PisaguchiNov 20
Kevin Beaumont

Worth noting with Mastodon - one of the reasons for no cookie consent popup is.. there are no tracking cookies. At all.

Similar with official mobile apps, there's no privacy agreements etc in the app stores as there's no third party tracking.

Why is this notable? Try doing the same check on Facebook, X, Instagram, Threads, Bluesky or basically anywhere or anything else online. It's basically unheard of in 2025, as everybody else is selling you.

Nov 20 at 1:46pmWeb
Show threadThe VHS Wizard 🦝📼🧙Nov 20

@GossiTheDog

It's that old thing, the "if you're not paying for the product, it's because you ARE the product."

We pay for Mastodon. Maybe not you, individually, but someone does. Owners pay for hosting and bandwidth and storage and the domain and all that other fun stuff. And I've seen the numbers for some of these instances, they can be very... not cheap to run.

So, if you're on Mastodon and have a few bucks to chip in, see if your instance owner has a patreon or a kofi or something, maybe chip in and do your part.

Show threadPetra van CronenburgNov 20
@thevhswizard 💯 ! @GossiTheDog
Show thread2xfoNov 20
@thevhswizard @GossiTheDog
Just because you pay someone doesn't mean they won't take more from you. My TV updated its terms of service to spy on my viewing habits after it was on my wall for years, for example
Show threadWeAreDawlessNov 20
@thevhswizard @GossiTheDog like in the early days, people had their own blog, hosted somewhere and paid a little to publish the things they like or find important. We need more of that again. It could be really that simple.
Show threadAlison MeeksNov 20
@thevhswizard And if you aren't paying, please consider a donation to your instance admin to help cover costs. @GossiTheDog
Show threadLee 🏖️Nov 20
@thevhswizard @GossiTheDog The default Mastodon software is kind of complex to set up and also heavy in comparison to say something like Snac or Gotosocial. I wonder how the hosting costs between these compares, but I'm sure there is a difference. Of course hosting something that has potentially hundreds (or more) users is going to take some resources, but for small instances I imagine it's pretty sustainable.
Show threadDavid FrankNov 20
@GossiTheDog side note: I don’t think if Apple does verify the data collection statement, I have seen national tax app that declared “no data collected” on App Store.
Show threadAlexander The 1stNov 20

@GossiTheDog This does remind me of, when browsing the internet, every so often I'll come across a website asking me to disable my Ad Blocker to continue, and...I'm not actually using one.

All I do is set my browsers to never store cookies or history once the browser closes, and to delete all data immediately, or within 24 hours, even if I'm not in Incognito/InPrivate modes.

It's just that my browser sessions are suspicious because of that, I guess, that they claim I have an Ad Blocker?

Show threadDanny Boling ☮️Nov 20

@AT1ST

I've thought about doing that but signing into five sites every morning is such a pain. That doesn't bother you, or did you find a way around that?

@GossiTheDog

Show threadAlexander The 1stNov 20

@IAmDannyBoling @GossiTheDog My way around that is mostly mobile apps.

But it means I don't have to worry about timeouts, or someone hijacking my session too - my token should be expired when I log out, regardless of if it was sniffed.

Show threadAlexander The 1stNov 20
@IAmDannyBoling @GossiTheDog The main downside to me is that for sites I don't usually log into...I tend to have to reset my password more often than not.
Show threadDanny Boling ☮️Nov 20

@AT1ST

No password manager for you?

@GossiTheDog

Show threadAlexander The 1stNov 20
@IAmDannyBoling @GossiTheDog I don't want to risk logging me out of stuff if I forget it's password, or letting others grab all my passwords at once if it's an online manager...or be entirely bricked when my local hardware fails that happens to have my passwords on it.
Show threadDanny Boling ☮️Nov 21

@AT1ST

All good reasons. Thanks for explaining!

@GossiTheDog

Show threadDanny Boling ☮️Nov 20

@AT1ST

Those are all valid arguments. I may have to reconsider. Thanks!

