Risk
6/20/2013
11:19 AM
50%
50%

Firefox Advances Do Not Track Technology

Mozilla says Firefox, over objections from the advertising industry, soon will begin blocking many types of cookies used to track users.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Despite strong advertising industry opposition, Mozilla is advancing plans to have the Firefox browser block, by default, many types of tracking used by numerous websites, and especially advertisers.

"We're trying to change the dynamic so that trackers behave better," Brendan Eich, CTO of Firefox developer Mozilla, told The Washington Post.

According to NetMarketShare, 21% of the world's computers run Firefox.

Eich said the blocking technology, which is still being refined, will go live in the next few months. The blocking technology is based on that used by Apple's Safari browser, which blocks all third-party cookies. Advertisers use these types of cookies to track users across multiple websites.

[ Will California website owners take a DNT pledge? Read California Proposes 'Do Not Track' Honesty Checker. ]

Advertisers have criticized Mozilla's move. "They're putting this under the cloak of privacy, but it's disrupting a business model," Lou Mastria, the managing director for the Digital Advertising Alliance (DAA), told Adweek. The DAA runs a self-regulated industry program called Ad Choices, which allows consumers to opt out of some types of targeted advertising.

The precise types of cookies to be blocked by Firefox will be determined by the Cookie Clearinghouse, which is chaired by Aleecia M. McDonald, the director of privacy at Stanford University's Center for Internet and Society (CIS), which has spearheaded Do Not Track (DNT).

"Internet users are starting to understand that their online activities are closely monitored, often by companies they have never heard of before," McDonald said in a blog post. "But Internet users currently don't have the tools they need to make online privacy choices. The Cookie Clearinghouse will create, maintain and publish objective information. Web browser companies will be able to choose to adopt the lists we publish to provide new privacy options to their users."

The Cookie Clearinghouse has a six-person advisory panel, which includes representatives from Mozilla, Opera and the Future of Privacy Forum, who will help develop an "allow list" and a "block list" of cookies. As that suggests, not all cookies will be blocked by the Firefox patch, which was developed by Mozilla's Jonathan Meyer, who's on the Cookie Clearinghouse advisory board.

Instead, Meyer's patch will add a cookie-analysis logic engine to Firefox. "The idea is that if you have not visited a site (including the one to which you are navigating currently) and it wants to put a cookie on your computer, the site is likely not one you have heard of or have any relationship with," said Mozilla CTO Eich in a blog post. "But this is only likely, not always true," he said, noting that the engine would continue to be refined to help eliminate false positives, backed by information from the Cookie Clearinghouse.

Mozilla first announced that it would begin blocking third-party advertisers' cookies in February. Advertisers, predictably, weren't pleased -- Mike Zaneis, general counsel for the Interactive Advertising Bureau (IAB), described it as a "nuclear first strike" against advertisers.

In response, Mozilla backed off, at least temporarily, announcing in May that it was delaying its planned July implementation of the blocks in Firefox, pending further testing of the related patch. In response, a group of 979 small businesses from around the world signed a petition on the IAB's website protesting the plans.

Mozilla's cookie-blocking efforts follow a Do Not Track capability being adopted by all major browsers. But the DNT effort stalled in November 2012, after advertisers stopped participating in the program, following Microsoft making DNT active by default in Internet Explorer 10. Advertisers wanted the feature to be not active by default.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lacertosus
50%
50%
lacertosus,
User Rank: Apprentice
6/21/2013 | 11:27:03 PM
re: Firefox Advances Do Not Track Technology
Blocking cookies is create but no efficient as most common major websites require them to make use of their services.

As I am trialing several Marketing Automation Systems, one common functionality that they all have is installing cookies on the client's machine. Most even take it further and get around privacy settings where they will install a cookie no matter what. Even if you have cookies blocked. Not sure if that's even legal but they do if you opt to do that.
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
6/21/2013 | 5:16:17 PM
re: Firefox Advances Do Not Track Technology
I am not extremely web savvy, but I can already block all cookies in any browser can't I? Is the controversy simply that Firefox would block them by default?
Number 6
50%
50%
Number 6,
User Rank: Apprentice
6/20/2013 | 9:37:21 PM
re: Firefox Advances Do Not Track Technology
" 'They're putting this under the cloak of privacy, but it's disrupting a business model,' Lou Mastria, the managing director for the Digital Advertising Alliance (DAA), told Adweek."

It's disrupting a business model? Aww, I'm so sorry to hear that. You didn't even HAVE that business model until we developed browser technology. The ad industry will just have to adapt like it did before and like every other industry does.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.