If you care about online privacy, an upcoming change in the default cookie-handling policy for Firefox will be a very big deal indeed.
More precisely: If content has a first-party origin, nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.
If that’s too confusing, let me try to explain how it works with a few examples.
Here’s a mockup of the privacy settings dialog box as it’s likely to appear in a forthcoming Nightly build of Firefox. (It’s not in the current Nightly build I just installed.) Note that "Accept third-party cookies" by default is set to "From visited."
Let’s say you start with an absolutely clean installation of Firefox 22, with no cookies already set. You might visit a website like ZDNet.com, which incorporates content from its own domain but also from multiple advertising providers and analytics firms. In addition, each page includes social media widgets such as the Like button from Facebook, a +1 button from Google, and a Tweet This button from Twitter.
When you visit this site for the first time using the new Firefox, the only cookies that will be set are from the site you specifically visited—the first-party site, ZDNet.com in this example. Those advertisers and analytics companies and social media sites can capture information about your IP address, your browser, and so on, but they cannot set a cookie, because they are third parties. Their ability to track you has been significantly impaired.
Now imagine you visit Facebook.com and log in to see what your friends are up to. In the process you set a cookie with Facebook, which you are visiting as a first-party site. You do the same by signing in to Twitter. When you return to ZDNet, this site checks your saved cookie and retrieves your stored login credentials, allowing you to post comments without having to log in again. On this visit, Facebook and Twitter are also able to store information about you in cookies, because you’ve visited those sites directly and implicitly identified them as sites with whom you have an ongoing relationship.
But those ad trackers and analytics companies? Well, you’ve never visited them directly (and you’re unlikely to ever do so in a first-party context; when was the last time you went to doubleclick.com or atdmt.com?), so they’re unable to set a cookie with a unique identifier and then use that cookie to track you as you visit other sites with ads from the same network.
The overall effect has a significant positive influence on your privacy, and yet is different from what you would experience if you used privacy tools that completely block HTTP traffic from some or all third-party tracking sites. Instead, this mechanism uses permissions to block tracking sites from setting or reading cookies that they can then use to stalk you.
I spoke with Mayer to discuss the impact of this change on ordinary web browsing. The good news is this is not a new idea. Rather, it’s an expansion of a policy that Apple has used with its Safari browser for roughly a decade. “It seems like Safari struck a good balance, and users seem to be comfortable with that,” says Mayer. For web developers who’ve already designed their sites to work with Safari, the impact should be minimal. And Mozilla developers will be monitoring the impact of the policy as each succeeding version works its way toward the release channel.
For Mozilla, Mayer says, this isn’t an ultimatum imposed on Firefox users. “It expands the consumer privacy choice,” he says, but doesn’t override their current settings or prohibit them from loosening or tightening privacy settings. “Users are free to choose any of these options, and if they've already chosen an option other than the default, that option sticks.”
Mayer has been involved in the W3C’s efforts to develop a Do Not Track standard and notes that this effort is “clearly related but clearly independent.” Even with a lengthy test cycle for the new cookie-handling policy, it’s likely to land on Firefox users’ desktops before a Do Not Track standard is officially implemented.
In fact, Mayer shares my skepticism that a Do Not Track standard will ever emerge from the W3C process: “It's not clear that Do Not Track is ever going to be settled as a standard,” he says. “It looks, somewhat unsurprisingly, that the fundamental divides [between privacy advocates and the advertising/tracking industry] remain, and there's too much daylight. It's possible that there's not a possibility of a negotiated outcome for Do Not Track.”
So that leaves the ball in the browser makers' court, and Mozilla deserves kudos for stepping up on behalf of its users. This was the first patch Mayer has ever offered to Mozilla. He describes himself as “pretty jaded” and “as skeptical as the next security researcher when it comes to large corporations and their motives” but says he was impressed by his experience working with the Mozilla team.
“I didn't get the slightest hint of any conflict,” he said, referring to the raised eyebrows that some observers (myself included) have when they note that the bulk of Mozilla’s funding comes from a search deal with Google. “My experience could not have been more the opposite. It was really incredible seeing this organization in operation. The bottom line is the users and the web. I didn't fully expect that.”
With Do Not Track on life support and privacy a hot button issue for consumers, it’s now more likely than ever that lawmakers will step in with privacy regulations, especially in the European Union. Internet Explorer has a basic cookie-handling mechanism that they can expand fairly easily, and they also have Tracking Protection Lists that function as extremely effective privacy protection and can easily be enhanced in future versions.
With Mozilla and Safari also on board with a commitment to privacy on the part of web users, Google is looking increasingly out of step.