{"id":2532,"date":"2020-01-07T05:00:05","date_gmt":"2020-01-07T13:00:05","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2532"},"modified":"2021-03-17T08:18:39","modified_gmt":"2021-03-17T15:18:39","slug":"firefox-72-fingerprinting","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/","title":{"rendered":"Firefox 72 blocks third-party fingerprinting resources"},"content":{"rendered":"<p>Privacy is a human right, and is core to Mozilla\u2019s <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/manifesto\/\">mission<\/a>. However many companies on the web erode privacy when they collect a significant amount of personal information. Companies record our browsing history and the actions we take across websites. This practice is known as cross-site tracking, and its <a href=\"https:\/\/blog.mozilla.org\/security\/2018\/09\/05\/why-we-need-better-tracking-protection\/\">harms<\/a> include unwanted targeted advertising and divisive political messaging.<\/p>\n<p>Last year we launched <a href=\"https:\/\/blog.mozilla.org\/blog\/2019\/06\/04\/firefox-now-available-with-enhanced-tracking-protection-by-default\/\">Enhanced Tracking Protection<\/a> (ETP) to protect our users from cross-site tracking. In Firefox 72, we are expanding that protection to include a particularly invasive form of cross-site tracking: browser fingerprinting. This is the practice of identifying a user by the unique characteristics of their browser and device. A fingerprinting script might collect the user\u2019s screen size, browser and operating system type, the fonts the user has installed, and other device properties&#8212;all to build a unique \u201cfingerprint\u201d that differentiates one user\u2019s browser from another.<\/p>\n<p>Fingerprinting is bad for the web. It allows companies to track users <a href=\"https:\/\/hal.inria.fr\/hal-01652021\/document\">for months<\/a>, even after users clear their browser storage or use private browsing mode. Despite a near complete agreement between <a href=\"https:\/\/w3c.github.io\/fingerprinting-guidance\/\">standards<\/a> <a href=\"https:\/\/w3ctag.github.io\/unsanctioned-tracking\/\">bodies<\/a> and <a href=\"https:\/\/www.blog.google\/products\/chrome\/building-a-more-private-web\">browser<\/a> <a href=\"https:\/\/www.apple.com\/safari\/docs\/Safari_White_Paper_Nov_2019.pdf\">vendors<\/a> that fingerprinting <a href=\"https:\/\/wiki.mozilla.org\/Security\/Anti_tracking_policy\">is harmful<\/a>, its use on the web <a href=\"https:\/\/www.cosic.esat.kuleuven.be\/fpdetective\/#paper\">has<\/a> <a href=\"https:\/\/webtransparency.cs.princeton.edu\/webcensus\/\">steadily<\/a> <a href=\"https:\/\/sensor-js.xyz\/\">increased<\/a> over the past decade.<\/p>\n<p>We are committed to finding a way to protect users from fingerprinting without breaking the websites they visit. There are two primary ways to protect against fingerprinting: to block parties that participate in fingerprinting, or to <a href=\"https:\/\/wiki.mozilla.org\/Security\/Fingerprinting\">change<\/a> or <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1313580\">remove<\/a> APIs that can be used to fingerprint users.<\/p>\n<p><b><a href=\"https:\/\/www.mozilla.org\/firefox\/features\/block-fingerprinting\/\">Firefox 72 protects users against fingerprinting<\/a> by blocking all third-party requests to companies that are known to participate in fingerprinting.<\/b> This prevents those parties from being able to inspect properties of a user\u2019s device using JavaScript. It also prevents them from receiving information that is revealed through network requests, such as the user\u2019s IP address or the user agent header.<\/p>\n<p>We\u2019ve partnered with <a href=\"https:\/\/disconnect.me\/trackerprotection\">Disconnect<\/a> to provide this protection. Disconnect maintains a list of companies that participate in cross-site tracking, as well a list as those that fingerprint users. Firefox blocks all parties that meet both criteria [0]. We\u2019ve adapted measurement techniques\u00a0 from past <a href=\"https:\/\/webtransparency.cs.princeton.edu\/webcensus\/\">academic<\/a> <a href=\"https:\/\/sensor-js.xyz\/\">research<\/a> to help Disconnect discover new fingerprinting domains. Disconnect performs a rigorous, <a href=\"https:\/\/github.com\/disconnectme\/disconnect-tracking-protection\/blob\/master\/descriptions.md\">public evaluation<\/a> of each potential fingerprinting domain before adding it to the blocklist.