Mozilla postpones by-default cookie blocking in Firefox

Company reiterates its committment to user privacy but says it needs another six weeks to work out some kinks

Mozilla is postponing its controversial plan for Firefox to block certain third-party cookies by default -- but the company's CTO Brandon Eich urged users not to interpret the delay as a sign that Mozilla is going soft on protecting user privacy.

The announcement comes one month after the IAB (Interactive Advertising Bureau) criticized Mozilla's plan, asserting that without third-party cookies, the Internet could become a "vast wasteland of irrelevant and repetitive ads" and "thousands of small businesses ... will be forced to close their doors."

Mozilla announced a patch for Firefox back in February, designed to blocks cookies from sites a user has not yet visited while allowing them from sites a user has browsed previously. In testing the feature, Mozilla found too many instances of false positives and false negatives that proved disruptive to the browsing experience, according to Eich.

"For those who read this [delay] as Mozilla softening our stance on protecting privacy and putting users first, in a word: no," Eich wrote. "False positives break sites that users intentionally visit. (Fortunately, we haven't seen too many such problems, but greater testing scale is needed.) False negatives enable tracking where it is not wanted. The patch as-is needs more work."

Eich provided the following examples of false positives and negatives:

False positives. For example, say you visit a site named foo.com, which embeds cookie-setting content from a site named foocdn.com. With the patch, Firefox sets cookies from foo.com because you visited it, yet blocks cookies from foocdn.com because you never visited foocdn.com directly, even though there is actually just one company behind both sites.

False negatives. Meanwhile, in the other direction, just because you visit a site once does not mean you are OK with it tracking you all over the Internet on unrelated sites, forever more. Suppose you click on an ad by accident, for example. Or a site you trust directly starts setting third-party cookies you do not want.

Those false negatives stem from the "very powerful first parties [who] already can track you in many ways (e.g., Like buttons)," Eich explained in the comments section of his blog post. "Giving them a pass to track you on other sites just because you have a first-party cookie for them just empowers these incumbents more and unbalances the ecosystem further."

Mozilla will provide an update on the patch's progress in six weeks as it continues to run tests. In the meantime, it's available in the Beta release channel for Firefox 22, but it's not on by default. The patch is on by default in the Aurora channel for Firefox.

This story, "Mozilla postpones by-default cookie blocking in Firefox," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies