Posted by bnc319 1 day ago
Take their right click menu for items to select whether you want an in-app tab or real browser tab. Congrats, you've broken UX by making the native browser right-click menu unavailable on link items, and because you've only implemented this on some things most of your content is not deep linkable as navigation is a cursed in-app feature.
This is as usual a fun tech demo, but it should not be used for anything in the real world.
I found the navigation to be scattered and disorienting. In general clicking links opens new windows. In one case it navigated away from the current "page" and what I believe to be the back button (looks more like undo) didn't do anything. Why am I guessing what constitutes a page and how or if I can go back? Everyone has known how these things work in browsers for decades.
I find to be significantly less scattered and disorienting than the vast majority of "modern" websites.
Adding a new kind of window or tab has the potential of organizing some little bit of this universe at the expense of there being more things to look at globally, I badly want to be able to hit a button and see not just the windows I have open but all the tabs and that counts browser tabs but also IDE tabs and ideally these sort of sub windows inside of browser UIs.
Reminds me of the startup I worked at where somebody got up at each standup meeting and said “we can’t find anything in the N different places (Slack, Box, Dropbox, Google Drive, Google Docs, …) places stuff could be so we need to add N+1 places.” For a while I pushed back against this obvious fallacy but nobody else did and management would approve another monthly subscription…. Until at some point the investors pushed back in the disorganization and added the distraction of OKRs and people thought “maybe we need a subscription to some service that reminds us to cancel subscriptions we don’t use”. One ring that would rule them all never seriously considered, I guess people didn’t actually expect “enterprise search” to actually work.
Strong disagree. Mature conventions have been established for decades, and while there are always edge cases and new incremental features that need to be worked into desktop UIs, the core desktop UI paradigm has been stable since at least the mid-'90s, and modern deviations away from it have almost invariably reduced usability and discoverability.
The modern trend of trying to shoehorn web or mobile UI design tropes into desktop applications has resulted in little but regression.
Comparing the various nag windows on MacOS and Windows, as much as they are annoying, the MacOS nags look like a 1999 rework of the modals from the 1984 original Mac whereas the web-based ones in Windows are easier on the eyes. I have looked long and hard at x-platform UI frameworks and they are generally pretty awful and with all the affordances the web platform has Electron looks good in comparison both in terms of UX and DX.
My beef is with the tabs-inside-of-windows, windows-inside-of-windows and the frequent need to have a large number of ‘items’ open and wanting some synoptic view of all the items open in all the applications on all of the virtual desktops a modern machine can have. I try pretty hard to keep it organized but if I am listening to music in YouTube it should be trivial to find the browser tab involved to close it and it’s not.
I’m reminded of the multiple document interface
https://en.wikipedia.org/wiki/Multiple-document_interface
Which was big in the Windows 95 era, particularly with Office that now seems largely forgotten. When Netscape 4 hit the streets Netscape changed their home page to use <layers> which were like absolute positioned <div>(s) to get an MDI effect like the page that started this discussion. Trouble was it didn’t work and they had to revert it quickly. I told my professor that I thought I wouldn’t understand how web pages worked in six months it was changing so fast but JavaScript supremacy took at least another 12 years even if Microsoft rolled out AJAX circa 1999 it took forever in internet time for people to get the significance.
If you use Chrome, there should be a music note icon in the top right, just to the left of your avatar, that shows when media is playing. You can control the media from there or click it to find the tab.
I don't think Vivaldi (what I use) has that exact feature, but the favicon switches to an animated speaker so its much easier to spot.
But I like to create shortcut-apps out of any apps (like YT Music) I use frequently, so they get their own OS-level window. It has other benefits too.
If you are a no name startup, doing something like this will be a bad idea. My 2 cents.
1) url history piles up pretty quickly, going back was irritating, closing a "OS" window should unstack that from browser history
2) more than one way to get to things (ie desktop icon + menu) so I visited certain pages ("About") more than once and felt trapped in a maze of deja-vus.
3) no way to scroll down and get the full glimpse, had to proactively click on words + icon, or menu items, to spot if inside there would be something relevant. Then, once the window opens: tabs, lots of tabs...
4) since the information is not really hierarchical, I can't delve into say Pricing. Got click on all the menu items... "Didn't I visit that before?" - and history kept piling up, so where was I before?
5) In Pricing, I read "Free tier - no support" - of course! - then $0.0001 for pay-for-use for the feature flag (every time the user switches the feature on/off? I don't get it, I'm sorry) ... then another free x pay-as-you-go box. Scroll down, then a huge calculator... . How much does it cost for my second app?
6) Cramped: lots of information in a reduced window - hit maximize every time, lots of borders.
7) Product features are really impressive, but the demo video gave the impression that it's really a busy app, overwhelming at times, with lot's of filtering options that look necessary to get the info out of the tool (great for power users, though!). But then the website is also busy and complex. If we add both up, app and website = high cognitive overload! I think I'll go shopping around first then come back later.
A disaster.
I hope they eat their own dog food. I'm pretty sure they will get lots of bad signals from their website.
Oop, there is none.
I will never laud an application that breaks the most basic of keyboard functions. You can design a clever and flashy application with pointer-only UI, but you can't design a good one.
If I were to bet, while this is fun, it will be a disaster for conversions once the launch hype goes away.
The article is specifically saying that they know that it looks like an OS - they think that this is an improvement and it lists the reasons why. You are just calling it old and horrid without addressing any of the points made.
Like this:
Frankly for a site like this efficient use of space and multi tasking isn’t as important for a front page. A front page needs to be optimized to be in your face to understand what posthog is in as little time as possible then give you optional pathways to dig in for more detail. A website that’s like an OS is too busy, it’s optimized for productivity and I still have no idea what posthog does exactly.
I have no doubt there is a subset of features here that could be implemented as a single page app.
Is this a joke? Posthog sells an app, sure, but their product site shouldn't be an "app" it all. It's an SEO funnel. No one should spend any amount of time on there except to figure out what the heck Posthog is and how much it costs.
A person can directly enter in the url that’s one endpoint. Another person can do a Google search and fine the blog that’s another end point.
All of those flows funnel the person in a singular direction with a single purpose: a purchase. Like what else do you want the customer to do? Go off on a tangent?
