by rbinv 2682 days ago
Companies have begun switching tracking tech to first-party cookies (where possible) since Apple's introduction of "Intelligent Tracking Protection," so Mozilla's similar move probably won't have that much of an impact either.

Apple has responded with ITP 2.1, though, limiting _all_ (persistent) cookie lifetime to 7 days, although these could probably be accurately re-issued/kept alive in my opinion: https://webkit.org/blog/8613/intelligent-tracking-prevention...

ITP 2.1 also removes support for Do Not Track (as it's not honored anyway).

5 comments

Note that Mozilla has been working on that feature for at least five years. For a very long time, it was not possible to land this without breaking gazillions of sites.

Apple can afford to be more aggressive, and force features such as ITP 2+, because of their iOS monopoly, and expect webdevs to scramble for fixes, but Mozilla doesn't have such leverage, so they need to avoid breaking the web.

Also, they got their ass handed to them in a smear campaign when they tried blocking 3rd party cookies the first time around in 2013 [1] and ended up accepting these by default again.

[1] https://www.consumeraffairs.com/news/web-advertisers-attack-...

I, and probably many other users, have begun blocking all first-party cookies by default. I only permit it on sites I sign into and want to remember me, which are very few.

If Mozilla wants to make a real difference, they'd study uMatrix and figure out how to create UX that would give that degree of flexibility and power to non-technical users.

>I only permit it on sites I sign into and want to remember me, which are very few.

I don't know if I'm an outlier, but I hate having to re-sign back into sites I use even semi-regularly unless it's for administrative access or purchase confirmation. Regular "auto sign outs" already happen with a few due to a snafu somewhere along the stack; for me The Economist and Foreign Affairs are the major ones where it seems like every time I go back to visit I'm signed out. In contrast, sites like HN or Ars seem to never sign me out (or maybe once every few years) and some of the newspapers are once or twice a year. Being signed out creates more friction than I'd have thought before experiencing it often, perhaps amplified since I tend to read on the model of "see a few interesting stories, open them all in tabs, then go through them" and if signed out I not only need to sign in but every single tab will be "you've reached your article limit please sign in".

I have suspicions about how much it even matters when it comes to tracking for any site I'm actually paying for. I mean, by definition they know who I am, real money is changing hands after all. Within their own site there is no technical measure that can prevent them from seeing what remote resources of theirs I specifically am calling for, it's their resources after all with authentication required. And once they have the info what would prevent them sharing/selling it would be their own interests and the law, not anything from my end. Clearing 1st party cookies smells suspiciously like privacy theater for any site at all that depends on authentication in any significant way.

You block cookies, scripts, frames, on sites you DON'T sign into, and you allow them on sites you do sign into. uMatrix makes it really easy.

> I don't know if I'm an outlier, but I hate having to re-sign back into sites I use even semi-regularly unless it's for administrative access or purchase confirmation.

Having set up a master password in Firefox, re-signing usually takes me a single click (as the login info is filled in by the browser). Would this be useful in your case?

I use a password manager, so it's really only slightly annoying unless I've set up 2FA, at which point I probably care enough to either put up with it or allow it to use cookies.
The list of sites I sign into in the first place is very short. Most of the time websites remembering me is used to implement anti-features.
I don't believe that many users are blocking first-party cookies. Source: I'm a web analyst managing large sites and can see how many visitors block all cookies. It's minimal. Also blocking first-party cookies requires a degree of tech-savviness and it prevents many websites from working properly.
To add to what the parent comment said, I do as well, in two ways:

- IE prompts me if I want to block cookies on a website, so unless I trust it, I block by default.

- I have an extension on Firefox that is "Cookie Autodelete", so I visit a site and unless I whitelist it, all cookies will be deleted when I leave.

I'm wondering if you are not seeing blocked cookies because of the second one. I'm not blocking it, but as soon as I leave it gets deleted, effectively doing the same thing.

