bArray
cortesoft
I am in my mid forties, been working as a professional software developer for over 20 years.
I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
What “dark pattern cookie trick” are you worried about? I just can’t come up with a scenario where it will actually harm me in any way. All the examples I have heard are either completely implausible, don’t actually seem that bad to me, or are things that are trivially easy to do even without any cookies.
Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous. I already get infinite spam, and I am sure there are millions of other ways to get my email address… it is supposed to be something you give out, after all.
I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive, but I just have not yet been convinced I should actually care.
1shooner
First of all, if you don't practice any tracking limitation, you're almost certainly giving additional parties (directly or otherwise) access to your personal information. This is marketing data brokerage, this is the whole ballgame.
To your point about the actual harm, I've come to see it as a kind of ecological problem. Wasting energy and sending more trash to a landfill doesn't harm me individually, at least not immediately. But it does harm in aggregate, and it is probably directly related to other general harms, like overall health outcomes, efficiency, energy costs, etc.
No, accepting cookies by itself may not do much to me, but the broader surveillance and attention economy that relies on such apathy certainly has.
cortesoft
Sadly, this still doesn't do anything to show me that I should opt out.
I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.
You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.
I do use an ad blocker, and never click on ads. I feel like that action has a bigger return on investment than not clicking the cookie banner.
If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.
richardubright
I hear what you're saying, and instinctually I feel gross about it. But, if enabling advertising allows the website I'm visiting to stay in business, I think that might be a trade-off worth making.
andai
To give a random example of what kind of information the brokers have: years ago I heard multiple reports of women who found out they were pregnant through internet advertising. The surveillance networks detected changes in their behavior and determined that they were pregnant, before they realized it themselves.
guelo
I turn off 3rd party cookies in the browser but I don't see first party cookies as big of a threat and I click accept just in case it breaks the website somehow.
kelseyfrog
Do you have any napkin math on the ecological impact in quantifiable terms? I'm just super curious what the scope of the problem is.
cm2012
The effect of that data is serving you better ads. It's not a big deal. Dystopian governments have way better sources of citizen data than anonymized ad exchanges. It basically just powers product discovery in a giant global marketplace.
autoexec
> I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
The effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
> I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive
It seems like you are, but that's just how our brains work. We're very bad at judging long term and abstract risks, especially when the consequences and their connection to the cause are intentionally kept unclear. For example, when people's cars started collecting data on their driving habits and selling that data to insurance companies a lot of people saw their insurance rates go up, but none of the insurance companies said that it was because of the data collected from their cars. I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
cortesoft
> I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
Ok, can you give me a plausible example of what that harm could be? This seems in line with the exact thing I said in my comment; every time I ask how it could harm me, I am given vague statements about tracking and data. Charging me more if they think I can afford it is surely a thing to worry about, but there are so many ways to do that without tracking that I already need to take actions to defend against that (comparison shopping, price history tools, etc).
I am not saying I don’t think companies can take data they have access to and use it to extract more value from me… I am saying I don’t think opting out of cookies is going to do much to change that, for better or worse.
gpvos
> the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
For less-often used, e.g., non-English language sites, these often leave a site in an unusable state, e.g., non-scrollable. I often have to go into the developer tools to fix a site manually, sometimes hunting for the element to fix if it's not body or html.
fiddlerwoaroof
> the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero
It's only zero if you don't need to interact with sites that break when you're running an adblocker. I run an ad-blocker nearly continuously, but there are all sorts of sites where I have to disable it in order to use the actual functionality of the site (and these are frequently sites I _have_ to interact with).
sdevonoes
There’s a burden in ad blocker plugins: you never know when they will get compromised. In comparison to that, simply ignoring the cookie banner is less effort imho
bethekidyouwant
this is definitely happening and for some reason, no one has any clear evidence on it.
Conspiracy theories are gossip for men.
xXSLAYERXx
Feel similarly. And to be honest, even when I do select decline all, I have little confidence that the function does what it says it does.
devin
Yes, I do not have a lot of faith that "essential" cookies are always "essential" for example.
mixmastamyk
Firefox has a setting to dump cookies on exit, which I use.
belorn
This is how we should view all information we get from a company. If the product says organic, claims to be pure ingredients, recycled material, made in "COUNTRY", or any other claim, it is only just that. It is simply a claim that you as the customer have no way to verify.
frshgts
Having seen how these things are implemented in the field, your lack of confidence is definitely well placed. Most of these things send your denial request to /dev/null
fsflover
When you decline, their tracking becomes illegal, so they are constantly in danger of a legal action. It's a good enough reason to decline for me.
cluckindan
Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.
One click usually gives random foreign corpos the right to your data across a multitude of platforms, the right to identify you across data sets, and to permanently link your device identifiers to you, for ”fraud detection” on a site which sells nothing.
Clicking on accept or deny on those notices makes no real difference, since the ”partners” and ”vendors” usually enshrine their core data activities into the ”legitimate interest” category, which has no opt-out.
cortesoft
Ok, so suppose I am consenting to all of those things.
I still have the same question… how is my life going to be made worse by that happening?
SJC_Hacker
> Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.
They'll get it one way or another
With IP tracking, you don't really need cookies much anymore
gitpusher
[Reject Optional], [Essential Cookies Only] ... I am one of the people who clicks such options. But to some degree they are "privacy theater". Any website that presents you with such a choice is almost certainly loaded to the gills with tracking/analytics and various 3rd-party services that will track you with browser fingerprinting regardless of any buttons you click on the cookie banner. Nevertheless I still reject them, mostly out of spite.
avaika
> Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous.
I am fanatically following my rule "one email per website". Obviously, they all route to the same inbox. Initial motivation was to see who leaks my address and simply block it. However, the separation helped me out tremendously more than I ever expected (at the very least I believe so).
I'm originally from a country with a highly oppressive regime. Years ago I signed up for financial support to a political opposition leader. Things weren't as bad and it felt safe enough at the time. They had my email, of course.
Eventually opposition systems were compromised, and the full donor list became public. The regime's response: they cross-referenced it against emails registered on government services. For quite a few whose addresses matched, police officers paid a visit — looking for grounds to fine them, pressure them, etc.
My alias for that site existed nowhere else. No match, no visit. Definitely an experience I was more than happy to avoid.
frshgts
I recently spoke with an engineer who was building a product using the information he is able to acquire from these data brokers. This includes every search query you've ever made, anything you've purchased with a credit card, and anything that is in the public record (i.e. a pending divorce case, or child custody dispute). He uses that information to generate a profile on leads to determine how much they can squeeze from this person in whatever deal they are making. (I'm not going to get more specific than that.) This person had no incentive to lie to me about what they were building.
The data trail you are creating is much more personal and invasive than you want to imagine, and in the wrong hands it could be used to devastating effect.
citizenpaul
This is the crux. What is happening is a system of complete information asymmetry is being created. It is not being created to help you in any way.
dangero
Every search query you’ve ever made is not available from any data broker and if you hear otherwise someone is lying
kevin_thibedeau
You won't notice the effects, but allowing tracking feeds your behavioral profile into the data broker economy. You can then be targeted with things like dynamic pricing based on your guesstimated income, invasive ads for significant life events, health care risk modeling, tracking your group affiliations, identity theft, and more.
slumberlust
Unfortunately, NOT accepting them and actively blocking things also makes you extremely identifiable.
thewebguyd
> It is the young people that are growing up conditioned to press accept
It's really alarming, actually. I run the cyber security training & phishing simulations at my work, and it's the younger employees that struggle the most. It's like they just assume that everything on the web is trustworthy.
It's not hard to see why though. They grew up with app stores & locked down devices. No concept of a file or file system, no concept of software outside of the curated store & webapps. People that never had to take responsibility for their own digital safety because "someone else" (Google, Apple) always did it for them.
andsoitis
> It's like they just assume that everything on the web is trustworthy.
> It's not hard to see why though. They grew up with app stores & locked down devices.
When we create a safer world, people’s defense mechanisms naturally atrophy or are never developed in the first place.
thewebguyd
The problem is, we haven't really created a safer world. We created an illusion of safety by taking away agency.
We might be safer in terms of vulnerabilities, root exploits, RCEs, etc. but the internet is still full of malware, scams are still just as rampant. Vigilance is still very much required, but is no longer taught.
Look at all the malware available on the Play Store. The curation does nothing but create an illusion of safety.
pants2
When I joined my last job I noticed that their email settings were misconfigured... EVERYTHING was going straight to the inbox, not even the most basic of spam filters were in place.
When I got filtering on observe-only mode I saw users were getting up to a dozen phishing emails every day.
We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through.
Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate.
Take from that what you will!
robotguy
That's the philosophy behind Safety Third.
SkyBelow
In some sort of weird sense, it makes me appreciate the 'free armor trimming', 'alt F4 helps block attacks in pvp', and similar people in RuneScape. It gave young me a very low stakes environment to learn about scams, losing only what amounts to a little bit of my time. I wonder if there is an argument that we should encourage a certain level of scamming in video games just for the lessons it teaches at low cost? Alas, this isn't generalizable to society at large.
darknavi
Maybe we should make young learners in primary school use "infected" Windows XP so they can dodge spam popups and learn what and what not to click.
whywhywhywhy
They'd just click it away every time. When my nephew got a gaming laptop he'd play Minecraft and the Windows Sticky Keys popup would be firing constantly; I must have seen him dismiss it 15 times before I offered to show him how to get rid of it.
thewebguyd
Growing up I had a "computing" class in high school. It's where I learned to type, but also learned the basics of using both macOS (9 at the time) and Windows.
It was also drilled into me that the default state of anything on the internet is to be untrusted and potentially harmful.
It also helped that you could actually tinker with things, and there were plenty of foot guns around to drill that lesson home.
Somewhere along the way that message got lost and didn't get communicated to the young ones, and I'm not even that old (38).
chrisjj
> They grew up with app stores & locked down devices. No concept of a file or file system
I think almost every Android user has these concepts.
But on the trustworthy web assumption, I agree. The only effective remedy is a personal calamity.
tuetuopay
Are you really exposed to those concepts for daily Zoomer usage? I mean, you can spend your whole normie life using an Android phone never going to the file manager.
(fwiw it's been a while since iOS also has those concepts)
RGamma
People are also struggling to think about what is computed or stored where or what different wireless interfaces do. Imagine what sort of data people enter into LLMs!
chrisjj
Absolutely. With many lawyers, it is client personal data.
adventured
That's an exaggeration. Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.
No other prior generation comes close.
Compare them to people growing up in the 1980s. The average person at that time was overwhelmingly oblivious to computing very broadly, their grasp of a "file" as a concept would have been close to non-existent. That was just 40 years ago.
In the mid 1980s a mere 10% of US households had home computers. And that was a high mark globally, it was drastically lower in nearly every other country (closer to zero in eg China, India at that time). The number of people routinely using office PCs was still extremely low.
Today young people have a computer in their hand for hours each day, and they knowingly manage files throughout the day.
asr
I use lights every day, but I know way less about electricity than my grandparents, two of whom could remember when their town was electrified as children and who therefore treated it as the marvel it truly is. And also because we've worked out a ton of bugs in electricity and it often just works.
My kids will know way less about filesystems than I do, because I had to learn DOS commands to navigate around the operating system if I wanted to play computer games, which led to a lifelong interest in how computers actually work at a level they can (and, so far, do) happily ignore.
raw_anon_1111
You don’t upload a “file” in a “folder” to TikTok. You upload a “video” from your “library”. Consumers have been conditioned to stop thinking about files especially when it comes to media since iTunes and the iPod in 2001.
amluto
> They grew up using Chromebooks … in school, constantly interacting with the local file systems
While it is possible to interact with the local file system on a school Chromebook, it’s certainly not the default. School interactions with Chromebooks seem to consist of logging in with highly secure passwords like “strawberry” and using Google Docs. And playing games with heavy PvP components and paid DLC (paid by parents whose kids beg for it, not by schools) that call themselves “educational” because they interject math problems needed to use those juicy spells, make no effort whatsoever to teach anything, but produce a nicely formatted report correlating scores to numbered elements of the Common Core standards.
morleytj
There may be some demographic groups located between people who were young during the 1980s and people who are young during the 2020s, time periods which are 40 years apart.
arvid-lind
Maybe they do more intuitively think of things as virtual objects, but it seems like the issue is they don't have a deeper understanding of how the mechanisms behind the abstractions work and can easily get fooled into accepting terms they wouldn't if they properly understood.
zahlman
> Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.
This argument is like saying you understand nutrition because you eat food every day and haven't died yet.
mftrhu
> They know what a file is, they use & manage files more than any other generation prior.
Unfortunately, they don't.
They might have had a computer in their hand for hours each day, but they barely know anything about it. The ones who do tend to be those who grew up playing on PC, as opposed to console or mobile, because the latter - despite falling under the "digital natives" aegis - are really shockingly ignorant of even basic concepts.
mhurron
> drastically greater understanding of what a file
No, they do not. First, simply using something does not mean you understand it at all. Secondly, because the devices they've become the most accustomed to work very hard to hide all those details from the user.
bmacho
It's not just cookies, it's explicit consent to track you, and sell your browsing history to ~1500 spy companies around the world.
To the sibling comments: don't "accept the cookies" and then delete them.
- - -
I'm super angry at what the web has become, especially at the OS browser community. There is 0 browser (that I know of) that can access the web safely and conveniently. Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
We need a browser with a safe extension model.
- - -
edit: I guess using 2 Firefox profiles, one with uBlock and one with my google/facebook/bank/amazon/etc accounts solves the threat posed by uBlock and extensions. I still don't like it.
microtonal
Not just the web. Last time I installed Backdrops on my phone (a nice wallpaper app), you would literally approve hundreds of uses of your data when you press Consent. Even if you choose to manage choices, 200 'legitimate interest' options are enabled by default. Even when you are a paying Pro user. Data used includes location data.
What makes it worse is that a substantial portion of users block web trackers through an adblocker. However on phones, unless you have a rooted phone or use some DNS-based blocker, all these analytics get uploaded without restraint.
> Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
Some browsers (e.g. Vanadium, Vivaldi) have a built-in adblocker, so you have to trust one party less.
drnick1
> Last time I installed Backdrops on my phone (a nice wallpaper app), you would literally approve hundreds of uses of your data
Why are you using that malware? Is a "nice wallpaper" worth the security risks? Really?
ambicapter
How would you implement ability to arbitrarily block any network connection on any website without giving an extension 100% access?
bmacho
> How would you implement ability to arbitrarily block any network connection on any website without giving an extension 100% access?
Browsers should provide a filtering option before they make a request.
IMO a lot of no-brainer options are missing from personal computers. Like the ability to start a program with restricted access to files, network or OS calls (on Windows and on Linux). Browsers should provide the ability to inspect, and filter network access, run custom javascript on websites, etc.
latexr
Safari’s extension model could be really good by now, had they not stopped putting effort into it. You are able to define which extensions have access to which websites, and if that applies always or only in non-Private¹ mode. You can also easily allow an extension access for one day on one website.
But there are a couple of things I find subpar:
You can’t import/export a list of website permissions. For a couple of extensions I’d like to say “you have access to every website, except this narrow list” and be able to edit that list and share it between extensions.
On iOS, the only way to explicitly deny website access in an extension’s permissions is to first allow it, then change the configuration to deny. This is bonkers. As per the example above, to allow an extension access to everything except a narrow list of websites is to first allow access to all of them.
Finally, these permissions do not sync between macOS and iOS, which increases the maintenance burden.
¹ Private being the equivalent to incognito.
jstanley
> every single extension provides 100% access to my websites to whoever controls the extension.
But the browser also has 100% access to all of the websites. The browser is software that works for you. You control the browser.
Who but yourself do you imagine controls your extensions?
esseph
> The browser is software that works for you. You control the browser.
Oh really? Then why do my browsers keep moving things?
bpt3
What would a safe extension model look like to you?
At some point, you have to implicitly trust someone unless you audit every line of code (or write it yourself) and build everything from source that you run.
bmacho
> What would a safe extension model look like to you?
> At some point, you have to implicitly trust someone
A model so I trust my OS and my browser, and I don't have to trust anyone else, that is, they can't harm me.
raw_anon_1111
This is a solved problem for at least ad blockers for over a decade on iOS. The ad blocking extension gives Safari a list of URLs and regex expressions to block
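The declarative model described in the comment above, sketched as an added example (not code from the thread or from Safari): the extension hands over a rule list as plain data and the browser alone matches it against requests. The rule keys follow Safari's content-blocker JSON format; the hostnames, the subset of actions covered and the two-label `site()` heuristic are constructed simplifications.

```javascript
// Added illustration: browser-side evaluation of a Safari-style content
// blocker rule list. The extension contributes only this data; it never
// receives page content or request details.

// Constructed sample rules (all hostnames are placeholders).
const SAMPLE_RULES = [
  { trigger: { "url-filter": "^https?://([^/]+\\.)?tracker\\.example/",
               "load-type": ["third-party"] },
    action: { type: "block" } },
  { trigger: { "url-filter": "/pixel\\.gif(\\?|$)", "resource-type": ["image"] },
    action: { type: "block" } },
  { trigger: { "url-filter": ".*", "load-type": ["third-party"] },
    action: { type: "block-cookies" } },
  // Per-site escape hatch for a site that breaks under blocking.
  { trigger: { "url-filter": ".*", "if-domain": ["*bank.example"] },
    action: { type: "ignore-previous-rules" } },
];

// Only a subset of the real format is handled here.
const ALLOWED_ACTIONS = new Set(["block", "block-cookies", "ignore-previous-rules"]);
const ALLOWED_TRIGGER_KEYS = new Set(["url-filter", "url-filter-is-case-sensitive",
  "resource-type", "load-type", "if-domain", "unless-domain"]);

// Validate and precompile the list. Anything that is not a known declarative
// field is rejected, so a rule list cannot smuggle in behaviour.
function compileRules(rules) {
  return rules.map((rule, i) => {
    const { trigger, action } = rule;
    if (!trigger || typeof trigger["url-filter"] !== "string")
      throw new Error(`rule ${i}: missing url-filter`);
    for (const key of Object.keys(trigger))
      if (!ALLOWED_TRIGGER_KEYS.has(key))
        throw new Error(`rule ${i}: unknown trigger key ${key}`);
    if (!action || !ALLOWED_ACTIONS.has(action.type))
      throw new Error(`rule ${i}: unsupported action`);
    if (trigger["if-domain"] && trigger["unless-domain"])
      throw new Error(`rule ${i}: if-domain and unless-domain are mutually exclusive`);
    const flags = trigger["url-filter-is-case-sensitive"] ? "" : "i";
    return { trigger, action, regex: new RegExp(trigger["url-filter"], flags) };
  });
}

// "*example.com" matches the domain and its subdomains; otherwise exact match.
function domainMatches(pattern, host) {
  if (!pattern.startsWith("*")) return host === pattern;
  const base = pattern.slice(1);
  return host === base || host.endsWith("." + base);
}

// Simplification: treat the last two labels as the site. Real browsers
// consult the Public Suffix List for this.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide what happens to one request. `request` is { url, type, topUrl }.
// Rules are applied in order; ignore-previous-rules cancels earlier matches.
function decide(compiled, request) {
  const reqHost = new URL(request.url).hostname;
  const topHost = new URL(request.topUrl).hostname;
  const loadType = site(reqHost) === site(topHost) ? "first-party" : "third-party";
  const actions = new Set();
  for (const { trigger: t, action, regex } of compiled) {
    if (!regex.test(request.url)) continue;
    if (t["resource-type"] && !t["resource-type"].includes(request.type)) continue;
    if (t["load-type"] && !t["load-type"].includes(loadType)) continue;
    if (t["if-domain"] && !t["if-domain"].some((p) => domainMatches(p, topHost))) continue;
    if (t["unless-domain"] && t["unless-domain"].some((p) => domainMatches(p, topHost))) continue;
    if (action.type === "ignore-previous-rules") actions.clear();
    else actions.add(action.type);
  }
  return { block: actions.has("block"), blockCookies: actions.has("block-cookies") };
}
```
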
jazzypants
How would an extension work if it didn't have access to the website you're browsing?
hedora
Pick one:
- Read-only access to cross-tab web site content
- Ability to modify web site content
- Ability to access the network
They can always "access the network" in that the extension developer can push static updates for things like ad block lists or security updates.
It might be possible to have "read only" cross-tab access include automation APIs like keyboard + mouse, with user prompting to prevent data exfiltration.
konform
I had similar frustrations and have been maintaining a Firefox fork trying to fill a gap there. The result is Konform Browser and I think it might be relevant to you; please check it out!
https://codeberg.org/konform-browser/source/releases
https://techhub.social/@konform
Shared today on Show HN but seems to be drowning in deluge of LLMs...
https://news.ycombinator.com/item?id=47227369
> every single extension provides 100% access to my websites to whoever controls the extension
That feels like a bit of an overstatement and depends on what addons you use and how you install them... CSPs at least make it possible to restrict such things by policy (assuming user has been exposed to it and parsed it...). https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web... MV3 introduced further restrictions and controls regarding addon capabilities. While I agree the UI and UX around this could be much better, it's not all hopeless. The underlying pieces are mostly there.
While the fundamental addon execution security model in Konform Browser is inherited from upstream, for core addons like uBO you can improve the supply-chain security situation by loading it under "system scope" and disable addon updates in the browser itself. So while we don't (yet) improve on the runtime aspects you speak of, at least for now we can tighten up the supply-chain side to minimize risk of bad code running in the first place.
Literally `apt-get install webext-ublock-origin-firefox`.
"Enterprise policy files" can be used to change Firefox behavior and tweak security model around addon loading. A little explanation and reference of how it works if you want to do the same in other FF build or for other addons: https://codeberg.org/konform-browser/source#bundled-extensio...
Any particular addon you think is missing from the list there and should also be packaged and easily available? Maybe will be able to improve some of the security-UI/UX here too down the line. I'd be keen to hear your take on how this should be done better!
Regarding what addons can and do leak about you to the outside... I think you may also take interest in FF Bug 1405971. We ship a patch for that which can hopefully be upstreamed Soon (tm).
PyWoody
I remember when it first became widely known that the government could see your library checkouts. People protested. It was a big deal in my tiny town.
I don't even think it would be even a blip on the radar now.
It really is depressing how much ground we've given.
chneu
I was just talking about this the other day. This all happened right after 9/11(nevr 4get) and people were fucking PISSED that the patriot act wanted to look at people's library histories. It was a HUGE deal where I lived. Now? Nobody gives a shit and people will trade away their valuable privacy for an IQ test.
8organicbits
Can you clarify what you mean?
My local library is run by the county government, so of course the government can see the checkouts, they are the ones I check the book out from. But they restrict checkout information from others. For example, a parent can see the checkouts of their own children, but not after they turn 13.
Perhaps you're talking about subpoenas? Checking some other libraries I see SF Public Library has some discussion about that, but they delete books from your checkout history once they are returned. https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...
Barbing
USA PATRIOT Act, early 2000s?
paffdragon
We also used to run spyware and adware scanner and removal tools, but now the ad/spyware rebranded and became mainstream...
Cthulhu_
I mean in hindsight, how mental is it that you could look up people's names, addresses and phone numbers in public records?
...I mean I suppose you still can but still, it's not as obvious anymore and people's mobile phone numbers are unlisted by default and not publicly linked to an address..
Fervicus
People around me (including engineers) all casually use things like Alexa, Google Home, Ring, Nest, Chrome, are always signed into Google, have all sorts of apps installed on their phones, and have no problems giving up their phone numbers to services for verification. It's crazy.
sib
"Apps installed on their phones"
"Use Chrome"
"Crazy"
Or, completely normal behavior. Are you suggesting that people should live in a shed in the woods like the Unabomber?
a_victorp
Gotta love the slippery slope argument
theshackleford
It's almost like not all "technical" people are the same, and in fact have different wants, needs, interests, tolerances and perspectives.
Terrifying.
raw_anon_1111
I bet you use an Android phone don’t you?
pull_my_finger
I use Cookie AutoDelete on Firefox and it's great. It works with Firefox Container Tabs (groups have their own cookie settings), and lets you greylist (allow cookies from a particular domain pattern until the tab is closed) or whitelist (always allow from the domain pattern). I set it up for my kids computers also. The default is to blacklist (cookies aren't set), and I can whitelist for particular sites where they need say persistent login.
Definitely in 2026 kids should be getting tons of education in public school about how to safely browse the internet, both for personal data privacy and for safety against stalking, doxxing, grooming etc in the same way millennials were grilled about source checking internet resources like Wikipedia.
jim33442
Also Firefox and Safari by default block 3p cookies everywhere, which is a significant step above Chrome
ZpJuUuNaQ5
I do this, more or less, although I am a bit older. It's not as if I enter my real name, address, or email at every opportunity, but there is really no perceptible feedback loop that would force one to contemplate the consequences. I visit my local news site and the first thing I see is a massive cookie banner which lists over a thousand third-party vendors and asks me to either "Accept all", or if I am being prudent, click adjacent button called "Choose" to go to another page, then manually untick dozens of tracker categories, and then click "Allow selection". Whatever I chose, it wouldn't have any tangible impact on my life. I simply do not care.
nervysnail
With uBlock Origin, you would not see such popups. Also, it may not have an impact on your life, but it sure as hell has an impact on adtech guys' pockets.
cm2187
Accept the cookies and flush them out every time you close the browser. I think it would be naive anyway to assume that clicking no on a cookie banner would achieve much for your privacy.
mimimi31
So-called "cookie banners" usually ask for your consent to much more than optional tracking cookies. By accepting you might be giving your permission to e.g. track you through various fingerprinting methods, build a profile and share it with advertising partners.
cm2187
If they are aggressive enough to do fingerprinting, what makes you think they would abide by your choice? You do browser fingerprinting when you want to overcome people rejecting cookies.
reddalo
An additional reason for not browsing the web without uBlock Origin on Firefox or other browsers with full support (not Chrome).
bitmasher9
Why even ask for the cookies if denying them doesn’t achieve much?
It’s naive to think that cookies are the only tool used for tracking, but they are the most powerful tool for web based tracking.
_heimdall
Because in some legal systems you're required to ask. You're also required to follow fairly specific rules related to the user's selection and data, though I can't imagine enforcement keeps up with websites breaking those laws.
N0isRESFe8GXmqR
Because EU Cookie Law was a flawed idea?
Barbing
No, shan’t give them the metrics :)
mcv
I completely agree. The only services for which I will verify my age (and the entire rest of my ID) are bank accounts and other services involving a real legal requirement for real ID.
The notion that you should upload a passport to random sites for age verification is unbelievably dangerous. That's a recipe for identity theft. And face scanning is also an invasion of privacy, not to mention very unreliable (my 16 year old son has apparently been accepted as 20 years old).
I've pointed out in many places already that the only way to do online age verification right, is for the government to provide an e-ID that the random site will direct you to with the question "is this person older than X?", then you log in to the e-ID site, which informs you exactly what the site wants to know (which should be as rough as possible; no birthdate), then the e-ID site directs you back to your original site (or possibly through a proxy, if you don't want the government to know what sites you visit), and calls their webhook (through a proxy) with the confirmation of your age.
That's also how my online payments work, and this should be the standard pattern for everything that needs to be secure. Not sharing sensitive or personal data with random sites.
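The redirect-and-webhook flow described in the comment above, as an added example that is not part of the thread and not any real e-ID system's API. It assumes the e-ID provider and the site share an HMAC key for the webhook; the class names, field names and sample users are hypothetical, and the optional proxy hop is not modelled.

```python
import hashlib
import hmac
import json
import secrets
import time
from datetime import date

# Assumption: a shared secret provisioned between e-ID provider and site.
WEBHOOK_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 300
ALLOWED_FIELDS = {"nonce", "min_age", "over", "issued_at"}


def sign(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class EidProvider:
    """Holds the birthdates; only ever releases a yes/no answer."""

    def __init__(self, key: bytes, registry: dict):
        self.key = key
        self.registry = registry  # user id -> date of birth, never leaves here

    def answer(self, user_id, request, consent, today=None):
        if not consent:  # the user saw the question and declined
            return None
        today = today or date.today()
        dob = self.registry[user_id]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        payload = {
            "nonce": request["nonce"],
            "min_age": request["min_age"],
            "over": age >= request["min_age"],
            "issued_at": int(time.time()),
        }
        return payload, sign(payload, self.key)


class Site:
    """Relying party: asks 'is this person older than X?' and nothing else."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # nonce -> threshold that was asked

    def start_check(self, min_age: int) -> dict:
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = min_age
        return {"nonce": nonce, "min_age": min_age}  # sent along with the redirect

    def webhook(self, payload: dict, signature: str) -> bool:
        if not hmac.compare_digest(sign(payload, self.key), signature):
            return False  # forged or altered in transit
        if set(payload) != ALLOWED_FIELDS:
            return False  # refuse to receive more than the answer (e.g. a birthdate)
        asked = self.pending.pop(payload["nonce"], None)  # nonce is single-use
        if asked is None or asked != payload["min_age"]:
            return False  # replayed, unknown, or answering a different question
        if abs(time.time() - payload["issued_at"]) > MAX_AGE_SECONDS:
            return False  # stale confirmation
        return payload["over"] is True


def demo() -> dict:
    # Constructed sample users; the site never sees these dates.
    eid = EidProvider(WEBHOOK_KEY, {"alice": date(1990, 5, 17), "timmy": date(2012, 3, 2)})
    site = Site(WEBHOOK_KEY)
    today = date(2026, 1, 15)
    results = {}

    payload, sig = eid.answer("alice", site.start_check(18), True, today)
    results["adult"] = site.webhook(payload, sig)
    results["replay"] = site.webhook(payload, sig)  # same confirmation sent twice

    payload, sig = eid.answer("timmy", site.start_check(18), True, today)
    results["minor"] = site.webhook(payload, sig)

    payload, sig = eid.answer("timmy", site.start_check(18), True, today)
    results["tampered"] = site.webhook(dict(payload, over=True), sig)

    payload, sig = eid.answer("alice", site.start_check(18), True, today)
    leaky = dict(payload, dob="1990-05-17")  # validly signed but over-disclosing
    results["leaky"] = site.webhook(leaky, sign(leaky, WEBHOOK_KEY))
    return results


if __name__ == "__main__":
    print(demo())
```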
shiandow
That very much isn't the only right way, and it is far too close to government tracking activities online. For one it effectively allows governments to disallow someone from accessing the internet.
All this to let you do stuff you were allowed to do anyway.
The problem is handing kids admin level access on a device with full unfiltered access to several communication networks. You do not fix that by demoting everyone's access.
fc417fc802
I wholeheartedly agree. Worse, these verification "solutions" distract from fixing the actual underlying issue.
We need better supervision which demands better parental controls which demands better content filtering which demands better content classification.
So fix the root. Legally mandate a standardized protocol for self reporting the content rating of resources.
Terr_
Yep, recycling a post about reasons to do it that way:
> 1. Most of the dollar costs of making it all happen will be paid by the people who actually need/use the feature.
> 2. No toxic Orwellian panopticon.
> 3. Key enforcement falls into a realm non-technical parents can actually observe and act upon: What device is little Timmy holding?
> 4. Every site in the world will not need a monthly update to handle Elbonia's rite of manhood on the 17th lunar year to make it permitted to see bare ankles. Instead, parents of that region/religion can download their own damn plugin.
EnderWT
There's already a spec for this (ISO/IEC 18013-5) and it's been implemented in a variety of jurisdictions. https://en.wikipedia.org/wiki/Mobile_driver%27s_license
The person gets to see what information the service is asking for and can approve or deny. This'll likely end up being the future of how citizens access government services online.
nedt
That's more for age verification and proof of identity, especially in the real world. It's weird that the Wikipedia page is talking about drivers license, because I have the Austrian app and I use it with my normal ID card.
To access government service we have something different. Here in Austria it's called ID Austria and you sign with an app when you try to access government services, but also others like health insurance etc.
1970-01-01
1000% this. Fake info for everything that isn't directly tied to money or government. HN doesn't have my info. Apple doesn't have it. Google doesn't have it. Amazon doesn't have it. Microsoft doesn't have it. They don't care who I really am, and that hasn't, ever never, been a problem for using their stuff. They want your real ID. They do not need it. At all.
londons_explore
Remember that just typing 'John Smith DOB 1/1/1900' into a random webform and clicking submit to get in is technically wire fraud.
Sure, it usually won't be prosecuted... Until you upset the wrong person and they're looking for a crime you did...
fc417fc802
I don't believe it's wire fraud unless you deceive the other party for monetary gain. I realize that's not quite the correct definition but AFAIK it's quite close to it.
araes
Fraud (Wikipedia, United States):
- Misrepresents a material (non-trivial) fact in order to obtain action or forbearance by another person
- The other person relies upon the misrepresentation
- The other person *suffers injury* as a result of the act or forbearance taken in reliance upon the misrepresentation.
Damages in fraud cases are normally computed using:
- Recovery of damages in the amount of the *difference between the value of the property* had it been as represented and its actual value
- Out-of-pocket loss, which allows for the recovery of damages in the amount of the *difference between the value of what was given and the value of what was received*.
Usually also heavily implied it needs to involve money in some significant way: 18 U.S.C. § 1343
(...)'any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises'(...)
Fraud cases also usually heavily apply burden of court practice on the prosecution, to prove fraud and substantial losses. If you type 'John Smith DOB 1/1/1900' the "victim" has to prove it caused them to suffer injury and that there was a significant difference between the value of the property (non-trivial).
1970-01-01
So is breaching all your PII into the universe. Choose your battles or they will be chosen for you. Aside, I'm technically 126 years old in some DBs. Nobody cares.
cloverich
> They want your real ID. They do not need it.
I think that is exactly backwards. Many of the companies integrating with KYC/AML providers (such as my company) definitely don't want to be dealing in ids, just like most companies don't want to be dealing in storing credit card numbers (and the compliance that goes along with it). It's why Stripe exists, and it's why ID verification companies exist.
x0x0
I'd like to agree, but I don't. If companies didn't want to be involved, they would aggressively be pushing governments to provide ways to confirm age w/o transmitting any other data. Primarily because you can't leak data you never had in the first place. I don't see that happening.
ticulatedspline
even better would be a solution that didn't require even proxy or direct government log in.
like if you could be issued an E-id that could perform a local signature/challenge-response that allowed the site to confirm an age bracket (like 12 or below,13-17,18-20, 21+), assert the entity that issued the id but not assert a stable identifier (not even pairwise) and not pass any data between other parties.
Obviously not foolproof, credentials can be stolen (same in your scenario) but the site doesn't need to care, they should be legally in the clear. Basically it would let you anonymously assert your age.
sspiff
I'm fine with providing my identity for online banking and other finance platforms for legal & taxation purposes.
I can't think of a single other use case in which I'd be willing to verify my identity. I'd rather go back to hosting email myself, and am fine with circumventing content access control for all other platforms for personal use.
We're seeing the world slide towards authoritarian strongmen, and we want to give them a massive index of who we are and what we do? I'd rather not.
marmarama
The problem is those self-same authoritarian strongmen are very successfully using sockpuppeting to change national discourses in ways that benefit them and are detrimental to the targeted countries. Hybrid war is real and has been ongoing for more than a decade. LLMs make it way more cost effective.
Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
Big Tech has had at least a decade to fix this, did nothing of note, and is all out of ideas. Privacy advocates had the same time to figure out a "least bad" technical solution, but got so obsessed with railing against it happening at all, that nothing got any traction.
So governments are here to legislate, for better or worse. They know it's a trade-off between being undermined by external forces vs. the systems being abused by future governments, but their take is that a future authoritarian government will end up implementing something similar anyway.
malfist
> Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
How? People already sell their accounts to spammers. Why would that change?
inkysigma
Depending on the implementation, I could see that having rate limiting effects. There're only finitely many IDs so scaling sockpuppeting will saturate these IDs quickly but it's quite easy to spin up a new anonymous account. For example, I think the EU ID system has an upcoming way to create pseudo anonymous identifiers that can identify a user per website.
This presents the problem of governments being able to gatekeep speech which I am quite uncomfortable with but maybe there's some safeguard within the eIDAS proposal that makes this idea incorrect?
ajam1507
> Being able to limit the influence of external bad actors is the main goal of ID verification.
How does automatically determining your age serve the goal of ID verification? It seems like most sites are choosing this as the first option. If the point was to link your ID, why wouldn't they ask everyone to provide it?
specialist
Correct.
The choice is between democracy and our current ever worsening sociopolitical hellscape.
If eliminating bots and sockpuppets is the price for restoring some semblance of democracy, then gosh darn.
And if social media, targeted ads, and algorithmic hate machines are collateral damage, then gee double gosh darn.
Those sacrifices are a price I'm willing to pay.
anextio
> "Democracy" is when "bad actors" (as defined by the establishment) are shut out of all online discourse.
The point of ID laws is not to stop "bots" or "sockpuppets", it's to enable governments to shut down the speech of their political adversaries by painting them as dangerous. That is not democracy, that is authoritarianism, even if you absolutely hate the people that are being shut up.
Western countries are not in the midst of polarized political crises because of "external bad actors" or "sockpuppets". They're in these crises because of fundamental contradictions in values and desired policies between different segments of the populace.
The Europeans are currently full steam ahead in attempting to "fix" the situation by criminalizing dissent, which will, in the end, only exacerbate the political crisis by making the democratic system illegitimate.
areoform
Do you truly believe that ID "verification" will do anything in a world where IDs are leaked by the tens of thousands to the millions?
You are shifting the onus on to the platforms, when the problem is pretty simple; with a few exceptions, we've failed as a species to learn how to think.
Also do you think that the TLAs don't know who the bots most likely are with all the surveillance data they're gathering? That the NSA doesn't have detailed telemetry of the surveillance ops??
Let me ask you the question, what have they done about it? And why not?
jonathanstrange
> Being able to limit the influence of external bad actors is the main goal of ID verification.
Then they should say so. Elected officials lying to and misleading the public when their real intentions differ is almost criminal. It's not a behavior anyone should ever support. I will not vote for people who do that.
drawfloat
The stated reason is also true in most cases. Imgur was caught harvesting and selling children's data for advertising purposes, TikTok and others are also known to do this. There’s only so long you can avoid fixing a problem before states start to step in.
Barbing
>circumventing
I would say the time to buy mesh networking equipment is now. But it's not like I'm capable of defending the transmitter. So when they come for the VPNs, the VPSs, and encryption, I guess I'll just be out of luck.
(Out of luck = resigned to zero digital privacy. No matter I follow the law and “have nothing to hide” of course.)
Perhaps people will pass flash drives like North Korea or Cuba?
chneu
People trade away longevity for short term convenience. Then when that convenience is shown to be bad/unhealthy people refuse to give up that convenience.
So many aspects of our lives are like this now. People just accept defeat cuz it would mean giving up one click ordering or free return shipping or they might have to look at labels to avoid bad companies.
p0w3n3d
It's because people are too busy and distracted to understand and even listen to what dangers are heading towards them
Henchman21
And this WILL CONTINUE until we choose to turn off and walk away from THE GREAT DISTRACTION MACHINE. We call it “social media”.
SiempreViernes
Honestly I think these age verification laws are blunt instruments responding to the decade of avoided moderation the big platforms have managed to pull off.
I've run ad blockers for years now, but I'm still trying to forget those disgusting zit popping pictures that trended in ads for a while. Or those incredibly stupid life hack shorts, like the one where someone tied a cord around a mug and the hack to get it loose was smashing the cup... that crap made me despair for humanity as much as the Gaza genocide.
But google and facebook convinced the legislators that it would be impossible to keep that chum away from kids on their platform, so the legislators are going with the next option: banning the kids from the platforms.
hellojesus
Heaven forbid their parents denylist the urls on their routers...
bradley13
It is likely not a coincidence that so many different countries simultaneously started pushing for age verification.
The decline of privacy, the increase in intrusive government surveillance, the increasing restrictions on free speech - this is all part of a very disturbing pattern. Our governments are becoming increasingly authoritarian, and these are the tools they use to keep the populace under control.
barbazoo
> It is likely not a coincidence that so many different countries simultaneously started pushing for age verification.
I thought in many places it was related to the upcoming minimum age for social media. To verify age you need an ID. That's how we make it so most kids can't buy cigarettes, alcohol, thc, etc. You could argue social media shouldn't have a minimum age but that'll be the reality it looks like. How do we do that without ID?
a456463
How about you parent better and prevent your kids by educating them against the dangers of said things? Limit their time online and what they can do? Why should democracy be at stake and people's freedoms, just so you can get away with not parenting.
jatari
Ok, so what do you do when your child visits a friend's house and they have unrestricted access to the internet?
pmontra
Yes, in theory that's correct but show me a kid that never did something against the will of their parents. If something is forbidden it's something worth investigating. Furthermore there will always be another kid with a phone to share watching anything online. The traditional solution has been forbidding with punishments when the kids get caught breaking the rules.
bradley13
Sure, "think of the children", that's the classic excuse. Put on your tinfoil hat and ask yourself: why is that suddenly a topic in so many different countries?
jatari
Because the negative effects of unrestricted internet access on children (and adults) are becoming more evident.
butterbomb
> Put on your tinfoil hat and ask yourself: why is that suddenly a topic in so many different countries?
Ooh I know, the elite classes across the globe have been exposed as degenerate pedophile subhumans. Knowing the information would release soon, they began to coordinate this campaign to provide lip service virtue signaling about child predation while also tightening their grip on the underclasses before it gets too heated.
jim33442
Well "think of the children" was the PR reason for the US clamping down on TikTok, while the lawmakers and lobbyists behind it said pretty openly that it's about silencing criticism of Israel. So I would think it's the same thing in the EU.
simmerup
And also our countries are being attacked by external actors who want to sow discord and damage our institutions
seanw444
> sow discord
Funny choice of wording: https://www.eff.org/deeplinks/2026/02/discord-voluntarily-pu...
a456463
Stop making your kids my problem! We have everything to hide. It is called personal identity. All data online managed by companies will always be misused, lost to scammers, blamed back to you for something you never did, and hunt you down.
cubefox
> Stop making your kids my problem!
This is an interesting point: there is a trade-off between kids being denied access to inappropriate websites and adults not being forced to verify their age. We can't have both, so we must weigh which is more important. One could argue that protecting kids is clearly more important; on the other hand, there are way more adults in the world than kids, so more people are impacted with restrictions for adults.
mghackerlady
I saw porn when I was under 18, and I'd wager the majority of people also have going back to the 70s or 80s. We all ended up mostly normal
lanfeust6
Millennials are the first generation that had massive, unrestricted access to porn online. I'd wager a good chunk were negatively affected. Overconsumption was not much of a risk, until it was. To say nothing about extreme content.
wvenable
<<Looks around>>> You call this normal?!?
lokar
It's also important to understand that this is not a binary situation. You will never keep 100% of the kids from 100% of the inappropriate material. So it should be a debate about levels, and trade-offs.
IMO, the approach of having the large / popular commercial OS platforms ask you the birthday of the primary user on install (and secure that so it can't be changed), and then reveal the age (bucketed to a range) to apps. If you don't have kids, or care what they see, just put Jan 1 1900 (or have an explicit opt-out, which puts you in the last bucket). After that it's up to parents to parent.
leonvoss
Privacy is way more important than protecting kids from consuming content online. Kids already have more protection than it's worth, probably, this is moving in the wrong direction.
warkdarrior
> there are way more adults in the world than kids
How can that be? The world population has been growing for decades.
cubefox
Yeah but kids that are online are perhaps ~5 to 17, while adults go from 18 to 80, 90 or more. Moreover, social media is usually also allowed for older teenagers, so it's not necessarily all people up to 18 that need filtering out.
NGRhodes
One thing people underestimate is how brittle digital identity actually is in the UK.
There isn't a single identity. There's a loose federation of databases (banks, CRAs, telecoms, electoral roll, etc.).
There are multiple operational definitions of "name": legal name, common name, known-as name, card name, account display name. None is universally canonical. There's no statutory hierarchy that forces institutions to agree on precedence.
In the absence of a mandatory national ID, identification relies on matching across name, date of birth, and address history, which are inconsistently collected. Fuzziness is necessary for coverage, but it introduces brittleness. If a variant isn't explicitly linked as an alias, automated online checks can fail because the matching rules don't explore every permutation.
Even within a single dataset the problem doesn't disappear. Large systems such as the NHS have documented identification errors involving patients with identical names, twins at the same address, or demographic overlaps. Unique identifiers help, but operational workflows still depend on humans entering and reconciling imperfect data.
https://digital.nhs.uk/services/personal-demographics-servic...
Vohlenzer
Splink is a notable endeavor in this regard from the MoJ.
lkuty
This is exactly what I am feeling (the title, didn't read). I can't see why I would give a copy of my official id card or a picture of my face to a basic service on the Internet. Seriously? They do not deserve it. Even my phone number is too much but well Google has it now.
reddalo
Giving a copy of your ID card to a website? Damn. In my times, we didn't even use to provide our _real name_ to websites.
thewebguyd
In fact, it was strongly recommended not to give out your real name on the internet.
I'll stand by my opinion that deeply integrating the internet into our daily lives instead of keeping as a "place you go" was a huge mistake.
croes
Luckily it’s already possible to verify your age without actually giving out any data like your birthdate
LoganDark
Not to a service that only accepts such data as proof.
jermaustin1
Steam thinks I was born Jan 1, 1970. Not that I needed to lie when I did my age verification back 15 years ago, I just randomly scrolled the year down and selected one.
As the years have marched on, though, that "birthdate" becomes significantly closer to my real birthday.
_heimdall
And without having to trust that the government isn't keeping track of every request for age verification?
I'd be curious how that might work as I haven't yet seen a zero-trust age verification system.
raron
The age verification proposal of the EU tries to do that, the government knows you used age verification (and I think the rough number of times you used it), but they don't know when or where you used it.
https://ageverification.dev/av-doc-technical-specification/d...
chocmake
See eg. BBS+[1]. Proofs that preserve anonymity are generated locally and neither the verifier nor issuer can determine the user based on these (in scenarios of non PII signals like age thresholds), while still allowing the verifier to validate it's issuer approved.
OpenWaygate
I live in China, where every mobile game requires age verification. Teenagers can play for up to 1.5h/d on weekends. But as far as I can see, some parents will assist their children to unlock more time on purpose.
SiempreViernes
Handing over a phone is certainly cheaper than paying for extra childcare, though most likely much less healthy for the child.
I suppose the idea is that Chinese women will stay at home with the child so the state doesn't have to provide any help?
mothballed
More like the state (at least in places like USA) cracked down on children roaming freely so now people hide their kids inside playing video games so a Karen doesn't call CPS when mommy has other things to do all day besides play helicopter parent staring down at their kid all day.
rd
Is there any hard evidence that this is true compared to say 20 years ago? I’ve heard it repeated a million times but no one’s ever provided evidence.
kubb
This was done because of the "personal responsibility" crowd. Easier to blame the parents than make the communities safer.
OpenWaygate
The gov does provide some help. But a clearer trend is a lower marriage and birth rate
fauigerzigerk
I don't have a problem with verifying that I am an adult as long as I don't have to provide information that makes it easy to track down my identity.
The UK government has approved 7 age verification methods. Not one of them meets that standard.
That's not an accident.
https://www.ofcom.org.uk/online-safety/protecting-children/a...
strangecasts
It drives me a little bonkers that the UK already tried implementing age verification in 2019, with an approach that would have been easy to make verifiably anonymous: buying a single-use code from a newsagent who checks your age with ID [1], but can't connect the code to you specifically
That attempt officially failed because the UK failed to inform the EU about it, but I suspect it was also much harder to sell people on having to buy "porn passes" than on "just" kicking kids off phones
[1] https://www.theguardian.com/culture/2019/oct/16/uk-drops-pla...
amoe_
The problem for me is not services where the content is online, you can just avoid those, but cases where access to scarce real resources is controlled through online verification. E.g. renting recording studios, background checks for job applications, things like this. Often there is no route that does not go through a third-party verification service.
inanutshellus
I gave a bunch of details of my personal history to a verification service thinking naively that it would be used to prove I was me.
Instead, they didn't know much about me apparently and just stored what I told them.
Then it appears they were hacked because some completely unrelated release of stolen data included all my data, specifically all that data I had provided to that service, that one time.
The Verification Service is the honeypot for your private information. Arg.
elorant
Facebook recently flagged my account and asked for a video selfie and I decided that I'd rather leave that shithole than upload biometric data.
cs02rm0
The very concept they've been trying to sell is wrong headed.
Kids are trying to access XYZ which isn't safe (where XYZ may as well be "the internet") -> verify the ages of all adults, because we can't verify the age of a kid.
Meanwhile kids, like adults, can just find another route to access what they want. So some subset of adults hands over their identity information to an untrustworthy third party of dubious security.
I can't see how that does anything other than make the situation worse.
I was sitting in a room the other day with a young adult, we were searching for additional algorithm learning materials. They searched in Google, and accepted the cookies. They clicked on a website, and accepted those cookies too. They then started entering their email address to access another service. I was completely taken aback.
I'm the sort of person that either rejects the cookies, or will use another site entirely to avoid some weird dark-pattern cookie trickery. I don't like the idea of any particular service getting more information than they should.
Sitting there I realized, we were not the real target. It is the young people that are growing up conditioned to press accept, enter any details asked of them, and to not value their personal data. Sadly, the damage is already done.