You can also add cookie warning filters to uBlock Origin, but those don't autoclick when CSS filters aren't sufficient.
I wonder if they built the analytics system themselves or are using a COTS.
I wonder what they’re using to track user activity instead, probably just a mix of server logs and the other goings on of the backend.
Cookie dialogs are indeed horrible and out of control. Good on them for making the jump. But I doubt many others can justify the cost associated with the change. We need a better solution that gives users choice but reduces the friction caused by annoying prompts.
One question I do have, however, is whether or not the new homepage[0] which shows where people are when they open a PR actually reveals their present location. In the few samples I checked it did not seem that the presence of the person indicated matched their bio's location settings. If it is truly unmasking people's location I think it should be opt-in only, since it is private information. An employer or state may have issues with someone opening a PR from a specific country at a specific time, for example.
[0] It may be required to open this in an incognito browser.
GitHub gives the example of "those used by third-party analytics, tracking, and advertising services", but curious if the law defines some sort of bright line here.
Ironically, these sites need to use additional cookies to remember that you clicked away the banner, and part of the problem is I also blanket block all cookies on sites that I don't need to log into, so they don't get to "remember" anything.
"The site uses cookies. Actually it doesn't - you are not logged on and we don't need to maintain state. But our advertising partners, their partners, and their partner's partners all love to set tracking cookies. Click here to consent to three dozen cookies from around the globe."
I also like the fact that all users get equal privacy rights!
I've had clients straight up demand I should add an ugly cookie warning to the beautiful site I spent a month designing "because it's the law". Then, when I asked them to provide a full privacy policy to go with it, I've often gotten the response to "just leave it empty, nobody actually reads that". Thankfully, I'm stubborn enough to have always been successful in convincing them that maaaybe they should listen to the person who does this stuff for a living and not a sensationalist Medium article...
Just sell your product instead of wasting time and money on bike shedding your website with whatever you believe is going to "skyrocket your sales".
Thanks, github, for setting the example.
This EU law comes from a good idea, but it's terribly implemented - it implies that everybody out there is a lawyer and can make sense and agree on multiple pages of confusing legalese, and this every time they open a new website. This is so absurd, and the result is that we're trained to click "ok" on everything and we're tracked all the same. Back where we've started but with more popups.
I hope this is a good demonstration of a hands-off approach at Microsoft in regard to company culture.
I realize you likely still collect some analytics for yourself and that this change does nothing to alleviate that. EG, first party javascript. But it's great that it's divorced from 3rd parties.
Presumably Microsoft has access to those metrics, though? I wonder how deeply that gets parsed in conjunction with everything else they collect.
If only you could export some of that culture back to your corporate overlord. I'd love if MS Teams stopped exploding its RAM usage until it eventually has to be killed if it's unable to get an OK response from its analytics endpoint.
And I'd love to turn off analytics in Windows altogether. Even getting to the minimal analytic configuration is an exercise in futility spread out across a million different settings, some of which decide to reset themselves in obfuscated ways sometimes. eg, some think updates reset them, either directly or by doing things like changing default programs to ones which require analytics (eg Office). Or a change to one setting requires additional changes elsewhere to be effective.
No it doesn't. EU Law requires you to not harvest data at will, and you either must have a basic functional requirement (i.e. 'remember my login'), or you must ask the user if you can have their data to profile them so the advertisements can make a few percent more money (yes, the whole profiling thing doesn't even add that much to the bottom-line!).
The client-side Google Analytics request no longer appears to be sent, but a request containing personal data is still sent to collector.githubapp.com.
The privacy policy page which lists third party data subprocessors and cookies used on GitHub [1] seems to be outdated. Does the announced change also mean that Google Analytics and other subprocessors have been eliminated, or has some of the tracking merely moved server-side?
[1] https://docs.github.com/en/free-pro-team@latest/github/site-...
First and foremost, it's not about cookies. EU laws required you to inform visitors about "cookies" and have them acknowledge them long before GDPR passed into law.
Second, it's not about third parties or required cookies vs. marketing cookies.
What the law actually states is that you may not, in any form, make individuals using your service identifiable or track them without prior informed and active consent by the visitor, and you also may not make such consent mandatory for accessing your publication's content. Plain and simple.