One thing I want to add regarding "Cookie Autodelete" that tripped me up: unlike its predecessor, it does not default at the start to deleting everything, so you may end up running it for a year thinking it's clearing everything and then realize you have a multi-megabyte list full of tracking cookies.
Right. I have Firefox configured to delete all cookies when I close it. And it only accepts 3rd-party cookies from sites that I've already visited during a session.
Cookie Autodelete is a step over that, it will automatically delete cookies from a site after you close the tab.
I just use incognito/private mode all the time for my browsing. Signing in each time is not really a big pain with password managers.
I've never used umatrix and just stuck with noscript over the years due to the lengthy process of allowing scripts / domains, going through random external scripts required to make pages work that are not self-explanatory.

Is there anything in umatrix to make the switch worthwhile?

I migrated to uMatrix because it allows me to block cookies, media, javascript, and xhr by default. It replaced several different privacy extensions with a single control panel. You can set the defaults to be as strict or lenient as you wish.
>I migrated to uMatrix because it allows me to block cookies, media, javascript, and xhr by default. It replaced several different privacy extensions with a single control panel. You can set the defaults to be as strict or lenient as you wish.

That's a lot of configuration to do. I'd rather just use Firefox containers, noscript, and use Tor for things I don't want tied to my ad profile.

"by default"

It's not a lot of config at all. If the site breaks, you click a button and unblock some stuff. Otherwise the defaults work great.

I have used uMatrix for 2 years or so and it works out of the box for 70/80% of websites. By working I mean they are not completely broken.

For the ones that don't work it's normally 1 or 2 clicks in the UI to allow some 3rd parties and save it.

Sometimes a site works by default in the "broken" state but as soon as I give it more permissions it breaks by adding a paywall or some modal window.

uMatrix is like Linux: it requires more work upfront but gives you more control and customization options.

>> I, and probably many other users, have begun blocking all first-party cookies by default.

So this change should have no effect on you right? You're blocking all cookies? I like that idea, but how many things does it break?

I use uMatrix in Firefox to block javascript, cookies, media, etc by default. For any site I need to login, I can easily enable them.

I don't see it too often, but occasionally I do run across a site that won't load at all without cookies enabled. For these circumstances, I use Containers and Cookie AutoDelete.

The only situations where I tend to have problems are those where I have a third-party payment window that opens in a new tab. It sometimes takes some fiddling with the settings to make it work properly.

> many things does it break?

Almost nothing, surprisingly enough. Of course it breaks websites I sign into, so I simply whitelist those.

I wish DNT was honoured, but it's as good as a "do not commit crime" sign.
> I wish DNT was honoured, but it's as good as a "do not commit crime" sign.

I bet the ad industry wishes they'd played ball, now that browsers are baking tracking protection in.

DNT is practically defunct. https://en.wikipedia.org/wiki/Do_Not_Track#History

In January 2019 W3C Tracking Protection Working Group concluded work on Do Not Track standard citing "insufficient deployment of these extensions" and lack of "indications of planned support among user agents, third parties, and the ecosystem at large." In February 2019 Apple Safari 12.1 was released without support for DNT to avoid it being used as a "tracking variable."

You can tell how bad the lack of support / teeth is when people start using the flag to not track them as an extra way of tracking people. That's extremely telling... but sadly not unexpected by many of us.
Should Mozilla remove the DNT header from Firefox like Apple did in Safari? When DNT does nothing except give trackers one more bit of fingerprint entropy, is there any value in still allowing users to send DNT? "DNT: I am one of those people who does not want you to track even though I know you will."
I think it's fine since it's opt-in. Maybe there could be a warning in the UI though.
If honoring DNT was mandatory, the crime would be much easier to spot, compared to the current (EU) cookie law fiasco.
There are millions of Do not Trespass signs out there, the difference is that they have some legal weight.

Ten years ago it would have been a different matter, but it doesn't seem that far-fetched to get do not track to be the legal equivalent of a "no" on those GDPR consent forms, but with no options for dark patterns and no way to re-query on every page load for those who opt out.