@GossiTheDog

Show threadmkjNov 20
@GossiTheDog The badger is happy, too. (And so is uBlock Origin, for that matter.)
Show threadKayla Eilhart (en)Nov 20
@GossiTheDog I'm always amazed how many personal websites are tracking me for no obvious reason. I've even seen websites clearly running on oss software and selfhosted which had cookie consent bar - without actual cookies. It's just so widespreaded that people apparently stopped thinking about meaning and just put it there to be on a safe side or something.
Show threadAskPippa🇨🇦Nov 20
@kayla @GossiTheDog Isn't that because everyone wants analytics -- how many people visited your site and where are they from? (Or is that something different?)
Show threadgeneric holiday season bribNov 20
@AskPippa @kayla @GossiTheDog The vast majority of analytics providers, even those that don't use cookies, try to find out if you're a new or returning user... and I've seen some legal arguments that the information required for that uses PII that is protected under GDPR
Show threadgeneric holiday season bribNov 20
@AskPippa @kayla @GossiTheDog I've also seen Plausible Analytics put out a legal argument that suggests they don't need cookie banners, but not everyone's convinced... hence, it's a legal grey area
Show threadKayla Eilhart (en)Nov 20
@sitcom_nemesis

I'm actually using Plausible and chose to just write it in privacy section of the website, without banner. Even if it may be someday later found wrong, self-hosted Plausible is nowhere near intrusiveness of big cloud players.

@AskPippa @GossiTheDog
Show threadgeneric holiday season bribNov 20
@kayla @AskPippa @GossiTheDog Looks like the EU is planning to do away with cookie banners, and also clarify that simple analytics (e.g. tracking website visitors) doesn't need consent: https://www.theverge.com/news/823788/europe-cookie-prompt-browser-changes-proposal
Europe’s cookie nightmare is crumbling

The European Commission is changing how cookie prompts work in Europe. You’ll soon be able to use browser preferences instead of per-site pop-ups.

The Verge
Show threadKayla Eilhart (en)Nov 20
@AskPippa

I'm talking about websites which didn't even had the analytics set up (even seen a few with placeholder js for analytics without ID in the code) or weren't monetized in any way (no advertisement etc). You don't need cookies for just rudimentary and privacy friendly analytics if you set it up properly and don't just wildly put google analytics in there.

@GossiTheDog
Show threadGeorge BNov 21

@kayla @GossiTheDog

The internet's prop 65 warnings

> Many companies now routinely attach Prop 65 warning labels to any product of theirs that they think might possibly contain one of the 900 listed chemicals without testing to see whether the chemical is really present in their product and without reformulating their product, because it is cheaper to do so than to run the risk of being sued by Prop 65 enforcers.

https://en.wikipedia.org/wiki/1986_California_Proposition_65

1986 California Proposition 65 - Wikipedia

Show threadsiderealNov 20
@GossiTheDog I’m also pretty sure this is why mastodon works way better than any other social media on slow Internet connections.
Show threadEmilio ʕ̡̢̡ʘ̅͟͜͡ʘ̲̅ʔ̢̡̢Nov 20
@GossiTheDog yep pretty much
Show threadCure53 🏳️‍🌈Nov 20

@GossiTheDog Proudly serving no cookies or whatsoever on cure53.de ever since the website went online.

We do receive mails from folks that complain about the missing banner though, assuming something is wrong.

Show threadOsservatorio NessunoNov 20
@cure53 @GossiTheDog
I guess you too can go radical and be proud to serve no JavaScript either:
https://osservatorionessuno.org/
A deep dive into Cellebrite: Android support as of February 2025

A deep dive into Cellebrite: Android support as of February 2025

osservatorionessuno.org
Show threadJimmothy BagginsNov 20
@GossiTheDog sad though many third party Mastodon apps especially on IOS do have trackers for some odd reason. I find it perplexing and disheartening.
Show threadIdo 🚴🏼Nov 20
@GossiTheDog why use cookies when you have APIs like: localStorage, sessionStorage etc' ?
Show threadBrianKrebsNov 20
@GossiTheDog it is rare, but you will also find no cookies on krebsonsecurity.com. I don't want your data, so don't give it to me!
Show threadMichael NewtonNov 20
@halla@kde.social @briankrebs@infosec.exchange @64bithero@mstdn.games @cure53@infosec.exchange @privateblack@mastodon.social @bitinn@mastodon.gamedev.place @GossiTheDog@cyberplace.social ​oh yes, this. What's your privacy policy? "Don't give me your data, I don't want it. I want to know absolutely nothing about you that isn't completely necessary to provide the service I'm offering."
Halla Rempt (@halla@kde.social)

903 Posts, 607 Following, 727 Followers · Maintaining foss digital painting app Krita, a woman and according to my wife, a stillroom maid. I paint, sculpt and like languages. Also RPG: https://valdyas.org/galsin/. Note: I very selectively follow back because my timeline is already overfull. I am also bit cautious about who I let follow me, sorry for that.