All the "cookie banners" out there are ONE form of solving this problem but are in no way mandated by law. If you find another way of solving this issue, all the better.
But the way these banners are designed and implemented at large are geared towards soliciting consent by means of obfuscating actual selection (think: bright "accept all" buttons with tiny "save settings" links) and by making it hard and tedious to actually select and submit your preferences (think: giant lists of all trackers with opt-out for legitimate interest and opt-in for consent side by side). These are in clear violation of what the law states imho and are largely in use because there is still no juridical precedent that clarifies what goes and what doesn't.
What we are experiencing is a clash of ethical mandate and economical interest. GDPR is aimed at protecting you, the user, from being identified and tracked along your web history, be it by cookies or fingerprint or whatever.
Dropping functional cookies for logged in users is perfectly fine though, as registration itself is likely a process where users can be informed of such personal identification and is an active decision by the user.
Saying "the site needs it to function" and tracking users first party only is NOT a way around GDPR, as much as this narrative gets retold.
In short: it's not about cookies and third parties. The law is purposefully formulated in a way that isn't scoped on technicalities and seeks to prevent such "workarounds".
I would love to see more details disclosed by GitHub about HOW exactly they implemented this, as I am certain they have enough professional legal counsel to have dug deep into this question.
The rule is simple: If a website uses non-essential cookies, it must inform users and, in most EU jurisdictions, collect consent prior to placing a cookie on the user's machine.
The rationale behind the rule is that companies should not store company information on end-user devices without the user's consent. The rule applies to all non-essential cookies regardless of whether the cookies collect personal data or are used for tracking. The rule does not cover cookieless server-side tracking of users. Sites do not violate the law when they track users without consent using server-side tools. Sites do violate the law even without tracking users if the site does not collect consent for non-essential cookies.
GDPR enhanced the cookie rules by applying GDPR consent requirements to all cookies that involve personal information. Many sites ignored the old cookie rule because EU law did not give data protection authorities much enforcement power. GDPR increased the power of the DPAs to issue fines of up to 4% of annual turnover. Sites previously ignoring the rules put out cookie banners once GDPR came into effect.
edit: To be clear, Github isn't saying that it stopped tracking users. It's saying that it doesn't do cookie-based tracking and therefore it does not need a banner.
You could then nicely ask your users to agree to tracking in the places where there were the privacy intrusion banners of the shady tracking networks.
If that were functioning, whereby the two buttons presented to you were a "Continue without cookies" and "I want to opt in", the annoyance would be worth it. But as it stands, most sites just _pretend_ their tracking is opt-in through an "I agree" button, with "I don't agree" generally leading to a mess of check boxes in front of partners the general public has no idea about.
I do hope regulators end up cracking on this...
It would be awesome if this started a trend.
In reality, the idea was to make people aware that they are being tracked across the web and give them options and somehow everyone pretended that "No tracking, no banners" is not an option.
I am so glad that GitHub is coming forward and pointing out the elephant in the room: You don't need cookie banners or tracking consent forms if there's nothing to consent.
We recently removed Google Analytics and switched to apache server logs. It was the only 3rd party cookie our site was using, and the apache logs are far more transparent. (No one understands or trusts the analytics from google, and no one has the time, they only want to see certain bumps for certain pages).
So I see this more like a warning, than a positive thing.
[1]: https://www.i-dont-care-about-cookies.eu/
[2]: https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...
[3]: https://chrome.google.com/webstore/detail/i-dont-care-about-...
This is part of the web, when creating legislation that attempts to block/censor or circumvent technology that is already widely used it's in the highest degree repressive and when there are good intentions behind those laws it's just plain dumb.
I wonder how much better EU tax payer money would have been used if it were spent on advocating a change to the browser vendors/W3C instead of on law makers exerting their power way beyond their rein.
What is the best Chrome ext to auto accept cookies?
"However, the Opinion also stated that currently there is no exemption to consent for cookies that are strictly limited to first party anonymised and aggregated statistical purposes. Therefore, first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."
This seems quite clear that consent is required for any form of analytics where you can identify individual users.
Another commenter here mentioned that GitHub is only tracking individuals for 24 hours before the fingerprint changes. I would think that would probably qualify as being in the spirit of the ePrivacy directive, if not the letter of it.
