Firefox 85: The Supercookie Hero

In January 2021, the Firefox web browser started blocking supercookies. These so-called supercookies are techniques that are used to track a user's activity across the web without their knowledge or permission. Starting with version 85, Firefox will silo each website and application that you visit into its own isolated partition. This means that anything that a site uses on your computer -- images, cookies, network connections, and more -- can only be used by that site itself. No other site will be able to access another site's information. 

This change has been in the works for a couple of years. Firefox has been security-focused from its beginning, but Mozilla (the company that makes Firefox) decided in 2018 to work to limit the ways that its users can be tracked. In the past two and a half years, the company has added blocking of cookies from known trackers, of scripts from browser fingerprinting companies, and now of these supercookies.

First, What is a Cookie?

A cookie is a small piece of information stored on your computer that is used to identify you. Cookies are used throughout the web and are vital to the web as we know it today, because they are what lets you log into sites and applications. Without them, you wouldn't be able to log into your webmail. Amazon wouldn't remember your shopping cart. Your pharmacy's website wouldn't recall your preferences.

Cookies can also be used to track users for advertising purposes and building user profiles. This usage is less about providing a robust user experience, and more about gathering information about you for marketing, and to sell. Modern browsers limit these cookies already to protect your information and your identity. 

What Makes a Cookie ‘Super’?

Supercookies, however, go beyond that. They hide tracking information in places that aren't designed to be used as information storage mediums. For example, supercookies will hide this tracking information in the browser cache, in Flash storage, in domain names used to address computers on the internet, and even in saved security protocol information. They attempt to hide the tracking information in these places so that it isn't easily noticed or removed.
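To see why the browser cache works as a hiding place, and what the per-site partitions described at the top of this article change, here is a toy cache model. It is an added example, not Firefox code and not part of the original article; `ToyCache`, `visitTwoSites` and the `.example` hosts are hypothetical, and the third-party server is a constructed stand-in.

```javascript
// Toy model of a browser HTTP cache. Not Firefox code; all names are hypothetical.
class ToyCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  // Without partitioning the key is the resource URL alone, so every site
  // that embeds the resource shares one entry. With partitioning the
  // top-level site the user is visiting becomes part of the key.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite}|${url}` : url;
  }
  fetch(topLevelSite, url, originServer) {
    const k = this.key(topLevelSite, url);
    if (!this.entries.has(k)) {
      this.entries.set(k, originServer(url)); // cache miss: ask the server
    }
    return this.entries.get(k);
  }
}

// Constructed stand-in for a third-party server that returns a different
// response body on every uncached request.
function makeThirdParty() {
  let counter = 0;
  return () => `response-${++counter}`;
}

// Visit two unrelated sites that embed the same third-party resource and
// report what each visit received from the cache.
function visitTwoSites(partitioned) {
  const cache = new ToyCache(partitioned);
  const server = makeThirdParty();
  const url = "https://thirdparty.example/pixel.png";
  const onShop = cache.fetch("shop.example", url, server);
  const onNews = cache.fetch("news.example", url, server);
  const onShopAgain = cache.fetch("shop.example", url, server);
  return { onShop, onNews, onShopAgain, linkable: onShop === onNews };
}

console.log("shared cache:     ", visitTwoSites(false));
console.log("partitioned cache:", visitTwoSites(true));
```

With the shared cache both sites receive the same cached body, so the two visits can be linked; with the partitioned cache each site gets its own entry, while a repeat visit to the same site still benefits from caching.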

Companies will use these supercookies to track users across the web in order to build a profile of them. They then use these profiles to deliver targeted advertising and to sell to other companies that build larger databases of user behaviour. 

These supercookies are able to identify users across the web without the users’ knowledge or permission. This means that they can be used to track your browsing activity over a session and over a long period of time. They use this tracking information to build a profile of you. If you've gone shopping, they track your purchases. If you visit your doctor's site or look up information about a disease or disorder, they make note of that. If you access information on anything, it's added to the profile. 

This profile can be used in many different ways. Have you ever noticed ads showing up for things that you once searched for or related to a link you once clicked on? You're seeing these ads because an ad company recorded your web activity and used it to target that specific ad to you.

Other companies buy this information and use it to build a database about you. Imagine if an insurance company had this database and noticed that you searched for information on treating depression or purchased over-the-counter drugs to treat a skin issue. It could then use that information to deny you coverage later. A prospective employer could purchase this information and use it to determine if you might join a union, and fire you preemptively. 

These supercookies are also a security risk, leaking private information about you and your device, like your phone number, to the services you're accessing. 

There are numerous companies that have used the supercookie as a means of tracking. Verizon, for example, tracked users' physical location and web activity without their knowledge using supercookies. This resulted in a fine of USD$1.35 million and a class-action lawsuit against them. Hulu and MSN have also used supercookies to track their users. 

Firefox 85 to the Rescue

In order to take advantage of these new protections in Firefox, all you need to do is upgrade to the latest version. Your web experience shouldn't differ noticeably with these changes. You'll still be able to access sites that require normal cookies. However, you might notice that ads seem a little more... generic. You might not see the same hyper-targeted ads. All in all, you'll likely have a less creepy web experience, and your private information will not be inadvertently leaked. 

Firefox isn't the only browser that provides protections such as this. Safari (on macOS) has had protections against several supercookie techniques for several years. Microsoft Edge (on Windows) provides protections against using server names as identifiers and abusing local storage to hide cookies. Chrome has a website partitioning strategy similar to Firefox's in development as well.

This all raises the question: does zu use supercookies in our projects? By default, no. Drupal, our main platform for development, does use cookies for sessions and tracking, but only within the sites themselves. We regularly use Google Analytics and other analytics packages to do traffic analysis, which will use cookies to track sessions. And in some cases, we also implement social media widgets (for sites such as Facebook or Twitter), which have their own tracking cookies involved.

Supercookies have been around for years, as marketers and advertisers look for ways to track users. Browsers have been gradually implementing policies and technology to counteract these tracking techniques. Firefox 85 is the latest salvo in the back-and-forth, as Mozilla works to protect its users' privacy and security.