If you’re using the internet, you’re bound to be greeted by a cookie consent pop-up that seeks consent to track you and promises to use the cookies to enhance your browsing experience. The infiltrative behavior of cookies, which track your movements on the Internet, raised privacy issues.
The privacy concerns of internet users led to the creation of a few laws and regulations, namely the General Data Protection Regulation (GDPR) and consent management platforms (CMPs), which went into effect in 2018. However, countless sites still outright violate regulations and deceptively track users’ activity.
Cookies were invented in 1994 by 23-year-old engineer Louis J. Montulli II, who pioneered elements like HTTP proxying. He coined the term “cookies,” which he used in Netscape, the firm that designed one of the internet’s first widely used browsers called Mosaic. Soon after the advent of cookies, people started speaking up about the privacy concerns accompanying this information.
Cookie blocker need of the hour
The majority of consent pop-ups on the web do not meet the requirements for legally valid consent laid out in the General Data Protection Regulation (GDPR) four years ago. Hence, users are forced to share their data with multiple sites.
Earlier this year in April, researchers at Aarhus University published Consent-O-Matic to automatically reject permission requests to track you. The Consent-O-Matic extension is free and available for Firefox, Chrome, and other Chromium-based browsers, and Safari for macOS and iOS. The browser extension already had 22,000 test customers from multiple countries before its public release.
“The reason I created this Consent-O-Matic extension was that I’d done the research and I’d demonstrated there was a lack of compliance when it came to ‘consent’ pop-ups on the web,” Midas Nouwens, one of the extension developers and first author of the academic paper introducing it, stated. “I knew from how it’d been in past years that it was going to be a slow process for regulators to pick up on this. Nor was I confident that they even would.”
“So, I figured I’d do something bottom-up, not just relying on authorities to try and enforce but build something users can use now while we wait for this slower, democratic process to happen.”
Shady practices of CMPs
It seems that consent management platforms (CMPs) are already making attempts to bypass the Consent-O-Matic browser extension. Nouwens shared a patent application on Twitter filed on September 6, 2022, by CMP OneTrust aimed at detecting automated cookie rejection. If identified, the software would reject the automated request to block cookies and present the user with another request for consent, even inserting a captcha.
“By automatically rejecting such consent, the user may not be making an informed decision and the website operator may not be able to ensure the website is in full compliance with applicable privacy laws and regulations,” states the warning in OneTrust’s patent.
“The patent is pretty hilarious. The idea it is premised on seems to be that a refusal of consent has to have the same high standards as a granting of consent—that is to be specific, informed, freely given, and unambiguous,” Michael Veale, a professor of digital rights and privacy at UCL Laws, stated. “But that’s simply incorrect. Refusing consent is different from giving it, and is not subject to those standards. Furthermore, data protection law specifically recognizes that an individual ‘may exercise his or her right to object by automated means using technical specifications.’”
In 2020, a team of researchers including Nouwens and Veale published a paper entitled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence,” to highlight the shady practices employed by CMPs. In a survey of 680 of the UK’s top sites, 24 percent of them employed OneTrust and only 1.8 percent of those sites were minimally compliant with GDPR.
The results illustrated the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye. Earlier this year in August, privacy group noyb filed 226 GDPR complaints against websites using OneTrust because they failed to comply with GDPR guidelines.