Firefox announced this week that it is rolling out “Total Cookie Protection” by default to all its users worldwide. It’s a neat feature—we liked it so much that we called it one of the most transformative security innovations of 2021—and will go a long way towards keeping Firefox users safe from the pernicious practices of data brokers. It doesn’t stop all kinds of tracking, but it makes it much harder for your activities around the web to be tracked from site to site.
Firefox is possibly more popular than you think. It has around 6.65 percent of the desktop browser market in the US and around 7.66 percent of the market worldwide. It’s the fourth most popular browser after Google Chrome, Microsoft Edge, and Safari. (The percentages change but its ranking doesn’t if you also include mobile web browsers.) In short, this update is going out to millions of people and will likely be yet another nail in the coffin for cookies.
Total Cookie Protection works by making a separate “cookie jar” for every website you visit. All the cookies for a given site are put in its dedicated cookie jar. This means you can’t be tracked around the web (as other sites can only access their own cookie jar). So if you search for “running shoes” on Amazon, for example, you’ll no longer see ads for running shoes popping up on every site you visit. There’ll still be a cookie in Amazon’s cookie jar with the details of your search history, but the ad units on other sites won’t be able to see it and pull from it. You will likely end up with dozens of similar cookies stored in all your different cookie jars instead of just one, but since they’re tiny text files, they won’t affect your computer’s performance.
In the blogpost announcing the feature, Mozilla claimed that, “this approach strikes the balance between eliminating the worst privacy properties of third-party cookies… and allowing those cookies to fulfill their less invasive use cases (e.g. to provide accurate analytics).” It’s a pretty fair summary. You won’t have to login to every site every time you visit (one of the good uses of cookies) but you will be much harder to track around the web (one of the very bad ones).
As for the competition, Microsoft Edge is trialing a “Super Duper Secure” mode that has a similar feature, though it isn’t as private by default. Safari blocks all cross-site tracking whether using cookies, fingerprinting, or anything else by default with a feature called Intelligent Tracking Prevention; it is designed to limit all kinds of tracking “while still enabling websites to function normally.” But that is only available on macOS. Brave is available on Windows, Mac, and Linux and is at least as aggressive in how it blocks cookies by default; we suspect it’s not being included as it has less than 0.1 percent of the desktop browser market so hardly counts as a “major” player. Opera, with around 2.5 percent of the desktop browser market (about the same as Internet Explorer) is probably being excluded on the same grounds. DuckDuckGo is currently in a Mac-only beta, has negligible desktop market-share, and its privacy credentials are under fire after it was revealed it had a deal with Microsoft to allow certain trackers.
Really, all that’s left is Google Chrome which, somewhat unsurprisingly, is not the most aggressive at preventing tracking cookies. It is due to start blocking third-party cookies next year—though similar plans have already been delayed in the past.
If you use Firefox, this is definitely a nice boost to your privacy. Or if you use Microsoft Edge or Google Chrome and want something that’s a bit more privacy-focused, this could be a compelling reason to switch—Firefox is a good, modern browser. For Safari, Opera, Brave, and even DuckDuckGo users, though, Total Cookie Protection doesn’t offer any radical extra privacy protection. In those cases, it then comes down to what browser you like the most.