
Just don't use sites that don't respect your privacy. If it doesn't like you blocking cookies, walk away.


I highly recommend Temporary Containers for Firefox. It can be set up so that every time you open a new tab, that is a new context, new logins, new cookies.

No reason to block sites that set cookies, since in a few minutes they will be deleted anyway.


That's something I miss in Chrome/Opera.


So, don't use the internet? Because that's what you're describing.

Better cut the power cord, too, just to be safe.


I whitelist cookies; only sites that I have a known relationship to (e.g., HN, for login) get to set cookies.

The overwhelming majority of the web still works just fine. It's trivial to pick out what doesn't, as it either tends to:

a. require cookies for some inane task that doesn't need them, and it tells me this

b. breaks horribly. Typically, JS trying to access LocalStorage, but not checking whether the call was successful or not.

The grandparent is also wrong about,

> Therefore if you do not have cookies from the major ad networks, you're either a brand-new device or an incognito browser.

No, or you're whitelisting all or third-party cookies. (The latter being significantly easier to do, and causes much less breakage. I don't think I've ever seen a third-party cookie cause breakage.)

N.b., I'm not necessarily recommending what I do to others; it takes a lot of work, and I really need better tooling around my flow. But it gives me the context on how cookies/persistence causes or does not cause site breakage.
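An added illustration of breakage mode (b) above, not code from the thread: when a site's cookies are blocked, Firefox throws on the `localStorage` access itself rather than handing back a working object, so a page that touches storage without a try/catch dies at that line. The wrapper below probes storage once and falls back to an in-memory store. The `getStorage` accessor, the two simulated browsers and the `demo()` driver are hypothetical helpers constructed for this example; in a real page the accessor would be `() => window.localStorage`.

```javascript
// Added example (not from the thread): a storage wrapper that survives the
// "cookies blocked" case, where the browser throws on window.localStorage
// access instead of returning a working Storage object.
//
// Assumptions: `getStorage` is a hypothetical accessor supplied by the caller
// (in a browser: `() => window.localStorage`); the in-memory fallback is a
// Map, so calling code keeps working in a session-only way.

function openStorage(getStorage) {
  // Both the property access and the probe write can throw (SecurityError,
  // QuotaExceededError), so the whole probe sits inside one try block.
  try {
    const s = getStorage();
    const probe = "__storage_probe__";
    s.setItem(probe, "1");
    s.removeItem(probe);
    return { backend: "persistent", store: s };
  } catch (e) {
    const mem = new Map();
    return {
      backend: "memory",
      store: {
        getItem: (k) => (mem.has(k) ? mem.get(k) : null),
        setItem: (k, v) => { mem.set(k, String(v)); },
        removeItem: (k) => { mem.delete(k); },
      },
    };
  }
}

// Simulated browsers, constructed for the example.
function blockedStorage() {
  // Firefox with cookies disabled for the site: the accessor itself throws.
  throw new Error("SecurityError: The operation is insecure.");
}
function workingStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Typical site code: remember a preference and read it back.
function rememberPreference(storage, key, value) {
  storage.store.setItem(key, value);
  return storage.store.getItem(key);
}

function demo() {
  const blocked = openStorage(blockedStorage);
  const working = openStorage(workingStorage);
  return {
    blockedBackend: blocked.backend,   // "memory"
    workingBackend: working.backend,   // "persistent"
    blockedValue: rememberPreference(blocked, "theme", "dark"),
    workingValue: rememberPreference(working, "theme", "dark"),
  };
}
```

The point of the probe write is that some browsers expose a `localStorage` object that exists but throws on `setItem` (private mode in older Safari did this), so checking `typeof localStorage` alone is not enough.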


Or you can just freely allow all cookies from any website that wants to set them (sites will be happy and working), but only for current browser session. You have to remember to restart the browser every now and then, though.

Then use whitelist to selectively allow cookies from some "friendly" sites to be stored permanently.


If the intent is no tracking, then this defeats the purpose.

Often the browser stays open for hours and you'll have identifying tracking cookies very quickly.

A great, really underused feature in Firefox is first party cookie isolation: it isolates all cookies set by a site to the same domain, preventing all cross site tracking.

Set privacy.firstparty.isolate to true in about:config.

Some more info: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-...


Or use an extension like Cookie Auto-Delete. It clears all cookies set by a given tab when that tab is closed, and lets you whitelist domains which can set cookies which won't be deleted.


Thanks, that's much better than my approach. This is exactly the extension I needed, as it makes cookie management more straightforward and transparent to me.

I switched yesterday and couldn't be happier. :)


I clear all browser data upon exit.

Overkill? Maybe, but it works for me.


Plenty of sites respect user privacy. I should know; I run dozens of them.


Define plenty.

Are among those "plenty" the actual important pages that people want to use? Or some irrelevant pages here and there?

And how do you know there are plenty?

In fact, even if it is so, how can anyone verify that, even just about your sites? We can merely just trust you.


Most of the articles I click through to from HN work just fine with all JS, including first party, blocked by uMatrix.


>the actual important pages that people want to use?

Where is this special list of important pages? Are the sites I want to use not important? Does your comment need to be so simultaneously defeatist and hostile?


>Where is this special list of important pages? Are the sites I want to use not important? Does your comment need to be so simultaneously defeatist and hostile?

Or, as I like to call it, pragmatic.

Visits are a power law distribution: 80% of people's visits go to 20% of sites, and so on, recursively.

So unless e.g. the top 1000 (which may vary depending on country) people want to use are there, e.g. the social media, news sites, booking, video, shopping sites, banking sites, you're just talking about a number of niche websites.

Sites that "still work with JS disabled" are in the minority on those lists.

Essentially you're saying "don't use all those sites with the content/services you want", use all those others that don't have tracking (but which you don't really care for).

E.g. pointing to Diaspora vs Facebook...

The best I've seen people come up with on this front is DDG vs Google.


> Sites that "still work with JS disabled" are in the minority on those lists.

You'd be surprised how many sites are still viewable without JS enabled.


You’d be surprised how many sites are more viewable without JS enabled.


Damn straight! Disabling JS fixes more websites than it breaks.


I feel like this is a reference to ‘Arrested Development.’


Haha, it was indeed my inspiration. But it's also true! Dozens! :)


And if it is not, it should be.

DOZENS.


There are plenty of ways to track that involve zero javascript.


If plenty is "a few" then I would agree (and I am glad you respect privacy). I am still searching for one site that I could give as an example for GDPR, and they are all blatantly violating it. In most cases they just give you the fake impression they respect privacy (by setting the banner to "opt-out" (which is a violation on its own) after the tracking 3rd party scripts are already loaded).

The whole privacy deal on the web just shows moral corrosion. It is putting IT neck and neck with scammers.


> I am still searching for one site that I could give as an example for GDPR, and they are all blatantly violating it.

I think the reason you can't find one is likely because you are disqualifying all the ones that aren't violating it. There are lots of websites that don't violate GDPR: they don't record any information. Perhaps we can quibble about server logs and whether or not IP addresses are PII, but let's stick to at least the broad strokes here since you are saying all sites blatantly violate GDPR.

I think what you are probably trying to say is that amongst the websites that are trying to harvest your data, (virtually) all of them do so in a way that violates GDPR. This is not surprising to me, because at its heart GDPR is trying to encourage companies not to harvest personal information.

I don't think we will ever get around that. The question is not whether or not many (most? virtually all?) companies will try to get around GDPR (they will). The question is whether or not GDPR will have a positive influence on the use of private data. I can say in the company I do work for, it has completely transformed how we deal with PII. We now actually have gatekeepers that tell marketing what they can and can't have access to. If there are problems, then people actually get chewed out and we put real, emergency resources into fixing them. I mean it is absolutely night and day.

For us there is always this fight between people and departments that would like unrestricted access to information and people who are protecting it. Without GDPR, there was no defense! There was no argument you could make -- "It's wrong!" "By whose definition? The lawyers are fine with it" Now we can legitimately say, "You can't legally do that". Not only that, but I've even had marketing managers being very concerned that we might be handling data incorrectly. I've never, ever seen that before in my 30 year career.

Yeah, there are lots of problems and I don't see them going away ever, but man GDPR is really helping in a lot of areas.


Ok, I wasn't talking about the protecting-the-data part.

>The question is not whether or not many (most? virtually all?) companies will try to get around GDPR (they will)

They aren't getting around it, they are violating it; with GDPR being done as a concept, you can't work around it.

The question is, when it will be enforced.

I don't have anything against tracking, targeted ads etc., but only if GDPR is followed, which means opt-in consents, no "let's stuff everything under legitimate interest" and so on. Under GDPR conditions I am even prepared to turn off ad blockers.

And I won't even start talking about mobile applications.


But "let's stuff everything under legitimate interest" is totally valid if it is actually legitimate interest. Opt-in consent under GDPR is probably your worst strategy. The lawful basis you want to be under is contract basis: you gather the information you need for the contract. You hold it until the contract is up and then you delete the information. That's the best for everyone.

Legitimate interest is the next best for everyone. You collect the data for contract purposes and you retain it beyond the contract period, or you use it for something other than the contract, but it's for a legitimate reason. You must tell the user that you are using the data for the legitimate reason and what that legitimate reason is!!! It's a very good way to use data. If the user objects, then they can object and you can't use the data (you have 1 month to respond).

After that (and ignoring lawful basis, etc) you have consent. Consent is an awful reason to collect and retain data. You don't need it for the contract. You have no legitimate reason to have the data or to use it. You just want it. So you ask the user if it's OK.

No company should choose consent. It's horrible, even for the business. As I've written before, if the user opts out, there doesn't seem to be a way to opt them back in if they change their mind. So if there is any way for you to turn consent into contract basis, you really, definitely should! If there is some reason that the user would like to consent, then you shouldn't be using consent. You should offer them a service.

It's super frustrating to me that people harp on about consent, because that is really going against the grain of GDPR.


You got legitimate interest wrong. I won't bother explaining, as I am sick of downvoting (would love to discuss recitals); here is a presentation from Tim Walters, check the legitimate interest part (or the whole thing, you might be surprised): https://www.youtube.com/watch?v=-stjktAu-7k

Bottom line, "the grain" of GDPR is user interest. Not "user experience", not business interest.

Users' interest.

And it is HARD to decide instead of him; I would rather pop up a consent dialog with opt-in than shovel everything under legitimate interest.

As it is so easy to get wrong: sure, you are sending a packet to the customer, you need (legitimate interest) the address; a phone number comes in handy (requiring it is fishy); forcing it to protect a login on a social network? I wouldn't do it. For me, as a security aware person, you would have to crawl trying to prove I am in danger with 15-letter randomly generated passwords, generated for each and every site. Unlike for John Doe. So it becomes optional, while forcing it, in my case, violates GDPR. It was just one example.

But anyway, check Tim Walters.


I don't think we are at odds with what you are saying. I'm 45 minutes through Tim Walters' video and there is absolutely nothing new for me so far. I suspect I'll get to the end and there will still be nothing new for me because I'm starting in the same place he is.

As for your example, I totally agree! Forcing you to log in to a social network to send a package is crazy. I order cheese making supplies on the internet because I have no other way to buy them. Not a single supplier of cheese making supplies even offers to make me log into a social network.

You're making the statement that all sites are blatantly disregarding the GDPR and I think it's because you just don't pay attention to the sites that aren't.

I'll give you an example (which is cheese making again). I wanted to check the shipping costs for cheesemaking.com. I don't like the fact that they make me fill out all of their order forms before they tell me the shipping cost, but they do. They have a newsletter which they use to do their marketing, but for now I've not signed up for it. When I didn't complete the process, they sent me an email. They asked if something went wrong and said they will hold my order for 48 hours. After that, they will delete all of my information.

And these guys aren't even in the EU (and neither am I, although I work on contract for a company that is). This kind of behaviour is exactly what I expect and I think it is completely in line with the directives. The only thing they were missing is telling me under which lawful basis they were operating in each case.

Is it contract basis? Keep in mind that as far as I can tell, "contract basis" does not actually require a contract to be in place (i.e. you don't have to have consideration), so I think there is an argument for saying that since I contacted them and started to initiate a purchase, following up on why I didn't finish (for a limited time period) is within the directive.

Even if it weren't, it is almost definitely within legitimate interest. To really qualify for that, they would have to offer to let me object, but since they will delete my data after 48 hours I think they are following the spirit of the directive (because you only have to respond within 1 month).

I don't know. I think the reason you keep getting downvoted is because you seem to be focused on something that is different from what everyone else is talking about. It's absolutely true that there are a lot of companies who don't give a flying monkey's about GDPR. But it is untrue that there isn't anyone. The rest is details, and as Tim Walters is at pains to explain, the GDPR specifically is not prescriptive because they want you to follow the principles, not a checklist of rules.


I don't think we are talking about the same thing.

I am talking about:

“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction." (https://edps.europa.eu/sites/edp/files/publication/17-03-14_...)

Anyway, I was talking about a social network requiring your phone number, not a market requiring you to log in with a social network ID. And you are talking about a business where there is a business transaction. I am talking about a site you surf to.


> Anyway, I was talking about a social network requiring your phone number, not a market requiring you to log in with a social network ID. And you are talking about a business where there is a business transaction. I am talking about a site you surf to.

OK. That was not clear at all to me! Now that I understand that, I understand what you were trying to say a lot better. I still don't think we materially disagree with each other, though. There are lots of sites that are good examples for GDPR. I think it is absolutely true that none of them are trying to harvest and sell your data! I don't see how that could be the case. If you use that as your criteria, I don't think it is possible that you will find an example. Should those sites be banned from the web? I'm not sure, but it wouldn't bother me, that's for sure!



