Cookies and the like

[brightncheerful]

When a website puts a cookie (including LocalStorage file and database file) on my computer, does whatever the cookie (including…) is alleged/supposed to be for then get to work on whatever its motives are immediately, or what?

Before closing down my computer, I delete all unwanted cookies, 'hidden' storage files and databases But I'm wondering whether that's too late to stop them nosing about and perhaps it would be better to delete anything unwanted the moment they show up in the folder(s).

On one site I visit regularly, the site asks whether I accept cookies, etc and another click shows the options When i click options, there's a list of what cookies and other files are installed and the reason for them. All the cookies, etc are pre-selected to yes, but de-selecting to no doesn't seem to make any difference: the files, etc still end up on my computer.

Also, I've just visited the BBC site. At the top of the home page it says "please let us know if you agree to all of these cookies". When i click no, take me to settings, the settings are already preselected. Deselected makes no difference. Checking my computer Localstorage folder the BBC has added3 files.

My extremely limited knowledge of cookie law is that acceptance has to be a positive act by the site user. Some sites say that continuing to use the site implies acceptance but is that legally allowed? In any event, how can it be legal or ethical to provide an option to say no to cookies etc only to discover the site takes no notice?

tia
Bnc

[Slarti]

Cookies don't actually "do" anything. They are just text files that sit there to be read.

They are mostly just supposed to be read by the site that created them, for example, so it doesn't show you the GDPR notice again, or so it knows you want the English language version of the site.
But these days many seem to be read by all and sundry so as to track where you've been so that they can issue "appropriate" advertising to you, and possibly for other reasons.

I don't delete at the end of the day, I have Ccleaner installed and set to run at boot up, when it deletes all of the unwanted cookies - those I haven't white-listed. I have limited the activity of Ccleaner to just cookies.

If I am tricked into going to somewhere like the Daily Mail, which seems to cluster bomb cookies, then I may well run it on leaving the site.

For preselected options, try going to Yahoo. There are literally hundreds of them, all 3rd parties.
No idea how legal that is, for the BBC adding 3 to your machine, even though you've said no. One of them is probably to remember that that is what you said.

Slarti

[gadjet]

I have installed CCleaner. It doesn't appear to be offering to run at startup. What do I need to do ?

Tia.

Sue

[Breelander]

I have installed CCleaner. It doesn't appear to be offering to run at startup. What do I need to do ?

CCleaner > Options > Settings
tick the box for 'Run CCleaner when computer starts'.

[dragnips]

I have installed CCleaner. It doesn't appear to be offering to run at startup. What do I need to do ?

Tia.

Sue

This may be of interest:
https://www.makeuseof.com/tag/stop-usin ... r-windows/

[Slarti]

This may be of interest:
https://www.makeuseof.com/tag/stop-usin ... r-windows/

That is well out of date as the current version doesn't display those problems.

And Avast did come clean as soon as they were informed of one distribution's hack.

As far as I can tell, it is as safe as any other software and is not generating router firewall logs that it is trying to dial home.

Slarti

[Breelander]

This may be of interest:
https://www.makeuseof.com/tag/stop-usin ... r-windows/

That is well out of date as the current version doesn't display those problems.

Doubly so - at the time that article was published on 10th August it was already out of date. The offending version was pulled a week before in the face of overwhelming criticism. The 'current' version is actually the previous one...

Posted August 3
Thank you all for your continued feedback (positive and negative, it all helps)....
...Today we have removed v5.45 and reverted to v5.44 as the main download for CCleaner while we work on a new version...

https://forum.piriform.com/topic/52360- ... ent-298509

[Lanark]

If I am tricked into going to somewhere like the Daily Mail, which seems to cluster bomb cookies, then I may well run it on leaving the site.

I use the HOSTS file to cover that kind of thing, mine has a list of about 20 sites I never want to visit (including the DM), if I click a link by accident it just opens a completely blank page. They will never get a single page view from me.

[formoverfunction]

I've created profile in Firefox and then cookie containers within each profile.

So, my "general" searches are kept seperate from "accounts", "social media" and "research".

Facebook for instance, which I don't use, would go in the "social' profile and then inside it's own cookie container. That way they'd only ever see me visting their site.

Combined with Privacy Badger,noscript and Adblock plus, and the use of a paid for VPN (only for social media & general browsing), I feel it's as private as I need.

I won't use whatsapp, so I've replaced it with Signal and done away with Google accounts. I prefer startpage and duckduckgo for searches.

Keep a Tor Browser at hand, but my VPN also provides one. I don't use Tor very often.

I also have a VirtualBox machine running in the background, a hardened Linux, where I dump any email attatchments I get from people or sources I don't know well. I open them in the virtual Linux machine, once I've disconnected from the network. Read the file and if I want to keep it, flatten it and then store it in the cloud.

I use hotels a lot, so have a seperate Rapsberry Pi for use in them. Pi's are great little private machines if you make some effort in securing them.

It all takes a few days to set up, but if you've ever experiences identity fraud, then you'll see you spend more than a few days sorting it out. It's time well invested in my mind.

I wouldn't just worry about cookies, but aslo how 'clean" you are at using email. How well seperated are your email accounts?

[gryffron]

GDPR has this to say about cookies https://www.itgovernance.eu/blog/en/how ... e-policies
"In short: when cookies can identify an individual via their device, it is considered personal data."

So storing a cookie which said "this computer hasn't logged on", or "this computer has not accepted our Ts+Cs", or even "this computer is searching for car insurance", that would be fine under GDPR, without requiring your permission, as it cannot identify the individual user. It is personal identity which is critical to GDPR. So if the cookie said "username=brightncheerful", then they would need permission under GDPR.

