1. 9
  1. 3

    I wish Firefox (and all other browsers) would adopt the cookie policy of the self-destructing cookies extension out of the box. I’ve been using it on mobile for about 10 years and it’s the only sane cookie policy that I’ve seen:

    • All cookies are treated as session cookies (they expire when you close the tab) by default.
    • Cookies that you want to persist must be explicitly opted out.
    • When you visit a site for the second time, there’s a notification asking if you want to restore cookies from the previous session.

    The last bit is the most important. When you leave a site, the extension doesn’t delete your cookies, it just stashes them out of the way. If you go back to a site and see that it’s lost a load of state, then (at the point where you realise that you actually did need cookies, not up front when you have no idea) you can restore them and (automatically) refresh the page.

    This composes well with the mechanisms in the article.

    1. 3

      I think it’s important to note that some things work for techies that may not work for the average browser user. Our goal is to make it work for everyone, really everyone. If we make it any kind of hard or confusing then we end up losing people to other browsers and have done a net disservice to them.

      Also, isn’t prompt fatigue a thing? In the early 2000s, I used to have Firefox set so that it would prompt me for every cookie before setting it and I ended up becoming a click-monster that just accepts everything. I would be concerned that people who know better would end up restoring more often than not.

      I would also be very concerned about people who do not know better and would be inconvenienced by these decisions. Security and privacy controls that “get in the way” (essentially all kinds of prompts) have been empirically shown to cause frustration and long-term harm. I personally think there’s way more value in safe defaults, e.g., accepting them all but isolating them by first-party (with opt-outs for compat).

      1. 3

        Did you (Mozilla) do any user studies on the self-destructing cookies policy? From my personal experience:

        • I hit the restore-cookies button a few times after a clean browser install and then never touch it again. It’s one click per site that I care about, zero clicks for ones that I don’t log into, so even that one click is seriously amortised.
        • I’ve installed it on some non-technical family members’ systems and had zero reported problems.

        The policy is very simple. The default is sane: 99% of web sites have no business remembering me between visits and so there’s a brief pop-up saying ‘do you want this web site to remember you from your previous visit’ and I have to do nothing for the 99%. For the few that I do want to log into, I click that notification once and then I never see it again because that site is now on an allow list and is able to record state for me.

        Importantly, I don’t have to make this decision up front. I don’t have to decide whether I want a web site to track me before I use it, I get to decide when I come back a second time. That’s the point at which I actually have the information that I need to make an informed decision: if stuff stopped working, I hit the ‘restore’ button, otherwise I do nothing.

        This policy combines two aspects of good UI design:

        • It defaults to the sensible thing.
        • It provides ‘undo’, rather than ‘confirm’ functionality (I retroactively decide whether I wanted a site to be able to provide persistent cookies).

        This is precisely the kind of thing that Mozilla used to be good at, back when they had HCI folks that understood cognitive and behavioural psychology, instead of UX folks who understood chasing shiny things.
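        A toy model of the policy described in this comment, added here as an example; it is not code from the thread or from the extension, and the class, method and site names are hypothetical:

```python
# Added example: a toy model of the self-destructing-cookies policy as described
# above. All names here are hypothetical; sample sites are constructed.
from dataclasses import dataclass, field


@dataclass
class CookieJar:
    live: dict = field(default_factory=dict)     # site -> {name: value} for open tabs
    stash: dict = field(default_factory=dict)    # cookies parked (not deleted) on tab close
    allow: set = field(default_factory=set)      # sites the user chose to be remembered by
    prompts: list = field(default_factory=list)  # log of "restore cookies?" notifications

    def set_cookie(self, site, name, value):
        self.live.setdefault(site, {})[name] = value

    def close_tab(self, site):
        # Every cookie is a session cookie unless the site was allow-listed.
        cookies = self.live.pop(site, {})
        if not cookies:
            return
        if site in self.allow:
            self.live[site] = cookies   # persists like an ordinary cookie
        else:
            self.stash[site] = cookies  # stashed out of the way, recoverable later

    def open_tab(self, site):
        # Second visit: offer to restore, but require no action for the 99% case.
        if site in self.stash and site not in self.allow:
            self.prompts.append(site)
        return self.live.get(site, {})

    def restore(self, site):
        # The "undo": user decides retroactively that this site may keep state.
        self.allow.add(site)
        self.live[site] = self.stash.pop(site, {})
        return self.live[site]


def demo():
    jar = CookieJar()
    jar.set_cookie("news.example", "tracker", "abc")  # site never logged into
    jar.set_cookie("mail.example", "session", "tok")  # site worth remembering
    jar.close_tab("news.example")
    jar.close_tab("mail.example")
    news_state = jar.open_tab("news.example")  # {} : state gone, prompt shown, ignored
    jar.open_tab("mail.example")               # login lost, so the user hits restore
    jar.restore("mail.example")
    jar.close_tab("mail.example")              # allow-listed now, so it survives
    return news_state, jar.open_tab("mail.example"), jar.prompts
```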

        1. 3

          Maybe this is just a UX challenge. Maybe this requires more careful, contextual and transparent insight & opt-out. Maybe not. Either way I’m not a UX or HCI person and btw, I don’t appreciate that you imply some UX folks are uninformed or bad.

          I like the idea that an “undo” button might be useful, but I still want to shy away from regular prompts.

          Anyway, we did conduct a study (about 5 years ago) that compared various privacy features (e.g., strict tracker blocking, storage isolation, referrer trimming, making third-party cookies session-only, allowing only third-party cookies from visited sites, and fingerprinting resistance mode). In essence, we learned that people will eagerly quit the study or switch browsers if the site breaks. Especially if they are in the process of visiting a website of habitual browsing (docs, email, search engine, …). If we alienate our users, we end up not helping them. That’s quite tricky imho.

          In the end, I still believe that storage isolation gets the job pretty much done. I’m not sure you need a prompt when you can know that the isolated cookie is unable to be used cross-site.

          1. 1

            In the end, I still believe that storage isolation gets the job pretty much done. I’m not sure you need a prompt when you can know that the isolated cookie is unable to be used cross-site.

            Storage isolation is very fragile. It allows a site to build a lot of data on a user that can later be correlated and assumes that, because you can’t correlate it today then it’s safe. As soon as you have a single data point that allows you to correlate a site’s visitors with another site’s visitors, you have lost the privacy guarantees, retroactively.

            This is what the policy from self-destructing cookies buys you: it prevents a single site from being able to build a cookie-based profile of you that it can later aggregate with other data sources.

    2. 1

      You could have Gmail open in one container tab and Google Shopping and News in other containers (for instance, under different accounts) and Google will be oblivious to their relation.

      This is only true in respect to Cookies right? Using any other technique to identify the user(s) like fingerprinting, web storage, etc would break this. To think that Google only keeps track of who you are by Cookies is bordering on ridiculous.

      1. 2

        Going back to this, the better response would have been: Containers are also separating other storage, not just cookies. We do full state isolation (including TLS sessions iirc).

        1. 1

          AH! That makes total sense. Thanks!

          Also I realize my comment could have come across as mean-spirited, and if that was the case, I apologize, that was not my intention.

        2. 1

          We’ll have to assume legality until we know better, but go ahead and prove me wrong :-) I personally don’t think a company as big and international as Google would be reckless enough to openly, overtly violate privacy acts when they can get most of it done by using the legal route.

          1. 2

            Maybe we are speaking about different things, I’m confused by this comment.

            I have no idea why you think Google hides the fact that they don’t only use cookies and why you think it’s illegal to do so:

            The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.

            -Google’s Privacy Policy

            They make it pretty clear, they consider every bit of information they can collect from you fair game.

            1. 1

              Thanks, I must have misunderstood your comment. Good point, thank you.