Mozilla publishes official Firefox anti-tracking policy
Mozilla today published a wiki page detailing its official Firefox anti-tracking policies for the first time.
These anti-tracking policies are at the core of Firefox’s newly redesigned Enhanced Tracking Protection (or Content Blocking) tracker-blocking feature, which the browser vendor added to Firefox with the release of version 63 last October.
“Today we are releasing an anti-tracking policy that outlines the tracking practices that Firefox will block by default,” said Mozilla today.
“At a high level, this new policy will curtail tracking techniques that are used to build profiles of users’ browsing activity. In the policy, we outline the types of tracking practices that users cannot meaningfully control,” the organization said.
According to the wiki page, Firefox will rely on a list of abusive ad trackers compiled and curated by Disconnect.me, a third-party company that provides no-tracking software. This isn’t anything new, as it was common knowledge for a lot of Firefox users. What is new are the rules by which Firefox will add domains to, or remove them from, this list.
Sites will be considered trackers and added to this list if (1) they’re loaded as third-party scripts on other sites, and (2) they abuse browser client-side storage mechanisms (cookies, DOM storage, etc.) to save user details for tracking purposes.
Back in October, Mozilla shipped a Firefox feature that blocks third-party scripts from abusing cookies or other browser storage systems to store data inside a user’s browser for tracking purposes. This means that some domains will be blocked at the browser level, even if they’re not yet on the Disconnect.me blocklist.
Further, according to the same anti-tracking policy page, Mozilla also intends in the future to block websites that abuse URL parameters to store and transmit user identifiers.
This type of tracker blocking isn’t currently supported in Firefox, but Mozilla is apparently considering it for a future update to its Enhanced Tracking Protection feature.
Last but not least, Mozilla also plans to block trackers that abuse legitimate features for user tracking. This rule refers to all websites that currently employ supercookies and engage in user fingerprinting.
Just like the blocking of tracker domains that abuse URL parameters, this type of tracker blocking isn’t yet supported, but Firefox devs have been experimenting with it for a while.
For example, starting with Firefox 52, Firefox has blocked scripts that fingerprint users using system fonts, a tracker blocking feature it “stole” from the Tor Browser.
Mozilla said that its new anti-tracking policies aren’t set in stone and that it intends to make exceptions to its rules when appropriate.
For example, the browser maker will permit tracking techniques when they’re used to improve the security of online services, such as login providers, authentication systems, or e-payment processors, which often need systems to protect against bots or unauthorized logins. Ironically, these user protection systems often rely on the same user tracking techniques abused by online advertising companies.
“In some cases techniques are dual-use […]. We will handle these techniques on a case-by-case basis,” Mozilla said.