Security/Anti tracking policy

From MozillaWiki
Jump to: navigation, search

This document describes the online tracking practices that Mozilla believes, as a matter of policy, should be blocked by default by web browsers. These practices are potentially harmful to users and cannot be meaningfully understood or controlled by users.

We intend to implement technical protections in Firefox to block all tracking practices included in this policy. If we discover additional tracking techniques, we may expand this policy to include the new technique and may implement technical measures to block those techniques in Firefox.

Our current anti-tracking mitigations in Firefox rely on the Tracking Protection list to classify trackers. This list is curated by Disconnect in alignment with this policy.

Tracking Definition

Tracking is the collection of data regarding a particular user's activity across multiple websites or applications (i.e., first parties) that aren’t owned by the data collector, and the retention, use, or sharing of data derived from that activity with parties other than the first party on which it was collected.

A first party is a resource or a set of resources on the web operated by the same organization, which is both easily discoverable by the user and with which the user intends to interact. An intention to interact is characterized by a deliberate action, such as clicking a link, submitting a form, or reloading a page. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute an intention to interact. Interactions with other parties are considered third-party, even if the user is transiently informed in context (for example, in the form of a redirect).

A third party is any party that does not fall within the definition of first party above.

Tracking We Will Block

1. Stateful cross-site tracking through Web APIs

Cookie-based cross-site tracking. Cookies, DOM storage, and other types of stateful identifiers are often used by third parties to associate browsing across multiple websites with the same user and to build profiles of those users, in violation of the user’s expectation.

For third parties engaged in this type of tracking, Firefox will block or remove access to stateful identifiers. Access to storage may be granted when a user has shown purposeful intent to interact with a third party during their visit to a specific first party. For example, if a user attempts to interact with a third-party login provider while visiting a specific first party, the third-party provider may receive storage access on that first party.

2. Navigational cross-site tracking

Cross-site tracking using URL decoration. When tracking by other means is not available, some entities choose to add information to URLs to pass information between sites. When the browser navigates between sites, the linking site adds information to the URL that is not about the destination page. URL decoration might be used to carry information about the user: their identity, their interactions on the linking site, or other information.

Any party actively setting, retrieving, or sharing an identifier or other personal data in a URL for the purpose of building a user profile is in violation of this policy.

The most common form of URL decoration uses query parameters. Firefox will seek to identify query parameters that sites use for tracking purposes and remove these parameters from cross-site, top-level navigations.

An exception is made for URL decoration that is used for the following purposes:

  • Attribution, specifically where URL decoration is not user-specific and Mozilla is confident that it cannot be used to enable tracking.
  • Cross-site login or authorization, where URL decoration might identify a user, but is explicitly part of actions deliberately requested by the user (i.e., where the decoration is required to fulfill the user’s request, rather than just carrying unnecessary information).
  • Form submission, or other actions where the URL decoration contains information that is the direct result of user choice.

These exceptions might be temporary. As alternative approaches for use cases are developed that do not rely on URL decoration, Firefox might implement additional restrictions on the use of URL decoration. Firefox might also offer options that allow users to further limit URL decoration.

This policy might be amended in future to include stricter rules.

3. Tracking via unintended identification techniques

Unintended identification techniques use browser features that are not intended for device or user identification for the purposes of storing or generating a tracking identifier. Unlike tracking using standards-defined storage locations - such as cookies or the Web Storage API - these techniques are not under the control of the browser’s state management settings.Thus can not be easily cleared or reset by users. Examples include, but are not limited to:

  • Browser fingerprinting. Fingerprinting is used to identify a user or user agent by the set of properties of the browser, the device, or the network, rather than by setting state on the device. For example, a party which infers the set of fonts a user has installed on their device and collects this information alongside other device information would be considered to participate in browser fingerprinting.
  • Supercookies. This refers to a collection of techniques that involve storing tracking identifiers in areas of the browser that are not cleared when the standards-defined locations are cleared. This allows a tracker to re-establish a tracking identifier after a user or user agent clears storage. For example, a party which uses multiple domains to encode a tracking identifier in HTTPS Strict Transport Security flags would be considered to use supercookies.

While this type of tracking is not currently blocked in Firefox, we may apply additional restrictions to the third parties engaged in this type of tracking in the future.

Policy circumvention

If a party attempts to circumvent the technical solutions we’ve outlined in this policy, we may without notice add additional restrictions to that party to prevent the circumvention.

Policy Exceptions

We will block the practices described above when the party using them is classified as a tracker. We previously offered a set of exceptions independent from tracker classification, but as of July 9, 2019 we will no longer grant new exceptions. We will stop honoring the current set of exceptions in a future version of Firefox.

Temporary Web Compatibility Interventions

If we discover breakage that we'd like to fix through Firefox code changes, we may temporarily disable a protection for the relevant domains while we work on the fixes. To prevent these from becoming permanent exceptions, a deadline must be provided by the engineer at the time of unblocking, with a maximum deadline of 18 months. We may alternatively unblock domains for up to 6 months when we are working in collaboration with the impacted site or party to fix website breakage. These interventions are tracked in Bug 1537702.

Questions about this policy should be directed to