Firefox gets a privacy boost as Total Cookie Protection becomes the default for all users

While the ad tech industry tries to function in a less cookie-filled environment, browsers like Mozilla Firefox are jumping on the opportunity to grow its user base with features such as Total Cookie Protection (TCP). The feature was first introduced in February 2021 and was initially restricted to Firefox’s tracking protection feature – Enhanced Tracking Protection Strict Mode. It was then enabled by default in private browsing windows with the launch of Firefox 89 later that year. As of today, Total Cookie Protection will now be default for all users worldwide, not just in private windows or if you opt into stricter settings.

Compared to its competitors such as Google Chrome and Microsoft Edge, Mozilla Firefox claims to be “the most private and secure major browser available across Windows and Mac,” and Marshall Erwin, Mozilla’s Chief Security Officer, tells TechCrunch that Total Cookie Protection is Firefox’s “strongest privacy protection to date.”

Mozilla hopes that making TCP the default for all users will ensure that they are kept safe online.

“Internet users today are stuck in a vicious cycle in which their data is collected without their knowledge, sold, and used to manipulate them. Total Cookie Protection breaks that cycle, putting people first, protecting their privacy, giving them a choice, and cutting off Big Tech from the data it vacuums up every day,” Erwin added.

Here’s how it works. The TCP feature creates a separate “cookie jar” for each website you visit and confines the cookies to the site where they were created. The trackers can only see your behavior on that individual site. This, in turn, prevents tracking companies from using these cookies to track your browsing from site to site. So, the amount of information that companies gather from you is reduced as well as all the invasive and sometimes too-close-to-home advertisements you might see on a daily basis.

Image Credits: Mozilla

In addition, Total Cookie Protection offers additional privacy protections provided by existing anti-tracking features such as Enhanced Tracking Protection (ETP), which Mozilla launched in 2018 and became default to all Firefox users in 2019. ETP blocks trackers based on a list yet had some shortcomings as there were still ways for trackers to evade being blocked. For instance, many just set up a new tracking domain that wasn’t on the list. Meanwhile, TCP restricts the functionality of all cookies no matter what.

When third-party cookies are blocked outright, this can break some site functionality. So this is part of the reason why Firefox’s Total Cookie Protection doesn’t completely eliminate third-party cookies. Access to these cookies is only restricted. That way, the browser experience isn’t affected as TCP continues to offer strong protection against tracking.

Plus, cross-site cookies are an exception as they are needed for non-tracking purposes, such as those used by popular third-party login providers. This means the website and the login provider will access the same cookie jar so the user can sign in conveniently. Firefox will remember the user’s preference for 30 days.

It’s important to note that TCP in Firefox doesn’t protect users from all cookie pop-ups. The company informed TechCrunch that while it protects users from the third-party tracking that might occur on the websites that ask you to accept or decline their privacy policy in a cookie banner, TCP, however, does not protect against first-party tracking, so choosing to click either “accept” or “decline” is still required for first-party cookies.

When Mozilla was first testing the feature in February, the company monitored for breakage and even collaborated with websites to restructure their site to work with cookie storage isolation technologies like TCP, often by encouraging the use of the Storage Access API, the company told TechCrunch. The Storage Access API offers a way for embedded resources to see if they currently have access to their first-party storage and then gives them the ability to request access from the user agent.

As Mozilla became more aware of common breakage patterns, the company developed heuristics and SmartBlock in Firefox that allow sites using these patterns to continue working without breakage while still enabling the privacy benefits of TCP. Overall, the amount of breakage was limited, according to Mozilla.

In total, the Firefox browser has over 200 million monthly active users, per its own data, and is known to be a popular browser among users with privacy concerns. However, by the beginning of 2021, Firefox reported having lost up to 12% of its user base, according to StatCounter.

It is likely that this decline was due to complaints that the Firefox design introduced in version 89 was “slow and buggy,” a Reddit user wrote. In May 2022, Firefox 100 was then hacked in seven seconds, but Mozilla quickly released 100.0.2 within 48 hours. This month, Firefox 101.0.1 was released with no zero-day security holes fixed, and no patches deemed critical, so maybe users will flock to the browser.

Earlier this month, Safari reached one billion worldwide users, whereas Google Chrome has over three billion. Microsoft Edge has 212 million users, according to Atlas VPN’s findings.

Even though the browser struggles to retain as many users as its competitors — and had some road bumps with updates — Firefox’s tracking protection is far more comprehensive than Microsoft Edge and Google Chrome, which do not disable third-party cookies by default. Meanwhile, Apple’s Safari browser and Firefox have blocked third-party cookies since 2013. In addition, privacy-focused browsers Tor, Brave, Epic, and Min also block third-party cookies by default.

In 2020, Google announced that it plans to phase out support for third-party cookies in Chrome within the next two years. This was delayed until 2023.

Google has argued with Mozilla’s approach to blocking third-party cookies and has said that this will only drive the industry to find workarounds. Mozilla believes that while advertising is central to the internet economy, it also believes that consumer privacy should not be optional. The non-profit company never sells or buys your data – it still collects it, however – and Firefox developers are driven to work towards a more “healthy internet,” the company once wrote.

Google unpauses privacy-focused changes to Chrome UA strings

Google is resuming work on reducing the granularity of information presented in user-agent strings on its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic, when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.

The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Although Google has laid out a pretty generous-looking timeline of origin tests — and its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021“. So the changes certainly won’t ship before 2022.

The move, via development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open standards to “fundamentally enhance” web privacy.

Part of this move toward a more private default for Chromium is depreciating support for third party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting of cohorts of users (aka FLoCs).

Cleaning up exploitable surface areas like fingerprintable user-agent strings is another component — and should be understood as part of the wider ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox.

The latter remains a massive, tanker-turning effort, though.

And while there has been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines it’s allowing for origin tests of the changes to user-agent strings — a seven phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)

Indeed, back in 2019 Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. Albeit in January 2020 it seemed to dial up at least part of the timeline, saying it wanted to phase out support for third party cookies within two years.

Still, Google can’t realistically depreciate tracking cookies without also shipping changes in browser standards that are needed to provide publishers and advertisers with alternative means to do ad targeting, measurement and fraud prevention. So any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third party cookies. (And 2022 may well be the very earliest the shift could happen.)

There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has massive implications for many other web users; most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web.

Unsurprisingly, it has faced a lot of pushback from those sectors.

Its plan to end support for third party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third parties’ access to user data while continuing to help itself to masses of first party user data (given its dominance of key Internet services). So depending on how regulators respond to ecosystem concerns Google may not be able to keep full control of the timeline, either.

Nonetheless, from a privacy perspective, Chrome paring back user-agent strings is a welcome — if overdue — move.

Indeed Google’s blog post notes that it’s the laggard vs similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox.

“As noted in the User Agent Client Hints explainer, the User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rational for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”

Commenting on the development, Dr Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”.

“The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering IP address and the UA string at the same time is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests doing them.”

Google’s blog post notes that its UA plan was “designed with backwards compatibility in mind”, and seeks to reassure developers — adding that: “While any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).

“If your site, service, library or application relies on certain bits of information being present in the User Agent string such as Chrome minor versionOS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required and things should continue to operate as they have to date.”

Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t made necessary updates to their code in time.

“Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing as today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”