Mozilla, maker of the Firefox web browser, must fix three areas within its third-party-cookie-blocking patch before it can be rolled out to users, according to Stanford graduate student Jonathan Mayer, who developed the patch.
The problematic areas involve “underblocking,” i.e. inadvertently allowing unwanted tracking cookies past Firefox’s cookie blocking patch, Mayer explained in a blog post today. “Cookie policies are inherently imprecise,” Mayer observed. “Some unwanted tracking cookies might slip through, compromising user privacy (underblocking). And some non-tracking cookies might get blocked, breaking the web experience (overblocking). The challenge in designing a cookie policy is calibrating the tradeoff between underblocking and overblocking.”
Overblocking cookies has not been a problem for the patch, according to Mayer. Last week, Mozilla engineers requested at least six more weeks to measure the cookie-blocking patch’s performance and analyze its impact. As part of the testing, three areas that are being examined are as follows:
- Old cookies. At this time, Firefox’s cookie policy does not block preexisting tracking cookies on a user’s browser.
- Temporary visits. If a user visits a tracking website, like after clicking an advertisement, the policy indefinitely allows tracking cookies from a website after one visit.
- Dual-use domains. Firefox needs a strategy for websites that use the same domain for both consumer services and advertisement tracking. For example, “if a user visits the Yahoo! homepage,” Mayer noted, “the company will be able to track the user across other websites.”
Earlier today, Maureen Ohlhausen, commissioner of the Federal Trade Commission, expressed her support for advertisers and vendors to uphold consumer privacy practices through self-regulation. “I believe a voluntary, self-regulatory process should be carried out without undue government involvement,” Ohlhausen told members of the Network Advertising Initiative at the organization’s summit in New York City. “Otherwise, industries may lose the incentive to participate and instead take a wait-and-see attitude about whether Congress would ever impose legislation.”
A number of consumer online privacy bills are being discussed in Congress, but so far none have “garnered a lot of traction,” Ohlhausen said. Ohlhausen declined to speculate on which bills would be most likely to move forward.
In response to an attendee’s question on whether there have been any cases of a consumer experiencing actual “harm” as a result of data tracking for advertising purposes, Ohlhausen admitted that she has not seen any concrete examples. “There have been concerns that if you, for instance, did a search for diabetes, that information would get shared and prevent you from getting a job or your ratings will fall,” Ohlhausen said. “But none of the cases that have been presented show that’s actually happened…A lot of the concerns that are being generated are about what could happen.”
