July 13, 2019

Cookie consent banners are a joke. The real thread lies elsewhere

Cookie consent banners aren't just annoying and (according to the GDPR) unnecessary as long as no external trackers are used. They also distract from the the fact that the underlying issue, user tracking, has long since moved beyond the web and festered.

I’m not particularly worried about tracking cookies on websites. Those were always easy to manage without a lot of trouble. If you are using Firefox, just configure the browser to throw away cookie on exit under Edit | Preferences | Privacy & Security . That takes care of it, at least on the desktop.

The real problem, though is, as usual, mobile, Android in particular. Here you don’t have to deal with just one, but (at least) two system level supercookies, you are neither warned, nor can get rid of:

  • Ad ID
  • Google Services Framework ID

The GSF ID is issued to your phone when you first bind a Google account to it and stays valid till the next factory reset. It is a unique 64 bit identifier that is always transmitted (X-DFE-Device-Id HTTP Header) when the device talks to Play. There is no way to opt out of this. No GSF ID simply means no service. The thing to keep in mind here is that while the GSF ID is private to the Google Play app, that app also defines a vast number of background services, which often perform tasks on behalf of other (third party) apps. So even if you don’t actively browse the store, you can count on your GSF ID being transmitted every couple of minutes.

The illusion of control
With the Ad ID, Google seemed to have the epiphany that it might not be a good idea to trust scumbags third party advertisers with something as sensible as the GSF ID. So in Play Services version 4.0, they introduced a separate ID for anonymously identifying users (yes, that oxymoron made it into documentation). Unlike the GSF ID, you are allowed to reset the Ad ID from the settings app any time. You cannot, however, suppress it entirely (the opt out checkbox only tells apps not to personalize ads, but doesn’t enforce it). Paradoxically, the Ad ID is actually sold as a privacy enhancing tool by Google. According to the Play rules, advertisers may only use this identifier to track users, and they may not link it with other identifying features. Of course, there is no way to enforce either. The whole idea behind the Ad Id is obviously not that personalized ads may be the problem, but that ads are personalized the wrong way, showing products that are of no interest to the user. So resetting the Ad Id is actually helpful not hindering to the advertising industry.

Is there a way to really opt out of this? Well, sure. If you don’t want a GSF ID (and you don’t), then you must not bind an account to your device, no matter how much it nags you to (in fact, the nagging is already reason enough not to do it). Furthermore, you should disable “Google -” everything under Settings | Apps . That takes care of the Ad Id as well. Sure, there will be a lot of scary warnings that some things won’t work afterwards, but that’s the point, isn’t it?