You can have multiple flows that loop back to a purchase but it’s much less predictable that way. Better to have a singular proven flow all the way to a purchase and that flow has to provide clarity on what the product is.
I come to the posthog website and I’m confused. This is a toy. It’s cool I can meander around and in time discover what the site does. I mean it’s ok.
A better site is one where I just look at the site I know what it’s for and I know the product. As I scroll down I see other tidbits or widgets that are like testimonials or proven examples and other things that convince me to buy. Finally I hit the pricing page.
That’s a better way to sell. Post hog is a cool site but not an efficient one. Not an efficient site for selling a product.
But I can personally speak to at least one aspect, having worked for a company that does high end web sites and strategy for large SaaS products, and also being the target audience for such websites (director or VP Eng): the speed and ease with which I can find what I want (as a potential customer) using that top navigation menu is superior to anything I've seen done so far.
I could see immediately they have 34 products under 7 categories; 5 are popular, 4 are new. If I want to try out one: Docs > Product OS > Integration > Install and configure > Install PostHog.
And if I wanted to learn a bit about their engineering: Company > Handbook > Engineering > Internal Processes > Bug prioritization.
Pricing: Pricing calculator > select product > set usage, select addons.
Each of these interactions took only seconds. And I could switch between the product overview page I opened earlier and the pricing page I just opened, without waiting for any entire website to reload (or having to right click, open in new tab, and then scroll).
As I said, there is something here beyond just aesthetics. And one of the conclusions may be that our current UI/UX philosophy has inadvertantly become user-hostile.
at the time, we were trying to figure out how to add more products in without it becoming messy, and we concluded we're trying to do a lot more than just what would work well for a 1 product company (we have very extensive content for example) - we feel quite multidimensional. thus a flatter design was proving hard to do. we wanted something that could enable us to offer a very wide variety of things (like 10+ products, handbook, job board, newsletter etc)
a lot of existing websites are trying to convey what they do in <3 seconds, and all of the internet is going for that. our company doesn't fit into 3 seconds, or if it does it's annoyingly vague "a whole bunch of devtools"...! so we thought hey we'll do something that means people _will_ explore and learn what we do better. it will mean _some_ people bounce and that's ok, because those that stick will (sometimes!) love it.
as a project, it looked fun and we knew it'd stand out a lot as a way to justify it. it's much nicer and more cost effective for us to ship something 10/10 cool than go down the outbound-y sales route. we run at a 3 month cac payback period if you're into startup stats. the proviso is that only works if you go _really_ deep, so that your work actually stands out.
I’m not a super fan of this, and I kind of hated windows 3.x, so I might not be the target market. But I also hate many of the trends in modern website design, so maybe I’m just an old crank.
There could be a subset of this that is accessible, compatible, and doesn’t reinvent a browser in a browser. I might end up liking that better than the status quo - so I appreciate the experimental spirit!
Meh, currently doing just that. Trying to figure out what posthog is about, try to store some keywords in my brain if I ever need to return this product in future where it fits and just try to enjoy the site :) And I'm one of the folks that try to determine in seconds/minute whether this is worth digging in or not and whether I understand the offering.
Currently I enjoy the site alot. Not sure if that is the OS thing about it or just the way that information is presented and layout.
The menu bar is one of the most effective and proved UI pattern. Unfortunately, on Linux we have an entire desktop environment that ditched the menu bar for hamburger menus, which are one of the most ineffective UI pattern.
If anybody could do it, I expects its Posthog.
The friction occurs when people building a website for web documents think they should be building a web app, so you end up with a scaffolding that requires heavy JS just to serve what essentially is just text + maybe one or two images. The additional JS doesn't really save the user any time or pain, it just makes everything larger and harder to consume.
Honestly, you don't judge a back-end by how much code it's built with or what platform it's hosted on. I don't get the obsession people have with JavaScript used on websites. Websites with terrible UX often abuse JavaScript yes, but correlation != causation.
They can go in the inspector and see “oh wow so many MBs of JS”, but they can’t see the backend.
There is a good point to that: this data that is downloaded is an end user resource. Over a mobile network etc it’ll matter. But the days where it mattered at home/office are long, long gone, at least for the audience of the websites that adopt this strategy.
The obsession I believe is a remnant of these old days. There was a transitionary period still a decade ago (when hn was already not that young) where users would spend time loading a website, then complain about the amount of js on the page and how that is unnecessary. The connections got upgraded but nothing strikes down a habit…
I have no issues at all with this website. It's awesome. I mean it's a bit slow but that's probably because it's on the front page on HN right now - yet it still works pretty well. The design is delightful. Incredibly well done. One of the coolest websites I've seen. Who cares how much JS it takes, it's obviously worth it.
Using an OS requires familiarity and cognitive effort. Tapping oversized buttons… less so.
There’s been a long trend (definitely as far back as the first iPhone release, maybe further) of every product release adding more white space, bigger elements, and overall reducing information density.
If your target is consumer web, the “don’t make me think” approach is probably still correct. But anyone who’s ever looked at a Bloomberg terminal knows there are still times when you designing for the lowest common denominator is the wrong play.
A company with a large suite of technical-ish products might be a place to experiment with alternative paradigms. That said, I poked at the site for a few minutes, then had to ask an LLM what PostHog actually does.
The web catches up to the past again. :-) Despite all the modern attempts at simplified "delightful" interfaces, a well-structured menu bar is hard to beat.
Very little here that isn't explained by age-old HCI concepts on design.
>And one of the conclusions may be that our current UI/UX philosophy has inadvertantly become user-hostile
Nope. You see the "X" stands for experience. And nothing ever betrays it's own name. You're just a computer nerd that nerds too hard to get it. You've probably even used a terminal without bellyaching for the next few days. What could you know about what normies want? *cough*
The top level comment is confusing marketing success with UI/UX success: it tickles their brain because they're the target audience. To everyone else this is weird and overwhelming if you're looking for something and suddenly run into it.
Might still be fun/whimsical if you're not looking for something and just stumble upon it, or get shown that
It's almost like, "marketing", itself, as a concept, is user hostile. Most sites' purpose isn't to be efficient, or informative. It's to give the impression that they are "making a statement" (we matter because XYZ), while looking dependable and professional enough to compel calling sales for more.
