Underblocking and Overblocking
There are at least three substantial areas of underblocking that we know we need to address with future improvements.
- Old cookies. The revised policy does not limit preexisting tracking cookies. Firefox users who update to the revised policy will not fully benefit until they clear their cookies.
- Temporary visits. Sometimes a user temporarily visits a tracking website, such as after clicking an advertisement (intentionally or inadvertently). The revised policy indefinitely allows tracking cookies from a website after just one temporary visit.
- Dual-use domains. Several popular websites use the same domain for both consumer services and tracking. Yahoo!, for example, operates both its homepage and advertisement tracking from yahoo.com. If a user visits the Yahoo! homepage, the company will be able to track the user across other websites. Google, on the other hand, largely hosts search on google.com but advertising tracking on doubleclick.net. If a user runs a query with Google, they will still be protected against Google ad tracking.
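
The three underblocking cases above can be reproduced with a small model. This is an added example, not Firefox code: it assumes the revised policy allows a third-party cookie only when the cookie jar already holds a cookie for that domain, and `simulate`, `baseDomain`, `TRACE` and the `.example` hosts are hypothetical names constructed for the illustration.

```javascript
// Added model, not Firefox code. Assumption: a third-party cookie is allowed
// only when the cookie jar already holds a cookie for that domain.

// Naive registrable domain (last two labels); browsers use the Public Suffix List.
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// Constructed browsing trace. Only yahoo.com, google.com and doubleclick.net
// come from the post; the .example names are placeholders.
const EMBEDS = ["ads.yahoo.com", "ad.doubleclick.net",
                "cdn.tracker.example", "px.legacy-ads.example"];
const TRACE = [
  { visit: "www.yahoo.com" },                      // dual-use domain
  { visit: "www.google.com" },                     // search only
  { visit: "news.example", embeds: EMBEDS },
  { visit: "cdn.tracker.example" },                // ad click: temporary visit
  { visit: "shop.example", embeds: EMBEDS },
];

// Returns { trackerDomain: [sites where its third-party cookie was allowed] }.
function simulate(trace, preexisting = []) {
  const jar = new Set(preexisting.map(baseDomain));
  const exposure = {};
  for (const step of trace) {
    const site = baseDomain(step.visit);
    jar.add(site); // assumption: every visited site sets a first-party cookie
    for (const host of step.embeds || []) {
      const third = baseDomain(host);
      if (third === site || !jar.has(third)) continue; // same-site or blocked
      if (!exposure[third]) exposure[third] = [];
      exposure[third].push(site);
    }
  }
  return exposure;
}

// Upgraded profile that still holds an old tracking cookie, then a cleared one.
console.log(simulate(TRACE, ["legacy-ads.example"]));
console.log(simulate(TRACE));
```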
All views, errors, and omissions are solely my own. I do not speak for Mozilla or the Mozilla community.
1. See the survey paper Third-Party Web Tracking: Policy and Technology for background. In the context of this post, “tracking” means the collection of a user’s browsing history by a third-party website.
2. For an overview of Mozilla’s open-source community model, see MozillaWiki » Community and Mozilla.org » Governance. Many members of the Mozilla community have now contributed to the tracking countermeasures effort.
3. Apple and Microsoft have both automatically limited tracking cookies for a decade. There was an effort to block tracking cookies by default in Firefox three years ago, but it was withdrawn under contested circumstances (1, 2, 3, 4).
4. Other considerations could include types of underblocking and overblocking, as well as possible reactions to the policy. Future posts might address these topics, depending on reader interest.
6. The sites are dayonecenter.com (Alexa rank > 1M) and western.org (Alexa rank ≈ 200K).
7. As I understand our release conditions, the patch will move forward unless there’s confirmed breakage, the breakage is so substantial as to outweigh longstanding user demand for privacy, and the breakage cannot be ameliorated through outreach, mitigation measures, or rapid iteration. Under present circumstances, the patch plainly satisfies these release conditions.