Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Storage access policy: Block cookies from trackers (developer.mozilla.org)
62 points by rbanffy on Sept 22, 2018 | hide | past | favorite | 26 comments


And yet again this only makes the duopoly of Facebook and Google trackers even stronger. There cookies will never be removed, while every other network that offers potential competition suffers.

It's rather interesting how these browser makers consistently ignore any cooperation with the industry and keep making naive mistakes.

Here's a simple answer that would solve everything: all browsers offer a single anonymous Advertiser ID that is randomly generated and available to any JS via API. It can be regenerated anytime and limited to per-domain.

Instantly that would remove 90% of the pixels and improve performance everywhere, make recommendations more accurate for those who care, make it simple to opt-in or out of preferences, and would prevent this continuous arms-race.


> while every other network that offers potential competition suffers.

Good, that's the goal.

> And yet again this only makes the duopoly of Facebook and Google trackers even stronger.

It takes time to break entrenched monopolies. If you want to speed this up, antitrust enforcement would help a lot.

> browser makers consistently ignore any cooperation with the industry and keep making naive mistakes.

The the User Agent isn't obligated to help any particular industry. What you are calling a "naive mistake" is really just "fulfilling the needs of users who do not want to be tracked".

> anonymous Advertiser ID

That isn't possible. Make whatever random number you want, but the first time someone browses to Google (or anybody else) it will forever be associated with their (personally identifiable) Google account. Regenerating it just makes Google store a few more values in the account.

> Instantly that would remove 90% of the pixels ... and would prevent this continuous arms-race.

History suggest this would have little effect on that "arms-race". Advertisers have demonstrated many times that they only increase surveillance. The only effect your "Advertiser ID" would have is to make surveillance even easier.

> make it simple to opt-in or out of preferences,

It's naive to think anybody that already ignore the DNT header would respect a future redesign of the same flag.


Breaking up a monopoly via government pressure is completely separate from browser and internet privacy, and hurting potential competition only helps the monopoly. Google and Facebook wouldn't use the Advertising ID because they already have 1st party cookies so they know who you are.

The User Agent is just software that happens to be called that, it's not a moral statement, and this feature would help solve many issues on both sides. DNT is actually respected by far more than you may think, but the lack of an ID to go along with it is the problem. Having an easy ID system would let ad networks use native APIs, reduce network calls, and build up profiles that only last as long as a user is willing to keep the same ID. Let people change it per hour if they want, it maintains privacy will keeping a browsing session relevant and not overloaded with the same ad shown 20 times.

You know what's actually naive? It's refusing to listen to the industry that moves 100s of billions in ad spend every year and is full of smart people trying to have rational discussions instead of constantly fighting emotional tirades that put everyone in this mess in the first place.


> The User Agent is just software that happens to be called that

This is impressive rationalization. It's the User Agent because it's the software the user is running as their agent on their own computer. The only "moral statement" involved is basic property rights. The user gets to control their own computer (including the browser) for the same reason you get to control how the products you own are used.

> DNT ... but the lack of an ID to go along with it is the problem

You don't need to have an ID to not track someone's browsing habits. What, exactly do you want to do that 1) needs a tracking ID, but 2) isn't some type of tracking?

> Having an easy ID system would let ad networks [...]

That's nice. That isn't the user's job.

> and build up profiles that only last as long as a user is willing to keep the same ID

See? That's exactly the type of tracking we're trying to prevent. Surveillance is still surveillance even if you delete later.

> not overloaded with the same ad shown 20 times.

Again, not the user's problem.

> You know what's actually naive?

The surveillance-based businesses that are driving us straight into a surveillance state without any care for the risks and damage they are creating?

> It's refusing to listen to the industry that moves 100s of billions in ad spend every year

You should realize that many people see this as a bad thing. Those billions could have been spent on something useful. Of course, I don't expect you to understand this if your salary currently depends on not understanding the harm created by the ad industry.

> trying to have rational discussions instead of constantly fighting emotional tirades

You're sense of entitlement is amazing. People get emotional when people try to use their property without permission. There is no "rational discussion" here. If you are tracking people, you are the enemy. One day, when the databases of everyone's behavior starts to cause real damage (Cambridge Analytica was only a tiny preview), you will understand this. Until then, I suggest at least talking to the average person about what they think about having their activities tracked.


You are tilting at windmills here. You can say "not the users problem" endlessly but unless you're about to quit your job and never work at a commercial business that uses digital advertising again, it's just random noise that goes nowhere near attempting to solve the problem.

Advertising, and the greater concept of marketing, is what powers the growth of practically every business on the planet. Two of the most valuable companies are advertising companies because this matters so much. These companies do care about risks but the real problem is lack of regulation which is completely unrelated to browser cookies, so in the lack of such rules we can look at technical alignment that can solve at least some of the problems in the meantime.

