Firefox gets next-gen anti-tracking defence, stymies 'bounce' trackers
- 05 August, 2020 04:35
Mozilla has announced a new defence against advanced tracking tactics that it will be switching on in Firefox 79 starting immediately and pushing out to the remaining user base during the next few weeks.
Calling the improved technologies and techniques Enhanced Tracking Protection 2.0, Mozilla said that ETP 2.0's primary job is to block redirect tracking, also known as bounce tracking.
Trackers have been exploiting a loophole of sorts to continue following users browsing with Firefox, which enabled its first-generation ETP by default in June 2019. ETP takes a hands-off approach for first-party cookies – those tied to the site being browsed – because to do otherwise would break many of those websites or require users to, say, log in each time they returned.
Trackers exploited that.
"Redirect tracking takes advantage of this to circumvent third-party cookie blocking," Steven Englehardt, a Mozilla privacy engineer, said in an August 4 post to a company blog.
To do so, those practicing redirect or bounce tracking force users to "make an imperceptible and momentary stopover to their website" so that their trackers can be loaded as first-party and thus have their cookies stored by Firefox (for later reuse, as first-party cookies are).
The redirect or bounce tracker then sends the user on to the user's destination website, now burdened with identifiers following them and reporting back to the first-party cookies.
To short-circuit this trickery, Firefox's ETP 2.0 regularly scrubs the browser of cookies and other site-specific data stored by known trackers. "This prevents redirect trackers from being able to build a long-term profile of your activity," Englehardt wrote.
ETP 2.0 doesn't completely stop bounce tracking, as the cookies survive between ETP 2.0's house cleanings. The interval between cleanings will be at least 24 hours, and if the browser is active throughout (as unlikely as that may be), up to and beyond 48 hours, because cookie and other site data storage will be cleared only when the browser is idle, according to a technical description of the new defence.
ETP 2.0 is also supposed to steer clear of cookies tied to legitimate services, even if those cookies are served by trackers (another dodge by these web bloodhounds). Instead, Firefox will leave cookies be if the user has interacted with the site in the past 45 days, even if those cookies are used to conduct tracking.
"This way you don't lose the benefits of the cookies that keep you logged in on sites you frequent, and you don't open yourself up to being tracked indefinitely based on a site you've visited once," said Selena Deckelmann, vice president of Firefox desktop, in a different blog post.
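The cleaning policy described above, sketched as an added JavaScript example (not Firefox's code and not from the original article). The function names, record fields and `.example` hosts are hypothetical, and matching trackers by exact host and the exact boundary comparisons are simplifying assumptions.

```javascript
// Added illustration of the purge policy described in the article; not Firefox source.
// All names (shouldPurgeNow, sitesToPurge, the record fields) are hypothetical.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const PURGE_INTERVAL = 24 * HOUR;     // at least 24 hours between cleanings
const INTERACTION_WINDOW = 45 * DAY;  // sites used in the past 45 days are exempt

// A cleaning runs only when the interval has elapsed AND the browser is idle,
// which is why a browser that is never idle can go 48 hours or more without one.
function shouldPurgeNow(lastPurge, now, browserIdle) {
  return browserIdle && now - lastPurge >= PURGE_INTERVAL;
}

// Returns the hosts whose cookies and other site data would be cleared.
// sites: [{ host, hasStoredData, lastInteraction (ms since epoch, or null) }]
// knownTrackers: Set of hosts on the tracker list (exact-host match is an assumption)
function sitesToPurge(sites, knownTrackers, now) {
  return sites
    .filter((s) => s.hasStoredData)
    .filter((s) => knownTrackers.has(s.host))
    .filter((s) => s.lastInteraction === null ||
                   now - s.lastInteraction > INTERACTION_WINDOW)
    .map((s) => s.host);
}

// Constructed sample data.
const NOW = Date.UTC(2020, 7, 5);
const TRACKERS = new Set(["bounce.tracker.example", "social.example"]);
const SITES = [
  // Redirect tracker the user only ever passed through: purged.
  { host: "bounce.tracker.example", hasStoredData: true, lastInteraction: null },
  // On the tracker list, but the user interacted 10 days ago: kept.
  { host: "social.example", hasStoredData: true, lastInteraction: NOW - 10 * DAY },
  // Not on the tracker list: this policy never touches it.
  { host: "news.example", hasStoredData: true, lastInteraction: NOW - 90 * DAY },
];

function demo() {
  const lastPurge = NOW - 30 * HOUR;
  return {
    busy: shouldPurgeNow(lastPurge, NOW, false), // false: interval passed, not idle
    idle: shouldPurgeNow(lastPurge, NOW, true),  // true
    purged: sitesToPurge(SITES, TRACKERS, NOW),  // ["bounce.tracker.example"]
  };
}
console.log(demo());
```

The second sample record shows the trade-off the article describes: a host on the tracker list keeps its cookies for as long as the user keeps interacting with it inside the 45-day window.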