First of all, if you don't practice any tracking limitation, you're almost certainly giving additional parties (directly or otherwise) access to your personal information. This is marketing data brokerage, this is the whole ballgame.

To your point about the actual harm, I've come to see it as a kind of ecological problem. Wasting energy and sending more trash to a landfill doesn't harm me individually, at least not immediately. But it does harm in aggregate, and it is probably directly related to other general harms, like overall health outcomes, efficiency, energy costs, etc.

No, accepting cookies by itself may not do much to me, but the broader surveillance and attention economy that relies on such apathy certainly has.

> I just have not yet been convinced I should actually care.

I'm not out to convince you since my reasons are unlikely to apply to you. There are some of us who want privacy for privacy's sake. We respect the social boundaries of other people, and find those who don't respect our social boundaries creepy. We don't much care one way or the other if those people are out to exploit us or to harm us. It is the act itself that we consider violating.

> Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous.

I am fanatically following my rule "one email per website". Obviously, they all route to the same inbox. Initial motivation was to see who leaks my address and simply block it. However, the separation helped me out tremendously more than I ever expected (at the very least I believe so).

I'm originally from a country with a highly oppressive regime. Years ago I signed up for financial support to a political opposition leader. Things weren't as bad and it felt safe enough at the time. They had my email, of course.

Eventually opposition systems were compromised, and the full donor list became public. The regime's response: they cross-referenced it against emails registered on government services. For quite a few whose addresses matched, police officers paid a visit — looking for grounds to fine them, pressure them, etc.

My alias for that site existed nowhere else. No match, no visit. Definitely an experience I was more than happy to avoid.

> I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.

the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.

> I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive

It seems like you are, but that's just how our brains work. We're very bad at judging long term and abstract risks, especially when the consequences and their connection to the cause are intentionally kept unclear. For example, when people's cars started collecting data on their driving habits and selling that data to insurance companies a lot of people saw their insurance rates go up, but none of the insurance companies said that it was because of the data collected from their cars. I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.

You won't notice the effects, but allowing tracking feeds your behavioral profile into the data broker economy. You can then be targeted with things like dynamic pricing based on your guestimated income, invasive ads for significant life events, health care risk modeling, tracking your group affiliations, identity theft, and more.

Feel similarly. And to be honest, even when I do select decline all, I have little confidence that the function does what it says it does.

[Reject Optional], [Essential Cookies Only] ... I am one of the people who clicks such options. But to some degree they are "privacy theater". Any website that presents you with such a choice is almost certainly loaded to the gills with tracking/analytics and various 3rd-party services that will track you with browser fingerprinting regardless of any buttons you click on the cookie banner. Nevertheless I still reject them, mostly out of spite.

I recently spoke with an engineer who was building a product using the information he is able to acquire from these data brokers. This includes every search query you've ever made, anything you've purchased with a credit card, and anything that is in the public record (i.e. a pending divorce case, or child custody dispute). He uses that information to generate a profile on leads to determine how much they can squeeze from this person in whatever deal they are making. (I'm not going to get more specific than that.) This person had no incentive to lie to me about what they were building.

The data trail you are creating is much more personal and invasive than you want to imagine, and in the wrong hands it could be used to devastating effect.

Apply the same logical test to freedom of speech, and you’ll get the same result.

You’re not missing anything about what’s likely to happen to you personally. What you’re missing is the manner in which rights shape your life and your society even when you don’t exercise them, and sometimes even when nobody is currently exercising them, and that significant harm can be built out of a vast number of smaller harms that aren’t individually that bad.

Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.

One click usually gives random foreign corpos the right to your data across a multitude of platforms, the right to identify you across data sets, and to permanently link your device identifiers to you, for ”fraud detection” on a site which sells nothing.

Clicking on accept or deny on those notices makes no real difference, since the ”partners” and ”vendors” usually enshrine their core data activities into the ”legitimate interest” category, which has no opt-out.

I don’t think there is much short term danger from the cookies. It’s more the principle of the thing. I hate the bullshit language of how we and our 1500 partners respect your privacy choices. They don’t respect anything and would sell their own grandmothers for a dollar.

