Mozilla has tapped the brakes on its plans to block third-party cookies by default in the Firefox browser.

Test versions of Firefox 22, scheduled for a June release, were supposed to include a patch that blocked third-party cookie drops by default. However, Mozilla CTO Brendan Eich said yesterday those plans have been temporarily put on hold for more testing.

Mozilla has been promoting this privacy-conscious decision for months, most publicly at the RSA Conference in February. Chief privacy officer Alex Fowler commented during a panel discussion about the practices of advertisers, data brokers and others who monitor and profit from users online behaviors. In particular, Fowler concentrated on the practice of third parties dropping cookies on users’ machines without the user’s consent and from sites the user has not visited. The policy, Fowler said, would state that in order for cookies to be placed on a user’s computer, the user must interact with the site, not third-party content on another site. Apple’s Safari browser blocks third-party cookies by default, and this is the model Mozilla is following.

This week’s announcement by Eich backpedals a little on Mozilla’s stance.

“The idea is that if you have not visited a site (including the one to which you are navigating currently) and it wants to put a cookie on your computer, the site is likely not one you have heard of or have any relationship with,” Eich wrote on his blog. “But this is only likely, not always true.”

Eich said Mozilla will refine its patch to address false positives and negatives. Eich offered an example where a user could visit a site that would embed a cookie from another site it owns as a false positive. As for false negatives, he said just because a user visits a site once should not be consent for that site to drop a cookie and track the user’s activities.

“Our challenge is to find a way to address these sorts of cases,” Eich said. “We are looking for more granularity than deciding automatically and exclusively based upon whether you visit a site or not, although that is often a good place to start the decision process.”

Eich said Mozilla will ship a refined version of the patch with blocking on by default.

“Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites,” he said. “We will also ask some of our Aurora and Beta users to opt-in to a study with deeper data collection.”

This week, the patch, Eich said, moved to the Firefox 22 beta release, but it is not on by default. Users would have to opt in; the patch is on by default in the Aurora release. Eich said false positives can hamper the user experience on sites they visit, while false negatives enable tracking where it’s not wanted.

“We have heard important feedback from concerned site owners. We are always committed to user privacy, and remain committed to shipping a version of the patch that is ‘on’ by default,” Eich said. “We are mindful that this is an important change; we always knew it would take a little longer than most patches as we put it through its paces.”

Privacy advocates such as the Electronic Frontier Foundation have praised Mozilla’s intention to follow Apple’s lead here, yet recognized that making a change such as this could affect the bottom line of many advertisers.

Other privacy-related tracking measures such as Do Not Track are also political hot potatoes between privacy advocates and advertisers. Microsoft, for example, ships Internet Explorer 10 with DNT turned on by default, a signal to sites that the user does not want to be tracked. Some sites, however, will ignore the signal, and groups such as the Apache HTTP Server Project argue that Microsoft’s decision does not indicate the user’s wishes. Mozilla’s Fowler, meanwhile, said fewer than 15 percent of Firefox users send the DNT header.

“People are asking for a different level of privacy on your service, and you have to listen to that. It’s critical to the business and web ecosystem,” Fowler said at RSA. “At Mozilla, we also do online advertising campaigns and email outreach. We try to think about the tracking we impose on users, so we are making an effort to work with vendors who are willing to respect the DNT header. It’s not a condition, but we think it’s important for organizations advocating for this that we spur service providers to understand and respect it.”

Categories: Privacy