Mastodon
Show threadFritz AdalisNov 20
@briankrebs @GossiTheDog
Gonna print out my cookies and post them to you.
Show threadHalla RemptNov 20
@GossiTheDog I didn't know that it was possible to release apps on the play store without having a privacy statement. It's the reason this page exists: https://krita.org/en/privacy-statement/
Privacy Statement

Krita does not access, collect, use, share or transmit any personal information or user data whatsoever. Since we don't have access to any of your data, sensitive or otherwise, we don't sell it, of course. If enabled, the newsfeeds makes a network connection. The newsfeed is retrieved over an https connection. The G'Mic plugin can retrieve filter definitions over the network. You can configure Krita to save author information in images you create, but Krita does not do that by default.

Krita
Show threadyggNov 22
@halla @GossiTheDog This, as far as I know it's a requirement to have one, I wonder if these "get around" it because the client owner isn't the instance owner..?

The point still stands though, just maybe not the perfect proxy
Show threadMarcus BointonNov 20
@GossiTheDog Unfortunately it's becoming hard to tell the difference between sites that don't have a banner because they don't need one, and sites that absolutely do need one but don't because they don't give a shit because nobody is going to enforce anything against them.
Show threadChiefGyk3DNov 20
@GossiTheDog Why bother collecting data on myself when it's my own server? That's why I like Mastodon
Show threadBenNov 20
@GossiTheDog Oh, I never noticed that. That's indeed unusual. I like it.
Show threadKhleedrilNov 20

@GossiTheDog "Similar with official mobile apps, there's no privacy agreements etc in the app stores as there's no third party tracking."

What? I thought the reason they try to coerce you into using mobile apps is precisely because they (and Google, the NSA, etc) can track you, without needing cookies and thereby side-stepping the law. Don't they all insist on Google Play Services (a binary black box) so that your information can be shared between apps?

EDIT: I misread the OP, m'don is good.

Show threadPiko Starsider Nov 20
@khleedril @GossiTheDog They're talking about Mastodon apps, and as far as I know Mastodon does NOT coerce you into using an app. Neither the official app nor many of other popular apps for mastodon/fediverse have a any tracking at all.
Show threaddavecb 🇨🇦Nov 20
@starsider @khleedril @GossiTheDog I'm using the web version, and am logged on at Hachyderm. I note that Privacy Badger reports tracking by youtube.com.
It is not obvious if this is a Mastadon problem, or something else.
Show threadPiko Starsider Nov 20
@davecb @khleedril @GossiTheDog That's probably link preview embeds, I think you can disable them.
Show threadtbspNov 20
@GossiTheDog Nice! I didn't know this and it's great. Out of curiosity I went to Duckduckgo.com "It's private and free!" ublock origin reports 6 blocks. 😕
Show threadDukeNov 20
@GossiTheDog And here's my UBlock icon when I'm on Masto.
Show threadThomas OttenhusNov 20
@GossiTheDog even shops could go without such an annoying popup, but they choose to track me all the time ... it's sad.
Show threadПротест и сопротивлениеNov 21

@GossiTheDog Well, not exactly unheard of. From the top of my head, Duckduckgo and the EFF websites have no tracking cookies.

There's no technical requirement that could force websites to show ads or use trackers. Most companies simply hate their customers - sad but true.

The entire "cookie consent" thing is no solution. It simply adds another level of humiliation and pain for the visitors ("to proceed, forfeit your human rights") and allows the website owners to evade responsibility.

Show threadDHeadshot's AltNov 25
@GossiTheDog
There probably ought to be a cookie banner or something though if your instance allows for embedding of third-party content (e.g. YouTube videos), because that content will probably have tracking scripts etc..
Show threadMiakoda Nov 29
@GossiTheDog This is one of the reasons I'm here