Risk
6/20/2013
11:19 AM
Connect Directly
RSS
E-Mail
50%
50%

Firefox Advances Do Not Track Technology

Mozilla says Firefox, over objections from the advertising industry, soon will begin blocking many types of cookies used to track users.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Despite strong advertising industry opposition, Mozilla is advancing plans to have the Firefox browser block, by default, many types of tracking used by numerous websites, and especially advertisers.

"We're trying to change the dynamic so that trackers behave better," Brendan Eich, CTO of Firefox developer Mozilla, told The Washington Post.

According to NetMarketShare, 21% of the world's computers run Firefox.

Eich said the blocking technology, which is still being refined, will go live in the next few months. The blocking technology is based on that used by Apple's Safari browser, which blocks all third-party cookies. Advertisers use these types of cookies to track users across multiple websites.

[ Will California website owners take a DNT pledge? Read California Proposes 'Do Not Track' Honesty Checker. ]

Advertisers have criticized Mozilla's move. "They're putting this under the cloak of privacy, but it's disrupting a business model," Lou Mastria, the managing director for the Digital Advertising Alliance (DAA), told Adweek. The DAA runs a self-regulated industry program called Ad Choices, which allows consumers to opt out of some types of targeted advertising.

The precise types of cookies to be blocked by Firefox will be determined by the Cookie Clearinghouse, which is chaired by Aleecia M. McDonald, the director of privacy at Stanford University's Center for Internet and Society (CIS), which has spearheaded Do Not Track (DNT).

"Internet users are starting to understand that their online activities are closely monitored, often by companies they have never heard of before," McDonald said in a blog post. "But Internet users currently don't have the tools they need to make online privacy choices. The Cookie Clearinghouse will create, maintain and publish objective information. Web browser companies will be able to choose to adopt the lists we publish to provide new privacy options to their users."

The Cookie Clearinghouse has a six-person advisory panel, which includes representatives from Mozilla, Opera and the Future of Privacy Forum, who will help develop an "allow list" and a "block list" of cookies. As that suggests, not all cookies will be blocked by the Firefox patch, which was developed by Mozilla's Jonathan Meyer, who's on the Cookie Clearinghouse advisory board.

Instead, Meyer's patch will add a cookie-analysis logic engine to Firefox. "The idea is that if you have not visited a site (including the one to which you are navigating currently) and it wants to put a cookie on your computer, the site is likely not one you have heard of or have any relationship with," said Mozilla CTO Eich in a blog post. "But this is only likely, not always true," he said, noting that the engine would continue to be refined to help eliminate false positives, backed by information from the Cookie Clearinghouse.

Mozilla first announced that it would begin blocking third-party advertisers' cookies in February. Advertisers, predictably, weren't pleased -- Mike Zaneis, general counsel for the Interactive Advertising Bureau (IAB), described it as a "nuclear first strike" against advertisers.

In response, Mozilla backed off, at least temporarily, announcing in May that it was delaying its planned July implementation of the blocks in Firefox, pending further testing of the related patch. In response, a group of 979 small businesses from around the world signed a petition on the IAB's website protesting the plans.

Mozilla's cookie-blocking efforts follow a Do Not Track capability being adopted by all major browsers. But the DNT effort stalled in November 2012, after advertisers stopped participating in the program, following Microsoft making DNT active by default in Internet Explorer 10. Advertisers wanted the feature to be not active by default.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lacertosus
50%
50%
lacertosus,
User Rank: Apprentice
6/21/2013 | 11:27:03 PM
re: Firefox Advances Do Not Track Technology
Blocking cookies is create but no efficient as most common major websites require them to make use of their services.

As I am trialing several Marketing Automation Systems, one common functionality that they all have is installing cookies on the client's machine. Most even take it further and get around privacy settings where they will install a cookie no matter what. Even if you have cookies blocked. Not sure if that's even legal but they do if you opt to do that.
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
6/21/2013 | 5:16:17 PM
re: Firefox Advances Do Not Track Technology
I am not extremely web savvy, but I can already block all cookies in any browser can't I? Is the controversy simply that Firefox would block them by default?
Number 6
50%
50%
Number 6,
User Rank: Apprentice
6/20/2013 | 9:37:21 PM
re: Firefox Advances Do Not Track Technology
" 'They're putting this under the cloak of privacy, but it's disrupting a business model,' Lou Mastria, the managing director for the Digital Advertising Alliance (DAA), told Adweek."

It's disrupting a business model? Aww, I'm so sorry to hear that. You didn't even HAVE that business model until we developed browser technology. The ad industry will just have to adapt like it did before and like every other industry does.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.