A week after Firefox 79 debuted, Mozilla says that it plans to start rolling out version 2.0 of its Enhanced Tracking Protection (ETP) scheme to prevent redirect tracking on the web.
On the web there’s a distinction between first-party cookies – files stored in your browser by a visited web application or site – and third-party cookies that report to other domains that have some affiliation with the visited site.
Last year, Firefox implemented ETP 1.0 to block online tracking schemes by default from using cookies set in a third-party context, while allowing first-party cookies. That’s because blocking first-party cookies would break many websites.
But ad tech companies have been slow to accept that internet users don’t want to be tracked from website to website and have been relying on a technique called redirect tracking, also called bounce tracking, to bypass third-party cookie blocking.
“Redirect trackers work by forcing you to make an imperceptible and momentary stopover to their website as part of that journey,” said Steven Englehardt, senior privacy engineer at Mozilla, in a blog post on Tuesday. “So instead of navigating directly from the review website to the retailer, you end up navigating to the redirect tracker first rather than to the retailer.”
A redirect tracker involves web page code that intercepts the click and takes the user to the tracking domain, so its cookie can be loaded in a first-party context before sending the internet user onward to the intended destination website.
The tracker’s code can link the website the user is coming from and the website the user is going to, thereby developing a dataset about the user’s movements across the web.
ETP 2.0, which will be activated in Firefox browsers over the next few weeks, addresses redirect tracking by clearing cookies and site data set by known trackers every 24 hours.
This doesn’t do much against unknown, covert trackers, but Mozilla chose not to clear all cookies because doing so would inconvenience people by logging them out of all websites. That would mean more authentication challenges and CAPTCHA puzzles would be presented because websites wouldn’t recognize return visitors.
Mozilla is not the first to do this. Back in 2018, Apple’s WebKit team shipped redirect tracking protection, which they refer to as bounce tracking, in Intelligent Tracking Protection 2.0.
Firefox’s implementation differs in a few ways. ITP has its own rules-based domain classification scheme to identify trackers while Firefox relies on its tracking protection list. Also, Firefox won’t clear data from a domain if there’s been first-party interaction within 45 days, whereas WebKit has a 30-day interaction window, with a slightly different definition of what “interaction” means.
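The purge rule described above can be modelled in a few lines. This is an added sketch, not Mozilla's or Apple's code: the domain names, the list contents and the function names are constructed, and host matching is reduced to a suffix check. The 30-day argument stands in only for the length of WebKit's window, not for its classifier or its definition of interaction.

```javascript
// Simplified model of the purge rule (assumption: not Firefox's actual code).
// A browser applying this rule would run the selection once every 24 hours.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed stand-in for the tracking protection list.
const KNOWN_TRACKERS = new Set(["tracker.example", "bounce.example"]);

// Listed domain or any subdomain of it (suffix check, simplified for this sketch).
function isKnownTracker(host, list = KNOWN_TRACKERS) {
  for (const d of list) {
    if (host === d || host.endsWith("." + d)) return true;
  }
  return false;
}

// stored: [{ host, lastInteraction }], where lastInteraction is the ms timestamp
// of the last first-party user interaction, or null if there has never been one.
function selectForPurge(stored, now, interactionWindowDays = 45) {
  const windowMs = interactionWindowDays * DAY_MS;
  return stored
    .filter(({ host, lastInteraction }) => {
      if (!isKnownTracker(host)) return false; // unknown trackers are left alone
      const interacted =
        lastInteraction !== null && now - lastInteraction <= windowMs;
      return !interacted; // recent first-party interaction exempts the domain
    })
    .map((r) => r.host);
}

// Intermediate hops of a navigation chain that are on the list (the "stopover").
function bounceHops(chain) {
  return chain.slice(1, -1).filter((h) => isKnownTracker(h));
}

// Constructed sample state.
const NOW = Date.UTC(2020, 7, 4);
const SAMPLE = [
  { host: "tracker.example", lastInteraction: null },
  { host: "r.bounce.example", lastInteraction: NOW - 40 * DAY_MS },
  { host: "shop.example", lastInteraction: null },   // not on the list
  { host: "covert.example", lastInteraction: null }, // tracker, but unlisted
];

console.log(selectForPurge(SAMPLE, NOW));     // 45-day interaction window
console.log(selectForPurge(SAMPLE, NOW, 30)); // 30-day interaction window
console.log(bounceHops(["reviews.example", "tracker.example", "shop.example"]));
```

The unlisted `covert.example` entry survives both runs, which is the gap the article notes for unknown trackers.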
In March, Apple implemented full third-party cookie blocking in Safari and Google has said it aims to phase out third-party cookies in 2020, even as it works on a set of supposedly privacy-respecting alternatives. ®