But these days many [cookies] seem to be read by all and sundry so as to track where you've been so that they can issue "appropriate" advertising to you, and possibly for other reasons.

Cookies can ONLY be read by the site that put them there. The problem is that many sites (including this one) contain embedded elements from secondary sites. So the secondary site ALSO knows exactly who you are and where you have been. And there's no easy way (short of looking at the html source) for a user to know that. This secondary content is typically adverts and graphics. Though a 1 pixel x 1 pixel white dot would be sufficient!

Gryff

[Slarti]

If I am tricked into going to somewhere like the Daily Mail, which seems to cluster bomb cookies, then I may well run it on leaving the site.

I use the HOSTS file to cover that kind of thing, mine has a list of about 20 sites I never want to visit (including the DM), if I click a link by accident it just opens a completely blank page. They will never get a single page view from me.

Now that is an idea I like!

Consider it stolen

Slarti

[Slarti]

But these days many [cookies] seem to be read by all and sundry so as to track where you've been so that they can issue "appropriate" advertising to you, and possibly for other reasons.

Cookies can ONLY be read by the site that put them there.

There are many cookies that you can open in Notepad and read them there and there is nothing to stop malicious sites, or elements of sites like adverts, from doing the same. They shouldn't, but there is nothing technical to stop them from doing so.

Slarti

[gryffron]

There are many cookies that you can open in Notepad and read them there and there is nothing to stop malicious sites, or elements of sites like adverts, from doing the same. They shouldn't, but there is nothing technical to stop them from doing so.

Yes, there is. In normal browser operation, ONLY the website that created a cookie can read or edit it. You can access them (like any other file). Installed malware can access them (like any other file). But normal web operation can't. That's really the whole point of cookies. It's called Same Origin Policy

The fact that the webpage you see may contain embedded elements from secondary websites often gives the impression that such data is accessible. But it is not.

Gryff

[Slarti]

There are many cookies that you can open in Notepad and read them there and there is nothing to stop malicious sites, or elements of sites like adverts, from doing the same. They shouldn't, but there is nothing technical to stop them from doing so.

Yes, there is. In normal browser operation, ONLY the website that created a cookie can read or edit it. You can access them (like any other file). Installed malware can access them (like any other file). But normal web operation can't. That's really the whole point of cookies. It's called Same Origin Policy

The fact that the webpage you see may contain embedded elements from secondary websites often gives the impression that such data is accessible. But it is not.

Gryff

https://www.owasp.org/index.php/Testing ... G-SESS-002) would seem to suggest otherwise.

And it is not "normal" web operation that is the problem, but malware, which doesn't have to be installed as it can attack from malvertising sites. Hence adblocking.

Slarti

[UncleEbenezer]

GDPR has this to say about cookies https://www.itgovernance.eu/blog/en/how ... e-policies
"In short: when cookies can identify an individual via their device, it is considered personal data."

So storing a cookie which said "this computer hasn't logged on", or "this computer has not accepted our Ts+Cs", or even "this computer is searching for car insurance", that would be fine under GDPR, without requiring your permission, as it cannot identify the individual user. It is personal identity which is critical to GDPR. So if the cookie said "username=brightncheerful", then they would need permission under GDPR.

Careful with your conclusions. GDPR appears sometimes to have a very wide definition of what is individually identifiable data: even IP addresses get a mention! We don't yet have the case law to tell us where common sense will or won't prevail.

Advertisers don't care in the least who you are. They care about your behaviour and interests: you are Sporty person, or Arty person, or person of leisure, or busy family, for example. And then, what you're likely to spend money on. Part of where there's bafflement over the privacy debate is that one side (exemplified by Google) genuinely sees no harm in holding lots of data: they only want to know your interests so they can best help satisfy them (and - in some cases - profit from doing so).

[beeswax]

WHY allow any cookies is the question? Its now getting tedious as every UK site media site visited has a statement that you have to click OK on otherwise it won't let you read the article..What about foreign content?

DATA protection should mean NO cookies allowed anywhere...

[johnhemming]

WHY allow any cookies is the question? Its now getting tedious as every UK site media site visited has a statement that you have to click OK on otherwise it won't let you read the article..What about foreign content?

DATA protection should mean NO cookies allowed anywhere...

If you use the debugger on a browser then you can see the cookies. Here is an example from TLF:
Cookie: _ga=GA1.3.12120[.....]39927.15237; _gid=GA1.3.101821[.....]259237; phpbb3_kuesx_u=1251; phpbb3_kuesx_k=ddf76[....]9945; phpbb3_kuesx_sid=10bf00[....]fa68222079929d3a93fdd; DYNSRV=lin-10-170-0-112; _gat=1


I am not sure what all of these do, but some of them will be responsible for the client (browser) telling the server which user it is that is contacting the server. This means that a username and password does not have to be sent every time anyone reads or writes to this forum.

I have taken bits out of the values of the cookies to make it harder to forge these.

[UncleEbenezer]

WHY allow any cookies is the question? Its now getting tedious as every UK site media site visited has a statement that you have to click OK on otherwise it won't let you read the article..What about foreign content?

DATA protection should mean NO cookies allowed anywhere...

Then you lose quite a lot of functionality, starting with the ability to post at lemonfool and most other interactive sites. A couple of other things you might have a use for are setting your preferences at a site, or using a shopping cart.

[Wmnr]

Ironically, the only way a web site can remember that you don't want cookies, is by using a cookie

[madhatter]

Ironically, the only way a web site can remember that you don't want cookies, is by using a cookie

Certainly, if every time you see the thing asking if you want to accept cookies you answer “No”, you will get the same rather tiresome message every time you visit, as there will be nothing to indicate to the site that you have ever visited it before.