Firefox raises the online privacy bar with new cookie policy

Summary: A patch working its way through the Mozilla testing process promises to significantly increase privacy and reduce online tracking for Firefox users by blocking third-party cookies. With the Do Not Track standard fizzling, it's an important development.

TOPICS: Privacy, Browser

If you care about online privacy, an upcoming change in the default cookie-handling policy for Firefox will be a very big deal indeed.

A patch submitted to Mozilla and incorporated into Firefox version 22 is now working its way through the testing process. It defines a new cookie policy for Firefox, which the policy’s author, Stanford grad student Jonathan Mayer, describes in this mini-FAQ:

How does the new Firefox cookie policy work?

Roughly: Only websites that you actually visit can use cookies to track you across the web.

More precisely: If content has a first-party origin, nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.

If that’s too confusing, let me try to explain how it works with a few examples.

Here’s a mockup of the privacy settings dialog box as it’s likely to appear in a forthcoming Nightly build of Firefox. (It’s not in the current Nightly build I just installed.) Note that "Accept third-party cookies" is set to "From visited" by default.

[Screenshot: firefox_limit_third_party_cookies_v2, the mockup of the privacy settings dialog described above]

Let’s say you start with an absolutely clean installation of Firefox 22, with no cookies already set. You might visit a website like ZDNet.com, which incorporates content from its own domain but also from multiple advertising providers and analytics firms. In addition, each page includes social media widgets such as the Like button from Facebook, a +1 button from Google, and a Tweet This button from Twitter.

When you visit this site for the first time using the new Firefox, the only cookies that will be set are from the site you specifically visited—the first-party site, ZDNet.com in this example. Those advertisers and analytics companies and social media sites can capture information about your IP address, your browser, and so on, but they cannot set a cookie, because they are third parties. Their ability to track you has been significantly impaired.

Now imagine you visit Facebook.com and log in to see what your friends are up to. In the process you set a cookie with Facebook, which you are visiting as a first-party site. You do the same by signing in to Twitter. When you return to ZDNet, this site checks your saved cookie and retrieves your stored login credentials, allowing you to post comments without having to log in again. On this visit, Facebook and Twitter are also able to store information about you in cookies, because you’ve visited those sites directly and implicitly identified them as sites with whom you have an ongoing relationship.

But those ad trackers and analytics companies? Well, you’ve never visited them directly (and you’re unlikely to ever do so in a first-party context; when was the last time you went to doubleclick.com or atdmt.com?), so they’re unable to set a cookie with a unique identifier and then use that cookie to track you as you visit other sites with ads from the same network.

The overall effect has a significant positive influence on your privacy, and yet is different from what you would experience if you used privacy tools that completely block HTTP traffic from some or all third-party tracking sites. Instead, this mechanism uses permissions to block tracking sites from setting or reading cookies that they can then use to stalk you.
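To make the rule concrete, here is a small model of the "From visited" policy that replays the article's scenario (clean profile, then logging in to Facebook and Twitter, then returning to ZDNet). It is an added example, not Mozilla's code; it compares plain hostnames, which is a simplification of how a browser matches cookie hosts, and the embedded third parties for the ZDNet page are constructed from the hosts the article names. The last step models the limitation raised in the comments below: once an ad host has been visited as a first party, even by an accidental click, it is "visited" and gets cookie access everywhere.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class CookieJar:
    """Per-host cookie store; the policy only cares whether a host has any cookie."""
    cookies: Dict[str, Set[str]] = field(default_factory=dict)

    def may_use_cookies(self, page_host: str, content_host: str) -> bool:
        """The "From visited" rule: first-party content is unchanged; third-party
        content gets cookie permission only if its host already has a cookie set."""
        if content_host == page_host:
            return True
        return bool(self.cookies.get(content_host))

    def load_page(self, page_host: str, embedded: Iterable[str]) -> Set[str]:
        """Simulate loading a page whose embedded third parties each try to set a
        tracking cookie. Returns the hosts that were allowed cookie access."""
        allowed: Set[str] = set()
        for host in (page_host, *embedded):
            if self.may_use_cookies(page_host, host):
                # every permitted host sets a constructed identifier cookie
                self.cookies.setdefault(host, set()).add("id")
                allowed.add(host)
        return allowed


# Constructed list of third parties embedded on the article's example page.
ZDNET_EMBEDS = ["facebook.com", "twitter.com", "google.com", "doubleclick.com", "atdmt.com"]


def article_walkthrough() -> List[Set[str]]:
    """Replays the article's scenario; returns who got cookie access at each ZDNet visit."""
    jar = CookieJar()
    steps: List[Set[str]] = []
    steps.append(jar.load_page("zdnet.com", ZDNET_EMBEDS))  # clean profile: first party only
    jar.load_page("facebook.com", [])                        # log in to Facebook directly
    jar.load_page("twitter.com", [])                         # and to Twitter
    steps.append(jar.load_page("zdnet.com", ZDNET_EMBEDS))  # social widgets now allowed, ad hosts not
    jar.load_page("doubleclick.com", [])                     # the accidental ad click from the comments
    steps.append(jar.load_page("zdnet.com", ZDNET_EMBEDS))  # that ad host is now "visited" too
    return steps


if __name__ == "__main__":
    for i, hosts in enumerate(article_walkthrough(), 1):
        print(f"ZDNet visit {i}: cookie access for {sorted(hosts)}")
```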

I spoke with Mayer to discuss the impact of this change on ordinary web browsing. The good news is this is not a new idea. Rather, it’s an expansion of a policy that Apple has used with its Safari browser for roughly a decade. “It seems like Safari struck a good balance, and users seem to be comfortable with that,” says Mayer. For web developers who’ve already designed their sites to work with Safari, the impact should be minimal. And Mozilla developers will be monitoring the impact of the policy as each succeeding version works its way toward the release channel.

For Mozilla, Mayer says, this isn’t an ultimatum imposed on Firefox users. “It expands the consumer privacy choice,” he says, but doesn’t override their current settings or prohibit them from loosening or tightening privacy settings. “Users are free to choose any of these options, and if they've already chosen an option other than the default, that option sticks.”

Mayer has been involved in the W3C’s efforts to develop a Do Not Track standard and notes that this effort is “clearly related but clearly independent.” Even with a lengthy test cycle for the new cookie-handling policy, it’s likely to land on Firefox users’ desktops before a Do Not Track standard is officially implemented.

In fact, Mayer shares my skepticism that a Do Not Track standard will ever emerge from the W3C process: “It's not clear that Do Not Track is ever going to be settled as a standard,” he says. “It looks, somewhat unsurprisingly, that the fundamental divides [between privacy advocates and the advertising/tracking industry] remain, and there's too much daylight. It's possible that there's not a possibility of a negotiated outcome for Do Not Track.”

So that leaves the ball in the browser makers' court, and Mozilla deserves kudos for stepping up on behalf of its users. This was the first patch Mayer has ever offered to Mozilla. He describes himself as “pretty jaded” and “as skeptical as the next security researcher when it comes to large corporations and their motives” but says he was impressed by his experience working with the Mozilla team.

“I didn't get the slightest hint of any conflict,” he said, referring to the raised eyebrows that some observers (myself included) have when they note that the bulk of Mozilla’s funding comes from a search deal with Google. “My experience could not have been more the opposite. It was really incredible seeing this organization in operation. The bottom line is the users and the web. I didn't fully expect that.”

With Do Not Track on life support and privacy a hot-button issue for consumers, it’s now more likely than ever that lawmakers will step in with privacy regulations, especially in the European Union. Microsoft's Internet Explorer has a basic cookie-handling mechanism that the company can expand fairly easily, and it also has Tracking Protection Lists, which function as extremely effective privacy protection and can easily be enhanced in future versions.

With Mozilla and Safari also on board with a commitment to privacy on the part of web users, Google is looking increasingly out of step.

Talkback

28 comments
  • I have blocked..

    3rd-party cookies in Internet Explorer for years
    g_keramidas@...
    • Quite right

      But the point is that their policy has changed.

      You had to learn what cookies are, what data cookies can store, what a 1st and 3rd party cookie is and then make a call if you wanted to use it or not. MS said yes by default.

      With FF add-ons you can pretty much get your browser to do anything, but the point is that they've "bit the hand that feeds" in the interest of user security and privacy. It is a big deal.

      It's the equivalent of MS deciding that Bing annoys a lot of people, so when you turn on IE, it pops up with a search selection option.

      For most of us who understand, nothing will change; my FF add-ons are all about security anyway, but for the layman, then yes, it does matter.
      MarknWill
      • Using FF is a moral choice

        That's why I do it.

        As long as performance remains up to par, the fact that the browser is developed by a not-for-profit that legitimately has only its end users' satisfaction in mind is enough to make me trust this browser over all others.

        FF forever.
        x I'm tc
        • Using FF is a technical choice

          Best bolt on security and privacy features bar none.
          Alan Smithie
          • Love your films

            Alan, you're a brilliant director. I love all your films, especially Dune.
            Andre Richards
          • At last !

            Congratulations you are the first person to get it.
            Alan Smithie
          • Re: Love your films

            That's "Smithee", not "Smithie".
            ldo17
  • Thank you

    Thank you Mozilla, always leading the way to user privacy, that's all I have to say.
    malcarada
    • FF is following in this case

      Firefox is not leading here. The article mentions that Safari has had this feature for a decade, and it has been the default in IE10 since the release of Windows 8.
      Sorten Borten
  • Falls apart when you accidentally click on an ad

    Q: "when was the last time you went to doubleclick.com or atdmt.com?"
    A: The last time I clicked on an advert by accident, which, on some sites that set their entire backgrounds to be clickable, is surprisingly easy. As soon as you do this you visit the advertiser's site, have a cookie set and are trackable forevermore. Better than nothing, admittedly, but perhaps unlikely to have a huge effect on the tracking firms.
    mog0
    • Simple Solution

      Is to use Adblock, and that will solve your problem.
      Alan Smithie
    • Falls Apart ? NOT !

      FF can be set to dump cookies at closure.
      materva
      • Tossing Your Cookies

        Unfortunately, then you lose all your login states and possibly shopping carts. Once you leave a browsing session, you can't come back.
        William_P
  • Nice one Ed

    A positive story about something non-MS.

    There is hope for you yet.
    Alan Smithie
  • Sounds like this will break the affiliate model

    So affiliate programs, which typically rely on 3rd party cookies (Commission Junction, Share-a-Sale, etc.) to identify and compensate the referring affiliate, seem to be screwed by this. If so, that's a big problem.
    bob362
    • WOW bob362

      You wouldn't be TOO heavily invested in click-throughs now would'ya ?
      materva
    • Depends on who the problem is for.

      I remember years ago a number of sites that, because they were supported by ad banner revenue, would either a) remind the registered users that, since the click-through ad revenue was what kept the site from charging a membership fee, it was "polite" to at least click on 1 ad each visit (i.e. you'd see this on discussion forums); or b) clicking on the ads would give you "perks" (i.e. that was for Swirve Games' Earth 2025 and Utopia games, since you could play for free but the games were supported by ad revenue). If that's still the case, then there's not going to be any effect from Firefox, since you're still deliberately clicking on the ads.

      On the other hand, if I'm visiting Site A, and they have ad banners for a bunch of other sites that I *don't* click on, those other sites don't need to be leaving a cookie for me. Period. I'm not a customer of the company providing the ad banner, I'm not interacting with their site at all, so they shouldn't be making money off of me anyway.
      spdragoo@...
    • not really

      They can still gather information, but can't set a cookie. Which means the affiliate still gets the track. Noted that some of my affiliate leads are now beginning to set "0 days" leads. That means the last affiliate lead wins (a by-product of not holding cookies).
      William_P
  • Probably ineffective

    Call me cynical, but all I can see happening is that websites wanting ad tracking revenue will just do an auto-forward from their page to a tracking site, thus enabling the first-party tracking cookie rights, and then return you to the originating website.
    gwinggwing