After the September 11 terrorist attacks in 2001, the entire world changed the way in which airport security was conducted. Some of the features made sense: sturdier metal detectors and more baggage scanners. But we also started seeing an increase in often useless and baseless measures designed to look good and make people “feel” safer. Remove shoes. Body scanners. Increasingly intrusive pat-downs. Limits to the amount of liquids. Many of these were often inconsistent and illogical; you were still allowed to travel with lighters, for example.
This is what security expert Bruce Schneier calls “Security Theater”. These are steps taken by authorities to try to erode fear from the population by making it look like you’ve taken action, but that action is often useless as it is protecting against the last attack, and not the next one. He explains: “These measures are only effective if we happen to guess what the next terrorists are planning. If we spend billions defending our rail systems, and the terrorists bomb a shopping mall instead, we’ve wasted our money.”
I often think about Security Theater when I look at the state of the Internet nowadays. The slow demise of the open and international web has been a long process, exacerbated by the growing reliance on apps. The current web is a sorry shadow of what it used to be: content behind paywalls, intrusive ads and pop-ups, and, most importantly if you’re located in Europe, a growing number of annoying cookie notifications.
Yes, the privacy/cookie notification, a favourite of many privacy advocates. What can be better than empowering users? By virtue of a legally mandated cookie pop-up, users can tailor their website experience with a few clicks. This is good, right?
Sort of. I think that the many cookie pop-ups are nothing more than Privacy Theatre, mandated by authorities to make us feel more in control, when the reality is that the vast majority of users will never look at any of these policies, while their presence actually makes things worse by giving us a false sense of privacy, when the reality is that our data continues to be harvested regardless of the pretence of agency.
The first problem that I have with cookie pop-ups is that they have become a nagging step that most users have learned to click to get rid of. It’s difficult to obtain statistics, but there is a very enlightening and comprehensive study on cookie GDPR compliance published last year. Unsurprisingly, the practices and experiences vary wildly, and are mostly dependent on the placement of notices and the choices given. With the right set of combinations, as little as 5% of users interact with the cookie settings. But perhaps most interestingly, of those people who had interacted with a cookie notice, 72% did so because they found the notices “annoying” and it prevented them from using the site, while 21% interacted “out of habit”. The report is clear that there appears to be little interaction with cookie settings in order for the user to purposefully make informed choices about their privacy. While the report concludes that a substantial number of users are willing to interact with cookie settings, this is entirely dependent on the position and nature of the settings.
The second reason for my dislike of cookie settings is precisely the language and complexity of many of the policies. Once you attempt to engage with the settings, you are presented with a number of options, some of which may sound the same. The standard has become policies that offer 4 choices: Essential, Performance, Functionality, and Marketing. This explanation of each from The Guardian site is as good as any:
- Essential – cookies that are essential to provide you with services you have requested. For example, these include the cookies that make it possible for you to stay logged into your Guardian account and make comments. If you set your browser to block these cookies, then these functions and services will not work for you. In particular, we won’t be able to save your preferences about cookies.
- Performance – cookies which measure how often you visit our sites and how you use them. We use this information to get a better sense of how our users engage with our journalism and to improve our sites and apps, so that users have a better experience. For example, we collect information about which of our pages are most frequently visited, and by which types of users. We also use third-party cookies to help with performance. For example, the Google Analytics cookie gives us information such as your journey between pages and whether you have downloaded anything (details of how to opt out of it are below).
- Functionality – cookies that are used to recognise you and remember your preferences or settings when you return to our site, so that we can provide you with a more personalised experience. For example, if you are based in the United Kingdom, we will remember this and make sure that you receive the UK homepage when you visit our site, rather than the US or Australia homepage. A mix of first-party and third-party cookies are used.
- Advertising – cookies that are used to collect information about your visit to our site, including the content you have viewed, the links you have followed and information about your browser, device and your IP address. We have set out more details on this below.
A pretty comprehensive explanation which is buried at the bottom of the page, and which most people will not bother reading. To be honest, I would personally not have a problem even with advertising… as I use ad blockers.
Finally, I tend to think that cookie privacy settings are ultimately useless, as many services will still get your data in other ways, particularly by making you sign up to services which handle your personal data in ways that are not transparent, which brings me back to the “Privacy Theatre” element of cookie notices. I would argue that if we care about privacy, these are actually counter-productive.
But some people do want to have control over the way in which a website handles their personal data, so what can we do?
The solution is obvious: have clear options in your website that allow users to make choices about their privacy settings, but don’t make it an annoying pop-up. While it’s evident that a pop-up or banner will be more likely to get a user reaction, this often is to get rid of the annoyance. Some websites advocate for a clear notice at the bottom of the page, and I feel like this is a happy compromise.
Individual empowerment is also important, and here is a situation in which I think personal responsibility may come in handy. I use both uBlock Origin and NoScript on my browsers to block most tracking, and I believe that those interested in privacy can achieve quite a lot with similar tools. It’s not perfect, but I prefer these tools to the annoying and ugly proliferation of banners.