Mozilla doubles down on anti-tracking tech: It'll be tougher for wily ad-biz cookie monsters to track Firefox

Apple still leading in anti-cookie diet, Google – predictably – in the rearguard

A week after Firefox 79 debuted, Mozilla says that it plans to start rolling out version 2.0 of its Enhanced Tracking Protection (ETP) scheme to prevent redirect tracking on the web.

On the web there's a distinction between first-party cookies – files stored in your browser by a visited web application or site – and third-party cookies that report to other domains that have some affiliation with the visited site.

Last year, Firefox implemented ETP 1.0 to block online tracking schemes by default from using cookies set in a third-party context, while allowing first-party cookies. That's because blocking first-party cookies would break many websites.


But ad tech companies have been slow to accept that internet users don't want to be tracked from website to website and have been relying on a technique called redirect tracking, also called bounce tracking, to bypass third-party cookie blocking.

"Redirect trackers work by forcing you to make an imperceptible and momentary stopover to their website as part of that journey," said Steven Englehardt, senior privacy engineer at Mozilla, in a blog post on Tuesday. "So instead of navigating directly from the review website to the retailer, you end up navigating to the redirect tracker first rather than to the retailer."

A redirect tracker involves web page code that intercepts the click and takes the user to the tracking domain, so that its cookie can be loaded in a first-party context before the user is sent onward to the intended destination website.

The tracker's code can link the website the user is coming from and the website the user is going to, thereby developing a dataset about the user's movements across the web.

No more

ETP 2.0, which will be activated in Firefox browsers over the next few weeks, addresses redirect tracking by clearing cookies and site data set by known trackers every 24 hours.

This doesn't do much against unknown, covert trackers, but Mozilla chose not to clear all cookies because doing so would inconvenience people by logging them out of all websites. That would mean more authentication challenges and CAPTCHA puzzles would be presented because websites wouldn't recognize return visitors.

Mozilla is not the first to do this. Back in 2018, Apple's WebKit team shipped redirect tracking protection, which they refer to as bounce tracking, in Intelligent Tracking Protection 2.0.

Firefox's implementation differs in a few ways. ITP has its own rules-based domain classification scheme to identify trackers while Firefox relies on its tracking protection list. Also, Firefox won't clear data from a domain if there's been first-party interaction within 45 days, whereas WebKit has a 30-day interaction window, with a slightly different definition of what "interaction" means.
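The purge rule described above (known-tracker list, 24-hour cycle, first-party interaction window) can be modelled in a few lines. This is an added example, not Firefox or WebKit code: the function names, site names and sample state are constructed, and the 30-day entry only swaps the window length, ignoring WebKit's own classifier and its different definition of interaction.

```javascript
// Simplified model of the purge rule described in the article; not Firefox or WebKit code.
// Every name and sample value here is constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;
const PURGE_INTERVAL_MS = DAY_MS; // "every 24 hours"

const POLICIES = {
  firefoxEtp2: { interactionWindowDays: 45 },
  webkitItp2: { interactionWindowDays: 30 },
};

// store: Map of site -> { cookies: string[], lastInteraction: epoch ms or null }
// trackerList: Set of sites on the known-tracker list
function selectSitesToPurge(store, trackerList, policy, now) {
  const windowMs = policy.interactionWindowDays * DAY_MS;
  const purge = [];
  for (const [site, data] of store) {
    if (!trackerList.has(site)) continue;    // unlisted (covert) trackers are not touched
    if (data.cookies.length === 0) continue; // nothing stored for this site
    const interactedRecently = data.lastInteraction !== null &&
      now - data.lastInteraction <= windowMs; // user visited it as a first party
    if (!interactedRecently) purge.push(site);
  }
  return purge.sort();
}

// Runs at most once per interval; clears cookies of selected sites and returns their names.
function runPurge(state, trackerList, policy, now) {
  if (state.lastRun !== null && now - state.lastRun < PURGE_INTERVAL_MS) return [];
  const purged = selectSitesToPurge(state.store, trackerList, policy, now);
  for (const site of purged) state.store.get(site).cookies = [];
  state.lastRun = now;
  return purged;
}

// Constructed sample browser state.
const NOW = Date.UTC(2020, 7, 5);
const TRACKERS = new Set(["bounce.example", "social.example"]);
function sampleState() {
  return { lastRun: null, store: new Map([
    ["bounce.example", { cookies: ["uid=abc"], lastInteraction: null }],
    ["social.example", { cookies: ["sid=1"], lastInteraction: NOW - 40 * DAY_MS }],
    ["covert.example", { cookies: ["uid=xyz"], lastInteraction: null }],
    ["shop.example", { cookies: ["cart=7"], lastInteraction: NOW - 2 * DAY_MS }],
  ]) };
}

console.log("Firefox model:", runPurge(sampleState(), TRACKERS, POLICIES.firefoxEtp2, NOW));
console.log("30-day window:", runPurge(sampleState(), TRACKERS, POLICIES.webkitItp2, NOW));
```

In the sample, the listed tracker visited 40 days ago keeps its cookies under the 45-day window but loses them under the 30-day one, and the unlisted `covert.example` survives both runs.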

In March, Apple implemented full third-party cookie blocking in Safari and Google has said it aims to phase out third-party cookies in 2020, even as it works on a set of supposedly privacy-respecting alternatives. ®
