Mozilla beefed up Firefox’s already impressive arsenal of privacy-preserving tech on Tuesday with the addition of a new tool in its flagship browser: Total Cookie Protection. As the name suggests, the feature promises to put the lid on any creepy cookies or third-party tracking tech that might want to track your behavior from site to site.
Before we get into the specifics of Firefox’s latest feature, it’s worth quickly recapping some of the basics of how cookies actually work. Broadly speaking, the tiny text strings we call “cookies” all have the same goal in mind: identifying your unique browser session on your unique computer, and storing that data away for later. Depending on the flavor of cookie involved, that stored data could be used for one of two things: either tracking your behavior on that particular website (first-party cookies) or tracking and compiling your behavior across multiple different sites (third-party cookies).
Explaining the way these third-party cookies stalk you across the web is a bit complicated (though Mozilla detailed the finer points of third-party tracking in this blog). In a nutshell, the reason that these cookies seem to persist on and on (and on) is because just about every site you can name undoubtedly has some number of these third-party cookies tucked into its margins—and sometimes, that number is in the thousands. If you happen to visit two sites that using the same bit of third-party code, there’s nothing stopping the company behind that third-party code from syncing that data for their own stalk-y purposes.
The way this new Firefox feature circumvents all that is actually pretty clever: maintaining a separate “cookie jar” for each individual site. Again, Mozilla helpfully outlined the nitty-gritty of how this works on its own blog, and promises—in short—that these jars will keep sneaky third parties from meshing cookie data from multiple sites behind the scenes.
This Total Cookie Protection tech is a direct follow-up to another security update that rolled out toward the end of January, when Mozilla announced that Firefox would now isolate its cache and network connection data on a website-by-website basis. Mozilla pointed out at the time that these sorts of data stores could be abused to essentially create a new kind of cookie (literally called a “supercookie”), that is much harder to shake off.
This all sounds totally great on paper, but as we’ve pointed out before, Firefox’s claims aren’t always airtight. That goes for its promises about Total Cookie Protection, too.
For starters, Mozilla mentions that the feature
makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers.
And that it
does not currently restrict third-party storage access for resources that are not classified as tracking resources.
While the post doesn’t delve into the details of what these exceptions look like, this technical doc on Mozilla’s developer blog offers a few clues.
First, it’s worth noting that Firefox’s definition of what a “tracker” actually is might be more narrow than you’d think. Because there’s literally thousands of players in the ever-growing adtech ecosystem, and because the list of trackers that Firefox uses (which you can see for yourself here) is relatively short by comparison, inevitably, folks using Firefox might see a cookie or two that slips under Firefox’s radar—and tracks them across the web—purely because that cookie didn’t fall within Firefox’s definition of what a “cookie” might be.
And once these trackers fall by the wayside, they’re free to access their cookies and other site storage, and using those identifiers to track users across multiple sites—at least for now. Per Mozilla’s dev blog, the company “may choose to apply additional restrictions to third-party storage access in the future,” even for widgets that aren’t necessarily classified as “trackers” under Mozilla’s strict definition.
Aside from this murky definition, there’s also the fact that Firefox gives certain third-party tools unfettered access across multiple sites as a way to “prevent website breakage.” The biggest culprit here, as Mozilla pointed out, are single sign-on (SSO) services, aka the buttons that let you log onto a site using your Facebook or Google account. Not for nothing, but considering how these two companies have kind of a lackluster reputation on the privacy front, I’d rather not give them—or their login widgets—a free pass.