Category: Security & Privacy

Is Google turning Chrome into its agent?

Posted on by Martin Brinkmann

What would you do, if you were in control of the world’s most used search engine and web browser, and also the world’s largest advertising company? Would you keep things strictly separate, even if it would mean leaving billions of Dollar on the table?

Google’s control of advertising, to a large degree at least, and the Chrome web browser is a problem. The company has made several attempts in the past to push technologies that favor it through Google Chrome.

The oddly named Privacy Sandbox is just one attempt. Google uses the name to portrait an image of improvement for users of the Chrome browser. While not totally wrong, as it is a better system in some regards than the currently used third-party cookie tracking system, it is not the Holy Grail of privacy efforts Google portraits it as.

See, privacy sandbox is still about tracking. What sets it apart from cookie-based tracking are two things: first, that users are associated with interest groups instead of individual interests. Chrome looks at the browsing history and assigns groups to the user. Browse lots of car, sports or knitting sites? Chrome picks these as your interests and advertisers may use the information to display advertisement that falls into the groups.

Second, because it puts Google at the center of control of the feature. Google controls Chromium by and large, and also Chrome. If the system is baked into the browser, Google is in control. It can make adjustments and other changes, and everyone has to play ball to avoid being shut out entirely from the system.

Manifest V3

Privacy Sandbox is not the only attempt that mixes Google’s core interests, advertising, with the development of Internet browsers.

Manifest V3 is a new ruleset for extensions. Google had to postpone the release multiple times as protests sounded loud and clear throughout the Internet.

Apart from some technical issues, missing APIs and the like, Manifest V3 is clearly aimed at making content blockers and other privacy tools less useful. It would go too far to dive deep into technicalities, only this much.

Content blockers, such as uBlock Origin, reign freely under Manifest V2 rules. When they are active, they tell the browser what to do with certain requests. The browser then acts accordingly, for instance by blocking advertisement or allowing a video to play.

Under Manifest V3, that power moves to the browser. The browser controls the blocking and extensions may only make “declarations”. The extension would tell the browser to block or allow a certain element, and the browser would act accordingly.

Google’s explanation for this is improved privacy. Extensions are no longer able to access “potentially sensitive user data”, which in turn makes extensions safer to use.

The argument is flawed, as extensions still have access to the data. They may still use the old API, but only with read access. This means, that they can still access all the data, which in turn means that nothing is won or lost in regards to privacy.

Google announced this week that it will go forward with Manifest V3. Old extensions, those based on Manifest V2, will be disabled automatically for most Chrome users by mid-2024. Enterprise users may get a 1-year extension through a special policy.

Closing Words

There is a conflict of interest at work. Google depends on the advertising business and will go through great lengths to expand it and keep its dominance in the sector. To be fair, the vast majority of changes that are made to Chromium and Google Chrome have nothing to do with Google’s advertising business.

Still, some of the changes appear to favor the business over the interests of users of the browser.

It remains to be seen if the changes will lead to a mass exodus of Chrome users to other platforms. It is too early to tell, especially since the changes affect a sizeable but still relatively small part of the entire Chrome population.

Now You: do you use Google Chrome?

Beware: Human reviewers may access your Google Bard conversations

Posted on by Martin Brinkmann

Tools like Bing Chat, Windows Copilot, ChatGPT, Claude or Google Bard have seen a rise to prominence this year. These advanced chatbots promise to deliver information to users who chat with them. While you can’t ask them anything, as some content is locked down, you can get answers and information about lots of things.

Ask about the Mona Lisa or the Hallgrímskirkja and you get a good overview of these items, usually. You may get instructions on fixing PC issues or your car, and even medical advice is not out of the question.

There is always the chance of hallucination, which more or less refers to it returning content that is not true. Still, many tech companies are pushing AI like crazy. Microsoft, for example, added Bing Chat to Windows and several other company products.

Google Bard and Human Reviewers

Google Bard Human Reviewers

Google confirmed on the Bard Help website that human reviewers may look at conversations. Feedback from Bard users plays an important role in improving Bard, but Google says that this is not enough. Human reviewers are “a necessary step of the model improvement process” according to the company.

