Enhanced Tracking Protection in Firefox

A presentation at Mozilla TechSpeaker Meetup in September 2019 in Amsterdam, Netherlands by Niels Leenheer

Slide 1

Hi! I’m Niels and today I am going to explain what Firefox does to prevent websites from tracking you. And I’m going to explain it in the most simple terms. There is a lot of nuance that I am not going to cover. These are the important parts, the parts that you should know about.

Slide 2

To answer how Firefox prevents tracking, I should first explain how tracking works.

Slide 3

Imagine a social media website. That everybody uses. Let’s call it…..

Slide 4

FaceTube. Everyone has an account there.

Slide 5

When you log in, it sends over a cookie with a unique id in it. And the browser stores that for later use. For all intents and purposes that id is you. That id is linked to your FaceTube account. And whenever FaceTube sees that ID, it knows it is you.

Slide 6

That is very handy, because when you visit the site next time, that cookie is sent back to the site and you don’t have to log in again.

Slide 7

So, yeah. Cookies are greeeaaat.

Slide 8

Luckily cookies are private. Other websites, like cheesecake-empire.com, can’t read that cookie and find out who you are. That cookie is just for FaceTube. But….

Slide 9

Companies sometimes include social media buttons on their website. So many websites have those buttons. And the cheesecake-empire website too. But these buttons are not actually running on the cheesecake website.

Slide 10

This button is part of the FaceTube site. That is what we call third party content. Content from another website embedded in a different website. And in this case…

Slide 11

…that button can read that cookie and as a result FaceTube knows which of its users visit the cheesecake-empire.com website.

Slide 12

And you don’t even have to click on that button for it to send that information back to FaceTube. It just has to be there on the website. In fact it can even be invisible. It can be hidden and still send back information.

Slide 13

So, yeah that is pretty bad.

Slide 14

And those buttons are EVERYWHERE. FaceTube knows exactly what sites you visited, what stuff you bought and what hobbies you have and more… And FaceTube isn’t the only one.

Slide 15

And you don’t even need an account to be tracked. Companies that you’ve never heard of can track what websites you visit, what articles you read and what products you look at and advertise based on your history.

Slide 16

Sometimes they can even execute arbitrary JavaScript on the website, follow your mouse movements and what you type on your keyboard. And the website may not even know about the trackers on their website, because one tracker, or a banner, can insert other trackers.

Slide 17

Ever wondered why, when you just bought that unicycle, you suddenly get all kinds of…

Slide 18

…ads for unicycles? Why? You just bought one, but apparently some algorithm thinks that since you bought one you clearly must be interested in unicycles.

Slide 19

Happens to me all the time. And not just on search engines…

Slide 20

…but also on totally unrelated websites. Every site you visit! The whole internet…

Slide 21

…suddenly knows that you like unicycles… and cheesecake. Thanks to a couple of tracking pixels on the order confirmation page. That is why!

Slide 22

So what can we do about this? Well, luckily browsers are getting better about this. Some browsers.

Slide 23

Firefox, for example, now uses a list of known trackers. And it will block access to cookies when that tracker is embedded in a different website. So logging in to the FaceTube website still works just like before. But when it is third party content, it just won’t work. That cookie is locked. FaceTube can’t access its own cookie.

Slide 24

Except when you interact with that button. Then it does work. If you click…

Slide 25

…on the like-button, that is a signal for the browser to unlock…

Slide 26

…that cookie. Because apparently you - the user - have liked that site and you want to share…

Slide 27

…that with FaceTube.

So everything still works. Like buttons still work. Logins still work. But you can’t be tracked anymore.
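
The decision described on slides 23 to 27, as an added example that is not part of the talk and is not Firefox's code. It is a simplified model: the tracker list, the `facetube.example` hostname and the scoping of an unlock to the embedding site are assumptions of the model.

```javascript
// Constructed tracker list; a real browser ships a curated list of known trackers.
const KNOWN_TRACKERS = new Set(["facetube.example"]);

// Naive "site" = last two labels of the hostname. Real browsers use the
// Public Suffix List; this shortcut is wrong for suffixes such as co.uk.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

class CookiePolicy {
  constructor(trackers = KNOWN_TRACKERS) {
    this.trackers = trackers;
    // "embeddedSite|topLevelSite" pairs the user has unlocked (model assumption).
    this.grants = new Set();
  }

  // Called when the user clicks inside the embedded third-party content.
  recordInteraction(embeddedHost, topLevelHost) {
    this.grants.add(`${siteOf(embeddedHost)}|${siteOf(topLevelHost)}`);
  }

  // May a request to requestHost, made from a page whose address bar shows
  // topLevelHost, carry requestHost's cookies?
  decide(requestHost, topLevelHost) {
    const reqSite = siteOf(requestHost);
    const topSite = siteOf(topLevelHost);
    if (reqSite === topSite) return "allow: first party";
    if (!this.trackers.has(reqSite)) return "allow: not on tracker list";
    if (this.grants.has(`${reqSite}|${topSite}`)) return "allow: unlocked by user";
    return "block: known tracker in third-party context";
  }
}

// Walk through the talk's scenario.
const policy = new CookiePolicy();
console.log(policy.decide("www.facetube.example", "www.facetube.example"));
console.log(policy.decide("buttons.facetube.example", "cheesecake-empire.com"));
policy.recordInteraction("buttons.facetube.example", "cheesecake-empire.com");
console.log(policy.decide("buttons.facetube.example", "cheesecake-empire.com"));
```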

Slide 28

And in the future Firefox may even become stricter and not automatically unlock that cookie when the user clicks on that button.

Slide 29

Using the Storage Access API, the button must actually request access. And the browser can show a dialog…

Slide 30

…to the user to confirm that this is actually what the user wants to do…

Slide 31

The user is back in control.
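
What requesting access looks like from inside the embedded button, as an added example that is not part of the talk. It uses the Storage Access API calls `document.hasStorageAccess()` and `document.requestStorageAccess()`; the `#like` element id, the `/like` endpoint and the function names are hypothetical.

```javascript
// Code for the embedded third-party frame (the button), not the host page.
// `doc` is the frame's document, passed in so the flow can run outside a browser.

// On load: asking whether the cookie is already unlocked needs no user gesture.
async function initialState(doc) {
  if (typeof doc.hasStorageAccess !== "function") return "unsupported";
  return (await doc.hasStorageAccess()) ? "unlocked" : "locked";
}

// On click: request access as the first step of the handler, while the click
// still counts as a user gesture. The browser may show a prompt at this point.
async function handleClick(doc, sendLike) {
  if (typeof doc.requestStorageAccess !== "function") {
    return sendLike("unsupported"); // cookie behaviour is the browser's default
  }
  try {
    await doc.requestStorageAccess();
    return sendLike("granted"); // later requests from this frame carry the cookie
  } catch {
    // Rejected: no user gesture, the user declined, or browser policy refused.
    return sendLike("denied"); // treat the visitor as anonymous
  }
}

// Browser wiring; skipped when no document exists (for example under Node).
if (typeof document !== "undefined") {
  const button = document.querySelector("#like"); // hypothetical element id
  const sendLike = (state) =>
    fetch("/like", {                               // hypothetical endpoint
      method: "POST",
      credentials: state === "denied" ? "omit" : "include",
    });
  initialState(document).then((state) => { button.dataset.storage = state; });
  button.addEventListener("click", () => handleClick(document, sendLike));
}
```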

Slide 32

Slide 33

Now, if you want more information about tracking prevention in Firefox and the Storage Access API, I can recommend these articles on MDN. They cover all the details and all the nuances that I glossed over in this very quick introduction. Also on the Safari WebKit blog, there are loads of articles about their Intelligent Tracking Prevention system and the Storage Access API, which they actually implemented first. So definitely worth your time to read those articles.


Slide 34

And with that… And I hope I haven’t scared you too much. I want to say thank you!