Rapid Fire: Peter Dolanjski on Enhanced Tracking Protection, fingerprinting and cryptocurrency mining
On October 23, Firefox 63 launched with what we’re calling Enhanced Tracking Protection. I sat down with Peter Dolanjski, Product Lead for the Firefox desktop browser to better understand what Enhanced Tracking Protection is, what it isn’t and how it helps people. From his home office in Paris, Ontario (not France) where a collection of musical instruments adorned his background, Peter also shared the exciting developments users can look forward to in Firefox next year, such as blocking fingerprinting and abusive cryptocurrency mining practices.
~ ~ ~ ~
What are some of the features of Firefox 63, the latest version that was just released?
Firefox 63 brings with it our Enhanced Tracking Protection functionality. With this latest version, users can choose to block cookies and storage access from known trackers, which effectively blocks the primary method of cross-site tracking by invasive ad networks. This is a stepping stone toward blocking cross-site tracking by default in an upcoming release.
So what does this mean to everyday Firefox users?
In user-speak that means ads won’t follow you around online. The research is pretty clear that users are genuinely creeped out and feel invaded by the pervasive tracking that happens by behavioral targeted advertising. This essentially blocks the majority of that from happening.
What is cross-site tracking all about?
Essentially cross-site tracking is when third parties — which are usually advertising networks like Facebook or some other networks you haven’t heard of — store cookies in your browser so that when you go from one site to another, they can read these cookies and determine that you were, for example, shopping for shoes. Later, when you’re on Facebook, they can then show you an advertisement for shoes.
What does cross-site tracking do to the web experience for the user?
It does a few things. One is that there is a whole bunch of opaque data collection happening. Users aren’t aware the degree to which the data collection is happening behind the scenes. In fact there are thousands of data exchanges where user information is collected, exchanged and made available for various advertisers to target you granularly with ads.
Beyond that, a lot of the scripts that are run to enable tracking actually slow down your experience quite a bit. They delay webpage load times while all these tracking scripts fire and run in the background.
Will Enhanced Tracking Protection lead to a broken experience for people?
It won’t. The original Tracking Protection functionality that we had in Private Browsing Mode, starting in 2015, was much more aggressive in that it would block scripts outright, and there was some breakage associated with it. Some websites wouldn’t work as expected or maybe a video wouldn’t load.
This new Enhanced Tracking Protection much more surgically targets the tracking that’s happening. So as opposed to blocking everything outright, it specifically goes after the way in which a lot of the tracking is facilitated via these cookies by blocking the ability of the cookie to be set. Users in our testing didn’t report any more breakage than when the feature is off.
But some cookies are useful in that they store my login information and my preferences. How will Enhanced Tracking Protection impact my ability to login to a site that I subscribe to, for example a cooking site where I have a login and saved recipes?
The scenario you’re describing is a first-party cookie for your site login and profile information, so that wouldn’t be impacted at all. When advertising networks attempt to set third-party cookies on the site, however, the ability to set those cookies would be blocked specifically for the advertisements. So it shouldn’t interfere with your day-to-day use of websites. You can get your content.
I’m also thinking this site probably runs advertisements.
You’ll still get advertisements, to be clear. It’s just that ad networks won’t be able to granularly collect your information and target advertisements specifically to you.
If people think this is an ad blocker, that’s not exactly right then, is it?
That’s right. The original Tracking Protection functionality did block some advertisements. The new approach with Enhanced Tracking Protection is meant to surgically go after just the tracking aspect. It purposely doesn’t block advertisements. It just blocks the ability of those advertisements to track you.
From Mozilla’s standpoint, advertising is not inherently bad. It’s what funds a lot of the content online. But the pervasive, opaque data collection that’s happening unbeknownst to users and without users actually agreeing to it in any way is the piece that we feel is not right, and users are pretty vehemently opposed to it based on our research.
Most people are absolutely shocked to hear the details on how their information is collected and exchanged by thousands of companies, all so they can get a relevant advertisement. There’s pushback in the industry on a lot of the stuff we’re doing here, and you can understand why. It threatens some of the standard practices that are in use. But the problem is that a lot of the tracking and data collection happening is so hidden. Having strong privacy by default is critical, and that’s why we’re heading in that direction.
What’s coming in future releases that you’re especially excited about?
A couple of things. Right now, Enhanced Tracking Protection is not on by default, so users need to go into the settings and enable it. In early 2019 we plan to enable this functionality by default so all you need to do is run Firefox.
Second, we’re going after the more advanced forms of tracking like fingerprinting. Fingerprinting essentially uses the attributes about your computer — your screen resolution, the hardware you use and the various settings you have on your computer — to create a unique fingerprint where advertising networks can say We don’t know who this actual person is, but we know by virtue of the fact that all these attributes combined are unique, and we can track them using this fingerprint. We are looking for domains that are known to fingerprint people so that Firefox can block them by default.
We are also going after cryptocurrency mining. Cryptocurrency mining is essentially when webpages use the computational power of your computer to mine for cryptocurrencies. That usually runs down your battery if you’re on a laptop, or if not, it will just consume your power pretty excessively. And almost always, this is happening unbeknownst to the user. They may notice that their fan on their computer got really loud, which is happening because it’s actually eating a lot of power. This is an abusive practice, and we are going to block primary cryptocurrency miners on the web by default in an upcoming release.
What is a privacy or security issue that people should be thinking more about today?
Password hygiene. In our user research, people are overwhelmingly concerned about getting hacked or having their data compromised in some way. At the heart of that problem is password hygiene. The reality is that people use the same password for everything, and they tend to be weak passwords. What they don’t realize is that their data is only as safe as the weakest link in the chain. So that obscure shopping site where you created an account years ago, if it gets hacked and your data is breached, the key to your entire digital existence is now available on the internet.
This is why we’re working on Lockbox and why we built Firefox Monitor, the service to alert you if your account data has been breached in some way. It’s quite frankly inevitable. Data shows that most online users today have something like 150 accounts. I sure can’t remember 150 passwords, and I expect most people can’t. So the reality is that people will experience data breaches. We built Firefox Monitor to warn you when this happens. We built Lockbox to help you take action, to have separate passwords and to have better hygiene.
I could honestly talk all day with you about what is coming in future releases, but let’s shift gears and get to some rapid fire questions starting with what is a typical breakfast?
Feeding my kids with one hand, feeding myself cereal with the other hand.
What do you do to to disconnect from technology?
I take the kids to the park.
Cats or dogs?
My spouse is allergic to cats, so it’s gotta be dogs.
Android or iOS?
Android because that’s where most of our mobile users are.
Where do you get your news?
Variety of sources. Pocket recommendations in Firefox. Twitter. NPR. Google News.
Car, bike, walk or bus?
Because I live in a small town, it’s walk when taking the kids to school and the park. Otherwise, we drive.
What’s the last internet gem you shared with someone?
RainyMood.com. It’s really nice way to focus.
When it comes to GIFs, hard or soft G?
What’s something about yourself that people would be surprised to know?
I play drums in a rock band.