Defeating the Cookie Monster: How Firefox can Improve Online Privacy

As we choose priorities for the next version of Firefox’s features and development, the Firefox team has been considering the state of the web and looking for areas where online content has changed faster than browser functionality. One area of concern is the growing use of private user data, especially by advertisers. User data being silently and persistently passed between sites and advertisers is disturbing for those with an interest in user choice and transparency on the web.

Privacy vs. Security

Privacy and security are related but distinct topics. Security refers to the prevention of material harm to the user. Avoiding theft, fraud, and data loss are all security issues. Browsers have been working to improve security for decades, prompted by increasingly sophisticated viruses, malware, and other exploits.
Privacy is a broader topic than security. It refers to users’ control over what they reveal about themselves online, whether or not what they reveal might lead to material harm. All internet users reveal some information about themselves to some sites, but the user has privacy if his discretion determines what information is shared with whom.

Firefox has Local Privacy but Needs Network Privacy

The Firefox team has already done some great work on local privacy with improvements such as Private Browsing mode, Clear Recent History, and Forget about this Site. These features give users better control over when their data is exposed and hidden on their own computer. However, wider privacy issues surface when data is shared over a network.

One major problem of the modern web is the ability for private user data to be collected by advertising companies via third-party cookies.

If sites provide rich interaction, they usually require user data. The problem occurs when users willingly share data with a site they trust, but unknowingly their data is shared with other sites and companies via third-party cookies. This is common practice and a growing revenue model online. It first received national attention in November of 1999, when the Federal Trade Commission held a workshop on online profiling and reported that it presented a privacy concern to consumers. The practice has grown since then, despite some failed attempts at regulation by the US’s Federal Trade Commission, the Interactive Advertising Bureau, and Britain’s Office of Fair Trading.

Any website you visit can contain ads and other components that send cookies from your browsing session on the domain you trust to an advertising domain. These third-party cookies can be used to track information about users across multiple sites and multiple browsing sessions, allowing web habits to be profiled and tracked. This data can tell companies limitless kinds of information, such as what purchases you make, what news you read, your income, if you’ve applied for work, and what dating sites you prefer. One manifestation of this data sharing is seeing ads that target users based on data and actions from other sites.

The ability for advertisers to gain and use this data violates user privacy for several reasons:

  • It’s nearly impossible to detect. Much of the data-sharing happens in the background during a browsing session without asking or notifying the user. Users usually only discover what has happened when they are seeing targeted ads (long after the data has been transferred).
  • It occurs without user consent. Of the sites that are even aware of third-party cookie sharing, few give users control over how their data is shared with advertisers. Sites that do offer preferences sometimes phrase them in ways that disguise their purpose, such as “do you want relevant content to be shown based on your usage” rather than “do you want ads to be shown based on your personal data.”
  • It contradicts the user’s reasonable expectation of privacy. Some sites that knowingly share data present a false image of being responsible with user data. They may show the user preferences that imply control, assure users that their data is “safe,” or offer to let users read a lengthy privacy policy in order to hide their actual practices. Of course there’s a very special hell set aside for sites that change privacy settings to be more permissive once users have already signed up and entrusted their data.
  • It’s nearly impossible to prevent. Even a user who is privacy conscious and reads all privacy policies, keeps his privacy settings up to date, and avoids sites that don’t guarantee privacy isn’t necessarily safe. Any site he’s given data to could potentially use it without asking, and third-party cookies could be sent via ads and web bugs without the knowledge of the site’s owners. Heck, any site could be scraping identifiable information from his digital fingerprint.
  • It potentially embarrasses the user. Data sharing via third-party cookies takes information given by the user at some point in time and exposes it at another time. While the user may be discreet about where he views certain content and may even use Private Browsing Mode so that items do not appear in history, advertisers using third-party cookies can expose user actions at times outside the user’s control.

So what can Firefox do to improve its story on privacy?

1. Provide intelligent defaults for third-party cookie behavior

Simply disabling third-party cookies isn’t the solution. Third-party cookies are necessary for legitimate web functionality such as embedded content, session management, mashups, etc. Most bank websites depend on third-party cookies for functions such as bill paying. The goal should not be to outright disable third-party cookies, but to be more intelligent about what behavior is allowed.

The http-state working group is currently working to produce a specification in multiple documents to lay out how clients should behave with regard to cookies (see current drafts here). Dan Witte, the cookie module owner at Mozilla, has been in communication with them and is doing his own work to develop a modern cookie standard. The goal is to create a guideline that Mozilla can follow that aligns with our Manifesto to protect user choice on the web. Dan’s already working on one way Firefox could address the problem by enabling third-party cookies, but only temporarily. His idea is to keep third-party cookies active only for the life of one tab. When the tab is closed, the cookies are deleted – advertisers could not track users from site to site. Dan will be blogging about this later with more details on his work.
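The mechanism described in the two passages above, a third-party component that carries one cookie across every site that embeds it, and the tab-lifetime idea for containing it, can be modelled in a few dozen lines. The following is an added illustration, not Firefox’s cookie code or anything from the http-state drafts; the hostnames (news.example, shop.example, ads.example), the tab numbering and the behaviour of the ad server are constructed for the demo. It compares a permissive jar, a jar that neither sends nor stores third-party cookies, a jar that refuses to store them but still sends ones it already holds (the distinction a commenter raises below about Safari and Chrome), the tab-scoped jar proposed here, and a jar that namespaces third-party cookies by the embedding site (as another commenter suggests). The measure reported is the largest number of distinct first-party sites the tracker can tie to a single cookie.

```python
# Toy model of third-party cookie tracking under several browser policies.
# Added illustration, not Firefox's cookie code. The hostnames, the tab
# numbering and the ad server's behaviour are all constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Policy:
    """Browser treatment of cookies on requests to a host other than the
    site in the address bar (third-party requests)."""
    send_third_party: bool = True    # attach stored cookies to third-party requests
    store_third_party: bool = True   # honour Set-Cookie on third-party responses
    partition: str = "none"          # "none", "tab" (cookie lives as long as the tab),
                                     # or "top_level" (namespace per embedding site)


class AdServer:
    """Constructed tracker: hands out a uid cookie on first sight and records
    which first-party site each uid was later seen on."""

    def __init__(self):
        self._ids = count(1)
        self.seen = defaultdict(set)   # uid -> first-party sites it appeared on

    def handle(self, top_level, cookies):
        uid = cookies.get("uid")
        new_cookie = None
        if uid is None:
            uid = f"u{next(self._ids)}"
            new_cookie = {"uid": uid}
        self.seen[uid].add(top_level)
        return new_cookie

    def largest_profile(self):
        """Most distinct first-party sites any single uid links together."""
        return max((len(s) for s in self.seen.values()), default=0)


class Browser:
    def __init__(self, policy):
        self.policy = policy
        self.jar = defaultdict(dict)   # (host, namespace) -> {name: value}

    def _namespace(self, third_party, top_level, tab):
        if not third_party:
            return None                # first-party cookies are never partitioned here
        if self.policy.partition == "tab":
            return ("tab", tab)
        if self.policy.partition == "top_level":
            return ("site", top_level)
        return None

    def request(self, host, top_level, tab, server):
        third_party = host != top_level
        key = (host, self._namespace(third_party, top_level, tab))
        blocked_send = third_party and not self.policy.send_third_party
        sent = {} if blocked_send else dict(self.jar[key])
        set_cookie = server(top_level, sent)
        if set_cookie and (not third_party or self.policy.store_third_party):
            self.jar[key].update(set_cookie)

    def close_tab(self, tab):
        # Tab-scoped namespaces die with the tab; everything else survives.
        for key in [k for k in self.jar if k[1] == ("tab", tab)]:
            del self.jar[key]


def largest_profile(policy, visit_tracker_directly=False):
    """Run one constructed browsing history and report how many distinct
    first-party sites the ad network could tie to a single cookie."""
    ads, browser = AdServer(), Browser(policy)
    if visit_tracker_directly:         # e.g. the user once lands on the ad network itself
        browser.request("ads.example", "ads.example", 1, ads.handle)
    browser.request("ads.example", "news.example", 1, ads.handle)  # tab 1: news site embeds ads
    browser.request("ads.example", "shop.example", 2, ads.handle)  # tab 2: shop site embeds ads
    browser.request("ads.example", "news.example", 2, ads.handle)  # tab 2 navigates on to news
    browser.close_tab(1)
    browser.close_tab(2)
    browser.request("ads.example", "shop.example", 3, ads.handle)  # later session, fresh tab
    return ads.largest_profile()


PERMISSIVE = Policy()
BLOCK_SEND_AND_STORE = Policy(send_third_party=False, store_third_party=False)
BLOCK_STORE_ONLY = Policy(store_third_party=False)   # still sends cookies it already holds
TAB_SCOPED = Policy(partition="tab")
PER_SITE = Policy(partition="top_level")

if __name__ == "__main__":
    for name, pol in [("permissive", PERMISSIVE), ("block send+store", BLOCK_SEND_AND_STORE),
                      ("block store only", BLOCK_STORE_ONLY), ("tab-scoped", TAB_SCOPED),
                      ("per-site", PER_SITE)]:
        print(f"{name:18} linked sites: {largest_profile(pol)} "
              f"(after a direct visit to the tracker: {largest_profile(pol, True)})")
```

Two results are worth noting. Refusing only to store third-party cookies looks fine until the user has ever visited the tracker as a first party, after which the existing cookie is sent everywhere and the profile links every site at once. The tab-scoped jar stops linking across tabs and sessions, but within one tab the tracker still sees the sites visited in sequence; the per-site namespace closes that gap too, at the cost of breaking any legitimate embedded service that needs one identity across embedding sites, which is the trade-off the article is weighing.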

2. Give users better control over how sites can access their information in Preferences

Currently, Firefox gives users precise, fine-grained control over the many ways that sites can access user data. All the user needs to do is change their settings on each Preference panel that affects site privileges:

As can be seen above, the current Firefox interface gives each site privilege type – saving passwords, cookies, etc – its own separate preference window. This design is framed around the implementation model rather than the user’s mental model, meaning it’s designed in a way that corresponds with how it was built rather than how users perceive the action they want to take. Having an individual window for each permission makes sense from an implementation standpoint, because each site privilege is separate in code. From the user’s perspective, however, it’s impossible to tell what privileges a particular site has. A better design would present controls in a site-centric rather than technology-centric view. If a user decides that he doesn’t trust site X and doesn’t want it to have any access, it would be more efficient to control all of site X’s access in one – not 15 – Preference windows. Alex Faaborg made this mockup to illustrate how a site-centric UI could be achieved:

While all of Firefox’s Preferences need to be improved, including site-centric privacy controls like Alex’s above for Firefox 4.0 would go a long way towards putting users back in control of their data.

3. Give users better control of their data while they are browsing

While a site-specific Preference panel will help users have better fine-grained control of their privacy when they’re configuring Firefox, there are some options and pieces of information that can be exposed while the user is browsing. If a site has access to geolocation, for instance, this should be constantly indicated in Firefox’s interface. If a site is storing a password, this should be easy to change or remove without opening Preferences. Firefox’s Site Identity Button, which currently gives very little information about a site, could be improved to give information about a site’s privileges and the ability to change them.

It’s our goal for Firefox 4.0 to give users more control of their data, both by literally giving them controls and, more importantly, creating intelligent defaults that protect a user’s privacy and anonymity without breaking web functionality. It’s my hope that even simply exposing what access sites have to data will be positive for the web by eroding the sense of false security that many sites try to create for their users and creating awareness of and control over how, where, and when data is being shared.


  1. Looking forward to seeing that implemented!

    Just a note: the “Permissions” tab of the “Page Info” dialog already has this site-specific preferences UI, not much different from Alex’ mockups. Not all users can find this dialog of course and it does little to provide an overview or restrict third-party cookies. So having something similar on the global level would be great.

  2. Sebastian says:

    I thought this was the domain of the “Page Info” window, in particular, the Permissions tab which currently allows users to set Images, Pop-ups, Cookies, Extensions & Location preferences per domain.

    The only missing preferences that I can see in your mock-up are Storage & Passwords, though you can view saved passwords (& cookies) in the Security tab & if you go this far, why not go all out & add a JavaScript toggle?

  3. Jamie says:

    Non unique user agent strings?
    Proxies for 3rd party content? (with weave ff already has a datacenter style thing)
    how about linking to a wiki that discusses individual sites re: privacy so a user could “get privacy info” when they’re on a site?

  4. Another big problem is that we have a cookie manager, but nothing for things like DOM Storage, which can be used to re-establish cookies, Flash based storage options, or ways to make fingerprinting browsers harder.

    Cookies are just one of the vectors to ID a user based on simply browsing.

  5. J says:

    Is there a way we can block DoubleClick by default… http://optout.doubleclick.net/dclk/optout-success.html

  6. Oh, I would like a pony as well – but let’s start fixing what *can* be fixed first, one step at a time 😉

  7. Jim Brock says:

    Those are terrific ideas, and Mozilla is in a unique position to lead on privacy tools that are available directly in the browser, where they need to be.

    PrivacyChoice is an independent organization that has compiled a complete database of ad-company tracking information here:

    http://www.privacychoice.org/companies/all

    We maintain this index by regularly spidering the top several thousand websites for new ad network domains, and monitoring privacy policies for changes.

    At privacychoice.org you can also see our Firefox add-on that enables permanent opt-out status across hundreds of networks, and blocks ad-network Flash cookies. We also are about to release new functionality to selectively block access entirely to ad networks based on privacy practices and certifications.

    To the extent these databases and tools can be helpful in crafting enhanced privacy protection for Firefox users, we would be pleased to donate their use for your efforts and provide any learnings we have that can be useful. I can be reached at jim (at) privacychoice.org.

    Keep up the good work!

  8. I’d love to see this new “site-centric UI” actually in work, and how it compares to my Data Manager work 😉

  9. Tobu says:

    Re the tracking cookies privacy issue:

    Cookies need to be namespaced internally so that the cookie doubleclick sets when included on mypage.com isn’t the same as the cookie doubleclick sets when included on otherpage.org (or the cookie it sets when I visit it directly, god forbid).

    The current “block third-party cookies” setting is useless; it doesn’t prevent doubleclick from setting whatever cookies it wants on whichever page, as long as the page includes an http request to the doubleclick domain.

  10. somedude says:

    Never came across a site that requires third-party cookies to work, first thing I disable on a fresh profile and allowing them is imho a very bad default.

    At least Firefox doesn’t allow first-party cookies to be read in a third-party context like Chrome does.
    Not very hard to circumvent, but at least it requires some effort on the website/tracker side of things.

    Add flash cookies, local storage etc. and the whole affair gets impossible to manage with any browser’s built-in tools (even after the proposed changes you’d need addons).

    Opting-out via cookie is particularly stupid, just trash everything at a session’s end and keep a list of exceptions for sites you want to stay logged-in at.

  11. Tiffney says:

    I LOVE this new model — having all of these choices available on a single page will help people not miss something that concerns them. In addition to making options less cumbersome to set, this also provides a very handy reference sheet of the issues people should have in mind when they think about their online privacy.

  12. CyberDragon says:

    And THIS is why I keep using Firefox, Chrome fanboys 😛

  13. Paweł Kondzior says:

    I think better would be an iPhone-like switch for on/off option.

  14. Back in the day, cookies were a big concern and there was a lot of hype about privacy. I stopped worrying about cookie privacy a long time ago.

    If a primary concern is targeted advertising, what’s the big deal? I’m not so weak minded that I’ll fall prey to whatever is being advertised. You are much better off implementing an ad control feature, to prevent the loading of content from Websites other than the one I’m viewing, so I don’t have to view the advertisements at all. This has an added security benefit as well.

  15. SilverWave says:

    Never had a problem with blocking third-party cookies on any sites.

    I think you need to measure how many sites would be affected by just having the default set to block them.

    I never actually see any advertisements so that aspect isn’t relevant but tracking is.

    I like the approach taken by RequestPolicy:
    “…giving you control over when cross-site requests are allowed by webpages you visit. … to enable the use of modern browsers without cross-site information leakage.”

    It’s amazing the amount of sites that try to piggyback on the main site you are visiting.

  16. Mook says:

    Looks good; certainly would be clearer for blocking advertisers that I have no need for. Hopefully the option to group by type of access will remain – it is useful to be able to look at all sites with geolocation access (for me, none), for example.

  17. cuz84d says:

    This a great design direction: site centric. It certainly is more powerful and a more user friendly idea and design. It puts users in control rather than firefox.. I know I would probably use all that more if it was like the design rather than the way it is.. its too much work the way it is to maintain. I say go for it.

  18. cuz84d says:

    How would it be able to handle 3rd party information tied to main site?

  19. Erunno says:

    To my great annoyance Firefox does not support what I think is a rather simple and obvious use case:

    1) Keep cookies from some selected domains.
    2) Delete all other cookies when closing the browser.

    One might think that Firefox has all necessary options to achieve this but (BIG but) setting exceptions for specific domains will allow cookies to be sent and received in both first- *and* third-party context.

    For instance, if I set Firefox to mark all cookies as session cookies but want to keep being logged in into Facebook and therefore create an exception for this domain, Facebook will also receive its cookies on all other domains which embed anything from Facebook (e.g. the almost omnipresent Facebook widget). But actually I want the cookies only to be sent and received when I’m on facebook.com itself.

    I also like the idea of namespaces for each domain though I guess this would have to be examined thoroughly for more or less subtle breakages.

  20. skierpage says:

    @somedude, @SilverWave,
    Bank e-bill payments to some companies won’t work if you don’t allow third-party cookies. And the Disqus commenting system requires third-party cookies (and they tell you so). Other than those two, disabling “Accept third-party cookies” has worked fine for me for decades.

    It would be great if Firefox announced “We’re disabling third-party cookies by default in 4.0” and forced companies to proxy requests to the companies they get to do their dirty work.

  21. SilverWave says:

    Hmm if Apple can do this why can’t we?

    Apple’s Safari web browser is the only web browser that disables third-party cookies by default

    http://www.apple.com/safari/features.html

    “Cookie Blocking
    Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from your current domain.”

  22. Erunno says:

    @SilverWave

    Safari and Chrome do not fully block third-party cookies. They will not accept cookies from third party domains but if any cookies from these third-party domains are already present they will *send* them anyway. For instance, if you are logged into your Facebook account and go to foo.com which has a widget from facebook.com, Facebook will still receive its cookies despite third-party cookies being allegedly turned off.

    Firefox and Opera though offer true third-party cookies blocking and will neither send nor receive them.

  23. SilverWave says:

    @Erunno

    OK short term make the default “Do not accept third-party cookies”

    Block third-party cookies:
    [X]Do not accept third-party cookies
    [_]Do not send third-party cookies

    1/2 a loaf is better than none.
    ___

    But I would like All third-party cookies blocked by default if at all possible.

    If there are a small number of sites like banks that need it put them on a white list.

    But put them on notice that this is not good practice and will be dropped at a later date.

    Also some measurement is really needed, how many sites? How many users?

    It could be a non-problem, i.e. very few sites and users.

    • jboriss says:

      @SilverWave There’s plenty of sites that third-party cookies break. Many of those seem to be just poor design… using third-party cookies when they’re not needed. It’s unfortunate, but for sites as important as banks I think we need to do whatever we can not to break them, even if their design is poor, it’s their fault, etc etc. Also, I’m not sure how many banks would improve their design just for Firefox. More likely, they’d tell their users to just switch to Chrome.

  24. SilverWav says:

    Fair comment if it’s that widespread.

    But then… how does Apple’s solution not cause issues for them if that is the case?

    Or is it just that Apple is prepared to take the hit?

    Oh and I should say regardless, that “keeping third-party cookies active only for the life of one tab”, is a very clever workaround if the other options are impractical 🙂

    Just weirded out that I look to be in the minority in having no issues with disabling third-party cookies, maybe a location thing? I’m UK based…

  25. Proxy List says:

    Nice article, keep up the good work.

  26. Paul says:

    IMO, third party cookies should be disabled by default. This seems like a big security hole, and should only be turned on when a user allows it for a specific site. What is the legitimate reason to allow them? The article says that most bank websites require them, but I haven’t found this to be true? I use Bank of America and have never had problems related to my disabled third party cookies.

  27. Thank you for making the honest effort to discuss this. I believe very robust approximately it and wish to learn more. If it’s OK, as you gain more extensive wisdom, would you mind adding extra articles similar to this one with additional info? It would be extraordinarily useful and useful for me and my friends.

  28. antistress says:

    This article was published one year ago… Nothing new concerning third party cookie handling within Firefox ?

Trackbacks for this post

  1. Comment Firefox peut améliorer le respect de la vie privée en ligne | Dico Micro
  2. Comment Firefox peut améliorer le respect de la vie privée en ligne « Injazz Consulting's blog
  3. What Google knows about you and how to tweak it
