Have been using Firefox for a long time, no issues, though long ago when I had little memory, Chrome was using less of it. Firefox also has HTTPS-only mode, encrypted DNS without fallbacks, supports SOCKS and Encrypted Client Hello (although almost no website supports it). However, it is better to just buy more memory (unless you are lucky to use Apple products).
Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult. There is no need to track user's browsing history; just make a product better than competitors (so that it gets first place in reviews and comparisons) and buy ads from influencers.
It would be great if browsers made fingerprinting more difficult, i.e.: not allowed to read canvas data, not allowed to read GPU name, enumerate audio cards, probe for installed extensions etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.
Regarding 3rd party cookies: instead of shady lists like RWS, browsers should just add a button that allows 3rd party cookies as an exception on a legacy website relying on them (which is probably not very secure). Although, there is a risk that newspaper websites, blog websites and question-answers websites will force users to press the button to see the content.
> Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies
Browsers were supposed to act as agents working for the user. User-agents. These days it's getting harder and harder to find a browser that doesn't work for an ad company at the expense of the user.
Chrome's entire reason for existing is data collection. Firefox can, for now at least, be hardened to work for the user (and prevent a lot of fingerprinting), but Mozilla is an ad-tech company too now. They've made their lack of respect for Firefox users clear by making Firefox spy on users by default so that Mozilla can sell that data to marketers.
The recent events related to FF are not that much of a shift, considering that Google pays $20B per annum to its (technically non-ad tech) partners, then 85% of Mozilla's total revenue comes from its partnership with Google. That ship had sailed a long time ago.
Firefox really has been going downhill for a long time. Forcing Pocket into the browser, the ad infested new tab page, telemetry, making user accounts a thing, force installing TV show promotions, etc.
What they haven't done before is spend a fortune buying up an ad-tech start up. They barely even bother to maintain a pretense that they care about Firefox users. They basically came right out and said "We know that users don't want this, we can't convince them to, so we were right to force it on them by default and just hope most people don't notice and start complaining" (https://cdn.adtidy.org/blog/new/2wffyscreen_mozilla.png?mw=1...)
Fun fact: by subscribing to Pocket, you're directly contributing to Firefox's development.
Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.
Nobody wants to pay for a browser, browsers are essentially incredibly complex nowadays, and I have yet to hear how in the world are browsers supposed to get funding.
And of course they want to cater to advertisers because it is advertising that maintains the open web, and it is advertising that is paying for all browser development, actually, including Safari. And the open web is also dying, because people have been moving to mobile apps, where all pretence that "the user agent must act on your behalf" is gone. In other words, even if you get what you wish for, in a couple of years it may not matter at all.
> And of course they want to cater to advertisers because it is advertising that maintains the open web
As someone who worked both on advertiser and publisher sides (incl. content monetisation): advertisers like to say that they support publishers and the open web, but in fact, they are keeping it hostage.
We've had the means/tech to support publishers directly for years (I don't mean crypto). It's in the interest of companies like Google to keep users (and publishers, and brands) in the dark. And one of the issues here is that they have so much impact on the discourse. There are only few places, where I saw more people using ad blockers than the adtech businesses I worked with or at.
> Nobody wants to pay for a browser
True, but I don't think people would have an issue with paying for browsers if they understood the value of it. At this stage, I think the only solution would involve:
> Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.
People didn't like Pocket as a product. It wasn't as if they just didn't like it because Firefox wanted to make money out of it.
Sure they should diversify, but with something that isn't otherwise (so) objectionable. Like their VPN, or sponsorship, or just let go of all the upper management.
> Fun fact: by subscribing to Pocket, you're directly contributing to Firefox's development.
That's not true. It isn't directly supporting anything except surveillance capitalism. Allowing yourself to be exploited in that way may indirectly support Firefox, but it's not the same thing as direct support.
Firefox users have literally begged Mozilla to let them actually directly support Firefox's development in the form of donations explicitly for that purpose alone, but Mozilla has always refused to allow it.
> Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.
People scream at them when they involve themselves in surveillance capitalism so yeah, spending a ton of money that could have gone into firefox development to instead buy an ad company so they can start spying on us while we use the internet isn't helping.
> Nobody wants to pay for a browser, browsers are essentially incredibly complex nowadays, and I have yet to hear how in the world are browsers supposed to get funding.
Are web browsers more "incredibly complex" than linux? I don't understand how people assume that web browsers are impossible to develop without selling users to the marketing industry while somehow linux and countless other open source projects have never once needed to do that.
Mozilla could at the very least try letting users pay for firefox development like users have been asking them to before they jump to selling firefox users out to the ad industry.
> And of course they want to cater to advertisers because it is advertising that maintains the open web
Advertising doesn't maintain the open web, it poisons it.
> And the open web is also dying, because people have been moving to mobile apps,
That's because many people don't even own computers anymore. Even where computers haven't been entirely replaced by devices that are designed for data collection and mindless content consumption, the cell phone is the computer that people have with them at all times. The dire situation around computing in general wouldn't be so bleak if we could get some decent and affordable mobile devices that weren't designed to spy on us, but I guess you might see it as that spying being what maintains the computer industry.
> Firefox really has been going downhill for a long time. Forcing Pocket into the browser, the ad infested new tab page, telemetry, making user accounts a thing, force installing TV show promotions, etc.
It might be just me, but I find Pocket quite useful and interesting. That, and syncing user accounts across browsers. It's extremely convenient to just stash a link that you can later open while browsing the web on your browser or sitting at home with another laptop.
I guess you can try to make an argument about that being better served with extensions, but that would be missing the forest for the trees. Meaning, extensions are intended to provide third parties with a convenient way to add custom features and behavior. That is just wasted effort if it's Firefox wanting to add a feature.
Also, you don't need to use any of that if you don't want to. No one forces you to. At most, it takes a couple of clicks to hide the toolbar button. Is that what you call "downhill"?
Frankly, this blend of criticism sounds like grasping at straws. Some people sound like all they want to do is complain about something, and proceed to work backwards to try to find something, anything, to complain about. This stance is particularly baffling when taking into consideration how god-awful Chrome and Edge are.
With GA4, the tracker code is loaded from www.googletagmanager.com (even if the tag isn't loaded via a GTM container).
The measurement requests can be sent to (region1|www).google-analytics.com or analytics.google.com (to share cookies with Google login better).
Power balance is how relationships always evolve. Browsers are basically politicians at this point and they are easily swayed by the power of the dollar and have varying degrees of requirements to side with the users.
Google, of course, has rammed chrome into its primary place.
I'm sorry, this seems egregious. I agree that it should've been off by default but I challenge anyone to read how the implementation works (not just the blog post and the FUD responses to it) before calling it a giveaway to the ad industry: https://github.com/mozilla/explainers/tree/main/ppa-experime...
FF is currently a key tool in the fight to avoid a Google-top-to-bottom future, and before we start the meme that it's gone to shit we should be really really sure that's actually true.
It is ridiculous. Why do browser developers cooperate with ad companies? They were supposed to protect us from them.
It gives no benefits to end users. Ad companies will not stop using old methods, they will just add one more method.
I hope responsible Linux distributions will patch this out and disable by default.
A fair model would be if this feature was opt-in and if Mozilla paid to the users who enabled it.
> The purpose of this API is to provide a privacy-first design for advertising companies to be able to measure how advertising drives conversions. That is, answering the question of whether advertising effectively achieves its goals, such as increased sales.
Not my problem. I don't earn anything from their sales.
It really is disheartening to see so many technically-inclined people berate the one browser that is preventing Apple/Google hegemony. The expectations set upon Mozilla and Firefox are so unrealistic it's laughable.
Firefox is rock solid, open-source, backed by a great organization (which has recently reinvested additional resources in it) and a joy to use imo. Also, the levels of vitriol that even the slightest bit of anonymous telemetry incurs is unhelpful and I encourage people who hold that viewpoint to really interrogate it.
While Firefox is great, they should not sell their userbase to Facebook with such proposals. If ad companies want to know about ad effectiveness, they must pay the users for collecting the data, not collect it for free without asking the user.
Ultimately, the problem is that entire premise is deeply offensive. I do not want my browsing history being monitored, collected, sent to third parties, and sold to marketers in any form period. I do not want a browser using my data in any way to support surveillance capitalism.
The implementation is just FLoC/Topics API all over again and it's still not compelling. The first kick in the teeth comes right at the start where the entire thing is predicated on data gathered from having an ad shoved in your face.
> At impression time, information about an advertisement is saved by the browser in a write-only store. This includes an identifier for the ad and whether this was an ad view or an ad click.
I do not want ads. Ever. Like many (likely most) firefox users, I go to some lengths to prevent them from showing up in any form. Now that firefox is going to be profiting directly off of firefox users seeing and clicking on ads they will certainly degrade our ability to prevent them.
It then involves sending my data to third parties so that it can be aggregated. Then my browsing has to be monitored to identify conversion events. None of this is acceptable.
Here's what their Cookie Monster paper says:
> User perspective. Ann browses various publisher sites that provide content she is interested in, such as nytimes.com and facebook.com. Ann does not mind seeing relevant advertising, understanding that it funds the free content she enjoys.
I am not Ann. I very much mind seeing advertising, relevant or not. I do not understand that it funds "free content" I enjoy. If I need to be exploited to pay for something, that thing isn't "free" and if it's infested with ads I do not enjoy it. The entire thing is based on a fantasy where users find this acceptable. We don't and it isn't. If we did, we'd probably all just be using chrome.
> FF is currently a key tool in the fight to avoid a Google-top-to-bottom future
Why should we care if Firefox isn't Google if both are just going to exploit us?
You're preaching to the choir, but even preaching needs to be truthful and I don't think calling Mozilla ad-tech or suggesting that it's just as bad as Google is remotely true. This is where "the perfect is the enemy of the good" comes from.
I mean, what do we have now? Google and a bunch of middle-man ad techs are hoovering up everything they can get, including a crap-ton of stuff that browsers can't affect at all, and wink-wink-promising that they anonymize some of it in some cases even though no one can verify that. A world in which the subset of that data that passes through a browser has been provably anonymized would seem to be strictly better, even if you still don't like it.
> You're preaching to the choir, but even preaching needs to be truthful and I don't think calling Mozilla ad-tech or suggesting that it's just as bad as Google is remotely true.
Mozilla is literally an ad-tech company. They bought and now own an actual ad-tech start up, they are partnering with Facebook to develop and implement protocols like DAP, and they are currently working on turning firefox into an ad platform that will deliver reports of people's browsing history to marketers in exchange for money. In what way are they not an ad-tech company exactly?
I'll admit that they aren't as bad as Google, but they're heading in that direction and they've also only just gotten into the ad-tech game. It took Google a long time to get as evil as they are now.
Rejecting firefox because of Mozilla's new role as an ad-tech company and their insistence on exploiting firefox users isn't the perfect becoming the enemy of the good. Surveillance capitalism isn't good. Maybe standing up for ourselves and our values by saying no to spying from Firefox will cause Mozilla to look to other options. Even if it doesn't, it will keep us from being exploited and tarnished by our participation in their decline.
I've been a firefox user from the very beginning. My first browser of choice was Netscape. I hate that the enshittification of firefox is here, but I won't ignore it any longer. We still have a few alternatives like librewolf that provide the benefits of firefox without the recent corruption, and there's some hope on the horizon with ladybird too. The internet is only in the sorry state it is now because we've conceded too much to advertisers. We need to start holding ourselves and the software/services we use to a higher standard or it's only going to get worse. If Mozilla suddenly wants to be a part of the problem, I'll leave them behind while I look for a new solution.
Safari does a decent job of that, especially with Apple pushing an increasing number of privacy features by default. Of course, that comes with it being as a feature of an expensive hardware ecosystem, rather than an independent product.
> Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.
FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)
It's often said that the only solution to this is regulation and there seems to be a good case for that perspective.
> FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)
Wrong. The status of permissions should not be visible to the page in most cases. Instead, fake data should be returned from them. That would be practical.
It's always better to give no data (aside from leaving them with "we couldn't collect that data") than it is to give fake data because that fake data will be used against you just as often as real data would. Don't hand companies extra ammo to use against you, or think that you're safe just because they've written an incorrect assumption about you on the bullet. You're still going to be taking the hit.
This gives me the idea to add features to target specific types of advertisements and pages for clicks and visits. Actively try to use the data in your favor to convince whatever algorithm that you’re a healthy eater with an active lifestyle.
To your point, unfocused fake data can be harmful to the faker but it seems focused fake data can work against the collectors.
It really might in some ways, but it's risky. Nobody is using the data they collect on us to help us. They use it against us to help themselves. You could limit the harm caused by one system, but expose yourself to new harms by another. It's also a safe bet that faced with conflicting data, companies and their algorithms will favor whatever information they think would make them the most money. It's still worth considering though, especially if you can get privileged information on how a specific system is using people's data.
> I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.
It's actually much worse. That fake data is dangerous because data brokers don't really care how accurate their data is. Even the fake data AdNauseam stuffs into your dossier will be used against you eventually, just like the real data will be. If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise, you won't even be told that it was because of data someone collected/sold/bought. You sure won't be told if it was fake or real data and you won't be given any opportunity to correct it.
> That fake data is dangerous because data brokers don't really care how accurate their data is.
This makes me think that people could make bank by doing nothing at all but generating 100% fabricated data to sell to brokers then. Why bother even collecting it, just have some GPT clone hallucinate some gigabytes of formatted BS. xD
They do ask for location data, and it tends to mostly work - sites like openstreetmap will ask for it when you press the right button for example, which makes sense.
There is a risk that it ends up like cookie banners, and the adtech industry manages to brainwash the world into thinking that the government is the bad guy and they just want some harmless data to share with their 1,345 best friends and they are “forced” to show these. Despite there being no requirement at all to track data, and they break the law with it anyway so why bother.
This is a poorly explored avenue. I think a lot of these more advanced APIs ought to be permitted to "installed" PWAs. Maybe it could even look like permissions menu for apps in phone OSes.
I was a bit dismayed when mozillians in the bugtracker dismissed the idea of requiring consent to initialize WebRTC. F'k it, scan the local network.
> FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)
If 99% of users will have permission disabled then it has little value, and only those who enabled it can be tracked. I don't give permissions to sites so this will not apply to me.
Also, the status of permission (1 bit) provides less information than API it protects (for example, list of installed fonts or GPU name) so it is a win.
One solution to this is to have the option to feed the application fake but plausible data. Android (or maybe some Android fork I was using) used to have this option for dealing with apps that insist on asking for location permission for no reason.
In light of that acquisition, this also seems related. Firefox is the best choice but Mozilla is the biggest reason why people aren't using it and shit like this doesn't help.
> Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult.
Kinda hard to enact when the leading browser is developed by an ad company. Worse, the same company is contributing to the firefox foundation and drives web "standards." It's all collusion and the simple fact that browsers are more complex than the OS they run on is deliberate in ensuring no scrappy team can disrupt them.
My curmudgeonly solution is to avoid as much of the web as possible and focus on human scale computing.
> It would be great if browsers made fingerprinting more difficult, i.e.: not allowed to read canvas data, not allowed to read GPU name, enumerate audio cards, probe for installed extensions etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.
This should be browser makers' #1 focus! Preventing fingerprinting of user's browser.
Seems all this cookies talk in the news and for policy makers is just limited hangouts.
BTW I don't understand the anti-tracking absolutism. I don't care about being profiled as long as the profile lands me in a group of thousands of people like me. Yes, I live in ${CITY}, identify as ${GENDER}, am approximately ${AGE_RANGE} years old, run ${BROWSER} under set to ${LOCALE}. This does not allow to easily harm me. If it allows ad networks to target their ads, so be it, uBlock Origin still works well.
That's a reasonable stance to take, certainly. I also think it's reasonable for others to be even more sensitive about it. I'm an anti-tracking absolutist because I am angered by the strong-arming, the deception, and the hacking around defenses against it.
The tracking is a constant assault, and I'm no longer willing to put up any of it, even if the data being tracked is relatively minor. Screw the bastards, they've burned one too many bridges.
How do you feel about ${INCOME}, ${SEXUAL_PREFERENCE}, ${RACE}, ${WEIGHT}, ${RELIGION}? Those categories are at least as broad as the ones you mentioned and are absolutely profiled.
Now substitute the first one for "gay", and you might get a death sentence in several parts of the world. Why does almost nobody on this site think about the wider world besides their own extremely privileged position?
I would very much prefer for advertisers to not even be able to determine my city, for personal safety. Throwaway account for obvious reasons.
This is very true. Usually the discussion goes about tracking by commercial entities in rich Westernized countries, which, by no coincidence, are the principal market of the ad industry. (Yes, China exists and is a huge market, but commercial tracking is a minor problem here, compared to other forms of surveillance.)
If you belong to such a category that the mere belonging to it is a death sentence, if revealed, the situation is vastly different. You have to act more like a secret agent or a spy. This means constant, pervasive, fastidious opsec. Any death-sentence-invoking activities should be strictly separated from the normal civil life. Only use the normal browser to visit commerce, official news, and government web sites. Everything that is not openly pious and loyal should belong to ephemeral VMs with a fresh browser install every time (preferably several different), VPNs that are indistinguishable from legitimate web traffic, like XRay, truecrypt-protected media with some plausible deniability data, etc. It all takes quite some technical chops, but is not sufficient. Many other small details, related to technology or not, have to be carefully, well, sanitized, and any small slip can out you.
Such undercover life, while possible, is very tiring, takes a lot of extra time and energy, and noticing this also may mark you as suspicious.
Another browser API that may slightly help track you is a minor problem on this background, unless it pierces any of your layers of protection.
I don't want any of my data be collected without my permission and without a negotiated monetary compensation and expect that the browser is on my side here.
Also the data about you can be used to charge you a higher price. For example, if a company knows that the user is reading HN, and we know that people using HN (except for me of course) all are mostly filthy rich Californian software engineers or entrepreneurs so they should have no problem with paying a little more.
> Have been using Firefox for a long time, no issues, though long ago when I had little memory, Chrome was using less of it.
I'd say the only area where I still see Chrome leading a bit is for web development: when I run super-heavy JavaScript in dev mode, Chrome is faster than Firefox at executing all the JavaScript nonsense. Seen that there's no ecosystem with more turds, bloatedness and slowness than that horror that JavaScript-the-piece-of-crap is, having a browser a bit quicker at running JavaScript helps.
Long story short: for Web development, I use Chromium (it ships with Debian). For the rest I use Firefox.
> Firefox also has HTTPS-only mode...
In doubt port 80 is blocked by the firewall too.
> encrypted DNS without fallbacks,
And Firefox has a relatively easy "corporate" setting too where you can force also DNS "in the clear" over port 53 UDP (well, it's 99.9999% of the time going to be UDP so you can even firewall port 53 TCP and things shall keep working: believe me I know: theory vs practice and all that)
It's convenient if you run your own DNS resolver (which, itself, can then be forced to only use encrypted DNS).
> supports SOCKS
I confirm: a SOCKS5 proxy over ssh is always sweet.
I observed Firefox sending ECH extension in ClientHello, maybe I just enabled it in the settings, so Firefox supports ECH (on by default since version 119). However, virtually no servers support ECH now. Not Google, not Hackernews, not Cloudflare etc.
This seems to be a not very good comparison, and it looks like it cherry-picks convenient for a certain browser points and ignores others. Look at "fingerprint protection", for example, and see that it does not include features that provide most fingerprinting data:
- preventing reading GPU name via WebGL debugging extension (does Brave block this?)
- preventing reading back canvas data which is used to fingerprint browser and OS code responsible for rendering graphics and text
- enumerating audio devices
And if you read the issues in Brave github [1], then you'll notice that Brave developers refuse to block features providing important fingerprinting information under "compatibility" reasons (including GPU vendor and model), although these features could be made blocked only in high security mode.
So regarding fingerprinting, the comparison you refer to is pretty much worthless: it doesn't mention many important fingerprinting APIs.
Fair points. I'll try to educate myself on this more.
FWIW the about section says this:
"Each privacy test examines whether the browser, on default settings, protects against a specific kind of data leak."
The maintainer is a Brave employee and this is a project they were already doing before joining Brave. I'm hoping that they aren't manipulating it in favor of Brave.
I sent those three options as a feature request. Do you think the site is still useful in some capacity?
As for fingerprinting, there are more APIs that leak data allowing fingerprinting, what I mentioned were the most known APIs. Also, I looked at Brave Github and they seem to have counter-measures for some of those APIs to randomize results. So adding more tests could also be beneficial to Brave.
> Do you think the site is still useful in some capacity?
Well, it is better than nothing although it would be better if there were more tests regarding fingerprinting.
As far as I can tell from some quick searching around, that limit only applies to cookies set through JavaScript code, as opposed to through server headers.
I assume it's because of situations where websites include JavaScript from a third party, and then that JS uses first party cookies as a state-keeping workaround while synchronizing tracking information in some other way.
That seems the obvious result of this sort of thing.
> Related Website Sets (RWS) is a way for a company to declare relationships among sites, so that browsers allow limited third-party cookie access for specific purposes.
So the website itself gets to declare other "blessed" domains that can bypass third party cookie blocks? Big websites are constantly looking for ways to abuse users by bypassing their attempts at protecting themselves. How would anyone think these sites can be trusted not to abuse this?
No, the website itself does not get to declare this. There’s a master list that they have to submit their site to and go through an approval process.
But as the article details, the contents of that preliminary list is already disconcerting. The whole “Google as the arbiter of all things ads” concept is a bust.
But the alternative isn’t great either - today’s system of third party cookies allows for far worse. We need some better ideas.
> How is that not the website declaring it? Approval processes are meaningless.
Submitting your website to a list controlled by some arbitrary website on the Internet is very much different from serving some kind of metadata to visitors that their browsers interpret.
Also the approval process existing does matter. Under a normal situation when you serve some kind of metadata (like what sites you are "related" to) there is no "approval" process to who gets to serve this kind of metadata and who doesn't.
The tools to do this the right way exist in so many different ways.
> There’s a master list that they have to submit their site to and go through an approval process.
Wtf, seriously? I skimmed the post and honestly didn’t think RWS was so bad, assuming that obviously it would be decentralized. A centralized list that Google (or some shell consortium) controls is the biggest no-no. Decades of erosion of web principles have clearly made us complacent.
I don’t know too much about this but I’m curious if what I saw recently on safari is similar? When visiting related Microsoft websites, I got a pop up asking permission to share the cookie for login. It was up to me to approve or reject that request. Seems like a better implementation.
Yes, this can, and will, be abused for tracking users across domains that they don't expect to be related.
But there are also legitimate use cases for this.
For example, consider the stackexchange family of sites. They are clearly related, have a unified branding, etc. but are on separate domains. On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.
You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that, because third party cookies were still very much alive and kicking. And I can say from experience that migrating an app to a different domain without breaking things for users is a royal pain, and can be very expensive.
I'm not saying that First Party Sets should be accepted as is, but it is attempting to solve real problems. And I think a solution that simultaneously protects users' privacy and maintains a good experience for sites that are legitimately related will be difficult to find, or maybe impossible.
> I can't log in to stackoverflow.com, then go to superuser.com and already be logged in.
I would expect a popup like “This site wants to share cookies with stackexchange.com, press Allow to sign in, press Reject to reject forever or press Ignore to decide later”. Takes a single click to enjoy the benefits of both worlds. The mechanism should make sure that every website has a single “first-party domain” shared across all subsites and that first-party domain must not share cookies with any other site than itself to minimize confusion.
> Also, there is no way to know which related site the user is logged in to, so they would have to prompt for every one of their sites.
This is not how it works. The mechanism is about allowing a cluster of websites to choose a single first party domain and have all of them share cookies together, not sharing arbitrary cookie from arbitrary domain, otherwise it would create loopholes in connected components that bring back the downsides of third-party cookies. What you mentioned should be done using SSO.
After thinking about it a bit more, I have a clearer picture of how it should work in my mind:
* All cookies are double-keyed: the primary key is the origin of the top-level page and the secondary key is the origin of the page that sets the cookie, just like how partitioned cookies work right now.
* stackoverflow.com uses a header, meta tag or script to request changing its primary key domain to “stackexchange.com”
* The browser makes a request to https://stackexchange.com/domains.txt and makes sure that “stackoverflow.com” is in the list, authorising this first-party domain change
* When the user agrees to the change, the page is reloaded with stackexchange.com as the primary key, thus stackoverflow.com can obtain login details from stackexchange.com via CORS or cross site cookies.
* A side effect is that all cookies and state are lost when switching the first-party domain. Should stackoverflow.com be acquired by a new owner, say x.com, and change its first-party domain to x.com, all cookies on stackoverflow.com are lost and the user will have to login on x.com again, maybe using credentials from stackexchange.com. It’s unfortunate but it works around the issues mentioned in the post in a clean way, avoiding loopholes that transfer cookies by switching the first-party domain frequently.
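A toy model of the mechanism proposed in the comment above, added here as an illustration; it is not part of the thread and not any browser's implementation. The class and function names are hypothetical, the domains.txt format (one host per line, `#` comments) is an assumption, and the rule that a switch target must itself be an unswitched root is borrowed from the earlier "single first-party domain" remark.

```javascript
// Added illustration: models double-keyed cookies plus an authorised,
// user-approved change of a site's primary (first-party) key.
// Hosts are treated as already-normalised registrable domains (assumption).

// Assumed domains.txt format: one host per line, "#" starts a comment.
function parseDomainsTxt(text) {
  return new Set(
    text.split(/\r?\n/)
      .map((line) => line.replace(/#.*$/, "").trim().toLowerCase())
      .filter((line) => line.length > 0)
  );
}

class DoubleKeyedJar {
  // fetchDomainsTxt(domain) stands in for GET https://<domain>/domains.txt;
  // it returns the body as a string, or null when the file is missing.
  constructor(fetchDomainsTxt) {
    this.fetchDomainsTxt = fetchDomainsTxt;
    this.cookies = new Map();   // "primary\nsecondary" -> Map(name -> value)
    this.primaryOf = new Map(); // site -> first-party domain it switched to
  }

  // Primary key: the top-level site, or the domain it has switched to.
  primaryKey(topLevelSite) {
    return this.primaryOf.get(topLevelSite) || topLevelSite;
  }

  set(topLevelSite, settingOrigin, name, value) {
    const key = this.primaryKey(topLevelSite) + "\n" + settingOrigin;
    if (!this.cookies.has(key)) this.cookies.set(key, new Map());
    this.cookies.get(key).set(name, value);
  }

  get(topLevelSite, settingOrigin, name) {
    const key = this.primaryKey(topLevelSite) + "\n" + settingOrigin;
    const bucket = this.cookies.get(key);
    return bucket ? bucket.get(name) : undefined;
  }

  requestFirstPartyChange(site, target, userApproves) {
    if (site === target) return "denied:same-site";
    // No chains: the target must be a root, and a root cannot move.
    if (this.primaryOf.has(target)) return "denied:target-not-root";
    if ([...this.primaryOf.values()].includes(site)) return "denied:site-is-root";
    // The target, not the requesting site, authorises the change.
    const body = this.fetchDomainsTxt(target);
    if (body === null || !parseDomainsTxt(body).has(site)) return "denied:not-listed";
    if (!userApproves) return "denied:user";
    // Switching loses the site's state, so frequent switching cannot be
    // used to carry identifiers from one cluster to another.
    for (const key of [...this.cookies.keys()]) {
      const [primary, secondary] = key.split("\n");
      if (primary === site || secondary === site) this.cookies.delete(key);
    }
    this.primaryOf.set(site, target);
    return "switched";
  }
}

// Constructed sample data: the domains.txt bodies below are made up.
function runScenario() {
  const files = {
    "stackexchange.com": "# constructed sample\nstackoverflow.com\nsuperuser.com\n",
    "x.com": "stackoverflow.com\n",
  };
  const fetchStub = (d) =>
    Object.prototype.hasOwnProperty.call(files, d) ? files[d] : null;
  const jar = new DoubleKeyedJar(fetchStub);
  const out = {};

  jar.set("stackexchange.com", "stackexchange.com", "session", "abc");
  jar.set("stackoverflow.com", "stackoverflow.com", "prefs", "dark");

  // Partitioned: the embedded stackexchange.com sees no session here yet.
  out.before = jar.get("stackoverflow.com", "stackexchange.com", "session");
  out.tracker = jar.requestFirstPartyChange("tracker.example", "stackexchange.com", true);
  out.declined = jar.requestFirstPartyChange("stackoverflow.com", "stackexchange.com", false);
  out.switched = jar.requestFirstPartyChange("stackoverflow.com", "stackexchange.com", true);
  out.after = jar.get("stackoverflow.com", "stackexchange.com", "session");
  out.prefsAfter = jar.get("stackoverflow.com", "stackoverflow.com", "prefs");

  // New owner: moving to x.com cuts access to the old cluster's session.
  out.resale = jar.requestFirstPartyChange("stackoverflow.com", "x.com", true);
  out.afterResale = jar.get("stackoverflow.com", "stackexchange.com", "session");
  out.chain = jar.requestFirstPartyChange("x.com", "stackexchange.com", true);
  return out;
}
```

The model makes the trade-off visible: a site not listed by the target cannot join, and a site that does join or later leaves starts with empty state, which is what closes the "hop between clusters" loophole.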
> You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that
I can also argue that Safari and Firefox have been blocking third party cookies for years now. So stack overflow has had plenty of time to adapt and migrate to the "right" organisation.
To me it looks like either they care about allowing unified sign in on their various domains, and they should have migrated to a subdomain model a long time ago, because users of Firefox, Safari etc have been negatively impacted for a long time. Or they do not care that much (which is fine), but then Chrome blocking third-party cookies and the discussion around first party sets should not concern them too much.
Or, they do care, but not enough to spend the significant resources and opportunity costs to do something about it for the minority of users who don't use chrome. Of particular note, changing domains can really hurt SEO.
Stack overflow was founded in 2008. Netscape added a block third party cookie button in 1997 (and the web has mostly worked fine with that feature turned on ever since).
This reminds me how google conveniently made the switch to manifest v3 when there were legitimate use cases like adblockers. Sure, technically speaking v3 is more secure and that may be better for users but your comment just made me think the opposite is in motion here.
Nothing wrong with manifest v3. It's just that ad blocking is so important that it should be an exception to the whole thing. Ad blockers should be literally built into the browsers so that they have full access, only conflicts of interest stops this.
> For example, consider the stackexchange family of sites. They are clearly related, have a unified branding, etc. but are on separate domains. On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.
Other sites seem to handle this fine with redirects and cross-origin headers. Sure, at some point you land on "signin.foo.com", but from the user experience you were authenticated without having to sign in again.
OIDC seems like it can reasonably help in a fair number of these cases, maybe? it's iffy because (a) the major providers, are, well, Google and their ilk, (b) SSO solutions trend toward reducing user confusion at the cost of choice--im still out on whether the common "enter your email/account identifier so we can select which IDP we use" login flow is something of an anti-pattern or not
i generally like having the option for "sign in with github" as opposed to the all-encompassing "sign in with google" (ignoring that github is a microsoft account but not quite at this point)
smaller-scope IDPs for a particular field ("ey, you work on code stuff? you probably have either a github or gitlab account to log into our code-adjacent service" or "ey, you use stackoverflow? you can use that same login on superuser") is maybe a decent middle ground, where shared authentication is more explicit than third-party cookies were
Stack Exchange sites have a horrible authentication system so using them as an example is a bad start.
However they could solve this "problem" in a number of ways, the most straightforward being to use subdomains instead of individual domains.
I put "problem" in quotes as it's not even a problem; it's browsers working as intended. When you visit different domain names, you should expect that your browser won't be aware of data (cookies) stored by other domains.
First Party Sets are legitimately terrifying to me, it gives a commercial party (Google) complete control over who is and isn't allowed to set cookies in a third-party context. It's Google using their absolutely dominating market share to force even more control.
> On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.
Even the minor browsers, pretending to not be funded by ads at this point (while the VC capital is drying up) depend on one of the 3 browser engines, all of which are funded by ads.
Safari? Unless you're going to say that Apple gets the money for Safari through ads which, y'know, technically correct but disingenuous in this context, surely.
Not the person you're replying to and neither do I fully agree with them, but Brave has had issues with their crypto (BAT) system. Nothing that appears purposely malicious but quite possibly misleading in some cases.
Chrome backtracked on the decision, they won't be blocking third-party cookies. There were a number of articles and a fair bit of discussion about it at the time, see e.g. [0] and [1].
It's complicated. Chrome won't block 3rd party cookies by default. But it will present the users with a choice of whether to block them (with what exactly that means TBD). If most or all users choose to block them then it would have roughly the same effect as blocking third party cookies by default would.
Though regardless of that, Related web sites (or whatever that set is currently called) does present a hole in that logic. It was originally meant to allow sites with different domains to share cookies/storage (like google.com and google.co.uk). From what it sounds like, bad actors are using it in the expected ways. There were supposed to be mechanisms to prevent this, but it seems like they failed in this case.
The list is in a public repository however, so Brave could have filed issues and a pull request to address the issue. Instead they decided to stage a meaningless survey and declare Chrome a threat to people everywhere.
Google wanted to (that's why they created stuff like FLoC) but other advertisers didn't like that and went to the market authority. They demanded the ability to track users, arguing that the system would give Google an unfair advantage.
After years of back and forth, Google abandoned their efforts. You can still disable third party cookies, in fact I don't think there's been a version of Chrome that doesn't let you block them. Go to your settings and set "third party cookies" to always be blocked. By default, grouped sites may be permitted to read each other's cookies, but you can disable that too.
The problem Google faces is changing the default; simply blocking third party cookies has never been an issue.
Easily said, until it's your bank, or a government entity, or the electric company, or any of the thousands of other entities that have started blocking Firefox.
Firefox should really camouflage its user agent, or make it trivial to do so.
> Easily said, until it's your bank, or a government entity, or the electric company
Still easily said, since I don't use the websites for any of those things anyway. If it's really important, or involves very sensitive personal information, I'm not doing it on the web.
This is my approach, as well. And if I absolutely had to use their web service? Well, keep the bank in my Chrome bookmarks bar, and only go there when I'm in Chrome. Head on back to Firefox when I'm done doing whatever it is that I needed to do.
I already need to camouflage my user agent because some websites broke on a Linux host running chromium or Firefox. Switching UA to windows fixed this.
I believe it was an analytic bug in Disney+, where they didn't expect Linux to be an acceptable OS.
I use FF on Android and Linux. I've restricted cookies and use an ad-blocker. I browse many popular (and unpopular) websites. I can't remember the last one which refused to work because I was on Firefox.
Unlikely. Love 'em or hate 'em, Apple nudged most organizations to handle third party cookie blocking unless they wanted to completely lose iPhone users.
"If Google limited 3rd party cookies, we'd go out of business!", said the companies who have literally 0 Safari users.
Brave is a Chromium derivative, not Chrome. Can't imagine why any of this would imply they would need to stop deriving Chromium: they can develop and deploy whatever cookie policies and defaults they want.
Not to disagree with you specifically, but this seems a good context to make this point:
Maybe I missed the memo that we stopped hating monopolies? Every browser worth considering, except Firefox and Safari, is based on Chromium. Firefox and Safari make up about 20% global market share, meaning Chromium in about 80% [0]. A bug in Chromium is a bug in all of them. A backdoor in Chromium is a backdoor in all of them. A feature of Chromium, good or __bad__, is a feature in all of them. It baffles me that this isn't a bigger concern to more people.
This is one of those situations where "monopoly" is a very overloaded word in terms of what it means to different people in different situations, causing confusion when it gets broken down into specifics.
Most people were never worried, and probably will never be worried, with the points you're listing there. That's not to say they've stopped hating browser monopolies, just maybe not your definition of what a browser monopoly is or why they're problematic.
In general (not just browsers) most people treat "popularity" and "monopoly" as completely orthogonal concepts. I.e. something unpopular can still be a monopoly, something with 99% usage can still not be a monopoly. There is typically just a tendency for extremely popular things to also happen to be a monopoly.
Chromium can be forked. Minor browsers like Brave or Vivaldi do that, although they have to keep up with upstream, but they are shipping ad blockers that block Google's search ads.
Note that Firefox or Safari aren't going after Google's business due to the search deal. At this point, Google is funding all 3 major browser engines, so they have a level of control going beyond just controlling Chromium.
At this point they likely have no choice but to keep building on a chromium base. However the cost of maintaining their changes and additions will likely increase.
I suppose. That is a matter of business model, whereas I was addressing purely technical aspects.
I've been using Brave as primary for years. At this point I'd pay for a license if it were necessary. Frankly that would be an improvement: if it's free, you're the product. Brave just monetizes you differently.
I no longer argue with the legion of Brave haters. I've decided they're a benefit: the more people that don't use Brave the less likely Google et al. will be compelled to destroy it.
> Can't imagine why any of this would imply they would need to stop deriving Chromium: they can develop and deploy whatever cookie policies and defaults they want.
Maintaining a very diverged fork can take even more work than building your own browser. I think they don't want to stop receiving upstream updates when the upstream is one of the biggest software projects in the world.
They have software engineers, I’m sure they plan on just turning off that portion of the code and moving on with life like they do with so much of chrome engine
I know this isn't quite the right place, but can anyone point to some research or writeups on the Chrome ad topics stuff? How does that impact user privacy? What is shared with third parties? I know next to nothing about it at the moment.
I am the main author of 2 papers evaluating the Topics API from Google: [1] and [2] and working on more research in that space.
I have also started compiling different papers and analyses on projects like the Privacy Sandbox initiative from Google (https://privacysandstorm.com/proposals/) as well as releasing other resources (datasets, tools, etc.), contributions welcome if you are interested!
so do they mention if the old system would be better in comparison? cause short of just making you pay to use the products i don't know if it can be any worse.
at the end of the day it seems like 90% of people using google products don't even care. while some even prefer the convenience of some features that directly save your info. not sure what percentage that is compared to the people that practice a lot of privacy.
but shown by the chrome market share google really doesn't have to care about this section of users. the fact they're willing to try things is a good sign imo.
either way in 2024 to be complaining about google is funny to me. literally don't have to interact or use a google product, they already have your information and so does the internet better to not let them occupy any of your mind as well
I've tried Brave and Firefox on mobile (Android) and I've tried Safari on macOS. I still just prefer Chrome, it's just a bit better. So I use it with third-party cookies turned off, which is easily (and transparently) done using the settings menu. I can also turn off this "related websites" thing.
So what exactly is the problem? All major browsers have allowed users to turn off 3P cookies for years.
It's a proposed web standard, so ultimately yes, it could affect other browsers in the long run. And it would almost certainly affect other Chromium-based browsers.
Only other chromium web browsers that enable that feature. Safari and Firefox already said they're not implementing the feature, so unless they change their mind it's not going anywhere.
Firefox and Safari have both said "no, we're not doing that". And then chrome decided to move forward with it, regardless of whether it gets standardized.
Firefox is usually great for me, but with Chromium-based browsers having such a massive market share monopoly I do occasionally find a website that doesn't work properly on Firefox. But, I will stick with Firefox as long as possible.
Yeah I keep hearing this but it never pans out, seems like in my experience a lot of people don’t know they might have to turn off an extension or two (ublock, built-in trackers, etc) to get a website to work.
The fact that it's Chrome is the problem with Brave. What you call "bugs and missing features" I call necessary diversity to avoid Google dominating the standardization process more than they already do.
With the massive tide of browsers converting to Chromium under the hood, I wonder how long Apple can hold out. Fingers crossed they keep allocating budget for it.
Apple can hold out indefinitely. If a website doesn't work on Apple devices, that's not Apple's fault, according to legions of Apple users. And they're kinda right: there really are a lot of them, and they do tend to spend more money than other users, so websites that somehow manage to stupidly not work on Safari (presumably by using Chrome-only functionality and never testing) are potentially losing a lot of users and business.
I'm not normally a fan of Apple at all, and I have no interest in using Safari myself, but here I am glad that they've so far refused to jump on the Chrome bandwagon: it's good for keeping the web standards-based so we don't have a repeat of the IE6 days.
Kind of wondering what you’re talking about here? Firefox still works great for me, did I miss something in the news? Is there some sort of big change coming down the pipeline?
Not OP, but Firefox didn't have to lose nearly all its market share to Chrome. Mozilla could have course corrected and righted the ship, but instead they got distracted on dozens of unrelated and often controversial projects and ended up burning most of their credibility.
Mozilla is a husk of what it could have been, and that's hurt Firefox.
What, specifically, should they have done differently that would have made Firefox not lose most of its market share to Chrome, and how do you know it would have worked?
Keep Firefox in focus instead of losing sight of the browser and getting distracted on a million side projects, most of which had only a tangential relationship to the internet. Raise money to support the browser rather than to support politically divisive causes of the month.
I can't say for sure it would have worked, but I know that what Mozilla actually did do was actively counterproductive.
Firefox is working just fine for me, not sure why people seemed to think that it was a problem.
I think Mozilla is poorly managed and features may have been slow or "lagging behind". But for me the lack of those shiny new things might as well be a feature than a bug.
I'm concerned that if Google ever stopped paying Mozilla to be the default search engine in Firefox, Mozilla would not be able to afford continued development on Firefox.
Brave is a lot more shady and just won't say anything or let you opt out. many examples in the past. imagine if they were anywhere near a quarter of Google's size it wouldn't be pretty imo.
All settings in Brave with an impact on user privacy are opt-in. They even inform you of their product metrics, when you first start it, despite having a paper on how they anonymize that data. Versus Firefox, which never bothered. Firefox, which also added metrics for ads, similar with Privacy Sandbox, without informing users.
I've never seen a browser with such a strong focus on privacy, the only contender it has being LibreWolf.
The hate against Brave on this forum is completely unjustified and based on falsehoods, as if the issue isn't about Brave itself.
> Brave has received negative press for diverting ad revenue from websites to itself,[30] collecting unsolicited donations for content creators without their consent,[43] suggesting affiliate links in the address bar[49] and installing a paid VPN service without the user's consent.[58]
These are the primary issues I hear about regarding Brave on this forum.
It's also founded by Brendan Eich who was forced out of Mozilla for his strong and vocal opposition of same-sex marriage. I tend to be a bit idealistic, but this is a strong reason for me to avoid Brave, especially when they are injecting content into pages.
Not that it makes him any less opposed to same-sex marriage, but I think 'vocal' is very much not the right word here. The only quotes I can find from him on the subject are him saying he's not going to talk about it.
He was opposed to it as a private citizen, not as Mozilla CEO. His beliefs and supported causes as the former are nobody else's concern; had he been discriminating in terms of employment or otherwise making public statements it would be a different story. Or are we now witch hunting people for wrongthink?
I don't think it's "witch hunting people for wrongthink" to suggest that those in a position of power are able to use that power to influence public opinion.
Especially when that position of power is the CEO of a browser that replaces content on web pages.
This goes both ways for people. I switched from Mozilla to Brave when the latter first released because to me Mozilla's political positions seem at odds with an uncensored and privacy focused browser. I actually support universal marriage equality but don't consider it relevant to why I would choose a browser.
I can't remember all of the details but Mozilla made a blog post regarding 1/6 and their commentary didn't align with a browser that would try and protect users from state, NGO and "just research" edu adversaries.
BAT was what kept me from trying Brave for a very long time, but I eventually tried it nonetheless (I'm back on Firefox now). In fairness to Brave, you can disable the BAT stuff and never have to see it.
> "collecting unsolicited donations for content creators without their consent"
Those "donations" were from handouts of BAT. What they "collected" was their own BAT that they've donated to users of Brave. And it wasn't long lived. At least they've been trying to create a business model that's privacy preserving and that benefits content creators. Firefox has been selling their users to Google for years.
> "suggesting affiliate links in the address bar"
You mean like what Firefox also did?
> "and installing a paid VPN service without the user's consent."
I've never seen a VPN service installed with Brave. Is this a Windows thing? If you're talking about the VPN functionality in Brave itself, isn't this what Firefox also did?
> "It's also founded by Brendan Eich who was forced out of Mozilla for his strong and vocal opposition of same-sex marriage."
He never talked on the topic. And did you know that, at that time, both Obama and Hillary Clinton were also opposed to same-sex marriage? Times change, people's minds have changed. Whatever beliefs he still has, he keeps private, as he should.
But yes, this confirms my suspicion that this is a US-politics thing, and for non-US citizens, it's getting annoying. While we are on the topic, don't you find it problematic when Mozilla engages in political activism, promoting Marxism? Or when they promote cancel culture?
For me, these were never reasons to avoid Firefox, but seeing that this is how the world works now, maybe they should be. And I'm sorry for pointing at Firefox right now, I used it for years, but I'm sensing a serious double standard. So let's talk of Chrome ... have you surveyed the political beliefs of Chrome's developers? Because it's the big, faceless corporations that benefit from this kind of polarisation the most.
> I've never seen a VPN service installed with Brave. Is this a Windows thing? If you're talking about the VPN functionality in Brave itself, isn't this what Firefox also did?
> For me, these were never reasons to avoid Firefox, but seeing that this is how the world works now, maybe they should be.
Yes, you are absolutely entitled to "vote with your money" (or free usage / market share, as the case may be.) Boycotts are an integral component of free speech and self-expression.
(Smalls does at one point talk about "class struggle". He makes it explicit what he means: he thinks there is an opposition between "99.9% of us" and "the billionaires". This is not Marxism even though it uses one phrase that Marxists also use.)
> Or when they promote cancel culture?
The link you provide in support of this (https://blog.mozilla.org/en/mozilla/we-need-more-than-deplat...) is to a blog post titled "We need more than deplatforming". It mentions deplatforming but doesn't advocate it (though it doesn't condemn it either), and the actual things it calls for are all Not Cancel Culture: "reveal who is paying for advertisements", "commit to meaningful transparency of platform algorithms", "turn on by default the tools to amplify factual voices over disinformation", "work ... to facilitate in-depth studies of the platforms' impact on people and our societies".
You might reasonably disagree with those proposals; for instance, the next-to-last one could be anywhere from "excellent" to "dystopian" depending on what exactly "amplify X over Y" means and how "factual" versus "disinformation" is decided. But none of it is advocating cancel culture.
As for the "deplatforming" in the title: the specific case it's talking about is the idea that a social media platform should ban a particular user who had for some time plainly been breaking the platform's rules, and who (according to some) had used the platform to attempt to organize an antidemocratic coup. "Social media platforms should be encouraged to ban users who blatantly break their rules, even when those users bring them a lot of traffic" and "Social media platforms should not let themselves be tools for antidemocratic insurrection" are positions one can take without being a fan of "cancel culture".
(Not necessarily correct positions. E.g., if you hold that the insurrection in question was not antidemocratic, that it was a response to blatant election-rigging, then you will likely take a quite different view of how a social media platform should respond to it. I don't myself think that's a credible position, and I doubt the good faith of most of the high-profile people who endorse it, but I know it is something many people believe. Anyway, my point isn't that those positions are right, it's that they're positions many reasonable people take, and that getting from those to "Twitter was right to kick Donald Trump off" doesn't require any sort of endorsement of "cancel culture", and that therefore the fact that an article mentions the possibility of doing that in a not-obviously-disapproving way does not amount to "promoting cancel culture".)
I wouldn't count the Privacy Sandbox doublespeak as "telling you". Brave is not my browser, but it seems completely unjustified to just put them on the same (or even lower) level as Chrome.
That doesn't make a bit of sense. There's plenty of browsers, there's chrome, brave, firefox, opera, edge and safari, those are the big ones. There's also a ton of spinoffs like ice weasel or that browser Kagi is developing that I can't remember the name of.
Way more than just two chromium browsers in existence.
i mean there's really only 2 relevant ones and the other one is because it's owned by the most popular phone manufacturer and is the only option. ofc we can use anything we want but in terms of real world relevance. and i guess the other one is forced by the most popular OS.
> We conducted a user study with 30 Web users, recruited over social media, and presented them each with 20 pairs of websites. Website pairs were randomly selected from both the Related Website Sets list (i.e., sites Google designates as “related”, and so warranting reduced privacy protections), and the Tranco list of popular websites. Each user was presented with different pairs of websites, asked to view the sites, and then decide if they thought the two sites were operated by the same organization. This resulted in 430 determinations of whether unique pairs of websites were related.
> In our study, the large majority of users (~73%) made at least one incorrect determination of whether two sites were related to each other, and almost half (~42%) of the determinations made during the study (i.e., all determinations from all users) were incorrect. Most concerning, of the cases where both sites were related (according to the RWS feature), users guessed that the sites were unrelated ~37% of the time, meaning that users would have thought Chrome was protecting them when it was not.
> ... We conclude from this that the premise underlying RWS is fundamentally incorrect; Web users are (understandably, predictably) not able to accurately determine whether two sites are owned by the same organization. And as a result, RWS is reintroducing exactly the kinds of privacy harms that third-party cookies cause.
> Lest anyone judge the study participants for being uninformed, or not taking the study seriously, consider for yourself: which of the following pairs of sites are related?
> 1. hindustantimes.com and healthshots.com
> 2. vwo.com and wingify.com
> 3. economictimes.com and cricbuzz.com
> 4. indiatoday.in and timesofindia.com
> (For the above quiz, if you chose “4”, then, unfortunately that is incorrect. That is in fact the only pair of the four that isn’t considered “related” to each other.)
If anything it sounds like "related" is not what they are actually doing. Rather they are looking at ways to uniquely fingerprint users through optimizing how they split "related" sites.
Reminds me of the research that shows that 87% of people in the US can be uniquely identified with only three pieces of information: date of birth, gender, and zip code [1].
Only 50% of the time, but that’s 50% better of a guess than you’d make without knowing gender.
ZIP codes contain maybe 40K residents [0] (many contain fewer) and there have been around 25K days in the last 70 years. Sure births are not evenly distributed, but still...
I think you're making the assumption that all three data points are needed for all 87%. But obviously some people can be uniquely identified based on just {zip, date of birth}, such that gender isn't necessary.
So the distribution could e.g. be 8% same, 8% opposite, 5% both, 79% neither, and explain the original numbers without triggering the paradox.
Really? That's odd.
The typical zip code has a population of about ~9000. Dates of birth are about evenly distributed, so you'd still get about 24 people/birthday, or around 12 men or women per birthday per zip code. I might be off by a fair amount in either direction, but I don't think I'd be twelve times off.
Also, the difficulty of identifying someone probably looks like a power-law curve, meaning that most of the "total difficulty" is concentrated in a small group, the ~13% that can't be identified.
In other words, even if one person is extraordinarily tricky to find [0], their share of the total un-findable-ness does not diffuse outwards to help anybody else.
Oh, ok, I didn't realize that the data included the year. Never mind, I don't know the US age distribution well enough to have any idea of how plausible it is; I withdraw my comment.
Most people here seem to forget that ads are what pay for the free internet services. The main issue with them is not making the consent more explicit to the user. I think the business model: you either get this for free with ads and targeting, or otherwise you have to pay X, should be more common. I bet most people would pick the free option with ads and targeting.
> Most people here seem to forget that ads are what pay for the free internet services.
Nobody forgets that, and the issue (at least for me) isn't the ads, it's the spying. It's entirely possible to have a financially healthy ad ecosystem without the spying. It used to be the norm, even.