The reviews, ratings and rewrites of human reviewers helps Google improve the quality of its generative machine-learning models”.

Google explains that conversations that human reviewers access are unlinked from Google accounts. Furthermore, random samples are picked for human review and “only a portion of all Bard conversations are reviewed”.

While that sounds reassuring, it is clear that input from human users of Bard may reveal their identity. Google recommends to users that they don’t reveal anything in conversations with Bard that they don’t want human reviewers to potentially have access to.

To Google’s credit, it highlights the fact that human reviewers may access conversations on the Bard website prominently.

What Human Reviewers do

Reviewers look for “low-quality, inaccurate, or harmful” Bard responses according to Google. Once identified, evaluators suggests higher-quality responses. These are then used to “create a batter dataset for generative machine-learning models”.

In other words, Google is using human reviewers to improve Bard’s responses to user queries.

How to prevent the sharing with reviewers

Turn off Bard Activity

Google Bard users have just one option to prevent the sharing of their conversations with human reviewers. This requires disabling the Bard Activity. Here is a step-by-step guide on disabling Bard Activity:

  1. Open the Bard Activity website on Google’s My Activity hub.
  2. Activate the toggle to turn off Bard Activity on the page that opens. Note that you may also delete existing conversations while there.

Note that Bard activity won’t be saved to the Google account anymore. In other words, you can’t access conversations from one device on another when the feature is disabled.

The deletion doesn’t affect conversations that has been reviewed by human reviewers already. Google retains that data and related data for up to three years according to the privacy information on the Bard Help website.

Related information may include the language, device type and location info according to Google.

Closing Words

The advice to never include personal information that could be traced back to you is as old as the Internet. While this limits some conversations with AI, it is still sound advice.

Bard users who want to include personal information in their conversations may want to turn off Bard Activity first, as this prevents access for human reviewers.

Now You: do you use AI tools?

audit

Google Play to highlight apps with independent security reviews

Posted on by Martin Brinkmann

Starting with apps in the VPN category, Google’s Play Store is soon highlighting apps with independent security reviews.

The company announced the change on the official Google Security blog. Google Android users who visit Google Play to browse for apps may open the data safety section for security and privacy information.

There, they will soon find the new independent security review label. Google plans to roll this out to apps in the VPN category first.

Google explains that VPN apps handle “sensitive and significant amount(s) of user data”. This makes them an excellent category to introduce the functionality.

Independent Security Reviews banner on Google Play

A new Independent Security Review banner is already displayed to Android users who search for VPN apps on Google Play. The banner, displayed beneath a list of advertisement for VPN apps, informs users about the security feature.

Android Independent Security Review

The banner lists the associated badge and includes the following description:

VPN apps with this badge in the Data safety section have been independently validated against a global security standard.

A link opens the website of the App Defense Alliance that lists all VPN apps with the badge. Only eight VPN apps are on the list currently. They are:

  • Aloha Browser + Private VPN
  • ExpressVPN: VPN Fast & Secure
  • Google One
  • NordVPN: private & secure VPN
  • Private Internet Access VPN
  • SkyVPN – Fast Secure VPN
  • Tomato VPN | VPN Proxy
  • vpnify – Unlimited VPN Proxy

A tap on any app and the selection of Data safety displays the new badge, provided that the app has undergone the security validation by App Defense Alliance’s global security standard. Those without it have not, but that does not mean that they have not passed other security audits.

What this means

Google highlights VPN apps that have passed the security validation on Google Play. The badge is not displayed on the apps’ main page, however, and it is easily overlooked in the data safety section.

Apps that passed validation meet “industry mobile security and privacy minimum best practices” according to Google. The badge does not “imply that a product is free of vulnerabilities” though.

To sum it up: the badge highlights that apps have passed independent security reviews, which is a good thing. Other apps, without the badge, may also have passed security audits. Some of these audits may have been more thorough than the one required to get the badge on Google Play.

Verdict

The new badge is a welcome addition to Google Play as it may help users pick a VPN app. While there are other criteria, such as features and performance, security is without doubt important.

