Mozilla has announced a new Firefox protection feature to stymie a new user tracking technique lately employed by online advertisers: redirect tracking.
How does redirect tracking work?
Online advertisers, web analytics companies and browser makers are locked in a perennial arms race when it comes to methods for tracking users’ online behavior.
By implementing anti-fingerprinting protections, an anti-tracking policy, and Enhanced Tracking Protection (ETP), which blocks trackers as well as cross-site and third-party tracking cookies, Mozilla has, slowly but surely, been enhancing Firefox tracking protections for years.
In this latest step of this evolving effort, Mozilla is aiming to thwart redirect tracking (aka bounce tracking), a new technique used by advertisers to circumvent third-party cookie blocking.
Redirect trackers work by forcing users to make a short, imperceptible and unintended “stopover” when, for example, they follow a link to an online shop to buy something.
“Let’s say you’re browsing a product review website and you click a link to purchase a pair of shoes from an online retailer. A few seconds later Firefox navigates to the retailer’s website and the product page loads. Nothing looks out of place to you, but behind the scenes you were tracked using redirect tracking,” Mozilla privacy engineer Steven Englehardt explained.
The link looks like it will take users directly to the retail site, but a redirect tracker embedded in the review site intercepts the user’s click and sends them to the tracker’s own website instead, he notes.
“When the redirect tracker is loaded as a first party, the tracker will be able to access its cookies. It can associate information about which website you’re coming from (and where you’re headed) with identifiers stored in those cookies. If a lot of websites redirect through this tracker, the tracker can effectively track you across the web. After it finishes saving its tracking data, it automatically redirects you to the original destination.”
How will Firefox prevent this?
Starting with Firefox 79, which was released last week, the browser will, by default, clear out any cookies and site data stored by known trackers once every 24 hours.
“When you first visit a redirect tracker it can store a unique identifier in its cookies. Any redirects to that tracker during the 24 hour window will be able to associate tracking data with that same identifying cookie. However, once ETP 2.0’s cookie clearing runs, the identifying cookies will be deleted from Firefox and you’ll look like a fresh user the next time you visit the tracker,” Englehardt noted.
At the same time, cookies from non-tracking sites won’t be cleared out – e.g., cookies that allow users to remain logged into their email account, social network, etc.
“We provide a 45 day exception for any trackers that you’ve interacted with directly, so that you can continue to have a good experience on their websites. This means that the sites you visit and interact with regularly will continue to work as expected, while the invisible ‘redirect’ trackers will have their storage regularly cleared,” he concluded.
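The clearing rules described above can be modelled in a few lines. This is an added illustration, not Firefox's own code: the host names, the tracker list and the cookie-jar layout are constructed, and "interaction" is reduced to a stored timestamp.

```javascript
// Simplified model of the purge policy described in the article.
// Host names, the tracker list and the jar layout are constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;
const PURGE_INTERVAL_MS = DAY_MS;           // clearing runs once every 24 hours
const INTERACTION_GRACE_MS = 45 * DAY_MS;   // exception after direct interaction

const KNOWN_TRACKERS = new Set(["bounce-tracker.example", "social.example"]);

// jar: Map<host, { cookies: object, lastInteraction: number | null }>
function hostsToPurge(jar, now) {
  const purge = [];
  for (const [host, entry] of jar) {
    if (!KNOWN_TRACKERS.has(host)) continue;   // non-tracking sites keep their data
    const interactedRecently = entry.lastInteraction !== null &&
      now - entry.lastInteraction < INTERACTION_GRACE_MS;
    if (!interactedRecently) purge.push(host);
  }
  return purge;
}

// Runs the purge only when a full interval has elapsed since the previous run.
function maybePurge(jar, state, now) {
  if (now - state.lastPurge < PURGE_INTERVAL_MS) return [];
  const purged = hostsToPurge(jar, now);
  for (const host of purged) jar.delete(host);
  state.lastPurge = now;
  return purged;
}

// Identifier the tracker observes on a redirect: the stored one, else a fresh one.
function identifierSeenOnBounce(jar, host, freshId) {
  if (!jar.has(host)) jar.set(host, { cookies: { uid: freshId }, lastInteraction: null });
  return jar.get(host).cookies.uid;
}

function simulate() {
  const t0 = Date.UTC(2020, 7, 1);
  const state = { lastPurge: t0 };
  const jar = new Map([
    ["mail.example", { cookies: { session: "s1" }, lastInteraction: t0 }],
    ["social.example", { cookies: { uid: "u-social" }, lastInteraction: t0 - 10 * DAY_MS }],
  ]);
  const first = identifierSeenOnBounce(jar, "bounce-tracker.example", "id-A");
  const sameDay = identifierSeenOnBounce(jar, "bounce-tracker.example", "id-B");
  const early = maybePurge(jar, state, t0 + 6 * 60 * 60 * 1000); // too soon, no-op
  const purged = maybePurge(jar, state, t0 + DAY_MS);
  const nextDay = identifierSeenOnBounce(jar, "bounce-tracker.example", "id-C");
  return { first, sameDay, early, purged, nextDay, kept: [...jar.keys()] };
}
```

In `simulate()`, the two redirects inside the 24-hour window see the same identifier, the redirect after the purge sees a new one, and both the non-tracking mail site and the tracker the user interacted with 10 days earlier keep their storage.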
More technical information about the new protection feature can be found here.