Sorry, I should have clarified my question further. They already broke their promises on Hong Kong. So I was asking what the other promises people think they won’t break?
Like are we talking Taiwan? Or something in mainland China?
Hence: which promises and which people?
With regard to HK - agree they broke their promises, but it’s not like it wasn’t highly predictable a leader like Xi would do this, the shocking part was the speed, not the action.
Apologies for upsetting people by being too vague.
I am kind of frustrated by the widespread misunderstandings in this thread.
Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.
It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.
What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.
I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given
Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!
And not to forget: Giving consent and rejecting to give consent must take equal effort, otherwise you are not compliant. This is veeeery easy to do. Literally just place 2 equal buttons next to each other ... Basically, all you need to do is not to spend additional effort to F things up. But surprise surprise! Most companies act as too incapable to implement it correctly. I _wonder_ what the reason could be ...
You'd think that the $160+ million fine given to Google for incorrectly implementing their consent thingy would be a deterrent, but clearly not.
While the OP of this comment chain stated that laws are best if they are abstract, I think in this case the EU should have mandated an implementation as well, for example a browser based consent setting. Can be global, can be per-website. But the (ad)tech companies wouldn't like that, because as it turns out if given a fair choice, the majority of people would not opt-in, and they don't like that. Even though a small percentage of visitors that do opt in would already generate statistically significant results.
It's the same with the alternative, e.g. US sites simply not allowing access from the EU. They could just not have tracking. Advertisers could serve non-tracking ads, based on e.g. IP geolocation. But they don't like that because it's not as targeted as before the EU laws.
> I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given
Depends on what you consider to be "cookies were set". I think it's a valid argument that cookies aren't set until a "Set-Cookie" HTTP header is sent to the server. The banner is just a form to decide whether or not to set the cookies prior to actually doing so. The banner switches aren't the cookies themselves.
What I mean is a lot of sites will add tracking cookies like say through a google analytics tag before the user has actually accepted them.
Then, if the user clicks to reject cookies in the banner they remove the tracking cookies etc – but this is not compliant since if the user takes no action they are being tracked by default.
Look at how Google does it for Blogger. There is an OK button and a "Learn more" one. There is no reject. Are you saying they are breaking the law? EU would love nothing more than to levy more fines.
They are breaking the law. But enforcement lies with national agencies (unlike antitrust where the EU commission itself enforces). Most national agencies don’t bother, only the French CNIL had levied penalties - pretty much on every one of the big ad tech companies in the Faamgs, Bytedance and Twitter…
> The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
Pretty clear, isn't it?
There have been subsequent rulings stating that not giving an equally styled no/reject option or letting people choose between one yes option and a thousand separate no options is already an influence that nullifies consent.
Also specific means you can't just tell them you have to use a cookie for technical reasons and use it for tracking later — they might have given you consent for that cookie for the purpose you told them about, not for the purpose of tracking.
All kinds of actors try to bend the rules here, while the rules are very clear.
One way to see it is that it's their way of passive-aggressive protest against a law they don't want. Maybe the aim was never to abide by the law, just to pretend and annoy people enough to draw them on your side.
I take an even more cynical view: their intent is far from passive.
They want the end user to be irritated in the extreme. When users complain they'll say “we have to do this, the law says so, look, everyone else is doing the same thing” in the hope that people will support later action to have the privacy protections wound back.
The message from these antagonistic companies is clearly: "Look at what they made me do to you!" And users (even here in the HN comment section) fall for it. Like a beaten spouse. Yessssssss, it's the evil EU.... Why do they force you to beat me up?
A clear example of passive-aggressive protest was from Google, the removal of links to Google maps from the search results. Instead of providing a choice of multiple map providers, they just completely removed the links. To clarify: I'm in Europe (France).
> I am kind of frustrated by the widespread misunderstandings in this thread.
SV and the advertising industry thrives on those misunderstandings.
Put simply, there is no need for "cookie banners" unless those cookies are being used to track or personally identify me (hello advertisers!), in which case, I need to give my opt-in informed consent to allow this; and so I should.
Hardly surprising SV and the advertising industry campaigns against "cookie banners", rather than their own unethical trading in personal data without consent.
Silicon Valley in general has a huge problem understanding consent. If the world was a night club, "Silicon Valley" would be that creepy guy who goes up to everyone saying "You're dancing with me now, unless you opt out [Yes | Ask again later]."
I am informed and chose "No" each time. Why do EU lawmakers not allow me to automatically say no? All they have to do is add a line to the law enforcing companies to respect the DNT or GPC header.
> Why do EU lawmakers not allow me to automatically say no?
What do you mean? There is no law banning companies from honoring a DNT header, companies just choose not to do so. The law already allows it, it just doesn't mandate it.
Microsoft, in its eagerness to hit Google's revenue, universally set DNT on its browser of the day, which muddied the water on informed consent, and gave Google and other trackers an excuse not to respect it, since it wasn't technically the user requesting not to be tracked, but Microsoft.
> Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.
I tried looking at the various browser standards positions, and as far as I can see, nobody has even asked Blink or WebKit if they are interested in supporting it. Is there any movement on this at all? The official website says that it’s part of “several major browsers”, but this seems dishonest when the biggest browser that supports it is Firefox with ~2.5% market share and no actual major browser seems to be aware of its existence.
There's movement from the Internet Advertising Bureau, they explicitly say that this signal must be adhered to if the header is present, and this signal must be forwarded to Demand Side Platforms.
I mean is there any movement in getting major browsers to adopt this?
Normally when a spec. like this is written that needs adoption from web browsers, an explainer is written and then the major rendering engines are asked for their feedback. For instance, here’s an explainer:
I tried to find where this was done for GPC and couldn’t find anything. Did they just write a spec. and not bother doing any of the work involved in getting it adopted? Or is there progress being made that I didn’t see? Hence my question: Is there any movement on this at all? Or is the process of getting it adopted by Blink and WebKit at absolute zero?
DNT does not provide informed consent. It may, if set to not track, imply denial, but the reverse is not true. If DNT is accepting or unset, the site needs to fall back to the banner to get consent. And at that point you may as well prompt everyone with the banner instead of complicating the codebase with extra logic for a DNT edge case.
For existing privacy options — location, microphone, camera — Safari on iOS has the options of "ask"/"deny"/"allow".
I wouldn't be surprised by legislation for a Do Not Track option in DMA designed Gatekeepers' browsers, defaulting to "ask", where all three options must be handled accordingly by websites.
"Ask" would also have to be the default behaviour when no preference is transmitted.
Again, as the law in question requires informed consent, "allow" and "ask" end up being the same thing. A new DNT law as you propose would contradict the other law of which we speak.
I doubt there would be any concerns with "complicating the codebase" (really?) if there was a Yes-Track header that gave consent but no negative signal.
It's not really a Yes Track if it's simply absent. The user hasn't requested to be tracked. I'm not even sure with it set to 0 that you can assume that intent. I guess it would depend on the browser's behavior, but as you say the law is not compatible with that use.
> I'm not even sure with it set to 0 that you can assume that intent.
That's the problem. Someone not paying attention might inadvertently set DNT: 0, which is why the law is written the way it is. But at the same time we have techies who knowingly and carefully set such values and want the service to acknowledge it, contrary to the law. Hence the contention.
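The consent logic argued over in this part of the thread (no tracking cookie before an explicit opt-in; `DNT: 1` or `Sec-GPC: 1` read as a denial; `DNT: 0` or no signal still requiring a prompt), as an added example that is not part of any comment. The `consent` and `_track_id` cookie names and all function names are assumptions made for the sketch; only the `DNT` and `Sec-GPC` request headers are real.

```javascript
// Added example: server-side consent gating plus an audit check for the
// "cookie set before consent" pattern. Cookie names are constructed.

const TRACKING_COOKIES = new Set(['_track_id']); // hypothetical tracking cookie

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decide what the server may do for one request.
// `headers` is an object keyed by lower-cased request header names.
function consentDecision(headers) {
  const cookies = parseCookies(headers['cookie']);

  // A "do not track" signal is treated as a refusal, so no banner is needed.
  // Letting it win over a stored grant is a conservative choice of this sketch.
  if (headers['dnt'] === '1' || headers['sec-gpc'] === '1') {
    return { track: false, showBanner: false, reason: 'browser-signal-denied' };
  }
  // Only an explicit, previously recorded opt-in enables tracking.
  if (cookies.consent === 'granted') {
    return { track: true, showBanner: false, reason: 'explicit-consent' };
  }
  if (cookies.consent === 'denied') {
    return { track: false, showBanner: false, reason: 'explicit-refusal' };
  }
  // DNT: 0, an unknown value, or no signal at all is not consent:
  // stay untracked and ask.
  return { track: false, showBanner: true, reason: 'no-decision-yet' };
}

// Build the Set-Cookie headers for a response. A tracking identifier is
// issued only after the decision above says tracking is allowed.
function setCookieHeadersFor(headers, newId) {
  const decision = consentDecision(headers);
  const existing = parseCookies(headers['cookie']);
  const out = [];
  if (decision.track && !existing._track_id) {
    out.push(`_track_id=${newId}; Path=/; Secure; HttpOnly; SameSite=Lax`);
  }
  return out;
}

// Audit helper: given a request and the Set-Cookie headers a site actually
// returned, list tracking cookies that were set without consent.
function findPreConsentTracking(headers, setCookieHeaders) {
  if (consentDecision(headers).track) return [];
  return setCookieHeaders
    .map((h) => h.split('=')[0].trim())
    .filter((name) => TRACKING_COOKIES.has(name));
}

// Constructed sample requests.
const samples = [
  { name: 'first visit, no signal', headers: {} },
  { name: 'DNT: 0, no stored choice', headers: { dnt: '0' } },
  { name: 'Sec-GPC: 1', headers: { 'sec-gpc': '1' } },
  { name: 'explicit opt-in', headers: { cookie: 'consent=granted' } },
];
for (const s of samples) {
  const d = consentDecision(s.headers);
  console.log(`${s.name}: track=${d.track} banner=${d.showBanner} (${d.reason})`);
}
```
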
> Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities.
Couldn't disagree more, people (and even companies) have a right to know if they're breaking the law. Broad laws just make everyone (potentially) guilty. It's ripe for abuse and corruption.
This is not what I meant. Laws are made concrete and understandable through either case law (harder for citizens to anticipate IMO) or through statutory interpretation in civic law traditions. Both (eventually) offer a clear understanding of the meaning and scope of a law.
There is a kernel of truth in that, but let's not forget that laws alone don't have any consequences. It is the willingness to force people to comply with the law that has the actual consequences. If our judges and governments and forces in general are not willing to pursue violations of the law, then we can have any law we want, it still won't matter. We do need more law enforcement on GDPR! A lot more.
I partly agree but feel you’ve conflated a few things:
- Laws are best when abstract. This is true. Laws work best when they cover a class of behavior, not specific behaviors.
- Requiring informed consent is good. This I disagree with because it is a hard-to-measure outcome. Abstract, yes, but to the point where nobody knows what it means. The only way to meet this in spirit is to go so far overboard that nobody can ever say you didn’t try hard enough.
- Mandating that huge populations spend time to make informed case by case decisions. This is like mandating pi=3. As soon as this became the goal the whole enterprise was doomed. The only way this happens is with notaries and witnesses, which is far too heavy a burden for visiting a website.
The whole thing is noble intent, but disproportionate to the problem and not aligned with the putative goals.
Regulation can be good, and it should be abstract, but it cannot mandate abstract outcomes. Imagine if speed limit signs said “speed limit: optimized balance of reduced time to destination and net cost of carbon emissions and amortized risk of accidents”
I’d say the ability to have speed limits is the regulation. How it’s implemented varies depending on the road. Regulations should be abstract so that the implementation can be sensible and adaptive to the context.
And everyone knows what “informed consent to tracking” means. If you’re building something, you know when you intrude on your users’ privacy. But everyone chose forgiveness instead of permission, and now is throwing a fit when the latter is required.
The definition of consent is provided here. [0] There are clear application guidelines. To me it takes being intentionally obtuse or malicious in the interpretation when reading the text to come to the conclusion "I don't know what it means so I'll do the thing that benefits me".
Imagine blowing through a stop sign and trying to explain that you don't know what it means, the Earth is moving so you could never really be in compliance. You're not wrong but it's clear that your incompliance doesn't come from a place of honest misunderstanding.
> Mandating that huge populations spend time to make informed case by case decisions
It's mandating that the user is given the tools to provide informed consent, not that they must use them properly. If you need to know what it means, the text is clear. If not and never needed to read it, it's easy to conclude it's hard, impossible even.
Sure I find it reasonable to disagree on these points.
I personally find informed consent to be a very desirable thing, because it aims at the goal of legislation, not at the means. If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view. From this you evaluate the trade-offs.
My personal (humanistic) perspective is that a profound understanding and practical control over our digital lives are the prerequisite for dignity, which is the ultimate goal of a state.
> If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view.
Yes, that is what I believe. Most especially the "required" word. I do believe they should be allowed, empowered, encouraged, and enabled to understand those things, but I do not think it is a good requirement.
IMO people also have a right to not care about this. At their peril, perhaps, but who am I to tell someone that they may not use digital tools unless they commit to this understanding?
No user wants informed case-by-case decisions, we want to not be tracked. Making this a question that needs to be explicitly answered was already a bastardisation of the original intent of privacy legislation. A competent legislator would've required a user agent level option (like a more advanced version of DNT) that can be set globally and overridden per site. This could be written vaguely enough to not require patching as technology changes.
And even if we wanted case-by-case consent, a standardised format and actually enforced rules against coerced consent would've also been quite easy to do.
Some of the most intrusive cookie banners I've seen are on EU institutional websites. If they can't find a way to provide access to information without pages of consent boxes what hope have the rest of us. The law came ten years too late and focused on a narrow technical step rather than the privacy goals directly.
> The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
Would there exist any other method of implementing it that would be substantially different? It's hard to imagine. I suppose they could implement it by not having tracking cookies.
I think the ideal situation is that people could just set it as a browser preference and be done with it. Oh wait they already can.
Setting a browser preference is not giving explicit opt-in informed consent to handle my personal data (for that is what this is about) on a case by case basis.
That is what the law requires.
Blame the unnecessary gathering of personal data (and think about why they want it!), not the 'cookie law'.
It is more than about using cookies, despite the regulations being informally called cookie laws, any tracking and storage of PII is covered.
> Would there exist any other method of implementing it that would be substantially different?
A checkbox or button, anywhere on the page, that you can click to opt in or ignore to not opt in. Once clicked the site/app has consent to track that consent, so the box can stay ticked (or be moved out of the way entirely as long as a way to retract consent is easily available, perhaps via an obvious link in page footers). Done. Informed consent implemented in a way that doesn't irritate any user (those that care either way, and those that don't care at all).
They could even include a short bit of text begging people to opt in because it helps their site/app make more money from advertisers, without going as far as a pop-over or otherwise wasting a large portion of screen space.
> It's hard to imagine.
For those with very little imagination, perhaps.
> … ideal situation is that people … set … a browser preference …. Oh wait they already can.
Only with regard to cookies, and perhaps other local storage, which as I stated at the top is not at all the whole matter. And even within those limitations those options are rather ineffective against the experienced stalkers that the advertising industry consists of, because they can and will simply ignore things like DNT and will work around cookie/localstorage/other blocks using various other fingerprinting tricks.
That is essentially what I said, the default state being opted-out rather than there being an in/out/unknown tri-state, so my "ignore" and your "no click" are the same [in]action.
> does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
Good luck explaining alternative technology to the lawyers and then to the lawyers of the other party in court should the need arise, and then to the judge. While you are technically 100% right, I believe you will have a truly hard time implementing anything other than the cookie banners.
Such basic functionality as cookies shouldn't need explicit consent. The consent is you navigated to the webpage, if you don't like it you can use a browser that doesn't set cookies.
Tracking is not configurable client-side. Blocking cookies is not sufficient to prevent tracking. Is it the EU that doesn't understand technology or you?
How do I even know that you want to try and farm my personal data until I go there?
Perhaps you should put a click through gateway that states that "proceeding on to this website will sell your personal information to spammy, scummy advertising".
You can configure your web browser to only send first-party cookies back and never set others. Or configure a subset of domains.
If you're worried about it you should be doing that anyway, since the cookies could be set despite the pop-up (or some websites might ignore the consent pop-up requirement entirely).
> You cannot have an informed case-by-case decision without spending time.
Forcing me to make an informed decision where I don't care about the result is one of the major ways of wasting my time.
If you wanted to create a good law about this you should make it so I only have to make a case-by-case decision if I care about my privacy (as it's currently exploited) and do nothing if I don't.
> Forcing me to make an informed decision where I don't care about the result
The UK and EU have decided _society_ cares, about the dangers due to unregulated sharing of personal data; hence the law requires informed consent to do this.
If _you_ don't care, then that is your prerogative.
> Forcing me to make an informed decision where I don't care
The laws do not force that. Informed consent before tracking could be implemented other ways, perhaps even more easily.
The companies choose to force you to make the decision, rather than making it something you could choose to click or choose to ignore, because forcing that increases the chance that people who do care will accidentally opt-in and people who don't care will get irritated and (as is evident in places in this thread) incorrectly blame the law.
The companies make a point of inconveniencing people like you who don't care, so they can weaponise you against those of us who do. The companies are doing this to you, not the law.
> Companies want to track me. I want companies to track me.
If you actively _want_ companies to track you, then you take an unusual position.
> So what's the source of the friction
The right to privacy if you want it. Someone wanting to let people follow you around should not override the preference of those who would prefer not. The "why should I care that other people care" argument is very similar to those who argue against smoking restrictions (or seatbelt requirements, and so on) because "it should be our choice" without thinking about the potential consequences to others.
> if not law itself or its direct consequences?
The source of friction is how the companies have chosen to interpret the law. They have chosen to do this in a way that causes maximum inconvenience to anyone who wants its protections (many are actually in direct contravention of the rules, despite their claims otherwise, but let's for a moment ignore that companies are actively breaking the law). That it also inconveniences people who want to be tracked is a desired side effect as it means those people are weaponised in ad-tech's favour in discussions about such matters.
> I think other parties try to force me to care when I don't by introducing all that friction.
As well as the binary "your choice" vs "my choice" that completely ignores those who have not yet stated their preference, have not yet decided, or do not yet even know there is a choice, or are just passing by. This is why active consent should be the default requirement.
> There's a talk about DNT. What's the reason no browser has…
Your premise is incorrect: Some browsers do. It doesn't work because companies ignore it. It is not in the laws that they shouldn't ignore it because ad-tech and their lobbyists successfully campaigned against that being in the legislation. Again: ad-tech is the reason for your inconvenience, not other people's preference not to be tracked.
Part of the issue is that there is a conflict of interests in some quarters, with makers of browsers also being part of the ad-tech stalking business. Another place the effects of this are seen is in changes that prevent us choosing to actively block being tracked because we can't express that choice more passively because DNT is ignored.
> I think it would be quite popular.
We very much agree there.
> So it's probably prevented by the law itself
It is not. Show me anywhere in the current legislation where UAs implementing a DNT flag (which, I say again, some do) or ad-tech respecting such a flag is prevented (either directly, or by accidental interaction between rules).
How about an alternative: have a one-click "track me if you want" flag? (Of course it would be terribly naive to think companies would not also just ignore that and track when it isn't set at their convenience).
> How about an alternative: have a one-click "track me if you want" flag?
That's exactly what I was asking for. It should exist. My theory why it doesn't is that it wouldn't constitute informed case by case consent. So it's illegal.
> Of course it would be terribly naive to think companies would not also just ignore that and track when it isn't set at their convenience
I don't care about that because I want to be tracked, just silently.
If I were to design law I wouldn't ban tracking. I would make sites that do track make the information they have on "me" available to me for viewing and possibly editing at my request.
It wouldn't be even "cookie law" because whatever information you tie and store to whatever identity should be available to this identity.
Unfortunately the spec is officially deprecated, rather than just ignored by sites, because without any regulatory weight it, well, would forever just be ignored by those who want to ignore it.
> I would make sites that do track make the information they have on "me" available to me for viewing and possibly editing at my request.
So, GDPR? That is not a cookie law but governs the tracking of PII, including the right to be given a report of what is stored about you and the right to be forgotten¹. Though it isn't finer grained than that: you can have yourself removed entirely and request corrections, but it does not prescribe any option for more selective deleting.
----
[1] except where that would impinge on other regulation, for instance in industries my day job services, companies have to keep certain details of people for certain lengths of time (indefinitely for those associated with selling pensions, for instance) for dealing with complaints and other regulator matters in the long term.
Oh. I think we have a misunderstanding. I thought you knew some browsers that support some sort of please-do-track-me-quietly.
> So, GDPR?
Right but about all data and all identities. You believe that holder of cookie <guid> likes cats? If my browser holds that cookie you should be forced by law to offer UI where I can see the preference for cats and possibly change it or delete it.
Although you probably agree: If someone wants to describe politics with a one-dimensional scale, left-right is not so bad. And that's why and how it developed.
The real underlying problem is that in your case, genetic variants are not accounted for. As soon as you include these crucial moderating covariates, it's absolutely possible to find true effects even for (rather) small samples (one out of a hundred is really too few for any reasonable design unless it's longitudinal).
Anything in health sciences has millions of variants not accounted for, that also interact between themselves so you'd need to account for every combination of them.
And it's usually discouraged by regulators because it can lead to p-hacking. I.e., with a good enough choice of control I can get anything down to 5%
The fundamental problem is the lack of embrace of causal inference techniques - i.e., the choice of covariates/confounders is in itself a scientific problem that needs to be handled with love.
It is also not easy if you have many potential covariates! Because statistically, you want a complete (explaining all effects) but parsimonious (using as few predictors as possible) model. Yet you by definition don't know the true underlying causal structure. So one needs to guess which covariates are useful. There are also no statistical tools that can, given your data, explain whether the model sufficiently explains the causal phenomenon, because statistics cannot tell you about potentially missing confounders.
The best way to talk about this is IMO effect heterogeneity. Underlying that you have the causal DAG to consider, but that's (a) a lot of effort and (b) epistemologically difficult!
I get the use case, but in most cases (and particularly this one) I'm sure it would be much better to implement that client-side.
You may have seen in the WARC standard that they already do de-duplication based on hashes and use pointers after the first store. So this is exactly a case where FS-level dedup is not all that good.
That's not true, you commonly have CDX index files which allow for de-duplication across arbitrarily large archives. The internet archive could not reasonably operate without this level of abstraction.
[edit] Should add a link, this is a pretty good overview, but you can also look at implementations such as the new zeno crawler.
Ah cool, TIL, thanks for the link. I didn't realize that was possible.
I know of the CDX index files produced by some tools but don't know anything about the details/that they could be used to dedup across WARCs, I've only been referencing the WARC file specs via IIPC's old standards docs.
That's an interesting question. They only depend on a single library, but I wonder how much code is really their own. I found it curious, for example, that there is a dedicated mp4 joiner (I mean, if you already have ffmpeg, there is probably no way you can do it better yourself).
That is interesting, huh, yeah they list ffmpeg as a dependency so I wonder what that didn’t cover for them.
Though there are some cases where using pure ffmpeg is just too difficult or impossible. Recently I had such a case where I wanted to merge multiple video files from my GoPro (they come out in 4GB parts if the video is longer than that), but while keeping / correctly merging all metadata such as date / accelerometer / gps / any custom binary streams. Ended up using this and worked great https://github.com/gyroflow/mp4-merge
https://www.goodreads.com/book/show/57873484-freedom