That Google displays ads for VPN apps before the Independent Security Reviews badge is a problem. The listing in Data Safety makes sense, but Google might want to consider adding the badge to an application’s main page as well.

All in all, it is a welcome addition on Google Play. Users may still want to research VPN providers before installing any of them on their Android devices.

Now You: do you use VPN apps on your mobile devices?

How to block Firefox from importing OS Certificate Authorities

Posted on by Martin Brinkmann

Mozilla’s Firefox web browser maintains its own root certificate store by default. The browser uses these as “trust anchors” and the functionality is essential for making sure that only trusted SSL/TLS certificates are used by the browser.

Starting in Firefox 120, Firefox will automatically trust operating sysdtem certificates installed by the user or an administrators.

The beta release notes offer the following explanation:

By default, Firefox now uses TLS trust anchors (e.g., certificates) added to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the “Privacy & Security” section of Firefox settings, under “Certificates”.

Administrators may add certificates to the operating system for a number of reasons. Some applications and devices may require them to work properly, and they may also be required in development environments. Antivirus solutions on Windows may try and register with Firefox to monitor data.

Blocking Firefox from trusting OS certificates

Firefox block third-party root certificates installed by the user

Firefox users may disable the functionality in Firefox 120 and newer versions. It is enabled by default. To modify this setting, follow these instructions:

  1. Load about:preferences#privacy in the Firefox address bar to open the Privacy settings.
  2. Scroll down to the Security section.
  3. Locate Certificates there.
  4. Remove the checkmark from “Allow Firefox to automatically trust third-party root certificates you install”.

You can undo the change at any time by checking the box again.

Another certificate preference

Firefox supports an Enterprise root preference already. When the browser runs into a TLS connection error, it will enable this Enterprise Roots preference automatically. This imports “any root certificate authorities” that users or administrators have added to the operating system.

Firefox tries to connect again to the site that threw the error. If successful, Firefox will keep the preference enabled and thus also the imported certificates.

Here is how this automatic behavior gets disabled:

  • Load about:config in the Firefox address bar.
  • Click “Accept the Risk and Continue” if the warning page is displayed.
  • Search for security.certerrors.mitm.auto_enable_enterprise_roots.
  • Change the value from True to False with a double-click or by using the button.
  • Search for security.enterprise_roots.enabled.
  • Change the value from True to False.
  • Restart the Firefox web browser.

Closing Words

Most Firefox users may want to keep the default as these are designed to minimize connection errors and issues. Users who want to be in full control may disable the functionality, on the other hand.

O&O ShutUp10++ review: tame Windows’ data hunger

Posted on by Martin Brinkmann

O&O ShutUp10++ is a free tool for Microsoft’s Windows operating system to improve privacy. Designed initially for Windows 10, the program is now also available for Windows 11.

While its main focus is on blocking the operating system’s data hunger, it is also a helpful tool for managing other Windows settings.

First, the basics. You can download the free tool from the official project website. Just run the program after download, an installation is not required. Note that elevated privileges are required to modify settings on the system.

The main interface looks like this on start.

O&O ShutUp10++ interface

O&O ShutUp10++ groups settings for better recognition. You may disable that under View > Group by Categories if you prefer a long list. There is also a search to find settings that match search terms quickly.

Using O&O ShutUp10++ to improve Windows Privacy

All tweaks use a color coding to indicate whether a feature is enabled or disabled. Each setting has a toggle to turn a feature on or off. A short description and a recommendation is also displayed.

Note that you may hover over any description and click with the left mouse button to display additional information. Excellent if you need to know more about a setting.

Many options are self-explanatory, but some may require additional research. “Disable People icon in the taskbar” is quite clear, but “disable input personalization” or “disable automatic receipt of updates” may not.

You can modify individual options with a click on the switch next to a setting. The program prompts you to create a system restore point, which you should accept. It allows you to restore the system to the previous state. The settings do not have the capacity to break the system, but it is still better to have a restore option.

The Actions menu at the top lists bulk options for the most part. You may use them to apply all recommended settings among other things. These are safe changes that should not impact usability on the device.

