Cookie Block corrects GDPR violations in the browser
Cookie Block is a new browser extension developed at the Swiss Federal Institute of Technology Zürich that corrects GDPR violations on the client site by removing cookies.
Most websites display cookie consent banners when they are visited for the first time in a browser; this also happens again when cookies are cleared in the browser. Researchers at the Swiss ETH analyzed violations and discovered that 94.7% of the analyzed sites violated GDPR, including:
- 82.5% of all sites had at least one undeclared cookie.
- 69.7% of all sites assumed a positive consent response before it was given by the user.
- 25.4% were unclassified.
- 21.3% ignored user choices.
- 13.5% had incorrect expiries.
- 8.2% had the wrong purpose.
Only 5.3% of all analyzed sizes had no GDPR violation, the majority had two or more violations.
Cookie Block was created to fix these GDPR violations in the user's browsers. Unlike extensions such as Auto Cookie Optout, Never Consent, or Vivaldi's built-in handling, it is not dealing with cookie prompts that users see on sites automatically. The extension deals with the cookies that sites write to the browser storage to correct validations on the client side. With the vast majority of sites in violation of GDPR, cookies are placed on the user's system that should not be there at all or are otherwise in violation, e.g., because they have been misclassified or had an incorrect expiry date.
Cookie Block uses machine learning to deal with cookies that are in violation. The extension classifies cookies by purpose and deletes those that the user rejects. More than 90% of privacy-invasive cookies are deleted automatically when using the extension according to the researchers.
The cookie identification model comes close to human expertise, and beats it sometimes. The researchers compared its performance to that of the Cookiepedia repository, a large database of pre-categorized cookies. The extension's performance resembles that of the manual classification in all four cookie categories (necessary, functional, analytics, and advertising).
The extension is available for Google Chrome, Mozilla Firefox, Microsoft Edge and Opera. It will install in most Chromium-based browsers, including Brave and Vivaldi, as well. The developers note that there won't be a version for Apple's Safari web browser because of technical restrictions.
Cookie Block accepts necessary and functional cookies by default, and will remove functionality, analytics and advertising cookies automatically using its own algorithm that runs on the client. Users may change the default configuration by opening the settings of the extension.
Strictly-necessary cookies are permanently enabled, but all other cookies may be enabled or disabled in the preferences. Users may enable the cookie history feature furthermore which uses a local history to improve the accuracy of the classifier. There is also a slider to change the bias for necessary cookies. Setting it to a higher value may reduce site breakage but may decrease overall accuracy and reduce privacy.
Individual sites can be added to an exceptions list; this is useful when a site does not function normally after installing Cookie Block. Lastly, users may clear the local cookie history and have all cookies that are stored currently categorized and those rejected by user policy removed from browser storage.
The extension does not prevent the setting of cookies, but it will delete cookies immediately afterwards based on user policy settings. By default, all advertising, tracking and analytics cookies are removed based on the extension's detection model and not the website's or service's classification.
Closing Words
Cookie Block should work with most browser extensions, including extensions that react to cookie consent banners automatically. The extension works in the background, analyzing and removing cookies based on its own classification of them. No data leaves the local browser according to the developers.
Cookie Block is a powerful browser extension that deals with the majority of cookies set due to GDRP violations automatically.
Now You: how do you handle cookie consent banners and cookies?
I was intrigued by the article and tried the browser extension “CookieBlock”.
As some have reviewed in the Comments, I have been using “uBlock Origin (add I don’t care about cookies to the Filter lists), Cookie AutoDelete, Cookie Quick Manager and Popup Blocker (strict)” in my browsers (currently, main browser is LibreWolf) for some time now.
CookieBlock is hosted on GitHub as an open source program.
GitHub – dibollinger/CookieBlock: Repository for the CookieBlock browser extension, which automatically enforces user privacy policy on browser cookies.
https://github.com/dibollinger/CookieBlock
Automating Cookie Consent and GDPR Violation Detection
https://karelkubicek.github.io/post/cookieblock
After checking their official documentation and other information, I decided to continue using CookieBlock because it seems to be “expected to have a complementary effect when used in conjunction with similar extensions.