I'm worried about my browsing to be tracked across the entire internet for the purposes of marketers to "enrich" my profile... just to sell me more and to sell that data to third-parties who can make all sorts of decisions based on a made up story about who I am, my preferences, my values and whatnot.

there's a reason I don't walk around naked either. it wouldn't hurt me, but I don't need that kind of exposure for no upside

For me it's mostly a matter of principle. I'm against online tracking and I will do everything I can to not be monetized. Also clicking reject is not that difficult and if a website tries to make it difficult I just close the tab.

I think he is referring to how some have an "Accept cookies" and a cookie's settings, but to reject cookies you have to open a separate dialog box. I agree, and I think it is so wild that people would give their actual email to random sites.

I'm the same, (well, mid thirties, and over a decade) but I always click accept for cookies.

The only times I've stopped, or tried to deny it is with the recent thing I've seen from some sites that say "accept cookies or pay money". I think that is scummy, and against what these regulations require, so I'll usually just close the site in that case.

Oh and to address the point from the main article, I think I'm unfortunately beholden to more companies, but would strongly prefer to not verify my identity, because I have little to no trust in the companies to safeguard my actual personal data. (rather than inferred cookie tracking data, which they can have imo).

same experience here, but one exception:

I just always the most left button, as this is usually "cancel" or "deny" - not alwys right,though :-D LOL

"software developer" is pretty broad. Here this is specifically B2C (business to customer) applications. I only assume that you haven't been in this market sector, otherwise you would've been more familiar with GDPR and all the concerns that prompted it.

There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.

Even today, if you decide to accept all cookies, you're safer than what you used to be.

Rejecting the non-essential cookies puts you in the safest spot from bad actors.

It seems crazy that no one stressed it yet: for the last few years refusing the cookies has been requiring EXACTLY the same effort as accepting them, for the wide majority of websites!!!

It's disheartening that so many people still do this (and not accepting has rarely ever required enormous efforts, to begin with).

I don't think you are being naive but I do caution you before you don't worry.

Its not always clear what the desired outcome is here. The dark pattern could have nothing to do with the tracking most folks worry about. We like our phones more than our laptops because we touch the screens for example. The dark pattern here could simply be you use the site more because you do more actions there driving you to waste time and view ads. Who knows.

I like to just roll over and bite the pillow, click "accept all cookies" and let them go in dry and unprotected.

> Maybe I am actually naive, but I just have not yet been convinced I should actually care.

You are. Tracking is extremely dangerous to the society.

Before Shiftkey offers a nurse a shift, it purchases that worker's credit history from a data-broker. Specifically, it pays to find out how much credit-card debt the nurse is carrying, and whether it is overdue.

The more desperate the nurse's financial straits are, the lower the wage on offer. Because the more desperate you are, the less it'll take to get get you to come and do the gruntwork of caring for the sick, the elderly, and the dying

https://pluralistic.net/2025/02/26/ursula-franklin/

I would imagine it's the GDPR "ACCEPT ALL COOKIES" in big font and then in very small low contrast text "select some cookies" or "reject cookies" that they were describing.

ublock it all away. ez pz

Which is why I installed the "Consent-o-matic" extension which dutifully denies everything for me, and I have uBlock Origin for everything else.

Meanwhile I just bounce from the site 60% of the time. Most websites aren't needed for my survival, and I hope they are happy that they lost a customer while I go to their competitor.

Moral of the story is: If you want me to see your content, and maybe spend money, don't cover up your content.

Especially if you're not EU-based and not subject to GDPR, stop listening to the laws of some foreign country that doesn't control you.

> It's like they just assume that everything on the web is trustworthy.

> It's not hard to see why though. They grew up with app stores & locked down devices.

When we create a safer world, people’s defense mechanisms naturally atrophy or are never developed in the first place.

Maybe we should make young learners in primary school use "infected" Windows XP so they can dodge spam popups and learn what and what not to click.

> They grew up with app stores & locked down devices. No concept of a file or file system

I think almost every Android user has thise concepts.

But on the trustworthy web assumption, I agree. The only effective remedy is a personal calamity.