Bulk Actions in O&O ShutUp 10++

Options to apply “somewhat recommended” or all settings are also available, but this is not recommended. It is better to go through the remaining settings manually to make changes.

The two other options let you reset everything to factory defaults and to create a system restore point manually.

Administrators may also switch between the user and machine tabs. User settings apply only to the logged-in user, machine to all users on the system.

Verdict

O&O ShutUp10++ is a useful tool for Windows users. It is easy to use, free for personal use and includes major privacy settings. The settings don’t have the capacity to break a system, but some of the advanced options may impact certain settings or features on the device. It is easy enough to restore these, should you ever run into any issues in this regard.

All in all, O&O ShutUp10++ is an excellent program that every Windows user should run after installation and major upgrades. O&O Software updates the program frequently to include new options, which is another major plus.

Everyone wants your browsing data

Posted on by Martin Brinkmann

On today’s Internet, data is as precious as gold was in the Ancient world. Browsing data is data that is created automatically when you browse the Internet.

Whenever you visit a website, lots of things happen in the background. Requests are made, cookies and site data may be saved to the local system, and the cache is filled with data. The browser adds a record to its browsing history and maybe to other logs, e.g., when files get downloaded.

Data stored on third-party servers is not considered browsing data, but it may be generated as well.

This browsing data reveals a lot about you. What you like or your interests. It may reveal how old you are, if you are ill or looking for companionship. It may reveal what you plan to buy next or have bought, what you may need or needed.

Browsing data is personal data. This makes it desirable for nearly everyone on today’s Internet.

Who wants it and why: advertising

Google Chrome Privacy Sandbox

When asked, most Internet users would probably mention advertising first. Today’s advertising on the Internet relies to a large degree on information. The more information about a user, the better the chance to display targeted adverts and produce sales.

Tracking plays a large role in this. Most Internet users would probably disallow tracking if there was an easy switch integrated in browsers. There is none.

Google would be in an excellent position to create such a switch: it controls Chromium, the world’s most widely used browser source and Chrome,, the world’s most widely used browser. It also operates some of the world’s most visited websites.

Google is, however, an advertising company. Most of its revenue comes from advertising, which means that it benefits from the system that is in place.

But Google is ending third-party cookies in 2024, I hear you say. This is true, but this is not done without introducing another system that works in its place beforehand.

Built-into Google Chrome directly, it analyzes the browsing history locally to assign interests groups to the user. Websites may also suggests interests based on your visits.

Sites and advertisers may use the information for displaying ads based on your interests.

Google calls these “Interests estimated by Chrome” and “sites you visit that define your interests”.

Granted, Google Chrome includes controls to turn all of this off. There is also a popup with information about this in Chrome.

As is often the case in life, the wording matters. Google calls this Privacy Sandbox, which is an euphemistic term. It may be better than tracking via third-party cookies, but it is still tracking in the end. By the way, you can already disable third-party cookies in your browser, no need to wait for Google to do so in 2024.

Quick Tip: disabling Chrome’s Privacy Sandbox

Disable Chrome's Privacy Sandbox

All you have to do is the following:

  1. Load chrome://settings/privacySandbox in the Chrome address bar.
  2. Disable “Trials” on the page that opens.

Note that this page is not final and that Google will likely make changes to it. You may also want to click on every option there to expand it and make sure it is turned off as well.

These are at the time of writing:

  • Browser-based ad personalization
  • Ad measurement
  • Spam & fraud protection.

AI wants it, too

AI has taken a big leap in 2023. New products release on a weekly basis. All of these have in common that they require data, lots of data.

It is used for training for the most part. A current trend is the integration of AI services into browsers and other programs. Even Windows 11 has its own AI integration, called Windows Copilot now.

These work best if they got access to user data. Personal data usually requires giving consent in these cases, for instance when the request comes from a user.

Microsoft is testing a new option in Edge Canary currently that gives Bing Chat Microsoft access to all page content. It is disabled by default, as it sends all browsing data to Microsoft “to make AI-generated answers and suggestions more relevant on Copilot”.

