Implications of Global Privacy Control

"Tracking" is pretty vague and trying to stop it is just unenforceable, unlike "selling personal information" which is very clear and what GPC and the CCPA and GDPR cover. I often criticize Mozilla but they're correct in replacing unenforceable DNT (which is also worse fingerprinting-wise since it has three possible values instead of being a binary on-off signal) with GPC. It's long overdue.

DNT failed because advertising and online stalking companies refused to abide by it when browsers enabled it by default. The GPC spec tries to work around this by having the spec disable the feature by default.

This new spec is necessary because American legislation requires opt-out signals not to be the browser default. That means DNT, as browsers used it, is not legally an opt-out signal, because browsers default to it.

What this is doing is throwing out the header that had legal backing in Europe for a slightly worse copy that hopefully has legal backing in America in the future.

It's a silly specification, but if it gets companies to actually respect this iteration of the DNT spec then I'll accept it.

As for DNT, Firefox may have removed it but addons can still set it. As useless as that may be, because the spec is marked as outright deprecated (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), you can still send the signal.

OPTION isn't always necessary, there are ways to prevent those requests.

Also, the GPC request will probably only be sent when you enable GPC, which basically means "almost nobody".

I work as a Data Protection Officer, which is a legal role under GDPR, and am rather unimpressed by GPC. I could whine for a day, but among the most problematic issues: It's not clear if "Sec-GPC: 0" should be interpreted as:

1. "no" to collect personal data under GDPR consent; or 2. "objection" to collect personal data under GDPR legitimate interest or; 3. "no" to retrieving and storing data on a user device (e.g. cookies, localStorage); or 4. A linear combination of the above.

Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button. No need for browser vendors to propose standard which at least one browser vendor can't be bothered to implement.

Ideally it would be an attempt to regulate more than that. If I've set a flag that indicates a preference about the use of my personal information that I have some legal right to demand, I want it enforced. You don't get to ignore my request because internet.

It's just an extension of copyright, which already regulates the entire internet. You should have the copyright over your mouse clicks, plus 100 years after the death of the author.

It's no more regulation than GDPR. They're just trying to make GDPR less insanely annoying.

But given the EU's track record I give this a 0.1% chance of success.

So what do you refer to all the other stuff that is accepted as "the internet" but is not websites?

Unfortunately because this is rare, it’s a strong signal for fingerprinting and helps people track you without your consent.

Maybe I can use the GPC header as a way to let advertisers track and target me with exciting offers. Perhaps they can create a "fingerprint" from the three headers I send: Host+Connection+GPC, as I request web pages with netcat or tcpclient through a localhost-bound TLS forward proxy. I use these clients on a daily basis for making HTTP requests. I read HTML with a text-only browser. I do not use DNS when requesting www pages. The needed IP addresses are stored in the proxy's memory. For some reason I never see any ads.

Unfortunately, the sec-gpc header does not seem to be working as I have not received any advertisements after I started using it. Perhaps I have to manually request the ads and send the telemetry since I am not using browser that auto-loads resources or runs Javascript. Maybe I need to put the IP addresses for the tracking and ad servers into the proxy's memory.

Meanwhile, I am missing out on whatever products, services and campaign drivel the advertisers might show to people who use netcat/tcpclient and send only three HTTP headers. No doubt all the online merchants using text-only e-commerce platforms must target some amazing offers to all the online shoppers using netcat/tcpclient.^1 Someday maybe I too can receive them.

1. IIRC, funnily enough, there is a commandline "e-commerce solution", i.e., online store, that has been shared on HN before, perhaps as joke.

Tracking is not synonymous with ads. Advertising was big business back when you had to just put a jingle on the airwaves or paint a billboard and trust that the right demographic would happen on it. It is plenty possible display ads and make money from them without invasive tracking, for example duck-duck-go does so. On the other hand if you do not fight tracking, paying for the service is no defense, they will just double-rip every time, triple dip if they think they can slot ads in.

I don't think that Mozilla is saying you should provide service for free. If GPC is turned on, the website can just pop up a paywall, no?

> Common sense would indicate that ticking of the box overrides the browser setting

In theory, the /.well-known/ file could have its timestamp updated to reflect to the browser that the situation has changed and the user may perhaps need to make another choice. In practice, every website with trackers will just always pretend things have changed and browser controls will be useless.

> Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

This is why I prefer what Microsoft attempted to do with P3P instead. Of course no website ever bothered implementing it, but Microsoft came up with a protocol to at least list a display privacy policies for every partner website.

If browsers came with UI to manage which trackers the user accepts by default, with specific website overrides of course, this mechanism could be extended to in-browser privacy popups that can have their defaults be "no, fuck off" without the ambiguity.

The protocol could even be extended to permit the website to request changing the sharing setting, for instance when you sign up for a newsletter. As long as the UI is gatekept enough (say, once per x minutes after user interaction, up to y parties at once, otherwise the notification will be a little icon in the URL bar), it might just automate away the entire cookie popups.

Of course you'd need to convince the EU and California to declare these protocols as mandatory, but I think that's going to be a lot easier with a protocol where users have more choice than with this unary GPC header.

What I think they will do is just prevent you from registering? You want to register? Disable the flag.

The same as with the "do not accept". If you do not, they will nag you endlessly until you finally do allow the cookies.

I mean, we just can't win :(

> CCPA only applies in Europe

CCPA applies in california, not europe. It's in the name: "California Consumer Privacy Act". Did you mix that up with GDPR?

> forcing users into sharing information with the site to be allowed to access the site

One of the CCPA rights are "Not be discriminated against for exercising their privacy rights". Denying access would almost certainly be classified as discrimination.