For the past few months, Firefox alphas have been heuristically blocking certain cookies in a bid to protect user privacy and reduce the amount of online tracking by advertisers. Mozilla has not moved this blocking into the stable builds of its browser, however, because of problems with its effectiveness. The heuristics aren't perfect, so sometimes they block cookies they shouldn't block and other times let through cookies that they should block.

A new project from Stanford University could provide the solution. The Cookie Clearinghouse intends to provide lists of cookies that should be blocked or accepted. Still in the planning stages, it will be designed to work in concert with the heuristics found in Firefox in order to correct the errors that the algorithmic approach makes.

Firefox's algorithm is simple. Essentially, if you visit a domain directly, that domain will be able to set cookies (first-party cookies) and it will continue to be permitted to set cookies even when visited indirectly (third-party cookies). For example, if you visit facebook.com, it will be allowed to set cookies both for explicit visits and whenever other sites embed Facebook content such as like buttons.

Conversely, if you've never directly visited a domain, that domain won't be allowed to set cookies at all. If you've never once visited Facebook then the embedded Facebook content won't be able to set any cookies.

As a rule of thumb, this works reasonably well; Safari has used this same algorithm for some time. However, it's not perfect. Some sites use multiple domains. A visit to the site should treat these domains as first-party (as they're still owned, operated, and controlled by the same people who run the site), but under this heuristic it won't. The Cookie Clearinghouse gives a hypothetical example: stanford.edu could load its images from the domain stanford-images.edu. This would fall foul of the algorithm.

There can also be problems in the other direction. An accidental click on an advertisement will elevate the advertiser's domain to being an explicitly visited first party, and that will allow the advertiser's third-party cookies to work. That's probably not what you want to do.

Apple's solution for the problem, such as it is, is to disable the cookie blocking entirely should it cause a problem. That works, but Mozilla isn't keen on it. Mozilla CTO Brendan Eich writes that users tend to just leave the setting off forever, attaining no privacy protection at all.

The Cookie Clearinghouse is the solution. It will produce lists enumerating both cookies that should be allowed but aren't, and cookies that shouldn't be allowed but are. Browsers can then use these lists to shore up the algorithmic approach. The plan is to also allow site owners to challenge inclusion on the block list and present an argument for why their cookies should be allowed.
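
The visited-site heuristic and the list corrections described above can be sketched as follows. This is an added example, not code from Mozilla or the Cookie Clearinghouse; the class name, the list format (which the project had not defined at the planning stage) and the hosts news.example, ads.example and tracker.example are assumptions made for illustration.

```javascript
// Added example: names and list format are assumptions, not a published Clearinghouse schema.

// Naive site key: last two host labels. Real browsers use the Public Suffix List.
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

class CookiePolicy {
  constructor({ allowPairs = [], blockSites = [] } = {}) {
    this.visited = new Set(); // sites the user has navigated to directly
    // Allow entries are scoped to a (page site, embedded site) pair.
    this.allowPairs = new Set(allowPairs.map(([p, e]) => `${site(p)}>${site(e)}`));
    this.blockSites = new Set(blockSites.map(site));
  }

  recordVisit(host) { this.visited.add(site(host)); }

  // May a response from cookieHost set a cookie while the user is on pageHost?
  decide(pageHost, cookieHost) {
    const page = site(pageHost), origin = site(cookieHost);
    if (page === origin) return { allow: true, reason: 'first-party' };
    if (this.blockSites.has(origin)) return { allow: false, reason: 'block-list' };
    if (this.allowPairs.has(`${page}>${origin}`)) return { allow: true, reason: 'allow-list' };
    return this.visited.has(origin)
      ? { allow: true, reason: 'visited' }
      : { allow: false, reason: 'never-visited' };
  }
}

// Constructed browsing session; news.example and ads.example are made-up hosts.
function demo(lists) {
  const p = new CookiePolicy(lists);
  ['www.stanford.edu', 'facebook.com', 'ads.example'].forEach((h) => p.recordVisit(h));
  return {
    likeButton: p.decide('news.example', 'facebook.com').reason,
    splitSite: p.decide('www.stanford.edu', 'stanford-images.edu').reason,
    adAfterMisclick: p.decide('news.example', 'ads.example').reason,
    unknownTracker: p.decide('news.example', 'tracker.example').reason,
  };
}

const lists = {
  allowPairs: [['stanford.edu', 'stanford-images.edu']],
  blockSites: ['ads.example'],
};
console.log('heuristic only:', demo());
console.log('with lists:    ', demo(lists));
```

With the heuristic alone, the stanford-images.edu cookie is refused and the mis-clicked advertiser's cookie is accepted; the two lists reverse exactly those two outcomes and leave the others unchanged.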

As well as Stanford staff, the Cookie Clearinghouse's advisory board includes representatives from Mozilla and Opera. Mozilla is inviting feedback and promoting the Cookie Clearinghouse as a neat solution to cookie privacy issues.

Advertisers appear to be less keen. Speaking to The Washington Post, Randall Rothenberg, president of the Interactive Advertising Bureau (an organization of advertisers and media companies), said that "there are billions and billions of dollars and tens of thousands of jobs at stake in [the advertising] supply chain." He continued, "[Changes in browser behavior] should be done with stakeholders' input." (Condé Nast, parent company of Ars Technica, is a member of the IAB.)

The algorithmic approach, combined with the lists to patch up the algorithm, also sidesteps another Web privacy issue that has been rumbling for a couple of years: Do Not Track. The Do Not Track specification described a request that browsers can send to Web servers to indicate that their users don't want to have their Web activity tracked by servers.

Its development has been fraught with controversy. To be useful, Do Not Track requires advertisers to opt in and explicitly choose to support it. Naturally, they're reluctant to do so, as it limits their ability to target ads to users. Accordingly, the spec says that the Do Not Track request cannot be sent by a browser by default: it must require a user opt-in.

Microsoft, in the name of greater privacy, threw a cat among the pigeons and turned Do Not Track on by default. The company justified its decision by saying that it still forced users to click through settings screens when first using Internet Explorer 10 and hence still had user consent.

The specification has other issues, such as a definition of "tracking" that might not square well with user expectations (analytics and advertising companies are still allowed to perform some kinds of tracing of Do Not Track users). There's also an unrestricted right for first parties to track users, even if they don't want to be tracked.

The conflicting views and incompatible demands threatened to derail the standard but it may yet limp towards some sort of outcome. The group working on the spec is due to finish their work in July. Getting agreement among the various parties seems impossible, so the options are to give up entirely, to force through changes that not everyone agrees on (something that the group's co-chairs can do), or to weaken the language and terminology of the spec to make it so meaningless that everyone will agree to it.

The algorithmic approach with the Cookie Clearinghouse should prove to be a more robust privacy system and one that doesn't depend on the consent of advertisers. If the browser blocks a cookie then there's nothing an advertiser can do about it.

Listing image by Jeramey Jannene