Why exactly do we need a cookie notice for third party cookies?

⭐ Alex ⭐

Well-known member
I'm going to be frank, I've always thought this cookie notice rush was a pile of hot water.

As far as I have always understood, most breaking of user trust happens when you host third party scripts, advertisements, etc on your site which fingerprint the user and call home (to a third party such as an ad network) with what they learned about them and their visit.

Cookie notices do nothing about that, browser addons like UBlock do. These scripts don't even need cookies to track you because they can do browser fingerprinting.

Now let me get to the main point.

I recently learned about <meta name="referrer" content="no-referrer" /> (I really should have known this way sooner). This really solves a lot of potential of third party tracking when the script payloads don't have the facilities to call home. Like a useful script reference on your website can no longer be abused to track what websites someone is visiting by the script host looking at the referer in the http request.

So now, if we have say a youtube video iframe embed in our forum. It loaded with no referrer. It can't by any means determine where it's loaded on. And it decides to set cookies on its own domain, why on earth does GDPR care? It feels like GDPR is some group of people that don't understand the technical nature of the web, and have been misled by the experts that informed it. Because once again, the attack vector is not in the cookies. It is in fact in passing identifiable information into iframe via the src URL property or showing referrer when making the request.

Because of same origin policy, the iframe is no different than the person visiting youtube directly so any cookies it sets to its own domain is no one's business and no concern. GDPR really puts the wrong thing behind bars.

Any personal thoughts about this? Does anyone agree with my views, or find them incorrect?
 
Well. Now that I think about it harder, there is a second breach of privacy. The second one is drive-by interest farming.

For example say someone opens a forum page with a youtube video about dogs and that video auto loads. Youtube may now decide to inform the ad network that this user likes dogs.

It seems the only privacy solution is proxying everything including videos. Of course this may be against ToS of certain companies that live and thrive on data like this.

...Because the visitor viewing a forum page is there to perhaps view a shared video. And because of the video being hosted by a third party, they may now have data about them sold. They were just there to watch a video and not necessarily have a relationship with the specific video sharing site. They are on our forum after all and not on the video sharing site.

All of this becomes very interesting to consider, from philosophical standpoints.
 
Back
Top Bottom