>No, they're asking for consent to track because the EU demanded it.
Given that you can completely block cookies and other tracking in the browser, why on earth did they bother? I despise bureaucrats writing laws when they don't understand technology.
I despise engineers writing code when they don't understand laws.
Yes, we can play the tracker-removal cat-and-mouse game, but that involves a lot of time and effort, projected forever. This battle is going to be won by whoever has the most time and money to waste, and, spoiler alert: it's not the adblock vendors. It's Google.
In the specific case of cookies, you need those to authenticate to web services, so you can't just block all of them. Instead you need to delicately allow or deny every cookie based on if its purpose is holding a login token or tracking a user. In fact, sometimes it's both.
Strictly speaking, if I log into Facebook, that shouldn't be considered consent to track. But right now, that's how it works. You know all those "login with Facebook" buttons all over the web? Those give Facebook third-party tracking capability. There is no browser extension in the world that will allow you to log in with Facebook without also telling Facebook what site you were logging into. You need a law to force Facebook to split-brain themselves and silo off that data from their advertising operations.
Yeah, sure. "Just don't use Login with Facebook". Except every third-party login system has this problem - and there are plenty of smaller companies that absolutely do not want to handle user credentials and require that you use a third-party login service. And given that using smaller providers is the easiest way to get your credentials stolen, it is entirely understandable and advisable that they not roll their own authentication.
Furthermore, most users are not at all aware of all the technical stuff I mentioned above - and they shouldn't have to be in order to have privacy.
Having a well-written law is a lot easier: you just tell Facebook, "no, really, if you use your login service to track people we're going to fine you". Corporations react to (sufficiently large) fines a lot more favorably than technical restrictions or circumvention. "Don't be evil" is a way bigger guarantee than "can't be evil".
Preach! What we ultimately need is just a law that says it is illegal for companies to collect or store any data for marketing purposes, tracking, or resale. No opt-ins, no exceptions. Unfortunately we can't fully kill targeted or unsolicited advertising at the root because of freedom of speech issues, but we can eliminate all the data it depends on.
People see "targeted advertising" as "I was thinking about buying a bike and it shows me ads for bikes", i.e. it's showing me what I want to see. That is not targeted advertising. Targeted advertising is showing you what they want you to see when they want you to see it, or showing you the same products in a light that makes you more likely to buy them.
For example, showing you unlikely or imagined bike-related problems, to sell you useless protection gear or insurance after you get your bike. Showing you ads for motorcycles, because although you probably don't want one, someone who already likes bikes is more likely to buy a (more expensive) motorcycle, so that's where they'll direct their spam.
Targeted advertising is about manipulation, using knowledge of the customer to change their behavior. No one is going through those efforts to show you what you already want and save you a quick Google.
You have quite a low view of people's ability to make decisions for themselves if you think being shown ads is manipulation. And I struggle to see how targeted ads are somehow worse than the same sort of 'manipulation' inherent in using an algorithmic feed like HackerNews or Twitter. Both are exposing you to things they want you to see. Yet you don't seem to have such strong opposition to those as you do targeted ads.
I think it's less the targeted advertising, and more like I can't take 5 internet steps today without 40 people shouting at me to buy their diapers because my partner googled "diapers" last night.
Two, because the ads are more relevant, the advertiser makes far more money on them and therefore doesn't have to show you as many to fund their service.
I 100% agree, but I feel like the proliferation of consent banners was predictable and if people didn't want it, the law should have initially accounted for it.
Assuming people would just log less was hopelessly naive (especially given that Apache defaults already do enough logging to run afoul of the GDPR).
Apache logs for example do not run afoul of GDPR unless you:
A) process them. (Correlate them with further identification)
B) sell them.
C) do nothing to secure them.
Regardless. The law does have conditions for these cookie banners. Namely that if you do not present an easy 2 click opt out then you’re in violation. Many people are in violation in what I feel is an attempt at a sort of civil disobedience. “They can’t prosecute us if we all do it” mentality.
I'm not sure a lawyer would agree with your assessment of the Apache logs. If they aren't actively being used to maintain site health, the mere collection of private IPs is enough to make them unnecessary private information.
And that's the default for collection of Apache logs.
You would be 100% in the clear on that as long as you apply a reasonable retention policy to your logs. Keeping them forever isn't reasonable. Keeping them for a year almost certainly is.
You would be 99% in the clear if you do nothing. The worst that's likely to happen is that you're forced to adopt a retention policy and delete old logs, and even that is extremely unlikely unless you are Google/Facebook scale or are doing something significantly worse than industry standards.
I guess it varies depending on the lawyer, mine agrees with my interpretation.
Law depending on the opinion of lawyers is “useful”.
If anyone wants to attempt to prosecute me for storing Apache logs then I’m happy to defend it in court. GDPR isn’t the boogeyman unless you’re selling data. I’m quite certain there are sympathetic judges to that end. Logs are necessary and even in some cases legally mandatory.
With a 20 million euro minimum fine on the table, I don't think I'll feel comfortable on this topic until either the law is clarified or someone sets precedent.
My lawyer's great, but he won't be paying the fine if he's wrong.
$20 million isn't the minimum fine. That's the maximum fine for companies with under $500 million in annual turnover.
You aren't going to get the maximum fine unless you are doing something egregious. Collecting the default Apache logs and not using them for anything malicious isn't going to get you the maximum fine or likely any fine at all.
Because cookies are useful functionality that should be used in our best interests, not to pad some corporation's bottom line via surveillance capitalism. We shouldn't have to block cookies or anything, they're the ones who have to stop creating software that is essentially malware.