
Storage access policy: Block cookies from trackers - rbanffy
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy
======
manigandham
And yet again this only makes the duopoly of Facebook and Google trackers even
stronger. There cookies will never be removed, while every other network that
offers potential competition suffers.

It's rather interesting how these browser makers consistently ignore any
cooperation with the industry and keep making naive mistakes.

Here's a simple answer that would solve everything: all browsers offer a
single anonymous Advertiser ID that is randomly generated and available to any
JS via API. It can be regenerated anytime and limited to per-domain.

Instantly that would remove 90% of the pixels and improve performance
everywhere, make recommendations more accurate for those who care, make it
simple to opt-in or out of preferences, and would prevent this continuous
arms-race.

~~~
pdkl95
> while every other network that offers potential competition suffers.

Good, that's the goal.

> And yet again this only makes the duopoly of Facebook and Google trackers
> even stronger.

It takes time to break entrenched monopolies. If you want to speed this up,
antitrust enforcement would help a lot.

> browser makers consistently ignore any cooperation with the industry and
> keep making naive mistakes.

The the _User Agent_ isn't obligated to help any particular industry. What you
are calling a "naive mistake" is really just "fulfilling the needs of users
who do not want to be tracked".

> anonymous Advertiser ID

That isn't possible. Make whatever random number you want, but the first time
someone browses to Google (or anybody else) it will forever be associated with
their (personally identifiable) Google account. Regenerating it just makes
Google store a few more values in the account.

> Instantly that would remove 90% of the pixels ... and would prevent this
> continuous arms-race.

History suggest this would have little effect on that "arms-race". Advertisers
have demonstrated many times that they only increase surveillance. The _only_
effect your "Advertiser ID" would have is to make surveillance even easier.

> make it simple to opt-in or out of preferences,

It's naive to think anybody that _already_ ignore the DNT header would respect
a future redesign of the same flag.

~~~
manigandham
Breaking up a monopoly via government pressure is completely separate from
browser and internet privacy, and hurting potential competition only _helps_
the monopoly. Google and Facebook wouldn't use the Advertising ID because they
_already have 1st party cookies_ so they know who you are.

The _User Agent_ is just software that happens to be called that, it's not a
moral statement, and this feature would help solve many issues on both sides.
DNT is actually respected by far more than you may think, but the lack of an
ID to go along with it is the problem. Having an easy ID system would let ad
networks use native APIs, reduce network calls, and build up profiles that
only last as long as a user is willing to keep the same ID. Let people change
it per hour if they want, it maintains privacy will keeping a browsing session
relevant and not overloaded with the same ad shown 20 times.

You know what's actually naive? It's refusing to listen to the industry that
moves 100s of billions in ad spend every year and is full of smart people
trying to have rational discussions instead of constantly fighting emotional
tirades that put everyone in this mess in the first place.

~~~
pdkl95
> The User Agent is just software that happens to be called that

This is impressive rationalization. It's the User Agent because it's the
software the _user_ is running _as their agent_ on their _own computer_. The
only "moral statement" involved is _basic property rights_. The user gets to
control their own computer (including the browser) for the same reason you get
to control how the products you own are used.

> DNT ... but the lack of an ID to go along with it is the problem

You don't need to have an ID to _not_ track someone's browsing habits. What,
_exactly_ do you want to do that 1) needs a tracking ID, but 2) isn't some
type of tracking?

> Having an easy ID system would let ad networks [...]

That's nice. That isn't the user's job.

> and build up profiles that only last as long as a user is willing to keep
> the same ID

See? That's _exactly_ the type of tracking we're trying to prevent.
Surveillance is still surveillance even if you delete later.

> not overloaded with the same ad shown 20 times.

Again, not the user's problem.

> You know what's actually naive?

The surveillance-based businesses that are driving us straight into a
surveillance state without any care for the risks and damage they are
creating?

> It's refusing to listen to the industry that moves 100s of billions in ad
> spend every year

You should realize that many people see this as a _bad thing_. Those billions
could have been spent on something useful. Of course, I don't expect you to
understand this if your salary currently depends on _not_ understanding the
harm created by the ad industry.

> trying to have rational discussions instead of constantly fighting emotional
> tirades

You're sense of entitlement is amazing. People get emotional when people try
to use their property without permission. There is no "rational discussion"
here. If you are tracking people, _you are the enemy_. One day, when the
databases of everyone's behavior starts to cause real damage (Cambridge
Analytica was only a tiny preview), you will understand this. Until then, I
suggest at least _talking_ to the average person about what _they_ think about
having their activities tracked.

