Mozilla tests pre-beta Firefox 'deeper than local' privacy

News by Adrian Bridgwater

Experimental Firefox functionality released to web developers is intended to block Internet tracking elements

Mozilla has used its technical blog to confirm that the firm is ‘experimenting with new privacy features’ in pre-beta versions of the Firefox browser.

The new controls are intended to offer more options for user privacy with an updated ‘Private Browsing’ function.

Deeper than local, one louder

To explain its positioning here, Mozilla acknowledges that all major browsers offer some form of private ‘local’ browsing to prevent other users viewing web history, recent online activity and even cookies. Mozilla is experimenting with ways to offer users even deeper control from a privacy perspective.

NOTE: These updates are ready for testing by web developers now and relate to Firefox Developer Edition on Windows, Mac and Linux, plus Firefox Aurora on Android.

According to Mozilla, the experimental Private Browsing enhancements actively block ‘website elements’ that could be used to record user behaviour across sites.

“This includes elements like content, analytics, social and other services that might be collecting data without your knowledge,” says the firm.

In terms of usability, this function could cause websites to appear to be broken when elements of tracking are blocked out - but these can be relatively easily unblocked when needed.

Paco Hope, principal consultant at application security and software security consulting firm Cigital, spoke to SC today to comment on this news, saying that enterprises suffer privacy violations too: “So they should therefore welcome pioneering efforts like this from Mozilla as much as some individuals do. The kinds of trackers and analytics technologies that would be affected can also be used in attacks that try to identify employees or monitor the behaviour of employees at target firms.”

Hope points to the elements Firefox is targeting and says they are crucial to making techniques such as targeted advertising designed for executive job headhunting work.

Hope concluded as follows, “It's not hard to see how direct access to senior executives (via ads for example) could be used against a firm. Privacy features that interfere with invasive marketing technologies improve the security of both individuals and enterprises.”

Gavin Reid, VP of threat intelligence at Lancope, also spoke to SC today on this issue.

“This is another volley in the ongoing user versus website privacy battle. While giving the user more control is a good thing, most users won't know how to use them - or understand why they need to,” said Reid.

“This is a step in the right direction; however, the solution to this issue will have to be user independent to have the right impact,” he added.

Andrew Conway, research analyst at Cloudmark, pointed out that marketing companies attach a lot of value to tracking individual behaviour.

“This has led to the creation of 'supercookies' or 'zombie cookies' which will come back to life and track your activity even if you delete regular browser cookies. These have been used by companies such as Hulu, MSN, and various ad networks. Flash is one of the vectors used for this, but there are others. It seems as if Firefox is attempting to strike back against supercookie users by restricting persistent data and isolating plug-ins.”

“We may see a technical arms race as the ad networks seek more subtle ways of maintaining persistent data. There is an even harder-to-block supercookie possible and that is one inserted into HTTP headers by mobile network carriers. I would strongly recommend the adoption of HTTPS by all webmasters for the increased privacy and security it provides,” added Conway.

Candid Wueest (Threat Researcher at Symantec) emailed SC to add: “There are methods for users to opt out of tracking, like DoNotTrack for example, but most of these require additional research, downloads or are voluntary. It's good to see that browser vendors are looking to help users manage their privacy. Allowing users to selectively block active content that can track a user's ID is a helpful feature. We already see with embedded videos or similar content, the process for unblocking can be very simple. Mozilla's approach seems to be based on a predefined list of elements to block. When it comes to updating this list to cope with new elements, or accidentally blocking legitimate content, only time will tell how the final implementation handles that.

“This approach will be helpful in protecting the privacy of the user but there are other ways of tracking a user. Even the browser settings can be unique enough to identify a user as the Panopticlick project has shown. This feature will not solve all privacy tracking issues, but it is a step in the right direction.”

In other related news…

In work related to this privacy control update, Mozilla also says that it is working to make third-party add-ons for Firefox safer to use.

While Firefox add-ons bring the browser an arguably quite powerful set of customisation options, Mozilla admits that the gateways created can lead to problems.

“Add-ons may have the ability to create unwanted toolbars or buttons, collect information, change your search settings or inject ads or malware into your device,” says the firm.

Add-on verification is now enforced by default in pre-beta Firefox. 
