Coming to a browser near you: A new way to keep sites from selling your data

J.King

Ars Praefectus
3,858
Subscriptor
Once implemented in the release, the control will be “on by default and unconfigurable.”
This raises the question of what a sensible default is. For Brave, which has privacy as its raison d'être, it's not difficult (though that it would not be configurable feels weird to me), but what is the right answer for Mozilla, or Vivaldi, or—dare I even ask—Chrome? It ought to be private-by-default for any true user agent as far as I'm concerned, but then it should just be illegal to be a privacy-invading monster in the first place, shouldn't it?

I'm not sure I see this going any differently than DNT.
 
Upvote
54 (54 / 0)

Callias

Ars Praetorian
560
Subscriptor++
There's something about this sentence that is both exciting and scary:

"Now, privacy advocates are back with a new specification, and this time they’ve brought the lawyers."

What we need is some court decisions on this (in the US at least) that cause significant financial damages (e.g., in the millions of dollars) for things to truly change, otherwise, paltry penalties just become the "cost of doing business."
 
Upvote
54 (54 / 0)
There's something about this sentence that is both exciting and scary:

"Now, privacy advocates are back with a new specification, and this time they’ve brought the lawyers."

What we need is some court decisions on this (in the US at least) that cause significant financial damages (e.g., in the millions of dollars) for things to truly change, otherwise, paltry penalties just become the "cost of doing business."

In reality, the court decision will probably be something like "malware is free speech, and so is selling all the data you sucked up."
 
Upvote
38 (42 / -4)

Mardaneus

Ars Tribunus Militum
1,926
It will require at least one high profile lawsuit by California's AG before it has teeth. But this was exciting news to read on WaPo last night and as always, a more comprehensive report on ars.
Well you first need to prove that the website you visit is selling your data. Or that the ads happen to be personalized. Wouldn't surprise me at all if Google starts handing out a module that does something to the data locally then have the "anonymized" data shipped off to them in batches.
 
Upvote
15 (15 / 0)

wolfwood6

Smack-Fu Master, in training
78
There's something about this sentence that is both exciting and scary:

"Now, privacy advocates are back with a new specification, and this time they’ve brought the lawyers."

What we need is some court decisions on this (in the US at least) that cause significant financial damages (e.g., in the millions of dollars) for things to truly change, otherwise, paltry penalties just become the "cost of doing business."

In reality, the court decision will probably be something like "malware is free speech, and so is selling all the data you sucked up."

Agree. One of the main issues from my perspective is we are allowing courts and lawyers to be the soldiers on this fight. What we really need is legislation.

We need to step out of this endless spiral of micro-management by precedent and get some *gasp* sensible leadership.
 
Upvote
20 (23 / -3)

HYS

Wise, Aged Ars Veteran
106
I am not sure this will really increase privacy. Suing a company through the GDPR is a long and tedious process for an individual.

I would propose another solution. This would be that if someone collects my information, my web browser has to sign it so that it is OK to use that collected information for further purposes. Handling, storing or selling the user data without such signature could then be made illegal. Then law enforcement could check the servers of any major service provider and look for user data that lacks valid signatures, and charges could be pressed without one individual having to do all the heavy lifting.
 
Upvote
-7 (4 / -11)

Dazen Guile

Smack-Fu Master, in training
17
Subscriptor
Great initiative. Looking forward to seeing it in Firefox too.
Meanwhile, Privacy Badger, NoScript and uBlock Origin will have my back (and probably will still, even when GPC is implemented.)
Privacy Badger already sends the GPC signal.

That's awesome. I didn't know that.
 
Upvote
10 (11 / -1)

J.King

Ars Praefectus
3,858
Subscriptor
If the only difference is (potential) legal enforcement, couldn't they have just reused the Do Not Track header instead of introducing a new one?
Technically they operate in the same way: both DNT and Sec-GPC are simple present/not present mechanisms. DNT could have been re-used, but it's already widely ignored and carries some social stigma, so I guess they figured a new header-field was warranted.
 
Upvote
21 (21 / 0)

Riddler876

Ars Scholae Palatinae
1,351
Once implemented in the release, the control will be “on by default and unconfigurable.”
This raises the question of what a sensible default is. For Brave, which has privacy as its raison d'être, it's not difficult (though that it would not be configurable feels weird to me), but what is the right answer for Mozilla, or Vivaldi, or—dare I even ask—Chrome? It ought to be private-by-default for any true user agent as far as I'm concerned, but then it should just be illegal to be a privacy-invading monster in the first place, shouldn't it?

I'm not sure I see this going any differently than DNT.

I actually think that "on by default and unconfigurable" stance might hurt more than help. I can see the legal argument being made that "It doesn't satisfy the user choice requirements by definition because the user has no choice".

Of course the counter is "The choice was to use Brave". But it's a back and forth legal fight at that point that potentially isn't necessary if you make it configurable but default to "on".
 
Upvote
40 (40 / 0)

Riddler876

Ars Scholae Palatinae
1,351
Bet they'll still get away with running their malware "ads" somehow.

It's not the ads that you need to consent to - it's the sharing of data for personalized ads. Ads will still be allowed just not targeted. They'll have to target their users the old fashioned way "We're selling a gaming PC so target gaming related sites"

Edit: my great hope would be that this can also make the damn cookie notifications unnecessary if it's enabled as I'm clearly saying "only necessary". So don't show me the damn popup.
 
Upvote
36 (36 / 0)

8igby

Smack-Fu Master, in training
69
Great initiative. Looking forward to seeing it in Firefox too.
Meanwhile, Privacy Badger, NoScript and uBlock Origin will have my back (and probably will still, even when GPC is implemented.)
Privacy Badger already sends the GPC signal.
Hmm, I have Privacy Badger enabled but still get the "red dot" when visiting the GPC website. Is this some regional limitation (I'm in Norway) or are Privacy Badger bragging about this before they've implemented it?

edit:
Paegan found the solution, you need to actively check for updates:

For anyone else not seeing the GPC signal with Privacy Badger in Firefox - it's working for me after updating the addon (go to Addons, click the "Manage Your Extensions" button at the top, then select "Check For Updates").
 
Upvote
32 (32 / 0)

IntellectualThug

Ars Tribunus Angusticlavius
10,778
Bet they'll still get away with running their malware "ads" somehow.

IDGAF. That's what uBlock is for. Haven't felt the slightest bit bad about robbing every single site of their precious revenue since Wikia.com forced me to regain control via hard disk reformat in 2010 with their shitty malvertising.
 
Upvote
22 (25 / -3)

Cat Killer

Ars Praefectus
4,674
Subscriptor
Hmm, I have Privacy Badger enabled but still get the "red dot" when visiting the GPC website. Is this some regional limitation (I'm in Norway) or are Privacy Badger bragging about this before they've implemented it?
It definitely works on mobile Firefox with the Privacy Badger extension. That's the one I tested.

Edit: just tested Firefox desktop, too. The extension needed an update before it sent the signal there.
 
Upvote
5 (6 / -1)

glowcube

Wise, Aged Ars Veteran
128
It seems like this protocol would have to be written into the law before websites could be legally required to honor it. Otherwise, why would websites be legally required to honor this protocol but not other, competing standards (such as Do Not Track)?

Surely California cannot write a law that says "Websites must honor every privacy-related web protocol, both ones that are in existence now and ones that may come later."
 
Upvote
14 (14 / 0)

J.King

Ars Praefectus
3,858
Subscriptor
Bet they'll still get away with running their malware "ads" somehow.

IDGAF. That's what uBlock is for. Haven't felt the slightest bit bad about robbing every single site of their precious revenue since Wikia.com forced me to regain control via hard disk reformat in 2010 with their shitty malvertising.
Wikia was the first thing that really made me feel like maybe this whole Internet thing was a bad idea. Rickroll? ActiveX? Flash sites? All bad. Wikia is worse.
 
Upvote
11 (11 / 0)

Riddler876

Ars Scholae Palatinae
1,351
While I'm less concerned about privacy this is interesting to me if this stops the damn accept cookies pop ups on every site. Does it stop that?

For that, you should use the amazing "I don't care about cookies" browser extension :)

Worth noting in that extension's own words
By using it, you explicitly allow websites to do whatever they want with cookies they set on your computer

What I really want is one that does the opposite of that.
 
Upvote
27 (27 / 0)

LiKenun

Ars Scholae Palatinae
670
Great initiative. Looking forward to seeing it in Firefox too.
Meanwhile, Privacy Badger, NoScript and uBlock Origin will have my back (and probably will still, even when GPC is implemented.)
And you don't even need a header to announce it, hoping the website will comply because it is within the reach of law.
 
Upvote
1 (1 / 0)

nzod

Ars Praefectus
3,093
While I'm less concerned about privacy this is interesting to me if this stops the damn accept cookies pop ups on every site. Does it stop that?

For that, you should use the amazing "I don't care about cookies" browser extension :)

Worth noting in that extension's own words
By using it, you explicitly allow websites to do whatever they want with cookies they set on your computer

What I really want is one that does the opposite of that.
Cookie AutoDelete is probably what you want. As the name says, once auto cleaning is enabled, after closing a tab it will wipe out associated cookies and local storage, except from domains that you explicitly whitelist. A must-have alongside uBlock.
 
Upvote
9 (10 / -1)

Riddler876

Ars Scholae Palatinae
1,351
It seems like this protocol would have to be written into the law before websites could be legally required to honor it. Otherwise, why would websites be legally required to honor this protocol but not other, competing standards (such as Do Not Track)?

Surely California cannot write a law that says "Websites must honor every privacy-related web protocol, both ones that are in existence now and ones that may come later."

I don't know about California's law specifically, although the article specifically says that law contemplated their existence. But from a GDPR standpoint I don't actually think a website can use it even if they want to.

I'd happily throw this on my websites and delete the data processing and cookie notifications etc. and tell users to use their browser setting. But GDPR requires I get opt-in consent and looking at the spec this explicitly can't ever provide opt-in consent (emphasis mine).

If a user has requested that their data "not be sold or shared" via setting a Global Privacy Control preference, that preference needs to be expressed to all mechanisms that might collect data from or share data with third parties.

If set, this preference is expressed as a single value of 1 or equivalently true according to context, which conveys the fact that a user is requesting a do-not-sell-or-share interaction.

A user agent MUST NOT expose or send a Global Privacy Control preference expression if a Global Privacy Control preference is not enabled.

I need a preference that's a 1 if enabled, 0 if not, and not there if not supported. GDPR requires I know the difference between not-supported and opted-in and this explicitly does not do that. So it's a no from me and I imagine from Europe unless they update GDPR to legally write this in.
 
Upvote
7 (7 / 0)
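
The present-or-absent behaviour quoted in the comment above, shown as an added example that is not part of the thread or of the GPC specification: a server-side reader for the `Sec-GPC` header and the decision it can and cannot support. The function names, the `opt-in`/`opt-out` regime labels and the sample requests are assumptions made for illustration.

```javascript
// Added example (not from the thread): server-side reading of Sec-GPC.
// Per the spec text quoted above, the preference is sent as 1 when enabled
// and is not sent at all otherwise, so there are only two observable states.
const GPC_HEADER = 'sec-gpc';

// headers: plain object of request headers (the shape of Node's req.headers).
function readGpc(headers) {
  let raw;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) raw = value;
  }
  if (raw === undefined) return 'no-signal';
  // A repeated field may arrive as an array or as one comma-joined string.
  const parts = (Array.isArray(raw) ? raw : String(raw).split(','))
    .map((v) => String(v).trim());
  // Assumption: any member equal to "1" counts; other values ("0", "true")
  // are not defined for the header and are treated as no signal.
  return parts.includes('1') ? 'do-not-sell-or-share' : 'no-signal';
}

// regime is a hypothetical label: 'opt-out' permits sale or sharing until the
// user objects; 'opt-in' permits it only with consent the site recorded itself.
function maySellOrShare(headers, regime, recordedOptIn = false) {
  if (readGpc(headers) === 'do-not-sell-or-share') return false; // objection wins (assumption)
  if (regime === 'opt-in') return recordedOptIn === true; // a missing header is not consent
  return true;
}

// Constructed sample requests.
const samples = [
  { label: 'GPC enabled', headers: { 'Sec-GPC': '1' } },
  { label: 'GPC off or unsupported', headers: { 'User-Agent': 'example' } },
  { label: 'undefined value', headers: { 'sec-gpc': '0' } },
];

function demo() {
  return samples.map(({ label, headers }) => ({
    label,
    signal: readGpc(headers),
    optOutRegime: maySellOrShare(headers, 'opt-out'),
    optInRegime: maySellOrShare(headers, 'opt-in'),
  }));
}

console.table(demo());
```

An absent header yields `no-signal` whether the browser lacks GPC or the user left it off, so under the opt-in regime the function can only fall back to consent recorded elsewhere.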

iAPX

Ars Scholae Palatinae
1,036
Great initiative. Looking forward to seeing it in Firefox too.
Meanwhile, Privacy Badger, NoScript and uBlock Origin will have my back (and probably will still, even when GPC is implemented.)
Privacy Badger already sends the GPC signal.
I just tried EFF's Privacy Badger on Chrome and it seems not to send the GPC signal as checked on globalprivacycontrol.org

Weird!

PS: ninja'ed by 8igby
 
Upvote
6 (6 / 0)

Riddler876

Ars Scholae Palatinae
1,351
It seems like this protocol would have to be written into the law before websites could be legally required to honor it. Otherwise, why would websites be legally required to honor this protocol but not other, competing standards (such as Do Not Track)?

Surely California cannot write a law that says "Websites must honor every privacy-related web protocol, both ones that are in existence now and ones that may come later."

I don't know about California's law specifically, although the article specifically says that law contemplated their existence. But from a GDPR standpoint I don't actually think a website can use it even if they want to.

I'd happily throw this on my websites and delete the data processing and cookie notifications etc. and tell users to use their browser setting. But GDPR requires I get opt-in consent and looking at the spec this explicitly can't ever provide opt-in consent (emphasis mine).

If a user has requested that their data "not be sold or shared" via setting a Global Privacy Control preference, that preference needs to be expressed to all mechanisms that might collect data from or share data with third parties.

If set, this preference is expressed as a single value of 1 or equivalently true according to context, which conveys the fact that a user is requesting a do-not-sell-or-share interaction.

A user agent MUST NOT expose or send a Global Privacy Control preference expression if a Global Privacy Control preference is not enabled.

I need a preference that's a 1 if enabled, 0 if not, and not there if not supported. GDPR requires I know the difference between not-supported and opted-in and this explicitly does not do that. So it's a no from me and I imagine from Europe unless they update GDPR to legally write this in.
GDPR is pure crap. That's why most of the websites do not use it.

Every website in Europe uses it. It's not an elective it's a requirement.
 
Upvote
73 (73 / 0)

entropy_wins

Ars Scholae Palatinae
1,490
Subscriptor++
Great initiative. Looking forward to seeing it in Firefox too.
Meanwhile, Privacy Badger, NoScript and uBlock Origin will have my back (and probably will still, even when GPC is implemented.)
Privacy Badger already sends the GPC signal.

Will Privacy Badger stop Reddit from asking to install its app one link down in comments?

Asking for a friend ;-)

S
 
Upvote
23 (24 / -1)
Other supporters of GPC include ..., Brave, Mozilla, ...
Surely those should not be in the "other" list?

Especially when the paragraph before calls their support out as tentative - although I am not clear from the quote why the qualifier was used. I didn’t see anything that suggests they would only implement it if it starts to get traction or other cautionary statements.
 
Upvote
0 (0 / 0)

nzod

Ars Praefectus
3,093
Great initiative. Looking forward to seeing it in Firefox too.
Meanwhile, Privacy Badger, NoScript and uBlock Origin will have my back (and probably will still, even when GPC is implemented.)
Privacy Badger already sends the GPC signal.

Will Privacy Badger stop Reddit from asking to install its app one link down in comments?

Asking for a friend ;-)

S
One can hide these with uBlock (right click on page + Block element + select the thing you want gone; might need a bit of practice to find the right layer to hide). If one has a bit of CSS knowledge, Stylus and similar extensions can do the trick too.
 
Upvote
7 (7 / 0)