
Does the EU consent form system pose a new security risk?

Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky.

There are so many EU consent forms, I feel more likely to confuse a disguised download consent form and a security attack with an EU consent form. How big a risk do EU consent forms represent?

unor
LifeInTheTrees
  • A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites; I think the EU fails miserably at internet law. – LifeInTheTrees Sep 03 '18 at 10:09
  • Yes, it is possible for a malvertisement to carefully craft a pop-up consent screen as clickbait, especially for those websites that set CORS to "*". – mootmoot Sep 03 '18 at 12:09
  • Just so you know, there are Adblock filter lists (such as https://fanboy.co.nz/) that can block these cookie warnings for you. – Federico Poloni Sep 03 '18 at 14:49
  • This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk. – Peter Taylor Sep 03 '18 at 16:11
  • Erm, Ublock blocks that stuff, no? Plus, most of them are inserted by javascript anyway, so if you have that off by default... – Damon Sep 03 '18 at 19:25
  • They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too. – YetAnotherRandomUser Sep 03 '18 at 21:55
  • It might be of interest that there is a very nice extension for firefox/chrome/... called [I don't care about cookies](https://www.i-dont-care-about-cookies.eu/) which gets rid of 99% of them automatically. – Matija Nalis Sep 04 '18 at 11:04
  • Some of which I've seen are almost dangerous in how complicated they are to read and how badly they function. As in, there are cookie forms which simply deny access if you don't allow each and every cookie. Just terrible. Thank heavens for InPrivate navigation. – Mast Sep 04 '18 at 12:02
  • Aren't there any generic opt-out sites? If so, when you visit another site, does it inform you that you have already opted out? – Mawg says reinstate Monica Sep 04 '18 at 14:40
  • Are these only shown if you are from the EU? I've seen lots of sites mentioning they use cookies, but the only option is ever "OK". There's no option to not use cookies besides leaving the site. – Kat Sep 05 '18 at 00:05

2 Answers


It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.

Sjoerd
  • What I noticed is that some of them default to opting in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way; try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors. – htmlcoderexe Sep 03 '18 at 21:07
  • @htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical. – hvd Sep 04 '18 at 08:17
  • If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies. – Ruther Rendommeleigh Sep 04 '18 at 10:08
  • The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes. – ratchet freak Sep 04 '18 at 10:09
  • @htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on its own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care. – Morfildur Sep 04 '18 at 13:25
  • @ratchetfreak I remember one site which had checkboxes both for "Enable cookies for [some partner]" and "Disable cookies for [some partner]". In the same list, with the enables and disables mixed together randomly. I just stopped using that site entirely. – Nic Sep 04 '18 at 19:55
  • If possible, I exit websites that spam you with that. 95 % of websites have **NO** business even using cookies, because they provide zero value to the end user and are not required in any way for content display purposes. – Juha Untinen Sep 05 '18 at 06:43

This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.

This is indeed a bad thing: browsers have gone a long way in protecting the user from malicious websites by limiting the actions that can be performed without a click (like blocking pop-ups which are not a response to a click). Once users learn to click on anything that blocks the view and reads 'cookies', those defences won't help much.

So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.

Dmitry Grigoryev
  • I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour. – Oli Sep 05 '18 at 08:28
  • *"This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something."* - doing it that way around would technically be in breach of GDPR legislation; the website should **not** set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) **unless** it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise. – CD001 Sep 05 '18 at 13:40
  • @Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog. – Dmitry Grigoryev Sep 05 '18 at 14:51
  • @CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies. – Dmitry Grigoryev Sep 05 '18 at 14:54
  • I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to. – supercat Sep 05 '18 at 15:11
  • @supercat "EU" and "standardized" hardly fit in the same paragraph, much less a sentence ;) – Juha Untinen Sep 06 '18 at 07:05
  • @JuhaUntinen: Would anything prohibit a bunch of web sites from agreeing among themselves upon a convention for cookies that would indicate that particular cookie agreements had been accepted [e.g. use a cookie whose value was `userAcceptsCookieAgreements=hashValue1,hashValue2,etc.` to indicate that the user accepted agreements whose texts the listed hash values], and continuing to behave in such fashion even if--by some mysterious coincidence--a user-agent plug-in happened to cause such cookies to spontaneously appear on many newly-visited web sites? – supercat Sep 06 '18 at 14:54
  • @JuhaUntinen: If a significant number of web sites decided to limit themselves to a small number of different agreements, then users who accept an agreement once and indicate that they wish to accept it for all web sites would have their browser automatically supply the appropriate cookies, that could ease the cookie-click burden significantly, without any official entity having to do anything. – supercat Sep 06 '18 at 15:20