March 1, 2013 | By Dan Auerbach

Firefox's new, smarter cookie policy is a privacy win for users

Mozilla recently announced a change to its default cookie policy for Firefox that will help protect users against unwanted tracking by invisible third parties. In short, a user will have to intentionally interact with a site in order for the site to be able to set a tiny snippet of data used for identification purposes known as a "cookie" on the user's machine.

This change – currently available to users running the Nightly test build of Firefox – will bring Firefox in line with its competitor Safari, which has had a very similar policy in place for a decade. It is far from a silver bullet against tracking, as there are several other methods to track users, and this will not block cookies that currently exist in a user's browser. In other words, users must clear their cookies for the new policy to be effective. But instead of just clearing your cookies, for users interested in taking 5 minutes to drastically enhance their privacy, check out our tips for comprehensive tracking protection customizations to your browser.

This move by Mozilla signals that the organization is willing to provide users with much-needed technical countermeasures to tracking, instead of relying solely on the currently stalled development of a W3C Do Not Track standard that appears increasingly unlikely to yield results.

The patch is a careful step towards protecting users against increasingly pervasive tracking. By disallowing third parties to set cookies, it will be harder for third party advertisers, data brokers, and other invisible trackers to build a dossier of all of the websites that a user visits over many years. This new cookie policy is in no way a “hack” or gaming of how technology is supposed to work, but rather behavior all but encouraged under the recent IETF technical specification on cookies, which states (in the text below, "user agent" is a general term referring to a browser):

Particularly worrisome are so-called "third-party" cookies. In
rendering an HTML document, a user agent often requests resources
from other servers (such as advertising networks). These third-party
servers can use cookies to track the user even if the user never
visits the server directly. For example, if a user visits a site
that contains content from a third party and then later visits
another site that contains content from the same third party, the
third party can track the user between the two sites.

Some user agents restrict how third-party cookies behave. For
example, some of these user agents refuse to send the Cookie header
in third-party requests. Others refuse to process the Set-Cookie
header in responses to third-party requests. User agents vary widely
in their third-party cookie policies. This document grants user
agents wide latitude to experiment with third-party cookie policies
that balance the privacy and compatibility needs of their users.
Moreover, given the fact that this cookie policy has been tested and used by Apple's browser, it is very unlikely that this change will have any noticeable effect to users on the vast majority of websites.

Enhancing user privacy without disrupting user experience may seem like a completely obvious measure to take, but advertisers and other firms have a vested interest in tracking users to serve users with behaviorally targeted advertisements. Since this industry has a lot of influence and money, it is hard to make even the smallest change to the status quo, despite the fact that behaviorally targeted advertising represents only a small fraction of advertising-based business models and countermeasures like these will not hurt ad-supported publishers.

Mozilla should be praised for standing up for its users in spite of powerful interests poised to attack these sensible tracking countermeasures. However, it is important to keep mind that this cookie policy change represents low-hanging fruit, where privacy can be better protected without any requirement for publishers to change how their websites operate. There may be harder battles for Mozilla to fight in the near future to protect users from tracking that do require changes to websites, or broader changes to the online monetization ecosystem. We look forward to helping Firefox make bigger strides towards offering and enabling countermeasures against tracking, and creating tools for users that push the ecosystem in a positive direction that better protects users.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

In Xilinx ruling, Federal Circuit suggests trolls still able to drag you to their distant lairs.

Feb 17 @ 3:14pm

A ruling in Microsoft's fight against gag orders covering government requests for user data

Feb 17 @ 2:14pm

As cities like San Jose consider using "smart city" tech, they need to protect residents' privacy.

Feb 17 @ 11:36am
JavaScript license information