People are also struggling to think about what is computed or stored where or what different wireless interfaces do. Imagine what sort of data people enter into LLMs!

In some sort of weird sense, it makes me appreciate the 'free armor trimming', 'alt F4 helps block attacks in pvp', and similar people in RuneScape. It gave young me a very low stakes environment to learn about scams, losing only what amounts to a little bit of my time. I wonder if there is an argument that we should encourage a certain level of scamming in video games just for the lessons it teaches at low cost? Alas, this isn't generalizable to society at large.

That's an exaggeration. Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.

No other prior generation comes close.

Compare them to people growing up in the 1980s. The average person at that time was overwhelmingly oblivious to computing very broadly, their grasp of a "file" as a concept would have been close to non-existent. That was just 40 years ago.

In the mid 1980s a mere 10% of US households had home computers. And that was a high mark globally, it was drastically lower in nearly every other country (closer to zero in eg China, India at that time). The number of people routinely using office PCs was still extremely low.

Today young people have a computer in their hand for hours each day, and they knowingly manage files throughout the day.

Not just the web. Last time I installed Backdrops on my phone (a nice wallpaper app), you would literally approve hundreds of uses of your data when you press Consent. Even if you choose to manage choices, 200 'legitimate interest' options are enabled by default. Even when you are a paying Pro user. Data used includes location data.

What makes it worse is that a substantial portion of users block web trackers through an adblocker. However on phones, unless you have a rooted phone or use some DNS-based blocker, all these analytics get uploaded without restraint.

Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.

Some browsers (e.g. Vanadium, Vivaldi) have a built-in adblocker, so you have to trust one party less.

How would you implement ability to arbitrarily block any network connection on any website without giving an extension 100% access?

Safari’s extension model could be really good by now, had they not stopped putting effort into it. You are able to define which extensions have access to which websites, and if that applies always or only in non-Private¹ mode. You can also easily allow an extension access for one day on one website.

But there are couple of things I find subpar:

You can’t import/export a list of website permissions. For a couple of extensions I’d like to say “you have access to every website, except this narrow list” and be able to edit that list and share it between extensions.

On iOS, the only way to explicitly deny website access in an extension’s permissions is to first allow it, then change the configuration to deny. This is bonkers. As per the example above, to allow an extension access to everything except a narrow list of websites is to first allow access to all of them.

Finally, these permissions do not sync between macOS and iOS, which increases the maintenance burden.

¹ Private being the equivalent to incognito.

> every single extension provides 100% access to my websites to whoever controls the extension.

But the browser also has 100% access to all of the websites. The browser is software that works for you. You control the browser.

Who but yourself do you imagine controls your extensions?

I had similar frustrations and been maintaining a Firefox fork trying to fill a gap there. The result is Konform Browser and I think it might be relevant to you; please check it out!

https://codeberg.org/konform-browser/source/releases

https://techhub.social/@konform

Shared today on Show HN but seems to be drowning in deluge of LLMs...

https://news.ycombinator.com/item?id=47227369

> every single extension provides 100% access to my websites to whoever controls the extension

That feels a like a bit of overstatement and depends on what addons you use and how you install them... CSPs at least make it possible to restrict such things by policy (assuming user has been exposed to it and parsed it...). https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web... MV3 introduced further restrictions and controls regarding addon capabilities. While I agree the UI and UX around this could be much better, it's not all hopeless. The underlying pieces are mostly there.

While the fundamental addon execution security model in Konform Browser is inherited from upstream, for core addons like uBO you can improve the supply-chain security situation by loading it under "system scope" and disable addon updates in the browser itself. So while we don't (yet) improve on the runtime aspects you speak of, at least for now we can tighten up the supply-chain side to minimize risk of bad code running in the first place.

Literally `apt-get install webext-ublock-origin-firefox`.

"Enterprise policy files" can be used to change Firefox behavior and tweak security model around addon loading. A little explanation and reference of how it works if you want to do the same in other FF build or for other addons: https://codeberg.org/konform-browser/source#bundled-extensio...

Any particular addon you think is missing from the list there and should also be packaged and easily available? Maybe will be able to improve some of the security-UI/UX here too down the line. I'd be keen to hear your take on how this should be done better!

