What Firefox’s new privacy settings mean for you

Mozilla recently introduced a patch into its Firefox browser that blocks third-party cookies, and it’s an interesting, long-awaited development. The change stops third parties from setting cookies on your machine unless you have already visited their website directly, which closes off one of the easiest and most direct ways that users are tracked. Safari already blocks third-party cookies this way, but according to Jonathan Mayer (the privacy expert who got Mozilla to make this change), Firefox’s patch is “a slightly relaxed version of the Safari policy.”

Unfortunately cookies aren’t the only way to track web users, and tracking companies already use several methods to get around cookie blocking, such as web beacons, JavaScript code, and other techniques. Tracking companies are clever and have routed around these kinds of disruptions before: for example, they started using Flash cookies specifically to get around cases where users were blocking tracking cookies. And as our collaboration with UC Berkeley’s Center for Law & Technology’s Web Privacy Census has shown, there’s been a recent surge in the use of HTML5 local storage for tracking and a drop in Flash as it’s gotten a bad public rap. Even if Firefox blocks cookies, tracking companies can still make your browser contact them to see your IP address, locate you, read your user-agent, and fingerprint your browser, as well as direct your browser to contact other tracking companies.


Online tracking is like whack-a-mole: when you block one, a new one pops up.

Most likely this change will push tracking content to evolve faster toward being delivered entirely as “first-party” content, using techniques like DNS aliasing. Already, some of the biggest trackers on the web are first parties themselves, like Facebook and Google.

A lot of the current discussion focuses on whether and how much this change will break the web experience, because it’s indiscriminate blocking. It might break widgets that people use in iFrames, like RSS readers, as it doesn’t allow fine-grained tuning (like DoNotTrackMe does). Reliance on third-party / hosted services for functionality is a growing part of websites, especially for things like chat / shopping carts / customer service, so we’ll have to see how well this plays out in practice.

It’s a fact that most browser vendors, including Mozilla, make money from advertising and search, so it’s ultimately contradictory for them to turn on features that truly protect the user by fully blocking their own ability to target and to collect data. However, it’s still fantastic to see competition around privacy features in the browser. This wildly expands people’s awareness of privacy, with hundreds of millions experiencing these changes, which follow Microsoft’s decision last year to turn on Do Not Track by default in its Internet Explorer browser (which, by the way, is mostly symbolic and doesn’t come close to having the same impact on blocking certain forms of tracking that Mozilla’s change does). There’s a reason why Mozilla is the most trusted Internet company for privacy, and they’ve done a great job earning that distinction. We hope they’ll continue to strive for user privacy.

In sum, blocking certain kinds of cookies but not other means of client-side tracking is just another way to push the “arms race” forward, leaving ad-tech companies to do more pixel-based tracking, DOM/Flash/HTML5 storage based tracking, and other server-side shenanigans. Users don’t understand this. They understand black or white: “am I being tracked or not,” not “are you tracking me in certain situations?”

How Firefox’s new settings compare to DNTMe

A lot of people are asking us how DoNotTrackMe (DNTMe) compares to Firefox’s new setting that blocks third-party cookies by default, so we made this handy comparison table:

Firefox w/new default vs. DoNotTrackMe:

Cookies
Firefox: Now stops cookies set by all third parties by default (including iFrames). Only blocks cookies but has no other effect on other requests, so trackers still see your IP address & other info.
DoNotTrackMe: Blocks specific requests that your browser is being asked to make by tracking companies, so trackers see/get nothing, not even your IP address.

Images / web beacons
Firefox: No effect on images that may be loaded, such as 1-pixel web beacons.
DoNotTrackMe: Can block images used for tracking, including web beacons.

JavaScript
Firefox: No effect on JavaScript that might be loaded (so third parties can load scripts and even call other trackers).
DoNotTrackMe: Can block JavaScript used for tracking, which prevents your browser from running tracking JavaScript code.

Breakage
Firefox: Blocks all 3rd party content, which might break the web experience (see discussion above).
DoNotTrackMe: Uses a block list that blocks some trackers but allows widgets on a per-company or per-website basis to keep a non-broken web experience.
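To make the difference in the table concrete, here is an added example (not code from the post, from Abine or from Mozilla) that models the two policies on one constructed page load: the relaxed Safari-style rule, where every request still goes out but a third party only gets to set a cookie if you have already visited it directly, versus request blocking with a block list and a per-site allow list. The hosts, block list and requests are made-up sample data.

```python
# Added example: a model of "block third-party cookies" (Firefox) versus
# "block the request itself" (block-list style). All hosts are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str            # host the page asks the browser to contact
    kind: str            # "cookie", "image" (web beacon) or "script"
    sets_cookie: bool = True


@dataclass
class Outcome:
    contacted: set = field(default_factory=set)  # hosts that saw IP + user-agent
    cookied: set = field(default_factory=set)    # hosts that stored a cookie


def firefox_policy(first_party, requests, visited):
    """Every request is still made (IP, user-agent, fingerprint all leak), but a
    third party may only set a cookie if the user has visited it as a first party."""
    out = Outcome()
    for r in requests:
        out.contacted.add(r.host)
        if r.sets_cookie and (r.host == first_party or r.host in visited):
            out.cookied.add(r.host)
    return out


def blocklist_policy(first_party, requests, blocklist, allowed=frozenset()):
    """A request to a listed tracker is never made, so that host gets nothing.
    `allowed` models the per-site exceptions that keep widgets working."""
    out = Outcome()
    for r in requests:
        if r.host != first_party and r.host in blocklist and r.host not in allowed:
            continue  # dropped before any connection: no IP, no cookie, no script
        out.contacted.add(r.host)
        if r.sets_cookie:
            out.cookied.add(r.host)
    return out


# Constructed page load: a news site pulling in a beacon, an ad script and a
# social widget from a company the user also visits directly.
PAGE = "news.example"
REQUESTS = [
    Request("news.example", "cookie"),
    Request("beacon.adtracker.example", "image"),
    Request("ads.adtracker.example", "script"),
    Request("social.example", "script"),
]
VISITED = {"social.example"}
BLOCKLIST = {"beacon.adtracker.example", "ads.adtracker.example", "social.example"}


def compare():
    """Return (firefox_outcome, blocklist_outcome) for the sample page load."""
    return (firefox_policy(PAGE, REQUESTS, VISITED),
            blocklist_policy(PAGE, REQUESTS, BLOCKLIST, allowed={"social.example"}))
```

Under the cookie-only policy all four hosts are contacted and the already-visited social host still gets its cookie; under request blocking the ad tracker hosts are never contacted at all, while the allow-listed widget host still loads.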

8 comments shared on this article:

  • pogue says:

    Disabling all 3rd party cookies is just kind of overkill, IMO, and as mentioned, is going to break a lot of content – especially videos displayed by third parties that try to display ads in them. I would prefer to use DNTMe to just block the trackers rather than anything and everything.

    Also, one question: DNTMe “Blocks specific requests that your browser is being asked to make by tracking companies, so trackers see/get nothing, not even your IP address.” Is this also true in Chrome?

    • Sarah Downey says:

      Yes, that’s also true in Chrome. Here’s why: let’s say you go to a website, like CNN.com. CNN is the first party here: you’d expect them to do some information collection, especially if you’re doing things like submitting comments and registering for an account. However, CNN.com also attempts to load lots of third party trackers that aren’t visible without privacy tools and that you wouldn’t expect to be present, because they aren’t affiliated with CNN. Those trackers, many of which try to load JavaScript, are trying to establish connections with your machine that would obtain your IP address, sites visited, clicks, and more. DNTMe blocks those requests outright, so there’s no transmission of that info. Contrast that with a proxy, which would still allow those requests to load, but you’d have an anonymized IP address. In this example, CNN gets your IP because they’re the expected first party you’re intending to visit, but the blocked trackers wouldn’t get it. This is true in any browser running DNTMe.

    • Hannah says:

      I don’t think I have allowed third-party cookies in years. I haven’t seen any problems from it.

  • sd says:

    Interesting that this very Web site wants to load some JavaScript from Google… (NoScript told me so)

  • nous says:

    Once again the article is very nicely done, one that I do like to read.
    There is some troubleshooting about DNTMe and Firefox not doing enough for our rights, but it is another subject.
    Is a patch solving the problem?
    Is DNTMe giving us the solution?
    And what about the compatibility?
    It is a little soon to realise it.

  • ACI says:

    Nice article. I see in the comments someone pointed out the Google problem of this very blog to which you replied…. huh?

    Many website owners / developers do not realize that the templates / scripts they use to run their sites now download fonts directly from Google servers free of charge.

    Nothing is free… and forcing visitors to make a secret connection with Google just to view your page, at a minimum, gives Google the tracking data of a user’s interests just by the sites they are going to. That’s saleable information with no need for cookies. And it also opens the door for them to do far more.

    Developers will say… but it’s sooo pretty (candy to children) and speeds up sites. In fact, if your visitors are clearing the cache routinely as they should, it means far slower load times than local fonts. It also makes your site slower and directly dependent on Google – a problem for when they are having a bad day, as their problem just became yours.

    It’s pretty sneaky of them to get right down to the very “font” you use on a website – but there you go (and it’s being built into almost all sites now), these are the times we live in and so many webmasters are clueless about it (no offense, as you guys certainly are not alone)!

    If you really care about privacy – dump that code, use local fonts or embed your own, and get rid of reCAPTCHA, another “free” data mining service.

    You’ve got to keep your eyes on the ball because, as you said, “it’s like a whack-a-mole game” and the search engines are not your friends.

  • ACS says:

    And exactly how much does DNTMe pay you? I forget… ;)