Commercial transparency goes against that goal (why would I call if I have all the price details I need?). Technical transparency goes against that goal (why would I call if I can tell precisely how this compares to market leaders and competitors?).
So, in many (mostly despicable) aspects, this site is terrible. Unfortunately.
(Mind you on mobile I very much don't have a perfectly good window manager, and indeed can't even open multiple instances of most apps…)
Otherwise two or three such apps running at the same time becomes a game of “where’s my window”. I hate the idea of a toolbar being its own window to be managed.
That is the issue, apps have to deal with the lowest common denominator in term of desktop management but there is absolutely no good reason to build a window manager inside a website.I think that with tabs people have generally forgotten they can open multiple browser windows.
However, I believe there is a better way to approach this: put each significant piece of functionality into a separate window or even executable, and use regular moveable toolbars and well-known hotkeys inside each window. One window for code editor (with working Ctrl+Tab and Window -> Tile Horizontally menu), another for configuration, yet another for terminal and output window (with a Pin on top button). When I write code I don't normally need configuration tool, but if I need it even so often it gets opened alongside the editor and is now one Alt+Tab away, not taking any screen space at all.
I used an engineering tool suite written with this approach and it was much better experience than the single-window monstrosity that came as a replacement, stuffing entirety of functionality into a single app and breaking (not implementing) a lot of small conveniences like aforementioned Ctrl+Tab.
It also feels very foreign on macOS - Photoshop suddenly gained the MDI-type UI in like CS4 or something, after having let windows and palettes roam free on macs since Photoshop’s inception. I always turn it off, feels claustrophobic somehow.
Because some applications do need multiple windows in the same application context. A common example would be image editors.
It is unfortunate that almost all generic MDI implementations (Win32 and Qt basically) are incredibly barebones. I want to have multiple windows visible when i'm using Krita, for example, but Qt's MDI support (that Krita does use) is worse than what Windows 95 had.
But my response was about calling MDI an anti-pattern in general. Just because it doesn't fit all cases, it doesn't mean it is an anti-pattern.
I stand by the anti-pattern comment. I think there are very, very few cases where ‘MDI’ is appropriate, and I put it in quotes because the things being managed in that case are almost never ‘documents’ in any meaningful sense (rather they're some kind of graph node). Functionality apps build with MDI is basically always independent of the actual app and would be better implemented in the window manager — and more often than not there's actually no additional functionality over even the lowest common denominator of window managers.
In theory you can have multiple toplevel windows with separate windows for the control stuff (tool window, tool options, panels, etc like GIMP has) but in that case you really need a virtual desktop dedicated to the application itself. Personally i prefer to dedicate virtual desktops to tasks (i have a fixed number of virtual desktops and their shortcut keys have become muscle memory over the years), so e.g. anything graphical goes into the same virtual desktop, but -say- GIMP in multiwindow mode feels awkward to use alongside Blender. Krita having an MDI mode is much better IMO, even if Qt's MDI support is primitive at best.
The only applications that really need MDI are those that do something with their windows other than window management, which (loosely) implies that those things are something other than windows.
So if you create a webpage that is so damn advanced that it beats the browsers OR it somehow reuses heavy resources within one webpage, I'd say this is a good justification. And IMO the OP link isn't an example of that.
They do what?!
EDIT: Sounds like they only use it for the "Recommended" section, though? https://news.ycombinator.com/item?id=44124688
So if I were to split the 5 tabs I usually need for work in 3 windows I would routinely lose a bunch of them.
(That said I know tmux is sometimes the only option and then it makes sense to me)
On our datacentre servers, I also have tmux running. It is fast to connect to these hosts, attach tmux and continue from where I left off.
Another use case: it is common for corporates to require devs to use windows desktops, but to then give them a headless linux host in a datacentre for development work. Here, you use putty to connect to the linux host, fullscreen it, run tmux. On your desktop you have outlook and office and putty and a browser and no dev tools. You can do all your planning and dev work on the linux host, using your favourite ten thousand hours text editor and building your own tools, and this becomes your hub. You lose awareness that you are connected to this from a locked down windows host. Corporate security reboots your windows host for patching several nights in a row, and it does not cause you any hassle because your work context is in the tmux session on another host.
> i have yet to find a window manager that lets me group so many terminals into sessions all on the same workspace.
Locally-speaking, I don't really see the point of mixing tmux sessions and tmux windows. I wonder if you mean "sessions" -> tmux windows and "windows" -> tmux panes.
What about i3/sway? You can have a tabbed container (functions like tmux windows) with split containers inside (functions like tmux panes). You can even float the tabbed container with all windows organized inside.
sessions let you group windows. i have a group/session for each project/purpose. one session is for all remote connections. one for my personal stuff, diary, etc. one for my hobby. one for personal dev projects, one for client work.
sessions also means that i can connect to tmux from multiple terminal windows. i generally have two windows, one for dev work and one for everything else.
generally i feel that having more than half a dozen windows in a session makes the session unwieldy, harder to navigate, because it becomes more difficult to find the window i am looking for.
which would be the same problem if each was a gui window. try to find your way around 20 gui windows.
Why would you have all those open at the same time, though? Isn't that incredibly distracting? (Disclaimer: I have no experience with tmux to speak of, beyond briefly trying it once or twice.)
these things are open because otherwise i would have to open them and close them every time i want to use them. by keeping them open i can switch back and forth faster. but, while i am not using them they are invisible. and i don't notice that they are there.
seriously, a window manager that can group windows and manage those groups would be awesome. workspaces help, but they are often just there, and can't be managed, reordered, named, etc..
actually, i think kde may have some of that functionality.
i still prefer tmux in any case because it is more scriptable, and it provides a detach function. although i recently started exploring wezterm, which can be configured to work like tmux and also has a way to detach and reattach sessions: https://news.ycombinator.com/item?id=44762241
I'd just run a vim session. If I needed terminals, they were in my vim! Even wrote a short shell-script to automate creating or re-attaching to a project specific vim session. https://github.com/jauntywunderkind/dtachment
Haven't looked into it, but I'm love a deeper nvim + atuin (shell history) integration.
You answered your own question, because a lot of applications work across multiple platforms, and if you want to have control over the experience because you don't know what capacities the OS's window manager has you need to abstract it away.
