Annabelle Theobald

It's all an act - why cookie banners should be abolished

In their alt.chi paper "Stop the Consent Theater," CISPA researchers Lea Gröber and Matthias Fassl argue for new approaches to data privacy on websites.

When surfing the web, users are constantly confronted with cookie banners that offer them complicated choices such as "store and/or retrieve information on a device," "measure ad performance," and "create a personalized ad profile." Overwhelmed by the sheer mass of options and sliders to drag back and forth, many users simply click on the redeeming "Allow All" button. Originally intended to enable the much-cited informational self-determination, the banners are now seen by many as more of a curse than a blessing. In their paper "Stop the Consent Theater," which they presented at the renowned IT conference CHI, Lea Gröber and Matthias Fassl took an in-depth look at the practice of supposedly informed consent to cookies by users and came to the conclusion that other solutions for more data protection are needed.

How could cookie banners get so out of control? This is one of the questions Matthias Fassl and Lea Gröber asked themselves with regard to the sophisticated and sometimes perfidious system surrounding the "harvesting" of consent to cookies on websites. The answer is as predictable as it is trivial: Because of money. What users are interested in, where their gaze lingers, what they buy, whom they love - data like this has become the gold of the web over the past two decades, and the gold rush in the El Dorado of data has not yet come to an end.

The foundation for today's surveillance capitalism was laid after the dotcom bubble burst in 2000, the two researchers explain. The 1990s saw an enormous number of startups in the digital economy. The startups of the so-called "new economy" were striving to go public at the time in order to collect more capital and thus grow quickly. Expectations of profits were high, share prices rose rapidly - and then fell continuously from March 2000 onwards, because it became clear that most Internet companies would not be able to meet the inflated expectations. Many went bankrupt and those that survived came under pressure to generate higher revenues. Google was the first to realize that it had previously untapped potential in the form of its users' behavioral data. Google was followed by other companies, and today advertisers are outbidding each other in collecting and accumulating such data in order to put it to use for advertising that is increasingly tailored to people.

One tool to get access to user data is cookies. But to regard them as a generally bad thing is too short-sighted. One of their core tasks is to ensure that users can navigate the web as easily and conveniently as possible. For example, cookies ensure that users do not have to specify who is shopping each time they go online. In addition, they can still see what they put in their virtual shopping cart three days ago. Cookies are small data packets that are sent from a website to the user's browser and stored there. On the next visit, the browser sends the file back to the website, which then recognizes the user.

Particularly popular with advertisers, however, are not these functional cookies, but so-called tracking cookies. With them - and other technologies beyond the cookie universe - the activities of users can be tracked across the web and increasingly precise profiles of them can be created. Since 2016, the GDPR has mandated throughout the EU that users must be able to prevent this practice and decide for themselves which cookies may be set and which may not. Since then, the banners described above have been decorating the web and, ironically, instead of leading to more privacy, have opened up a whole new industry around data: so-called consent management platforms show site operators how they can optimize their cookie banners. In plain language, this means: how they can get users to agree to everything.

As Matthias Fassl and Lea Gröber show on the basis of various studies, one way to do this is to have as many categories and selection options as possible, and make them as unclear as possible. "Some of these are also quite nonsensical," explains Gröber. "Because often the banners also allow a selection in cookies, which are urgently needed for the function of the page. In doing so, no one wants to have a loss of function." Often, double negations are used or users are tempted by the size and color of the button to agree to everything in the end.

Making an informed decision is simply made impossible for users by these tricks, explains Gröber. But that's not all. Often, users worry about what kind of permissions they give, because some site operators only ask them on paper and ignore the decisions altogether. Other researchers have shown that a large proportion of European websites install tracking cookies before users have the opportunity to object to their use. "It's one thing to have a cookie banner on the page, but it's another thing to implement the corresponding selection options technically," says Gröber. And someone would have to constantly monitor both - an immense effort that, apparently, has not been made so far.
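The gap described above, between showing a banner and technically honoring it, can be checked from a capture of the first page load. The following is an added example, not taken from the paper or this article: the site `shop.example`, the cookie names, the allowlist of strictly necessary cookies and the review threshold are all assumptions constructed for illustration.

```python
# Audit Set-Cookie headers that arrived before any consent-banner interaction.
SITE = "shop.example"            # assumption: the site's registrable domain
ESSENTIAL = {"session_id", "cart"}   # assumption: documented as strictly necessary
MAX_AGE_REVIEW = 24 * 3600       # assumption: longer lifetimes deserve review

# Constructed capture: (responding host, raw Set-Cookie header), all received
# on the first page load, before the visitor touched the banner.
PRE_CONSENT_CAPTURE = [
    ("shop.example", "session_id=ab12; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("shop.example", "cart=3f9; Path=/; Max-Age=259200"),
    ("shop.example", "_visitor=77c1; Path=/; Max-Age=63072000"),
    ("ads.tracker.example",
     "uid=9d0e; Domain=tracker.example; Max-Age=31536000; SameSite=None; Secure"),
]

def parse_set_cookie(header):
    """Return (name, attrs) with attribute names lower-cased; flags map to ''."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_third_party(host, attrs, site):
    # Simplification: plain suffix match against `site`, no Public Suffix List.
    scope = attrs.get("domain", host).lstrip(".").lower()
    return not (scope == site or scope.endswith("." + site))

def findings(capture, site=SITE):
    """List (cookie name, reasons) for pre-consent cookies that need justification."""
    out = []
    for host, header in capture:
        name, attrs = parse_set_cookie(header)
        third = is_third_party(host, attrs, site)
        if name in ESSENTIAL and not third:
            continue  # allowlisted functional cookie, e.g. the shopping cart
        reasons = ["third-party scope"] if third else []
        age = attrs.get("max-age", "")
        if age.isdigit() and int(age) > MAX_AGE_REVIEW:
            reasons.append("persistent")
        out.append((name, reasons or ["not on allowlist"]))
    return out

if __name__ == "__main__":
    for name, reasons in findings(PRE_CONSENT_CAPTURE):
        print(f"{name}: set before consent ({', '.join(reasons)})")
```

Run against a real capture, the same check has to be repeated after the visitor rejects everything, since a site can also ignore the recorded choice.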

"It is therefore time for us to rethink and stop dumping the problem on the users," says Gröber. To that end, she says, it is important that the IT community ask itself the right questions in the future and change its perspective. "Instead of trying to make it easier for users to opt out of cookies, perhaps we should think about how website operators could monetize their content in other ways." That would be a first step toward better data protection. It's clear to the two researchers that it's not that simple. The business is lucrative and many users are still unaware of the price they pay for free content and personalized advertising. "The fact that there is a problem needs to be communicated even more explicitly."

translated by Tobias Ebelshäuser