Firefox working with CIS to give users greater control over cookies

CIS has long been involved in the drive to make cookies more accountable to users. It was behind the Do Not Track initiative, which allows users to indicate that they do not wish to be tracked by cookies and which has evolved into a worldwide standard. Its weakness is that websites do not necessarily adhere to the instruction.

A CIS researcher, Jonathan Mayer, subsequently developed a Firefox patch that works similarly to Safari and blocks third-party cookies from websites the user has never visited. This patch nearly got through to full Firefox release, but was abandoned earlier this year because of the potential for both false positives and negatives. In the former, if the primary site delivers content from a secondary site, any cookies from the secondary site are automatically blocked because the user never visited that particular site. In the latter, visiting a site doesn’t mean the user actually trusts its cookies.

Now CIS has come up with a new approach – the Cookie Clearinghouse – and Firefox is on board. The concept starts with four presumptions: set cookies from visited websites; disallow cookies from other sites; allow Digital Advertising Alliance opt-out cookies; and set cookies allowed by the user. These presumptions borrow ideas from existing approaches: the first two from Safari, the third from Chrome, and the last in conformance with European law.

But it’s not foolproof. The big new initiative from the Cookie Clearinghouse is the maintenance of both a block-list and an allow-list to override the automatic response. Inclusion on either of these lists can be challenged.
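The decision flow described above, as an added sketch that is not code from CIS, Mozilla or the Cookie Clearinghouse. It shows the false positive and false negative of the visited-site heuristic and how list entries correct them. Function names, hostnames and list contents are constructed, and the precedence of block-list over allow-list over presumptions is an assumption.

```javascript
// Added illustration: all names, hostnames and list entries are constructed.

// Automatic response: the four presumptions from the article.
function presumption(cookie, profile) {
  if (profile.visited.has(cookie.host)) return 'allow';      // cookies from visited sites
  if (cookie.daaOptOut) return 'allow';                      // DAA opt-out cookies
  if (profile.userAllowed.has(cookie.host)) return 'allow';  // cookies the user allowed
  return 'block';                                            // cookies from other sites
}

// Assumption: a published list entry overrides the automatic response,
// and the block-list is consulted before the allow-list.
function decideCookie(cookie, profile, lists) {
  if (lists.block.has(cookie.host)) return { action: 'block', reason: 'block-list' };
  if (lists.allow.has(cookie.host)) return { action: 'allow', reason: 'allow-list' };
  return { action: presumption(cookie, profile), reason: 'presumption' };
}

// Constructed browsing profile and lists.
const profile = {
  visited: new Set(['news.example', 'adportal.example']),
  userAllowed: new Set(['payments.example']),
};
const lists = {
  allow: new Set(['static-cdn.example']), // content host the user never visits directly
  block: new Set(['adportal.example']),   // visited once, but its cookies are not trusted
};
const emptyLists = { allow: new Set(), block: new Set() };

const cookies = [
  { host: 'news.example', daaOptOut: false },
  { host: 'static-cdn.example', daaOptOut: false },      // false positive without lists
  { host: 'adportal.example', daaOptOut: false },        // false negative without lists
  { host: 'optout.example', daaOptOut: true },
  { host: 'unknown-tracker.example', daaOptOut: false },
];

// Compare the bare heuristic with the list-corrected decision for each cookie.
function compare() {
  return cookies.map((c) => ({
    host: c.host,
    heuristicOnly: decideCookie(c, profile, emptyLists).action,
    withLists: decideCookie(c, profile, lists).action,
  }));
}

console.table(compare());
```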

“Internet users are starting to understand that their online activities are closely monitored, often by companies they have never heard of before,” said Aleecia M. McDonald, the director of privacy at CIS driving the project. “But Internet users currently don’t have the tools they need to make online privacy choices. The Cookie Clearinghouse will create, maintain, and publish objective information. Web browser companies will be able to choose to adopt the lists we publish to provide new privacy options to their users.”

Mozilla's CTO Brendan Eich announced Wednesday, “Today Mozilla is committing to work with Aleecia and the CCH Advisory Board, whose members include Opera Software, to develop the CCH so that browsers can use its lists to manage exceptions to a visited-based third-party cookie block.”

It’s early days yet, and it will be some months before anything comes of the initiative. The advertising industry is, however, already concerned. The Washington Post (itself a member of the Interactive Advertising Bureau) quoted IAB president Randall Rothenberg, who “said the changes could disrupt Internet commerce, especially damaging smaller Web publishers that rely on the revenue brought by targeted advertising.”

Meanwhile, Forbes has reported on a potential cookie replacement: computer fingerprinting, or ‘the creepier technology that comes next.’ “This technique allows a web site to look at the characteristics of a computer such as what plugins and software you have installed, the size of the screen, the time zone, fonts and other features of any particular machine,” warns Forbes. It notes that the EFF “has found that 94% of browsers that use Flash or Java – which enable key features in Internet browsing – had unique identities.” The suggestion is that as browsers and users increasingly opt-out or remove cookies, the advertising industry will move to a different tracking technology based on the recognition of what is effectively a unique PC biometric.