Not all AI products require access to personal data. The basic chat AI tools act on user input. Personalization, on the other hand, gets better with data. If an AI knows your interests, it may be of better service.

Take holiday planning as an example. If you ask AI for 5 sights in Barcelona, it may look like this: Gothic Quarter, Sagrada Familia, Casa Batlló, Casa Amatller and Park Güell.

If the AI knew more about your interests or personal information, it may have suggested different sights. Say, you love football or are travelling with young children or dislike crowds.

Users who like this may opt-in and maybe improve their experience with the AI. Whether that is also giving Microsoft more information and also better options to display targeted ads should be clear from the previous paragraphs.

Closing Words

Browsing data is valuable and it should be protected. Not everything is opt-in in today’s world and that is a problem. An upcoming tutorial will provide guidance on protecting browsing data.

What about you? Do you allow services to use your browsing data?

enter password

Password Managers that restrict passwords should not exist

Posted on by Martin Brinkmann

Password service Dashlane announced restrictions for free account users this week that limit passwords to 25. Starting November 7, 2023, all Dashlane Free users are restricted to 25 passwords instead of unlimited passwords, the previous limit.

Those with more than 25 passwords keep access to them but they face the same restrictions in regards to adding new passwords. In short: once the 25 passwords limit is reached or crossed, new passwords can only be added if enough old passwords are deleted. Dashlane will also limit support access to paying customers.

The company explains that it made the decision to “focus resources on providing the highest level of service, support, and security”. This is marketing speak.

Dashlane Free remains a product, which means that it requires development resources. Limiting passwords won’t change that. This leaves pushing Free users to paid plans by artificially worsening the experience for many of them as a plausible reason.

Restricting passwords is not right

Dashlane Free users could and can store as many passwords as they want using the password manager. This won’t change until November 7, 2023.

The new artificial limit puts many Free users in a precarious position. Those with more than 25 stored passwords can’t continue using the service, as new passwords need to be stored eventually. They have just a few options:

  • Delete passwords regularly to stay under the 25 passwords limit.
  • Upgrade to a paid account and give in to Dashlane’s pressuring.
  • Migrate to another password manager.

The first option is only feasible for users who don’t have many passwords in Dashlane. Upgrading is the quickest option to deal with the issue, but it also means paying for the password manager.

Migration is another option. Dashlane supports exporting all passwords to CSV files, which most password managers can import.

Password storage is a core feature of every password manager. Restricting the feature limits the password manager significantly. With the artificial limit in place, what is keeping Dashlane from introducing another restriction in the future that limits password storage even further or ends Dashlane Free altogether?

A short term boost to subscriptions

Bitwarden Password Manager

Dashlane will likely notice a short term boost to subscriptions. As users hit the new limit in November, part of the affected group will sign-up for a paid account, especially since a discount is offered.

Others will migrate to a different password manager. Plenty are also free and most do not limit password storage.

My recommendation is Bitwarden. It is open source, does not restrict passwords and is considered one of the best password managers out there. If you don’t need cloud syncing, you could also check out KeePass, another excellent password manager.

Dashlane sign-ups will slow down after the change lands. Users who look for a password manager may not pick the one that is limiting a core feature of a password manager. Less Free signups will also lead to less free to paid upgrades, as fewer users may choose that path. This will impact revenue.

Closing Words

Dashlane could have selected a different path. It could make old user accounts grandfathered accounts. This would have allowed existing free users to continue using the password service as well, at least in regards to passwords storage. This, on the other hand, would not have pushed sales as much, as only new users would be subject to the passwords limit.

It remains to be seen if Dashlane is going to reverse the limit eventually. This is not totally out of the question.

This uBlock Origin filter blocks IDN attacks in browsers

Posted on by Martin Brinkmann

IDN attacks are a common threat on today’s Internet. IDN stands for Internationalized Domain Name. It refers to domain names that contain one or multiple characters in “non-Latin script or alphabet, or in the Latin alphabet-based characters with diacritics or ligatures”.

This enables support for domain names in all languages. German-speaking organizations and users may for instance use the letter Ö in domain names.