But I take your point, if you want to target the lowest common denominator of window managers it makes some sense to do your own window management. Mind you you could just ship both a browser and a window manager…
I wonder to what extent the pattern of applications doing their own window management masks (and therefore perpetuates) the problem of inadequate window managers.
- I'm getting about 5 FPS scrolling on a M4 Pro
- Moving a "window" around takes 29% of my CPU, and renders at about 2 fps
- I'm losing about 40% of my screen height for reading (14" laptop screen). So much so none of the article is visible above the fold, just the title and by-line.
- My browser's CMD-F finds things on layers hidden under the current window
- Changing window size via corner drag is also selecting text on other windows, no prevent default.
- Xzibit says: Tabs are bad, so we put some tabs in your tabs?
Same slow spreadsheet load as sibling, but that seems like a backend issue.
It appears as though all spreadsheets are grouped together in the same window under tabs. Perhaps its fetching the data for all of them. I noticed they all took a long time to load and then after one loaded, the others had loaded.
I imagine that could be sorted out to load per tab. Im more concerned about the idea of grouping all spreadsheets together. As opposed to a normal website which could embed a datatable in whatever page layout you want.
In general it bothers me to encapsulate what are essentially just page layouts as apps.
It opened a change log. It took about 5 seconds to get to 94%. Then about 20 seconds to load.
There are about 40 items.
To note, in the past, this was a big no-no because SEO was important. You had to have good SEO for search engines to index your content efficiently and show up well ranked in search results...
Now, well, that ship has sailed and sank somewhere off the west coast...
- some posthog dev waking up this morning after yesterday's release
I had the same issue then tried edge and it was smooth.
It runs like a dream when playing with the first window. When opening a second window and dragging it around it stutters for a second then resumes back to full speed and every window after is full speed. (I'm assuming that's the browser going: "Oh wait, they really are using those functions every frame, let me spend a moment to optimize them so they're as fast as possible for future executions)
But nobody will actually use it the way they describe in this article. Nobody is going to use the site enough to learn and remember to use your site-specific window management when they need it.
Super impressive. Fun. Does a great job selling the company ethos.
But not actually that usable. I don't think this matters too much, though.
It just needed to create a little box you can drag around when you click on nothing, like OS desktops have.
So here's the snippet to do that, toss this in the console and live the dream:
(() => { let startX, startY, box, dragging = false;
const style = document.createElement('style');
style.textContent = `
.___selection-box {
position: absolute;
pointer-events: none;
border: 1px dashed #2b76d6;
background: rgba(43,118,214,0.12);
z-index: 999999;
}
`;
document.head.appendChild(style);
function onDown(e) {
if (e.button !== 0) return; // left click only
startX = e.pageX;
startY = e.pageY;
dragging = true;
box = document.createElement('div');
box.className = '___selection-box';
box.style.left = startX + 'px';
box.style.top = startY + 'px';
document.body.appendChild(box);
e.preventDefault();
}
function onMove(e) {
if (!dragging) return;
const x = e.pageX, y = e.pageY;
const left = Math.min(x, startX);
const top = Math.min(y, startY);
const width = Math.abs(x - startX);
const height = Math.abs(y - startY);
Object.assign(box.style, {
left: left + 'px',
top: top + 'px',
width: width + 'px',
height: height + 'px'
});
}
function onUp(e) {
if (!dragging) return;
dragging = false;
console.log('Selection rect:', box.getBoundingClientRect());
box.remove();
box = null;
}
window.addEventListener('mousedown', onDown);
window.addEventListener('mousemove', onMove);
window.addEventListener('mouseup', onUp);
console.log(" Selection enabled. Drag with left mouse button. Check console for rect.");> PostHog.com doesn't use third-party cookies, only a single in-house cookie
You're legally required to let me opt out of that cookie. Unless it's essential to the site functionality, in which case you don't need the banner at all.
Even worse: because it makes it seem like the EU law is just meritless pestering of people, they are actually fighting for the right for worse sites to spy on their visitors.
It's baffling.
It is that. It has done literally nothing to improve anything whatsoever, in any country. And most of the "cookie management" scripts that people use, barely even work. Both the law and the way it's complied with in practice are a dumb solution to a problem that the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies, and it would be trivial for the user to be shown a dialog when they navigate to a previously-visited site in a new session saying:
Last time you were here, the site stored information that may help them recognize you or remember your previous actions here.
< I want to be recognized > / < Forget Everything >
[ ] Also keep these third-party cookies <Details...>
[x] Remember my choice and don't ask again for ycombinator.comThe industry could have come up with a standard, a browser add-on, respect a browser setting, etc but they chose the most annoying one to pester you, the user.
In fact the law pretty explicitly disallows dark patterns like that. Of course tech companies have a loosy-goosy relationship with the law at the best of times.
I'm glad I'm not in EU legal, it's gotta be like dealing with internet trolls ("I didn't ACTUALLY break any rules because your rules don't say I can't use the word "fhtagn"")
Start fining sites with dark pattern banners and they'll start going away.
If they had done that, nobody would be making cookie banners wrong.
Yes. For "cookie banners" the law in fact forbids hiding "Reject all non-essential and continue" to be given less visual weight than "Accept all and continue", let alone hiding it behind "More details" or other additional steps.
It also requires consent to be informed (i.e. you need to know what you're agreeing to) and specific (i.e. you can't give blanket consent, the actual categories of data and purposes of collection need to be spelled out) and easily revokable (which is almost never the case - most sites provide no direct access to review your options later once you've "opted in").
One good example I can think of for a "cookie banner" that gets this right is the WordPress plugin from DevOwl: https://devowl.io/wordpress-real-cookie-banner/ (this is not an ad, but this is the one I've been recommending to people after having tried several of them) because it actually adds links to the footer that let you review and change your consent afterwards.
EDIT: Sorry, I first misread "disallows" as "allows". I've amended my reply accordingly.
Kind of. The intent is good and the wording disallows some of the dark patterns. The challenge is that it stands square in the path of the adtech surveillance behemoths. That we ended up with the cesspit of cookie banners is a result of (almost) immovable object meeting (almost) irresistable force. There was simply no way that Google, Facebook et al were ever going to comply with the intent of the law: it's their business not to.
