Recent news re browser tracking and on-line safety

In a recent email from the Electronic Frontier Foundation (eff.org) I found these snippets that some might find interesting.

FIGHTING CREEPY BROWSER TRACKING
In 2021 Google announced Federated Learning of Cohorts (FLoC), their replacement for third-party cookies. We called FLoC a “terrible idea,” even launching AmIFloCed to tell users if their browser had been turned into a guinea pig for this experiment. Now in 2023, Google has rolled out “Privacy Sandbox,” a Chrome feature that exchanges third-party cookies for a new way to track your internet use for advertising—“Topics.” EFF has updated the Privacy Badger browser extension to remove tracking from links in various Google products. You can follow this step-by-step guide to disable Privacy Sandbox.

ENCRYPTION AROUND THE WORLD
The U.K. Parliament just passed the Online Safety Bill (OSB). This could empower the government to undermine encryption and the privacy and security of its residents and internet users worldwide. EFF will watch for regulations following the passing of the OSB. The U.S. is also seeking to pass a bill that would threaten encryption—the STOP CSAM Act—and we’re pushing back with our partner organizations who agree: a private conversation is a basic human right.

Yeah it will be interesting to see where it goes.

I am in two minds about much of the new legislation. On the one hand I’ve spent 30 years dealing with the fall-out of letting people access the Internet anonymously. On the other hand, the legislation they are trying to bring in seems unworkable.

With regards to new UK legislation, they can certainly have a crack at the major messaging apps to insert back-doors so they can read encrypted messages. All that’s going to happen is that one by one, messaging providers will withdraw from the UK market. The big names have stated in no uncertain terms they will not compromise their products in the name of “big brother”. Let’s face it, would anyone use a secure messaging app for anything if it carried the tag-line (but the government can read your messages …). May as well use email …

What’s worse is the EU CRA bill. It would seem that the recommended solution for Open Source developers outside of the EU is to add a clause prohibiting the use of their software within the EU. Pretty much all software these days seems to contain Open Source in some way, shape or form. If they were to bring it in, they may find, literally overnight, that the software the EU runs on contains components that are not licensed for use in the EU.

It seems to be a thing in all walks of life these days. A relatively small percentage of the population misbehave, so to combat this governments bring in legislation that has a profound effect on the entire population. Then they find that the percentage of the population who are prepared to misbehave ignore the new legislation. This just heaps more and more onto people who weren’t misbehaving in the first place, giving those who were more and more of ‘an advantage’. The net result of this must surely be that more and more people are encouraged to misbehave?

The approach seems to be counter-productive and indeed self-destructive.

Cookies

As someone who writes code that uses cookies, I must admit to being a little bemused by the whole cookie discussion and I’m not sure I fully understand the issue.

Cookies are scoped to your connection, so if you are accessing site A, there is a cookie-scoped connection between the browser and site A. If you open another tab and connect to site B, there will be a new scoped connection between the browser and site B. Site A won’t be able to see site B’s cookies and vice versa. What it does do is allow the browser to remember how you access a given site (saved credentials etc.) between sessions, and from a marketing perspective, maybe which ads you’ve clicked on or have been shown. If you don’t want the browser to remember this, just run in incognito mode and you should get a clean connection each time you visit the site, or run a ‘clean’ browser into which you’ve not inserted any credentials or personal information. Then if you’re worried about being identified, pipe all your traffic via a proxy.

In terms of the site you are visiting tracking what you are doing, this can be done on the server-side; I can’t think of anything that needs to use cookies for this, it’s just that cookies are convenient. So not using cookies is just going to make developers who do want to track stuff do it server-side instead.

(and (!) there may be an argument for saying, if someone is providing a free service, it doesn’t seem unreasonable to allow them to track how that service is used in order to make it better …)

The other aspect is the things that don’t seem to attract attention. In addition to cookies, scoped connections also have “Local Storage”, “Session Storage”, “IndexedDB Storage”, “Private State tokens”, “Shared storage”, “Cache storage” etc., all of which potentially do similar things to cookies, but are given different names. In terms of coding, cookies tend to bloat HTTP headers, so as a programmer, utilising these “other” mechanisms is often a more attractive approach.

So, I know we have to have cookie notices on all our websites, but other than to make older family members too afraid to access those sites, from a practical perspective, I’m not entirely sure “why” we have to have them.

The ability of browsers to start “web workers” that run in the background in your browser with apparently no user approval worries me. If you bring up developer tools in a browser (right click, inspect) then look at the application tab (on Chrome for example), then “Service Workers”, then “see all registrations” … now I’m not entirely sure re: all the ins and outs of service workers, but it feels like there should be some sort of notification before this amount of “stuff” is stored in the browser and some sort of notification re: “when” these things might run. (and maybe, what sort of information they are storing and processing and potentially sending back to their owners)

I may be wrong, but it “feels” to an extent like the industry is dangling a cookie from a string and saying “look Cookie!”, whereas maybe elsewhere there are other things going on that are also deserving of (possibly more) attention.
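The post above describes cookies as scoped per site; the third-party cookies that Privacy Sandbox is meant to replace (first snippet in the thread) are the case where one embedded host is scoped into many sites at once. The toy cookie jar below, an added example that is not from the thread, models both: per-host storage plus the SameSite rule that decides whether a cookie travels on a cross-site request. Hostnames (`shop.example`, `news.example`, `tracker.ads`) are constructed, and "site" is approximated as the last two DNS labels rather than the Public Suffix List real browsers use.

```javascript
// Toy model of browser cookie scoping (added example; not from the forum post).
// Real browsers also consider path, Secure, expiry and top-level navigations;
// those are omitted to keep the scoping rule itself visible.

// Approximate "site" as the last two DNS labels (constructed simplification;
// real browsers consult the Public Suffix List).
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

class CookieJar {
  constructor() {
    this.store = new Map(); // key "host|name" -> { value, sameSite }
  }

  // Record a cookie from a Set-Cookie response header sent by `host`.
  // Default SameSite=Lax, as modern browsers assume when unspecified.
  set(host, name, value, sameSite = 'Lax') {
    this.store.set(`${host}|${name}`, { value, sameSite });
  }

  // Cookies attached to a sub-resource request to `requestHost` issued by a
  // page whose top-level site is `topLevelHost`. Only cookies stored for
  // requestHost are candidates (site A never sees site B's jar), and
  // Lax/Strict cookies are withheld when the request is cross-site.
  cookiesFor(requestHost, topLevelHost) {
    const crossSite = siteOf(requestHost) !== siteOf(topLevelHost);
    const out = {};
    for (const [key, c] of this.store) {
      const [host, name] = key.split('|');
      if (host !== requestHost) continue;
      if (crossSite && c.sameSite !== 'None') continue;
      out[name] = c.value;
    }
    return out;
  }
}

// Scenario: two unrelated first-party sites both embed the same tracker host.
function simulate() {
  const jar = new CookieJar();
  jar.set('shop.example', 'session', 's1');        // first-party, Lax by default
  jar.set('tracker.ads', 'uid', 'u-42', 'None');   // third-party; needs SameSite=None
  return {
    shopSeesOwn:   jar.cookiesFor('shop.example', 'shop.example'),
    newsSeesShop:  jar.cookiesFor('shop.example', 'news.example'), // Lax: withheld
    trackerOnShop: jar.cookiesFor('tracker.ads',  'shop.example'),
    trackerOnNews: jar.cookiesFor('tracker.ads',  'news.example'), // same uid: tracked
  };
}
```

The last two results are the same `uid` value on two unrelated sites, which is exactly the linkage third-party cookie removal targets; the `newsSeesShop` result shows the per-site isolation the post describes holding for the first-party cookie.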