I have a couple of preferences when browsing the web. I would rather not see ads. I would rather sites load faster and use fewer resources. I would rather not be tracked.
How I’ve dealt with this over the decades has changed. For the better part of the past decade I’ve put my hopes in a combination of blocks and ‘negotiation tactics’. I’ve now given up on the latter and as a result I’ve found a solution that’s simple, elegant and not that hard to work with on a day to day basis.
Block all cookies by default. Block all javascript by default.
And by all means use any built-in anti-tracking and domain blocking features of your browser and content blocking plugin/resolver but I think that goes without saying.
By negotiation tactics I mean: Clicking on reject cookies popups, “Ad Choices” and Do Not Track Me signals. Agreeing to be tracked as someone who doesn’t want to be tracked. That kind of thing.
The problem
Many legal frameworks require some legal basis for setting cookies, as they usually allow for some degree of personal identification and thus the data they deliver are always on the verge of being ‘personal information’, i.e. data about (potentially) identifiable people.
Advertisers used to rely on consent as one such legal basis (within the GDPR, it’s article 6, 1.a). Now that too many people have grown a habit of not consenting to being tracked, they have found another legal basis: “legitimate interest” (within the GDPR, it’s article 6, 1.f). If the advertiser has a legitimate interest in setting these cookies, they have a non-consent-based legal basis. My consent or lack thereof is irrelevant.
Is this widespread? Well, check the ‘Consent preferences’ table from Condé Nast when visiting wired.com. I can toggle a lot of buttons, but the following cookies and tracking activities are non-negotiable because Condé Nast claims legitimate interest.
| “Always active” cookies/tracking | No. of partners shared with |
| --- | --- |
| Ensure security, prevent and detect fraud, and fix errors | 119 |
| Deliver and present advertising and content | 112 |
| Match and combine data from other data sources | 108 |
| Link different devices | 104 |
| Identify devices based on information transmitted automatically | 109 |
| Save and communicate privacy choices | 91 |
What constitutes “legitimate interest”? No one can really define it, and most pertinently no one can say what it doesn’t include. Here’s an example from the above list:
Why does Condé Nast have a legitimate interest in linking different devices in my household? I’ve no idea. Captify Technologies is listed as a partner under “Link different devices”. Under their own explanation of what they do with the data they receive in the ‘legitimate interest’ package, they include “Developing and improving our products and services” and “Optimizing website and mobile app experiences”.
I read all this as basically anything goes as long as you make the setup convoluted enough.
A sane solution
Here’s what I recommend to sane people. Install Firefox. Set “Browser Privacy” to Strict. Install uBlock Origin. The Strict setting includes blocking all cross-site cookies. This should disable most tracking through cookies.
If they’re more competent than most: Devise some reasonable Firefox profiles. One for web banking, one for browsing, one for social media or the like. Ideally learn to use Firefox Multi-Account Containers, too.
TBH I don’t know if the last set of precautions is needed with the browsers of today. I probably won’t ever shake the feeling that not doing them is… not kosher. Haram. Yucky.
My solution
My solution is in all likelihood overkill. As I said, the above is sane. This is probably not. But it is clean. I am, however, under no illusion that this completely kills tracking, as there are fingerprinting techniques that do not rely on cookies. Some may in fact work excellently well to track that one weirdo who keeps making requests without handing back a single cookie. You can’t cover all the bases.
No cookies by default
Firefox’ Enhanced Tracking Protection has a Custom setting. Set all transmitters to full, all receivers to boost.
Will it actually prevent sites from setting cookies? Yes, as far as I can tell, it works as advertised. Use this setting, clear out all existing cookies using the Cookies and Site Data setting underneath, restart Firefox. No cookies are set unless the site is exempted.
Will it break sites (as the warning in parentheses promises)? Yes. Especially, of course, if you need to log in or it’s decidedly a web application and not just text and media. If not, the answer is mostly no. Be advised that cookie consent forms also rely on cookies not to pop up again once you’ve made your choices (insert sarcasm), so you will need to deal with them in some other way.
How do I allow cookies on a site-by-site basis? It’s absolutely doable, but I’ll admit this is somewhat awkward. You need to get into a really old part of the Firefox UI called Page Info. Click the Permissions tab, then find the cookie setting and disable the default for the site. Firefox has some newer and fancier easy-to-access UI to remove site permissions once set and to grant permissions the site explicitly asks for (notifications, access to webcam, etc.). Sadly, it cannot be used to grant permissions it never thought it would need to ask for.
That’s cumbersome. Is there not an easier way? Well, you can disable Enhanced Tracking Protection quite easily for a specific site but then it’s all or nothing. Not just ‘ok to session cookies’. Maybe there are plugins that can help but mostly I avoid plugins that just replicate inbuilt functionality.
In practice I’ve been impressed at how well most of the web still handles without cookies, man baby sites excepted of course. The main difficulty stems from cloud services with convoluted SSO authentication procedures. The sites I want to log in to in a browsing browser profile are mostly hosted affairs, however. Approve one or two subdomains and it usually works.
No javascript by default
uBlock Origin blocks javascript on explicit request but otherwise allows it (from non-blocked domains). This behaviour can be reversed by going into Settings and checking Disable JavaScript under the Default Behaviour heading. You may have to unlock the setting first by putting a check next to “I am an advanced user”.
One fortunate effect of this is to block all cookie popups that use javascript to trigger. The ones that are part of the initial HTML, however, can now no longer be dismissed because they rely on JS to disappear. Fortunately there are other means for that, like domain-specific user stylesheets, also available through uBlock Origin.
If enabling cookies on a domain specific basis was fiddly, then doing the equivalent for scripts is both easier and far more demanding. If all you want is to allow everything to run on a specific site: Easy. If you want to enable one particular script or feature: Somewhat difficult.
The first is accomplished simply by removing the red X from the script icon on the site you wish to unblock, and then clicking the padlock icon to make the policy permanent.
The second requires use of dynamic filtering rules. The tutorial linked explains it better than I can but here’s an example.
As a test case I wanted to allow the YouTube frame to display on Ars Technica’s Fantastic Four trailer coverage article while allowing as little other stuff as possible. First, I had to allow the site to run scripts in general as detailed above. I couldn’t keep the general ban in place and say: Except this. uBlock Origin does have exceptional allow rules, but they are so heavily discouraged that I dare not touch them. AFAICT this means that I have to disallow script origins on a more case-by-case basis. Without a total script ban in place, which script origins and script types are to be trusted?
Fortunately, three things assist here.
First, uBlock’s static filters are still in place. So Doubleclick scripts aren’t run even when scripts aren’t banned.
Secondly, I can ban something globally but add a rule saying that the ban does not apply on a particular site.
Thirdly, there are a couple of abstractions that can assist. In addition to origin-based rules, there are rules that apply to types or categories. E.g. I can lift the ban on all scripts but immediately ban all 3rd party scripts, leaving 1st party scripts and inline scripts in place. This turned out to be a very easy way of getting comments back on one of my favourite gaming news sites.
So to accomplish what I set out to do in the test case, I applied a general ban on content loaded in from youtube.com but said it didn’t apply on ars. I then did the same for 3rd party frames.
In principle this still leaves a lot of openings. However these are mostly dealt with by static filters. I don’t have to tell uBlock to block Taboola and the like.
Gains
Going back to my original motivations, it is not entirely clear what is actually gained by this more radical approach. I am not seeing fewer ads, as these are already taken care of by existing controls. It would require too much speculation to assess how much tracking protection is gained by these extra measures. So I figured that instead I would focus on the change in regard to resources. Also, to get some perspective, I wanted to include what my existing countermeasures added.
As is apparent, the impact varies wildly from site to site. The division between ETP and uBlock savings probably just comes down to what kind of advertising system the site uses. As for the script blocking savings, it’s a question of how much javascript is used to load media. In the case of the NYT, it’s a lot. In others not so much. With the NYT the impact could be seen in grey boxes where content should have been. This was easily remedied by allowing 1st party scripts, but then the memory savings were gone too.
Conclusion
The gains are small and probably mostly illusory. However, it does feel like taking some measure of control back, and it’s infinitely less frustrating than conveying ‘preferences’ by way of cookie popups. I think it’s gonna stay.
And for sane but clever people I will make this suggestion: Don’t disable scripts globally (using uBlock Origin settings) but do disallow 3rd party scripts and 3rd party frames globally in the left hand side options. It will leave (mostly useful) 1st party scripts alone and you can easily enable 3rd party for sites you trust.
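To make the Ars Technica test case above and this closing “3rd party off globally” suggestion concrete, here is an added example (not from the post, and not uBlock Origin’s own code): the rules written out in the syntax of uBO’s “My rules” pane, plus a small model of how uBO resolves them for a given request. The precedence order and the crude two-label third-party check are my assumptions based on the uBO wiki, not the extension’s source.

```python
# Added example, not the post's own code nor uBlock Origin's: a small model of how
# uBO dynamic filtering rules (the "My rules" pane) resolve for one request. Line
# format: "<source> <destination> <type> <action>". Precedence is my reading of the
# uBO wiki (an assumption): destination-hostname cells beat type cells (3p-script,
# 3p-frame), which beat the 3p cell, then the global "*" cell; within a cell the most
# specific source scope wins. "noop" = no dynamic decision, static filter lists decide.
# The post's Ars Technica test case plus its closing "3rd party off globally" advice.
RULES = """
* youtube.com * block
arstechnica.com youtube.com * noop
* * 3p-frame block
arstechnica.com * 3p-frame noop
* * 3p-script block
"""

def parse_rules(text):
    """Map (source, destination, type) -> action, skipping blank lines."""
    rules = {}
    for line in text.splitlines():
        if line.strip():
            src, dst, typ, action = line.split()
            rules[(src, dst, typ)] = action
    return rules

def scopes(host):
    """'www.youtube.com' -> ['www.youtube.com', 'youtube.com', 'com', '*']"""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))] + ["*"]

def is_third_party(src, dst):
    # Crude registrable-domain test on the last two labels; no public suffix list.
    return src.split(".")[-2:] != dst.split(".")[-2:]

def resolve(rules, src, dst, kind):
    """Return 'block', 'noop', 'allow', or None when no dynamic rule matches."""
    third = is_third_party(src, dst)
    cells = [(d, "*") for d in scopes(dst)[:-1]]      # hostname cells first
    if kind == "script":
        cells.append(("*", "3p-script" if third else "1p-script"))
    elif kind == "frame" and third:
        cells.append(("*", "3p-frame"))
    if third:
        cells.append(("*", "3p"))
    cells.append(("*", "*"))                           # the global cell last
    for dst_cell, typ_cell in cells:
        for src_cell in scopes(src):                   # local scope beats global
            action = rules.get((src_cell, dst_cell, typ_cell))
            if action:
                return action
    return None
```

With these rules a YouTube frame on arstechnica.com resolves to noop (static lists decide), the same frame on any other site resolves to block, and 1st party scripts are left untouched everywhere.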