The only way we might have got a better outcome was for the EU to quickly respond and say "nope, cookie banners aren't compliant with the law". That would have been incredibly difficult to do in practice. You can bet your Bay Area mortgage that Big Tech will have had legions of smart lawyers pouring over how to comply with the letter whilst completely ignoring the intent.
Also, data collection is fully a choice. You can always choose not to. I've built websites with logins and everything and guess what - no cookie banners necessary. Just don't collect data you don't need.
And this is a good thing, no? I certainly think so.
> It's a wonder we don't have to force everyone through an interstitial consent page.
If the information being tracked is truly essential to the site/app (session management and authorisation data for instance) then no consent is needed, for anything else ask before you store it, and most certainly ask before you share it with your “partners” or anyone else.
> Private-sector or third-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must avoid doing anything they would not expect, ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.
Session tracking, storing account information, addresses, etc all seem obvious in any e-commerce system but you still have every opportunity to notify and consent that data collection.
I think you and I both think that data protection is a good thing, I'm just a little more wary of leaning on legitimate usage* as a way to skip formal consent.
Many websites are free because they survive from ads. Ads make more money if you collect data. The EU law essentially cut the revenue of all these websites. Their choice is to not collect data (meaning less revenue) or show a popup (meaning more bounce rate, which means less revenue).
People who think this is a good thing are being short-sighted. That's because this law mainly affects websites that host information that visitors visit from clicking on links on the web. If a website is like Facebook or Youtube, where users must sign up first or probably already have an account, they will be able to collect data for ads with or without banners since they have their own ToS for creating an account, and they can infer a lot from how the user uses their services.
I'm not saying privacy regulation is a bad thing. It made countless businesses reconsider how they handle people's data. But it's clear to me that there are two problems.
First, this regulation hurts all the small websites that need to exist in order for we have to have a healthy "web." A lot of these are making only barely their hosting costs in ads, so there is no way they can afford the counsel to figure out how to comply with laws from another continent. If we had another way to support these websites, this wouldn't be a problem, but ads are really the lifeblood of half of the internet, and almost nobody wants to donate or pay a subscription.
Second, this regulation doesn't even really protect people's private data in the end, which may give users a false sense of security because they have the GDPR on their side. I forgot the name, but there was a recent gossiping app that required the user to upload a photo in order to sign up, which should be deleted afterwards, but they never deleted it and when the app was hacked the attacker had access to photos of all users. It's the same thing with GDPR. We can tell when a website is clearly not complying with the GDPR, but there is no way to tell if they actually complied with the GDPR until the server gets hacked.
Even the way they comply with GDPR isn't enough to protect users' privacy, e.g. if you have an account on Discord and you want your data deleted, they will simply turn every post your made into an "anonymous" post. This means if you sent a message that discloses your private information on Discord, that will never get deleted because its outside the scope of compliance. You could literally say "Hi, my name is XYZ, I live in ABC" and they won't delete that because you consented to provide that information, they will just change your username from "xyz" to "anonymous" or something like that.
I still wonder what are the actual benefits of GDPR with these cookie banners when 99% of the users just stay on Facebook and Youtube anyway.
My business is to get money out of other people's wallets and bank accounts. I could get make much money if you just logged into your bank account and approved transactions whenever I told you to, or screamed less whenever I took the wallet out of your pocket on my own.
That there's a way to earn more money does not justify it as legitimate thing to do, and if you can't figure out how to run a service in legitimate ways does not mean that illegitimate ways that attempt to violate its users in secret suddenly become okay.
The largest websites will still "violate its users in secret." That's why I don't think GDPR is as useful as people purport it to be.
there is nothing healthy about force-feeding ads optimized via collected data.
Bad implementation of the EU law indeed, as another comment said. It fails the purpose completely and just create more problems for nearly everyone.
It does not take time if you don’t care to read it. Yours click yes, and they will remember you want to be tracked.
Back in the day browsers offered this natively. When the advertising companies started building browsers there was a lot of incentive to see that go by the wayside of course...
But the earlier comment isn't saying that you shouldn't have options, rather that the law needs to be more specific, such as requiring browsers to work in coordination with website operators to provide a unified solution that is agreeable to users instead of leaving it completely wide open to malicious compliance.
These kind of laws need to be careful to not stifle true innovation, so it is understandable why it wanted to remain wide open at the onset. But, now that we're in the thick of it, maybe there is a point where we can agree that popup dialogs that are purposefully designed to be annoying are in volition of the spirit and that the law should be amended to force a better solution?
1. The law isn't about browsers or websites. It equally applies to all tracking. E.g. in apps. Or in physical stores.
2. The world's largest advertising company could do all you describe. And they do work with websites. First by repackaging tracking through FLoC. Then by just simply repackaging tracking and calling it privacy: https://x.com/dmitriid/status/1664682689591377923
Obviously. And where there are problems in those domains equal specificity would be asked for. But since we're talking about in the context of browsers specifically...
... then we all know it only cookies that matter? I don't understand the ellipsis
Oh look. Here's what I wrote:
--- start quote ---
The law isn't about browsers or websites. It equally applies to all tracking. E.g. in apps. Or in physical stores.
--- end quote ---
> But what does matter was already discussed. Are you reading comments in complete isolation again or what? There is a context that has been built up.
This is literally the only thread around your comment. There are dozens of other discussions, yes. I was specifically replying to your comment, and expecting replies within the context of your comment.
In practice these banners regularly break. They are hard to click on certain devices where the button is off screen. If they use JavaScript and there is an error elsewhere, you can’t hide them. And I regularly see them over and over again on the same sites because for some reason they can’t track me effectively for this purpose.
In short they are a regular minor annoyance that does take time and effort.
Other people already get two choices to make here which they didn't get before, which is a win in my book. Seeing the banner, you can decide to avoid the website and if you still wanna use the website, you can chose if you allow them to track you by PII or not.
Also, I am an educated consumer and understand what a cookie is. Most people do not and do whatever is necessary to make the consent screen go away. Because of that, effectively they don't get this choice.
As one of the parent posts said, if it was implemented on the browser level, I would get the choice, and the cost of making the right choice would be smaller. If the defaults were to "reject unnecessary cookies" then most of the population would get the benefit.
The way it is right now feels like a net negative. Most people don't know what the consent is about and will not spend the time to learn it. Companies still find ways to track you that agrees with the letter but not the spirit of the law. I have friction whenever visiting a new website (or an old one that forgot my choice). The only winners are people who don't value their time and are smart enough to understand cookie consent. That's a small percentage of the general population.
