About the Cookies

I am using some paid proxy servers, but sometimes I need some proxies from other countries, but I don't want to pay money for using them. I am an SEO auditor, and it is my job to analyze websites from other countries, so having a good proxy is essential. Sometimes I need to analyze a website's activity in other regions, so there are some situations when I don't have the right proxy; in such a case, I will use the proxy https://soax.com/india-proxy. So thank you for contributing to my work.

I work for a web hosting company, and although I'm not really totally fluent in the scripting side of things etc I do have a little insight into this, but I think everybody has explained everything anyway. 

The other thing to be aware of is though is that if you clicked a reject button to say you don't want cookies, the only way to record that response is by setting a cookie. If they are doing it properly then that banner will come back on every page because it doesn't know you've said no because there is no cookie to tell it that fact.

Sure. I think a session cookie might be seen as 'strictly necessary' in a shop once someone selects items . By the way, I was only using this site as an example and common reference point.

I may be wrong, but thought California was reacting to the 'cognitive dissonance' of being presented with a choice that turns out not to be a choice. Understanding why options and banners are so fudged only helps a bit. It's a bit like someone breaking the rules, then saying what the rules are but that they weren't broken.

Agreed! Totally out of order ‍♂️

Hi Cassandro

As I think you acknowledge, even if cookies are not strictly necessary, the ability to remember things about you between pages is needed. One reason is your example of remembering the fact that you are logged in, and who you are. Another is that you have a shopping basket, and what is in it. I mentioned these before. Most systems don't store the information directly, whether in a cookie or a query string. Rather, they store the important information in site databases, and use the cookie (or query string) to store a session ID or similar that allows the information to be recalled on the next page that you visit. Because query strings in URLs are so visible, I'm not sure that they are preferable to cookies as a method for storing sessions in many cases.

But I think we come back to the central concern; I'm suggesting that this is not so much that the site needs to recognise you to give you a sensible user experience, as what is then done with that ability, whether by cookies or not. And that's where options come in. As you rightly say, the options that can be offered tend to be constrained by the software. Making substantial changes there may mean a new platform, which of course is a big job that takes time and involves lots of other considerations.

Increasingly I am seeing a 'manage settings' options or similar, which allows you to turn off the cookies that may be to do with marketing or other things that are 'not necessary' to the function of the website. It's a little time-consuming but that helps opt out.

The trouble is that many websites rely on cookies, for example this forum. When you log in, the website sends some information (the cookie) to your computer or browser to store, so that when you next look at a page the website knows what account you are logged in as and offers information and options accordingly.

However, cookies are one way for a website operator to compile other information on you: what pages on other sites you have looked at for example, so as to determine what stupid advert to show you. For some websites like Facebook, the cookie can be a key to a lot of personal data they hold on you. The EU Cookie Directive (law) was an attempt to deal with this, but in many ways wasn't well written, and that's why websites tried to show they were trying to comply, even if they weren't (because you couldn't refuse the cookies as they were already programmed in the software). The 'manage settings' option (like you might see on for example the Financial Times) probably does comply with the law, because the cookies that remain could be argued to be 'strictly necessary'.

(In theory, cookies aren't necessary, but they are used for most popular websites nowadays.  In my techie opinion, they are overdesigned. It should be easy to dynamically store session details in a query string argument instead.)

Most i use offer Accept or Settings.  I use ublock origin, noscript and whatever is built into firefox.  i also only allow first party cookies.  No 3rd party are allowed.  I also have it set to delete cache and cookies when I close the browser.  I tend to accept all, knowing that all im accepting anyway is first party cookies that the site requires, the rest are blocked by ublock and my cookie/tracking settings.