One problem associated with this is that it is sometimes impossible for users to distinguish between different characters. The Latin letters e and a, for instance, look identical to the Cyrillic letters e and a. The strings ghacks and ghаcks are not identical, for example, even though they are not distinguishable from just looking at them.

IDN homograph attacks

IDN homograph attacks take advantage of this. Threat actors create domain names that look like a legitimate domain. Links are then pushed via online advertising, comments, chats, email or other forms of communication.

Ars Technica published a story just yesterday about an online ad on Google Search that impersonated the official KeePass website. A search for KeePass listed a sponsored result at the top. This sponsored result pointed to the same domain as the legitimate KeePass website, at least on visual inspection.

It is not uncommon for organizations to place ads for key search terms, even if their domain is the first organic result.

In this particular case, it turned out that the sponsored ad was malicious. It used an IDN to look like the official KeePass website. The fake site pushed a malware family known as FakeBat according to Ars Technica’s research.

Protection against IDN attacks

blocked IDN attacks example

Ars Technica writer Dan Goodin concluded that there is no 100% protection against IDN attacks. All major browsers load IDN URLs without issues.

Chromium-based browsers copy the punycode version of the domain, which offers a quick way to find out if it is an IDN.

Raymond Hill, creator of uBlock Origin, disagreed with Goodin’s conclusion as well. He published a single filter line for use in uBlock Origin, which blocks access to all IDN URLs by default. Users still have the option to proceed and to add an exception for the site, if it is legitimate.

Here is a step-by-step guide to add the filter to uBlock Origin:

  • Open the web browser.
  • Activate the uBlock Origin icon and select Settings.
  • Switch to the My Filters tab.
  • Paste the following string into an empy line: ||xn--$doc,frame
  • Select Apply changes.

That’s all there is to it. Any attempt to load an IDN in the browser is now met with uBlock Origin’s “blocked” window.

Don’t wait for Google to end third-party cookies

Posted on by Martin Brinkmann

Google plans to eliminate third-party cookies in its Chrome web browser. An updated schedule, published on Wednesday, confirms that testing begins in the first quarter of 2024.

A total of 1% of Chrome users will join the test, which disables third-party cookies in their browsers. Google plans to push the change to the entire Chrome population by the third quarter of 2024.

The main purpose of this type of cookies is tracking on today’s Internet. While it is up for debate whether the disabling will have a positive effect on tracking, it is clear that it does eliminate a widely used form of tracking.

Google, being an advertising company first and foremost, has already created a system that it believes is better for the privacy of Internet users. Called Privacy Sandbox, it integrates the tracking directly into the Chrome browser.

Chrome analyzes the browsing data and assigns the user to interests groups. Websites and web advertising companies may use the information to display targeted ads. There is also an option for websites to assign certain interests to users. The system runs in the local browser, which, Google believes, is reason enough to use the term privacy to describe it.

You can disable these ad systems in Chrome for desktop systems and on Android; check out the linked guides to find out how.

Disable third-party cookies in Chrome

Block third-party cookies in Google Chrome

Most Internet users have no benefit from keeping third-party cookies enabled in their browsers. Very few may use services that require third-party cookies for functionality. The vast majority of websites and services works fine without third-party cookies.

It is therefore a good idea to test disabling third-party cookies in the web browser. If you run into problems, you can still enable the feature again to resolve it, or create exceptions for these rare cases.

Here is how that is done in Chrome:

  1. Load this page in Chrome’s address bar: chrome://settings/cookies. It opens the Cookies and other site data preferences.
  2. Select “block third-party cookies” under general. Chrome displays information about this when the option is set.

It states:

Sites can use cookies to improve your browsing experience, for example, to keep you signed in or to remember items in your shopping cart

Sites can’t use your cookies to see your browsing activity across different sites, for example, to personalize ads. Features on some sites may not work.

This is all that is required to block the use of cookies for tracking across different sites. Note that the change does not affect first-party cookies, which remain supported. These serve an important purpose, as they are often used to keep user’s signed in among other things.

