
Mozilla anti-cookie tool plans crumbling - kwestro
http://www.sfgate.com/technology/dotcommentary/article/Mozilla-anticookie-tool-plans-crumbling-4958045.php
======
nly
Google will never deprecate 3rd party cookies, and without cross-vendor
support Mozilla will be attacked when sites start breaking.

It's a real shame, I've been blocking all 3rd party cookies and referrers for
years and really want to see the web move to a more privacy conscious model. With
all the web features tracking tricks out there now though, I feel it's nigh
impossible.

Take for instance, common Javascript libraries hosted on CDNs. Every time you
visit a jQuery based page where the js file is on a CDN you reveal to the host
of that CDN (e.g. Google) what website you're on. You also put complete faith
in that 3rd party CDN provider for your security.

3rd party cookies are just the tip of the iceberg in terms of how broken the
web is for the privacy conscious.

~~~
michaelt

> Mozilla will be attacked when sites start breaking.

I have been browsing with third party cookies blocked for years - the problems
have been trivial, like disqus embedded comment boxes not letting me log in.
I've never noticed anything important breaking.

You can experience it yourself in Firefox via Preferences -> Privacy -> Third
party cookies -> Never

~~~
jrochkind1
> like disqus embedded comment boxes not letting me log in.

Oh crap, is THAT why I can usually not log in to disqus even when I disable
Disconnect!

Man, that had been a mystery to me forever, I must have disabled third party
cookies and not even remembered doing it.

~~~
clarry
And now Mozilla will hide or get rid of that feature because ignorant users
accidentally enable it and break the web. ;-)

------
r0h1n
Privacy on the Internet today is so riddled with conflicts of interests and
doublespeak that it's hard to know where anyone stands on anything.

Microsoft implemented a Do-Not-Track by default in IE 10 [0], only to later
reveal it was planning an even more intrusive ad tracking system of its own
[1]

Google added a Do-Not-Track feature belatedly to Chrome, buried within levels
of settings and warnings [2]. And yeah, they're working on their own cookie
replacement too [3].

Facebook meanwhile is tracking you across the web through its own re-targeting
tech [4] and even your cursor movements on its site [5]

In fact, when companies like Google, Facebook and Microsoft want to dump
cookies [6], I'd argue that we're already past the point where a Firefox can
make a difference.

IMHO Internet tracking has become like fast food. A meaningful difference will
only come when average users start caring about their privacy and are willing
to make conscious choices for it.

[0] - http://arstechnica.com/information-technology/2012/08/microsoft-sticks-to-its-guns-keeps-do-not-track-on-by-default-in-ie10/

[1] - http://adage.com/article/digital/microsoft-cookie-replacement-span-desktop-mobile-xbox/244638/

[2] http://www.pcmag.com/article2/0,2817,2411916,00.asp

[3] http://www.usatoday.com/story/tech/2013/09/17/google-cookies-advertising/2823183/

[4] - http://adage.com/article/digital/facebook-launches-retargeting-alternative-fbx/244746/

[5] - http://www.pcmag.com/article2/0,2817,2426602,00.asp

[6] - http://online.wsj.com/news/articles/SB10001424052702304682504579157780178992984

~~~
mildtrepidation
_IMHO Internet tracking has become like fast food. A meaningful difference
will only come when average users start caring about their privacy and are
willing to make conscious choices for it._

Definitely agreed. Unfortunately, I think it's much harder for your average
web user to make that choice than for your average person to avoid fast food:
Everyone knows what and where a grocery store is and that fast food is not
usually nutritious, but I don't believe most web users understand how many
browser options there are or, in many cases, what that actually means or what
other means could help preserve their privacy, if they understand this
particular privacy issue in the first place.

~~~
jrochkind1
Even simpler anti-analogy, everyone knows when, where, and what they ate; most
people have no idea who is tracking you how and when.

~~~
clarry
Another issue is that people for the most part don't seem to have an issue with
tracking ("I have nothing to hide", "I trust them not to do evil", etc.),
whereas the adverse health effects of bad food and obesity are well known and
easily observed.

------
kibwen
I think that Mozilla's recent re-launch of Lightbeam (nee Collusion) shows
that they're not trying to back away from the issue of third-party cookies.
The complication is that you need to find a solution that doesn't break enough
sites that users give up and switch to less-privacy-conscious browsers, which
would completely defeat the purpose.

~~~
interpol_p
How does it break sites? I use Safari, where this setting is the default, and
everything seems Ok.

~~~
gcb0
safari use case means nothing. it is disabled only if the 1st class site does
not set a cookie or something futile like this.

you probably have 3rd party cookie working as usual.

------
stolio
Mozilla isn't positioned to stand up to Google while they're getting $300
million a year [0] from them. (For reference Mozilla's 2011 revenue was $163M
[1]) I trust (to a point) their motivations but I would imagine that much
dough comes with more strings attached than just making Google the default
search in Firefox.

I think we're very lucky to have Mozilla in the FOSS world but the will for
better privacy will have to come from the community.

[0] - http://www.forbes.com/sites/timworstall/2013/01/22/so-why-is-google-funding-its-own-competition-in-the-firefox-os/

[1] - http://www.mozilla.org/en-US/foundation/annualreport/2011/faq/

edit: I didn't state it explicitly but my argument is based on the idea that
Google is primarily interested in a low-privacy and ad-based web.

~~~
gcb0
You are right. Google silently removed 3 (that i counted) times the ability to
remove referrer from chrom[e|ium]

And apple probably disabled some 3rd party cookies more to harm google than
thinking on user privacy (now this is speculation, but add to that the fact that
jobs had said he'd gone nuclear on google at the time)

------
tareqak
I tried searching for the patch in question, and here is what I came up with:

Searching for Jonathan Mayer in Bugzilla:
https://encrypted.google.com/search?sitesearch=bugzilla.mozilla.org&q=jonathan+mayer

Here is the meta bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=818337

I think this is the patch:
https://bugzilla.mozilla.org/show_bug.cgi?id=818340

------
ihsw
> "This default setting would be a nuclear first strike against (the) ad
> industry," tweeted Mike Zaneis, general counsel for the Interactive
> Advertising Bureau.

Such dramatic silliness. An _actual_ first strike would be NoScript and
AdBlock installed by default (which I already do to begin with). Removing
third-party cookie functionality is just a shot across the bow.

------
jfasi
Philosophically, this effort seems fallacious to me. Many of the Internet's
services are only free because of advertising, and while Mozilla's intentions
seem admirable, they're at best short sighted and at worst naive.

As for the immediate reason Mozilla is backing off, have you ever wondered how
you make money as a browser? One of the key revenue streams for a company like
Mozilla or Opera is referral fees from search engines. Ever wonder why
Microsoft is so desperate to make it difficult to use non-IE browsers? It's
because they have their own search engine.

My own personal speculation is that some of Mozilla's search engine customers,
whose business model often includes using cookies, came forward and indicated
their displeasure with this initiative and pointed out that this would
basically amount to biting the hand that feeds it on Mozilla's part.

------
Udo
There is no need for a "tool" (which will only add to code bloat and be
circumvented anyway). Just don't accept 3rd-party cookies and be done with it.
All browsers already have this setting, it just needs to be enabled by
default.

I invite all who haven't done so yet to change their browser's settings right
now to refuse 3rd party cookies. They have almost no legitimate use anyway.
The only breakage of a useful site I'm aware of pertains to active Disqus
logins, a price well worth paying in my opinion.

The 3rd party cookie tracking problem is worse than most people think. For
instance, every time your browser pulls a file from a CDN, you're tracked.

------
tracker1
Why don't browsers just generate a UUID on first run per user.. then anyone
tracking can do so server-side.. with a browser/user option to re-generate a
new one. It would effectively be the same.. then have a white/blacklist for
sending this id.

Or they could make a system where a site can set their own unique id, that
they can use.. oh, maybe have a custom key for this value.. and maybe they
could call it a token system.. ooh or maybe cookies.

/sarcasm

------
snorkel
I feel most users got over the creep factor of cookies back in 1998, and
nothing that happened since has demonstrated that cookies need to be severely
restricted. In fact, I expect more physical businesses will be installing face
recognition to essentially cookie and track casual shoppers in real stores
offline, consumers are already used to this online, and don't feel threatened
by it.

~~~
gcb0
Pretty sure if that happens a few malls would advertise privacy, charge a
premium, and only the poor would use the others.

------
IBM
Very disappointing.

------
wnevets
Doesn't Apple already do this?

~~~
ploxiln
Yes, unless you manage to do a form post in an iframe or something like
that... which every web developer does to "make it work" in safari

http://www.electronista.com/articles/12/02/16/google.alleged.in.safari.privacy.circumvention/

------
bolder88
Good. This recent war against cookies is futile and silly.

If you visit a website (Assuming you don't go via some anonymizer proxy), they
can track you, and they can pass your details to any 3rd party who wishes to
also track you.

Cookies are the easiest way for them to do that, but it's absurdly naive to
think that if you block cookies then people won't track your browser activity
online.

If you don't want to be 'tracked', stop generating HTTP requests, or do them
through an anonymizer service. And good luck getting any website to work
properly.

~~~
icebraining
A single website can only track you inside their own pages. The problem with
third-party cookies is that they enable cross-site tracking, which is much
more privacy invading. First-party cookies don't help with that, since a
cookie dropped by siteA won't be sent to siteB.

Now, sure there are other ways of doing cross-site tracking, like Etags,
fingerprinting and such, but why shouldn't we try to plug those leaks too
instead of giving up?

~~~
bolder88
No, we shouldn't bother trying to plug those leaks.

Current situation:

* You request website A, which includes 3rd party code from C. C drops a cookie
* You request website B, which includes 3rd party code from C. C knows you previously visited A.

New situation:

* You request website A, which includes 3rd party code from C. Website A sends details of your visit via a backchannel to C.
* You request website B, which includes 3rd party code from C. Website B sends details of your visit via backchannels, and C knows you previously visited A.

Wouldn't you rather such tracking to be out in the open and easily blocked -
stop accepting cookies, rather than them creating backchannels to track you
instead?

Yes - You should give up if you think you will be able to continue sending
websites HTTP requests directly, whilst not being tracked.

~~~
paulgb
If you block third-party cookies, C no longer has a reliable way to know
that you are the same visitor on both requests. (Unless you're suggesting that
C is stuffing a UID in the cache or something?)

~~~
gcb0
C can already infer that. Google probably does that on their free CDN stuff.

you have a unique combination of IP+UserAgent+extra Headers. That is enough. A
and B do not even have to send anything. And this will continue to work even
without cookies.

~~~
icebraining
Requiring an IP address already eliminates cross-network tracking. For
example, lots of people browse both on their PC on a cable/fiber connection
and on their phone/tablet on 3G, with different IPs. They also often browse
from their work network (yet another IP).

Same with User Agent: not useful if you're using Chrome on your laptop and
Safari on your phone.
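
The cookie policies argued over in this thread, as an added example that is not part of any comment: a toy JavaScript model in which a.example and b.example both embed c.example, showing when c.example can tie the two visits to one cookie id. The hosts, the policy names and the simplified rules (whole hosts as sites, a "visited-only" rule that lets a third party use cookies only after a first-party visit) are assumptions of the example.

```javascript
// Added example: a toy cookie jar, not real browser code. Policy names are made up here.
class ToyBrowser {
  constructor(policy) {
    this.policy = policy; // "accept-all" | "block-third-party" | "visited-only"
    this.jar = new Map(); // host -> { id, firstParty }
  }
  // May `host` use its cookie while the address bar shows `topSite`?
  allowed(host, topSite) {
    if (host === topSite || this.policy === "accept-all") return true;
    if (this.policy !== "visited-only") return false; // block-third-party
    const c = this.jar.get(host);
    return Boolean(c && c.firstParty); // only if the user went there directly before
  }
  // One request to `host`; returns the cookie id tied to it (received or newly set), or null.
  request(host, topSite) {
    if (!this.allowed(host, topSite)) return null;
    let c = this.jar.get(host);
    if (!c) {
      c = { id: `uid-${this.jar.size + 1}`, firstParty: false };
      this.jar.set(host, c);
    }
    if (host === topSite) c.firstParty = true;
    return c.id;
  }
  // Load `site` with its embedded hosts; each embed logs the page (Referer) and cookie id.
  visit(site, embeds, log) {
    this.request(site, site);
    for (const host of embeds)
      log.push({ tracker: host, page: site, id: this.request(host, site) });
  }
}

// Groups of pages that `tracker` can tie to one cookie id.
function linkedPages(log, tracker) {
  const byId = new Map();
  for (const e of log) {
    if (e.tracker !== tracker || e.id === null) continue;
    byId.set(e.id, [...(byId.get(e.id) || []), e.page]);
  }
  return [...byId.values()].filter((pages) => pages.length > 1);
}

// Constructed scenario: a.example and b.example both embed c.example.
function simulate(policy, visitTrackerFirst) {
  const b = new ToyBrowser(policy), log = [];
  if (visitTrackerFirst) b.visit("c.example", [], log);
  b.visit("a.example", ["c.example"], log);
  b.visit("b.example", ["c.example"], log);
  return { linked: linkedPages(log, "c.example"), requestsSeen: log.length };
}
```

`requestsSeen` stays at 2 under every policy: the embedded host still receives a request for each page, and only the shared identifier goes away.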

