luke.b//blog

Right now I feel like writing a program to crawl cooking websites and scrape the euconsent-v2 cookies that get stored when you click “Reject all” + “Object all” in the OneTrust cookie banners.

It seems every site has a slightly different permutation of cookie that gets stored to record the fact that you have denied storage of cookies for any reason. It’s unclear to me currently why this is, but it might not be important.

What I’m imagining is that I can create an extension that will inject this cookie prior to visiting a site, preventing the cookie banner from showing up in the process.

This has a slight advantage over detecting the cookie banner and simply removing it: this way I also object to all tracking, in theory disabling the tracking that happens if no options are clicked.

This only works for euconsent-v2-supporting cookie banners, which I think is implemented by OneTrust and backed by a tech created by the IAB known as TCF (https://iabeurope.eu/wp-content/uploads/2019/08/TCF-v2.0-FAQs-1.pdf, https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/Consent%20string%20and%20vendor%20list%20formats%20v1.1%20Final.md).

They found a way to get vendors to have to register in order to use this, so it seems similar in nature to how SSL certificates work, where IAB is an authority in this world of cookie consent (specifically set up for use in advertising). Essentially different vendors will register with the IAB as an entity that will receive data about a visiting user in order to correlate their data with any existing data already held. Each vendor registers any number of purposes for which they will use the data, e.g. “link different devices” or “create a personalised ad profile”. When the website admin implements their cookie banner, the total purposes are determined by the selection of vendors they have specified for their site. The purposes can then be opted-out by the user.

This is why each website could have a different way of encoding an “opt-out”, because the token includes data about which list of vendors was used, the ID and version of the cookie banner itself.
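An added example (not part of the original post) of why two "reject all" cookies differ byte for byte: it decodes the core segment of a euconsent-v2 value using the TCF v2 core-string field widths and compares only the fields that carry the user's choice. Both sample strings are constructed here and truncated after the purpose fields; the CMP ids and vendor list versions are made up.

```javascript
// TCF v2 core-segment fields in wire order: [name, width in bits].
const CORE_FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["tcfPolicyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardStacks", 1], ["specialFeatureOptIns", 12],
  ["purposesConsent", 24], ["purposesLITransparency", 24],
];
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode the core (first) segment of a euconsent-v2 value into named fields.
function decodeCore(tcString) {
  let bits = "";
  for (const ch of tcString.split(".")[0]) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`not base64url: ${ch}`);
    bits += v.toString(2).padStart(6, "0");
  }
  const out = {};
  let pos = 0;
  for (const [name, width] of CORE_FIELDS) {
    if (pos + width > bits.length) throw new Error(`truncated before ${name}`);
    out[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  return out;
}

// Test-data helper: pack fields into a constructed, truncated core segment.
function encodeCore(fields) {
  let bits = "";
  for (const [name, width] of CORE_FIELDS)
    bits += (fields[name] || 0).toString(2).padStart(width, "0");
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, "0");
  return bits.match(/.{6}/g).map((b) => B64URL[parseInt(b, 2)]).join("");
}

// Two constructed "reject all" records; CMP ids and list versions are made up.
const base = { version: 2, created: 16200000000, lastUpdated: 16200000000,
  consentScreen: 1, consentLanguage: 4 * 64 + 13, tcfPolicyVersion: 2 };
const siteA = encodeCore({ ...base, cmpId: 101, cmpVersion: 3, vendorListVersion: 90 });
const siteB = encodeCore({ ...base, cmpId: 202, cmpVersion: 7, vendorListVersion: 95 });

// True when two strings record the same purpose-level choice.
function sameChoice(a, b) {
  const x = decodeCore(a), y = decodeCore(b);
  return ["purposesConsent", "purposesLITransparency", "specialFeatureOptIns"]
    .every((k) => x[k] === y[k]);
}
console.log(siteA === siteB, sameChoice(siteA, siteB), decodeCore(siteB).cmpId);
```

`decodeCore` reads only the leading fields, so it also accepts a full string copied from a browser's cookie store; the vendor sections that follow are ignored.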

All of this is the entire reason it’s so difficult for a user to express their cookie consent.

There’s also a major legal issue with trying to consent to cookies “once and for all”, because the legal basis of cookie consent is designed to be specific to every vendor, cookie banner, publisher, language etc.

It’s all designed to work for the industry, and it does! And although users are better off from the point of view of legal transparency with respect to cookies and how they are used, the majority are also encumbered by the awful, awful experience of using any website for the first time on any device.

Luckily cookie consent cookies are not user-specific. That is, they do not encode the identity of the person who has consented. This is important because it means the same cookie could be used on some completely other device and would essentially prevent the cookie banner from ever appearing. Of course the user should still be able to control this functionality, and this remains possible although limited to copying the choices of a previous user who has already clicked certain options on the cookie banner.

And alternatively, the interaction with the banner could be automated such that the blocking cookie is collected by a crawler and distributed to users who wish to consent in the same way.

Anyway, I feel motivated to try this - it would be pretty simple to create an extension that enables recording of cookie consent, making the cookie public to anyone else using the same extension. To begin with the extension could have a single option of “always opt-out”.

It might even be possible to do this in a way that is agnostic to the data stored in the cookie that prevents the banner appearing. The extension should simply record any changes to the user’s cookies whilst they interact with the cookie consent banner.

Eugh. I feel awful. The Pfizer is currently enabling my immunity to the disease.

I took the afternoon off because work became incompatible with this lethargic and otherwise sick feeling.

I watched one of my favourite sci-fi films earlier - Arrival (this film is from 2016 what?) and it was as good as it was the first time I saw it. I had forgotten the beautifully done sub-plot, probably the best I’ve seen in a film actually.

Tomorrow I get vaccinated for covid!!! Much excite.

Still loving my little docker-compose deployment system. I should really make a series of blogs about the whole setup.

Bought some new clothes this week because I thought of an outfit that I thought would look good. It totally doesn’t. I find it’s so much faster to try outfits in a store and buy them if it looks/feels good.

Still feel like I’m trying to figure out what my style is. I feel motivated to do it but a bit clueless as to how to do it. I realise most people just kind of buy stuff and wear it if they want to. This has kind of worked for me in the past with certain outfits but I’m feeling dissatisfied.

This apartment gives me a sense of dissatisfaction sometimes but there’s part of me that makes me think it’s actually just my life.

I think the past few days I haven’t really focused on myself, but rather my job. I think today it really came to a focal point where all of my thoughts became focused inward and amplified this sense of dissatisfaction.

I missed codebar.io because I didn’t put it in my calendar, and I feel really annoyed at myself about that.

Also, working harder doesn’t make me feel better.

A common thing that I keep doing is feeling so motivated to work that I work really late and then tire myself out. Then for the rest of the week (usually Thursday and Friday) I feel like I have a lot less energy. And in the evenings Tuesday - Wednesday I have a lot less energy to enjoy free time. Everything feels like too much effort. On bad weeks it will mean I stay inside for days at a time.

I have so much to be grateful for, I must remember that. I should be grateful that I can work a fixed number of hours a day and know that my job is secure and I am motivated to do it.

I think I try to discover satisfaction through working harder but of course this isn’t possible. Satisfaction through learning/teaching/helping is definitely possible but working longer will only make me feel exhausted and dissatisfied that I couldn’t do more. The feeling reminds me of when I used to stay up late playing games with the words “one more game” coming to mind at the end of every round. I think I need to rediscover a healthy work/life balance.

I’m really enjoying doing a bit of creative writing now and then. I’m also noticing that I tend to dislike it when I fall into the style of storytelling where I directly describe the world. So for example when I write something like, “the politicians in this time would almost never wear hats, so this seemed strange to Peter” instead of implying that the world is a certain way. In this instance I could write that in this world, if someone becomes offended by your political stance they might say, “say that with your hat off and we can start a real discussion”. That was an awful example.

Actually, I notice two distinct concepts here: pace and whether to be direct.

I’m finding it’s possible to be fast or slow and also be direct or indirect.

OK, so take an example where a father and Son are camping in the forest and the scene starts with a description of a lake surrounded by towering pines before immense forested mountains rising out of the ground.

Sometimes when I’m reading I enjoy the slow pace of having to read a page of some poetic scene-setting prose and in this case it would really bring home that feeling of the characters being isolated in nature because there’s literally a wall of text surrounding the part where they come in.

Other times I’ll be craving the immediacy of pace where the description starts with the characters as they interact with the forest, moving through it until they reach the lake and stop to drink water and bathe beneath the incredible mountain range watching down on them. The pace/intensity could be increased more so by barely mentioning the surroundings and focussing entirely on the characters and their actions:

“The Son calls back to the Father that he found the lake but the pouring rain slowed his progress as he struggled with his injured leg. The Son called again to the Father who had stopped and leant up against a pine to keep balance, energy drained and soaked through, he pushed onwards. The hidden entrance was obscured beneath the surface. They would have to swim to reach it.”

With such a high pace, there’s no option but to describe less about the world and it feels more natural to be quite direct (i.e. “the pouring rain”). The details are short and have a certain potency to keep the reader grasping for every sentence. But there’s still a sense of almost comfort in being given these details.

Trying to be indirect could be useful for injecting more drama and confusion to the scene:

“Dad? The lake! I’ve found the lake!”

“Dad?”

“I’m coming, just give me a moment” came a pained cry in the distance.

Peter grabbed his Dad’s crutch and threw it onto the sodden Earth, removing his soaked clothes.

“You can still use your arms right?”

“Should be fine, let’s get inside”

Peter put an arm around his father as the water came to waist level and as they moved further, they became completely submerged. Eyes open, Peter scouted the entrance and swam for both of them, letting out air from his lungs to dive deeper.

They reached the entrance…”

So the reader might feel a bit uncomfortable there or tense because they aren’t getting the full picture, but just glimpses. Notice I didn’t mention it was raining or that they were about to swim or why their clothes were wet or why they were entering the lake. All of that revealed itself over time in the mind of the reader (hopefully).

Anyway, this is probably basic writing stuff and I should go read a book about it or something.

Somehow it’s just after midnight on what is now a Saturday and just now I decided to do some work for a bit.

I’ve been feeling super positive recently but then I just had one of those weird evenings where it was going well and I felt motivated to do something productive. But then I just started working, and it was kinda gross.

Anyway. Cases are going up.

Christ I hope there’s not going to be a third wave.

OK. so I wrote a bit more. happy days.

I should really set up a prometheus thing to scrape metrics from nginx logs or something so I know what kind of traffic I’m getting.

I’m going to force myself to write this story. I’m going to do it and it’s going to be an okay story.

OK. I went down the rabbit hole to see what GCP has WRT per-user encryption. TL;DR: customer-managed encryption keys can be used but this is mostly useful when using a GCP service that doesn’t already encrypt all the data stored. Firestore is one such service where all data is already encrypted and the keys are automatically managed by Google, including rotation.

The purpose of this isn’t to prevent GCP admins from reading the data. And this was my goal. Sadly it’s just not a supported feature. The assumption is that you as the owner of the app will want or need access to all the data your customers submit.

One way to avoid this would require full E2E encryption, which is tricky to get right without impacting UX. Storing the encryption keys in Firebase is a possibility and would make for a slightly friendlier UX (where keys are managed on behalf of the user as opposed to letting them do that). This would mean that admins can still technically decrypt users’ data though, which I’m not sure I would be comfortable with.

I mean, there’s a possibility the UX doesn’t have to be terrible. An easy assumption could be made that the user would stick mostly to a single device, where their private key can be stored in local storage. Syncing devices could be done via QR code to avoid sending the key across the network.

Apparently Google has written a client-side encryption library Tink that can be used together with KMS to provide client-side encryption of user data. The user key is generated and stored locally, and then “wrapped” by encrypting it together with the encrypted object using the KMS key (I think).

Anyway, I’m way too tired to be figuring all this out right now. I need to go sleep.
