KodoPengin / GameIndustry-hosts-Template

Unique hosts templates to enhance your own privacy in games, websites and regular software on desktop and Android devices
https://www.gameindustry.eu

Dubious and misleading consentmanager (Title edited by Pengin) #33

Closed RichardBeisser closed 6 months ago

RichardBeisser commented 7 months ago

Hello,

at the moment, the list blocks part-0017.t-0009.t-msedge.net I suppose this is a false positive. F. ex. this blocks login at https://www.lichtblick.de/konto/

KodoPengin commented 7 months ago

I suspect that the cookie consent does not work properly because Usercentrics is blocked in the lists. The following are called on the page (without consent and visible nag screen):

www.lichtblick.de
fast.fonts.net # CSS, Cookies
www.datadoghq-browser-agent.com # Logging
app.usercentrics.eu # Tracking pixel, bundle.js
api.aklamio.com # Tracker
analytics.aklamio.com # Tracker
api.usercentrics.eu # Cookie nag screen translation
aggregator.service.usercentrics.eu # Tracker list
www.googletagmanager.com # 2 trackers (GTM-WMPC837, GTM-PH88SK)
consent-api.service.consent.usercentrics.eu # Consent
uct.service.usercentrics.eu # Tracking pixel
graph.lichtblick.de # Login
mein.lichtblick.de # Real login (account login), fonts, jpg
graphql.usercentrics.eu # Logger / Targets

Since I don't have an account there, feel free to test it out and provide feedback so that I can adjust the files.

RichardBeisser commented 7 months ago

just noticed, Stiftung Warentest uses it as well: https://www.test.de/CO2-Steuer-einfach-erklaert-5915840-0/ https://www.test.de/E-Rezept-Wann-geht-es-endlich-los-5862837-0/

KodoPengin commented 6 months ago

I would also like to point out once again that the offered files contain some strict rules, which can interfere with the functionality of websites and programs in favor of data protection/privacy and security.

Some will remain and some rules may be deactivated or even deleted for functionality and comfort.


The fundamental problem with these "consents" these days is often (as well as here) that tracking pixels and services are contacted, tracking pixels/third-party cookies and other mechanisms are activated/set before users can give their consent and in such cases, site operators often absolve themselves of all blame and responsibility because they are not their own services.

Users are often lied to and misled about purposeful and real data collection and background services. And in the case of someone wanting their data deleted, on websites with up to 100+ services, who is going to chase after and contact each individual company for data requests and deletion? I know none.

Responsible on Test.de https://a.delivery.consentmanager.net https://cdn.consentmanager.net

See https://www.test.de/cookie-richtlinie/ https://docs.piano.io/track/piano-cookie-descriptions/

Consent is blocked? Why? Because cookie banners are simply a farce, and trackers and analytics are still active.

Specifically, in the case of test.de, the following things are active directly upon page load WITHOUT consent:

Piano Analytics + Activation https://experience-eu.piano.io/load?aid=lzfikWNGpe

https://cdn-eu.piano.io/api/tinypass.min.js # __cf_bm Cookie

https://c2-eu.piano.io/xbuilder/experience/execute?aid=lzfikWNGpe # __cf_bm Cookie


https://cdn.cxense.com/cx.cce.js https://cdn.cxense.com/cx.js

Piano DMP https://comcluster.cxense.com/Repo/rep.gif?con=y&loc=https%3A%2F%2Fwww.test.de%2Fmeintest%2Flogin%2F%3Ftarget%3D%252Fcookie-richtlinie%252F&sid=5857331639292597770&rnd=lqsrhojqnibhh059

These services are also blocked. In this sense, the list does exactly what it is supposed to do.

The fact that a necessary page function may no longer work... is, of course, a separate issue.

And as mentioned for test.de - the service from Piano is definitely not among the "technically necessary cookies or services" that are required for a login. If it's just a matter of "DDOS protection", this is also possible without third-party providers linking content to an entire analysis and tracking platform including the whole page functionality. And even so, the information design as well as the consent process is definitively anything but transparent or user-friendly.

It would be advisable to write to the site operators regarding this matter and ask them to change the mechanics.


Long talk, short sense, a final update for this year will be provided later in the day/evening. I will think it over again. Either the services will be activated or a note will be made (including "usercentrics").

Anyway, thanks to the hint, another Piano address has been added to the block list and the CXense will be assigned to Piano in the future update.

In advance, I wish you a happy New Year's celebration!

KodoPengin commented 6 months ago

Title edited and closed

RichardBeisser commented 6 months ago

Hello,

first of all, happy New Year.

Thank you very much for the explanations.

On the subject of cookies: I use a PiHole on my home network and, in the browsers, uBlock, I don't care about cookies and CanvasBlocker. As a user I realised soon after cookie banners were introduced that you must not counter cookie banners by blocking domains (i.e. with the PiHole), because many sites then stop working. Rather, you need tools that inspect the page code and react to it - hence uBlock and the add-on by Daniel Kladnik.

The domain part-0017.t-0009.t-msedge.net seems to be the central point of contact on many websites. If you want to use a provider's service (usercentrics ???), you apparently have to provide your own subdomain that points to said domain as a CNAME - at least that is what it looks like in the PiHole. For lichtblick.de that is "anmelden.lichtblick.de", for Stiftung Warentest "cdn.test.de". Do you know the background here?

You wrote a lot about Piano Analytics + Activation. As you said, their domains are also in the block list and are still being blocked. This has no effect on the functionality of the websites.

t-msedge.net tells me that the services run in Microsoft's cloud. My thought was, on the one hand, who and, on the other, what is behind the domain part-0017.t-0009.t-msedge.net, and whether analytics and tracking really run through it, or whether it is only harmless things like DDOS protection.

One can also ask whether Usercentrics is behind the domain, or Microsoft itself. It is pure speculation, but looking at the naming of the subdomain with cdn at test.de, I would guess that only Microsoft's cloud is being used here to deliver the site's actual content. This also points in that direction: https://www.netify.ai/resources/platforms/azure-front-door

Edit: In your block list you sorted said domain under the heading # AppHostRegistrationVerifier.exe. Out of interest, what is that?
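An added example, not code from the repository or from either participant, illustrating the CNAME question raised above: a plain hosts file only matches the literal name a client looks up, whereas a CNAME-inspecting resolver such as Pi-hole (its documented CNAME inspection feature, not something stated in this thread) also blocks a first-party name whose chain passes through a listed domain. The hosts excerpt and the CNAME chains are constructed sample data, not live DNS answers or the template's actual contents.

```python
"""Compare how a hosts-file blocklist applies with and without CNAME inspection.

Added example; the template excerpt and CNAME chains below are constructed."""
from typing import Dict, List, Optional, Set

# Constructed excerpt in the "0.0.0.0 name # comment" format the template uses.
HOSTS_TEMPLATE = """
# AppHostRegistrationVerifier.exe
0.0.0.0 part-0017.t-0009.t-msedge.net
# Piano
0.0.0.0 cdn-eu.piano.io   # __cf_bm Cookie
0.0.0.0 experience-eu.piano.io
"""

# Constructed (hypothetical) CNAME chains, keyed by the name the browser asks for.
CNAME_CHAINS: Dict[str, List[str]] = {
    "anmelden.lichtblick.de": ["anmelden.lichtblick.de", "part-0017.t-0009.t-msedge.net"],
    "cdn.test.de": ["cdn.test.de", "part-0017.t-0009.t-msedge.net"],
    "experience-eu.piano.io": ["experience-eu.piano.io"],
    "www.lichtblick.de": ["www.lichtblick.de"],
}


def parse_hosts(text: str) -> Set[str]:
    """Return the set of blocked hostnames from hosts-file lines, ignoring comments."""
    blocked: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing and full-line comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in parts[1:])  # a line may list several names
    return blocked


def blocked_by_hosts_file(name: str, blocked: Set[str]) -> bool:
    """A plain hosts file matches only the literal name the client resolves."""
    return name.lower() in blocked


def blocked_by_cname_inspection(name: str, blocked: Set[str],
                                chains: Dict[str, List[str]]) -> Optional[str]:
    """Block if any hop of the CNAME chain is listed; return the hop that matched."""
    for hop in chains.get(name, [name]):
        if hop.lower() in blocked:
            return hop
    return None


def report(chains: Dict[str, List[str]] = CNAME_CHAINS, text: str = HOSTS_TEMPLATE) -> Dict[str, dict]:
    """For every requested name, show the outcome under both blocking models."""
    blocked = parse_hosts(text)
    return {n: {"hosts_file": blocked_by_hosts_file(n, blocked),
                "cname_inspection": blocked_by_cname_inspection(n, blocked, chains)}
            for n in chains}
```

With the constructed chains, anmelden.lichtblick.de and cdn.test.de are untouched by a plain hosts file but blocked under CNAME inspection via the t-msedge.net entry, which is the behaviour the thread observes with the PiHole.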