Regarding what addons can and do leak about you to the outside... I think you may also take interest in FF Bug 1405971. We ship a patch for that which can hopefully be upstreamed Soon (tm).

How would an extension work if it didn't have access to the website you're browsing?

What would a safe extension model look like to you?

At some point, you have to implicitly trust someone unless you audit every line of code (or write it yourself) and build everything from source that you run.

I was just talking about this the other day. This all happened right after 9/11(nevr 4get) and people were fucking PISSED that the patriot act wanted to look at people's library histories. It was a HUGE deal where I lived. Now? Nobody gives a shit and people will trade away their valuable privacy for an IQ test.

Can you clarify what you mean?

My local library is run by the county government, so of course the government can see the checkouts, they are the ones I check the book out from. But they restrict checkout information from others. For example, a parent can see the checkouts of their own children, but not after they turn 13.

Perhaps you're talking about subpoenas? Checking some other libraries I see SF Public Library has some discussion about that, but they delete books from your checkout history once they are returned. https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...

USA PATRIOT Act, early 2000s?

It's almost like not all "technical" people are the same, and in fact have different wants, needs, interests, tolerances and perspectives.

Terrifying.

I bet you use an Android phone don’t you?

"Apps installed on their phones"

"Use Chrome"

"Crazy"

Or, completely normal behavior. Are you suggesting that people should live in a shed in the woods like the Unabomber?

Also Firefox and Safari by default block 3p cookies everywhere, which is a significant step above Chrome

Why not have all tracking disabled by default by law and have users opt in through Settings menus?

With uBlock Origin, you would not see such popups. Also, it may not have an impact on your life, but it sure as hell has an impact on adtech guys' pockets.

So-called "cookie banners" usually ask for your consent to much more than optional tracking cookies. By accepting you might be giving your permission to e.g. track you through various fingerprinting methods, build a profile and share it with advertising partners.

Why even ask for the cookies if denying them doesn’t achieve much?

It’s naive to think that cookies are the only tool used for tracking, but they are the most powerful tool for web based tracking.

No, shan’t give them the metrics :)

I use regular Firefox with the option to delete all data on quit. And I quit maybe once per day or so, as soon as I feel there are too many tabs open. Serves the same purpose.

It was the bikes who fought for pavement everywhere. Cars took it all over. Mud is annoying to walk it, but otherwise humans handle bare dirt just fine.

Look at the suspension on a model T. That thing was built for the dirt wagon roads of the time. People on youtube actually off road the thing today.

This is a perfectly reasonable solution if the problem really is child safety. But we all know it's not. There's money in surveilance and profiling.

> That all random game and messaging sites now wants my kids' passport uploaded to some random 'id verification company' is madness.

This is truly crazy. Random companies interacting on this level with children is far from ideal.

> Please, gov.uk introduce a gov ID verification service? I could trust that, -ish, I have worked with public sector clients several times...

I don't like the idea of governments collecting this sort of data either.

You can just find adblocker rules for cookie banners.

Yeah it's really not worth my mental energy. Sometimes I take the time to reject tracking cookies. But I figure everyone's tracking me and everyone has my SSN at this point, and as long as my credit files are locked I don't really care. Like why do I even care if people are linking all my browsing data together and then using it to market stuff to me.

FWIW I'm 43 and grew up on the dark parts of the internet.

Giving out the Ids directly is stupid. Any sane scheme would use unlinkable attestation.

The problem is most of the time - perhaps all the time - you don't need to care. However you won't know about the exception until it is too late.

If it was about privacy they would simply make all tracking and profiling opt in.

100 percent agreed

Spot on. 99+% of those reading/making these comments use an ad blocker; 99+% of non-techies like me never have and never will.

That was kind of the point.

GDPR has very little to do with dark patterns, nag screens, or online tracking?

> "all the rest of it is a terrible idea"

Having a legal right to ask a company for a copy of all the data they have on you is terrible?

Having a right to ask a company to correct errors in data about you, or delete data about you, that's terrible?

A company having to tell you what they intend do with data about you and stick to it for the threat of a big fine, that's bad?