> I don't expect you to understand this if your salary currently depends on not understanding the harm created by the ad industry.

FYI, less tracking means more money for ad networks. It means you can never optimize results and will have to run more generic campaigns, which waste more money and are a worse experience for both advertisers and users. So while that statement sounds good, the reality is that people in this industry are the best to consult with on ways to improve it because they work in it every day.

> Until then, I suggest at least talking to the average person about what they think about having their activities tracked.

I've been in adtech over a decade and I'm the only person with a business/technical background who has spent time, effort and money to push ad regulation in the US. I've talked to countless people from ad networks to adblockers to senators to grandparents. I'm familiar with all the arguments and what I presented is a way to make forward progress.

> There is no "rational discussion" here. If you are tracking people, you are the enemy.

Lol, ok great.


Until the mainstream learns how to work those controls, and as a result of uptake adtech develops something that works independently of Mozilla's system


This is a universal system design, not just for Mozilla. The mainstream is already blocking ads and cookies so it's not like we aren't already there, instead this is a way to get back to a good equilibrium on both sides while protecting privacy for those who want it.


This is pretty confusing and I'm not sure what it adds beyond an option to block all third-party cookies.

Is the goal here to try to get to a policy that can be enabled by default?


It allows third-party cookies except the ones on Disconnect's "Basic Protection" list.


Right, but it seems like almost everybody who cares about this would just enable third-party cookie blocking.

Put another way, what problem is this new policy solving, and how big a problem is it?


It solves the problem that the majority of firefox users is not blocking trackers, so enabling this at the end of January 2019 in Firefox 65 will protect all Firefox users, which make up around 10-15% of all Desktop web traffic in western countries.

With this step it follow Safari, which is already protecting users against third party tracking.


It solves the problem that the majority of firefox users is not blocking trackers

Is that a problem, however? Or more precisely, one that Mozilla wants to think is a problem and "solve"?

I use adblocking and such myself, but I think it should really be a personal choice --- browsers should just stay neutral. I have a suspicion that browser organisations taking sides in this will only lead to even more invasive tracking in the future, since this is a cat-and-mouse game. (Imagine if Firefox had adblock by default. It would just force adtech companies to come up with even more unblockable methods, since the defaults have changed.)


Like when browsers implemented popup blockers. Now we have even more invasive unblockable popups?

Websites can't do anything the browser doesn't allow. Or said another way, websites can only do what the browser was programmed to support. The browser is the decider.


Like when browsers implemented popup blockers. Now we have even more invasive unblockable popups?

Now the popups are almost always not new windows, but "pop-overs" inside the page itself.


If you start a war, you should be prepared to fight for a long time. That's why most browser makers don't even start.

Safari did and had to make multiple changes to ITP because criteo was fighting back.

It is always necessary to stay vigilant.


> browsers should just stay neutral.

Browsers are user agents - they should behave as such.

Trackers only exist because of decisions they made (to store files on behalf of users that websites ask them to). They made that choice for users. Now they are realizing that isn't always the right choice and are looking to make a slightly different choice.


If ads have to come from the primary domain being served, then the website has greater incentive to vet those ads. If they let malware through, it's their reputation that goes in the trash. No more letting adtech do the dirty work.


Not really. It's as simple as hosting some scripts or using a CDN for a local proxy. Plenty of publishers are already doing this.

If reputation was really that important, these sites wouldn't have put up these low-quality ad networks in the first place. It's not like they didnt know what was running.


Allowing third-party cookies wasn't a neutral decision to begin with, even though the implications only became clear later.


> browsers should just stay neutral

You mean this as a pragmatic choice, or moral choice? Because on a purely pragmatic level I somewhat agree with you - a popular browser making such decisions is risking either losing users, or furthering the cat&mouse game. But on the moral/ethical level, the browser is an user agent - providing features allowing users to enforce their preferences is a good thing.


Linux based OSes don't let you install software from a new repository without adding their keys to your system. This is for the user's own security. Blocking 3rd party tracker cookies by default is a similar decision. Sometimes developers have to protect users from choice overload and choose sensible defaults.


> it should really be a personal choice

Yes, but now it is not an educated choice, most simply have no idea they're tracked. Ask any person, "do you agree to being tracked?" Answer is obvious, so why not implement it in browsers by default?


Hang in. You could ask people “do you want to pay taxes?” And get a similar result. Doesn’t mean we should get rid of taxes.


Taxes == tracking ? I owe taxes by law. Whats the law for mandatory web tracking ?


Well, that can break functionality on some sites. Not all third-party cookies are tracking cookies. Being more specific about which cookies are blocked reduces breakage.


That is a dev mistake. So many default to no 3rd party, and for 95% of the web, nothing breaks. If you are in the 5%, the problem may be your design and not the user/browser/standard.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: