A protection-shield icon with a person holding up a cookie jar in the background.

My thoughts on Firefox blocking tracking/ad cookies by default

Firefox 67 was released earlier this week and it came with an invisible but significant change. Firefox users, or 10 % of the worldwide desktop web market share, just had their default browser settings changed to block cross-site tracking cookies by default.

So what does this change mean? This doesn’t mean that Firefox have started to outright block web advertising; Mozilla rejected that idea in 2018 after realizing small creators and websites were entirely dependent on ads for income.

Firefox is blocking cookies and other methods for persistently storing a unique identifier in the browser from a list of domains known to track users. This means tracking services like Google Analytics and Facebook Pixel will still be able to see where you go on the web and what you do. However, they can’t associate that data with a persistent identifier in the browser; which in turn can be linked to your Google or Facebook accounts.

Google Analytics is everywhere including on Mozilla’s own websites! You’ll see notices about Firefox blocking cookies from Google Analytics if you pull up Firefox’s developer tools while visiting just about any Mozilla web property. Google Analytics tracking codes are even injected into copies of Firefox you download from the Mozilla website.

Publishers relying on Google Analytics probably won’t notice many changes. The number of unique visitors and the visitor-retention tracking (days between a unique visitor’s visits) will probably stop working, but other than that things will remain mostly the same.

I’ve been using Google Analytics with data retention settings as low as they can go and privacy settings as high as they could go. Completely coincidentally, I’d pulled the Analytics script from Ctrl blog just a few hours before Firefox 67 was released. I’ve never been happy handing data about my visitors over to Google.

Lately, I’ve also realized that I could build my privacy-by-default analytics platform that won’t store any personal data that had a lower impact on page performance than Google Analytics. My replacement system even handles key metrics like time-on-page better than Google. I’ll write more about my Google Analytics replacement in the future.

So what about the ads — like the one unironically placed above this paragraph? (Is this considered breaking the fourth wall?) I disagree somewhat with Mozilla’s strategy of blocking ad network cookies completely.

I believe a better solution would be to limit their lifetime to something like three hours. This would have enabled the ad networks to still use them for some very time-limited tracking while also letting them still use cookies to detect click-fraud and abuse.

Really-short-lived cookies would still have enabled use-cases like remarketing (ads for products and from pages you’ve previously visited). Remarketing is often applied with the wrong targeting parameters and the campaigns last way too long.

Shorter lived cycles would have driven up the ad prices which would mean publishers would get better compensation, and advertisers would have to make sure they’ve gotten their campaign settings right to avoid wasting money. It would also have limited their ability to stalk you for months on end.

Mozilla instead chose to outright block all ad cookies from a list of known tracking companies. You may think that all the ad and tracking companies would have to do to get around it is to change to another domain. The problem is, of course, that these companies don’t control the third-party websites where their ads and tracking codes are installed.

Migrating to another domain would take a very long time and far from every publisher would be willing or able to put in the time and effort required to change the domain every time the new one got blocked by Mozilla.

I was happy last year when the Google AdSense, Google’s advertising platform for small publishers, gave publishers the choice to opt-out of behavioral ads in favor of less intrusive page-contextual ads last year. Google began offering publishers to use contextual ads as a way for publishers to stay compliant with the strict privacy requirements of the General Data Protection Regulation (EU GDPR).

I don’t like the idea of ad companies building profiles on everyone and carefully trying to manipulate each and every one of us. The original advantage AdSense had over its competitors when it launched was its ability to deliver page-contextual ads.

Contextual ads served publishers well ten years ago and I know of no reasons why the web shouldn’t revert from ads targeted at behavioral traits derived from tracking people to contextual ads matched by analyzing the webpage the ad is displayed on.

The ads you see on most pages here on Ctrl blog will be for enterprise grade tech solutions, as most of my articles lean towards programming and applicable-in-the-enterprise technology. Unfortunately, there are also a huge number of ads for headwear and windows.

I frequently write about Fedora Linux and Microsoft Windows and either Google or the advertisers don’t care to tell the difference between the operating system, and headwear and architectural features.

I suspect that at least the enterprisy ads may have a higher return than behaviorally targeted ads as all enterprise stuff is ridiculously overpriced and difficult to sell. I don’t know for sure, however, as Google don’t provide any transparency into these things for publishers.

The change also affects “coincidental-tracking” as advertising networks like Google AdSense, and “widget” providers like Facebook Comments Plugin and Disqus, embedded YouTube videos, and AddThis’ social sharing links. I’ve been against embedded widgets for years because of their hidden privacy costs. I’ve always kept their use to an absolute minimum.

In summary I believe the web will be just fine with third-parties no longer having access to the cookie jar’s of Firefox users. Some websites, especially those producing content of little interest to advertisers, will see some decline in ad revenue. Some advertisers may be a bit confused for a while as to why their behavioral advertising campaigns suddenly got 10 % more expensive as the target audience reachable with behavioral ads just shrank by 10 %.

In the long run, however, this is probably good for publishers and the web as a whole. This will hopefully drive up ad prices and the overall quality of the ads you see on the web in the process. Eyeballs on the web just got a little more expensive to reach, and low quality ads and advertisers with deceptive or low-margins-scam campaigns relying on ads being low-cost will be pushed out in favor of more serious actors.