If you are really security conscious, use a VPN.  Routing all your comms through another server makes tracking through connection irrelevant and thwarts most anaysis companies.  Even tunneling through a cheap VPS located somewhere abroad will work.  You can get such servers for about £10/year if you look at lowendbox.com and they can also be used to host a website, host a messenger server like XMPP or IRC or you could even use it to learn Linux.  If you wan to go more advanced host a VPN on a VPS, its not massively hard to setup and lots of guides exist online to do it, you want the ones on OpenVPN if you were doing it.

VPNs can be had for about £40 for a year or so.  I find VPNs most useful if you are travelling abroad and using shady wifi at hotels/hostels or even in towns and cities.  It just gives you an extra layer of protection from snooping eyes.  You are creating an encrypted tunnel at the device, if any data is being captured, they get gobledygook that is unlikely to be breakable.

I do not understand why the websites often only offer the Accept option.

There often is not the Reject option.

That's the banner from our site of course.

The issue is that the basic design of the Web has each page request independent of every other one. So, I ask a site for a page, it delivers it to me, and then it instantly forgets me. In between requests, there is no "session" or "connection" maintained. So, for example, sites can't tell that you have left them; they simply stop receiving page requests (because you've gone off to another site, or to make a cup of tea), and eventually assume that you have gone away.

Now, if you're thinking about tracking, you may consider that it's a good thing that the site does not remember you (although tracking what people actually do, as opposed to what we guessed they might, is how we analyse usage - in an anonymous way - and work out how to improve the site for everyone). If you're in a Web shop, you certainly do want the system to remember what's in your shopping basket as you move from page to page. And, in this Community, you do want the site (I assume) to remember that you are signed in, and who you are, so that it can identify you as the author when you type a new message.

There are several ways to allow a site to remember you for these reasons, but cookies are arguably the most flexible and the safest. We could put something on the end of every page URL, but that's rather public. And, of course, the other ways could potentially be used for tracking too.

That's how we've come to the situation that Cassandro describes, whereby many sites won't work usefully if you block all cookies. You can try (using browser facilities), but if we, and other site operators, gave you the ability to do it with a button, we'd probably get far more complaints about the things that stopped working than from what we have in California's screenshot, which is to identify the cookies that we need to make the basic stuff work, and let you stop the others.

Hope this helps as at least a perspective on the issues.

. said:

Would a malware attack on my badger

Cassandro said:

'Privacy Badger'.

Now there’s a phrase you don’t hear everyday... he also looks rather sinister despite his good intentions.

This begs for spin off software extending the theme - watch out for Indiscrete squirrels, web weasels etc

Is Privacy Badger prone to virus attack or just TB?..Would a malware attack on my badger constitute baiting? 

So many questions....

Does the Badger have levels of privacy? I.e indiscrete / fine when sober / will only tell your best friend / total stum? 

Thank you for raising awareness on the forum though about such tools... data protection is important.

The reason for this is that a lot of website software was written to use cookies before the EU 'cookie directive' came in. This rule means that a site had to have consent before storing information on a visitor's computer, which is what a cookie is, unless it was 'strictly necessary'. Now Facebook and Google may want to track every interest you have and page you visit, but there's a difference between that and a cookie that just tells the NAS site whether or not you're logged in. Unfortunately that distinction between the two purposes was never really made properly.

The thing is though, that the banner doesn't actually mean that the site complies with the rule. It's just a way of saying, 'our website uses cookies and if you don't consent, you shouldn't use it'. But by the time you've seen that, it's probably already set a cookie - and many sites can only remember you don't want cookies by setting a cookie (hence 'basic only').

Cookies are actually to an extent under your control though the privacy settings of your browser (you can see one's been set, but probably don't know what information it's linked to on the website end). Here's a page explaining a bit more http://www.allaboutcookies.org/

I use Firefox plugins including 'Cookie AutoDelete' and 'Privacy Badger'. I also sometimes use the 'New Private Window' to log into something under a different identity, which sounds a bit like what Graham's suggesting but with only one browser.

However I kind of like the banners because they are a continual reminder that lawyers, politicians and web designers can all be idiots.