Have lawyers familiar with EU law vetted your technique? Could you share their legal reasoning? If not, why would anyone ever take the risk to use your product and face huge fines?
I am all for privacy, use uBO, Firefox Focus / Incognito and Google alternatives. But if I have to consult a lawyer each time I write some code or write up a blog post, I'll take up gardening instead.
How about just consulting a lawyer each time you abuse a protocol to get users' software to behave in a way that is invisible to them and benefits you?
There is already a correct way to tell a browser to tell the server something with each subsequent request: Cookies. Nobody needs to "write some code" here; it's already written. Working around the protocol isn't engineering, it's just lying.
This blog post is just another cynical degradation of trust between users and their browsers, and browsers and the servers they talk to. Just another part of HTTP that we can't use for what it was designed for anymore because servers want so desperately to track visitors uniquely and a significant subset of visitors would prefer not to be remembered uniquely.
It doesn't track visitors. It just counts how many came back and how many bounced. It's very privacy friendly, but still doesn't meet your standards? I think you just like to complain.
This is simple. Why not use cookies? Because people don’t like cookies, or people delete cookies, or there are regulations surrounding cookies. So we’re doing what cookies are for with a different part of the protocol to circumvent all those issues.
Though, of course, it doesn’t circumvent any of them. Nobody who firmly rejects cookies is amused, and no court that ever made a cookie-consent law will shrug its shoulders and say “technically it’s not a cookie so I guess they’re in the clear”.
It’s ridiculous to call this privacy friendly, and I think you just like to track your users without asking.
Instead of putting a real, appropriate value in "last-modified", we're putting an arbitrary value, totally unrelated to actual response caching that the user's browser will unwittingly use next time it calls us and in so doing remind us of something about them. Maybe all it reminds us of is visit count, because we have restraint and that's all we're exploiting this for (for now). So now, for the third time:
Why not use a cookie?
The problem with this is encoded in the answer to that question. You're being willfully ignorant if you can't see that the answer to that question is: "Because I don't like certain governments, users, and user agents' way of handling cookies (e.g. deleting them, or requiring consent)".
So you agree it doesn't track users. At least we're on the same page there now.
Why not use a cookie? Because then they can't advertise that they don't use cookies. It's like how they put a No-GMO label on food that doesn't even have GMO crop varieties. It's meaningless, but people are uneducated on the subject so it sells products.
You could use a cookie here, and you could do it completely legally without requiring consent. The laws don't care about cookies or other technical implementations, they care about tracking. So the reason to use this cache header instead of cookies is simply because people are uninformed on the subject and it sells better this way.
> Why not use a cookie? Because then they can't advertise that they don't use cookies.
Oh, so they can be craven motherfuckers who abuse protocols for the sake of web analytics. With you so far.
> The laws don't care about cookies or other technical implementations, they care about tracking.
This is flat-out wrong. The law cares about any cookies that aren't strictly necessary for the site's operation. This very well might qualify as a cookie that isn't strictly necessary for the site's operation. It's not implemented as a cookie, but what you say is half right; "the laws don't care about... technical implementations". A judge might not care that you've come up with a clever way of storing your cookie with a different header. It's the same thing as a cookie, and it's not necessary for the site's operation.
Even the good guys are craven motherfuckers to you. Who does measure up to your standards of flawless perfection?
This is an analytics service that respects user privacy. We would be wishing them all the success in the world, not criticizing them for not meeting your ridiculous notions of HTTP header purity.
What a ridiculous notion! Using cookies when you want to set a cookie! Absurd! What we are trying to do is set a cookie while also proclaiming to the world that we don’t use cookies. What’s the matter with that?
I’m sorry, but “I want to sort of lie” is just not a very compelling reason to me. I guess I just have ridiculously high standards.
No need for this kind of hyperbole. I wouldn't ask this question if the OP's post didn't contain grandiose claims such as "No cookies, no consent banners, no ad networks, 100% GDPR & CCPA compliant, low footprint web analytics." OP made a claim about their compliance with EU law. I'm asking for proof or at least an explanation.