No idea if that bit of lore is true but it is certainly the case that RFCs are usually the final word on the relevant standard. In fact, once they get their ID, RFCs cannot be modified or rescinded; only superseded by another RFC.
> https://www.rfc-editor.org/rfc/rfc8700.html
Nowadays you're supposed to comment before it gets to "Internet standard"
You can still laugh at the joke with the section there, you’ll just have fewer confused people to correct, and be in one less elite club.
Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Either do the "joke" style or the "angry rant" style, not both. The joke can be explained calmly if there is a need to.
Certainly not any government. If you think the EU's regulation are of any help to the consumer you are gravely mistaken. The EU is quickly becoming a fucking nightmare to live in. "The more corrupt the state, the more numerous the laws". The meme that goes around atm is that while Elon Musk created Tesla, SpaceX and Starlink the EU managed to get everybody to now have plastic bottles who do not close properly anymore: due to some regulation that mandates that bottle caps must hold to the bottle, weird only partially-functional mechanism have been created and it's a PITA to either drink from a plastic bottle or, worse, try to lay it horizontally in a fridge.
That's what the EU is: probably that some politicians or bureaucrats with enough brain cells to recognize a bottle cap on the ground thought "I've got an idea to make the EU better, let's mandate every bottle to have a cap that cannot be separated from the bottle".
As a result you lay horizontally a plastic bottle of sugary drink in your fridge (because you've been used to do that for decades) and now all your fridge is sticky due to the bottle leaking.
It's all that is wrong with the EU bureaucrats in one example.
Also hailing the EU as the savior vs Microsoft when our lives becames miserable with EU consent cookie popups virtually everywhere is a bit thick.
https://www.emballagefokus.dk/goer-noget-uden-at-goere-noget...
I haven't encountered that meme, but if it exists, it's like most memes seem to be: Wrong. The bottle caps work just fine.
Another satire RFC in the same spirit is the one about the evil bit[2] (designate one bit in packets to indicate whether it’s intended for evil), with the same subtext as the linked post: no, you can’t trust malicious entities to change their behavior to make it easier to stop.
IMO we need to start normalizing being militant about this stuff again, to aggressively and adversarially defend the freedom to use your computer the way you choose to use it
I'm just going to click "yes," stop asking.
Yeah, no. Hostile advertising companies added that cookie banner as a form of "malicious compliance" with the law purely to annoy everyone like a buncha spoil't little brats who didn't get their way, so now they're gonna make everyone suffer... If we get a similar law in the USA, you can expect to see annoyances just like it (and probably worse) on sites hosted here, too.
That was the obvious outcome. What did people predict: site owners leaving money on the table? Who pays for operating the sites then?
I would love to know what happened. Did the laws get "revised" to re-open the loophole? Was superseding legislation passed? Did the courts reject it? Are there enforcement issues?
1) They aren't trusted to be reasonable about user consent.
2) They are only to take action when they judge it is reasonable to check user consent.
It'd probably be a very rocky process to nail down what those words like "loophole" and "workaround" mean as the advertisers start abusing prescribed no-banner situations.
When I walk down the street and sometime sees me go by, those aren't my photons they caught. By analogy, same with my browsing history.
Other people also own their own memories and records - some of which may be about you.
At least, this is how it was for most of human history.
Now some people think they should be able to demand everyone destroy records about them. If it was possible, no doubt they'd also demand people destroy any memories about them as well.
Of course there are practical limitations on that kind of physical surveillance. It's expensive, tends to attract attention, and even nation states can only do it to a few people at a time. Information technology allows it to scale to almost everyone, almost all the time, for a small fraction of a corporate budget.
Perhaps it's worth at least considering restrictions on that.
I don’t see any difference between online “tracking” and real world stalking. If some one was following you every where you went taking notes on everything you did, interrupting you and preventing you from actually doing what your were actually wanting to do, you’d be able to have the police intercede in your behalf. Only now we think it is different because “on a computer”.???
This is the part that would get the police involved, and no-one online is doing anything like this.
Doris the curtain-twitcher compiles a dossier on everyone, maybe shares it in her gossip circles. No-one cares.
Most EU national government websites have cookie banners. Even the European Commission website has a cookie banner!
This should have been implemented at the browser level. Let the browser generate a nice consistent UI to nag EU users when visiting websites about accepting cookies and let the rest of us opt out.
