Inside Mozilla’s Anti-Tracking Crusade

Marshall Erwin, chief security officer, Mozilla

While Chrome dallies on the third-party cookie question, Firefox keeps releasing new anti-tracking features.

In June, Mozilla made Total Cookie Protection the default for Firefox. Cookies can’t leave the site on which they were first dropped. This move essentially creates what Marshall Erwin, Mozilla’s chief security officer, refers to as “a separate cookie jar for each website.”

Firefox isn’t stopping all third-party trackers from dropping cookies. So-called “noninvasive” cookies, like those for site analytics, can still function. But all cookies are confined to a single site and can’t be shared across the web.

“This actually breaks the mechanism for cross-site tracking,” Erwin said.

Total Cookie Protection is more nuanced than what Firefox already offers with Enhanced Tracking Protection (ETP).

ETP, which Firefox first released in 2018, takes a sort of scorched earth approach to third-party cookie blocking. It relies on a list of known trackers provided by anti-tracking tool Disconnect. Every single third-party cookie from any entity that appears on that list is automatically blocked.

Problem is, killing all third-party cookies could break parts of a user’s browsing experience, which is why Mozilla is fine-tuning its technique.

“We never want a privacy feature to degrade the user experience in any way,” Erwin said. “Privacy protection should not be the thing that pushes someone to opt for a different, less protective browser.”
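
An added example, not code from the article or from Mozilla: a toy model of the two approaches described above, list-based blocking and a per-site cookie jar, showing how many sites a third party can link to one identifier under each. The host names, the `Browser` class and the sample visits are constructed for illustration.

```javascript
// Toy model of browser cookie storage (constructed; not Firefox code).
// site   = top-level site the user is visiting
// origin = third-party host embedded in that page

// Constructed sample data: hypothetical hosts and a stand-in tracker list.
const BLOCKLIST = new Set(["tracker.example"]);
const VISITS = ["news.example", "shop.example", "blog.example"];

class Browser {
  constructor({ partitioned, blocklist = new Set() }) {
    this.partitioned = partitioned; // true = one cookie jar per top-level site
    this.blocklist = blocklist;     // list-based blocking of known trackers
    this.jar = new Map();
  }
  // Storage key: a partitioned jar adds the top-level site to the key.
  key(site, origin) {
    return this.partitioned ? `${site}|${origin}` : origin;
  }
  // Third-party request from `origin` inside a page on `site`.
  // Returns the identifier the third party reads back, or null if blocked.
  thirdPartyRequest(site, origin, newId) {
    if (this.blocklist.has(origin)) return null;
    const k = this.key(site, origin);
    if (!this.jar.has(k)) this.jar.set(k, newId);
    return this.jar.get(k);
  }
}

// Largest number of distinct sites tied to a single identifier.
function linkableSites(browser, origin) {
  const seen = new Map(); // identifier -> set of sites where it was read
  VISITS.forEach((site, i) => {
    const id = browser.thirdPartyRequest(site, origin, `id-${i}`);
    if (id === null) return;
    if (!seen.has(id)) seen.set(id, new Set());
    seen.get(id).add(site);
  });
  return Math.max(0, ...[...seen.values()].map((s) => s.size));
}

function compare() {
  const listOnly = () => new Browser({ partitioned: false, blocklist: BLOCKLIST });
  const perSite = () => new Browser({ partitioned: true });
  return {
    listedHostWithList: linkableSites(listOnly(), "tracker.example"),
    unlistedHostWithList: linkableSites(listOnly(), "new-tracker.example"),
    unlistedHostPartitioned: linkableSites(perSite(), "new-tracker.example"),
  };
}
console.log(compare());
```

A host missing from the list can still read one identifier on every site in the shared jar, while the partitioned jar hands it a different identifier per site without needing a list at all.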

Erwin spoke with AdExchanger.

AdExchanger: Is Total Cookie Protection like the next phase of ETP?

MARSHALL ERWIN: Although Enhanced Tracking Protection was a major step forward for us at the time, we recognized that there are some drawbacks to the list-based approach. For example, maybe there are trackers that should be on the list but aren’t, and trackers can also thwart ETP by just setting up a new domain.

Total Cookie Protection solves these problems for us because it changes the technical functionality of third-party cookies in the browser.

This helps us prevent tracking by some of the most dominant parties, including Google, Microsoft, Amazon and Meta. These are parties that have a huge number of tracking domains, many, but not all, of which were already on our ETP list.

AdExchanger: Speaking of Meta, though, Mozilla is working with Meta on a joint proposal for privacy-preserving attribution that’s being discussed at the W3C right now. Interesting to see Mozilla collaborate with a company it’s been so publicly critical of.

We’ve been critical of their tracking practices going back more than a decade and I’d expect us to continue to be critical when appropriate. But, at the same time, if a company has a good proposal that we think is viable and that can represent a step forward for privacy, we’re going to partner with them on it.

We think there are ways to facilitate conversion tracking that don’t compromise user privacy by relying on third-party cookies or some sort of witchcraft, like link decoration, which is when tracking identifiers are embedded in the URL.

One of the things that distinguishes us from other parties that take more of a stone-throwing approach is that we care about what I’d call “privacy-preserving advertising” beyond just our own features. If that means working together with Meta, then we’re game.

AdExchanger: But Mozilla isn’t a huge fan of Private Click Measurement on Safari, which uses aggregated campaign performance data to measure web events. Mozilla even wrote a whole report pointing out how PCM doesn’t fully crack down on cross-site tracking and that there’s no incentive for advertisers to actually use it.

PCM is an idea that was put forward in good faith by Apple, but the details of it just don’t quite hold up. It doesn’t prevent sites from tracking people and at the same time it isn’t useful enough for advertisers.

I wouldn’t say it’s the worst of both worlds, but it’s not protecting privacy as much as we would like and it’s also not facilitating the advertising use case.

AdExchanger: Back to link decoration for a sec, Firefox added a new feature to ETP at the end of June that strips tracking parameters from URLs, but the feature has to be turned on manually. Is your next step to make it a default for all users?

Link decoration is used for a bunch of things, so if we were to remove that functionality by default without also releasing a good replacement, then it could cause a lot of experience problems for our users.

But our goal with all of these features is to eventually have them be on by default. That represents a big shift from our strategy of four or five years ago when we were happy to just build these features and let them be optional. We realized in retrospect, that puts too much of the onus on consumers to protect themselves from opaque practices.

AdExchanger: Is Firefox not blocking fingerprinting by default because it would mess with the browsing experience?

We already block some fingerprinting using a list provided by Disconnect and, over time, we’re removing as many fingerprinting surfaces as possible. [A fingerprinting surface is any interaction point at which a site can learn something about a user.]

But it’s a hard task. Fingerprinting takes advantage of functionality that’s built directly into the browser, some of which websites do benefit from. Removing those surfaces would negatively affect the experience. Blocking fingerprinting is much more difficult than unilaterally blocking third-party cookies.

AdExchanger: Is that why you don’t see Apple enforcing its policy against fingerprinting?

Yes. Apple is taking a policy-based approach.

AdExchanger: What do you make of Google delaying third-party cookie deprecation in Chrome yet again?

Google’s proposed replacements for third-party cookies require more community input and we’re glad to see these technologies are not being rushed into deployment. Still, developing these technologies shouldn’t stand in the way of protecting people’s privacy.

We’re disappointed.

This interview has been edited and condensed.