That's because the tracking is a net negative.
It doesn’t matter what site I visit and what choice I do. The next day, every single website asks me to pass through the banners again.
There's a reason people have always hated popup ads even though "just close them" has always been an option.
I have seen a ton of these ads in the past few years.
All these laws have done is created a ton of wealth for lawyers.
The more obnoxious the cookie banner, the quicker you can conclude "I didn't really need to visit your site anyway".
If you want to operate an ad-supported site, you need that consent. Untargeted ads are pointless and they don't make money. If you disagree, can I interest you in some brake pads for a Toyota Corolla? How about a dental chew for elderly cats? No? ok.
If you operate an e-commerce site or a SaaS of some kind, you probably need to advertise it online. To have traffic land on your site from advertising, you need to have ad network 'pixels' on your site. That's what they require. If you won't comply, then you can't advertise and you probably can't get many customers.
Websites which need neither are called "hobby sites." I'm very happy for the personal blogs which use no analytics, have no need to remember anyone or collect any "data." The sites showing the cookie banners are not that. They need to make money in order to exist.
It's not cookie banners that are wasting productivity, it's mutual distrust and the need to protect against it. "Cookie banners" (or more correctly: consent forms) are legal contracts. The reason they are often so annoying to navigate is that the companies that built them want to try to trick you into agreeing to things you have no interest in agreeing to or might even have an interest in not agreeing to. Technically the law forbids this but it's still more profitable to risk the fine than to abide by the law.
Or to put it another way: there's no honest reason to require a consent form to let you read an article. The consent form isn't for reading the article, it's for what the site wants to do to you (or your data - which includes all data collected about you because the GDPR defines that as being yours, too) while you're reading the article.
The GDPR doesn't make you waste time on cookie banners. The GDPR grants you ownership of all personally identifiable information of you and about you - it creates legal rights and protections you previously didn't have. Cookie banners exist because companies want to infringe upon those rights. Most cookie banners are difficult to navigate because most companies don't want you to understand what you're agreeing to (and on second order because they want you to blame the law granting you rights rather than them for infringing upon those rights).
Respectfully, this is untrue. The article is there because of the ads that pay the bills. Without ads there is no article and no site. Without consent, under these laws, the ads can only be useless ads that no advertiser wants to pay for, which means they either can't sell the ad space at all, or have to sell it for $0.0001 CPM hoping that like, Coca Cola will want to just remind the readers that Coke exists and not care too much if anyone even clicks it.
Rights don't make sense without bureaucracy because they only have meaning when you deal with them at that layer of abstraction. You can't respect and infringe "rights" interpersonally. You can act ethically or unethically, you can be nice or a bit of a dick, you can harm or help. But rights only become necessary as a concept when you have processes that need to interact with them and abstract entities that uphold and enforce them. Rights allow you to sue or call the police. But without rights you can't have capitalism. States enforce property rights literally at the end of a gun (and this includes "state property" too in case you were wondering about so-called "communist" states).
This is only an option if you limit tracking to using cookies. But neither tracking technologies, nor the current EU law, are limited to tracking via cookies. It also kills functionality for many web applications without also accepting all tracking. Some browser-flavors went to extreme lengths to prevent tracking through other means (eg fixed window size, highly generic header settings, ...).
Maybe I am mistaken, but it seriously frustrates me how much people within the relevant field make this mistake of conflating tracking and cookies and come to this "it would be so simple" solution.
A welcome update to the law would be to allow a header flag to opt out/in (or force the do-not-track header to have this functionality) preventing the banner from showing.
Maybe we could move towards that end in small steps. The EU should start by banning irrelevant non-sequiturs like "We value your privacy" and other misleading or at best distracting language. It can then abandon the notion that users are at all interested in fine-grained choice, and enforce that consent and non-consent to non-essential statekeeping are two clearly distinguished and immediately accessible buttons. No one wants to partially block tracking.
It seems as though the EU is operating under the notion that this is all a matter of consumer choice, as though any informed consumer would choose to have tabs kept on them by 50 trackers if not for the inconvenience of figuring out which button stops them.
90% of non-tech-nerds have this simple of an opinion about it:
1. Retargeting ads are "creepy" because ... "they just are"
2. Retargeting ads either annoy me because I think they're dumb in that particular instance ("I already BOUGHT a phone case last week, it's so dumb that it keeps showing me phone cases all day!") or because they're too good ("I gave in and bought the juicer after I kept seeing those ads all around the web") and I don't like spending money.
The rest of "tracking" they don't even know anything about and can't verifiably point to any harms.
Data brokers acquire data from thousands of different sources - many of which aren't stemming from Internet usage - and most of the browser data relevant here isn't tied to their actual name and permanent identity (and doesn't need to be to serve its purpose which is usually "to show relevant ads" and the more specific case of "to get people to come back and buy things they saw").
Honestly, just like people are annoyed by pushy car salesmen, and being asked for a "tip" at a self-order kiosk counter-service restaurant, they are going to be annoyed about aspects of the commercial Internet, and it doesn't automatically mean that they're being victimized or that they need regulations to try to help.
That’s because of malicious compliance from all the websites/advertisers. I guess that is partly the lawmakers’ fault for not pre-empting that; but much larger blame lies on the industry that refuses to grant user privacy.
As an example for a site that followed the intent of the law instead: https://github.blog/news-insights/company-news/updates-to-ou...
Github removed excess tracking so they didn’t need to show a cookie banner and that’s what GDPR’s intent was.
Number of sites using google analytics on my browsing session with my consent has gone down
Many sites ditched tracking altogether so they don't have to have banners. Everybody is aware of GDPR so you can be pretty confident that when european site has no banner it doesn't track you.
Could the law be better? Sure I would love to ban tracking altogether. But this was lobbied to hell by AD companies. Everybody was kicking and screaming because they want all the data. And we still got something that helps. That is a win.
And you can see how industry hates it in way they implement the banners. It is annoying and confusing on purpose. You could comply in nice way but when you need to share the data with your 141 ad partners and each one gets their own checkbox… good luck.
Same reason nobody was respecting the dont track me flag. The industry is absolutely and exclusively to blame here.