~~~
manigandham
You are tilting at windmills here. You can say "not the users problem"
endlessly but unless you're about to quit your job and never work at a
commercial business that uses digital advertising again, it's just random
noise that goes nowhere near attempting to solve the problem.

Advertising, and the greater concept of marketing, is what powers the growth
of practically every business on the planet. Two of the most valuable
companies are advertising companies because this matters so much. These
companies do care about risks but the real problem is lack of regulation which
is completely unrelated to browser cookies, so in the lack of such rules we
can look at technical alignment that can solve at least some of the problems
in the meantime.

> _I don 't expect you to understand this if your salary currently depends on
> not understanding the harm created by the ad industry._

FYI, less tracking means _more_ money for ad networks. It means you can never
optimize results and will have to run more generic campaigns, which waste more
money and are a worse experience for both advertisers and users. So while that
statement sounds good, the reality is that people in this industry are the
_best_ to consult with on ways to improve it because they work in it every
day.

> _Until then, I suggest at least talking to the average person about what
> they think about having their activities tracked._

I've been in adtech over a decade and I'm the _only_ person with a
business/technical background who has spent time, effort and money to push ad
regulation in the US. I've talked to countless people from ad networks to
adblockers to senators to grandparents. I'm familiar with all the arguments
and what I presented is a way to make forward progress.

> _There is no "rational discussion" here. If you are tracking people, you are
> the enemy._

Lol, ok great.

------
stanleydrew
This is pretty confusing and I'm not sure what it adds beyond an option to
block all third-party cookies.

Is the goal here to try to get to a policy that can be enabled by default?

~~~
sp332
It allows third-party cookies except the ones on Disconnect's "Basic
Protection" list.

~~~
stanleydrew
Right, but it seems like almost everybody who cares about this would just
enable third-party cookie blocking.

Put another way, what problem is this new policy solving, and how big a
problem is it?

~~~
user812
It solves the problem that the majority of firefox users is not blocking
trackers, so enabling this at the end of January 2019 in Firefox 65 will
protect all Firefox users, which make up around 10-15% of all Desktop web
traffic in western countries.

With this step it follow Safari, which is already protecting users against
third party tracking.

~~~
userbinator
_It solves the problem that the majority of firefox users is not blocking
trackers_

Is that a problem, however? Or more precisely, one that Mozilla wants to think
is a problem and "solve"?

I use adblocking and such myself, but I think it should really be a personal
choice --- browsers should just stay neutral. I have a suspicion that browser
organisations taking sides in this will only lead to even more invasive
tracking in the future, since this is a cat-and-mouse game. (Imagine if
Firefox had adblock by default. It would just force adtech companies to come
up with even more unblockable methods, since the defaults have changed.)

~~~
rgbrenner
Like when browsers implemented popup blockers. Now we have even more invasive
unblockable popups?

Websites can't do anything the browser doesn't allow. Or said another way,
websites can only do what the browser was programmed to support. The browser
is the decider.

~~~
userbinator
_Like when browsers implemented popup blockers. Now we have even more invasive
unblockable popups?_

Now the popups are almost always not new windows, but "pop-overs" _inside_ the
page itself.

~~~
user812
If you start a war, you should be prepared to fight for a long time. That's
why most browser makers don't even start.

Safari did and had to make multiple changes to ITP because criteo was fighting
back.

It is always necessary to stay vigilant.