And I recommended CookieBlock to the portal site of free software in Japan.
CookieBlock | freesoft-100.com
https://freesoft-100.com/review/comment/21281/
Thanks to ghacks.net for the informative article.
1) From Never-Consent’s Github: “THIS PROJECT IS NOT MAINTAINED ANYMORE”… Is there an alternative for Chrome and Chromium based browsers?
2) Is Auto Cookie Optout good? Is it better than I-don’t-care-about-cookies extension?
Setting aside uBlock cookies related filters you can try both on a new profile visiting these sites
– Google
– Facebook
– Dailymotion
Recently in some sites the action of clicking on these cookie consent banners is strictly connected to continue surfing properly, I suppose this is the difference using ‘I don’t care about cookie”s filter on uBlock instead of the extension. Better asking to a power user. A question choosing between these extensions might be: which cookies are accepted when the automatic click is made?
I fear ‘I don’t care about cookie’ is accepting cookies to get rid of the banner and this is not what I want. I don’t want to see the banner but also I don’t want to accept the cookies. I also hope power user could help us.
There is an answer of the developer about this on the Firefox extension page. Anyway seems difficult ‘have your cake and eat it, too’ with these cookie consent banners. The extension works well like @Tom H. wrote, but I have never compared it with the others. Lately I am using only related filters on uBlock and rarely I encounter the same issues described above by @CJ.
Not a big deal, at most you realize how much the web sucks more and more.
There’s also the ‘I don’t care about cookies’ extension by Kiko [https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/) which I’ve used at one time to later discover that the filter list for ‘uBlock Origin’ (same name, same developer) at [https://www.i-dont-care-about-cookies.eu/] / ‘Adblock Plus, AdBlock and uBlock Origin’ (bottom of the screen) made it almost as well as the extension.
Same here : I’ve abandoned the ‘I don’t care about cookies’ Firefox extension in favor of the ‘I don’t care about cookies’ filter for uBlock Origin which, together with other lists appears to handle those darn cookie consent banners and pop-ups, at least for most sites. Yet, not for all. Rather than re-installing the ‘I don’t care about cookies’ extension and given very few sites don’t bend under the uBO filters, given as well that I won’t allow permanent cookies just for the sake of keeping my answers to GDPR coookie consent, I use a userscript manager extension called Violentmonkey to handle dedicated per-site cookie injection for recalcitrant sites.
First I answer to the site’s GDPR request, check the best choice (‘Refuse all and continue’ when available)
Then, with the ‘Cooke Quick manager’ Firefox extension, I copy the cookie’s Domain and value.
Next, with ‘Violent Monkey’, I create a cookie injection with above-mentioned cookie data.
The result looks like this :
—
// ==UserScript==
// @name Cookie for dailymotion.com
// @description Makes DailyMotion start without asking cookie consent
// @version 1.0
// @author ME
// @namespace Violentmonkey Scripts
// @match *://*.dailymotion.com/*
// @grant none
// @run-at document-start
// @noframes
// ==/UserScript==
“use strict”;
var c = document.cookie
// If there’s no ‘dm-euconsent-v2’ cookie, then create one.
if(!c || !c.match(“^dm-euconsent-v2=|; ?dm-euconsent-v2=”)) {
document.cookie = “dm-euconsent-v2=CPGqjVePGqjVeBpAFAENBbCgAAAAAH_AAAqIAAAPtAJMNS-AC7EscGSaNKoUQIQrCQ6AUAFFAMLRNYQMLAp2VwEeoIGACE1ARgRAgxBRiwCAAQCAJCIgJADwQCIAiAQAAgBUgIQAETAILACwMAgAFANCxAigCECQgyOCo5TAgIkWignsrAEou9jTCEMosAKBR_RUYCJQggWBkJCwcAAA”;
}
—
This injects the cookie into Dailymotion as soon as opened and the result is exactly the same as if I had endured the cookie consent with best privacy response and allows to not have to keep the cookie more than for the session only (or even have it wiped on site exit!).
