Firefox gets a privacy boost as Total Cookie Protection becomes the default for all users

While the ad tech industry tries to function in a less cookie-filled environment, browsers like Mozilla Firefox are jumping on the opportunity to grow its user base with features such as Total Cookie Protection (TCP). The feature was first introduced in February 2021 and was initially restricted to Firefox’s tracking protection feature — Enhanced Tracking Protection Strict Mode. It was then enabled by default in private browsing windows with the launch of Firefox 89 later that year. As of today, Total Cookie Protection will now be the default for all users worldwide, not just in private windows or if you opt into stricter settings.

Compared to its competitors such as Google Chrome and Microsoft Edge, Mozilla Firefox claims to be “the most private and secure major browser available across Windows and Mac,” and Marshall Erwin, Mozilla’s chief security officer, tells TechCrunch that Total Cookie Protection is Firefox’s “strongest privacy protection to date.”

Mozilla hopes that making TCP the default for all users will ensure they are kept safe online.

“Internet users today are stuck in a vicious cycle in which their data is collected without their knowledge, sold and used to manipulate them. Total Cookie Protection breaks that cycle, putting people first, protecting their privacy, giving them a choice and cutting off Big Tech from the data it vacuums up every day,” Erwin added.

Here’s how it works. The TCP feature creates a separate “cookie jar” for each website you visit and confines the cookies to the site where they were created. The trackers can only see your behavior on that individual site. This, in turn, prevents tracking companies from using these cookies to track your browsing from site to site. So, the amount of information that companies gather from you is reduced as well as all the invasive and sometimes too-close-to-home advertisements you might see on a daily basis.

Image Credits: Mozilla

In addition, Total Cookie Protection offers additional privacy protections provided by existing anti-tracking features such as Enhanced Tracking Protection (ETP), which Mozilla launched in 2018 and became default to all Firefox users in 2019. ETP blocks trackers based on a list yet had some shortcomings as there were still ways for trackers to evade being blocked. For instance, many just set up a new tracking domain that wasn’t on the list. Meanwhile, TCP restricts the functionality of all cookies no matter what.

When third-party cookies are blocked outright, this can break some site functionality. So this is part of the reason why Firefox’s Total Cookie Protection doesn’t completely eliminate third-party cookies. Access to these cookies is only restricted. That way, the browser experience isn’t affected as TCP continues to offer strong protection against tracking.

Plus, cross-site cookies are an exception as they are needed for non-tracking purposes, such as those used by popular third-party login providers. This means the website and the login provider will access the same cookie jar so the user can sign in conveniently. Firefox will remember the user’s preference for 30 days.

It’s important to note that TCP in Firefox doesn’t protect users from all cookie pop-ups. The company informed TechCrunch that while it protects users from the third-party tracking that might occur on the websites that ask you to accept or decline their privacy policy in a cookie banner, TCP, however, does not protect against first-party tracking, so choosing to click either “accept” or “decline” is still required for first-party cookies.

When Mozilla was first testing the feature in February, the company monitored for breakage and even collaborated with websites to restructure their site to work with cookie storage isolation technologies like TCP, often by encouraging the use of the Storage Access API, the company told TechCrunch. The Storage Access API offers a way for embedded resources to see if they currently have access to their first-party storage and then gives them the ability to request access from the user agent.

As Mozilla became more aware of common breakage patterns, the company developed heuristics and SmartBlock in Firefox that allow sites using these patterns to continue working without breakage while still enabling the privacy benefits of TCP. Overall, the amount of breakage was limited, according to Mozilla.

In total, the Firefox browser has more than 200 million monthly active users, per its own data, and is known to be a popular browser among users with privacy concerns. However, by the beginning of 2021, Firefox reported having lost up to 12% of its user base, according to StatCounter.

It is likely that this decline was due to complaints that the Firefox design introduced in version 89 was “slow and buggy,” a Reddit user wrote. In May 2022, Firefox 100 was then hacked in seven seconds, but Mozilla quickly released 100.0.2 within 48 hours. This month, Firefox 101.0.1 was released with no zero-day security holes fixed, and no patches deemed critical, so maybe users will flock to the browser.

Earlier this month, Safari reached one billion worldwide users, whereas Google Chrome has over three billion. Microsoft Edge has 212 million users, according to Atlas VPN’s findings.

Even though the browser struggles to retain as many users as its competitors — and had some road bumps with updates — Firefox’s tracking protection is far more comprehensive than Microsoft Edge and Google Chrome, which do not disable third-party cookies by default. Meanwhile, Apple’s Safari browser and Firefox have blocked third-party cookies since 2013. In addition, privacy-focused browsers Tor, Brave, Epic and Min also block third-party cookies by default.

In 2020, Google announced that it plans to phase out support for third-party cookies in Chrome within the next two years. This was delayed until 2023.

Google has argued with Mozilla’s approach to blocking third-party cookies and has said that this will only drive the industry to find workarounds. Mozilla believes that while advertising is central to the internet economy, it also believes that consumer privacy should not be optional. The nonprofit company never sells or buys your data — it still collects it, however — and Firefox developers are driven to work toward a more “healthy internet,” the company once wrote.