Implications of Global Privacy Control

hedora

> The GPC signal will be intended to communicate a Do Not Sell

So, there is no tracking opt-out like DNT had.

Do Not Sell is classic regulatory capture: It allows incumbent players to continue their current bad behavior, and directs revenue streams from smaller players (data brokers) to existing monopolies.

Also, this opt out won’t interfere with Mozilla’s recently acquired ad business, which uses user data to sell ad real estate (invading their privacy with obtrusive ads).

(Sorry for the awkward sentence, but they claim it is a privacy preserving technology that doesn’t gather or sell user data, and there’s no way to be doublespeak compliant without using tortured grammar.)

mimasama

"Tracking" is pretty vague and trying to stop it is just unenforceable, unlike "selling personal information" which is very clear and what GPC and the CCPA and GDPR cover. I often criticize Mozilla but they're correct in replacing unenforceable DNT (which is also worse fingerprinting-wise since it has three possible values instead of being a binary on-off signal) with GPC. It's long overdue.

onli

The article ignores that the DNT header already had some regulatory backing, as in court decisions saying it ought to be respected. https://www.datev-magazin.de/nachrichten-steuern-recht/recht... references such a decision against LinkedIn.

Instead of using that, this new proposal seems to be exactly the same thing, just with more work for website hosters (having to add nonsensical files to /well_known/) and claims that this time, the regulatory backing will be good enough. Bullshit. They could have just tried to enforce the DNT header now, with the new regulations and the old case law. Instead they ripped it out of Firefox.

jeroenhd

DNT failed because advertising and online stalking companies refused to abide by it when browsers enabled it by default. The GPC spec tries to work around this by having the spec disable the feature by default.

This new spec is necessary because American legislation requires opt-out signals not to be the browser default. That means DNT, as browsers used it, is not legally an opt-out signal, because browsers default to it.

What this is doing is throwing out the header that had legal backing in Europe for a slightly worse copy that hopefully has legal backing in America in the future.

It's a silly specification, but if it gets companies to actually respect this iteration of the DNT spec then I'll accept it.

As for DNT, Firefox may have removed it but addons can still set it. As useless as that may be, because the spec is marked as outright deprecated (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), you can still send the signal.

joker99

There are dozens of ways how browser devs could make it default, without making it default - by way of malicious compliance. Example: The first time the browser is opened, display a big fat page asking "DO YOU WANT TO BE TRACKED & SURVEILLED ON THE INTERNET??? NO (highlight in nice colour) / YES (add dark pattern here) / learn more (in tiny font)". Pretty sure most people would click "NO". Every couple of weeks it could pop up again with a similarly phrased question "ARE YOU SURE YOU STILL DON'T WANT TO BE TRACKED?" but this time with a nice UI element where the user can specify that the answer to this rhetorical question will stay the same for the next n days/months/years/decades/centuries/millennia.

salawat

Allowing assholes to continue being assholes is the crux of the problem. Companies ignoring DNT on as a default should have been met with massive punitive fines and liability. Instead, we're not doing anything to curtail the behavior.

luckylion

Wasn't this just Microsoft back in the day that enabled it by default, and they were already a small player at that point (Chrome was the leader and even Firefox had more market-share back then iirc)?

In other words: "browsers" didn't make it the default, one small browser did.

And so if _any_ browser, whatever tiny percentage they might have of the market, will make this new proposal the default, advertisers can again say "see? totally unreasonable, we won't follow that".

But it being made default by Microsoft was never the problem, ad-companies just didn't care.

pseudalopex

Internet Explorer's market share was a little more to a little less than Chrome's in mid 2012. It was the only significant browser to enable Do Not Track by default as far as I know.

Advertisers wouldn't have cared until laws forced them to care. Microsoft enabling it by default ensured there would be no laws.

inetknght

> American legislation requires opt-out signals not to be the browser default

Can you cite the legislation stating that?

colingauvin

I was pleasantly surprised to learn that my state passed a law requiring businesses that serve 50k or more residents here respect this setting and opt me out of tracking by default.

greatgib

Do I understand correctly that this means that browsers will have to do yet another useless request to domains or websites to know the GPC status, in addition to the request required to retrieve the resources? In addition to OPTION requests that already have to be done?

jeroenhd

OPTION isn't always necessary, there are ways to prevent those requests.

Also, the GPC request will probably only be sent when you enable GPC, which basically means "almost nobody".

casenmgreen

Any takes on this from someone who knows about it?

anticristi

I work as a Data Protection Officer, which is a legal role under GDPR, and am rather unimpressed by GPC. I could whine for a day, but among the most problematic issues: It's not clear if "Sec-GPC: 0" should be interpreted as:

1. "no" to collect personal data under GDPR consent; or
2. "objection" to collect personal data under GDPR legitimate interest; or
3. "no" to retrieving and storing data on a user device (e.g. cookies, localStorage); or
4. A linear combination of the above.

Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button. No need for browser vendors to propose a standard which at least one browser vendor can't be bothered to implement.

jeroenhd

"Sec-GPC: 0" is invalid. The value can only be 1, and that explicitly cannot be changed in the future according to the spec.

This makes GPC a flag that means "unknown" or "opt-out". There is no "please share my data with your newsletter company" value, there can only be "do whatever the default is for sharing my data with any company you partner with".
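The unary header described in the comment above, as an added example that is not part of the thread or of any project it mentions: a strict server-side reading of `Sec-GPC` in which only the value `1` counts as a signal. The partner names, the site default list and the "explicit opt-in" policy are hypothetical assumptions, and the request headers are constructed samples.

```python
# Added example (not from the thread): strict server-side reading of Sec-GPC.
# Partner names, SITE_DEFAULT and the opt-in policy are hypothetical.

def gpc_opt_out(headers):
    """Return True only if the request carries the one defined value, "1".

    headers: list of (name, value) pairs. Field names are case-insensitive
    and the field may repeat (for example when a proxy appends its own copy).
    """
    values = [v.strip() for n, v in headers if n.lower() == "sec-gpc"]
    # "0", "true", "" and similar are not defined values: treat them as
    # "no signal", never as consent. If any copy is exactly "1", honour it.
    return "1" in values


def partners_to_share_with(headers, site_default, explicit_opt_ins):
    """Pick which third parties may receive this user's data.

    Without a signal the site's own default applies (the "unknown" state).
    With the signal, only partners the user opted into individually remain
    (assumed policy for this example).
    """
    if not gpc_opt_out(headers):
        return sorted(site_default)
    return sorted(set(site_default) & set(explicit_opt_ins))


# Constructed sample requests.
SITE_DEFAULT = ["ads.example", "mail.example", "stats.example"]
REQ_BROWSER = [("Host", "shop.example"), ("Sec-GPC", "1")]
REQ_PROXY = [("host", "shop.example"), ("connection", "close"), ("sec-gpc", "1")]
REQ_INVALID = [("Host", "shop.example"), ("Sec-GPC", "0")]
REQ_NONE = [("Host", "shop.example")]

if __name__ == "__main__":
    for req in (REQ_BROWSER, REQ_PROXY, REQ_INVALID, REQ_NONE):
        shared = partners_to_share_with(req, SITE_DEFAULT, {"mail.example"})
        print(gpc_opt_out(req), shared)
```
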

andreasmetsala

> Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button.

Personally I’m tired of cookie pop-ups on websites, a reject all button does nothing to solve the actual problem. If a user's browser can somehow communicate the preference so we don’t need to click on pointless stuff then wouldn’t that be optimal?

roenxi

> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.

This sounds like an attempt to regulate the entire internet.

pessimizer

Ideally it would be an attempt to regulate more than that. If I've set a flag that indicates a preference about the use of my personal information that I have some legal right to demand, I want it enforced. You don't get to ignore my request because internet.

whatshisface

It's just an extension of copyright, which already regulates the entire internet. You should have the copyright over your mouse clicks, plus 100 years after the death of the author.

throw10920

How is GPC an extension of copyright?

whatshisface

Laws for GPC are an extension of copyright, that prevents companies from selling works that (in theory) belong to us.

IshKebab

It's no more regulation than GDPR. They're just trying to make GDPR less insanely annoying.

But given the EU's track record I give this a 0.1% chance of success.

drpossum

So what do you refer to all the other stuff that is accepted as "the internet" but is not websites?

roenxi

... the internet? I get the impression you're trying to ask something that you haven't articulated. I don't know why it'd be assumed that this approach will stop at websites.

1vuio0pswjnm7

For a while now I have been adding a "sec-gpc: 1" header in the forward proxy (client/browser agnostic). Thus, at least one person is using it.

JimDabell

Unfortunately because this is rare, it’s a strong signal for fingerprinting and helps people track you without your consent.

1vuio0pswjnm7

Maybe I can use the GPC header as a way to let advertisers track and target me with exciting offers. Perhaps they can create a "fingerprint" from the three headers I send: Host+Connection+GPC, as I request web pages with netcat or tcpclient through a localhost-bound TLS forward proxy. I use these clients on a daily basis for making HTTP requests. I read HTML with a text-only browser. I do not use DNS when requesting www pages. The needed IP addresses are stored in the proxy's memory. For some reason I never see any ads.

Unfortunately, the sec-gpc header does not seem to be working as I have not received any advertisements after I started using it. Perhaps I have to manually request the ads and send the telemetry since I am not using a browser that auto-loads resources or runs Javascript. Maybe I need to put the IP addresses for the tracking and ad servers into the proxy's memory.

Meanwhile, I am missing out on whatever products, services and campaign drivel the advertisers might show to people who use netcat/tcpclient and send only three HTTP headers. No doubt all the online merchants using text-only e-commerce platforms must target some amazing offers to all the online shoppers using netcat/tcpclient.^1 Someday maybe I too can receive them.

1. IIRC, funnily enough, there is a commandline "e-commerce solution", i.e., online store, that has been shared on HN before, perhaps as a joke.

TZubiri

I'm an absolute outsider to this, I use Edge and would use Chrome if need be.

It seems to me like Mozilla appeals to paranoid users who don't pay for software and also don't want to see ads, and in exchange insane demands and revolt are placed upon them.

One thing you learn when providing services is that the demands don't ever stop. The more you provide for free, the more demands you get.

Would not want to be in this space, let's normalize paying for software, then you wouldn't need to worry about alternative monetization schemes.

recursivecaveat

Tracking is not synonymous with ads. Advertising was big business back when you had to just put a jingle on the airwaves or paint a billboard and trust that the right demographic would happen on it. It is plenty possible to display ads and make money from them without invasive tracking, for example DuckDuckGo does so. On the other hand if you do not fight tracking, paying for the service is no defense, they will just double-rip every time, triple dip if they think they can slot ads in.

throw10920

I don't think that Mozilla is saying you should provide service for free. If GPC is turned on, the website can just pop up a paywall, no?

JimDabell

I don’t think this article does a good job of explaining what this achieves.

> Web users want to have more autonomy over their data. They want to know who has it, where it's going and why, and they want to be able to consent to how their data moves between parties.

> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.

Okay, so assuming a user has this enabled in their browser settings, and they register on a website. They tick the box that says “Add me to your mailing list”.

Common sense would indicate that ticking of the box overrides the browser setting. So I can share their details with my mail service provider. So by default opt-out and asking for their permission to opt-in is compatible with this setting, right?

Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

Also, how does this tell the user “who has it, where it's going and why”? All I see is a boolean flag.

> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA. There are also intentions to work with the European Union's GDPR

By default opt-out and asking for their permission is already required by the GDPR, so what is being worked on here exactly?

jeroenhd

> Common sense would indicate that ticking of the box overrides the browser setting

In theory, the /.well-known/ file could have its timestamp updated to reflect to the browser that the situation has changed and the user may perhaps need to make another choice. In practice, every website with trackers will just always pretend things have changed and browser controls will be useless.

> Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

This is why I prefer what Microsoft attempted to do with P3P instead. Of course no website ever bothered implementing it, but Microsoft came up with a protocol to at least list and display privacy policies for every partner website.

If browsers came with UI to manage which trackers the user accepts by default, with specific website overrides of course, this mechanism could be extended to in-browser privacy popups that can have their defaults be "no, fuck off" without the ambiguity.

The protocol could even be extended to permit the website to request changing the sharing setting, for instance when you sign up for a newsletter. As long as the UI is gatekept enough (say, once per x minutes after user interaction, up to y parties at once, otherwise the notification will be a little icon in the URL bar), it might just automate away the entire cookie popups.

Of course you'd need to convince the EU and California to declare these protocols as mandatory, but I think that's going to be a lot easier with a protocol where users have more choice than with this unary GPC header.

prerok

What I think they will do is just prevent you from registering? You want to register? Disable the flag.

The same as with the "do not accept". If you do not, they will nag you endlessly until you finally do allow the cookies.

I mean, we just can't win :(

weare138

This article is intentionally misleading:

> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.

....

> What to do when receiving a GPC signal

> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.

So what's the difference? Without regulations, which is the real issue here, all this is meaningless just like DNT was. The system is solely based on trusting the site to comply. CCPA only applies in Europe. None of this would apply to users in the US but the article disingenuously implies it would:

> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA

That is not legally binding in any way. This is just DNT with extra steps being sold as something it's not. I fail to see how this will benefit the user while making it harder for users to block trackers and advertisers. A site can't prevent you from blocking its cookies because cookies are stored locally through the context of the browser. Sites can't prevent users from blocking, deleting or modifying cookies.

But GPC signals are sent via HTTP headers. Sites could prevent users from accessing the site by detecting if GPC is disabled by the user in the browser just by checking the HTTP headers, forcing users into sharing information with the site to be allowed to access the site.

SahAssar

> CCPA only applies in Europe

CCPA applies in California, not Europe. It's in the name: "California Consumer Privacy Act". Did you mix that up with GDPR?

> forcing users into sharing information with the site to be allowed to access the site

One of the CCPA rights is "Not be discriminated against for exercising their privacy rights". Denying access would almost certainly be classified as discrimination.