I am a Gaurdian reader. Have been since 2006.
I am a Guardian subscriber. Have been, on & off, since they introduced subscriptions.
I still see this banner every time I go to the site. (OK, I would if I didn't have an adblocker.)
The point I am clumsily trying to make is that I pay but I don't sign in.
When I don't sign in, I have the option/notion of rejecting all tracking. Once I sign in, all bets are off.
Thankfully, the Guardian only has annoying ads and not a paywall. Unlike the other newspapers I subscribe to.
|Newspaper I pay for
|Can I read without logging in?
|The New York Times
|Wall Street Journal
The obvious, if naive, explanation is that you need to answer
are you a subscriber?. This is essentially the AAA problem:
But the answer to the question above is solely
Authorization. You don't really need Authentication or Accounting.
The question Authentication answers is
Who are you?.
What and how much are you consuming?
Sure, some degree of Accounting may be needed for tiered access and so on, but last I checked none of these sites offer anything of the kind.
I don't know the answer. But I can guess. It's because they really do want the answers to the age old questions:
Who are you?
Why are you here?
Either that or they have a bunch of lazy coders.
Let me introduce you to Blokada. I have been using it for a couple of years to block trackers and ads on my phone. A few months ago, with the WeChat ban in India, I signed up for
Blokada Plus. This gives me access to the toggle button at the bottom of that screen.
Blokada works on my phone, on my web browser and my desktop. And it does not know who I am.
By asking the only question it needs to,
Are you a subscriber?.
And when it does, I provide my unique, randomly generated,
12 character account ID and all is good.
To access the VPN from my desktop, I log into the web interface with, you guessed it, the account ID. Once logged in, I can generate cryptographic client certificates to use with my VPN client.
In theory, this model is no more immune to tracking than any other.
In practice, it is possible to make the system pretty rugged.
Let's imagine a much more private flow for my beloved Guardian.
UPI, this is not.
It's not that hard. We just need to take this shit seriously.