![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Cookie Banners
2024-04-28 11:09Far-too-many-years ago, at either a pub or a party, I was ranting about how annoying cookie banners were not, in fact, top-to-bottom pure evil, but were a consequence of a well-meaning-but-terribly-implemented attempt to Stop Bad Things. A (very) non-technical friend asked me to explain further, but I gave up on a verbal explanation after it became apparent that this stuff is almost fractally complex; pretty much every part of the puzzle requires significant background explanation before it makes sense (at least, way more than I could marshall in a casual conversation). I foolishly promised a written version in the near future.
This is that written version, aimed at non-technical readers. I repeat: this is (deliberately) a very, very, non-technical summary. I am skipping over so many technical details, in the interests of making this comprehensible to non-technical people and "only" ~1800 words long...
(If you understand some of those technical details, congratulations! Their omission from this essay is A Feature, Not A Bug. The footnotes dig a little deeper, but I'm trying to avoid exponential footnote growth, too)
In the beginning, the World Wide Web got invented. It was easy to hack together a basic website, and lots of people did.
Shortly afterwards, people started putting adverts on these new-fangled "web page" things. Pretty soon, it was possbile to effectively "sell" some fraction of your web page to a web advertising company, who would give you a small sum of money every time a reader saw one of their adverts on your page.
For this story, the important bit is that the "advert" bit of the web page is now controlled by the advertising company.
This means that the readers' web browsers are talking to the ad company's server, as well as the server of the webpage hosting the advert[1]. In turn, this means that the ad company's server knows which adverts it's sending to which users on which web pages.
The advertising companies soon realised that, as well as simply working out how many users saw advert-A on webpage-X, and advert-B on webpage-Y (which is necessary for their core business) they could also tell which readers were visiting both webpage-X and webpage-Y.
Multiply that up by billions of webpages (which tends to happen on the web) and each of the advertising companies had built themselves their own world-wide-web surveillance network. They could literally track which webpages were being viewed by which people, for approximately all webpages[2] and all web readers[3]. So they did just that.
That tracking is how they know that you just visited [car maker]'s website, and will now show you car adverts on every page you visit for the next three days.
Aside: This is now how those advertising companies make most of their income: by selling ad space based on the interests of who they will show it to. Want to advertise [cars|fantasy books|cat food]? We'll show your adverts only to people interested in [cars|lord of the rings|cats], and not waste time showing them to people interested in [bicycles|sci-fi|dogs].
Aside aside: this interest-targeting is a powerful (but stealthy) tool, and is being used by Bad People for Bad Things[4].
Customers started to notice adverts "following" them around the web. Technically-adept people did some quick 2+2=4 to figure out what was going on, and were Not Happy, because, y'know, Pervasive Surveillance is Bad[6].
Thus, people started making attempts to Stop This Sort Of Thing.
I'm fairly sure that someone asked the advertising companies to not do that, please. I'll leave you to imagine how successful that was.
There were also some technical attempts, but they didn't work very well, either.
The first major legal attempt to block things was the Dreaded Cookie Law[7].
(Why "cookie"? As well as the common biscuit-related meaning, the word "Cookie" is the somewhat whimsical name for a fairly fundamental bit of web technology[8] that was, at least initially, the technical linch-pin holding these surveillance networks together)
So now we come to the "terribly-implemented" bit. The core idea of the cookie law is to require consent from the end user. Consent, you say? Consent to what, exactly?
Somehow[9], this law and the surrounding guidance ended up being about "consent to use cookiesto conduct surveillance", rather than "consent to use cookies to conduct surveillance".
Also, the requirement to obtain this consent ended up with the webpages rather than with the adverts, forcing the implementation onto every web page publisher everywhere. (and also allowing the ad companies to apply financial pressure: no consent from your readers? less ad money for you!)
Doing the implementation really properly requires deep discussions between [people who understand all the technical details that I'm leaving out] and [people who understand all the legal details that I'm leaving out] probably resulting in them cross-teaching each other the whole mess. A proper outcome may involve hitting the bottom line of the company running the pages, too (because it may mean reducing advertising income, or compromising the ability to track how effective their own advertising is, or both).
At which point you have a lengthy three-way discussion between the legal/technical/commercial arms of this hypothetical company. Executives who want the minimum-staff-effort way to achieve minimum-legal/commercial risk will just hurry things along, and eventually someone says "[expletive] it!" and you end up with some sort of compromise, probably involving a cookie banner full of deliberately-obfuscated words and UI dark patterns, aimed at getting as many readers as possible to click the "just make this damn banner go away, dammitand let them track me forever" button.
(and of course, most small companies and approximately all private individuals may not even have any [people who understand the details] and will probably just end up applying one of the standardized off-the-shelf tools which offer that same end result)
So you get cookie banners everywhere. And the major web advertising companies[10] are watching your every online move.
The next major legal attempt to stop this stuff was part of GDPR (and similar laws in other countries), which is attempting to go after the "surveillance" angle and the consent angle[11] but that's a whole other can of worms...