Indeed. So somehow you still end up blaming the EU.
As an example of true malicious compliance, some companies intentionally add trace amounts of allergens to all their food, that way they can just claim that all their food contains allergens and not be at risk of being accused of improper labeling. but the intention of the law requiring accurate labeling was clearly not to get companies to add more allergens to their food. it requires a level of creativity to even think of complying like that. It requires zero creativity to think “this law requires user consent before tracking, so let’s ask for consent”.
> In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02...
Article 4, Section 21.5
I found a website that lists all fines handed out for violating the GDPR: [1]
[0] Google fined €325 million by French CNIL for placing cookies without consent https://www.cnil.fr/en/cookies-and-advertisements-inserted-b...
[1] https://www.dsgvo-portal.de/gdpr-fines/gdpr-fine-against-goo...
What I don't like about cookie popups isn't the popup (which isn't something the EU law dictated btw), it's that someone thought it was okay to have hundreds of advertisement vendors and data brokers on a single news article, and it's better to know so I can just close the tab and never interact with that webpage again if they're being excessive asshats.
They have failed at enforcing this properly though, in particular with the recent proliferation of "legitimate interest" abuse (it is only legitimate interest if it an implied component to a service I am directly requesting), and the general issue of popups illegally making rejection different from acceptance, intentionally making rejection slow, or even requiring payment to continue without cookies. And yes, the occasionally completely defective prompt.
I do agree that it would be neater if the browser handled this though. Would also be neater if the internet wasn't entirely sponsored by privacy violations. :/
In other words, of course Facebook knows you like bacon if you've followed 5 bacon fan pages and joined a bacon lovers group, and they could sell that fact.
But without cookies being saved long-term, Facebook wouldn't know that you are shopping for a sweater unless you did that shopping on Facebook. Today they undoubtedly do know if you are shopping for anything because cookies exist and because browsers are configured to always save cookies across sessions.
Also, I always point this out when this topic comes up: Of all websites I visit and have to click stupid banners on, almost none of them are in the market of "selling data" or building dossiers about individuals ("Steve Smith bought flowers on June 19th. Steve is 28 years old. He has a Ford Explorer. He lives in Boston."). They just want to get metrics on which of their ads worked, and maybe to know aggregate demographics about their audience. My local water utility, Atlassian, and Nintendo to pick 3 sites at random, have never been and are not in the business of data brokerage. But they do need to show cookie banners to not be sued for imaginary harms under CCPA or GDPR (unless they want to not make any use of online advertising or even aggregate analytics).
Given that there is no objective way to differentiate between functional and tracking cookies, your "technical" solution would also boil down to honoring marking certain cookies as such by the website owner, effectively being the same as what we have today.
(Though I do agree that the UX would be nicer this way)
If they can open a port and side-step the security system of Android wholesale, they can probably find a "solution" to the not even that hard of a problem of doing tracking server-side.
Pretty much everyone was willing to give this away for free on the client side, in return for limited social integration, or (in Google's case) free analytics - server side is a significantly harder sell in many companies, and there is a much richer variety of backend languages/frameworks you have to integrate with.
If you're using functional cookies, you don't have to ask. If you're still asking, you're just wasting your time.
The reason every website asks is because:
1. They're stupid and don't even bother to preliminarily research the laws they comply with.
2. They actually are tracking you.
Ultimately if you're using something like Google Analytics, then yeah you probably do need a banner. Even if it's just a blog.
Great, so then don't do that.
Most of the "cookie management" scripts that people use aren't compliant.
EU law requires "Accept All" and "Reject All Non-Essential" be both equally easy to access and given equal weight (or rather: the latter can't be given less weight and made more difficult to access, which almost all of these scripts blatantly ignore).
Browser vendors can't solve this because the question isn't technical but legal. It's not about first-party vs third-party cookies (let alone same-origin vs cross-origin) but about the purposes of those cookies - and not just cookies but all transferred data (including all HTTP requests).
You don't need to (and in fact can't) opt into technically necessary cookies like session cookies for a login and such. It's plausible that these might even be cross-origin (as long as the other domain is controlled by the same legal entity). If they're provided by a third party, that would indeed be data sharing that warrants a disclosure and opt in (or rather: this can only happen once the user acknowledges this but they have no option to refuse and still use the service if it can't plausibly be provided without this).
The GDPR and ePrivacy laws (and the DMA and DSA) have done a lot for privacy but most of what they have done has happened behind the scenes (as intended) by changing how companies operate. The "cookie management" is just the user-facing part of those companies' hostile and dishonest reactions to these laws as well as a cottage industry of grifters providing "compliance" solutions for companies that can't afford the technical and legal expertise to understand what they actually need to do and think they can just tick a box by buying the right product/service.
Heck, most companies don't even provide legally compliant privacy policies and refuse to properly handly data access requests. The GDPR requires companies to disclose all third parties (or their categories if they can't disclose identities) your (specifically your) data has been shared with and the specific types of data, purposes of that sharing and legal basis for sharing it (i.e. if it required consent, how and when that consent was given) - and yet most will only link you to their generic privacy policy that answers none of those questions or only provides vague general answers or irrelevant details ("We and our 11708 partners deeply care about your privacy").
The law should have been just a browser setting sites had to follow, making it a "banner" has made it meritless pestering while pretending it's for my own good and allowing the worst offenders to make convoluted UI to try and trick you every site visit.
People ranting against cookie banners and GDPR literally never read the regulation itself and they literally never read what these banners are supposed to trick you into
Here, EU is not quite doing the right thing: the web need "noscript/basic (x)html" compatibility more than cookie regulation. Being jailed into a whatng cartel web engine does much more harm than cookie tracking (and some could use a long cryptographic URL parameter anyway).
Basically, a web "site" would be a "noscript/basic (x)html)" portal, and a web "app" would require a whatng cartel web engine (geeko/webkit/blink).
I do remember clearly a few years back, I was able to buy on amazon with the lynx browser... yep basic HTML forms can do wonders.
Their name is "PostHog", a dirtbag left joke from years ago. If they were trying to make joyless scolds happy with their humor, their site would be very different.
Which it is?
I am from the EU and I don't see what this law has accomplished apart from making the WWW worse, especially on mobile.