I still remember being at an all hands at a former employer where the team presenting the revised cookie banners promoted as a benefit that it had opt in rates that would make an authoritarian dictator embarrassed to claim as uninfluenced
Cookies should be categorised as essential and non-essential and the website should specify which laws it is considering when it categorises them as such. The GDPR definition of "legitimate interest" (which is a bit vague but it's not that hard to understand it) should be explicitly clarified so that companies can't claim that a whole swathe of shit they opted you into automatically is "legitimate interest" if they also give you the option to opt out.
At this point they can still attach descriptions to each cookie (hopefully using some standardised interface so you don't have to literally send these with every cookie, localized) and then your browser can still present you with the idiotic: "here's what we would like you to use" interface, but streamline the process with the ability to just opt out of anything which won't outright break the website.
Although this still opens it up for abuse by companies putting things like: "your preference for us not popping up an annoying full-page message every time you visit a new page" into a "non-essential" cookie to incentivise you to just accept them all.
Honestly I think we should just have Joe "Sensible Person" judge company's websites for whether they're being actively malicious in any way and force the closure of any company which is considered actively malicious along with the destruction of all company IP and liquidation of non-IP assets. All the company owners should also be banned from owning/running any other company for 10 years. (only half kidding)
I understand it’s was media and communication departments do, and that it’s natural that the people working within them would want to do so regardless of where they work. It’s their trade after all, unfortunately they bring the exact same “user engagement” mindset with them into the public sector. Well, at least in my anecdotal experience with a handful of these departments in 7-8 different cities around here. You can of course make good points on user metrics on a public website, but they should frankly work very different than they would on most web sites. On a public website it should be the goal to get to user to leave the site as quickly as possible, because the longer they hang around the more time they are spending finding what they need. That’s not what happens with these metrics in my experience, however, instead they are used to do what you might do on a news site.
That’s just one side of it, however, because the privacy concerns are their own issue. If you absolutely want metrics on a public website at least have the courtesy to build your own. It should be illegal for public web sites to use 3rd party tracking. I know why they use it, it’s for the same reason they spend a ridiculous amount of money on custom designs systems build on top of what is usually SharePoint or Umbraco. They refuse to hire the Django (insert any other extremely low maintenance system) expertise because it’s expensive on the “long term budget”, even though it would be much cheaper than 3rd party tools and consultants on the actual long term budget. Anyway, that is another point. But it really pisses me off when public websites need you to allow 3rd party tracking because they aren’t using it in any way which serves the public.
Worst of all is that cookie banners are explicitly a private industry way of dealing with their refusal to respect “do-not-stab”. Public websites could simply put their bullshit into their privacy page. Of course nobody would go there and turn on 3rd party cookies, but why should the public care?
It seems like there should be a parallel to “tragedy of the commons” that talks about how a good idea coupled with extreme penalties can lead to a bad outcome by making any risk calculation result in “jesus we just can’t take any chances here”.
Think about how obsessive companies are about "UX" and how disruptive the banner is. Bitch-slapping people for fighting against tracking is more important to them than the user being able to access or use the site at all.
I miss the old Internet where nobody cared about their privacy.
It also failed to actually ban ad tracking.
For netizens, the idea that the use should be able to opt out of logs about their interaction with the service the operator owns is novel (because they always had the option of not using the service if they found the pattern distasteful).
Centralizing the serving of third party (or even first party) content is already way outside the original norms of the internet.
Heck, back in the day, HTTP caching would be enough to block tracking. (No javascript, and only the ISP sees which users pulled the document from cache.)
However the EU dropped the ball by not making it mandatory to respect this flag. If they had we wouldn't have had the huge cookiewall mess we have now.
Sadly even if you’re inclined to do this, it’s always a war of attrition, and corporations seem to realize they can just up the cost of your resistance in terms of time/frustration, and that’s enough for them to win in the long term. The history and trajectory of platforms, from browsers to AppStore’s to SaaS-all-the-things, is just tragic, with the amount of user control on a downward slide at each stage. The big question now is whether / how / to what extent AI is going to be corporate or democratized, but it’s hard to be optimistic.
Or, you know, if Clicking do-not-stab for 60 more years sounds like it sucks, you can try to become a shepherd or something. Works great for ~10 years, and then you can’t use cars, dishwashers or light switches without clicking do-not-stab, at which point they finally win and you say, you know what? I should be grateful they asked before they stabbed me, I practically owe it to them anyway, and I can’t wait to see all the love/cash rolling in after I’m a big shot shepherd influencer. Like and subscribe y’all and as always, hail corporate
But perhaps it really only succeeded, because that Microsoft was like the Boeing of today, a company where Pournelles second type (the institutionalists) had taken over and was just riding out the momentum, allowing the upstart unfunded open source hippies to actually have success.
