Firefox 86, recently released as I write this, brings an interesting new feature. Mozilla uses the unfortunate “Total Cookie Protection” branding for what is called, in more technical terms, “state partitioning.”
State partitioning is a privacy feature whose purpose is to prevent tracking using cookies. How this compares to blocking third party cookies, I do not know as yet. As Mozilla puts it, it’s a new approach to the same issue that blocking third-party cookies is meant to address.
The issue is that it is very simple for web advertisers to use third-party cookies to track a given user’s movements around the web. If the site you visit has a “Like this on Facebook” link, that’s all that is needed for Facebook to track you, even if you don’t have a Facebook account or if you never click on that button. In fact, there does not have to be any visual sign that you’re being tracked at all! A company interested in tracking you can set a 1×1 pixel image, often called a web bug, on a given page. It could be transparent, so you’ll never see it… but when it is loaded, it will set a cookie and read the contents of any existing cookie for the domain of the web bug. I’ll use the “like us on Facebook” example here because of how common and visible it is, though web bugs are probably even more common, just not visible.
If you visit a web page that has the “Like on Facebook” button, it is not being served by the page you visited. The page you visited uses an iframe or JavaScript to embed that link, hosted on Facebook’s server, within the page. It’s like a web page within a web page, even though it looks like it’s all the same thing.
When that bit from Facebook is served up, if there is no cookie from Facebook in the browser, facebook.com will immediately request to set one. The URL listed in the URL bar of the browser is not facebook.com, so that cookie is a third-party cookie. There’s no qualitative difference between that and a first-party cookie, but the browser knows it’s third party because it’s from facebook.com and not the page you’re visiting.
Later, if you should happen to visit another web site that has the “Like on Facebook” button on it, the browser will again request the code from the facebook.com server. As part of that request, it will send the cookie that was set in the paragraph above, since it matches the URL of the “like on Facebook” button. So now Facebook knows not only the site you are on right now, but also the other site you were on in the first paragraph.
As you move about the web, each time you see a “like this on Facebook” link, it’s adding to the list of sites you’ve visited. It’s storing that (and other things, like which specific items you looked at in each of the sites) in the cookie, and every time you visit another page with the Facebook icon, it’s uploading all it knows to Facebook and adding to what it has gathered so far.
If you should use Facebook directly, it will then be able to attach that growing dossier with your Facebook ID, which on Facebook is supposed to be your actual identity. From then on, it knows {your real name} is visiting all of these sites, and looking at all of these specific things in those sites. It knows all that you’ve put in your Facebook profile and all of the sites you’ve visited that have the Facebook “like” button. It will store that data on its own internal servers, so even if you clear the cookies at that point, it already knows what sites you’ve visited prior to clearing them.
Blocking third-party cookies is the usual way to prevent this. Firefox and Safari used to both have third-party cookie blocking enabled by default, though it seems that when Firefox introduced its “enhanced tracking protection,” it downgraded that third-party cookie blocking to just be on sites that are known trackers. If the list is truly complete, that would suffice for most people (not for me… I want it all blocked, and if sites fail to function properly, I will troubleshoot it at that time. I’m used to it… I’ve been using script blockers for years, and a lot of sites fail the first time I visit them).
Google has announced that they will phase out third-party cookies, but they’re taking a couple of years to do it (while they try to come up with something that will serve their advertising interests without quite as much controversy over all of the snooping). Advertisers, naturally, are up in arms about this, which is quite satisfying to see. Not because of schadenfreude (or not just because of it), but because it means that our data, which is money to them, actually will be harder to steal with the proposed changes. If they were okay with it, I’d have to conclude that it isn’t going to help us much.
I saw one site for web advertisers that had the results of a survey, where 60% or whatever percent of web advertisers thought eliminating third party cookies would not help enhance people’s privacy. Yeah, that’s a group of people I really would not trust when it comes to judging what would boost people’s privacy. If it didn’t, they’d be okay with the change, because it is the privacy they violate that makes them money. I wonder if they really manage to twist themselves into believing that third party cookies will be disastrous for their industry (which they clearly do, according to what the same site said about that issue) AND that it won’t enhance the privacy of regular users. Anything to prevent themselves from being the bad guys in their own minds! Cognitive dissonance can be a real pain.
Still, third party cookies exist now, and so do some tools that allow us to control them.
The simplest thing is to disable third-party cookies in the browser. What this does exactly is something I have not been able to nail down just yet. Does it merely prevent the setting of third-party cookies, or does it do that and also refuse to send any cookies to third parties?
Normally, when any URL is visited (first party or third party), the browser will check the URL before the request is sent and automatically include any cookies that match the full domain. But what does it do if it finds a matching cookie for a third-party request while “third party cookie blocking” is enabled? If you’re visiting “example.com” and it has a “like us on Facebook” button, will the browser send a Facebook cookie, if there should happen to be one, along with the request for the Facebook script or iframe, even if “third party cookie blocking” is enabled?
The facebook.com cookie would presumably not be there if the user never uses Facebook and always has third-party cookies disabled, so the person is protected by virtue of the facebook.com cookie never being allowed in the first place. If that user does sometimes use Facebook, though, at the moment he visits that site, the cookies it sets are first-party and will be allowed (which also triggers the uploading of any cookies that have been collected so far). Even if he does not log in, those cookies are still first-party, though they are less useful to Facebook than if he logged in and revealed exactly who he is.
From that point forward, if the third-party cookie blocking feature only prevents those cookies from being set, any of those “like us on Facebook” buttons can still read the facebook.com cookie and know the person’s full identity and add the things the person looked at on the new site to the list (and store that data in Facebook’s internal servers). In order for the protection to be complete, the browser would have to prohibit the setting of third party cookies AND the sending of third-party cookies. What do the browsers actually do, though? So far all I’ve been able to see are simplified descriptions of what third-party cookies are and why they are privacy risks, but not anything about the mechanics of the blocking, or whether it works bidirectionally. No mention is made of the difference between the setting of cookies and the reading of them.
This new feature in Firefox, if used, would make the question moot (though I still would like to know). It will limit access to cookies according to both the URL of the page that generated the cookie itself (facebook.com, in this example) and also the first-party site (example.com, from above). The cookie would be set as normal when you went to example.com, if they have the “like us on Facebook” button. If you then went to different.com and they also have the “like us on Facebook” button, Firefox would look to see if there were any cookies that matched both facebook.com (third party) and different.com (first-party). It would not find the one set when you visited example.com (first-party) or the one set when you used Facebook directly (first-party).
It’s a great idea, I think, and I’ve enabled the strict tracking protection mode to try it out, but I still don’t know if it has any benefits beyond my old method of blocking third party cookies. There are other kinds of cases too, like having multiple tabs open on the same browser, things like that, where the tracking that can be done might not be obvious at first, that could play into this. Using a web site in a tab with a lot of other tabs open is not the same as using each of those sites as the only tab present. The browser makers are moving toward making it more like that, but it has performance and memory use penalties, things people already get on their case about.
In my case, it is my general uncertainty of whether the same-site origin protections are adequate that led me to install an addon that deletes cookies, so none of them last that long. It does mean I have to log into any site that needs a login (like this one, if I want to post non-anonymously) every time. I use a password manager, though, so it’s really not much of a bother.
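The set-versus-send question and the partitioning behaviour described above can be compared in a toy model. This is an added example, not part of the original post and not Firefox's code: the mode names, the `simulate` and `widestProfile` functions and the browsing session are all constructed for illustration, and the model assumes the tracker can link requests only through its cookie. It shows what each policy would allow, not which policy any browser actually implements.

```javascript
// Added illustration: a toy cookie jar, not Firefox's implementation.
// Mode names are hypothetical labels for the behaviours discussed above.
// Assumption: the tracker can link requests only through its cookie ID.
const TRACKER = "facebook.com";

function simulate(mode, visits) {
  const jar = new Map();   // browser side: storage key -> cookie ID
  const linked = {};       // tracker side: cookie ID -> sites seen with it
  const unlinked = [];     // requests that arrived with no cookie at all
  let nextId = 1;
  for (const site of visits) {
    const firstParty = site === TRACKER;
    // Partitioning keys storage by (top-level site, cookie domain).
    const key = mode === "partitioned" ? `${site}|${TRACKER}` : TRACKER;
    const maySend = firstParty || mode !== "block-set-and-send";
    const maySet = firstParty || mode === "unrestricted" || mode === "partitioned";
    let id = maySend ? jar.get(key) : undefined;
    if (id === undefined && maySet) {
      id = `id${nextId++}`;
      jar.set(key, id);
    }
    if (id === undefined) unlinked.push(site);
    else (linked[id] = linked[id] || []).push(site);
  }
  return { linked, unlinked };
}

// Largest number of distinct sites the tracker can tie to one ID.
function widestProfile({ linked }) {
  return Math.max(0, ...Object.values(linked).map((s) => new Set(s).size));
}

// Constructed browsing session: every non-tracker site embeds the button.
const VISITS = ["example.com", "facebook.com", "different.com"];
const MODES = ["unrestricted", "block-set-only", "block-set-and-send", "partitioned"];
for (const mode of MODES) {
  const result = simulate(mode, VISITS);
  console.log(mode.padEnd(20), widestProfile(result), JSON.stringify(result));
}
```

In this model, blocking only the setting of third-party cookies still lets the first-party cookie from the direct visit link later embeds, while blocking both directions and partitioning each keep every profile to a single site.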