I remember back when Opera was a paid browser, last century, it already have options to accept all cookies, refuse them, or set fine-grained preferences per website. No need for handling it at the website level if the client can do it.
You can argue that the law might not have improved things (at least not as much as intended), but nothing about this law has made the WWW worse. If you believe that, you've fallen for the concerted efforts of the advertising industry spreading misinformation about who's idea the annoying consent popups were & (like this website) perpetuating the myth that they're a legal requirement.
None of the new annoyances on the modern web that you're thinking about are mandated by EU law. It benefits the ad industry massively to scapegoat the EU for these annoyances.
It doesn't matter much what happened behind the scenes to cause that outcome. From a black-box perspective, it could be that
(a) the EU mandated the cookie banners, (b) the EU mandated to provide cookie settings in some generic form, and websites decided to use banners because it's easier, more lucrative, or even to put people against the EU, in spite of having other options that were better for the user. (c) the EU mandated a different thing and the annoying banners don't even comply with the law.
No matter what the case is, the fact is that the EU made the WWW worse with the law. Either due to an outright harmful law, or to a well-intentioned law with too many loopholes, or to a good law but lack of enforcement. Doesn't matter much for the end user. When you make laws that affect people's daily life, good intentions aren't enough.
You can reasonably argue that if the EU had not taken action to reduce advertising companies' ability to abuse customer rights, then advertising companies would not have retaliated, & therefore the web would be a less annoying experience. You cannot reasonably argue though that this is some isolated one-sided situation where ad companies are devoid of culpability.
Your entire comment essentially amounts to ignoring an elephant in the room to sell a narrative that one "side" bears 100% of responsibility for the outcome.
If your government passes some badly-designed regulations that cause a rat infestation, you can be as angry at the rats as you want, but that won't be very useful. If you want things to actually change, it's the government you need to complain against, not the rats.
Isn't it even simpler: Unless the cookie is used to track, you don't need the banner? For example, a cookie used to remember sort order would not require a cookie banner, I think.
(It's not about cookies. It's about tracking.)
I’ve created websites with a cookie banner “because it’s required” even though there were no cookies involved. The idea that every website needs a cookie banner is more hurtful than the cookie banners themself.
It's still stupid though as most of the sites I do absolutely still track certain activity, it's just done server side.
In other words, it's not actually legally required in their case, but it's practically required, because it lets everyone know that the absence of the banner is not a violation of the law.
Your "logic" is baffling
That is what I meant by "practically". I mean "in a practical sense" as opposed to in a theoretical sense.
That literally does not happen. What world do you live in?
But just to entertain your scenario let's say that did happen: it still wouldn't matter because they could just reply and tell them why they don't need one...
So, cookie banner it is.
Also, literally how the process works is, any citizen of an EU country files a complaint, and you’re suddenly at risk for millions in fines and have to prove compliance to an incompetent non-technical person to stop the inquiries.
It’s easier to throw up a banner, hence why most lawyers recommend this regardless of what you’re doing.
It literally doesn't work like that
> any citizen of an EU country files a complaint, and you’re suddenly at risk for millions in fines
Of course you're not at risk for millions of fines because that's not how the process works.
If the relevant agency gets off its ass and decides to actually work on the complaint (very highly unlikely, unfortunately), they will first contact you and ask you to remedy the situation within some time frame (usually quite generous).
If you don't do that, they contact you again and tell you you might be fined for not doing what you're asked.
The only way for you to risk millions is to repeatedly knowingly violate the regulation.
> It’s easier to throw up a banner, hence why most lawyers
Ah yes. The famously competent technical people, those lawyers.
Individuals and other businesses have to complain to regulators about others not complying with the GDPR.
For regulators in general doing dumb things? Lots and lots of examples all over the place. Talk to any small-business owners you know, get them drunk, and encourage them to rant. You'll hear some stories.
This is how you minimize headaches and your legal bill. And on the day that people come after you for some unforeseeable tragedy or perhaps genuine wrongdoing (covered up by unscrupulous employees or less-than-honest vendors), you'll be better positioned to deflect legal repercussions and bad press.
The unnecessary cookie banner is a no-brainer: it costs you nothing and poses but a minimal irritant to users.
The issue is some sites won't display any content without cookies, even if it's unnecessary. The amount of React-using sites that will load the entire page only to a second later to fully blank out since the JS couldn't set local storage does get annoying (and can regularly be worked around by disabling Javascript if not used for anything substantial). A handful like this have appeared just this past week on the HN front page.
The annoyance of the cookie banners is the entire draw for companies. Its not a downside. They're user-hostile. You are their enemy. Their goal is to wear you down and trick you into opting-in, so they can both track with impunity and follow the law.
I know, that is why I am saying you would force them to respect Do_Not_Track by law.
Example: The identifier you get when you pass anti-bot challenges (Cloudflare, Anubis, etc).
Whatever mechanism they choose to uniquely identify you, they will insist it's necessary for another purpose and they totally are not piggybacking on it for tracking (e.g. for the CAPTCHA example, they would insist it's absolutely necessary to protect themselves from DDoS).
As another example, they can always respond with HTML where all links themselves are an opaque hash that internally contain "route + your id" when decrypted. Then emphasizing that all links are always different even for same routes to "show they are randomly generated", and saying that they do this because... idk, detecting scraping or something random but plausible-sounding. Or whatever sneaky variation of the `?PHPSESSID=` query param from old times.
(Yeah I know the last example doesn't a lot make sense, I didn't think too hard about it, the point is that they will probably find a way somehow.)
They also embed Youtube if you open the demo, which in turn tracks users (yes, even through the no-cookie subdomain: https://dustinwhisman.com/writing/youtube-nocookie-com-will-...).
Ursula von der Leyen would not be very proud.
Or that this is their way of bragging that they don't use third-party cookies?
No, this is conflating "GDPR consent" and the ePrivacy Directive. According to ePD the banner must always be shown if the company providing the service is based in the EU
Where people who’ve never started a company or spoken to a lawyer about GDPR, the ePrivacy directive, the schrems rulings, etc but just emotionally love idea of what they think it represents (but actually doesn’t), debate with normal sane people.
All I can say is, I’m getting really tired of this one guys.
The modern web's obsession with maximizing engagement and time on page is fundamentally user hostile. It creates a frustrating experience for anyone viewing the web as a utility rather than just a source of entertainment.