Open-Source ‘Consent-O-Matic’ Tool Lets Anyone Automatically Stop Websites From Tracking Them

"We shouldn't be having nicer pop-ups; we should just not have any pop-ups whatsoever," the researcher behind the tool said.
This series explores surveillance and its intersection with race and civil rights. Made possible with support from Columbia University’s Ira A. Lipman Center.

Nobody really likes being tracked around the web, but rejecting cookies in a pop-up window every time you're presented with the option can be exhausting. Now, there's a tool that will do it for you automatically, and it's called Consent-O-Matic. 

Despite it being four years since Europe's GDPR data protection and privacy law was passed, along with the creation of consent management platforms (CMPs) meant to ensure compliance with GDPR, many sites still outright violate regulations and deceptively track internet activity. In April, researchers at Aarhus University released Consent-O-Matic to automatically reject permission requests to track you.

“Cookie pop-ups are designed to be confusing and make you 'agree' to be tracked,” the team’s Chrome extension summary reads. “This add-on automatically answers consent pop-ups for you, so you can't be manipulated. Set your preferences once, and let the technology do the rest!” 

In response to the GDPR’s guidelines on how data must be processed, and its requirement that consent obtained to do so be explicit and informed, companies have settled on obfuscating as much of this as possible, falling back on cookie banners, omissions, and other deceptive practices to skirt the law.

“The reason I created this Consent-O-Matic extension was because I'd done the research and I'd demonstrated there was a lack of compliance when it came to 'consent' pop-ups on the web,” Midas Nouwens, one of the researchers behind the program and first author of the academic paper introducing it, told Motherboard. “I knew from how it'd been in past years that it was going to be a slow process for regulators to pick up on this. Nor was I confident that they even would."

“So I figured I'd do something bottom-up, not just relying on authorities to try and enforce but build something users can use now while we wait for this slower, democratic process to happen," he said. 

To be sure, GDPR is being enforced—fines have pulled in close to $1.7 billion to date, with the lion’s share from targeting companies like Amazon (nearly $900 million), WhatsApp (over $200 million), Google ($100 million) and Facebook ($68 million). Still, there is much to work on thanks to a backlog of complex complaints, widespread deceptive practices to continue tracking internet activity, and a one-stop-shop process that is complicated by different procedures and privacy standards in each country party to the GDPR.

"The fact that we have these pop-ups is not a failure of the GDPR. It's not a failure of the regulation that an industry decides to flaunt the regulation," Nouwens told Motherboard. "The one critique I’ll take is that we could enforce it better. But the fact that we have these pop-ups is because an industry willfully decided to interpret it in a way that is super-annoying and not even compliant. And because of that, it's giving the regulation a bad name—this industry wants to continue business as usual."

There are already attempts brewing to bypass the Consent-O-Matic browser extension, however. Nouwens shared a patent application filed in September by CMP OneTrust that is aimed at detecting automated cookie rejection. If detected, the software would reject the automated request to block cookies and present the user with another request for consent, even adding a captcha. 

OneTrust’s patent warns that "by automatically rejecting such consent, the user may not be making an informed decision and the website operator may not be able to ensure the website is in full compliance with applicable privacy laws and regulations."

“The patent is pretty hilarious. The idea it is premised on seems to be that a refusal of consent has to have the same high standards as a granting of consent—that is to be specific, informed, freely given, and unambiguous,” said Michael Veale, a professor of digital rights and privacy at UCL Laws. “But that's simply incorrect. Refusing consent is a different act from giving it, and is not subject to those standards. Furthermore, data protection law specifically recognises that an individual 'may exercise his or her right to object by automated means using technical specifications.'”

In a 2020 study on dark patterns and GDPR compliance, a team of researchers including Nouwens and Veale scraped a sample of the UK’s top websites and found the majority were serviced by a handful of CMPs including OneTrust and were, at best, minimally compliant with privacy laws and regulations. In a survey of 680 of the UK's top sites, 24 percent of them used OneTrust and only 1.8 percent of those sites were minimally compliant with GDPR, according to the study authors. Researchers defined minimal compliance as "if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit."

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to—or worse, incentivizing—clearly illegal configurations of their systems. Enforcement in this area is sorely lacking,” the researchers concluded. In August, privacy group noyb filed 226 GDPR complaints against websites using OneTrust because they failed to meet minimal GDPR requirements.

OneTrust did not respond to a request for comment.

"The entire adtech industry's strategy over recent years has been to attempt to misinterpret regulation to make consent seem like a joke,” said Veale. “The legal reality is that this is not consent, and that such practices are themselves illegal. Data protection authorities are finally waking up to that.”

This is all to say that the effectiveness and limitations of Europe’s GDPR and other data privacy regulations, as well as the impacts on various business models and industries built on surveillance technologies (e.g. digital advertising), are pretty complex, but Consent-O-Matic offers a little respite from the reign of terror from cookie banners.

"I want to get rid of these pop-up banners, that's really my end goal. I'm not trying to fix them,” Nouwens told Motherboard. “We're trying to improve the wrong thing. We shouldn't be having nicer pop-ups, we should just not have any pop-ups whatsoever."

This article is part of State of Surveillance, made possible with the support of a grant from Columbia University’s Ira A. Lipman Center for Journalism and Civil and Human Rights in conjunction with Arnold Ventures. The series will explore the development, deployment, and effects of surveillance and its intersection with race and civil rights.