Security/Anti tracking policy: Difference between revisions

Added a more enforceable, client-side specific redefinition of URL parameter based tracking
(Move intervention policy from shavar-prod-list's README (https://github.com/mozilla-services/shavar-prod-lists#temporary-exceptions) to here)
(Added a more enforceable, client-side specific redefinition of URL parameter based tracking)
Line 14 (both revisions):

== Tracking We Will Block ==

'''Previous revision'''

===== 1. Cross-site tracking =====
'''Cookie-based cross-site tracking.''' Cookies, DOM storage, and other types of stateful identifiers are often used by third parties to associate browsing across multiple websites with the same user and to build profiles of those users, in violation of the user’s expectation.

For third parties engaged in this type of tracking, Firefox will block or remove access to stateful identifiers. Access to storage may be granted when a user has shown purposeful intent to interact with a third party during their visit to a specific first party. For example, if a user attempts to interact with a third-party login provider while visiting a specific first party, the third-party provider may receive storage access on that first party.

'''URL parameter-based cross-site tracking.''' When cookie-based tracking is not available, some third parties decorate URLs with user identifiers. When the browser requests those resources, either through a top-level navigation or a subresource request, those user identifiers are available to other websites or third parties. Any party actively setting, retrieving, or sharing an identifier or other personal data in a URL parameter for the purpose of building a user profile is in violation of this policy. While this type of tracking is not currently blocked in Firefox, we may apply additional restrictions to the third parties engaged in this type of tracking in future.

URL parameter-based cross-site measurement, such as ad conversion tracking, is acceptable only when the data collected is not tied to an individual user, and therefore doesn’t allow the data collector to build a profile of an individual user’s activity across sites.

::''Acceptable Example:''
::A site wishes to track conversions after a user interacts with an ad. The site can annotate the landing page URI of outbound advertisement clicks with information about which advertisement was clicked and from which publisher. When a user later completes a conversion action, third-party code from the site transfers information about the advertisement that led to the conversion back to its servers, such that an aggregate number of conversions can be computed. This is acceptable under our policy because it does not involve the creation of a user profile.

::''Unacceptable Example:''
::Similar to the example above, site A wishes to track conversions. But unlike that example, site A decorates all outbound links with a unique identifier that is mapped back to an individual user. A user clicks on a search result for site B and later purchases a product from site B. When this purchase is completed, the user’s unique identifier is sent back to site A’s servers to record the purchase. Because site A is building a profile of user purchases, this approach goes beyond conversion measurement and would be a violation of this policy.

===== 2. Tracking via unintended identification techniques =====
'''Unintended identification techniques''' use browser features that are not intended for device or user identification for the purposes of storing or generating a tracking identifier. Unlike tracking using standards-defined storage locations - such as cookies or the Web Storage API - these techniques are not under the control of the browser’s state management settings. Thus they cannot be easily cleared or reset by users. Examples include, but are not limited to:

'''New revision'''

===== 1. Stateful cross-site tracking through Web APIs =====
'''Cookie-based cross-site tracking.''' Cookies, DOM storage, and other types of stateful identifiers are often used by third parties to associate browsing across multiple websites with the same user and to build profiles of those users, in violation of the user’s expectation.

For third parties engaged in this type of tracking, Firefox will block or remove access to stateful identifiers. Access to storage may be granted when a user has shown purposeful intent to interact with a third party during their visit to a specific first party. For example, if a user attempts to interact with a third-party login provider while visiting a specific first party, the third-party provider may receive storage access on that first party.

===== 2. Navigational cross-site tracking =====

'''URL parameter-based cross-site tracking.''' When cookie-based tracking is not available, some third parties decorate URLs with user identifiers. When the browser requests those resources, either through a top-level navigation or a subresource request, those user identifiers are available to other websites or third parties.
Any party actively setting, retrieving, or sharing an identifier or other personal data in a URL for the purpose of building a user profile is in violation of this policy. Firefox will blocklist parameters included in the URL for this purpose and remove them from cross-site top-level navigations.

User profile building is currently characterized by Firefox through the following client-observable traits:
* High-entropy parameters that may identify a user (assign a unique identifier to a user) or encode user data. '''Exceptions being:'''
** Parameters exclusively identifying specific elements or actions on the navigating page (per-click or per-element identifiers). These parameters must assign a different value to each click or element they are identifying.
** Identifiers necessary to complete a user-initiated task such as logging in or submitting a form.
* High-entropy parameters that are broadly included in all (or nearly all) outgoing navigations from a site, even if the parameters are not uniquely identifying a user.
Because any type of URL decoration can violate some users’ personal sense of privacy, we allow for optionally configuring Firefox to apply stricter rules for parameter removal and may remove more parameters on certain user actions such as sharing a URL.

Firefox may also apply stricter rules for parameter removal by default in the future, which will be reflected in this policy.

===== 3. Tracking via unintended identification techniques =====
'''Unintended identification techniques''' use browser features that are not intended for device or user identification for the purposes of storing or generating a tracking identifier. Unlike tracking using standards-defined storage locations - such as cookies or the Web Storage API - these techniques are not under the control of the browser’s state management settings. Thus they cannot be easily cleared or reset by users. Examples include, but are not limited to:
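The new revision's "client-observable traits" lend themselves to a small audit tool. The script below is an added example written for this page, not Firefox's implementation and not the shavar-prod-lists data: it strips parameters from a hypothetical blocklist (the names `uid_example` and `trk_example` are made up) only on cross-site top-level navigations, and it scans a site's outbound links for high-entropy parameters that appear on nearly every link, skipping those whose value differs per link (the per-element exception). The registrable-domain check is a deliberate simplification that assumes eTLD+1 is the last two host labels; a real implementation consults the Public Suffix List. The sample links are constructed.

```python
"""Heuristics for the navigational (URL parameter) tracking traits in the
policy text. Added example; not Firefox code. Blocklist names and the
registrable-domain logic are assumptions made for illustration."""
import math
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical blocklist of parameter names (constructed for this example).
BLOCKLIST = {"uid_example", "trk_example"}


def registrable_domain(host):
    """Assumption: eTLD+1 approximated as the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_cross_site(initiator_url, target_url):
    src = urlsplit(initiator_url).hostname or ""
    dst = urlsplit(target_url).hostname or ""
    return registrable_domain(src) != registrable_domain(dst)


def strip_tracking_params(target_url, initiator_url, blocklist=BLOCKLIST):
    """Remove blocklisted parameters from a cross-site top-level navigation.
    Same-site navigations are returned untouched. Returns (url, removed)."""
    if not is_cross_site(initiator_url, target_url):
        return target_url, []
    parts = urlsplit(target_url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        (removed if name in blocklist else kept).append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), [n for n, _ in removed]


def estimated_bits(value):
    """Rough entropy estimate: per-character Shannon entropy times length."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum((c / n) * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def audit_outbound_links(links, min_share=0.9, min_bits=32):
    """Flag parameters that are high-entropy and present on nearly all outbound
    links from a site. A parameter whose value differs on every link is treated
    as a per-element identifier and skipped. Returns {name: reason}."""
    total = len(links)
    values_by_name = {}
    for link in links:
        seen = {}
        for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
            seen.setdefault(name, value)  # first occurrence per link
        for name, value in seen.items():
            values_by_name.setdefault(name, []).append(value)
    findings = {}
    for name, values in values_by_name.items():
        if len(values) / total < min_share:
            continue  # not broadly included
        if max(estimated_bits(v) for v in values) < min_bits:
            continue  # low entropy, e.g. a page section name
        distinct = len(set(values))
        if distinct == len(values):
            continue  # different value per link: per-element identifier
        findings[name] = "constant-per-user" if distinct == 1 else "broad-high-entropy"
    return findings


# Constructed sample: one constant high-entropy value on every link (user-id
# like), one per-link identifier, one low-entropy section name.
SAMPLE_OUTBOUND = [
    "https://shop.example/item/1?uid_example=q7Xp2LmZ9rTb4KvN&ref=home&el=A1b2C3d4E5f6G7h8",
    "https://news.example/article?uid_example=q7Xp2LmZ9rTb4KvN&ref=home&el=H8g7F6e5D4c3B2a1",
    "https://shop.example/item/2?uid_example=q7Xp2LmZ9rTb4KvN&ref=home&el=Z9y8X7w6V5u4T3s2&page=2",
    "https://blog.example/post?uid_example=q7Xp2LmZ9rTb4KvN&ref=home&el=M3n4O5p6Q7r8S9t0",
]

if __name__ == "__main__":
    print(audit_outbound_links(SAMPLE_OUTBOUND))
    print(strip_tracking_params(SAMPLE_OUTBOUND[0], "https://portal.example/"))
    print(strip_tracking_params(SAMPLE_OUTBOUND[0], "https://www.shop.example/cart"))
```

The audit deliberately reports the constant value case separately from the "present everywhere but varying among a few values" case, since the former maps directly to the unacceptable example in the previous revision (one identifier per user on every outbound link) while the latter only matches the broader second trait.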

