Why is this being fought with technical measures (which are ineffective and cripple the web as a platform) instead of legal consumer law where you can easily fine and punish companies that do the fingerprinting?

EDIT: Note that you can do BOTH - but one without the other is just a game of whack-a-mole.



Because some browser-makers (Firefox at least) believe that the identity of those browsing the web should be protected. Legislators do not believe that. (At least, a majority of legislators do not.)


What kills me is the cookie consent stuff. They should have enforced that Do Not Track is honored, and had fees that make sites ensure compliance or be sued over not honoring DNT, which IIRC was sent as an HTTP header. It would have actually been a meaningful solve.


What a legislator believes is irrelevant. Only what the lobbyist is paid to believe is relevant.


Would you consider the entire European Union a minority of the legislators? Because that's what GDPR is designed to do, make identifying customers well controlled and expensive whatever the method.

Granted, the enforcement should be stepped up.


> Would you consider the entire European Union a minority of the legislators?

No, I was referring only to my own legislators (in the US, and not specifically California). Many other places in the world are doing better.


They should enforce that Do Not Track is honored. It's the easiest way, and websites don't need silly cookie consent dialogs if it is set.


DNT is ~useless because it's opt-out, whereas "auxiliary", non-essential tracking is opt-in under GDPR.

Websites don't need cookie consent dialogs if they only use cookies to do things that don't need to be consented to, like providing the service they are offering. Look at Apple's website, they don't have any.


DNT may be opt-out. But it should certainly be treated as "Don't even bother asking for consent to track, because I already told you the answer is no, and you'll be harassing me by asking."


My argument is current laws did nothing to give teeth to DNT. I'm not worried about what the technological defaults are, but I would argue that without DNT being legitimized, it was dead on arrival. We have had it in browsers for ages, and we've dropped the ball on enforcing it for ages.

My other argument is, if you detect DNT, the cookie consent dialog shouldn't be shown at all.


The EU has about 1/18th of the world's population, so certainly that would be a rather small minority.


A law needs a justification and needs to apply equally to everyone. Writing that about fingerprinting would not be trivial. Some site operators can make a believable argument that they use it in ways that are good for society.


"Some site operators can make a believable argument that they use it in ways that are good for society."

Example please


My bank phoned me last summer. I'd authenticated with my usual two factors but a new browser fingerprint, then transferred a large sum to a new recipient. The bank blocked the transfers I did that day, then phoned me to check whether I'd been phished, suffered a keylogger attack or something.


So you were inconvenienced as a result of a false positive derived from tracking. Hardly a great argument.


You can make anything seem poor if you mention the negative effect and not the positive one.


Credit Card Fraud, Spam, etc


Even if this were the case - which I don’t actually believe, but… - it would be straightforward for that law to also constrain these purposes and prevent data sharing with non-worthy operations. At present it’s basically a free for all.


That is literally what GDPR is. Somehow it got reduced to cookie banners in HN psyche, but the whole idea of GDPR is to make sure that the data can be collected and used for well defined purposes that are either necessary to provide a service (preventing CC fraud would qualify), or are explicitly consented to.


The problem with the consent part is that you basically can't take part in the modern world if you don't. The theoretical possibility of opting out is undermined by deliberately bad UX.


Not really, there are plenty of plugins that dismiss the popups automatically without consenting to marketing. But generally we should press our legislators to require a universal interface that then can be automated, not try to win a cat-and-mouse game against multibillion conglomerates whose income depends on winning it.


I think the misunderstandings about the GDPR (even many smart people don't get it) prove that designing and writing such a law is difficult and the result has to be complex.

IMO the GDPR is good. But… it is poorly understood by many affected people. IMO if a law is poorly understood by the people it affects, then one should assume the law to be at fault, not the people. IMO it's good but I'm not happy.

4×IMO! Wow.


> IMO the GDPR is good. But… it is poorly understood by many affected people. IMO if a law is poorly understood by the people it affects, then one should assume the law to be at fault, not the people.

You are assuming that it has to be either of them who is at fault. In reality there are third-parties who have been spewing FUD in order to confuse people about the law.


I do indeed assume good intentions. Doing that is one of the principles by which I live.


The short answer which should be obvious... regulatory doesn't work, legal doesn't currently work.

The burden of proof is on the claimant, and with proper information control you can't ever meet that burden of proof. It becomes an ant versus a gorilla instead of David vs. Goliath.

Tell me, how do you differentiate a simple random alphanumeric string from another random string that may have been generated as a fingerprint?

Mathematically do you think there's any way to actually prove one way or the other? If not, how would that bias the system if the person is adversarial and lies.

The only way to prevent this is to make sure the information is nonsensical.

Preventing collection would identify you in a way that they can prevent access. Even though websites are public, you see this happening with any captcha service.


Can you provide any proof that "regulatory doesn't work"?

Might be my European outlook, but consumer law has been stupidly effective at curbing abuses from companies here and was much more effective than playing the technology race USA is trying to fight. There's always a next side-step, the next abuse a company can invent - and you keep trying to push the responsibility of avoiding it to users (by adding more and more onerous technology) instead of punishing the abusers.


You don't need proof you just need some sound reasoning about the trends. If it were as effective as you claim, progression in this area would have halted full stop.

Ask yourself how long those consumer laws have been in effect. Has this technology problem progressed during that time (increased or decreased)? Have the fines against the large tech companies actually been collected, and were they sufficient to curb that behavior, or are they still being administrated or adjudicated (decades later)? Have the large tech companies provided all of the information they collect for review (including the intermediates they generate from processing for derivation internally, in a way that discloses all the ways they use it), or did they only provide a plausible alternative, or just the base information collected without explanation? Do you have a way to prove it's the former and not the latter?

