
Firefox Will Soon Block Third-Party Cookies - PhearTheCeal
http://yro.slashdot.org/story/13/02/23/2126246/firefox-will-soon-block-third-party-cookies?utm_source=rss1.0mainlinkanon&utm_medium=feed
======
chewxy
I don't really like this. I work in the advertising industry and retargeting
is honestly one of the most exciting things to come out.

Sure there are ways of cookieless retargeting, but it is a hassle. I mean,
everyone's heard of Samy's Evercookie right? Then there are TCP stack
signatures, and other companies like a few European DSPs that use cookieless
tracking to track a person (IMO it's quite easy to use a GET pixel to actually
capture a person's TCP stack).

You can use 3rd party cookies for good and evil. For example, for my personal
project, Fork the Cookbook (<http://forkthecookbook.com>) I'm working on using
pixel drops to track how many people fork recipes from embedded recipes (how
else would one measure success of an idea). Most analytics software, like
Google Analytics, uses 3rd party cookies.

I'm not too sure about evil uses of 3rd party cookies. I do not consider
retargeting to be evil. Other stuff like tracking browsing history can be done
but it is extremely inefficient, and does not really return much for the
amount of time and effort invested into it.

What about PII you ask? Start with drop sites, where people willingly submit
their personally identifiable information, and then it's up to the DMPs to
actually correlate the data, which can then be used as ad targeting
information. As far as I can tell, even with the big hoohaa over companies
like Rapleaf, the truth of the matter is that it's very very inefficient so
far.

Privacy is simple IMO. Don't submit your information to websites that ask for
anything more than what is needed. Banning third party cookies is like using a
cannon to shoot a mosquito.

~~~
moxie
I'm interested in the cultural implications of your willingness to comment on a
story like this and openly admit that you work in this area of the advertising
(surveillance?) industry.

Certainly, I don't think anyone would feel comfortable commenting on a story
about SPAM mitigation techniques (without using a throwaway account) with text
like "This sucks, I'm a spammer, and I'm really excited about it. Don't like
SPAM? Don't share your email address!"

Is there really that much cultural acceptance of your field? I assumed this
was the kind of thing you had to awkwardly talk around when someone asks "what
do you do?" in a bar where others might overhear your response.

One of the things that shocked me most while working at Twitter was that
_nobody_ there uses an ad blocker. Like, I literally couldn't find a single
person, and I've always assumed that anyone with the technical ability to
install ABP immediately did so. So maybe I'm out of touch? Legitimately
curious.

~~~
chewxy
I did agonize for a bit when people say things like "the best minds of our
century are working on people to click on ads", but I've made peace with
myself. I chose advertising instead of finance because I deemed it to be less
scumbaggy than finance (not really, online advertising is a shithole filled
with mines and there are many many faces of online advertising ranging from
the very clean to the very dodgy)

I thankfully work for a company that tries very hard not to work on the dodgy
side of things, and we do actively work on tackling really dodgy stuff, so I
don't think comparing online advertising to spamming is quite a valid point.

I don't think it's cultural acceptance. I'm just being open with my views. My
views on online advertising are similar to my views on guns: advertising is not
inherently bad, neither is it inherently good.

~~~
icebraining
_I chose advertising instead of finance because I deemed it to be less
scumbaggy than finance_

What about everything else?

------
NelsonMinar
I blocked third party cookies in Chrome for a while and finally gave up. It
broke a surprising number of things, particularly Disqus embeds. Also the
Instapaper bookmarklet although I admit that's a nerdy special case. Hopefully
Firefox will have a way to let the user enable the few places where third
party cookies are desired. That's a hard user interaction to get right.

(Disqus apparently now works without third party cookies:
<http://help.disqus.com/customer/portal/articles/466235-enabling-cookies>)

~~~
MatthewPhillips
Disqus not working sounds like a feature to me. What extension were you using?

~~~
statenjason
No extension necessary. Just open chrome://settings/content and check the
"block third party cookies" option. Anytime you navigate to a page with
blocked 3rd party cookies, a cookie with an X will show in the address bar.
Clicking it will let you add an exception.

------
robmil
For those about to bemoan the breaking of things like Google Analytics: this
patch only blocks third party cookies from domains that the user has never
visited before. Since 99% of your visitors will have visited google.com, your
Analytics should continue to function even after this update.

~~~
dangrossman
The GA script loads from google-analytics.com, not google.com.

    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';

~~~
jsomethings
Safari already blocks most third-party cookies, yet Google Analytics works in
Safari. An explanation of how GA pulls it off can be found here:
<http://webpolicy.org/2012/02/17/safari-trackers/>

~~~
magicalist
That looks like they're talking about doubleclick, not google analytics. GA
works by setting a _first_ party cookie, so there's no need to work around
anything.
<https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage>

edit: oh, jonknee already mentioned that below.

------
jacquesm
Excellent. Now we need to block third party javascript and then we have a
chance at a more secure web. After all, any third party javascript could be
done by an underwater call between the server and the provider of the service.

~~~
patrickaljord
Not sure blocking all ads will help the web. All those free sites you visit
need to get their money from somewhere.

~~~
ihsw
It would establish the web as a safe and secure platform, and I think that's
in the best interest of the web.

To hell with your personal ambition to underhandedly monetize other people's
users.

EDIT: I changed my statement from 'monetize your users' to specify 'other
users' as that more accurately reflects the impact of Mozilla's change. Third-
party cookies are used for tracking users that aren't yours.

~~~
melvinram
With that statement, you're also saying "To hell with YouTube, Facebook,
WordPress.com and every other site that wouldn't survive without money."

~~~
ryanhuff
How does blocking third party Javascript prevent the sites that you mention
from monetizing?

~~~
amastilovic
It lowers their income by forcing them to succumb to non-targeted advertising
which is less effective and brings less money.

I'd love to see your ideas of a free and secure web without marketing money
flowing into content provider websites.

~~~
ryanhuff
Striving to maximize revenue is great. However, I don't see this particular
issue as black and white as you present it. This will certainly make some
websites less profitable, but I doubt that it would bring an end to the free
web. In fact, aren't there other ways to do retargeting?

Given Google's relationship with Mozilla, if this move would negatively impact
Google, I would be very surprised to see it happen.

~~~
amastilovic
You are correct, it won't affect the omnipresent Google because virtually
everyone has visited their domain at some point. This will target alternatives
to Google, leaving us with one company to do effective advertising.

How this is in the interests of the end user is beyond me, really.

------
JoshTriplett
I don't actually think this policy will have the desired effect of improving
privacy and similar.

While I do think advertisers and analytics abuse third-party cookies, they
also have a dozen other things they can switch to that the browser provides
fewer facilities to control: <http://samy.pl/evercookie/>

Meanwhile, any legitimate services that rely on third-party cookies would have
little choice but to switch to whatever mechanism the advertisers switch to,
to remain functional.

~~~
eric-hu
What are legitimate uses of third party cookies? Not trying to be snarky or
sarcastic, I'm just unaware.

~~~
elehack
Logging in to services like Disqus, for one thing.

------
sokrates
This is awesome. I have had third-party cookies disabled in Chrome for a long
time now, and I rarely experienced any issues with embeds (Disqus being the
noteworthy exception). While I despise third-party tracking embeds in general,
they have gained significant traction on the web (the worst offender is of
course Facebook). Since many people think site owners cannot be blamed for
that (I think they can), blocking third-party cookies to me is the next best
thing for the end user. Also, it's just intuitive to me; when I visit a shop,
and I identify myself to the clerk, why should I automatically identify to all
bystanders in the shop?

------
unclebucknasty
With so many APIs in use, integrations, etc, there will be the potential for a
lot of broken stuff. And many non-tech users won't understand why some sites
suddenly stopped working. It will just present more challenges for developers
of good apps that users want, in order to stop one set of specific behaviors
that they do not want.

But advertisers won't just go home. They will find other ways to reach people
with possibly more obnoxious and/or invasive tactics.

Reminds me of the spam problem. With all of the spam "solutions" and policies
in place, it is now much harder than it should be for legit businesses to send
emails to customers who've requested them. Yet spammers are still doing their
thing with impunity.

------
Dylan16807
<http://yro.slashdot.org/comments.pl?sid=3488893&cid=42991759>

Uh oh. Any site that you visit even once can give you a cookie and suddenly
become immune to third-party blocking.

~~~
Encosia
That's actually a pretty elegant solution to the issues that most of Firefox's
userbase would encounter if all third-party cookies were blocked (e.g. not
being able to log in with or share via their Twitter and Facebook accounts).
How often do real users, particularly the ones who are unaware that cross-site
tracking is even going on, visit domains like doubleclick.net or
googleads.g.doubleclick.net?

For comparison, I block third-party cookies in Chrome and doubt that most
users would be able to navigate the process of understanding when that breaks
features on sites and then resolving the issue by selectively allowing the
impacted domains. So, I think that's a positive feature in Firefox's (soon-to-
be) implementation.
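
Added example, not part of any comment in this thread and not Firefox code: a simplified JavaScript model of the policy as described above (third-party cookies are accepted only from sites that already hold a cookie from a first-party visit), run over a constructed browsing session. The `CookieJar` class, the `siteOf` helper and the `.example` hosts are hypothetical, and `siteOf` naively takes the last two host labels where a real browser consults the Public Suffix List.

```javascript
// Simplified model of the "visited sites only" third-party cookie policy as
// described in the thread. Assumption: site = last two host labels.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // site -> Map(cookie name -> value)
  }

  // Decide whether a Set-Cookie from requestHost is stored while the user is
  // on topLevelHost. Returns 'first-party', 'third-party-allowed' or 'blocked'.
  setCookie(topLevelHost, requestHost, name, value) {
    const site = siteOf(requestHost);
    const firstParty = site === siteOf(topLevelHost);
    // Third-party context: accept only if this site already holds a cookie.
    if (!firstParty && !this.cookies.has(site)) return 'blocked';
    if (!this.cookies.has(site)) this.cookies.set(site, new Map());
    this.cookies.get(site).set(name, value);
    return firstParty ? 'first-party' : 'third-party-allowed';
  }
}

// Constructed browsing session: top-level page <- host trying to set a cookie.
function runSession() {
  const jar = new CookieJar();
  const log = [];
  const step = (top, req) =>
    log.push(`${top} <- ${req}: ${jar.setCookie(top, req, 'id', '1')}`);
  step('www.google.com', 'www.google.com');          // user visits google.com
  step('blog.example', 'www.google-analytics.com');  // google.com visit does not cover this site
  step('blog.example', 'ad.doubleclick.net');        // never visited: blocked
  step('ad.doubleclick.net', 'ad.doubleclick.net');  // a single first-party visit
  step('news.example', 'ad.doubleclick.net');        // now accepted as a third party
  step('blog.example', 'plus.google.com');           // same site as google.com
  return log;
}

console.log(runSession().join('\n'));
```

The fourth and fifth steps show the point raised in this sub-thread: one first-party response that sets a cookie is enough to exempt a site from the block on every other page afterwards.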

------
dfgonzalez
I don't like this, beyond the discussion if 3rd party cookies are good or bad,
these measures are always for the worst.

Not long ago IE set DoNotTrack by default. What happened? Every single company
that respected the user decision for DoNotTrack, stopped doing so since it
wasn't the user, but a browser the one who decided that.

Long story short: All the effort done with DoNotTrack was wasted.

With this story, cookie tracking is far from perfection. It might be great for
ad companies, might be useful for retailers and might be creepy for some
users, but IMO is the safest way there is to date to keep the equilibrium.
There are choices to be protected from cookie tracking and there's plenty of
information.

~~~
nwh
There's a critical difference here though. DNT was asking not to be tracked,
not allowing the cookies is forcing it.

------
lubos
I don't think third-party cookies are such a big deal. It won't stop
retargeting (workarounds are possible) so what is it really solving?

~~~
cremnob
What are some of the workarounds?

~~~
taf2
etags, png image, something about tcp stack tracking... there are workarounds
and there will be more workarounds... blocking cookies is stupid... they are
part of the web

~~~
taf2
here's a new one css ever cookie, shit it out in an hour after reading this
post: <https://gist.github.com/taf2/5022672>

------
gtani
Per links on Duckduckgo, I installed FF plugins: noScript, privacyFix,
doNotTrackMe, HTTPS everywhere, adBlock. Now maybe 5-8% of sites I visit show
no content whatsoever, and maybe 1/3 of all sites total are broken. For those,
Chrome

<http://fixtracking.com/#firefox>

------
taf2
this is short-sighted. we don't even know or can imagine the type of interesting
applications we are eliminating by saying no to third party cookies. I
remember building a reservation widget that loaded via an iframe on a third
party domain. Perhaps we would want to maintain some of the reservation
history on the user's browser (e.g. third party cookie). I believe this would
still work, but as we continue to focus only on the use case of advertising
and blocking re-marketing ads... we should remember there are other legit use
cases for third party cookies.

------
cft
I cannot fully rationalize it, but I intuitively feel that this "holier than
thee" Mozilla's approach will ultimately contribute to Firefox's demise.

~~~
cpeterso
Safari already uses this cookie policy.

~~~
Kylekramer
While I don't agree that this is indicative of Firefox's demise, saying "fourth
place browser does it" is hardly a compelling counterpoint.

~~~
cpeterso
Safari on iOS is an important browser, in terms of market share.

------
dangrossman
"Firefox Abandons Standards, Will Soon Stop Honoring HTTP Specification,
Throwing Away Valid Headers It Doesn't Like". Admittedly, I'm biased.

~~~
mdavidn
Cookies aren't in the HTTP specification. RFC 2109, published a year after
Netscape and then IE began accepting cookies, recommended that browsers block
all third-party cookies.

