Mozilla and Stanford Pitch New Cookie Blocking Approach

Laying More Rail for a Do-Not-Track Web

By Published on . 2

Techno-privacy wonks are laying yet another rail for Do Not Track. Mozilla, maker of the Firefox browser, has paired with the Stanford Center for Internet and Society to create a Cookie Clearinghouse. The project, still in a nascent stage, essentially will be two lists of domains -- one that users' browsers will permit to set cookies and one that will be blocked from doing so.

But the initiative could have a greater impact on digital data privacy than the simple concept suggests.

The effort comes at a time when everyday people are gaining a heightened awareness of rampant data collection by corporations -- for logistics and marketing purposes -- that in turn fuels National Security Administration surveillance. It also comes at a time of introspection among those involved in the development of a Do Not Track standard at the Worldwide Web Consortium, whose work is now more than a year and a half overdue. Some who have been working on that project, including Stanford privacy activist Jonathan Mayer, believe it may need to draw to a close with no resolution.

A small group of stakeholders including Mozilla, Stanford and browser maker Opera Software will guide the new clearinghouse, which in part is intended to clarify some elements of a patch designed for Mozilla's Firefox browser that would block third-party cookies by default. That technology was "simplistic," said Mozilla CTO Brendan Eich. The company said in May that the planned patch needed more testing.

The problem with the patch, which will remain in an alpha testing phase, is that it considered primary domains -- think Facebook.com -- as separate from other domains associated with the same first party -- such as Facebook's fbcdn.net, the domain used by Facebook for delivery of content such as photos. That would prevent an associated domain from setting a cookie even though users really had visited the site.

The clearinghouse will label these alternate first-party domains as permitted to set cookies. So, in theory, browser companies adopting the clearinghouse list would allow those domains to track users when they have turned on the related privacy function on their browsers, because they will be considered first-party domains, or sites the user has actually visited.

The clearinghouse is "addressing some of these edge cases," said Aleecia McDonald, director of privacy for Stanford Center for Internet and Society.

Another situation the Mozilla patch does not account for that the clearinghouse will encompass: tracking by social widgets on websites. Countless websites feature social sharing buttons from the likes of Facebook, ShareThis and AddThis. Sometimes those systems track users whether or not they interact with the share buttons. Cookies set by those widgets would be on the clearinghouse's block list.

Mozilla and Stanford will support opt-out cookies set by the Digital Advertising Alliance, which operates the ad industry's Ad Choices privacy program, and let users choose to enable tracking by particular sites if they want. "We will support that user choice," said Ms. McDonald.

Makers of browsers have yet to commit to participate in the clearinghouse initiative, Mr. Eich said. Indeed, many of the details are elusive, such as how the clearinghouse will treat cookies set for things like site analytics and whether the system would be enabled by default in browsers. Mozilla and Stanford hope to work with the digital privacy community to sharpen the finer points. "Mozilla is joining the advisory board to formulate the process for creating Cookie Clearinghouse allow-lists and block-lists, with the intention of implementing it in Firefox," a Mozilla spokesperson said.

"We want to give visibility into the process," said Ms. McDonald. "There's no point in building something like this in secret."

For more than two years the Worldwide Web Consortium, or W3C, has been publicly debating technical and policy aspects of a Do Not Track standard. The project deadline has been postponed multiple times amid internal squabbles highlighted by eagle-eyed privacy and tech journalists. Though some working on the W3C's Do Not Track initiative believe consensus can be reached, some do not, and some have even begun questioning what defines consensus in the first place.

"The odds of success are quite low, and the easy thing to do every time a deadline comes up is to punt… That's something I think the group shouldn't continue to do," said Mr. Mayer regarding the D0 Not Track project at the W3C. He wrote a message posted to the W3C public site last week suggesting the DNT effort should end:

Our Last Call deadline is July 2013. That due date was initially January 2012. Then April 2012. Then June 2012. Then October 2012. We are 18 months behind schedule, with no end in sight.

There must come a stopping point. There must come a time when we agree to disagree. If we cannot reach consensus by next month, I believe we will have arrived at that time.

Mr. Mayer, a self-described robot builder and recent Stanford law graduate working with the Center for Internet and Society, developed the patch blocking third-party cookies that Mozilla originally intended to implement in Firefox by default.

The W3C process has "far more moving parts than the cookie clearinghouse has and it has a far larger policy component," said Ms. McDonald, adding "I'd be surprised if only one thing works for all people."

Read These Next

Comments (2)