I did some looking in my debugger when following the link and it looks like they are loading two affiliate tracking cookies in my browser, but there was no cookie warning on the Proton website.
According to their support entry on enabling cookies they wrote:
“Cookies are small bits of code that websites use to store information in your browser. The Proton Mail and Proton VPN websites require cookies to be enabled so that we can store your current session information and remember your login details between sessions.”
Are they forgetting to mention affiliate tracking cookies here? Or are these from YouTube? I haven’t signed up yet so I don’t have a session or login details. Maybe I am just missing something but this seems off. What kind of impact would these kinds of tracking cookies have on my privacy and browser fingerprint?
If anyone wants to try and recreate this you can follow the discount link in the description of the Techlore video, then hit f12, go to storage, and the affiliate cookies were listed. This was in Firefox.
I asked on their subreddit and they removed my post and answered with this. I dont really understand, whats there to clarify with the team and why is the post removed?
It seems that this is intended by them, however I find that just very slimy that they do not disclose this anywhere, and on their website instead state they don’t use any third party cookies at all.
Wait, are you guys scared of a cookie having information about which affiliate link referred you to the purchase page? There’s no third-party cookies, they all say they’re from the proton.me domain.
Are you perhaps confusing the cookies being named “affiliate” and “affiliateId” with some sort of nefarious unannounced third-party tracker?
Just came as a bit of shock that there was no “accept or reject the cookies” warning. I get it if it is being used so affiliates can get commission on traffic though. I’m more concerned this could have any impact on privacy with browser fingerprinting on other sites.
It’s a functional cookie, I’m fairly certain those are just blanket allowed by e.g., GDPR
Besides, it’s a first-party Proton cookie that only shows what affiliate link was used (and one of the two expires at the end of the session, even.) and it should be isolated per site like basically any other first-party cookie unless Proton has an ad network and lets other people embed their stuff now like the facebook button and so on
I don’t see how analytical cookies are functional and essential for the website? I am pretty sure that not showing a Cookie banner for those is dodging or dancing on a very fine line of what is allowed. Atleast I think it’s very ironic that they state they only use essential cookies, whereas these are obviously not essential due to only tracking what affiliate you came from.
Just because it is allowed, doesn’t mean it isn’t slimy.
EDIT: I have also received another response by their team:
so it seems that this is indeed disclosed somewhere, just not very apparent for the user. I think a more transparent approach to this would be best.
“Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.” (Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu)
Note that this info comes from a website operated by Proton itself
Would you guys prefer that it’s just stored in the link as a parameter? Or maybe you type it in at checkout?
If you want to give your favourite content creator a kickback or get a discount, Proton needs some way of tracking (gasp yes, tracking ) that at the very least your payment should be marked as coming from an affiliate link or other kind of promo link
Transparency is good but this is fuss over something that should already be obvious. And besides, if your “threat model” includes a company knowing you watch a particular somewhat popular youtube content creator, you might want to rework that threat model
Being surprised that there are users on this board, of all boards, who are surprised to encounter tracking links from the most commonly recommended privacy product on this board is wild.
Proton we’re not mad about the fairly non invasive tracking, just disappointed.
Hey, I apologize if I was confused, but there is no need for the attitude ("gasp yes, tracking ). I’m asking because I am trying to learn more about privacy/security. Asking stupid questions is necessary to the learning process.
For the future, snark doesn’t help communicate knowledge to those looking to learn. It is off-putting and doesn’t contribute to discussion.