Starting with its latest release, Firefox 102, the browser ships with a new privacy feature that strips parameters used to track your movements around the web from URLs. But the feature isn’t enabled by default. “The first job of any software is to function as users expect, and anything that breaks the user’s experience no matter how well-intentioned is likely to cost a developer customers,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, told Lifewire over email. “[The new feature] can have the side effect of breaking the user’s expected experience, so developers often err on the side of caution and do not automatically enforce this or similar protections by default.”
Cull the Trackers
Many websites and online services add tracking parameters to links that allow them to track visitors across the web. The most prominent example is Facebook, which appends a unique fbclid string to all outgoing links, which helps the social network identify and track users. The new Query Parameter Stripping feature relies on a blocklist to strip known tracking parameters from URLs. “I’d say it’s just the next iteration of the cat and mouse game between companies looking for any and all opportunities to track users across the web and users concerned with preserving their privacy,” said Clements. Explaining the need for the feature, Clements said that some parts of the web have been built around assuming certain functionality, whether it be third-party cookies or tracking parameters in URLs, will be present to work as intended. However, these functions have been abused to invade a user’s privacy to such an extent that many developers have taken steps to actively block the capabilities. Clements pointed out that there are arguments about just how invasive or potentially damaging tracking can be, as well as potential benefits from companies using tracking data to better understand user behavior to make product improvements or deliver more relevant targeted ads. “However, what I feel often gets lost in these discussions is the lack of both informed consent as well as practical means for users to protect their privacy,” noted Clements. “It’s one thing for a person to understand in abstract ‘yeah okay, this company is tracking me’ and quite another to comprehend how detailed the tracking can be as well as disconcerting ways it could be abused at scale.” He argued that till recently, the situation was made worse by the lack of tools to help people protect their privacy should they want to.
Implementation Blues
While the tracking parameter removal feature from Firefox is a step in the right direction, Clements cautioned that unscrupulous advertisers still have plenty of techniques for gathering user data and that people have few ways of defending themselves against. To cause minimal disruption to the user experience, Firefox doesn’t enable the query string protection feature by default. The new feature is part of Firefox’s Enhanced Tracking Protection (ETP) and will only be available when the ETP level is set to Strict. This could result in many Firefox users missing out on the privacy improvement. Jacob Taylor, Head of Information Technology and Server Engineering at Richard Carlton Consulting, Inc., raises another concern. Congratulating Firefox for its recent string of privacy improvements, such as the recently introduced cookie container, Taylor’s primary concern is the limited list of tracking parameters that the new feature can remove. According to BleepingComputer, the new feature can block URL tracking parameters from Olytics, Drip, Vero, HubSpot, Marketo, and Facebook when enabled. Conspicuous by its absence is Google, pointed out Taylor. On the other hand, Brave Browser has a similar tracking parameter stripping feature that strips away many more trackers, including Google. “I also am aware [Mozilla] is primarily funded by Google, and ‘biting the hand that feeds’ so directly is perhaps not something they are willing to do,” said Taylor.