DNT should have been part of GDPR as explicit opt-out
Or GDPR could allow users to send "DNT: 0" (aka "Do Track") to auto-accept all those GDPR cookie prompts. :)
How can first-party cookies be used to track users across multiple properties?
You send tracking events to your analytics/tracking partner from your backend instead of from the browser and they combine the cookie ids.
I thought the whole purpose of using third party JavaScript and third party cookies in advertising is that the advertisers don't trust the host backends. What's to stop a site operator from "boosting" the stats in order to make more money?
Useful for people using Facebook pixel, Google Ads pixel. They have no incentive to lie (they aren't making money out of Facebook or Google), it's just about making sure their users are being tracked after clicking an ad on Instagram, etc.
So you just do a get adprovider.foo/track/<id> from the browser with no cookies and batch send from your backend -- they then just make sure the data you send them roughly matches?

For most big sites this isn't a problem as you're not going to be gaming the stats (presumably the legal costs outweigh the benefit) -- for the scammy small sites faking ad rev... Well, if this kills them then good riddance?

Can't the big sites negotiate directly with advertisers? I thought I read somewhere that the New York Times does this. In that case, why bother with the bloat of ad networks and their monstrous JavaScripts and other garbage?

If it's (as you say) good riddance to the small, scammy sites then I think it's the medium-sized sites which will really have a problem. Not big enough to negotiate directly, not small enough to disappear overnight.

> why bother with the bloat of ad networks

Except a few very rare cases, ad networks can statistically deliver a far more effective ad than a manually curated ad.

The network also has the infrastructure in place to track the user all the way from the ad click to completing a purchase, potentially across many devices or even in a physical store. They use those numbers to demonstrate their value with hard figures rather than marketing fluff.

> and they combine the cookie ids.

And how do they do that? The "advantage" of third-party tracking is that a cookie set by the analytics service on site A gets sent back when the user goes to site B and C and D (etc).

Without that, they have to somehow figure out that user 34 on site A is the same as user 95 on site B. That's often possible, but much less reliable.

I assumed the grandparent meant how do "you" track across your own properties..

For the likes of Google and co, I wouldn't be surprised if we start seeing more ad companies requiring you to send some other PII via the API so they can turn a random tracking ID into an email address or whatever though.

The same user on a.com and b.com gets different IDs, but a.com and b.com both send data to tracker.com which maps that ID to an email address and then tracker.com can easily combine 'em. Not sure it's legal to do so; when I was working in this space we were quite forbidden from mixing up tracking information from various properties.

No, I meant across different properties of different publishers. I assume that's still only possible with browser fingerprinting, IPs etc.

So blocking third-party cookies is a good start to avoid tracking across different publishers (which is the big no-no for me, the fact that a single publisher knows what I read of his is not such a big issue and not that different to what has always been done by just crawling the ht_access logs...).

Site B has an iframe back to site A and the 'user 34' cookie can still be read.

All these protections only prevent setting cookies, not reading them again.

It does prevent them from reading too: "Domains classified as trackers are not able to access or set cookies, local storage, and other site data when loaded in a third-party context." (emphasis mine)

https://blog.mozilla.org/security/2018/10/23/firefox-63-lets...

Browser fingerprinting?

How do you defeat that? If people want to track... they will track.

Throw away your browser and renounce all web technologies made after November of 1995.
Disable Javascript!
The next step is that they will let third-parties inject javascript from the backend. At that point all is lost and the web will die a horrible death.
Routing tracking traffic through a subdomain that proxies through to the third party is already a thing. And my adblocker, at least, already blocks that too.

It's not death anyway; it's just that blockers will have to adjust to blocking bits of third party content.

> it's just that blockers will have to adjust to blocking bits of third party content.

Just wondering: how will that work when javascript is compressed and obfuscated together with the main code served by the website?

And the final step, pixel rendered canvas generated in webassembly (basically Flash in 202x.)
Disable javascript!
Are you speculating or is that a real plan?
Well, it would be a trivial response against the blocking of third-party javascript done by ad-blockers.
I assume they'd only combine them on "soft factors" (browser fingerprints, IPs etc) then?

Since the unique IDs between the different platforms would differ for the same user (as there's no way to coordinate without 3rd party cookies)

Why do you believe that first party cookies will be able to be re-issued/kept alive? It seems unclear if a visit within 7 days can refresh that timer.