At this time the only sites requiring a consent cookie that couldn’t be manged with uBO but could with these cookie injections are : BFMTV, CNEWS, DailyMotion, FranceCulture, LCP, Ouest-France.
I inject cookies for other sites but for other data than cookie consent. Works great.
This may trigger an element of curiosity/interest for some of us which is why I mention it.
Happy surf to all :=)
@corbel, you fear wrong. Other users have mentioned similar fears though it’s been explained over and over again by the developer, here for instance :
[https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/reviews/1815230/]
There are situations where blocking certain cookies will block accessing as well, i.e. Dailymotion.
I’ve used this extension for a long time, believe me there is absolutely NO acceptation of GDPR related cookies other than when indispensable. I use moreover a Firefox extension named ‘Cookie Quick Manager’ which allows to have real-time view on cookies and localStorage. The extension is clean, believe me.
@Tom thank you, this is the answer I needed!
@Tom
Yep, that answer. You beat me to it.
I listed Dailymotion because is a good example.
I find the cookie warnings worse than the cookies themselves. I already have third-party cookies blocked in the browser settings anyway.
While I currently try to block the cookie warnings with the “AdGuard Annoyances” filter in uBlock Origin, it’s not ideal as this often breaks websites and prevents them from working properly (and it’s difficult for list maintainers to properly test, as they can’t easily test site functionality for sites that require logging in).
This is a poorly implemented law. For people like me who regularly clear my browser history, the cookie warnings are too annoying not to block, but when I block them it often causes issues with sites. And for average users, they also get fed up with the cookie warnings and just accept them regardless. So it is not achieving anything other than annoying users and causing site breakages.
While I agree with the spirit of the law, I have no interest in choosing whether I consent to cookies for each and every website I visit – it’s just not practical. The answer is always the same – no. This should be implemented via a browser setting – or better still, an operating system setting so it covers apps too (at least for commercial operating systems with a significant number of users such as Windows, MacOS, IOS, Android). That way, users can set their preference once and websites/apps read the setting from there (like the “Do Not Track” browser setting, but backed by law).
Or, just ban targeted advertising all together. That prevents ad companies from getting a competitive advantage from mass data collection and tracking. The current race-to-the-bottom situation is ridiculous. If advertisers want to place ads, they will then need to be contextual instead. So it you’re Dell trying to promote the latest server, that means placing ads based on search terms, or in places where those ads will likely be most effective (such as IT/technology related websites). They will likely be more effective than showing ads for washing machines for six months after someone has already bought one anyway.
GDPR is a farce that in reality is only superficially concerned with protecting individual privacy. It has everything to do with forcing small and medium businesses to implement a bureaucratic system at high cost that they can ill afford, under the threat of huge financial penalties, while for mega coroporations with their vast legal resources it is just another drop in the ocean.
Of course you can request records of data collected on you etc. by corporations like Goolag or Microsoft but if you are not satisfied with their compliance good luck in taking legal action.
@ACJ if you’re using ‘uBlock Origin’ try this :
uBlock Origin / Dashboard / Filter lists / Custom / Import
ADD : https://www.i-dont-care-about-cookies.eu/abp/
OR
Install this extension :
‘I don’t care about cookies’ extension by Kiko [https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/]
I use the former only, works great on 95% of sites, but the extension will get you closer to a 100%. No need to use both.
There’s also the ‘I don’t care about cookies’ extension by Kiko [https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/) which I’ve used at one time to later discover that the filter list for ‘uBlock Origin’ (same name, same developer) at [https://www.i-dont-care-about-cookies.eu/] / ‘Adblock Plus, AdBlock and uBlock Origin’ (bottom of the screen) made it almost as well as the extension.
I’ll check this ‘Cookie Block’ extension.
I’ve just read ‘Cookie Block’ developer’s FAQ, it mentions,
”
Q: CookieBlock does not remove the cookie banners. How do I get rid of them?
A: We want to keep our extension as simple as possible and with only the purpose of removing the cookies. Recommended extensions that remove the popups are: Consent-O-Matic, I don’t care about cookies, or uBlock Origin with Annoyances filters (e.g., EasyList Cookie).”
