Discussion (90 Comments)
Even the Google pre-installed system apps don't do this
Meta's attempts to conduct surveillance go further than ignoring the sec-gpc header. Meta tries to bypass Android's built-in VPN and the system DNS settings.
I use a computer I can reasonably control, i.e., one running an OS I compiled myself, as the gateway for the phone so traffic destined for 8.8.8.8 and 8.8.4.4 is blocked by the gateway's firewall. (TLS forward proxy on the gateway also adds sec-gpc header to all HTTP/HTTPS traffic^2)
1. For example, using PCAPDroid or NetGuard
2. In addition to HTTPS traffic, Meta's WhatsApp app sends some requests over unencrypted HTTP, too, e.g., destined for c.whatsapp.net
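The gateway approach in this comment can be checked rather than assumed. The following is an added example, not code from the commenter or from PCAPDroid/NetGuard: it reads a constructed per-app flow log, flags apps that send DNS traffic somewhere other than the resolver the network configured, and emits gateway drop rules for those endpoints. The log format, the app names and the resolver address are assumptions made for the example.

```python
"""Spot apps that talk to public resolvers instead of the system DNS.

Added example: the flow-log format, app names and resolver addresses are
constructed for illustration and are not from PCAPDroid, NetGuard, or the thread.
"""
import ipaddress

# Constructed records in the shape "app dst_ip dst_port proto", one flow per line,
# standing in for a per-app export from an Android traffic monitor.
SAMPLE_FLOWS = """\
com.example.chat 8.8.8.8 53 udp
com.example.chat 8.8.4.4 853 tcp
com.example.chat 157.240.0.1 443 tcp
com.example.news 192.168.1.1 53 udp
com.example.news 1.1.1.1 443 tcp
"""

# The resolver the gateway hands out via DHCP (constructed value).
SYSTEM_RESOLVERS = frozenset({"192.168.1.1"})
# Plain DNS and DNS-over-TLS. DNS-over-HTTPS rides on 443 and cannot be told
# apart from web traffic by port alone, so it is deliberately out of scope here.
DNS_PORTS = {53, 853}


def parse_flows(text):
    """Turn the whitespace-separated log into a list of (app, ip, port, proto)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, ip, port, proto = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        flows.append((app, ip, int(port), proto.lower()))
    return flows


def find_resolver_bypass(flows, system_resolvers=SYSTEM_RESOLVERS):
    """Map each app to the sorted off-system DNS endpoints it contacted.

    A flow counts as a bypass when it targets a DNS port but not a resolver the
    system configured. Apps that only use the system resolver are omitted.
    """
    hits = {}
    for app, ip, port, proto in flows:
        if port in DNS_PORTS and ip not in system_resolvers:
            hits.setdefault(app, set()).add((ip, port, proto))
    return {app: sorted(eps) for app, eps in hits.items()}


def gateway_drop_rules(bypasses, chain="inet filter forward"):
    """Emit nft commands that drop the flagged resolver endpoints at the gateway.

    This mirrors the commenter's approach of blocking hard-coded resolvers on a
    gateway the user controls, so the app falls back to the system DNS. The chain
    name is an assumption; adjust it to the gateway's own ruleset.
    """
    rules = []
    for eps in bypasses.values():
        for ip, port, proto in eps:
            rules.append(f"nft add rule {chain} ip daddr {ip} {proto} dport {port} drop")
    return sorted(set(rules))


if __name__ == "__main__":
    bypasses = find_resolver_bypass(parse_flows(SAMPLE_FLOWS))
    for app, eps in bypasses.items():
        print(app, eps)
    print("\n".join(gateway_drop_rules(bypasses)))
```

Only the flows to 8.8.8.8:53 and 8.8.4.4:853 are flagged; the 443 flows are not, which is the honest limit of port-based detection.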
Fines that amount to a daily expenditure account do nothing. Fines have to have the potential to do real damage to, or destroy, noncompliants if there is going to be any deterrent.
Contempt is obvious; the chance of jail should exist in actuality rather than as a vague possibility.
I'm wondering what would be more effective.
1] desist or existentially threatening fines, or indentureship will occur.
2] you have a problem with code maintenance, we will take code maintenance into receivership, until you have demonstrated that you can maintain code in a legal framework.
Even those relatively small fines rarely get paid. Companies can tie up the judgements in the courts for years without having to pay a single cent. [1]
> The Data Protection Commission (DPC) is owed more than €4 billion in fines that have not been collected or are subject to legal challenge. The DPC hit companies – including firms in Big Tech – with more than €530 million in fines last year. However, just €125,000 of that has been collected so far, according to data released under FOI laws. Over the past six years, the commission has levied an incredible €4.04 billion in fines, mostly on multinational technology companies. However, of that total, €4.02 billion remains uncollected and just €20 million has been paid in fines so far. In 2024, €652 million worth of fines was levied, of which €582,500 has been paid.
[1] https://www.irishtimes.com/business/2026/01/12/data-protecti...
I know I'm dreaming, but still.
"yes, having the time of my life!"
"here's your bill."
"whaa aat ?!"
" oh, did you think it was all free, when everyone normal, pays ? "
We have 'get tough on X, Y, Z' things that don't impact me at all. You can dial 911 if someone assaults you in the US, but I don't know of a single resource to get law enforcement involved when I am digitally assaulted. I think that is a big part of the problem here. Nobody is actually taking the call to enforce this stuff.
That's not to say the idea isn't interesting, but in terms of legal proceedings, chain of custody with the forensic data is most important.
Appends a source-url attribute at the end (404media).
I'm sure they're not doing anything nefarious with it, but it is a tiny bit ironic that there's a referral url like that associated with an organization that is speaking out about global privacy audits.
I'm glad they're doing this, and understand this is complex, but throwing out a "check the plank in thine eye before the sty in the others". I haven't really dealt with referral links like that, IIRC that's something 404 is sending as a referrer URL? Would it be prudent to reroute on the GPA sites such referral urls to strip them before sending back?
I also want to push back on Google telling the press our California Privacy Audit "is based on a fundamental misunderstanding of how [Google's] products work".
I'm the former head of Cookie Compliance at Google and I have the federal court filings that show their statements are simply not true, and Google knows it isn't true.
For the record, here are direct quotes from a federal court filing made by Google's "Data Protection Officer and Senior Director of Privacy", who stated that "If called to testify as a witness, [they] could and would testify competently to such facts under oath."
Here are those facts:
* "Due to Dr. Libert’s academic background focusing on cookies, he became one of the primary members of the team assisting with Google’s cookie compliance and governance efforts..."
* "Dr. Libert quickly assumed responsibility for aiding our in-house regulatory lawyers in addressing governmental investigations into cookies..."
* "Dr. Libert often worked under the guidance of in-house counsel to develop technical solutions to issues raised by privacy regulators..."
* "Dr. Libert was also responsible for the development of internal policies on cookies and web storage. He drafted Google’s internal cookie guidelines in 2021 and early 2022, which applies to all cookies or cookies-like objects, and outlines processes on managing cookies, storing cookies, logging data associated with cookies, server protocols, policies on data collection, and data linkage..."
* "By developing the policy and conducting the audit, Dr. Libert gained insight into every Google-owned cookie deployed across Google’s web properties..."
* "Dr. Libert also proposed changes to how Google interprets specific definitions across its products’ various privacy policies. This included work on policies relating to analytics and advertising services used by third-party apps and websites..."
--
TLDR: Google can say what they want about me in public, but when they are under oath in a federal court of law, this is what they really say.
> In the absence of regulatory, legal, or other requirements, websites can interpret an expressed Global Privacy Control preference as they find most appropriate for the given person, particularly as considered in light of the person's privacy expectations, context, and cultural circumstances.
The CCPA [2] also never explicitly mentions cookies or forbids them from being set. The relevant passages about opting out on the sale of personal information are:
> a) A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information
How would you respond to their claim that you are fundamentally misunderstanding GPC, and that the spec and the law do not mean you never set cookies, they mean that you must honor the preferences expressed by the header in backend processes that involve tracking or sale of personal information?
[1] https://w3c.github.io/gpc/
[2] https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oa...?
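The disagreement in this comment is about what "honoring" the signal means server-side. The following is an added example, not code from the commenter, the GPC spec, or any audited site: it parses the Sec-GPC header as the spec defines it, then shows both readings side by side, the backend "no sale or sharing" interpretation the commenter attributes to Google and the stricter "no advertising cookies" reading the audit applied, plus the core check an audit would run against a response. Cookie names, the `do_not_sell` field and the `lastUpdate` date are constructed for the example.

```python
"""Honour the Sec-GPC request header on the server side.

Added example (not from the post, the GPC spec, or any audited site). Cookie
names and the user-record field are assumptions made for illustration.
"""
import json
from http.cookies import SimpleCookie

# Constructed cookie categories: which names count as advertising is a policy
# decision each site makes; these values are placeholders.
AD_COOKIES = frozenset({"_ads_id", "_ga_ads"})
ESSENTIAL_COOKIES = frozenset({"session", "csrf"})


def gpc_opted_out(headers):
    """True only for 'Sec-GPC: 1', the sole value the GPC spec defines.

    Header names are matched case-insensitively; any other value, or a missing
    header, is treated as no preference expressed.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("sec-gpc")
    return value is not None and value.strip() == "1"


def cookies_to_set(request_headers, requested):
    """Filter the cookies a page wants to set against the GPC signal.

    Under the reading the audit applied, an opted-out visitor receives no
    advertising cookies at all; essential cookies are unaffected either way.
    """
    if not gpc_opted_out(request_headers):
        return sorted(requested)
    return sorted(c for c in requested if c not in AD_COOKIES)


def data_sale_allowed(request_headers, user_record):
    """Backend check: refuse to sell or share personal data when GPC is set.

    This is the interpretation the commenter attributes to Google: the signal
    binds wherever personal information would be sold or shared, independent of
    which cookies exist. The opt-out is persisted on the (constructed) record so
    it survives requests that arrive without the header.
    """
    if gpc_opted_out(request_headers):
        user_record["do_not_sell"] = True
    return not user_record.get("do_not_sell", False)


def well_known_gpc(last_update="2026-01-01"):
    """Body for /.well-known/gpc.json, the resource the GPC spec uses to announce support."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def audit_response(set_cookie_headers, gpc_sent=True):
    """Reproduce the audit's core check: did a GPC-on visit still set ad cookies?

    `set_cookie_headers` is a list of raw Set-Cookie header values from the
    response. Returns the advertising cookie names set despite the signal.
    """
    if not gpc_sent:
        return []
    jar = SimpleCookie()
    for raw in set_cookie_headers:
        jar.load(raw)
    return sorted(name for name in jar if name in AD_COOKIES)


if __name__ == "__main__":
    req = {"Sec-GPC": "1", "Host": "example.test"}
    print(cookies_to_set(req, {"session", "_ads_id", "csrf"}))
    print(audit_response(["_ads_id=abc123; Path=/; Secure", "session=xyz; HttpOnly"]))
```

The two checks are not alternatives: a site that follows the backend reading still has to show, as the audit tried to, that the cookies it does set are not feeding sale or sharing, which is exactly the gap a controlled GPC-on/GPC-off comparison is meant to surface.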
---
We are filling the gap related to reliable facts not existing. We did a scientifically controlled test with GPC on and off. We presented the results as technical findings along with general background.
We are not lawyers, and we are happy to help others perform their own audits: https://webxray.ai - we have no desire to be lawyers.
We are a hard-tech engineering outfit; we deliver scientific clarity on complex topics.
If the Internet didn't turn out the way it turned out, this could have been the greatest job ever.
I have personally felt many times that I was being tracked by Google or other big tech companies, which showed me something relevant to previous search queries even though they were made on different platforms and using adblock extensions (uBlock Origin). So their active tracking is definitely very elaborate.
I can't help but think they will pay the fines and go on continuing doing this, which makes it seem like it just evolved into a scheme where the government now takes their cut.
I don’t have any of their apps on my phone. And there is no known method to get rid of the trackers in your iCloud keychain.
I'm not surprised at the downvotes, but someday we all have to look in the mirror and decide if we like what we see, but it's easier to downvote in the meantime.
Unfortunately, awareness-raising and solution-building are probably two entirely separate stages for this issue.
I genuinely believe that people are insane to think otherwise; proof is that there have been millions (billions?) issued in fines for non-respect of this specific issue, so why are people still having "hope"? It doesn't make sense, it's THERE, it's in THEIR DB.
The same goes for LLMs of course; every prompt is recorded and will be used, be sure of that.
That's probably true, but not what the article is reporting:
> 55 percent of the sites it checked set ad cookies in a user’s browser even if they opted out of tracking
So essentially, it's ignoring user preference directly, not just in spirit.
That's historically been a very prominent purpose of cookies.
Sure it's not exclusively tracking, but it's nonsense to make the assertion that "Cookies != Tracking"
Google, Microsoft, OpenAI, Anthropic etc. etc.
Sure... the contracts often say there is no saving or learning from the AI API usage. But in the end it's like a "trust me bro" promise.
There is a saying on the internet:
The generation that refused cookies is now giving AI permission to read their emails, scan their local files, and manage their bank accounts.
It seems many have given up...
Guess who's winning?
It’s been pretty obvious at the federal level (Signal leaks, etc.) that the folks at the top are explicitly trying to avoid it.
When someone spies on you, it means they do not trust you. That means we should not trust them either.
It's not just these giant corporations though. I think the whole business model is broken, if they need to spy on people in order to milk out more profit. One big glaring weakness is ... the browser. I think we need to find a solution here. Chrome is a problem. Chromium cannot offset this problem; Google still makes most decisions. (You can adapt, but it is a constant wear-and-tear race to do so, and Google has more resources.)
I used to think that Ladybird could provide an alternative; then I was banned from the project site, allegedly for "trolling" and "insulting". I disagree with that but there is no real regulation to protest. This unfortunately exemplifies a problem of how the modern www became too restrictive in general and alternatives stumble on their own "morality", before they even produced a real competitor here. (I still think there should be competitors to Google, so it is good that Ladybird exists; I am just no longer attached in any way as to whether they succeed or not, due to the ban.)
What we need is a real global movement. Everywhere. The whole www model has to change. It should not be controllable by private entities or state agencies - those who watch the age verification process already know what's coming next.
Got your ID ready to access information yet, bud?
Turning off JS by default and temp-whitelisting only mitigates most of this tracking.
They don't even need to "track" you properly for this stuff to work and it seems there's no way to escape it.
So sure, cat toy small time retailer on Etsy won't but credit card processor or shipper might.
So it's less about "we're sending the data to $megacorp" and more about "I want the most bang for buck on my own campaigns" when the decision is made.
Using a different email certainly helps, though!
EDIT: highly encouraged by Meta et al.! Whether this is a legitimate request to improve results or pure self-interest on the part of Meta I don't know!
(And to the person who resolved the issue with the Major AI Company - would it really hurt to give a shout-out for the help we gave you?)