If anything the shift is going the other way, with some of the more busy-body jurisdictions trying to take things that are properly enforced by the user's user-agent and instead making them officially the responsibility of the other party.
Yes. As a millennial the times of civil disobedience was better. Not only did we get a better internet for consumers, but better companies were rewarded and won. Rose tinted glasses? Possibly, but there’s another reason for disobedience: the other side does it, and they do it just for money.
Concretely, is there something like Adblock that can be done for cookies? I don’t think blocking is as effective as poisoned data though. They ask for data, they should get it. If you don’t get consent, poisoned data is merely malicious compliance.
It could even be standardized as an extension to DNT: “if asking for consent after a DNT header, a UA MAY generate arbitrary synthetic data”.
I use a combination of two browser extensions: Cookie AutoDelete[0] and I don't care about cookies[1]. The second hides any GDPR 'compliance' popup; the first deletes any cookies set by a website when you close the last tab with it open. Both extensions have whitelist functionality.
For Microsoft this also rings true from the opposite direction. Any specification that Microsoft technically abides is implemented in an egregiously dark way (at least for anything consumable at an enterprise level).
They go to great lengths to exercise every bit of leeway permitted by the spec, even when it doesn't make economical sense, because what are you gonna do about it? Vote with your wallet? Against the vendor that runs all your workstations and manages your directories and databases and deployments and authentication and authorization and business intelligence and and and?
No, you're gonna accommodate their absurd counter-requirements because what other choice do you have? The decision then becomes:
1. branch your code to shit with `vendor == microsoft` clauses
2. branch your project/architecture to shit and effectively maintain a Microsoft version alongside the "normal" core version
3. use Microsoft's bespoke library that solves the problem they created
A project that selects option 3 will face the least resistance integrating with Microsoft products, but will also become beholden to arbitrary rules that complicate integration with every other vendor who benevolently implements the standard.
Because of legal requirements, the General Assault Control header may not be enabled by default, as American states like Colorado require explicit opt-out (rather than explicit opt-in). This protects Colorado's thriving stabbing and shooting industry as most users will never want to opt into being stabbed.
Despite the feature being forced to be disabled by default, the organisation behind the spec is pushing hard for customers to download fringe browsers that implement the feature (though you may need about:config to enable it). Because of the small user base, the request not to be assaulted can be used by websites not willing to follow the standard to make their stabbings and shootings more precise. End users can request a JSON file from the web server containing the supposed support for the GAC header, but requesting this URL may be used to kick the user in the teeth by non compliant servers.
They don't actually hate you. Rather, they love your money and they have a depraved indifference for you.
Do they provide a guaratee to only sell once, instead of selling to everyone?
Do a sidedoor as a /do-not-stab.txt
Do-Not-Stab: 1
https://en.wikipedia.org/wiki/Do_Not_Track#:~:text=The%20Do%....
I can dream...
I don't know if they still do it, but last time I browsed Medium I found that it claimed to respect DNT, which is quite nice. Lots of self-hosted analytics software also respects DNT out of the box and I don't think site administrators often bother to turn that off. Still, the vast majority of websites probably ignores the header, especially since it's been deprecated as a standard. If you care about such things, maybe also consider looking into Sec-GPC, its intended replacement.
I fully understand that it's absence wouldn't meant that people won't get stabbed, but it would save time and mental space of all people like me who really don't care about being stabbed or not.
Honestly if anything, I'd like to be stabbed more.
By analogy to current situation about tracking ... Ad companies know too much about me? I think they know too little. For example for half a year they still haven't figured out that I know barely any words in German and are serving me German advertisements all the time just because I happen to be living in Germany currently.
"Fools! I have invented a usb device which can collect votes from the Internet and drive a knife through your heart!"
(Sutures As A Service) which is a additional somewhat often used service once Stabbing As A Service has occurred.
Maybe they could get advice on the best way to do that from these people?: https://news.ycombinator.com/item?id=42169027
This isn't my tribe, but I'm incredibly pleased to see a beautiful reflection of the old internet within this webring.
This gets more and more unhinged, I love it
On a more serious note: yeah wtf. I hope we in the EU draw the conclusion of companies even being unable (unwilling?) to gain informed consent and just start treating these privacy breaches as an outright crime.