Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

What about the data Firefox collects and sends?

Everyone who considers using Firefox should read its privacy policy.

Firefox's privacy policy mentions it sending data to organizations/companies like Mozilla, Google, SalesForce, Leanplum, Adjust, and possibly others.

The privacy policy dated September 28, 2017 contains awful stuff like:

Firefox sends data about your interactions with Firefox to us (such as number of open tabs and windows; number of webpages visited; number and type of installed Firefox Add-ons; and session length) and Firefox features offered by Mozilla or our partners (such as interaction with Firefox search features and search partner referrals).

Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.

Firefox sends us data such as the position, size and placement of content we suggest, as well as basic data about your interactions with Firefox’s suggested content. This includes the number of times suggested content is displayed or clicked.

When you choose to click on a Snippet link, we may receive data about the link you followed.

Desktop versions of Firefox periodically check for browser updates by connecting to Mozilla servers. Your Firefox version, language, and device operating system are used to apply the correct updates. Mobile versions of Firefox may connect to another service if you used one to download and install Firefox.

Firefox for Desktop and Android periodically connect to Mozilla to protect you and others from malicious add-ons. Your Firefox version and language, device operating system, and list of installed add-ons are needed to apply and update the add-ons blocklist.

Firefox sends basic information about unrecognized downloads to Google's SafeBrowsing Service, including the filename and the URL it was downloaded from.

This may involve Firefox sending certain information about the website to the Certificate Authority identified by that website.

Firefox by default sends Mozilla HTTP data that may be included with Firefox’s installer. This enables us to determine the website domain or advertising campaign (if any) that referred you to our download page.

Firefox by default sends mobile campaign data to Adjust, our analytics vendor, which has its own privacy policy. Mobile campaign data includes a Google advertising ID, IP address, timestamp, country, language/locale, operating system, and app version.

Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor, which has its own privacy policy.

Firefox by default sends search queries to your search provider to help you discover common phrases other people have searched for and improve your search experience.

Mozilla receives your email address and a hash of your password when you create a Firefox Account. You can choose to include a display name or profile image. Your email address is sent to our email vendor, SalesForce Marketing Cloud, which has its own privacy policy. If you use your Firefox Account to log into other websites or services (such as AMO or Pocket), we receive the timestamp of your log-in from those services.

For security purposes, we store the IP addresses you use to access your Firefox Accoun

Waterfox Is Better

[NicknameUnavailable]

This is just Firefox trying to be a source of telemetry. Waterfox is based on Firefox, but removes all the telemetry, sponsored ads, etc plus a bunch of security holes the Firefox team isn't addressing.

Re:Private browsing

[Luthair]

I'm not sure you understand the scenario. These are third-party cookies that the browser would receive via headers when the tracking network was included on another site The tracking networks cookie would only appear on the headers to that network and could not be read by other sites.

Re:Private browsing

[Fahrvergnuugen]

It's trickier than that...

What happens when you insert the facebook or adsense code on your website is that you are actually including content hosted by the ad network.

Your browser is then loading that content from that ad network because in addition to loading mygreatwebsite.com, you are also loading ads.adcompany.com or whatever.

The cookie from the ad network is linked to ads.adcompany.com. The same cookie is being set for every website that serves content from that same ad network, and so they are able to build a profile on you.

The bigger an ad network gets, the more websites it is installed on, the more clear the profile becomes.

I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

Re: Private browsing

If the browser loads a resource from a domain, that domain can set a cookie for itself via HTTP headers (or if the resource is a script, through the script). That's normal, isn't it? But this is also true if that resource comes from a "third party" domain, i.e. one which is different from the domain of the web page itself. Example: You are looking at slashdot.org, which loads a script from taboola.com. Then the taboola.com script can set a cookie for taboola.com. Slashdot.org can not read that cookie, but if a page from a different domain also loads a script from taboola.com, that script can (normally) read the cookie for taboola.com. That cookie usually contains a tracking ID, so when many sites on the web load a taboola.com script, taboola.com can track you across web sites. With first-party isolation, the third party cookie can still be set, but it is only readable when the third party resource is loaded in the same first party domain context where it was set. Something else you can do (and probably should do) is disallow third party cookies altogether or at least make them expire when you close the browser. If you do the latter, first party isolation still helps by preventing in-session tracking.

Re:Private browsing

[sexconker]

I guess (I don't know the details of it) what this feature is doing, is preventing any cookies that differ from the domain displayed in the URL from being loaded. I'm not sure how exactly this is different from private browsing.

No, it's in the summary.

This is isolation, not blocking. Plenty of sites won't work if you outright block 3rd party cookies.
What this does is allow the cookie to be set and sent back in future requests, but it's one cookie per ad domain AND per visited site.

If you go to pussy.com and it loads a tracking asset for ass.com, Firefox sets a cookie for ass.com.
If you go to pussy.com again and it loads a tracking asset for ass.com, Firefox sends the same cookie back.
So ass.com can track you on pussy.com.

If you then go to titties.com and it loads a tracking asset for ass.com, Firefox sets a separate cookie for ass.com.
This way, ass.com can't track you across pussy.com and titties.com as a single user by use of their cookies.

They will still try (and generally succeed) at such tracking via browser fingerprinting, timing, meta analysis, and the good ol' IP address.