Embattled users worn down by privacy options? Let them eat code

Struggle ye not with cookies, lest ye become a cookie monster

by · The Register

Opinion The people are defeated. Worn out, deflated, and apathetic about the barrage of banners and pop-ups about cookies and permissions.

Admittedly, the people here are the 40 percent of Brits who have never said no to a cookie in their lives. The rest of us can only feel smug if we've never clicked "Allow" to get into a site we don't care about and just need stuff from in a hurry. Those option boxes are there to protect us. They don't, and the laws that mandate them are an embarrassing failure.

Part of the problem is nothing seems to happen if you don't bother. Having your data privacy abused is like living in a house with faulty wiring. You know it's bad and you should do something about it, but it's always easier to put it off while nothing bad is happening. Then the bad thing happens.

You might not care that your car is snitching on you, until it catches fire and the maker refuses to take responsibility because you previously drove at 85 mph.

Taking your money without taking responsibility is a way of life for entire industries, and the more data they have on you the easier it is. They are far bigger than you and they've already got your cash, so good luck disagreeing.

Regulators and lawmakers recognized this power imbalance, which is one of the reasons behind things like the EU cookie law – more properly, the ePrivacy Directive and GDPR. This has the very best of intentions, mandating that cookies are personal data and we own them. We get to make mandatory decisions from an informed viewpoint about the specific use of such things. Only we don't. The constant call for choice wearies us and becomes our enemy. The cookie fighter has become the cookie monster.

The issue is one of psychology, not technology. In the same way that companies construct terms and conditions to be as appetizing to read as creek mud is to gargle, they design cookie options to take too much attention to properly operate. They know the default action to any online irritant is to do whatever it takes to make it go away with the least expenditure of thought. The cumulative effect of thousands of the things is capitulation.

Organizations whose business models rely on screwing every drop of personal data out of you can and do spend all day every day finding new ways to skirt privacy directives. It is very difficult to legislate against constant annoyances, although the regulators try. One of the latest enterprising innovations is to use the cookie law option box to ask for money to opt out of cookies and trackers. This "Consent Or Pay" approach is, at first blush, and second, against the GDPR. Regulators do like to be fair, though, which is why the UK's Information Commissioner's Office (ICO) is having a jolly good think about it.

Not that this matters if the cookie laws themselves are completely failing a large percentage of users and doing nothing much for the rest of us. The behavior of harassed humans isn't going to change, nor is the avarice of the bottom line. Regulators think in terms of behavior and practice, of stopping things that go wrong rather than innovating for improvement. Sometimes, however, you've got to go tech bro.

If people are easily worn down by repetition and misdirection, computers thrive on the first and are highly resistant to the second. If all cookie law option boxes were a standard format, so that it was easy for users to get the muscle memory to decline that stuff they didn't want, the story would change dramatically. They're not, of course, and given the variety of sites, as well as services and device display settings, it's not a practical option. Create a standard API, however, and those objections go away.

The user gets to configure their own default responses in the browser's privacy settings, and the cookie law option box disappears. Sites and services can ask to have their special cookies opted in, but the price to the users for not thinking about such options is zero.

Cookie-addicted businesses will hate this idea, but it's hard to construct a logical reason why it's a bad idea. It's entirely in the spirit of personal data protection, while being a small modification to an existing mechanism that's not working and needs to be fixed. The additional burden to site and service creators, and browser makers, is negligible. As APIs go, this is a bijou miniature compared to the complex monstrosities that enable all the online cleverness we know and love.

There are further advantages. As things stand, it's difficult to impossible to automate scanning for compliance of mandated data privacy options. With an API, we're off to the races. Even more intriguing, consider a landscape where publicly available compliance APIs are part of the armory of regulators and activists alike. That would focus a lot of minds in a healthy direction.

Computers are far better at following rules than humans. We might as well get them on our side. ®