> Don’t look for a section on permissions or consent in that document, by the way. There isn’t one. And nothing about nerd lawyer stuff like “opt out of sale” or “objections to processing” in there, either. The Big Tech companies want a two-track system, where other companies’ ad features are required to do all the privacy regulation hassles, but the browser’s own built-in tracking feature is something that people have to find the right setting for and turn off.
This language to make consent popups sound good is suspicious. Not being interrupted while you're browsing is good. A browser setting that people can turn off once, for all participating websites, is good.
You don't need cookie banners unless you want to track the user before they opted in on their own (maybe in the "website settings"). That's why countless websites have none.
The browser would only have to ask once, and then it would still just be "one browser setting", except you'd be notified it exists, as soon as it exists. So what's the point here, other than trotting out the same old stuff nut about cookie banners?
On update, "this is the thing, and that thing is enabled by default, is that okay? Otherwise, click no, then it gets turned off. If you change your mind later, it's under settings -> thing"
It's not complicated, and blaming laws that enforce human rights to avoid the most basic craftsmanship is suspicious.
Is it the case that "countless websites have none"? Some websites, especially small ones operated outside of the EU, simply don't care about their obligations under European law. But in my experience it's extremely rare for European websites not to feature a cookie banner. It's not like it's just corporations: the official websites of the European Commission (https://commission.europa.eu/), the presidency of France (https://www.elysee.fr/), the chancellorship of Germany (https://www.bundeskanzler.de/bk-de/), etc. all have one.
> Some websites, especially small ones operated outside of the EU, simply don't care about their obligations under European law.
What about lobster.rs?
Such as HN? Honest question, for all I know they're breaking EU law and nobody cares. Or maybe they don't.
Anyway, pouet.net doesn't have one. It links to a ton of group sites, many European, try to count the ones that don't have a cookie banner.
For fun, I did a quick and dirty test on the HN front page at the time of this comment, out of 30 links, I counted 11 cookie banners. Let's say I missed a few (a bunch of the ones I counted were a small bar at the top or the bottom, easy to miss, not even sure if they blocked the page), let's say it's 20 out of 30. One third of all websites is still a huuuuuuge amount of websites.
I took privacy seriously before I "had to". So for me, nothing changed. Why would it? You can have a link in the footer to opt into tracking. If you actually "value consent" and all that. It's a complete non-issue for most sites that have banners, they could just stop being creeps and it'd be fine. But they don't want to stop, they want to annoy users as much as legally possible and then funnel the annoyance at the laws protecting those users against them.
"Have you heard about this new thing, you have to wear something around your ankle and can't be a school teacher and stuff like that? Yeah it's really insane, how will children learn anything, ever again?"
"Wait, what are you even talking about? Have you done something?"
Of course there's corner cases, of course this can also be a hassle for sites that aren't "creeps". But generally? The same generic false claims, over and over? Just no.
HN used to be non-compliant, but does seem to have fixed it, I'm not seeing any cookies in a browser where I'm not logged in.
pouet.net is tracking me. On my first visit they deposited a cookie named POUETSESS4 with a 1 year expiry and a persistent hash identifier in my browser.
I checked a few outbound links from that site to European domains, and it does seem to be about 50/50 on whether they have similar problems, which is much better than any rate I've seen elsewhere. Good on this community for having a lot of folks who care about privacy and roll their own web frameworks. But I doubt it's the case that the other 50% or the parent site intended to secretly track me; they just ended up with a dependency on some tracking framework by accident, and they're too small to get in trouble for it.
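The check described in the comment above (what a logged-out first visit sets, how long it lives, whether the value looks like an identifier) can be scripted. This is an added example, not code from the thread or from any site it mentions: the header values are constructed, only the cookie name POUETSESS4 comes from the comment, and the 30-day and 64-bit thresholds are assumptions.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed clock so the run is repeatable (assumption for the example).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie headers for a logged-out first visit. All values are made up.
SAMPLE_HEADERS = [
    "POUETSESS4=9f2c4e1ab07d4c6e8a31f5b2c0d7e946; Max-Age=31536000; Path=/; HttpOnly",
    "theme=dark; Max-Age=31536000; Path=/",
    "csrf=4b1d9e77a0c3425f; Path=/; Secure; HttpOnly",
    "_vid=Zk3QpX8sLw2NaT7uYb1RcE; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
]

MIN_LIFETIME = 30 * 24 * 3600  # assumed: shorter-lived cookies are not reported
MIN_ID_BITS = 64               # assumed: below this a value cannot single out a browser


def parse_set_cookie(header, now):
    """Return name, value and lifetime in seconds (None for a session cookie)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "max-age" in attrs:
        # Max-Age takes precedence over Expires (RFC 6265).
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            lifetime = None
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None
    return {"name": name.strip(), "value": value.strip(), "lifetime": lifetime}


def entropy_bits(value):
    """Shannon entropy of the value's characters, times its length."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def audit(headers, now):
    """Names of cookies that are both long-lived and identifier-like."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        persistent = cookie["lifetime"] is not None and cookie["lifetime"] >= MIN_LIFETIME
        if persistent and entropy_bits(cookie["value"]) >= MIN_ID_BITS:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS, NOW):
        print("persistent identifier set before any consent:", name)
```

The long-lived `theme=dark` preference and the session-scoped `csrf` token are not reported; only cookies that are both persistent and high-entropy are.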
That’s what the Do Not Track signal was for, but tech bros still don’t get consent sooooooooo…
I'm not sure what this blog is complaining about.
> Problem one: Over-rating search, social, and app store ads
Isn't this a problem with today's ad attribution system? The author doesn't try to argue how the new system makes it worse.
> Problem two: Incentives for extra tracking
Same as above. It sounds like he's against attribution in general, which is an okay position to have, but I'd rather he say this upfront and more directly rather than spending 1k+ words on what essentially can be boiled down to "I hate Attribution Level 1 because it's attribution, and attribution is bad in general", and implying the issues he has are issues with Attribution Level 1 specifically.
The issue is that problem one is real, but not in a way that's beneficial to other advertising products.
Search, social and app store ads are overrated in that a lot of brands should probably decrease their investment, but things like programmatic display ads are absolutely not underrated. The correct number of dollars that should be spent on those placements is close to zero.
Agreed, this can't be worse than what it's replacing. Still, the author has some interesting points I hadn't considered before.
I guess from the advertiser's perspective this standard could be a concern, because the loss of cookie-based tracking might make it harder for them to develop alternative attribution tracking methods that don't have the same data quality problems.
> Agreed, this can't be worse than what it's replacing.
The mistake is assuming this replaces anything instead of becoming just one more piece of the tracking puzzle.
Even if it did "replace" cookies or whatever, it's strictly worse than "before" because it's giving advertising a front seat in the browser. My browser should be doing precisely nothing to help you attribute your ad impressions or whatever. But now Mozilla et al have to waste their time maintaining and augmenting this opaque piece of mathematical faff.
This is a debate I've seen many times now on HN. I sympathize with what you're saying, but the flip side is that many users seem to prefer a free ad-supported funding model over a paid, ad-free model. If a site is going to be serving me ads anyway, then all else being equal I'd rather them make as much money off each impression as possible to incentivize them to keep providing me with free services. The privacy and resource cost of a user's browser sending anonymized attribution statistics is very minimal.
Do you want to click through and spend money on the ads?
If not you aren't really working towards them paying a lot for ads, right?
> Do you want to click through and spend money on the ads?
Nobody "wants" ads, but they do want the free content they get today, which is funded by ads.
Maybe? Depends on what the ads are for. Obviously I'm not going to buy something I don't actually want just to support the site I'm on, but I have no particular objection to buying something I discovered through an ad if it's something I would buy anyway if I discovered it organically.
> many users seem to prefer a free ad-supported funding model over a paid, ad-free model.
You don't need pervasive and invasive tracking and wholesale trading of your data to display advertising.
> Agreed, this can't be worse than what it's replacing.
Why can't it?
Because as GP alluded to, the thing it's replacing (cookies) already does exactly the same thing but isn't anonymized.
> the thing it's replacing (cookies) already does exactly the same thing but isn't anonymized.
No idea what it's replacing. Cookies is a red herring. Tracking involves more than just cookies.
This seems like this is written by an advertiser who wants their profits, but pretending to care about privacy so they get users' support.
Here is a more honest summary:
"This proposal hurts us, small advertisement networks and professional marketers. Reject it, or we will ramp up the tracking to compensate for the lost opportunities!"
I've been wanting to build something like this for mobile advertising attribution. Mobile attribution is much worse since it by nature needs to on a device / fingerprinting level track across apps, and since there is no direct HTTP connection between the apps, the tracking is much more broad. Companies like AppsFlyer are in 20% of apps and track everything that happens in those apps.
I'd like to see AppsFlyer work on this as well. Moving mobile attribution to device based would be a huge privacy benefit. But it might be quite difficult for a company like AppsFlyer to do this, so it might need to end up being pushed by Apple and Google, but as both are advertising companies, they might be even less incentivized for this kind of local tracking.
> When Meta, Google and Apple [and Mozilla] agree on a “privacy” feature, watch out.
?
This feels like a good sign, to me. I get far more worried when I see the likes of Meta, Google, Spotify, Epic etc team up.
And you think that they team up for your benefit?
Most people (and orgs) do things that benefit themselves. The question, as a user: who is likely to be more aligned with you?
- Mozilla, Meta, Google, Facebook
- VP of "monetization technology" company, "Marketing data expert"
Meta and Google are entirely advertising-focused companies, with their main revenue coming from being able to put together accurate profiles of people to spam them with campaigning attempts to get them to buy things.
Author of the OP is the VP of the adtech company, with their main revenue coming from being able to put together accurate profiles of people to spam them with campaigning attempts to get them to buy things.
He is not mad because Google can kinda-track users under new system. He is mad because Google can kinda-track users under new system, but his company _won't be able to any more_. Hence all the "cartel" talk.
Closed immediately due to the invasive "using this site means you agree to our terms of service!!" popup.
Did you read it?
You can tell who works in adtech
"The average person in the USA has about $1200/year spent on advertising intended to reach them. Where do you want “your” $1200 spent?"
Interestingly $1,200 is roughly 3.5% of what the average American spends per year (roughly $78k), and $1200 is roughly 15% of the average American's discretionary spending. That doesn't seem too crazy to me as a cost for the main driver of the matching and branding system of the capitalist economy of the United States.
The cost is your attention, your mental health, as well as buying things you didn’t know you needed or didn’t know you didn’t need. It’s not a level playing field.
Except it isn't a level/merit-based 'matching and branding system', it's exactly the opposite - people see what others pay for them to see (and what's most likely to influence the viewer in a generally detrimental way), not what's actually beneficial/useful to them.
Imagine if all Google results were ranked purely based on advertising potential... this is already starting to happen and it clearly makes Google noticeably worse.
Not only is it bad for people and society, but it also undermines the whole idea of open and fair competition in a capitalist system - why do I need to make my product better if I can just spam advertising and dishonest marketing instead?
Both ads and capitalism are messy and have some externalized harms, but are better than the alternatives.
In the "advertising led" model of customer discovery, businesses advertise to essentially tell the market that they exist and provide a service. They do so by paying for advertising space across various mediums. This includes everything from their store signage to Craigslist ads, to TV and sophisticated digital advertising.
Most modern advertising is an auction where businesses compete to serve their message to customers the algorithms think are most likely to be interested.
This function - of matching users that might be interested in products to businesses providing products - is at this point hugely scaled.
People who want to ban ads will usually give the alternative of a reviewed directory of products and services for each category. That, they say, would be the ideal method of product discovery, along with word of mouth.
However, that runs immediately into the same problem that communism has historically. Who actually controls these directories, which would be a huge source of power for society? I posit that it is impossible to centralize this effectively, and that the most likely most effective method for idea and product dispersal is something close to modern marketing and advertising.
Why do you assume that any alternative to ads has to be centralized? You also seem to assume the advertising space is not centralized (lol).
If we can build a (centralized or decentralized) system capable of querying/serving content based on price and ad revenue projections, we can also build a system capable of querying/serving content based on relevance, ratings, reviews and any number of parameters.
You seem to imply that advertising and marketing give us some kind of advantage in terms of (de)centralization, but that's really not true. The whole purpose of advertising is to MAKE people look at ads despite the fact that almost nobody actually enjoys or values looking at ads, whether it's run as a centralized or decentralized model is an implementation detail.
> called Attribution Level 1, as a standard feature of web browsers
We need to eliminate private companies from our browsers in general. Many years ago they called it "acceptable ads".
Time to fire up the chaffing. Or the pitchforks and torches. Either one.
Advertising needs to be over now.
Following the overturning of Roe v Wade, it is clear that the US needs privacy enshrined in the Constitution. For example, it is absurd to imagine a state government trying to distinguish between an abortion and a miscarriage in order to potentially prosecute; this distinction is something that no one beyond the woman should have any right to know.
It's my view that the Founders did not think to directly mention privacy since they had no capacity to imagine technology as powerful as that which enables today's surveillance capitalists. But the sort of law that would establish a general right to privacy (or the kind of values that would lead us to establish one) would likely also hinder companies from aggregating user data for any purpose other than directly serving users. (And it would also hinder the government from surveilling its citizens.)
If such an amendment were considered, we'd all fast find that most techies aren't actually liberals. Oh wait, we saw that when they all turned to support Trump. Surprise, surprise.
I promise you that when consumer and enterprise funds dry up, every one of these AI companies will be placing ads and selling surveillance and drone tech to the government. Anthropic already dropped the part of its constitution that forbade collaboration of any kind with the military. The pressure to profitability is immense.
Today, purported morality is mostly (temporary) sophistry. Most folks will work for Zsuck or Palantir if the money is good enough.
The next time anyone on HN says "GDPR should've been a setting in the browser", I'll just point them to this. This is what browser vendors are making as a default setting.
So they “reinvented” HTTP cookies but with only advertisers?
> Technically, the way it works is that a script running on a site with ads asks the browser to record an ad impression. Then the browser keeps a record of ads seen from all the sites you visit. Later, when you buy something, the retail site can ask the browser to generate a “conversion report” that can be passed to a centralized aggregation service.
Sort of. Cookies track you as an individual with a unique identifier. The conversion report only tracks anonymized aggregate statistics that can't be used to identify you as an individual.
This sounds a lot like “you’re getting analyzed by AI/ML, tied to a specific bucket of similar users, then your continued data expands the bucket, splitting off into different ad hoc buckets of similar users”
If so, you can’t be tied to a specific purchase but you can be so tightly grouped it’s basically the same.
Look up differential privacy. Done right, it is impossible to do what you said.
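A generic Laplace-mechanism sketch of the "anonymized aggregate" idea argued over in this sub-thread, added here as an illustration; it is not the Attribution API or any browser's code. The report tuples, the campaign names, the per-browser cap and epsilon are all assumptions.

```python
import random

CAMPAIGNS = ["shoes", "laptops", "niche"]
CAP = 2.0      # assumed: most any one browser may add across all buckets
EPSILON = 1.0  # assumed privacy parameter

# Constructed reports: (browser_id, campaign, conversion_value).
# Browser b7 is the only one converting on "niche", the tight-bucket case.
REPORTS = [
    ("b1", "shoes", 1), ("b2", "shoes", 1), ("b3", "laptops", 1),
    ("b4", "laptops", 1), ("b5", "shoes", 1),
    ("b7", "niche", 1), ("b7", "niche", 1), ("b7", "shoes", 5),
]


def aggregate(reports, campaigns, cap):
    """Sum per campaign, letting each browser contribute at most `cap` in total."""
    remaining = {}
    totals = dict.fromkeys(campaigns, 0.0)
    for browser, campaign, value in reports:
        if campaign not in totals:
            continue
        budget = remaining.setdefault(browser, float(cap))
        take = min(max(value, 0), budget)
        remaining[browser] = budget - take
        totals[campaign] += take
    return [totals[c] for c in campaigns]


def laplace(rng, scale):
    """Laplace(0, scale) as the difference of two exponential draws."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def noisy_release(hist, rng, cap=CAP, epsilon=EPSILON):
    """What the aggregator publishes: each bucket plus Laplace(cap / epsilon) noise."""
    scale = cap / epsilon
    return [h + laplace(rng, scale) for h in hist]


def privacy_loss(output, hist_a, hist_b, scale):
    """ln(P[output | hist_a] / P[output | hist_b]) under independent Laplace noise."""
    return sum(abs(o - b) - abs(o - a)
               for o, a, b in zip(output, hist_a, hist_b)) / scale


def worst_case_loss(trials=2000, seed=7):
    """Largest |privacy loss| seen when comparing the data with and without b7."""
    rng = random.Random(seed)
    with_b7 = aggregate(REPORTS, CAMPAIGNS, CAP)
    without_b7 = aggregate([r for r in REPORTS if r[0] != "b7"], CAMPAIGNS, CAP)
    scale = CAP / EPSILON
    worst = 0.0
    for _ in range(trials):
        out = noisy_release(with_b7, rng)
        worst = max(worst, abs(privacy_loss(out, with_b7, without_b7, scale)))
    return worst


if __name__ == "__main__":
    print("capped sums:", aggregate(REPORTS, CAMPAIGNS, CAP))
    print("published:  ", noisy_release(aggregate(REPORTS, CAMPAIGNS, CAP), random.Random(1)))
    print("worst observed loss:", worst_case_loss(), "bound:", EPSILON)
```

The bound holds only because of the contribution cap: without it, b7's reports would shift the histogram by 7 instead of 2, and the same noise would give a correspondingly weaker guarantee.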
> The conversion report only tracks anonymized aggregate statistics that can't be used to identify you as an individual.
Combined with the other 200+ tracking points from your machine... Yes, yes you can be identified.
More importantly it's privacy preserving because it doesn't allow for bidirectional communication, which third party cookies could do.