
Firefox to Block All 3rd Party Trackers by Default - geekybiz
https://twitter.com/jensimmons/status/1098335173089873920
======
rbinv
Companies have begun switching tracking tech to first-party cookies (where
possible) since Apple's introduction of "Intelligent Tracking Protection," so
Mozilla's similar move probably won't have that much of an impact either.

Apple has responded with ITP 2.1, though, limiting _all_ (persistent) cookie
lifetime to 7 days, although these could probably be accurately re-issued/kept
alive in my opinion:
[https://webkit.org/blog/8613/intelligent-tracking-prevention...](https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/)

ITP 2.1 also removes support for Do Not Track (as it's not honored anyway).

~~~
adtac
I wish DNT was honoured, but it's as good as a "do not commit crime" sign.

~~~
sp332
DNT is practically defunct.
[https://en.wikipedia.org/wiki/Do_Not_Track#History](https://en.wikipedia.org/wiki/Do_Not_Track#History)

 _In January 2019 W3C Tracking Protection Working Group concluded work on Do
Not Track standard citing "insufficient deployment of these extensions" and
lack of "indications of planned support among user agents, third parties, and
the ecosystem at large." In February 2019 Apple Safari 12.1 was released
without support for DNT to avoid it being used as a "tracking variable."_

~~~
TheCraiggers
You can tell how bad the lack of support / teeth is when people start using
the flag to not track them as an extra way of tracking people. That's
extremely telling... but sadly not unexpected by many of us.

~~~
cpeterso
Should Mozilla remove the DNT header from Firefox like Apple did in Safari?
When DNT does nothing except give trackers one more bit of fingerprint
entropy, is there any value in still allowing users to send DNT? _"DNT:
I am one of those people who does not want you to track even though I know you
will."_

~~~
sp332
I think it's fine since it's opt-in. Maybe there could be a warning in the UI
though.

------
fimdomeio
One thing mentioned on the responses that might be really concerning is the
fact that this will mean that for a lot of analytics it will look like firefox
usage is close to zero.

No usage data, devs caring less about firefox, users having more problems when
using firefox, less users using firefox, less users having 3rd party trackers
blocked, chrome monopoly growing.

~~~
bfrydl
In my experience as a long-term Firefox user, developers already don't care
about Firefox. It's amazing how many websites I visit that break or look awful
until I switch to Chromium.

~~~
mi100hael
Interesting, I've been using Firefox for years and can't remember the last
time I've experienced a site that didn't perform as expected.

------
traderjane
Firefox's Containers approach has been quite interesting to use, but if a
suggestion could get out to the Firefox team, I would advise improved
streamlining of workflow for the extension, including with sync and returning
browser setup, and for organizing and setting up new containers (configuring
them to always open for a domain, putting them in folders).

~~~
darkpuma
Yeah the UX of Multi-Account Containers is awful. The number of steps the user
is required to follow to make a website always open in a particular container
is absurd.

    1) Create a new container
    2) Open a new tab with that container
    3) Open the website in that container
    4) Check "Always open in [container name]"
    5) Open a new tab and load that page again.
    6) Click "Remember my decision"
    7) Click "Open in [container name] Container"

I don't mean to throw shade, I'm sure whoever came up with this had good
intentions, but it needs work. (Also, why a limit of 8 colors and 12 icons?
Why not an arbitrary number of colors and user definable icons?)

~~~
philipodonnell
> Also, why a limit of 8 colors and 12 icons? Why not an arbitrary number of
> colors and user definable icons?

This is commonly called the paradox of choice. Satisfaction is often higher when
choosing from a limited set of good options than choosing from a large set of
options with varying quality.

(YMMV, it is also used as an excuse for being inflexible, or for forcing bad
options on users a la a false dilemma, and to be honest I'm not sure how to
tell the difference as an outsider)

~~~
darkpuma
It's pretty crap in practice. Which of those icons am I to choose for HN? Dog?
Fork and knife? Apple? Sunglasses? Briefcase? Gift?

I chose 'Dollars' as the closest fit due to the association between the tech
industry and greed, but really shouldn't there be at least one tech-themed
icon? Of the 12, two are food themed, two or three are shopping related, etc.
The icon set is redundant with poor conceptual coverage.

Okay, maybe I'm a nerd who cares about tech and Mozilla thinks most firefox
users who use Multi-Account Containers will be regular joes who aren't
interested in tech. I disagree, but maybe that's their theory. What icon am I
to use for youtube? Everybody uses youtube. Is youtube conceptually a
briefcase? Trees? Dog? Is it a dog because everybody watches dog videos on
youtube? I chose sunglasses, because sunglasses are associated with eyes and
eyes are associated with videos.. it's a pretty tenuous association. And which
color? Red makes sense, youtube brands itself with the color red. Yet red
isn't on the color list. Two shades of orange are on the list, but not _red_.
What the fuck? So youtube is "dark orange sunglasses". Great, just great.

~~~
danillonunes
I just pretend that’s not a feature and use the circle with a single color for
everything.

------
tannhaeuser
Good. They should've done this ten years ago.

However, I don't know how it'll play out in the long run. FF is already on the
radar of ad-driven sites, including those that just need basic unique visitor
counters verified by third parties rather than doing evil privacy invasion
things. So they could decide to boycott FF altogether. I hope this isn't going
to happen, though. Anyone in the ad-driven content business here to share
their opinion? Or should we go back to pixels?

------
anc84
What is a "tracker" here? How will Firefox determine that?

~~~
salawat
A tracker is a script included as part of a webpage's content, often utilizing
some combination of tracking pixels (an http request for a 1x1 image file from
the tracking script's providers domain), a persistent cookie, and increasingly
some form of browser/device fingerprint which is used to identify a particular
machine.

The user's machine presents back to the tracking network the cookie and a
bunch of http params to the tracking provider whilst interacting with pages
that support the script, which the tracker stores in a database to sell access
to.

It gives developers/businesses a way to collect metrics while offloading the
trouble of keeping track of and maintaining the infrastructure to do so to
someone else.

Firefox will probably be enforcing a cross-origin isolation constraint,
requiring that all material be hosted by the domain you're requesting from in
the first place, which doesn't really fix the problem since people will
probably just try to build ways around the limitation.

Until the industry breaks itself free of its current fetish for wholesale
data collection, it's just going to be an arms race.

~~~
drukenemo
But Firefox also identifies APIs as trackers - see here
[https://ibb.co/QFXYjhL](https://ibb.co/QFXYjhL)

Firefox uses the Disconnect blocking list to determine what is tracking, and
Disconnect doesn't only filter out cookies.

[https://support.mozilla.org/en-US/kb/content-blocking](https://support.mozilla.org/en-US/kb/content-blocking)

"Disconnect Private Browsing automatically detects when your browser tries to
make a connection to anything other than the site you are visiting. We call
these other attempted connections “network requests”"
[https://disconnect.me/help](https://disconnect.me/help)
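
Added example, not part of the thread and not Firefox's or Disconnect's code: a simplified sketch of the list-based decision discussed above, where a request is blocked when it goes to a different site than the page and its host is on a blocklist. The blocklist entries, the flat domain-to-category format, the `.example` hosts and the "last two labels" site rule are all assumptions made for illustration.

```javascript
// Constructed sample blocklist (domain -> category). These are not real
// Disconnect entries, and the real list uses a different, richer format.
const BLOCKLIST = new Map([
  ["tracker.example", "Analytics"],
  ["ads.example", "Advertising"],
]);

// Assumption: the "site" is the last two DNS labels. Browsers use the
// Public Suffix List instead, so that e.g. a.co.uk and b.co.uk differ.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Match the host or any parent domain against the list, so that
// cdn.tracker.example is covered by the tracker.example entry.
// The loop stops before the bare top-level label.
function listedCategory(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (BLOCKLIST.has(candidate)) return BLOCKLIST.get(candidate);
  }
  return null;
}

// Classify one network request made while rendering pageUrl.
// Relative request URLs resolve against the page, as in a browser.
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl);
  const thirdParty = siteOf(page.hostname) !== siteOf(req.hostname);
  const category = listedCategory(req.hostname);
  return {
    host: req.hostname,
    thirdParty,
    category,
    // Listed hosts are only blocked in a third-party context.
    blocked: thirdParty && category !== null,
  };
}

// Constructed sample: requests made by one page on news.example.
const SAMPLE_PAGE = "https://news.example/story";
const SAMPLE_REQUESTS = [
  "https://cdn.tracker.example/pixel.gif?id=1", // listed, third-party
  "/stats/collect",                             // self-hosted, first-party
  "https://fonts.other.example/a.woff",         // third-party, not listed
];
for (const url of SAMPLE_REQUESTS) {
  console.log(url, classifyRequest(SAMPLE_PAGE, url));
}
```

The second sample request shows why self-hosted, first-party analytics is not affected by a domain list: it never leaves the page's own site.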

------
mosselman
My work laptop is a very fast upper end macbook and I can somewhat reliably
run Firefox on that. My personal laptop is an older macbook pro retina model
and whenever I use firefox on that it gets incredibly slow and from time to
time the computer just freezes for 20-40 seconds. So, sadly, I can't use
firefox on that.

At one point someone on HN posted a link to the bug report on mozilla's bug
tracker about this issue with retina macbooks. Does anyone have that link? I
can't find it.

~~~
arusahni
Is this it?
[https://bugzilla.mozilla.org/show_bug.cgi?id=1404042](https://bugzilla.mozilla.org/show_bug.cgi?id=1404042)

~~~
mosselman
Yes that seems to be it! Thank you. Always good to not be alone when
experiencing such problems.

------
playpause
Why now, as opposed to several years ago? Are there downsides to blocking 3rd
party trackers by default, and if so, what has changed recently to allow this
to happen now?

~~~
MivLives
I have 3rd party cookie blocking on Chrome.

Honestly the two things I've noticed are:

- I have to fill out recaptcha. A lot.
- I've been applying for jobs, some companies have a button for LinkedIn
  auto fill. Sometimes this works, sometimes it doesn't.

Beyond that there are a few other things, like wikidot, that don't really work.
In this case the cookie is given by wikidot for sign in, then you're
redirected to the custom url wikidot instance (Scp foundation in this case)
and you're just not logged in until you allow cookies in this case.

------
ypolito
It's a huge step forward. Does it block Google Ads too?

If so, ad companies should consider some kind of functionality to proxy the
advertisements through the partners' websites.

I've seen ublock struggle with Server Side Ads Injection.

------
KozmoNau7
Will this also force Do Not Track to be on, similar to the current tracking
blocklists in Firefox? That's the primary reason why I have it turned off and
rely on uBlock Origin + a few other extensions.

~~~
rbinv
DNT is pretty much dead because no one ever really honored it.

~~~
KozmoNau7
And that is exactly why I would like it to not be forced on (or off). I want
my browser to report no DNT setting at all, to reduce my fingerprinting
profile.

~~~
rejberg
[https://panopticlick.eff.org/](https://panopticlick.eff.org/) reports that 1
in 1.67 browsers send the DNT header, so the best option fingerprinting-wise
might be to leave it on, at least information-wise.

Of course, that ratio will likely change when Safari drops support for DNT
entirely. See discussion here
[https://news.ycombinator.com/item?id=19101156](https://news.ycombinator.com/item?id=19101156)

~~~
KozmoNau7
They send the header, but with which value? I probably didn't express myself
well enough, I want my browser to send the "DNT not configured" value.

~~~
rejberg
Sorry, I left that part out. My browser sends DNT=1, and I get 1/1.67, which
should mean that 1/1.67 browsers send DNT=1. This means that the total share
of browsers that send the DNT header at all is at least 1/1.67, but probably
higher.

------
cphoover
How do you prevent Iframes from communicating their cookies to the parent
window? Using window.postMessage?

Disable all cookies for iframes? That seems like it would break the internet.

~~~
andrethegiant
If you're the parent, you can use the `sandbox` attribute on the frame. If
you're the child, you can use the `frame-ancestors` CSP directive.

~~~
cphoover
"If you're the parent, you can use the `sandbox` attribute on the frame. If
you're the child, you can use the `frame-ancestors` CSP directive."

... Yea but that requires the parent frame not to want the tracking to take
place right? Why would they put the iframe in sandbox mode if they were trying
to track their users?

------
kowdermeister
Do you use server side visitor tracking on your projects? This will probably
if not already shift analytics more to the backend.

~~~
andrethegiant
I'm using a self-hosted instance of Countly for a new project. It's been great
so far. Still client-side, but since you host it, the domain isn't
blacklisted.

------
slasaus
I think this is huge. It reminds me of the early days of Firefox (back then
still known as Phoenix) in a world where IE6 and pop-up ads dominated. At
launch IE6 was really the best and most innovative browser of its time
(IMHO). But after IE6 had beaten Netscape, Microsoft stopped putting money in
IE development and the situation got worse over time. It was Phoenix with,
among other things, a pop-up blocker that was on by default that brought down
Internet Explorer's hegemony.

Today, with Chrome being dominant the situation is different because Google is
still innovating Chrome at light speed. The one and only Achilles heel to beat
this giant is by attacking their business model, which is to enable ad
blocking by default. I expect this is something people want, just like pop-up
blockers back in the days. Google will never be able to lead, or even follow
in this direction without changing their business model.

Unfortunately, Mozilla’s own business model also heavily relies on selling
ads, albeit indirectly. According to this statement from an independent audit
report[1]:

"Note 10 - Concentrations of Risk:

Mozilla has entered into contracts with search engine providers for royalties
which expire through November 2020. Approximately 93% and 94% of Mozilla’s
royalty revenues were derived from these contracts for 2017 and 2016,
respectively, with receivables from these contracts representing approximately
75% and 79% of the December 31, 2017 and 2016 outstanding receivables."

In other words, $539 Million, which is 93% of their total revenue, comes from
companies that have selling ads as their business model (Baidu, Google, Yahoo
and Yandex [2]).

I really hope Mozilla will be able to change this revenue stream to better
align with their mission[3]. They have been trying to diversify their revenue
since 2014 [4] and although they might not be as dependent on Google as they
once were, they're still almost fully dependent on ads.

Oh, and yeah, of course simply making a better browser than Chrome would also
help ;)

Background:

* [https://www.mozilla.org/en-US/foundation/annualreport/2017/](https://www.mozilla.org/en-US/foundation/annualreport/2017/)

* [https://assets.mozilla.net/annualreport/2017/mozilla-2017-fo...](https://assets.mozilla.net/annualreport/2017/mozilla-2017-form-990.pdf)

[1] [https://assets.mozilla.net/annualreport/2017/mozilla-fdn-201...](https://assets.mozilla.net/annualreport/2017/mozilla-fdn-2017-fs-short-form-final-0927.pdf)

[2] [https://wiki.mozilla.org/Global_Search_Strategy_Status](https://wiki.mozilla.org/Global_Search_Strategy_Status)

[3] [https://www.mozilla.org/en-US/mission/](https://www.mozilla.org/en-US/mission/)
"An Internet that truly puts people first, where individuals can
shape their own experience and are empowered, safe and independent."

[4] [https://blog.mozilla.org/advancingcontent/2014/02/11/publish...](https://blog.mozilla.org/advancingcontent/2014/02/11/publisher-transformation-with-users-at-the-center/)

~~~
dredmorbius
Google may be innovating Chrome, but few of those enhancements provide me, as
a user, any value, and many subtract from it.

Firefox has an opportunity.

------
kerng
I like this!

------
wbxrs
I think this is a bad idea. Even though I personally block 3rd party trackers
by default, breaking the web by default will cause problems.

Also, ad blocking will start being a problem when enough people start doing
it. I still remember the days of no websites yelling at you for blocking their
ads. Things are going to get much worse.

~~~
Freak_NL
Good. Let them yell, allow the system to break. I'm not convinced that the
current status quo of paying for services via targeted advertising that
amounts to quite a severe level of manipulation and tracking is tenable (nor
desirable). Figure out something better.

The alternative is what we do now: a select group with tech savvy blocks
advertisements, and lets the masses pick up the bill by 'accepting' ads and
having their every movement online tracked.

~~~
dmortin
> Figure out something better.

There is no magical solution. The alternative is some kind of payment system.

And many people can't afford paying for each site they visit, so it would
limit people's access to the net if there were paywalls everywhere.

Also, if sites can't show ads and not enough people subscribe then many sites
will close which would lead to further concentration of the web. Small players
would be eliminated, big players would still thrive.

Independent journalism would decrease while sites financed by rich companies
and people could keep running and promoting the agenda of the rich players.

~~~
Freak_NL
If people can't afford paying, then it follows that they can't afford being
advertised at in order to stimulate their consumption beyond what they
actually need. If the answer to that is that people are of course in their
right to ignore advertisements (as if that is possible), then by extension
blocking them outright is morally defensible as well, and we are right back to
where we are now.

Either that, or on-line advertising is not nearly as effective as advertisers
think it is, and they are just subsidising the whole shebang while the
Facebooks and Googles profit.

As for journalism: yes, that is tricky. Personally, I'm subscribed to one
national quality newspaper (NRC in the Netherlands) as my main source of news
and research journalism, and just today I've set up an annual subscription for
€12 with the Guardian, which I visit occasionally as it is one of the few
reliable British sources for news on the whole Brexit ordeal.

Ideally, I would pay a monthly flat fee that I can distribute at the end of
each month to participating websites I've visited, but such a system would
have to be fair to both the consumers and the publishing websites. If it just
ends up a system with yet another FAANG-like Silicon Valley middleman that
takes a 30% cut I'm not interested.

~~~
dmortin
> If people can't afford paying, then it follows that they can't afford being
> advertised

You know the answer to that. People can pay with their data, their interests.
And if you put the question to people if they want a free web which sells
their data or pay for every site then most people will choose the first.

~~~
Freak_NL
And what is that data used for, if not targeted advertising?

The data is a means to an end: the ability to provide advertisers with a way
to reach very specific groups of people, and a way for advertising platforms
to track not just the same user, but a very detailed user profile.

Knowing what people's interests are is worth diddly-squat until you use that
knowledge to push ads to them that are likely to resonate with them.

------
moltar
They should be careful because some sites do break without tracking.

~~~
Simon_says
Who is 'they' in that sentence?

~~~
playpause
Mozilla?

~~~
Simon_says
I figured 'they' refers to website developers.

------
claudiojulio
Does this mean that analytics will also be blocked? If it is true it will be a
shot in the foot, because Google pays a lot of money to Mozilla. Translated
automatically.

~~~
onli
Firefox/Mozilla is not as reliant on Google anymore as it once was, having
diversified which search engine gets set in which area. There would also still
be a reason for google to be the default search engine even in a browser that
blocks third party trackers by default, namely the original reason of getting
users to use your search engine. So I don't see a problem here and I doubt
Google would or could force Mozilla to not make that change, even though the
business people in Google probably don't like it.

~~~
darkpuma
Mozilla released the extension "Facebook Container", which is great, but
that's only one of the FANG companies notorious for invading privacy. Where is
the "Google Container" extension from Mozilla? There exists such an extension
but it's by a third party, not by Mozilla. It would be nice to see it from
Mozilla since I trust them more than I trust some random extension developer;
I can feel confident in recommending _Facebook Container_ to people but I'd
have to keep up on the reputation and ownership of the _Google Container_
extension to feel good about recommending it to others.

I guess what I'm saying is it would be nice for Mozilla to be a bit more bold
in demonstrating this independence from Google. It seems to me they still
fear/respect Google more than Facebook.

[https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...](https://addons.mozilla.org/en-US/firefox/addon/facebook-container/)

[https://addons.mozilla.org/en-US/firefox/addon/google-contai...](https://addons.mozilla.org/en-US/firefox/addon/google-container/)

~~~
kasbah
Those container extensions are just the "Firefox Multi-Account Containers"
extension developed by Mozilla with some default settings for Facebook and
Google.

[https://github.com/mozilla/multi-account-containers](https://github.com/mozilla/multi-account-containers)

~~~
beatgammit
Yup, and I use it religiously. I keep my work Google account separate from my
personal Google account, which is separate from everything else. If I don't
trust it, it gets a separate container.