I hadn’t understood that. Personally what bothers me are the cookie banners/acceptation pop-ups which are not the purpose of this add-on.
As @Yash above, I’ve set ‘First Party Isolation’ to true, I use the ‘I don’t care about cookies’ list for uBO as well as the ‘Cookie Autodelete’ extension to choose which sites’ cookies, LocalStorage, IndexedDB are to be kept or wiped when exiting a site … so whatever cookies & data a site lays it’ll get removed when exiting it unless I decide not to.
For users who use a browser out-of-the-box (native settings) and/or by curiosity, this ‘Cookie Block’ extension appears as most valuable.
I’m stunned by what the article here relates : 94.7% of the analyzed sites violated GDPR. I knew the fact of violating GDPR but never would have conceived such a percentage. IMO the worst about many sites’ tracking policy is that it’s no longer apprehended in terms of ethics given its nowadays considered as normal : privacy intrusion has become commonplace.
It’s a great add-on. I’ve been using it for a couple of days on all my browsers (Firefox Nightly, Firefox, Microsoft Edge) already. Works perfectly. Highly recommended. Thumbs up!
What is FPI/dFPI?
@Questioning, I must say this is the first time I entirely agree with Iron Heart.
You *may* encounter issues with sites requiring 3rd-party cookies. Personally I boycott such sites.
// 1- ENABLE FIRST-PARTY ISOLATION (FPI)
pref(“privacy.firstparty.isolate”, true); // DEFAULT=false
// AND enforce FPI restriction for window.opener
pref(“privacy.firstparty.isolate.restrict_opener_access”, true); // DEFAULT=true
pref(“privacy.firstparty.isolate.block_post_message”, true); // DEFAULT=false
// 2- DISABLE DYNAMIC FIRST-PARTY ISOLATION (DFPI)
// The most important difference between DFPI and FPI is that DFPI will adhere to exceptions granted through
// the storage access API and thus ensure better web compatibility BUT less privacy.
pref(“privacy.dynamic_firstparty.use_site”, false); // DEFAULT=true
// 3- DISABLE ETP STRICT MODE AND CHOOSE CUSTOM
// TO ALLOW network.cookie.cookieBehavior = 1 = Block 3rd-party
// IF ‘CUSTOM’ THEN DYNAMIC STORAGE PARTITIONING IS DISABLED FOR ALL SITES
// Content blocking category : ‘strict’ or ‘custom’.
// Strict mode includes Total Cookie Protection and Smart Block and a stricter list
pref(“browser.contentblocking.category”, “custom”);
// SET COOKIE BEHAVIOR TO BLOCK 3RD-PARTIES
// This also controls access to 3rd party Web Storage, IndexedDB, Cache API and Service Worker Cache
pref(“network.cookie.cookieBehavior”, 1);
pref(“network.cookie.cookieBehavior.pbmode”, 1); // SAME FOR PRIVATE BROWSING (PB)
@ Tom Hawack,
I thought “privacy.firstparty.isolate = true” had become unnecessary by using FF’s option to set Enhanced Tracking Protection to “Strict” which supposedly does the same thing?
Is that not the case?
@Tom Hawack
See first party isolation. Nowadays things change fast. Way too fast at least arkenfox user.js.
“Replaced with network partitioning (FF85+) and TCP (2701), * and enabling FPI disables those. FPI is no longer maintained”
/*** [SECTION 6000]: DON’T TOUCH ***/
https://github.com/arkenfox/user.js/blob/master/user.js
@Jim, indeed. I’ve used arkenfox’s user.js for years, perhaps ever since it was started (named then ghacks user.js), carefully and with modifications of my own, but I must say that the decision to abandon FPI (and even threat to ban from their GitHub repository a user who’d disagree) was a big surprise. I continue to check arkenfox’s user.js but I’ve kept many settings it has progressively removed (for other reasons than obsolescence of course) and that includes FPI. It remains a most valuable source to check new/removed/modified prefs but it’s considered here as a complement much more than an all in one set and forget.
