sadly, even if you’re inclined to do this, it’s always a war of attrition, and corporations seem to realize they can just up the cost of your resistance in terms of time/frustration, and that’s enough for them to win in the long term. The history and trajectory of platforms, from browsers to app stores to SaaS-all-the-things, is just tragic, with the amount of user control on a downward slide at each stage. The big question now is whether / how / to what extent AI is going to be corporate or democratized, but it’s hard to be optimistic.
Or, you know, if Clicking do-not-stab for 60 more years sounds like it sucks, you can try to become a shepherd or something. Works great for ~10 years, and then you can’t use cars, dishwashers or light switches without clicking do-not-stab, at which point they finally win and you say, you know what? I should be grateful they asked before they stabbed me, I practically owe it to them anyway, and I can’t wait to see all the love/cash rolling in after I’m a big shot shepherd influencer. Like and subscribe y’all and as always, hail corporate
But perhaps it really only succeeded because that Microsoft was like the Boeing of today, a company where Pournelle's second type (the institutionalists) had taken over and was just riding out the momentum, allowing the upstart unfunded open source hippies to actually have success.
I'm just going to click "yes," stop asking.
For netizens, the idea that the user should be able to opt out of logs about their interaction with the service the operator owns is novel (because they always had the option of not using the service if they found the pattern distasteful).
However the EU dropped the ball by not making it mandatory to respect this flag. If they had we wouldn't have had the huge cookiewall mess we have now.
If anything the shift is going the other way, with some of the more busy-body jurisdictions trying to take things that are properly enforced by the user's user-agent and instead making them officially the responsibility of the other party.
Because of legal requirements, the General Assault Control header may not be enabled by default, as American states like Colorado require explicit opt-out (rather than explicit opt-in). This protects Colorado's thriving stabbing and shooting industry as most users will never want to opt into being stabbed.
Despite the feature being forced to be disabled by default, the organisation behind the spec is pushing hard for customers to download fringe browsers that implement the feature (though you may need about:config to enable it). Because of the small user base, the request not to be assaulted can be used by websites not willing to follow the standard to make their stabbings and shootings more precise. End users can request a JSON file from the web server containing the supposed support for the GAC header, but requesting this URL may be used to kick the user in the teeth by non-compliant servers.
This isn't my tribe, but I'm incredibly pleased to see a beautiful reflection of the old internet within this webring.
https://en.wikipedia.org/wiki/Do_Not_Track#:~:text=The%20Do%....
I can dream...
I don't know if they still do it, but last time I browsed Medium I found that it claimed to respect DNT, which is quite nice. Lots of self-hosted analytics software also respects DNT out of the box and I don't think site administrators often bother to turn that off. Still, the vast majority of websites probably ignores the header, especially since it's been deprecated as a standard. If you care about such things, maybe also consider looking into Sec-GPC, its intended replacement.
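Added example, not from the thread: a minimal WSGI-style app that honours both the legacy DNT header and Sec-GPC (Global Privacy Control), drops its own analytics script when either is set, and serves the `/.well-known/gpc.json` resource GPC clients can fetch. The analytics path, the response bodies and the `lastUpdate` date are constructed for illustration.

```python
"""Honour DNT / Sec-GPC on the server side (added example, not the thread's code).

Assumptions: the site disables its own first-party analytics when either signal
is present; headers arrive in WSGI form (HTTP_DNT, HTTP_SEC_GPC); the analytics
script path and the lastUpdate date are constructed placeholders.
"""
import json

# Global Privacy Control publishes support at this well-known path; the body
# is a small JSON object with a boolean "gpc" and an ISO 8601 "lastUpdate".
GPC_WELL_KNOWN_PATH = "/.well-known/gpc.json"
GPC_WELL_KNOWN = {"gpc": True, "lastUpdate": "2024-01-01"}  # constructed date

ANALYTICS_TAG = '<script src="/analytics.js"></script>'  # constructed path


def _flag_set(value):
    """Both headers are defined with the single value "1"; anything else is unset."""
    return value is not None and value.strip() == "1"


def tracking_opt_out(environ):
    """Return (opted_out, signal) for a WSGI environ.

    Sec-GPC is checked first because it is the current signal; DNT is still
    honoured because many deployed clients and analytics packages send/read it.
    """
    if _flag_set(environ.get("HTTP_SEC_GPC")):
        return True, "Sec-GPC"
    if _flag_set(environ.get("HTTP_DNT")):
        return True, "DNT"
    return False, None


def app(environ, start_response):
    """Tiny WSGI app: well-known GPC document, else a page with optional analytics."""
    path = environ.get("PATH_INFO", "/")
    if path == GPC_WELL_KNOWN_PATH:
        body = json.dumps(GPC_WELL_KNOWN).encode()
        start_response("200 OK", [("Content-Type", "application/json")])
        return [body]

    opted_out, _signal = tracking_opt_out(environ)
    analytics = "" if opted_out else ANALYTICS_TAG
    body = f"<html><head>{analytics}</head><body>hello</body></html>".encode()
    # Vary tells shared caches the page differs per opt-out signal, so a cached
    # copy built for a consenting client is not served to an opted-out one.
    start_response(
        "200 OK",
        [("Content-Type", "text/html; charset=utf-8"), ("Vary", "Sec-GPC, DNT")],
    )
    return [body]


def render(environ):
    """Drive app() without a server; returns (status, headers, body_text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for env in ({"PATH_INFO": "/"}, {"PATH_INFO": "/", "HTTP_SEC_GPC": "1"}):
        status, _headers, body = render(env)
        print(env, "->", "analytics" if "analytics.js" in body else "no analytics")
```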
But apparently it was considered too complex and "lacking enforcement".
Now maybe if it had survived till GDPR it could have had its enforcement, but Mozilla yanked support before that...
They don't actually hate you. Rather, they love your money and they have a depraved indifference for you.
No idea if that bit of lore is true but it is certainly the case that RFCs are usually the final word on the relevant standard. In fact, once they get their ID, RFCs cannot be modified or rescinded; only superseded by another RFC.
The idea that a published RFC is a final word is a newer idea too. Yeah, you can't modify an RFC, you have to publish a newer one, but that was a pretty good way of doing distributed change control in 1969.
> https://www.rfc-editor.org/rfc/rfc8700.html
Nowadays you're supposed to comment before it gets to "Internet standard"
Another satire RFC in the same spirit is the one about the evil bit[2] (designate one bit in packets to indicate whether it’s intended for evil), with the same subtext as the linked post: no, you can’t trust malicious entities to change their behavior to make it easier to stop.
(Sutures As A Service) which is an additional, somewhat often used service once Stabbing As A Service has occurred.
Them: What's your LinkedIn Account?
Me: Don't have one.
Them: Twitter?
Me: Nope.
Them: InstaGram or TicToc?
Me: Nope.
Them: Do you use the web at all?
Me: Only through Lynx. I see a lot fewer ads.
Them: No JavaScript! How do you use YouTube?
Me: I don't, really.
Them: You have no social media?
Me: Well... I *did* order a pizza from Dominos online once...
Yeah... I don't use the web much, as you would expect for someone whose livelihood depends on it. I just wish USENET was still USEFUL. I have a rant in me about ad-tech and crap-ware on the web. I'm just enjoying my life without the web too much to write it. And clearly, HN is my web-tech Achilles heel.
> Google has also released a browser plug-in that turns off data about a page visit being sent to Google, however, this browser extension is not available for mobile browsers.
source: https://en.wikipedia.org/wiki/Google_Analytics#Privacy
For example, I have my browser send all of these with each request:
Do-Not-Eat: 1
Do-Not-Insert-Into-Anus: 1
Do-Not-Do-Evil: 1
Do-Not-Chew-Loudly: 1
Do-Not-Forget-To-Bring-A-Towel: 1
Do-Not-Pee-Into-The-Wind: 1
Do-Not-Give-Me-Up: 1
Do-Not-Let-Me-Down: 1
Do-Not-Turn-Around: 1
Do-Not-Desert-Me: 1
Do-Not-Stab: 1
The last one I added just now because this article opened my eyes to this glaring omission.
"Fools! I have invented a usb device which can collect votes from the Internet and drive a knife through your heart!"
This gets more and more unhinged, I love it
Maybe they could get advice on the best way to do that from these people?: https://news.ycombinator.com/item?id=42169027
I didn't mean to say that all of HN despises Firefox, but simply that it very often brings negative sentiments, so seeing the comment I was responding to so high up in the thread made me react. It was also a kind reminder that militating is as simple as using an alternative to Chrome.
> And it’s not like Mozilla is free from controversies, including several of betraying user trust. If every major browser maker is going to break your trust and sell your data, I can see why people choose their poison based on other factors.
> I use neither Firefox nor Chrome. Is Safari any better? Or Brave? In some areas yes, in others no. I don’t think there’s a single browser vendor which gets it unambiguously right.
And you're making my point about the perfect solution fallacy as well! Of course Firefox isn't perfect and has screwed up on several occasions, does that mean it's comparable to a piece of software that sends every single bit of information it can gather to its parent ad company?
Just as often as it brings positive sentiments. Something that is (from anecdotal observation) quite common from both camps on HN is disappointment with Mozilla’s governance.
> does that mean it's comparable to a piece of software that sends every single bit of information it can gather to its parent ad company?
Not the argument I made. As I said, I use neither.
My point exactly! You're talking about which browser to use for web development. That's not relevant for engineers not touching html/js/css, and for all non tech savvy family members whose computers we set up.
Yes, all subjective, biased and anecdotal, but I wanted to leave one real (yet still virtual) vote in favour of Firefox's Developer Tools here.
Do they provide a guarantee to only sell once, instead of selling to everyone?
Is there any evidence this actually happens? Or are we just going based on vibes?
Given the data, why would a trillion dollar company leave money on the table? Their shareholders DEMAND they monetize it. There are few forces against this.
https://www.eff.org/deeplinks/2020/03/google-says-it-doesnt-...
Given the 2.095 trillion reasons why this should happen, and few reasons it shouldn't, you should demand evidence it DOESN'T happen. Presumption of innocence is backwards when there are market forces.
You might also want to read our ToS in order to stay informed about the multiple ways, some of them illegal under EU law, you still will get stabbed.
(Approximate reading time: 4h53m, assuming a law degree and multiple years of experience in data protection law practice)
Estimated cost for paying every random website you stumble upon: one bazillion dollar / month (imitates Dr. Evil face)
I like to use Consent-o-Matic[1] for this. IDCAC accepts tracking when ignoring the request doesn't work. CoM rejects all tracking on those popups. I like the slight Fuck Off that that sends.
Centralizing the serving of third party (or even first party) content is already way outside the original norms of the internet.
Heck, back in the day, HTTP caching would be enough to block tracking. (No javascript, and only the ISP sees which users pulled the document from cache.)
Which is why it should be defined in the law. The GDPR and the ePrivacy directive define what counts as tracking and what is acceptable. See for example:
https://commission.europa.eu/resources-partners/europa-web-g...
I don’t think GP is suggesting we just make a law that says “u track, u pay fine”.
I don't think it's that easy though. The "just" is doing a lot of work in there. Consider:
Some websites have login with third-party credentials. It doesn't matter that you choose to use these for convenience, because intent doesn't matter, and it is a fact that both the Service Provider and the Identity Provider are tracking you. IdP knows which sites you are logging in to, and SP knows and stores your third-party identity (they might say they need it to know which account you're logging in to, but like I said, intent doesn't matter).
Hacker News is currently tracking me. They might say the cookie is needed for session stuff to work, but intent doesn't matter, and it is a fact that the cookie uniquely identifies me.
My web browser is tracking my mouse position. Mozilla might say they need it for styling stuff to work, but intent doesn't matter, and it is a fact that Mozilla's software is tracking my mouse position in real time (let's not even talk about browser history).
Your browser cache might have two HN posts where my comments appear. If that's the case, then it would be a fact that you are tracking which posts I am commenting on. Intent doesn't matter, so hopefully you're not a company (tracking is fine if you're an individual though (based on the quoted text)).
/s
Hopefully this ride down the slippery slope illustrates some subtleties, at least without a very precise definition of "tracking". But then again, if the definition is too precise, there's gonna be loopholes in the letter of the law; in that case we might say that we should also consider the spirit of the law, but "intent" is part of that.
Think about how obsessive companies are about "UX" and how disruptive the banner is. Bitch-slapping people for fighting against tracking is more important to them than the user being able to access or use the site at all.
Most EU national government websites have cookie banners. Even the European Commission website has a cookie banner!
This should have been implemented at the browser level. Let the browser generate a nice consistent UI to nag EU users when visiting websites about accepting cookies and let the rest of us opt out.
I understand it’s what media and communication departments do, and that it’s natural that the people working within them would want to do so regardless of where they work. It’s their trade after all; unfortunately they bring the exact same “user engagement” mindset with them into the public sector. Well, at least in my anecdotal experience with a handful of these departments in 7-8 different cities around here. You can of course make good points about user metrics on a public website, but they should frankly work very differently than they would on most web sites. On a public website it should be the goal to get the user to leave the site as quickly as possible, because the longer they hang around the more time they are spending finding what they need. That’s not what happens with these metrics in my experience, however; instead they are used to do what you might do on a news site.
That’s just one side of it, however, because the privacy concerns are their own issue. If you absolutely want metrics on a public website, at least have the courtesy to build your own. It should be illegal for public web sites to use 3rd party tracking. I know why they use it; it’s for the same reason they spend a ridiculous amount of money on custom design systems built on top of what is usually SharePoint or Umbraco. They refuse to hire the Django (insert any other extremely low maintenance system) expertise because it’s expensive on the “long term budget”, even though it would be much cheaper than 3rd party tools and consultants on the actual long term budget. Anyway, that is another point. But it really pisses me off when public websites need you to allow 3rd party tracking because they aren’t using it in any way which serves the public.
Worst of all is that cookie banners are explicitly a private industry way of dealing with their refusal to respect “do-not-stab”. Public websites could simply put their bullshit into their privacy page. Of course nobody would go there and turn on 3rd party cookies, but why should the public care?
It seems like there should be a parallel to “tragedy of the commons” that talks about how a good idea coupled with extreme penalties can lead to a bad outcome by making any risk calculation result in “jesus we just can’t take any chances here”.
I miss the old Internet where nobody cared about their privacy.
I don't care about my privacy in the street despite it being public because there's no-one following my every step taking note of where I go, how fast, what music I'm listening to, what I'm looking at... (although the astute reader will argue that this is less and less true, there's more and more tech tracking our activity in real life too)
Unfortunately entire businesses are built around preventing people from using bots, for obvious reasons, so the only obvious way forward to make browsing the web a better experience will also mean ending up on the wrong side of that battle.
Yeah, no. Hostile advertising companies added that cookie banner as a form of "malicious compliance" with the law purely to annoy everyone like a buncha spoil't little brats who didn't get their way, so now they're gonna make everyone suffer... If we get a similar law in the USA, you can expect to see annoyances just like it (and probably worse) on sites hosted here, too.
When I walk down the street and someone sees me go by, those aren't my photons they caught. By analogy, same with my browsing history.
Of course there are practical limitations on that kind of physical surveillance. It's expensive, tends to attract attention, and even nation states can only do it to a few people at a time. Information technology allows it to scale to almost everyone, almost all the time, for a small fraction of a corporate budget.
Perhaps it's worth at least considering restrictions on that.
It also failed to actually ban ad tracking.
That was the obvious outcome. What did people predict: site owners leaving money on the table? Who pays for operating the sites then?
I would love to know what happened. Did the laws get "revised" to re-open the loophole? Was superseding legislation passed? Did the courts reject it? Are there enforcement issues?
1) They aren't trusted to be reasonable about user consent.
2) They are only to take action when they judge it is reasonable to check user consent.
It'd probably be a very rocky process to nail down what those words like "loophole" and "workaround" mean as the advertisers start abusing prescribed no-banner situations.
Other people also own their own memories and records - some of which may be about you.
At least, this is how it was for most of human history.
Now some people think they should be able to demand everyone destroy records about them. If it was possible, no doubt they'd also demand people destroy any memories about them as well.
The claim is that no sites value their user experience enough to pick an ad solution with a better experience. I doubt that claim.
I still remember being at an all hands at a former employer where the team presenting the revised cookie banners promoted as a benefit that it had opt in rates that would make an authoritarian dictator embarrassed to claim as uninfluenced
Cookies should be categorised as essential and non-essential and the website should specify which laws it is considering when it categorises them as such. The GDPR definition of "legitimate interest" (which is a bit vague but it's not that hard to understand it) should be explicitly clarified so that companies can't claim that a whole swathe of shit they opted you into automatically is "legitimate interest" if they also give you the option to opt out.
At this point they can still attach descriptions to each cookie (hopefully using some standardised interface so you don't have to literally send these with every cookie, localized) and then your browser can still present you with the idiotic: "here's what we would like you to use" interface, but streamline the process with the ability to just opt out of anything which won't outright break the website.
Although this still opens it up for abuse by companies putting things like: "your preference for us not popping up an annoying full-page message every time you visit a new page" into a "non-essential" cookie to incentivise you to just accept them all.
Honestly I think we should just have Joe "Sensible Person" judge company's websites for whether they're being actively malicious in any way and force the closure of any company which is considered actively malicious along with the destruction of all company IP and liquidation of non-IP assets. All the company owners should also be banned from owning/running any other company for 10 years. (only half kidding)
I don’t see any difference between online “tracking” and real world stalking. If someone was following you everywhere you went, taking notes on everything you did, interrupting you and preventing you from actually doing what you were actually wanting to do, you’d be able to have the police intercede on your behalf. Only now we think it is different because it’s “on a computer”???
This is the part that would get the police involved, and no-one online is doing anything like this.
Doris the curtain-twitcher compiles a dossier on everyone, maybe shares it in her gossip circles. No-one cares.
If your claim is that sites that use cookie banners don't understand the law, I don't know how we square that claim with the European Commission site's cookie banner. Certainly, the government itself can interpret the law successfully, right?