Cloudflare launches easy to set up consent manager that respects users (cloudflare.com)
128 points by kuba-orlik on April 23, 2023 | hide | past | favorite | 92 comments


Hold on, Cloudflare building a tool that respects users?

Checking to see if that statement is secure.

refreshes

Checking to see if that statement is secure.

refreshes

Checking to see if that statement is secure.


Cloudflare doesn't magically put itself between you and the website. They're like the NRA/gun manufacturer: they build the tools, the usage is up to the websites. And most web admins are lazy, or not knowledgeable, or just smart enough to not want to deal with the negative stuff that comes with hosting a website. So the question is, does the website you are visiting respect its users? The irony is that some of the most popular "file download" sites use Cloudflare to protect themselves from scraping and spam too.


The NRA is a massive lobbying and political organization with a media producing propaganda arm. They don’t make guns, although they are supported by many gun manufacturers.

I don’t think that’s a good analogy.


Does Cloudflare respect users? They don't even respect the intent of "do not track": enable it and you can do Cloudflare captchas in an infinite loop, which doesn't seem so respectful in my understanding of that word.


It's not meaningful to talk about a large company's opinions. It's entirely possible that some Cloudflare products respect users while others don't.

Better to evaluate the merits of each product than to make a blanket judgment about the company and force your opinions of each product to conform.


> Better to evaluate the merits of each product than to make a blanket judgment about the company and force your opinions of each product to conform.

I think that the point is that Cloudflare's business model lies largely on its ability to monitor individual end users. So when Cloudflare announces they are providing a service whose primary selling point is that it affects their ability to monitor users then this sounds like a blatant contradiction.

I also think that begging people to blindly trust corporations, especially when it's without any rationale or reason, is to say the least very silly.


> I think that the point is that Cloudflare's business model lies largely on its ability to monitor individual end users

Sorry. Can you clarify what the business model is?

Disclaimer: work at cloudflare and this is the first time I’ve heard our business is monitoring users.


CF's business model is to protect websites from bad traffic (which it apparently defines as non-human traffic). It does this by deciding whether any given connection is from a human or not. And to decide that, in practice, requires it to track humans.

Or from the opposite direction, in practice every single time I add more privacy tools to my collection, CF puts more "are you sure you're human?" pages in my way. Motivations they tell themselves they have ultimately matter very little in light of what they're actually doing to the web.


>Disclaimer: work at cloudflare and this is the first time I’ve heard our business is monitoring users.

You didn't read that at all. You read a claim that cloudflare depends on its ability to monitor individual end users.

That's not actually a nitpick. Given you work at Cloudflare, can you point me to the part where Cloudflare states in some legal doc of consequence that they do not monitor individual end users? I'd appreciate that.


You mean hCaptcha, which is AFAIK independent and hot garbage; I have faced infinite captchas multiple times. Cloudflare Turnstile is an automatic or one-click captcha.


I have definitely gotten infinite one-click captchas from Turnstile (because of being on a VPN I guess), I have also gotten non-infinite but multiple one-click captchas.

If they are not going to let me past, I wish they would at least come out and say it. Are they trying to waste bot time like someone stringing along a scammer? Not everyone on a VPN is a bot or otherwise malicious user.


No idea about whatever the hell this distinction you're touting is. As a user, the infinite captchas are branded "Cloudflare".

So yes. I mean cloudflare. But don't pick a fight on the internet about it, set do not track in your browser and watch the web break for yourself.

Cloudflare are pretty terrible and need to be called out for it.


This actually sounds like respecting DNT. If a site turns on the captcha feature and you have DNT then anything they do to mark your session as "person who did the captcha" is tracking.


No, it's not. That's not what "tracking" means.


It is to some people.


I would love an option that allows me to set defaults for all websites that I visit. Such as to reject marketing and tracking cookies and other mechanisms used for that purpose globally and to allow me to fine tune functional stuff on a per-site basis.



Of course that page just had to pop up a modal consent banner first...


Lol. The consent popup on this site is nearly identical to the "dark pattern" example in the Cloudflare Zaraz blog post. No reject all option. You have to click learn more to customize to deny cookies.


I use "I still don't care about cookies": https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies

Rejects/Hides/Accepts depending on the situation. Not ideal, but hides a lot of these messages.


You can also use the Annoyances filter in uBlock Origin to hide all cookie banners.


Looking now I already have 7/7 Annoyances lists enabled, what filter do you mean exactly?


I use Consent-O-Matic. You can configure how it should behave. By default it'll reject things. For the websites it doesn't support I often use reader mode.


Why didn't the cookie consent laws just say that "DNT: 1" counts as denying consent for all unnecessary cookies?


Cookie consent banners as we know them were constructed by the IAB as a framework made of dark patterns to annoy people into allowing adtech cookies. The idea was to be as annoying as they could get away with, so that end users would blame the GDPR. https://www.vice.com/en/article/m7epda/its-bad-design-on-pur...


I for one am hesitant to click on any new website because I expect yet another cookie consent banner.

So cookie consent increased the hurdles users face to explore the real web.

So the real winners are the dominant websites and apps.


Because DNT barely existed when ePrivacy was last amended, back in 2009.


The extension Consent-O-Matic does that (Firefox/Chrome/Safari): https://consentomatic.au.dk/


It's quite good! When it doesn't work, there's a 50% chance (or more) that the banner doesn't allow you to reject the cookies without payment, which somehow is actually legal.


This should've been a browser option since the beginning.


Brave blocks consent pop-ups automatically, basically a reject all for cookies.


We are betting more on Cloudflare as a company lately. Our static website was just moved to Cloudflare Pages and it is working really well (we have over 200 Pages and counting). We were trying to figure out how to handle the Cookie/Consent stuff and this comes along. Would love to try and see how it works out.

Btw, if you haven't tried, give Cloudflare pages a shot if you are looking for a no nonsense static website tool. Combine it with Cloudflare workers, you can add dynamic features as needed. I don't work for them but just a happy customer.


Try Cloudflare Pages, but be aware of quirks. For example, a deal breaker for me is not being able to set up multiple Pages projects from the same git repo.


The dealbreaker for me is the hard 25 MB file size limit. If they raised this to something more reasonable (like 100 MB for parity with Github Pages) I'd migrate in a heartbeat.


Yes. For us, this wasn't an issue since we want to keep 1 website with 1 git repo. The only thing we haven't figured out yet is minification of JS/HTML/CSS and whether Cloudflare does that automatically in production.


Is anybody here monetizing their web projects with Google Adsense?

If so, how do you manage consent?

I tried to build a simple modal that asks the user if they agree to ads+cookies, with a link to a privacy policy which explains that I use Adsense and a link to their privacy policy. And only loaded Adsense if the user agreed. But Google never accepted that. They never gave an explanation why.


Google (and the downstream ad publishers) requires the Transparency & Consent Framework (TCF) v2.0 and the corresponding information. That means specifically which purposes have been consented to (explicitly or implicitly via legitimate concern). It’s a bottomless hole you can look into, created by the ad industry to mostly keep doing things as before.


Not Adsense but analytics

I load up all the tracking guff bizdev and marketing want with Google Tag Manager. Tag Manager's code isn't output to the page at all until the user has opted in to 3rd party tracking cookies.

I'd do the same with ads (on an advertising toggle rather than tracking) if I were using them.



What's the difference between "Reject All" and "Confirm My Choices" (with nothing ticked)? Could be a subtle dark pattern...


Why is that a dark pattern? "Reject all" and "Confirm my choices" without checking anything does the same (I'm on the team behind this).

Edit: to be clear because this gets downvoted - when I'm saying "does the same", I mean both options will be treated as "I do not give consent".


I'm not sure it is a dark pattern, but at first glance (to me) it reads a bit like the "Allow all" and "Reject all" buttons just toggle the options, and then one needs to press "Confirm my choices", particularly on mobile with how they stack.

The confusion would probably be quickly resolved when the dialog closed after clicking Reject all, but perhaps changing the wording of "Confirm my choices" to something like "Allow checked" would make it more clear it is a sibling of the other two buttons (and that checked means allowed).


If there were some checkbox still checked (perhaps in some submenu that needs to be expanded), then "confirm my choices" might obviously have a different consequence. That might not apply here, but I am pretty sure I have seen that on other sites before. I am not a lawyer, but "confirm my choices" just sounds like it could be interpreted in a way benefitting the website owner's interests in some cases even if everything is unticked, whereas "Reject all" is a very clear statement of disagreement. Similarly, you wouldn't say "I agree to everything on this list after I have removed all items", but "I disagree with anything on that list you gave me". But that's a general pattern it seems.


No, this is confusing. Please iterate on this. Two buttons shouldn't do the same thing depending on state.

I get it: the intent is that there's always a quick, one-click way to broadly consent/not consent. But with how this is designed, after clicking Accept All or Reject All, I'm left wondering what Confirm My Choices did. (Maybe it persists my consent on subsequent visits? I dunno.)

Perhaps, "Confirm My Choices" (or better put, simply "Submit") stays, but change the "Accept All" and "Reject All" buttons to "Select All" and "Deselect All" buttons, respectively. These buttons should only serve to change the state of the checkboxes without submitting.


We actually started with having "Select All", "Deselect All" and "Submit", but users complained about the two clicks flow, and so we changed. UX is hard.

I tend to think that the one click flow serves users and respects their time more, even if it comes at the cost of having confusion about the difference between "Confirm my choices" and "Reject all". It's bad when consent managers confuse users between agreeing and disagreeing, but if we're making users confused between two good options, I personally think it's an okay price for a one click and you're done experience.


> I tend to think that the one click flow serves users and respects their time more, even if it comes at the cost of having confusion about the difference between "Confirm my choices" and "Reject all".

That's a fair tradeoff. "Reject all" should be one-click imho.


Many folks here asking about ads, AdSense, etc…

The issue with this and all consent mangers is always ads.

It is impossible to know all the potential ad vendors, ad tech, and what other devices ads will load in advance.

Google's consent framework, the IAB framework, etc. all fail to address this.


If anyone from CF is here, could you please add a standard “X to close” button (reject all) at the top right?


Or similarly I'd love a "Only necessary cookies" button on the dialog box. It always feels like a scammy dark pattern for "accept cookies" to be one obvious click when rejecting advertising cookies is buried in a menu.


Isn't that just the "reject all" button in the provided screenshots?

The dark pattern you describe is shown in the first screenshot as an example of what not to do: they say it "can at best be frustrating to users and at worst draw enforcement actions from regulators in a number of jurisdictions", which is a nice way to say it's annoying and illegal.


Ah my mistake - I just skimmed the article looking for examples of what their system looks like.


This consent manager does not interfere with necessary cookies. As under GDPR you don't need to ask for consent to necessary cookies, we left it out of the consent modal

(Disclaimer: I'm on the team behind this feature)


The problem with the "X" button is twofold:

1. It's usually hard to find and to touch on a mobile device

2. Many websites use the dark pattern where clicking "X" is actually a way to give consent (or so they claim, as such "consent" is not valid under the GDPR rules). Due to that, many users are habitually confused about what will happen to their data choices if they press "X".

(Disclaimer: I'm on the team behind this feature)


Even though I'm wary of the centralization of the internet under cloudflare, I can't deny their products are awesome

My rule of thumb is just never to use them as a proxy, CDN through R2, static pages etc are okay. Unfortunately Zaraz requires your website to be behind CF proxy.

> And if you've ever clicked something other than Approve you'll have noticed that the list of choices about which services should or should not be allowed to use cookies can be very, very long.

There should be a reject all button, right?


> Unfortunately Zaraz requires your website to be behind CF proxy.

Zaraz doesn't actually require your website to be behind CF proxy, see this: https://developers.cloudflare.com/zaraz/advanced/domains-not...

> There should be a reject all button, right?

I could be wrong about this, but I _think_ that the definition is that it should be as easy to reject as it is to agree.


This is great!


> Even though I'm wary of the centralization of the internet under cloudflare

What's Cloudflare's share? I would guess that Akamai delivers a lot more traffic, and they've been around for a whole lot longer and no one really cared.


20% of webservers according to W3C


How about just use cookies for strictly necessary purposes. Then you don't need to ask, and the Web will become better

It's only because sites are jam-packed with spyware that all these horrendous popups are everywhere.

If you need a complex consent manager, it's a signal that you're doing the wrong thing.

Ads are not strictly necessary, nor visitor tracking, btw.


Does it respect DNT headers? If no, it does not respect users.


We decided to not support DNT because it's deprecated (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...) and often used for more tracking. We're looking to support Global Privacy Control when it's more mature.


Anyone know if this can be used as replacement for OneTrust?


Depending on your use case and configuration complexity, it can be used instead of OneTrust.


Is there any jurisdiction where you actually need a visitor's permission to count pageview stats? Seems pretty far-fetched to me.


If you want to use some PII to avoid double-counting page views, you do.


You can (mostly) avoid double counting without PII. Track the page view and store in local state that you tracked for this day, and that's it. I opted not to mention the caveats, but that's what the "mostly" is there for.

Obviously you should not keep any other information with the page view events, so as not to be able to relate other events with the page view, but it's definitely doable.
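The dedup scheme sketched in the comment above, as an added example that is not code from the page or from any product discussed in the thread. It assumes a browser-side `storage` object with the `localStorage` interface (`getItem`/`setItem`/`removeItem`/`key`/`length`; an in-memory stand-in is included so it runs offline) and a server-side counter that only ever sees the path, the UTC day and a "first load today" flag, never a cookie or client id. The caveats the comment alludes to apply: the flag lives in one browser profile, is lost when storage is cleared, and two devices count as two visitors.

```javascript
'use strict';

// UTC day as YYYY-MM-DD. Everything is bucketed by day so the flag the
// client keeps never outlives a day's worth of usefulness.
function utcDay(now) {
  return now.toISOString().slice(0, 10);
}

// Key under which "already counted today" is remembered. It contains the
// path and the day only; no user identifier of any kind.
function dailyKey(path, now) {
  return `pv:${utcDay(now)}:${path}`;
}

// Build the event to send for this page load. `unique` is true the first
// time this browser loads `path` on this day, false on repeat loads.
// The event is the only thing that leaves the client.
function pageviewEvent(path, now, storage) {
  const key = dailyKey(path, now);
  const first = storage.getItem(key) === null;
  if (first) storage.setItem(key, '1');
  return { path, day: utcDay(now), unique: first };
}

// Drop flags from earlier days so the storage does not accumulate a
// history of which pages this browser visited on which dates.
function pruneOldKeys(now, storage) {
  const today = utcDay(now);
  const stale = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (key.startsWith('pv:') && key.slice(3, 13) !== today) stale.push(key);
  }
  stale.forEach((k) => storage.removeItem(k));
  return stale.length;
}

// Server side: aggregate per (day, path). Raw views and daily uniques are
// plain counters; nothing about an individual visitor is retained.
class DailyCounter {
  constructor() {
    this.buckets = new Map();
  }
  ingest(ev) {
    const k = `${ev.day} ${ev.path}`;
    const b = this.buckets.get(k) || { views: 0, uniques: 0 };
    b.views += 1;
    if (ev.unique) b.uniques += 1;
    this.buckets.set(k, b);
  }
  stats(day, path) {
    return this.buckets.get(`${day} ${path}`) || { views: 0, uniques: 0 };
  }
}

// Minimal localStorage-compatible stand-in (constructed for the example)
// so the client logic can be exercised outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    key: (i) => [...m.keys()][i] ?? null,
    get length() { return m.size; },
  };
}

// Usage in a browser would be:
//   navigator.sendBeacon('/pv', JSON.stringify(pageviewEvent(location.pathname, new Date(), localStorage)));
//   pruneOldKeys(new Date(), localStorage);
```
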


The ePrivacy directive dictates that you need to have consent for cookies that are not strictly necessary to serve the website and its basic functionality. If you were counting pageview stats without persisting any data on the client and without using any identifiers for users, I'd say you don't have to ask for consent, even under GDPR.


I think you forgot a “don’t” in your first sentence.

Agree btw, all these “basic functionality” cookie consent toggles are FUD by marketers who want to confuse you into giving up.


Namely it defaults to supporting noscript/basic (x)html browsers?


Not supporting GPC (the DNT successor) directly contradicts the "respecting users" marketing fluff. I suspect the main reason why there is a "reject all" button is that Cloudflare folks rightly figured out that they are too big to get away with not providing one. Otherwise noyb.eu will say hello. OneTrust etc. are doing the same, there's nothing more user respecting about this solution.

If Cloudflare is serious about privacy here, they should at least respect GPC and not provide customers with an option to disable it.


> I suspect the main reason why there is a "reject all" button is that Cloudflare folks rightly figured out that they are too big to get away with not providing one. Otherwise noyb.eu will say hello.

(Disclaimer: I helped deliver this feature)

We have never even for a minute considered not providing the "reject all" button. It was a user-respecting project from its conception. We actually consider being user-friendly a competitive advantage rather than something that we'd do out of fear of Noyb.

For some context, I'm a co-founder of https://www.internet-czas-dzialac.pl/, which can be described as a "Polish noyb" ;)


We are definitely planning to support GPC. I'm not sure how not supporting contradicts respecting users, considering that neither Chrome, Firefox nor Safari supports it (without enabling experimental flags).

We really want to see GPC succeed, but we haven't prioritized supporting it because it doesn't seem like it's going to benefit many users, yet.


That's nice, but Cloudflare seems to be missing the point.

No consumer is going to say "oh, now that you've provided me such a streamlined tracking consent experience, I'll give you consent to track me across sites to show me personalized ads". They'll just click the "reject all" option you're legally compelled to give them.

Also, the example includes a consent option for anonymized pageview count data, which under GDPR you don't need consent for.

An approach that would really respect users would be to store traffic analytics anonymously (in a way that resists trivial de-anonymization, so with binning and stuff), and throw away the rest. There, no consent popup needed.


There's still enough people who do not understand the consequences and just click "accept all", because they fear their computer will catch on fire and murder their pets otherwise.

Coincidentally, those people are also the most susceptible to advertisement-driven brain washing and least likely to understand what adblockers are.


I’ve seen hardcore developers telling others on calls to always click ‘accept all’ just because of the potential friction of another click when rejecting. I don’t think they even had an adblocker in their Chrome.


Hardcore developers != knowledge about the internet/how the front end works. I don't think it's even a point worth mentioning at all. I picked up programming 6 years before I got access to the internet, in 2015. Computing has developed so much these days, it's like expecting a neurologist to be your oncologist. They may know basically how stuff works, but not everything related to a computer.


Sure. It’s just that if developers (just adding these were web devs) don’t know or care then for the common folks this might be completely hopeless.


Or use an extension that does "accept all" for them, like I don’t care about cookies.


You need a consent popup to embed YouTube or Twitter or any ad platform. And if you have the popup, you might as well throw in Google Analytics etc as well, right?

If sites use this because it's easy to set up, then Cloudflare has done something good for the internet. Compared to the alternative, which is where they choose a product that loads up dark patterns to get users to accept cookies.


> And if you have the popup, you might as well throw in Google Analytics etc as well, right?

Google Analytics is problematic[1], consent or no consent, unless you send anonymized analytics events through your own proxy server.

[1]

Austria: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

France: https://www.cnil.fr/en/google-analytics-and-data-transfers-h...

Denmark: https://www.datatilsynet.dk/english/google-analytics/use-of-...

Finland: https://tietosuoja.fi/-/apulaistietosuojavaltuutettu-antoi-h...

Norway: https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/va...


> You need a consent popup to embed YouTube or Twitter

Not really, since embedding YouTube and Twitter should work even if the consent for tracking is refused (under GDPR consent inherently is opt-in, not opt-out; and consent is valid only if it is freely given, i.e. if you don't refuse service to those who refuse consent), and for that you don't necessarily need a popup, because you're free to assume that noone opts in to anything where a choice is provided - if you just treat everyone as if they clicked 'I refuse any optional consent', you don't need to ask that question.


I've seen DPOs requesting sites to not load YouTube without consent because of the cookies


> Not really, since embedding YouTube and Twitter should work even if the consent for tracking is refused

Should it? I mean, GDPR-wise you're sending a subrequest by embedding e.g. an iframe, which involves user data that might be used for tracking by YT/TT etc.

Wouldn't it be better, to err on the safe side, to just replace e.g. the embedded player with a placeholder (maybe featuring a link to YouTube) unless the user has given consent to the embedded player?
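A consent gate that covers the mechanics raised across several comments above: injecting Tag Manager only after the user opts in to the matching purpose, rendering a placeholder link instead of a YouTube iframe until embeds are allowed, and treating a Global Privacy Control signal as "reject all" without showing a banner. This is an added example, not code from Zaraz or from the page. The purpose names, the placeholder container id `GTM-EXAMPLE`, the `example.invalid` ad script and the `signals` object (meant to be filled from `navigator.globalPrivacyControl` and, if a site chooses to honour it, `navigator.doNotTrack`) are assumptions of the example; the `youtube-nocookie.com` embed host is Google's own, but using it is this example's choice.

```javascript
'use strict';

// Optional purposes a site classifies its tools into. Strictly necessary
// cookies are deliberately not on this list: they never pass through consent.
const PURPOSES = ['analytics', 'marketing', 'embeds'];

// Opt-in consent state. Nothing is granted until the user says so, and a
// loader registered for a purpose runs only once that purpose is granted.
class ConsentState {
  constructor() {
    this.decided = false;
    this.granted = new Set();
    this.pending = new Map(); // purpose -> loaders waiting for a grant
  }

  // Record a decision. Anything not in the list is refused, so "Reject all"
  // and "Confirm my choices" with nothing ticked produce the same state.
  decide(grantedPurposes) {
    this.decided = true;
    this.granted = new Set(grantedPurposes.filter((p) => PURPOSES.includes(p)));
    for (const purpose of this.granted) {
      for (const loader of this.pending.get(purpose) || []) loader();
      this.pending.delete(purpose);
    }
  }

  rejectAll() { this.decide([]); }
  acceptAll() { this.decide(PURPOSES); }
  has(purpose) { return this.decided && this.granted.has(purpose); }

  // Run `loader` now if the purpose is already granted, otherwise defer it.
  // On refusal it is simply never run.
  when(purpose, loader) {
    if (this.has(purpose)) { loader(); return; }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(loader);
  }
}

// Browser signals. GPC arrives as the `Sec-GPC: 1` request header and as
// navigator.globalPrivacyControl === true; this example treats it, and a
// legacy DNT flag if the site opts to honour one, as a refusal of every
// optional purpose, which means the banner can be skipped entirely.
function applyBrowserSignals(consent, signals) {
  if (signals.gpc === true || signals.dnt === true) {
    consent.rejectAll();
    return true; // decision made, no banner needed
  }
  return false; // no signal: show the banner, load nothing optional yet
}

// Browser-only script injection, kept separate so it can be stubbed.
function browserInjectScript(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Until `embeds` is granted, render a plain link so no sub-request reaches
// the video host. Once granted, the iframe is sandboxed and uses the
// no-cookie embed host.
function renderYouTube(consent, videoId) {
  const id = encodeURIComponent(videoId);
  if (consent.has('embeds')) {
    return `<iframe src="https://www.youtube-nocookie.com/embed/${id}" ` +
           `sandbox="allow-scripts allow-same-origin allow-presentation"></iframe>`;
  }
  return `<a href="https://www.youtube.com/watch?v=${id}" rel="noreferrer">` +
         `Watch on YouTube (the player loads after you allow embeds)</a>`;
}

// Wire a page: register each third-party tag under its purpose, then apply
// browser signals. `loaded` records what was actually injected.
function setupPage(signals, injectScript = browserInjectScript) {
  const consent = new ConsentState();
  const loaded = [];
  const gate = (purpose, src) =>
    consent.when(purpose, () => { loaded.push(src); injectScript(src); });

  gate('analytics', 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE'); // placeholder id
  gate('marketing', 'https://example.invalid/ads.js');                         // placeholder URL

  const bannerNeeded = !applyBrowserSignals(consent, signals);
  return { consent, loaded, bannerNeeded };
}
```

The important property is that refusal is the default state rather than an event: a tag registered with `when()` for a refused purpose is never injected, and a later "Reject all" does not need to unload anything because nothing was loaded. Revoking consent after a grant is not shown; a script that has already run cannot be un-run, so a real implementation would reload the page on revocation.
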


Does CloudFlare's Zaraz actually work on embedded YouTube and Twitter content? Not tried it, but just having a look in my CloudFlare dashboard at it, and not sure how this would be implemented.


Not yet, but it's something we're launching very soon. See this: https://github.com/managed-components/twitter/pull/2


That's a beaut! Looking forward to switching over to Zaraz. Keep up the excellent work.


Cloudflare Zaraz does much of that actually. First, you can set some tools to not require consent - it's not like "Reject all" === "No javascript". It's up to the website owner to classify the different scripts and tools to the appropriate consent purposes.

Second, Cloudflare Zaraz actually offers many options for anonymizing your data, such as masking IP addresses, hiding referrer URLs, user-agent strings and more. See this: https://blog.cloudflare.com/zaraz-privacy-features-in-respon...


This looks useful, but the problem related to CNIL etc is that CF is a US company so then it can be compelled to deanonymize the data. Wouldn’t this just kick the can down the road? IANAL but interested in this space.


IANAL myself and I'm not sure either how it works, but technically Zaraz doesn't save your data at all, and you can set your website to only be handled by EU servers. We wrote about it here: https://blog.cloudflare.com/keep-analytics-tracking-data-in-...

Again, don't take this as legal advice or anything like that; this is just to say we're doing everything we can to help users comply.


I showed my (young, tech literate) friends once that you can just click “reject” and their minds were blown!

You overestimate how much a regular internet user cares about cookies and has the knowledge to even know what they are.


Has anybody switched from Complianz on WordPress to this? Any thoughts?


you're still proxying through servers/systems controlled by a US corporation

and the US is not considered to have adequate data protection laws under the GDPR