Would be great if someone from GitHub could comment on the above? How are you handling this - do you maybe get consent as part of the terms you agree to when you signup? (which would mean not tracking anonymous users).
Especially given that they have shown that they are capable of delivering a good experience based on the Electron platform with VSCode.
My only explanation would be that it was cobbled together by interns, never meant for public release, then some project manager discovered it and said "Ship it!".
Google Analytics offers an `anonymizeIp` setting [0] to tell it to not store IP addresses of your users. This might be a good default in light of GDPR.
[0] https://developers.google.com/analytics/devguides/collection...
_gh_sess=eAAHHEQEjZlQKwq8kaSMpTeHC7tyMGwhVexbpZMVfDbjWCf764z4UMG7S%2FeLZpE0ML5y8%2FnmSEd2ZhiDLBHlZyA08Dj8cGob%2BGXSbGSjztMyc5pdd8uxj8qgxc78SHYw01E6pnOnWHRo7XoeTjKje%2FktOx5wObpjZj8JhfOnngdIlhfxSc1EctIth6RDFIsr2HPw9pbDczMfDwwKuswMrkMIt1JEOglF2L%2BxAdscMjeuXu2zFei58AR%2FwRQ%2FGgY3RbQigWt2w%2BKHDIY7a6pISw%3D%3D--H9M6LNV7YPDc1Dvm--vbgFN9CpCkCxTdfhdlvJkg%3D%3D; _octo=GH1.1.770191202.1608243985; logged_in=no; tz=America%2FLos_Angeles
This could easily be used for tracking on the backend... It would be better to not store a large opaque string.
The ICO responded. They said that they accomplished the goal of bringing awareness to cookies and its usage.
I would still like to improve any application I might create depending on how it's being used (to know what features to improve, which ones could potentially be removed or changed, etcetera). Keeping logs of this kind of usage would still go against the GDPR? I thought that it wouldn't as long as it was aggregated data without using any of the users' personal information. But some comments here have led me to believe that it would go against the GDPR regardless because it would still mean separating unique users.
Hoping someone more familiar with the law sees this comment. I mean, I can think of multiple ways to aggregate that data, even with unique users, without using personally identifying information, but I'm not sure anymore if that's enough.
Now if that realization just would dawn on other websites as well...
uBlock Origin has prevented the following page from loading:
https://stats.wp.com/e-202051.js
Because of the following filter:
||stats.wp.com^
Found in: Peter Lowe’s Ad and tracking server list • MVPS HOSTS • Dan Pollock’s hosts file • EasyPrivacy
Hi everyone, thanks for all the enthusiasm about this change. We are happy to have removed cookie banners from GitHub, and not to participate in third-party tracking of user behavior.
Our privacy policies and subprocessor list will be updated next week following our customary 30 day user notice period. We do this in the open in a pull request, so you can see the changes now:
And github wants us to look at them with big eyes how amazing they are.
There should have never been any other cookies first hand.
The end.
There could be a standard header such as cookie-privacy-policy which would point to url containing the policy in standard format (html?) and the browser could show it in standard way (by user's settings). Personally I would be happy with just a little "privacy policy" icon in url bar, similar to https lock icon and reader view icon (in Safari).
Many people told you so. Remove third party scripts and cookies and suddenly things become easy.
_gh_sess "2RS32uKu1a6pH8js1RreBWXcr4EdQMHXr/6PdyOeH7tgLbeIdxTaYni5fcFWff4wXTvqv8+lSeJ2W0RWHu0hgN4toFeR8B22x/HGuIx6gdIi4dvd2xQ4gtnuvhBVLTwnYjNGNcnT7ODFlerX+Li9HL33KXUvP/LDMlXTxCP+sJycF1x83Wqh8r2JFTGpcKgaQ22maisp6gfNVJI6MLnFQrKu/LxnuuMfPcVHzCEBjxDejJ/19ucDUVGnZ5LwP4JGTp1+RumiuA8MPxUTaktbLg==--TmIIVNRcipKqc2yt--6HedWH9JiNkUgNKKyGf30A=="
_octo "GH1.1.1254465225.1608314039"
logged_in "no"
The article is written in a way that we assume that they're not using any cookies unless necessary, but it seems that the actual implication is that they've re-categorised these cookies as "essential".