I was moved to tears when I saw the new website for the MIDI association. It's comically terrible!
Normally I wouldn't give a toss about this except they used to have a very useful set of quick reference pages on the midi specification. These now redirect to the new site, where the same information is presented over many more pages in a larger font, padded with blog adverts and – I shit you not – high resolution images of acoustic guitars. Because acoustic guitars sure have a lot to do with the electrical specification for MIDI.
I've mirrored the two most useful bits of the old site here.
It's been seven years since I last posted a rant here. Rants tend to have a time limit on them; usually, eventually, the problem gets sorted out. I deleted the oldest rants a while ago, they were no longer valid or interesting. Maybe this one will become invalid too. I hope so.
Before this rant can even begin, I have to tell you about the moronic law that was passed by the UK government a few years ago regarding cookies. And before I can talk about that, I want to just cover the basics to make sure you're on board about what a cookie actually is.
Imagine you're in a queue at your local council. There's a man shouting at one of the desks. A woman with too many children is struggling to silence them. Little wooden beads on red metal wires have long lost the interest of any infant who would have played with them. You're tired, your knees ache as much as your head. You want to sit down, and you can, because the queue uses paper tickets.
These paper tickets are a lot like cookies, and are subject to the same rules. It's your responsibility to hold on to it. Nothing stops you tearing it up, throwing it away or giving it to someone else. You could tell the establishment that on principle, you do not accept paper tickets. Fine, but they would probably take no notice, and you would never advance in the queue.
When they announce who's next in the queue, they do so over an insecure channel (a loudspeaker, or a display board that everyone can see). Nothing stops you scribbling out your number and forging that of someone else's, and getting to the clerk's desk first. They might notice your handwriting, and this is one way that cookies differ from paper tickets, there is no handwriting.
At the end of your visit, it is expected that you throw away your ticket. It was intended to last for this session only. It has expired, but there's nothing stopping you keeping it.
Queues and raffles use paper tickets to identify you, and there are two reasons we don't complain and argue about privacy:
I go to my bank to make a withdrawal. I show my bank card or passbook to the cashier, or I sign some paper, and convince her that I am the owner of the account. Then she does the transaction and hands me my money. Why should she trust that the person she handed the money to was the same person who proved they owned that account? Because I was standing there the entire time.
But when we browse the web, each page view is a separate request to the web server, and initially there's no indication that it's the same person making each request. This is a little like me walking in to the bank, saying I'd like to make a withdrawal, and then leaving. A moment later I walk back in and show my bank details, then leave. I enter for a third time and expect the money to be handed to me. Well, maybe they still would if I was easy enough to identify. My hat and glasses might be unusual enough to single me out, but anyone could fake those.
My facial features are probably harder to fake, but I can't change them. Not without a certain amount of pain anyway. So if a criminal found my doppelgänger, or gave someone plastic surgery to look like me, they could swindle me repeatedly. Every time I left the bank after a transaction, they could walk in and say, "Me again, I'd like to empty the account." And they could do this every time, until I changed my face.
On the internet, these identifying clues are things like what browser you're using (hat and glasses?) and your IP address. IP addresses are difficult to fake, but not unique - yours can change, or you may even share it with the rest of the office.
So we come to the concept of logging in. I prove to a website who I am, once, by giving my password. In return they hand me a cookie. This is identical to the paper ticket, except instead of assigning numbers sequentially, they choose a very large random number that (hopefully) is impossible to guess. This is called the session ID. I show this session ID with every request, and the website believes who I am.
Of course if the channel is unencrypted, anyone listening could steal that session ID and pretend to be me. But encryption is outside the scope of this rant.
Another cookie this site uses is to optionally disable the fade effect between pages. This task could be better achieved through HTML5's localStorage, since there is no need to send this information to the server, but I use a cookie for maximum compatibility (and I wrote the site before localStorage existed).
In both of these cases, if you refuse the cookie I don't care, it's only your user experience which will be affected.
If you're thinking that all this about cookies is super-obvious, I'd agree with you. But apparently the folks in charge have no idea about what cookies are or what they do.
The need for cookies and their legitimate uses means that disabling them entirely is not an option. In addition, most websites that want to track you will punish you for not accepting them – you'll always be stuck at the back of the queue. But there's a way of satisfying all these sites without letting them track you:
This is how I've had my browser configured for more than ten years. This is what everyone should do. But it seems that almost no one does.
(I actually tried to look up what the law said exactly. It is was brought in as "The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011" and was again amended in 2015. However the two minutes I spent trying to read these documents was not sufficient to get past the legalese. I'm basing my rant on what companies and websites actually do.)
I like the BBC, and I think this message and their system is well-intended. But those 'settings' are all cookies, and by 'accepting' them you are handing control over to the website as to whether or not you are tracked. Would you rather meekly ask a website not to track you, or simply prevent tracking from being possible in the first place?
At least Google doesn't bother with the pretence of giving you a choice.
In order to close that warning box, the website has to remember that you've closed it. How does it do that? Via a cookie of course.
Yes. You have to permanently accept a cookie, or else always be hounded with the same message about cookies every time you visit the site. Anyone who has their cookies set up the correct way, as I described above, will be punished for it by being shown a message about cookies every time on every site they ever visit.
I have put up with these messages for years. No one cares because everyone else is willing to play the game.
The result of the law is that ordinary people continue to be tracked, and people who do the right thing are punished for it. Since tracking data is so valuable to marketing companies, and it would be a disaster if everyone configured their cookies the correct way, I cannot help but suspect an evil motive behind the law. Either that, or the people in charge are just really, really stupid.
Next time, on mitxela.com/rants: Google's crusade on unsecured websites – not everyone has something to hide.
Tune in in another seven years.
This was once a blog.
It might have been amusing
but now it is dead.
I got rather bored
of writing crap about me.
Hence no more updates.