[1] This is where the term "third-party" enters the discussion. The web page owner's server is the "first-party". The user's web browser is the "second-party". The advertising company's server is the "third party".
[2] Superficially, it's limited to the web pages that show any kind of advert. But the advertising companies are cunning, and have found ways around that limitation. (log in with..., web page analytics tools, and more)
[3] Superficially, they can't attach real names to this info, either, it's all just [reader x] and [reader y]. But from many viewpoints, that's not actually much of a limitation anyway. Plus, the advertising companies are cunning, and have found ways around that limitation. Facebook's "real name" policy, for example? Or Google (via GMail) getting access to all your email?
[4] "Interest-based ad targeting". Let's think like a villian for a moment: How about you show an ad for my self-published book (about the evil conspiracy of [socialists|immigrants|boogeymen]) to people interested in [pickup trucks|looking for a job], but hide the ad from people interested in [left-wing news outlets|polital news][5]. Now, start thinking like an unscrupulous/authoritarian politician, or a PR company hired by a global megacorporation, and think of all theterrifying interesting ways you can use this. But that's a whole other essay.
[5] Now, you're not supposed to be able to target ads by race/religion (or by policital leaning in some parts of the world) but bad guys are cunning and found ways around that limitation. How about people interested in cycle lanes, guns, "states' rights", brexit, hip-hop/country/whatever music, or [insert job/skill here]? Or living in [specific neighbourhood/city]?
[6] Some nominally anti-authoritarian people claim to be fine with this pervasive surveillance, because it's Free Enterprise Surveillance, not Evil Government Surveillance, and therefore okay. But (can you see it coming yet?) governments are cunning, and have found ways around that limitation.
[7] IIRC, it's actually a cluster of related laws, primarily in the EU, but "skipping technical details" includes the legal details, so moving swiftly on...
[8] I'm not going to explain cookies much here. Except to say that if you turn them off completely, half the web (including most of the e-commerce) will just stop working, and That Would Be Bad. Let's just say there are good cookies, bad cookies and shades-of-grey cookies. Plus is is where that "third-party" term makes its second appearance, and that's a technicality I've now failed to completely omit so I'll stop before this footnote outweighs the rest of the essay...
[9] I'm sure this had nothing at all to do with lobbying by web advertising companies.
[10] I keep saying "the major web advertising companies" without naming them. I'm not 100% up-to-speed on the balance of power here, but AFAIK the big players are Alphabet/Google, Meta/Facebook and X/Twitter. Lesser-but-still-huge players include Microsoft, Apple and Amazon and potentially several more I'm forgetting.
Another aside: these companies have successfully injected themselves into the global advertising market as middle-men, and are hoovering up a huge slice of the money in that market. If you want to know why [newspapers/magazines/your favourite periodical publication] has no money these days, it's because these guys ate most of their advertising revenue.
[11] To paraphrase something I heard in a very different context: Submission under duress is not Consent.
This is that written version, aimed at non-technical readers. I repeat: this is (deliberately) a very, very, non-technical summary. I am skipping over so many technical details, in the interests of making this comprehensible to non-technical people and "only" ~1800 words long...
(If you understand some of those technical details, congratulations! Their omission from this essay is A Feature, Not A Bug. The footnotes dig a little deeper, but I'm trying to avoid exponential footnote growth, too)
In the beginning, the World Wide Web got invented. It was easy to hack together a basic website, and lots of people did.
Shortly afterwards, people started putting adverts on these new-fangled "web page" things. Pretty soon, it was possbile to effectively "sell" some fraction of your web page to a web advertising company, who would give you a small sum of money every time a reader saw one of their adverts on your page.
For this story, the important bit is that the "advert" bit of the web page is now controlled by the advertising company.
This means that the readers' web browsers are talking to the ad company's server, as well as the server of the webpage hosting the advert[1]. In turn, this means that the ad company's server knows which adverts it's sending to which users on which web pages.
The advertising companies soon realised that, as well as simply working out how many users saw advert-A on webpage-X, and advert-B on webpage-Y (which is necessary for their core business) they could also tell which readers were visiting both webpage-X and webpage-Y.
Multiply that up by billions of webpages (which tends to happen on the web) and each of the advertising companies had built themselves their own world-wide-web surveillance network. They could literally track which webpages were being viewed by which people, for approximately all webpages[2] and all web readers[3]. So they did just that.
That tracking is how they know that you just visited [car maker]'s website, and will now show you car adverts on every page you visit for the next three days.
Aside: This is now how those advertising companies make most of their income: by selling ad space based on the interests of who they will show it to. Want to advertise [cars|fantasy books|cat food]? We'll show your adverts only to people interested in [cars|lord of the rings|cats], and not waste time showing them to people interested in [bicycles|sci-fi|dogs].
Aside aside: this interest-targeting is a powerful (but stealthy) tool, and is being used by Bad People for Bad Things[4].
Customers started to notice adverts "following" them around the web. Technically-adept people did some quick 2+2=4 to figure out what was going on, and were Not Happy, because, y'know, Pervasive Surveillance is Bad[6].