All major browsers support options to turn off cookies entirely or only third-party ones. Most Internet users may want to block these cookies or configure their browsers to delete them regularly to limit tracking. Firefox users may want to check out this cookie banners article, as it explains how to do so in the browser.

Closing Words

Google’s crusade against cookies is self-preserving. The company makes most of its money from advertising and a lot of that money relies on tracking. The euphemistically called Privacy Sandbox is a continuation of that, albeit under different conditions.

The main danger of Privacy Sandbox is not that it continues to track users using a different system, but that it is an advertising system that is now integrated into a web browser. Google controls this web browser and also the open source core Chromium. Several developers of Chromium-based browsers announced that they won’t go along with Google, which is good for users of these browsers.

Problem is, Chrome has a commanding usage share and that means that the majority of Internet users will be enrolled automatically into the new system.

Now You: how do you handle third-party cookies on your devices?

Firefox 120 will block cookie banners, but only in Germany

Posted on by Martin Brinkmann

Mozilla plans to enable cookie banner blocking in Firefox 120, but initially only in Germany. Other regions will follow at later point in time. Firefox users may, however, enable the blocking already.

Many websites display cookie consent banners to users. These banners give website visitors a choice regarding the use of cookies.

Cookies are data that websites may save on the local system. The sites may read the data in future visits. Cookies are useful, as they may keep the user signed-in or store preferences. Cookies are also used for tracking purposes.

The rise of cookie banners coincided with new regulatory laws in the European Union, California and some other regions. The main idea was to put users in control again in regards to cookies.

What was once thought of as a good idea turned into a huge annoyance for users. More or less all websites display cookie banners to users now, which often means that users have to interact with these banners frequently.

It is an annoyance, especially since there is no “don’t allow” default option that the browser sends automatically. Users who delete cookies regularly will get these banners in each browsing session.

Firefox 120: cookie banners be gone

Mozilla plans to introduce automation in Firefox 120 in Germany to block cookie banners and select “decline” whenever possible. The web browser will block cookie banners that include an option to refuse all but necessary cookies.

It should be clear that users will continue to see cookie banners. There is no standard for showing them to users and sites may use third-party scripts or custom scripts for the functionality.

Still, Firefox 120 will block common cookie banners, which should reduce the number of banners that users see while using the browser.

How to enable cookie banner blocking in Firefox

Firefox Cookie Banner blocking preferences

Mozilla plans to launch the feature in Germany only, but all Firefox users may configure the browser to block banners. I mentioned this back in 2022 on Ghacks.

  1. Load about:config in the Firefox address bar.
  2. Use the search field at the top to find cookiebanners.service.mode.
  3. Change the value of the preference to 1.
  4. Change the value of cookiebanners.service.mode.privateBrowsing to 1 as well. This enables the functionality in the private browsing mode.
  5. Restart Firefox.

The preference supports three values:

  • 0 — disables the feature. In other words, no cookie banners are blocked.
  • 1 — blocks all known cookie banners and does nothing otherwise.
  • 2 — blocks all known cookie banners and accepts any cookie banner otherwise.

Dealing with cookies

Tracking is severely limited if third-party cookies are blocked in the browser. Other options include deleting cookies and site data regularly.

Firefox ships with tracking protection functionality. While not as good as a true content blocker, such as uBlock Origin, it is better than nothing.

Blocking third-party cookies is a good idea to reduce tracking. Firefox makes this a bit complicated, as it does not offer a simple switch to turn off third-party cookies like Chromium-based browsers do.

  1. Load about:preferences#privacy in the browser’s address bar.
  2. Select the Custom option under Enhanced Tracking Protection.
  3. In the cookies menu, select “All cross-site cookies (may cause websites to break)”.

This blocks third-party cookies in the browser. Note that some, very few, sites may not work properly with this setting.

Closing Words

Several browsers deal with cookie banners automatically. Brave Browser has a cookie consent blocking feature and so does Vivaldi Browser.

Mozilla is a bit late to the party, but better late than never, especially if the feature improves usability. Firefox 120 will be released on November 21, 2023.

Now You: how do you deal with cookie banners? (via Sören Hentzschel)