I'm sure consumer law has been effective at eliminating the provable abuses domestically. If they were effective internationally, why would the problem be progressing to ever more complicated ways of ubiquitous tracking (which are against that law), or even domestically for those multinationals.

It's business as usual, and these people know centralized power structures suffer structurally from corruption and malign influence, and as a market force they exploit that.

There's enough money in people's futures that no fine will actually solve the issue because fraud gets baked into the process. Privacy, communication, and agency are what largely compose people's future.

Due process from corporate sovereignty guarantees they can draw it out as long as they need to while continuing to make money off their actions, both increasing costs to regulatory (as a resource drain), and increasing revenue.

The real cost is borne on either the individual or on the public, and corporations have incentive to lie in ways that are difficult or impossible to prove. A lie of omission, is a lie.

In my opinion, for certain critical societal protections, it's necessary to have guilty by default for 'people' whose only possible motive is profit incentive. Corporations or firms are considered people in most locales, but they only adjust behavior based on profit or future profit (through monopoly).

Placing the burden of proof on the company to prove they are complying, instead of compliant with good faith protections by default, would eliminate most benefits they might receive from deceit, or lying through omission.


Just so we're clear - the consumer law has mostly not been adjusted to cover data mining yet and you seem to be building your argument on the assumption that it has.

Am I correct?


As far as I was aware, it had. Everything I've seen in the last 5 years points to that. Is that not the case?

Granted, I didn't go directly to the regulatory site, because who can sit down and analyze multiple legalese documents that have thousands of pages with cross-referencing requirements?


Here's a bunch of consumer laws that work:

- living in the UK, I barely ever receive spam calls or messages. I can be reasonably sure that companies don't sell my contacts to third parties, I can withdraw my consent to marketing communications and spam will stop, I did it multiple times. My American friends seem to have way more problems with that, to the extent of buying burner phones to buy insurance. Considering that the tech is exactly the same across the pond, the difference is entirely in the legislation and consumer protection.

- cars became much cleaner and more efficient over the last three decades thanks to the ever ratcheting Euro standards. I only need an old car passing by to be reminded of that, you can just smell the difference.

- my broadband connection has a minimum average speed guaranteed by law, which protects me from the line being oversubscribed. This actually works, and a friend of mine got a sizeable compensation for a period when they didn't get the full speed.

So consumer laws work, and saying that enforcement can't be done is a bit of a post-hoc rationalisation. It is true that GDPR can and should be enforced harsher, but it's just one example in a long and successful history of consumer protections.


I'll keep in mind points 1 and 3.

As for cars, how do we know that's true? There was Dieselgate, but from what I've heard they only got them because of whistleblowers.

Many VOCs which these laws are designed to reduce are odorless. The ones that are visible are of larger particle size and generally less of an issue from an environmental perspective, by most accounts.


You can literally smell it in the air; older cars don't have cats to burn everything uncombusted down to CO2+H2O. You can smell it with a modern car for the first few minutes while the cat is heating up. You can see it in car shapes: there's a reason why every modern car looks the same, as aerodynamics and pedestrian safety make car shapes converge. You can see it in the ubiquitous cans of AdBlue at petrol stations, which were not a thing just two decades ago (and still aren't in many developing countries).

Finally, you can see it in numbers: https://www.asm-autos.co.uk/workspace/images/yearly-co2-emis...

There is no fundamental reason why all those changes had to happen, it wasn't the market driving them. It was the regulation.


> Might be my European outlook

How did the EU cookie laws and GDPR solve this problem? It's as widespread as before, except that now you are annoyed by prompts too.


I think it absolutely does work.

We need better regulation to temper capitalism.


That's very naive, and you need to educate yourself about what capitalism actually is because it certainly isn't what you are saying.

You've misused that term.


No. You're incorrect.

We need limits to prevent capitalism from doing its worst.

It's only fair that we all live and work with the same limits.

This is the type of regulation that is necessary.


Because like the climate crisis, it’s easier to make the individual clean up the mess and make the changes than hold large organisations accountable.


> Because like the climate crisis, it’s easier to blame the individual than clean up the mess and make the changes.

FTFY?


Laws only apply in some countries. The internet is global. Technical measures are faster, more effective, and can be applied in all places.


Laws can be as global as those in power want them to be. See e.g. copyright.


Because bad actors have an easy time on an actually global network. It's disturbingly hard to hold bad actors accountable, particularly if they have zero legal presence (e.g. a corporation's subsidiary) in one's jurisdiction.


Is it really that hard? I haven't seen anyone from US actually attempt any accountability - zero punishments for spam callers, zero punishments for data collectors, not even a semblance of attempt to punish data traffickers?


The thing is, there are so many layers upon layers between the end user and the bad actor that it's hard to pin down blame, and even if one succeeds in identifying a bad actor, it's a shell company somewhere overseas and the money is long gone, moved off via a dozen other shell companies. To make it worse, what may be a crime in the US/EU is perfectly legal wherever these shell companies are set up.

The solution would be dedicated laws that hold the company at the top directly accountable for the actions of all sub-contractor layers, but these laws are rare and often hotly contested (e.g. with a German law mandating responsibility of the top-layer company for wage theft and other labor law violations [1]).

[1] https://www.ihk.de/regensburg/fachthemen/recht/arbeitsrecht/...


But we're talking here about major corporations who would (largely) follow the law if there was a law with teeth commensurate with the potential rewards from abuse of privacy.


That law already exists. It's called the GDPR. That's what it's for, and what you’re giving permission for when clicking "accept all".