@Questioning
Honest answer? Partitioning (isolation of local data) deals with a form of legacy tracking, i.e. when an adversary puts local data into your browser. That is, it fixes a form of tracking that will soon be extinct anyway and is currently used only by those who are too dumb to implement stateless forms of tracking. Partitioning also doesn’t really stop 1st party tracking.
Putting files into your browser that are either separable or deletable gives way too much power to the user. Hence why spying businesses like Google move away from them, to other forms of tracking, look up Google Topics as an example for that.
Personally, I just block 3rd party cookies (Brave does that by default) and use the Cookie AutoDelete extension to get rid of 1st party cookies and other local files once I leave a website. Brave also partitions a whole bunch of stuff via ephemeral storage already. But as I said, this form of tracking is going the way of the dodo as we speak.
@iron heart
Chromium based browsers have a similar function in the ://flags section to FPI.
https://www.ctrl.blog/entry/firefox-fpi.html
I use normally 3 browsers for different levels of security/privacy, (well actually 4 if TorBrowser is also considered but I use that with VPN only and complete separate usernames, pw and personal data. )
– Firefox , my daily browser, for the normal stuff, with Ublock, Privacy badger , DuckDuckGO privacy and HTTPS add-ons. normally I block all cookies that are not essential.
– Nightly Firefox, for experiments, testing and sensitive stuff, but without any add-ons, except ublock and privacy badger.
-Librewolf, for sensitive and private stuff, used for limited special websites like bank, government,private email, no add-ons but Ublock and Privacy badger , not used for the common websites, news etc. On closing all history and cookies are removed , except some individual once on the white list.
Hum, and what will happen to you if you don’t do that (use 4 browsers)? I mean, just use 1 browser with Ubo, don’t you think it is enough? I am quite sure nothing bad will happen to you and your life will be more relaxed :-)
@Olivier
We have different threat models.
@ard
Maybe you can replace HTTPS add-on by configuring about:config setting. It works for me.
/** MIXED CONTENT ***/
https://github.com/arkenfox/user.js/blob/master/user.js
I use many browsers also.
@Olivier
That could only happen if Firefox had decent multi-account support. Of course, the person above is kind of clueless because the reason why Firefox’s multi account sucks is the reason where you could avoid using multiple browsers.
When you open a profile in Firefox it will open a whole instance of Firefox, unlike Chromium where it will share resources so you can open 60 profiles and they will use minimal resources.
I mean, there is no reason to use multiple browsers but some people believe that having some different browsers will create some magical vortex from Santa Claus pee that will save them from being tracked or anything.
Privacy is a lie, a myth, especially when we talk about dumb stuff like cookies, there are rare cases where cookies will be used for tracking, also, people could just use the out of the box ‘block all cookies’ which will do better, since it will not let any creation of any cookie.
Of course some people will talk not only about cookies but ‘fingerprinting’ the new marketing scheme (scam) to make money of the privacy they supposedly care about. Like seriously, they are millions of ways to track you better and know how you are without needing that information, but people buy:
“I can be on the internet and still have privacy and anonymity the ones making money out of ‘protecting me’ told me so”
But you know, just uBlock annoyances list, get rid of cookie messages if people wanted of course that will do nothing about anything, because there are other ways of storage which are used as well to gather information about anyone (doesn’t mean they track you) like Local Storage, Session Storage, IndexedDB, etc.
But if they want to track you, they will and some extension will not stop anything and GDPR are the same governmental scam to make you think they care about you when it is all to track you faster and better.
“When you open a profile in Firefox it will open a whole instance of Firefox, unlike Chromium where it will share resources so you can open 60 profiles and they will use minimal resources.”
I don’t use 60 profiles, but in my experience using Firefox’s multi-account containers with 10 profiles is much more efficient that chromium browsers. Are you using the legacy profile switcher perhaps?
With FPI/dFPI there is no need to worry about cookies, which is what I prefer. Plus in uBO I’ve blocked certain domains through dynamic filtering. So no cookies notices. All manual, no filter lists activated. Problem with some lists is over-the-top blocking.
FPI/dFPI?????
(dynamic) first party isolation. One of Firefox’s killer privacy features, as far as I’m aware.
what, does this feature kill privacy ?