<\/p>\n<p><b>Firefox\u2019s blocking of fingerprinting resources represents our first step in stemming the adoption of fingerprinting technologies. <\/b>The path forward in the fight against fingerprinting will likely involve both script blocking and API-level protections. We will continue to monitor fingerprinting on the web, and will work with Disconnect to build out the set of domains blocked by Firefox. Expect to hear more updates from us as we continue to strengthen the protections provided by ETP.<\/p>\n<p>&nbsp;<\/p>\n<p>[0] A tracker on <a href=\"https:\/\/github.com\/disconnectme\/disconnect-tracking-protection\/blob\/master\/services.json\">Disconnect\u2019s blocklist<\/a> is any domain in the Advertising, Analytics, Social, Content, or Disconnect category. A fingerprinter is any domain in the Fingerprinting category. Firefox blocks domains in the intersection of these two classifications, i.e., a domain that is both in one of the tracking categories and in the fingerprinting category.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privacy is a human right, and is core to Mozilla\u2019s mission. However many companies on the web erode privacy when they collect a significant amount of personal information. Companies record &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/\">Read more<\/a><\/p>\n","protected":false},"author":1597,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[847,69],"tags":[327154,327153,8118],"coauthors":[320791],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 72 blocks third-party fingerprinting resources - Mozilla Security Blog<\/title>\n<meta name=\"description\" content=\"Enhanced Tracking Protection (ETP) has been expanded to block a particularly invasive form of cross-site tracking: browser fingerprinting. This is the practice of identifying a user by the unique characteristics of their browser and device.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Steven Englehardt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/\",\"name\":\"Firefox 72 blocks third-party fingerprinting resources - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2020-01-07T13:00:05+00:00\",\"dateModified\":\"2021-03-17T15:18:39+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53\"},\"description\":\"Enhanced Tracking Protection (ETP) has been expanded to block a particularly invasive form of cross-site tracking: browser fingerprinting. This is the practice of identifying a user by the unique characteristics of their browser and device.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 72 blocks third-party fingerprinting resources\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53\",\"name\":\"Steven Englehardt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/921e0113c6856efe3f1960058729d00f\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g\",\"caption\":\"Steven Englehardt\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Firefox 72 blocks third-party fingerprinting resources - Mozilla Security Blog","description":"Enhanced Tracking Protection (ETP) has been expanded to block a particularly invasive form of cross-site tracking: browser fingerprinting. This is the practice of identifying a user by the unique characteristics of their browser and device.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/","twitter_misc":{"Written by":"Steven Englehardt","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/","url":"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/","name":"Firefox 72 blocks third-party fingerprinting resources - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2020-01-07T13:00:05+00:00","dateModified":"2021-03-17T15:18:39+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53"},"description":"Enhanced Tracking Protection (ETP) has been expanded to block a particularly invasive form of cross-site tracking: browser fingerprinting. This is the practice of identifying a user by the unique characteristics of their browser and device.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2020\/01\/07\/firefox-72-fingerprinting\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 72 blocks third-party fingerprinting resources"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/4e57438e5a1cb316da982a0053c6ed53","name":"Steven Englehardt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/921e0113c6856efe3f1960058729d00f","url":"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4013c3a1151063bb911608e4c8dc6f23?s=96&d=identicon&r=g","caption":"Steven Englehardt"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2532"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1597"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2532"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2532\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2532"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}