Thus, people started making attempts to Stop This Sort Of Thing.
I'm fairly sure that someone asked the advertising companies to not do that, please. I'll leave you to imagine how successful that was.
There were also some technical attempts, but they didn't work very well, either.
The first major legal attempt to block things was the Dreaded Cookie Law[7].
(Why "cookie"? As well as the common biscuit-related meaning, the word "Cookie" is the somewhat whimsical name for a fairly fundamental bit of web technology[8] that was, at least initially, the technical linch-pin holding these surveillance networks together)
So now we come to the "terribly-implemented" bit. The core idea of the cookie law is to require consent from the end user. Consent, you say? Consent to what, exactly?
Somehow[9], this law and the surrounding guidance ended up being about "consent to use cookies
Also, the requirement to obtain this consent ended up with the webpages rather than with the adverts, forcing the implementation onto every web page publisher everywhere. (and also allowing the ad companies to apply financial pressure: no consent from your readers? less ad money for you!)
Doing the implementation really properly requires deep discussions between [people who understand all the technical details that I'm leaving out] and [people who understand all the legal details that I'm leaving out] probably resulting in them cross-teaching each other the whole mess. A proper outcome may involve hitting the bottom line of the company running the pages, too (because it may mean reducing advertising income, or compromising the ability to track how effective their own advertising is, or both).
At which point you have a lengthy three-way discussion between the legal/technical/commercial arms of this hypothetical company. Executives who want the minimum-staff-effort way to achieve minimum-legal/commercial risk will just hurry things along, and eventually someone says "[expletive] it!" and you end up with some sort of compromise, probably involving a cookie banner full of deliberately-obfuscated words and UI dark patterns, aimed at getting as many readers as possible to click the "just make this damn banner go away, dammit
(and of course, most small companies and approximately all private individuals may not even have any [people who understand the details] and will probably just end up applying one of the standardized off-the-shelf tools which offer that same end result)
So you get cookie banners everywhere. And the major web advertising companies[10] are watching your every online move.
The next major legal attempt to stop this stuff was part of GDPR (and similar laws in other countries), which is attempting to go after the "surveillance" angle and the consent angle[11] but that's a whole other can of worms...
[1] This is where the term "third-party" enters the discussion. The web page owner's server is the "first-party". The user's web browser is the "second-party". The advertising company's server is the "third party".
[2] Superficially, it's limited to the web pages that show any kind of advert. But the advertising companies are cunning, and have found ways around that limitation. (log in with..., web page analytics tools, and more)
[3] Superficially, they can't attach real names to this info, either, it's all just [reader x] and [reader y]. But from many viewpoints, that's not actually much of a limitation anyway. Plus, the advertising companies are cunning, and have found ways around that limitation. Facebook's "real name" policy, for example? Or Google (via GMail) getting access to all your email?
[4] "Interest-based ad targeting". Let's think like a villian for a moment: How about you show an ad for my self-published book (about the evil conspiracy of [socialists|immigrants|boogeymen]) to people interested in [pickup trucks|looking for a job], but hide the ad from people interested in [left-wing news outlets|polital news][5]. Now, start thinking like an unscrupulous/authoritarian politician, or a PR company hired by a global megacorporation, and think of all the
[5] Now, you're not supposed to be able to target ads by race/religion (or by policital leaning in some parts of the world) but bad guys are cunning and found ways around that limitation. How about people interested in cycle lanes, guns, "states' rights", brexit, hip-hop/country/whatever music, or [insert job/skill here]? Or living in [specific neighbourhood/city]?
[6] Some nominally anti-authoritarian people claim to be fine with this pervasive surveillance, because it's Free Enterprise Surveillance, not Evil Government Surveillance, and therefore okay. But (can you see it coming yet?) governments are cunning, and have found ways around that limitation.
[7] IIRC, it's actually a cluster of related laws, primarily in the EU, but "skipping technical details" includes the legal details, so moving swiftly on...
[8] I'm not going to explain cookies much here. Except to say that if you turn them off completely, half the web (including most of the e-commerce) will just stop working, and That Would Be Bad. Let's just say there are good cookies, bad cookies and shades-of-grey cookies. Plus is is where that "third-party" term makes its second appearance, and that's a technicality I've now failed to completely omit so I'll stop before this footnote outweighs the rest of the essay...
[9] I'm sure this had nothing at all to do with lobbying by web advertising companies.
[10] I keep saying "the major web advertising companies" without naming them. I'm not 100% up-to-speed on the balance of power here, but AFAIK the big players are Alphabet/Google, Meta/Facebook and X/Twitter. Lesser-but-still-huge players include Microsoft, Apple and Amazon and potentially several more I'm forgetting.
Another aside: these companies have successfully injected themselves into the global advertising market as middle-men, and are hoovering up a huge slice of the money in that market. If you want to know why [newspapers/magazines/your favourite periodical publication] has no money these days, it's because these guys ate most of their advertising revenue.
[11] To paraphrase something I heard in a very different context: Submission under duress is not Consent.
![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-community.gif){kind=small}
