
Excellent extension with one glaring flaw: IDCAC accepts cookies if there is no option to decline them. You don't see annoying popups anymore, but the cookies are still there tracking you. This can be combated by combining it with Cookie AutoDelete [0]. Cookie AutoDelete solves the problem by purging all cookies automatically (except your whitelist) when the tab is closed. They work great together.

[0] https://github.com/Cookie-AutoDelete/Cookie-AutoDelete



> IDCAC accepts cookies if there is no option to decline them. You don't see annoying popups anymore, but the cookies are still there tracking you.

Yes. Because I don't care about cookies. This is not an anti-tracking extension. I do not care about being tracked. I just want to stop being bombarded with cookie consent dialogs.


Yeah, but if you're not aware of this gotcha, the extension takes the choice away from you. It's good that the parent post highlighted this issue.

I don't care a lot about cookies, but if a website is abusive enough that they need to ask for my permission, I prefer to deny it rather than give them a blanket approval (again: what I really care about is wasteful and overbearing JavaScript code that complements tracking via cookie... If I cannot object to that, at least let me object to cookies used for tracking).

Again: you don't need permission for necessary cookies. The fact that the cookie prompt is annoying/difficult to parse and requires opt-out instead of opt-in is against the spirit (and possibly the letter) of the law. If our automation around the cookie prompt is accidentally giving an implicit consent, we ended up doing exactly what the people that push pervasive tracking wanted. We end up rewarding, instead of punishing, people who implemented dark patterns.


The extension is far more useful if you block all cookies by default and whitelist the domains you allow to set them, like me. When you do that, every time you visit a site, sometimes even every time you load a page on a site, you get a cookie pop-up.

They should pair it with a "yes, I am an adult" extension.


> I don't care a lot about cookies, but if a website is abusive enough that they need to ask for my permission

How do you tell the difference?

> Again: you don't need permission for necessary cookies.

Usually it's better to ask forgiveness than permission, but I can understand sites wanting to play it safe and throw up a banner even if they only have "legal" cookies.


I mean, it's kinda in the title of the extension. If you install this extension, it's very obvious that you're okay with cookies... If you wanted that choice, you wouldn't install the extension. I don't understand why this would be an issue.


And to the extent that you do care, you can just block the cookies at the browser level. In-page pop-ups on every site are about the stupidest way imaginable to implement anti-tracking controls.


That's because the alternative is for browsers to send a "I-WANT-TO-BE-TRACKED" header if users want tracking and then basically no-one would consent.

The simplest way would be for companies to stop tracking individuals then they wouldn't need to seek cookie consent.


> That's because the alternative is for browsers to send a "I-WANT-TO-BE-TRACKED" header if users want tracking and then basically no-one would consent.

I would say that getting companies to convince the user that they would be better if they are tracked would be a good feature. Currently, tracking helps the company and hurts the customer, so companies should come up with a reason why tracking is actually good for the customer.


That's intentional - it's malicious compliance from thousands of companies who really want to track you.

They are following the law in a way that makes it as annoying as possible for the people whom the law protects.


I thought they answered their perceived flaw quite well though! Sounds like it’s trivial to add privacy to the popup block, so I’m all for it.


It is an unpopular opinion but I see GDPR as a watershed for user hostile design. It used to be that people involved with the web read Jakob Nielsen and Don’t Make Me Think, there was always pressure from the suits to distract users with BS but it was possible to hold the line.

Once the GDPR came out, now it was required, even admirable, to distract users. Once that window was broken the car got stripped within 24 hours and now it is not unusual to have to dismiss 3 or more pop ups asking you to subscribe to an email newsletter.


I have a zero-tolerance policy for dialogs, with few exceptions.

If I can't use the site while ignoring them, I close the tab.

What I realized after a while is that this sort of user-hostile design correlates strongly with poor quality content, so it's also a great way to save my time.


> I have a zero-tolerance policy for […], with few exceptions

That's not how zero-tolerance works.


I don’t mean this to be rude, but that’s how complete sentences work. Sometimes they’re internally inconsistent, but when you reach the full stop you’ve hopefully arrived at a coherent view of what the speaker intended to express. I know with this one that I did, even when I noted the same inconsistency. It seems you did too, but got hung up mid-sentence anyway. Maybe just be glad you understand what they meant to say?


The point is, calling it zero-tolerance when it's not is misleading. There's a perfectly fine way to describe zero-tolerance with exceptions, and it's not even far fetched: “low tolerance”.

Complete sentences may make it possible to pretend bad wording is consistent, but that doesn't make it good wording.


My point wasn’t that it’s good wording, just that it may be good enough to understand what someone meant to convey. I can be very literal myself, and I can take others’ words overly literally as well. It hasn’t made life better for me to insist on that kind of consistency from others, especially when they know I know what they meant to say. It has helped me to develop some instinct for accepting the intent of people’s communication rather than the minutiae of it. Even when I find the inconsistencies. It’s much nicer to realize what someone meant, and sometimes even to have a small laugh to myself about the way they put it.


> There's a perfectly fine way to describe zero-tolerance with exceptions, and it's not even far fetched: “low tolerance”.

They are not the same thing.

Let's say there is a scale from 0 to 10.

If you accept 1-2, that's low tolerance.

If you reject anything above 0, except this particular 2 and this particular 5, that's zero-tolerance with exceptions.


I posted a clarification upthread.


Misleading? I wasn't misled. It seems like you weren't misled. The person who responded to you wasn't misled. Was anyone misled? Really, a single person? Or is language a mechanism to probabilistically encode information and not a formal system, even if it often approximates one? Go learn Lojban and leave everyone who actually wants to communicate be.


This conversation does not matter. You should both carry on for your own health.


Yeah with the benefit of 5 minutes hindsight it's hilarious that I got suckered in literally just because I felt a single word wasn't precisely accurate. I mean, "misleading" didn't mislead me in the slightest, the overall meaning was clearly that it's better to be correct than not, precisely the impetus of my snark. He who is without sin, yada yada yada


Well at least you have the self awareness to recognize and make humor out of it. I'd call that a win.

Still a loss for the rest of us who got suckered into reading the last ten or so stupid comments but oh well...


I've been there too. All you need is a slow morning and too much caffeine.


Touché.

I guess I should clarify that in the rare case I still want to access the content, I still do not engage with the modal dialogs, but instead use a proxy service such as archive.is to present it in an accessible way.

I consider modals to be a gross accessibility issue.


I'd use archive.is if it didn't have a CAPTCHA system and stalk users by injecting fingerprinting into served pages.


I went through a phase when I was reading way too much about communism and riding shotgun back and forth to Buffalo a lot while stoned and resolved I was going to quit reading the web with a normal web browser but instead I was going to run everything through a workflow system that would convert web sites to HAR files, strip out all the ads and bullshit.

I worked on it pretty seriously for two weeks but got hung up on the problem that my web archiving system was never 100% sure that a page had finished loading (that there would be more significant AJAX calls) so it would set long timeouts and even with a lot of stripping out the junk it was going to be even more awkward than dealing with the junk.

Looking back at it however it looked like an overly ambitious project.


Let me clarify...

By zero tolerance, I mean to say that I do not engage with the dialogs in any way, e.g. clicking agree, cancel, close, or the area around the dialog if it is blocking the page.

By few exceptions, I mean that I look for an alternative method to access the content rather than disengaging from it entirely.

I am imperfect, so if you were to observe me 24/7, you would probably see me slip up eventually. But this is an ideal I strive for and for the most part am satisfied with the results of pursuing.


FWIW I'm very sorry I put you through this. My comment was low value, posted during insomnia, I was very surprised by the reach it gained while I slept at last.


lmao


https://twitter.com/karpathy/status/1435827240286109702?s=46...

There’s a good example of 25 seconds of constant bombardment for InfoWorld visitors. I can't count the popups.


You're confused. The EU's cookie consent dialogues do not come from the GDPR; they're several years older than that. They come from the Privacy and Electronic Communications Directive (ePD), particularly the 2009 amendment to that.


I think you're partly right but it happened before GDPR - when advertisers decided to ignore the DNT[1] flag. If DNT was respected, GDPR cookie pop ups would be unnecessary. Unfortunately the modern web is not about user choice but about herding users like cattle to maximize "engagement".

[1] https://en.m.wikipedia.org/wiki/Do_Not_Track


DNT was an "evil bit" non-solution that was stupid all the way from initial concept to execution to predictable industry response. We are better off without it.


No. The problem is the legal framework for user tracking informed consent didn't exist back then. Sites wouldn't be able to simply ignore DNT if doing so created legal liability for them.

Corporations essentially had a presumed right to track users. Now they don't, they need to get informed consent first. A DNT header makes the user's non-consent explicit: not only is the user presumed not to have consented to tracking, the presence of this header signals active and explicit denial of consent from the user.

It's not like the evil bit at all. We're dealing with corporations that operate openly on the market. It's perfectly possible to say "it's illegal to ignore this bit" if it comes with the threat of heavy fines attached.


Millions of websites are currently showing stupid cookie popups because they're mandated by law to obtain the user's consent. Why shouldn't that consent or lack thereof be expressed once in the browser UI instead?

The only issue with DNT is that it wasn't mandated.


Exactly. My agent speaks for me.

That it's inconvenient for the tracking industry and thus was ignored is an enforcement issue, not a technical one.

If my browser tells you not to track me, it should be illegal to ask me again.


> Exactly. My agent speaks for me.

That's it. We don't call it a user agent for nothing. Or rather, we shouldn't, but we are.


There was P3P, started over two decades ago, which never gained traction.

https://en.wikipedia.org/wiki/P3P https://www.w3.org/P3P/

From Wikipedia:

> As an example, a user may store in the browser preferences that information about their browsing habits should not be collected. If the policy of a Website states that a cookie is used for this purpose, the browser automatically rejects the cookie.


THANK. YOU. I feel like I'm the only other person on HN that could give a shit who tracks me. The banners are so annoying! Just track me already!!!


"Just track me already!!!" said "throwaway.."

If the first part were true, the second would be your name.


I share the sentiment of my fellow throwaway friend

Also your comment doesn't make sense. They're different things.

I'm fine with being tracked by a service operator, I don't want my name to be public.


That's one of the odder things about the HN user base. How much we care about things seems to have little to do with how much they affect our lives. Most of us exist with a magic shield carefully affixed to our every point of contact with the electronic world that fully insulates us from anything we don't want to see, but it is maniacally important to us that Google doesn't know it was John Smith who searched for "sexy ostriches" eight years ago.


So because it doesn't "affect our lives" surveillance capitalism is okay? No.

It's about principles. We simply don't want corporations knowing anything about us unless absolutely necessary. It's bad enough that governments have to know about us. We really don't need the private sector mass surveilling the entire globe and exploiting our data for god knows what purposes.

Data should be a massive legal liability. It should cost them money to hold onto any piece of data about any person. They should be scrambling to forget all about me the second the transaction is finished.


I agree in principle - but you need a centralised government to punish them. You could in theory have third party auditing and user reviews but almost nobody would care and they wouldn't have much power.

In practice I'd prefer a world without government and with companies tracking me over a government that steals half of my income and protects me from "evil" trackers.

Same thing with abortion. Of course wasting a human life is a tragedy, but it's hard to imagine an economic model where you can guarantee the life of a foetus nobody knows much about, without needing a centralised entity. (you could in theory have protection agencies - as in The Machinery of Freedom - which guarantee your safety have you sign a contract saying you won't do that or else - but that would be hard to enforce).


> In practice I'd prefer a world without government and with companies tracking me over a government that steals half of my income and protect me from "evil" trackers.

What does "in practice" mean here?

I get the sense that when people say things like this, they think folks would have the lifestyles they currently have in the US, but much better because they don't have to pay any tax. In reality, a world without government would be run by the type of people who run Russia right now.

Great if you're connected to enough strongmen to be an oligarch I suppose but not that great for anyone else.


> that could give a shit who tracks me

nit: couldn't

though I completely agree with your sentiment


“could give a shit” means the opposite of what you think it means.


From what I see it has gone the way of "regardless" and "irregardless". I'm sure there's a cool word for this too. Antonyms that are actually synonyms.


> Just track me already!!!

Okay. Nice to meet you, throwaway787544. Please reply with your real name and address to proceed.


Wait, just because throwaway787544 is OK with websites tracking his behaviours on their domain, he should publicly give you and everyone his real name and address?

If you walk in on a store that has security cameras in it and you accept to be filmed while you are in there, does that mean that I should be allowed and able to access your entire private photo and video gallery?

What an absolutely twisted view.


Sorry but what's twisted is some pseudonymous throwaway account not only shaming people for caring about privacy but also proclaiming loudly that they don't care when their privacy gets violated. You gotta be kidding me.


With that logic you must be okay with handing over all of your data to anyone since your name is public here?


I'm okay with revealing my name and my opinions on this site and some others.


Well these are different purposes, aren't they? I do delete the cookies afterwards, so I don't care whether they get accepted or denied. But for this extension, the purpose was always just to get rid of the popups. I mean if you're automating it anyway, it's much easier to choose the happy path and comply isn't it? Those cookies can always be deleted later.


I'd rather use an extension that tells companies no, that exercises the legal right to say no. Don't just accept then delete (with likely other downstream consequences such as re-logging in when you don't want), just opt out. Make it clear that privacy matters. Don't just hack (with multiple extensions), vote.

Use a moral & good & fit to task (not apathetic & consenting extension) like Consent-o-matic[1] or Auto Cookie Optout[2].

Some people actively don't care. Don't do that. Care. Help. Be a positive influence. (Ed: wow, unpopular opinion, over something that costs people nothing to assist in!! -2 points!)

[1] https://github.com/cavi-au/Consent-O-Matic

[2] https://github.com/CodyMcCodington/AutoCookieOptout


Time and drain on my patience is a cost. And it is a particularly awful trade in this case; both of those are extremely precious resources, one of which is nonrenewable.

I do not care about cookies. Not one person on the Internet can demonstrate a concrete harm caused by the existence of advertiser cookies on their machine. If you want to spend time twiddling these knobs, more power to you. I've got things to do and I will gladly take the first option that erases the annoyance with a minimum of disruption.


Sad that you have no spare effort-capacity whatsoever to make a choice for yourself like this, that you see yourself as at zero! Woe unto you.

I don't get why this proclaimed unwillingness & lack of deciding leads you to pick the worse less defensive pick though. Why actively choose worse defense? I don't get your argumentation. Why is the worse dumber pick better for you, even if you don't feel convinced of the harm? Presented with a defensive & apathetic option, I don't see why you would still choose worse.


FWIW, I agree. Be the change you want to see in the world.

'Actively not caring' is insidious and depressing. It normalises data surveillance and says there's no point fighting it.

Comments here seem to ask if cookies are really worth all this fuss. Frankly, I don't think it's much of a fuss at all. Block the pop-ups, auto-delete the cookies. It's so simple I'm bemused there's any pushback.

And thanks for the links to those extensions :)


Then you care about cookies and this extension isn't for you.


It's a mindflip to me to imagine wanton anti-caring like this. Literally just make an incredibly small, modestly better choice to serve yourself & each other better. Why not pick a good option? Why go through the trouble then be like, fuck it, I'll pick a shitty option? I don't get the anti-progressive pro-shitty attitude. But it sure seems popular & well represented! Blast us all!


> Why not pick a good option? Why go through the trouble then be like, fuck it, I'll pick a shitty option?

You're assuming way too much active thought and choice on the part of the people who don't care about cookies. You're assuming that it was a choice between options at all. In my case, a website I was happening to read mentioned the I Don't Care About Cookies extension, and I thought, "oh, it'd be nice to have something that stops all of those annoying cookie pop-ups" and installed it. That is all. Is such an action really an "anti-progressive and pro-shitty attitude"? Am I really harming you or myself or society by doing that?


I have two browsers. One is my persistent logins browser (Mail, banking, etc). The other is my "browsing" browser which is inside of a windows VM that gets restarted and reverted every morning at 4 AM.

It blows my mind that you'd have such disregard for your own personal data protection by not implementing a similar system. Why not spend half a day setting up something that solves the problem long term without depending on you to consciously make the "right" decision over and over?


> glaring flaw

It's a feature not a flaw. See, I literally don't care about cookies. Deny them, allow them, whatever. Just don't bother me. That's exactly what the extension says and does.


I agree with you on not caring at all about cookies.

I've never understood the obsession with cookies and tracking. It seems that some people imagine Sundar Pichai sitting in his underground lair, following the browsing session of individual Chrome users, cackling with evil delight.


We know that Facebook employees stalked people using the 'tracking' info. We know police stalked people with their info. We know people with access to PRISM data used it to stalk people.

The CEO? No. A disgruntled ex? Yes.


I respect your, and others’, opinion about not caring about tracking. But this extension is not named "i-dont-care-about-tracking", but is instead misleading people into thinking it’s only about cookies when it’s not. It accepts all and any tracking, which can be far more advanced than just simple cookies.

Again, anyone can use this, I really don’t care, but the original author is essentially doing the work of adtech companies (not really surprising that they sold out their users in that context) by lying about the extension.


Temporary Containers also solve this problem (as long as you don't open things outside temporary containers), while also isolating tabs from other cookies.


Another option is to use temporary containers for everything but the sites where you'd like to stay logged in.


No, it doesn't solve the problem, because personal data processing doesn't only happen using cookies.


Isn't uMatrix just as good, since it blocks non-first party cookies by default?


I thought the goal of IDCAC was to get rid of those annoying cookie consent popups. It tries to block or hide the popup, but when cookies are required to use the site it automatically accepts them, assuming you will handle erasing unwanted cookies in some other way.


> when cookies are required to use the site it automatically accepts them

This makes no sense. Cookies required for operation of a site are not covered by GDPR, so shouldn't be in a cookie consent form.

If you use cookies for your shopping cart, then you do not need to ask permission to create a shopping cart cookie.


There are quite a few news websites that deny access to the site unless you agree to being tracked (e.g. [1]). Authorities in EU countries are split on the legality of that -- the Dutch data protection authority explicitly disallows such behavior [2], while German authorities are silently tolerating it [3].

In my opinion, this goes against the spirit and the letter of GDPR, but it seems that they are getting away with it for now. The matter hasn't been discussed by the European Court of Justice yet.

In those cases, as a non-paying user, you essentially have the choice between accepting being tracked, or not viewing the site. IDCAC errs on the side of being able to view the site.

[1] https://www.zeit.de/

[2] https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moe...

[3] In the case of online raffles, a German court even explicitly allowed forcing users to agree to their data being used for advertising purposes if they want to participate in the raffle. https://openjur.de/u/2185336.html


Okay, that makes sense. Thank you for the information!


You don't need uMatrix to block all third party cookies, in both Firefox and Chromium that is a built-in option.

And I don't think that option is as good as IDCAC (or Consent-O-Matic [0]) + CookieAutoDelete. With those two add-ons even first party cookies are deleted, while you don't need to close banners all the time.

[0] https://github.com/cavi-au/Consent-O-Matic


uMatrix has been unmaintained for 2 years and has known vulnerabilities[1]. Time to move to another extension.

[1] https://www.ghacks.net/2021/07/15/umatrix-has-an-unfixed-vul...


Easy to say "move to another", but what offers comparable functionality?

The vulnerability does not seem that serious to me... isn't it going to be pretty obvious if it gets exploited with this description?

> An attacker may exploit the vulnerability to get the extension to crash or cause memory exhaustion according to the researcher. When the extension crashes, users are left without protection until it is reloaded.

So I'm going to start seeing a bunch of ads as my clue, right?

[Not a drive-by:] > It requires that users become active, e.g. by clicking on a link.

The article you linked has plenty of information in the comments, it's actually a good resource.


Check your facts.

This vulnerability has been fixed in uMatrix 1.4.2 [0], released a few days after the linked news article.

[0] https://github.com/gorhill/uMatrix/releases/tag/1.4.2


Check your own. uBlock Origin functionality made this extension die on a hill.


This was addressed directly to this part:

> and has known vulnerabilities

which is demonstrably false. If you want to talk about other points move on to a related sibling sub-thread.


uBlock Origin definitely isn't a replacement for uMatrix. I've tried.


I wish it would be fixed or forked if gorhill won't fix it. uMatrix's UI is easily the best I've used due to showing the white/black list as a matrix.


I know, I love uMatrix, and was sad to leave it. I've migrated to uBlock Origin, but it isn't the same even with dynamic filtering window opened. With uMatrix I had been taking the approach of denying all third-party resources by default and selectively allowing just the ones I need, and after the move largely ended up abandoning this approach.

The different UI of uBO was part of this decision, but not the biggest factor. Over time it had gotten less and less workable even with uMatrix's great UI. I could no longer configure a site once and then expect it to work for any amount of time, as the rate at which new mandatory third-party dependencies were added to sites kept increasing. And I was visiting more websites as part of avoiding big sites like Amazon.

In addition, uBO's CNAME unmasking meant that many resources that were considered first party by uMatrix, are treated as third party by uBO. This added to the burden of whitelisting, but also got me thinking about how fuzzy the first party / third party distinction was and that it was increasingly a poor proxy variable for what I was really trying to block (trackers mostly, and also some annoyances).

I also use the Temporary Container extension in Firefox. In the end I decided that the default block lists of uBO combined with the isolation and discarding of persistent data provided by Temporary Containers was good enough for most browsing. I still use a whitelisting approach for my handful of permanent containers, and uBO's dynamic mode UI is good enough for that.
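
Added example, not part of the original thread and not uBlock Origin's or uMatrix's code: a sketch of why CNAME unmasking, as described in the comment above, turns requests that look first-party by hostname into third-party ones. The hostnames, the CNAME records and the two-entry suffix list are constructed assumptions; a real blocker uses live DNS answers and the full Public Suffix List.

```javascript
// Constructed data for illustration only: none of these names are real records.
// Assumption: registrable domain = last two labels, or three when the last two
// form one of these public suffixes. Real tools use the Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const take = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Follow a CNAME chain through a record map; stop on a loop or after maxDepth hops.
function resolveCanonical(hostname, cnameRecords, maxDepth = 8) {
  const seen = new Set();
  let current = hostname.toLowerCase();
  while (cnameRecords.has(current) && !seen.has(current) && seen.size < maxDepth) {
    seen.add(current);
    current = cnameRecords.get(current).toLowerCase();
  }
  return current;
}

// Classify one request twice: by the hostname in the URL (name-only view)
// and by the canonical name behind it (unmasked view).
function classifyRequest(pageHost, requestHost, cnameRecords) {
  const pageDomain = registrableDomain(pageHost);
  const party = (host) =>
    registrableDomain(host) === pageDomain ? "first-party" : "third-party";
  const canonical = resolveCanonical(requestHost, cnameRecords);
  const byName = party(requestHost);
  const unmasked = party(canonical);
  return {
    requestHost,
    canonical,
    byName,
    unmasked,
    // "Cloaked": looks first-party by name, resolves to someone else's domain.
    cloaked: byName === "first-party" && unmasked === "third-party",
  };
}

function auditPage(pageHost, requestHosts, cnameRecords) {
  return requestHosts.map((h) => classifyRequest(pageHost, h, cnameRecords));
}

// Constructed CNAME records for a hypothetical site, shop.example.
const CNAME_RECORDS = new Map([
  ["metrics.shop.example", "shop-example.collector.tracker.test"],
  ["cdn.shop.example", "assets.shop.example"],
]);
const SAMPLE_REQUESTS = [
  "metrics.shop.example", // subdomain delegated to an analytics vendor
  "cdn.shop.example",     // alias that stays inside the site's own domain
  "static.tracker.test",  // plainly third-party either way
];

for (const r of auditPage("www.shop.example", SAMPLE_REQUESTS, CNAME_RECORDS)) {
  console.log(`${r.requestHost} -> ${r.canonical}: ${r.byName} by name, ${r.unmasked} unmasked`);
}
```

Under a default-deny policy for third-party resources, only the first sample request changes verdict once the canonical name is checked, which is the extra allowlisting burden the comment describes.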



