privacy

On consenting to cookies

/ 1 Comment

Alright lets talk about cookies a second. Remember the EU Cookie Directive? All those pop ups asking to allow cookies are a direct result of that cookie directive.

State of things

Buzzfeed.com cookie pop up

Yes it is a little bit annoying, especially if you’re visiting a website only momentarily to look something up and the pop up covers your entire screen preventing access. To be honest, I didn’t pay much attention to them. In fact, I didn’t even read what the pop up said, instead my mind would seek a way out of it by looking for a highlighted button with words like Accept/Allow/OK/Dismiss just so that I could get to the content that I was trying to view. In all fairness, this was the case because I didn’t visit the site expecting to agree to some contract but to view the content of the website.

As an Engineer, I know what the cookie directive says. I know that I shouldn’t agree to it unless I really do but in most cases, like most normal people would treat terms and conditions, my instinct is to find a way out of it. So lets look at what the cookie directive actually says:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.;”

https://cookiepedia.co.uk/eu-cookie-law

So to comply with this, websites started putting up those annoying pop ups so that they can provide “clarity” into whatever use case they have of storing cookies on my computer. How do they do it? Well, usually, these things have two action buttons, Allow All or Reject Cookies. I don’t know about you but it feels like a red pill / blue pill moment to me.

https://i0.wp.com/davidmmasters.com/wp-content/uploads/2017/04/red-pill-of-awareness-or-blue-pill-of-unconsciousness.jpg?w=700
Blue pill / Red pill

There is however a third option. It usually resembles “Manage settings”, “more options” or in cases when they really don’t want you to click on it, “Learn more”. When you click on this option, the pop up usually changes into something a bit more helpful.

Buzzfeed.com cookie settings pop up

Now that makes sense – this is what BuzzFeed wants to do with my cookies. Note that everything is “Off” by default. This is what is supposed to be the default, but if you remember the previous screen, the primary button, designed to draw your attention and make you click was the Agree and Exit button.

What would happen if you clicked that? Well I checked and in this case, it stored 34 cookies in my browser – in addition to you permitting all the above use cases. Whoa thats a lot of cookies. No wonder my computer is fat! What if you clicked Disagree and Exit button? 4 cookies. Thats it. If you clicked More Options, here again, the primary button is Agree and Exit, seems like they really want to store cookies in your browser! Alas, if you click that, your browser will have 34 cookies again, same result as if you never had clicked on More options in the first place. Although, if you clicked Save and exit, the number of cookies stored are only 4. Here’s a small list to help you with the math.

  • Agree & Exit: 34 cookies
  • More Options -> Agree & Exit: 34 cookies
  • Disagree & Exit: 4 cookies
  • More Options -> Save & Exit: 4 cookies

Now BuzzFeed is actually one of the good websites so they have a direct option to Disagree & Exit which effectivelly turns off other cookies. Here’s a website called Healthline.com who don’t provide this option:

Healthline.com cookie pop up

When you click Manage Settings, you get a nice page with all fancy cookie use cases turned off by default:

Healthline.com cookie settings

Had you agreed to the first pop up and clicked on “Accept and continue to site” you’d have consented healthline.com and its partners to do whatever they want to do under “Special purposes” and “Special features” (+ all the other use cases they have outlined) and received 12 cookies stored in your web browser. On the other hand, if you go into “Manage settings” and click “Save settings”, it’ll take you to anon.healthline.com – which is an ad free version of the website. It still stores 7 cookies but they are not storing any third party or marketing cookies on your web browser.

And of course, this is assuming the websites are actually complying to the cookie law and aren’t doing naughty things anyway. Of course there’s no real way of knowing that. Websites could store cookies in your browser to track you and still send your information to the third party, via a serverside route without you knowing it happened at all.

Reflection

The thing about this that is striking to me is that for most people, the EU cookie directive has become more pain than something that actually works. From a consumer standpoint, it is merely an annoying pop up that gives bad user experience. Users just want to find the quickest way out of it and the website developers are happy to provide that – using the same dopamine driven design psychology that they use to get consumers to “Buy”, “Like” and “Share” things.

As an Engineer, this is annoying on several levels. It interrupts the user experience flow. It breaks immersive experience. It is annoying to implement. And even after all that, it doesn’t give users what they deserve because they accept everything without reading anything.

I’ll explore the potential solutions some other time, but for now, the only real approach is to “take control” by reviewing the cookie consent and proceeding in an informed manner. Whether you’re on a well known recipe website just cheekily reading that korma recipe or sifting through tons of web pages trying to figure out whether aliens really made the pyramids, take a few seconds of your time to review what you are consenting to. Or better yet, if you’re only browsing to check something quickly, use something like Firefox Focus (or incognito/private mode in your favourite web browser), which effectively gives you a disposable browser where when you’re done with your session, you can wipe the slate clean.

If you want to explore the wonderful world of websites and the cookies they work with, you can try https://www.cookieserve.com. Type in a URL and it’ll explain which cookies serve what purpose. Its not bullet proof but is good at catching google and facebook cookies if a website is sneakily using them.

You could also use browser plugins that prevent tracking cookies from being stored. I use uBlock Origin (chrome/firefox) which is a general tracking blocker. Additionally, if you use a modern web browser like Mozilla Firefox, it comes with tracking protection baked in and turned on. Not sure about Google Chrome, it probably doesn’t since Google’s revenue depends on Ads. I’ve heard of an alternative called Chromium – which is supposed to be the core open source version of Google Chrome without the Google stuff but I’m not too sure about it so can’t strongly recommend.

Who’s using my macbook camera?

/ Leave a Comment

So the other day I was working away on my Macbook Pro and suddenly, out of the blue, the light next to my camera came on. Now, this is a new macbook so I don’t have my little sliding window sticker that blocks my webcam yet. Even if I did have it, I’d still be equally worried. So I started digging. The only apps I had open at the time were:

  • Firefox
  • BlueJeans (video conferencing software)
  • Intellij IDEA
  • Visual Studio Code
  • iTerm

Basically the Software Engineer’s toolkit.

After a little digging on the Internet, I found a few commands that could help me. I have conveniently combined them all into this single command:

lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"

This gave me the following:

➜  ~ lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"
firefox   1956 mdave  txt       REG                1,5      424176 1152921500312438057 /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC

Hmm so its Firefox? Weird because usually its very good with permissions. Most of my tabs were DuckDuckGo, StackOverflow, Jira, Confluence, Gmail and a few other “trusty” company web pages. This couldn’t be it?

I did some digging around in settings but no luck. Finally, I brought down the hammer and took away the permissions to Camera (and Microphone for safety) from the System Preferences. And viola!

➜  ~ lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"
firefox   1956 mdave  txt       REG                1,5      424176 1152921500312438057 /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
➜  ~ lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"
➜  ~

No more naughty webcam access! I guess if I need it again, I’ll just give it permissions explicitly through the System Preferences. Or perhaps I can side-install another firefox browser when I need to grant it permissions to view my webcam – the number of websites that I use that need this permission are very small in number and I can live with using a dedicated web browser for it.