In terms of technical approaches to protecting user privacy online, 2018 has certainly seen its ups and downs.

On a positive note, we added a ton of new features to Privacy Badger, EFF’s anti-tracking browser extension for Firefox and Chrome. We started by revamping the experience for new users and ensuring Privacy Badger is effective right out of the box with pre-training. Unlike most tracker-blockers, Privacy Badger learns as you browse, and it doesn't send any information about your browsing activity back to EFF. This means that, in the past, Privacy Badger wouldn't begin blocking trackers for new users until after they'd browsed the web for a while. Now, thanks to a new learning regimen, fresh installs of Privacy Badger block most common trackers from the very start. Furthermore, Privacy Badger installations can now be preconfigured using managed storage, allowing administrators to set global defaults for their organizations.

Privacy Badger has also learned to block new kinds of tracking as well, including link tracking on Facebook, Twitter, and Google. Link tracking occurs when a first-party website, like Google, modifies the outgoing links from its site so that they report back to the company when you click to leave the page. This can be achieved with asynchronous requests made with Javascript, or with "link shims" that redirect you through a Google domain before sending you to your final destination. Privacy Badger also now rewrites URLs on Facebook to remove the company's new "fbclid" tracking parameters.

Finally, thanks in large part to volunteer translators, Privacy Badger is now fully localized into 17 languages (with 5 more partial sets of translations), the newest additions being Finnish, Persian, Brazilian Portuguese, and Turkish.

On a sadder note, 2018 saw the end of the Do Not Track working group at the W3C, the body that sets standards for web technologies. Do Not Track was conceived as a browser-based signal which users could enable to opt out of tracking. The signal is sent with every request, making it persistent and universal. Although the mechanism is supported by all major browsers, it is not self-enforcing: sites have to decide how to respect it. This year, attempts at the W3C to reach a “grand compromise” between user advocates and the advertising industry failed after seven years.

The advent of the GDPR promised better protection for those covered by it at least. On paper, EU law prohibits tracking unless the user has opted in. In reality, users are being confronted with “consent management” pop-ups which enable “consent” with one click but erect an obstacle course for anyone who wants to refuse. Some sites, such as Facebook and Yahoo, simply deny access to users who don't agree, making a mockery of the idea of choice.  For now, users in the EU face the annoyance of pop-ups without any meaningful privacy gains, so they too need to practice self-defense. In 2019, Data Protection Authorities will have to take action to eliminate these cynical strategies.

In the meantime, some browser vendors are trying to help users out. On June 4, Apple introduced Intelligent Tracking Protection (ITP) 2.0 to its Safari browser, building on the first version which was introduced in 2017. ITP 2 introduced the Storage Access API, a mechanism which automatically blocks sites it determines to be trackers from accessing information vital to performing user tracking, unless the user explicitly opts in via a browser dialogue. As of Firefox 63, released on October 23, Mozilla allows users to block cookies set by known trackers. This was already the default for users of Private Browsing Mode since Firefox 57, and will be the default for all users in Firefox 65. It has also taken Safari's lead in implementing the Storage Access API. 

Other, smaller browsers have been on top of this for a while. Brave browser has blocked tracking since its initial release, and tracker-blocking is an optional feature users can enable in Opera. But the new features introduced by Firefox and Safari are bringing tracker blocking to the mass market. Microsoft (Internet Explorer) and Google (Chrome) are now clearly falling behind on user privacy, leaving us wondering if they will follow suit and take steps to protect their browsers' users, or if advertising interests will be given precedence.

Looking forward to 2019, we’re optimistic about the future. With the advent of the GDPR this year, we think browser fingerprinting companies will have to come clean about their practices. Browser fingerprinting is a technique in which websites gather bits of information about your visit–your time zone, set of installed fonts, language preferences, etc.–and combine these characteristics to form a unique fingerprint that identifies your browser.  This allows remote sites to track your distinct browsing habits without using cookies, which are easy for users to block and remove. The GDPR unequivocally states that this kind of personal data collection and user tracking is not permitted to override the "fundamental rights and freedoms of the data subject, including privacy" and is, we believe, not permitted by the new European regulation.

With all that’s happened in the past year, it’s clear that the fight to protect user privacy isn’t ending any time soon. That’s why, in 2019, EFF is gearing up to fight even harder. We’ll be dedicating more software developers to our privacy-enhancing tech projects, and to do that, we need your support. Donate to EFF now to ensure that 2019 is the year we turn the tide on online privacy.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2018.


Like what you're reading? Support digital freedom defense today!