---

blog: Don Marti

---

The new browser consensus and SSO

28 July 2019

(Disclaimer: I work for Mozilla. Not speaking for Mozilla here.)

The first result of the browser privacy trend is a growing difference between how the browser treats third-party data collection that happens when the user chooses to use information from one site on another site, and data collection that happens when a site or service, without an action from the user, tries to get at information about the user's actions from one site while they're using another site.

Any third party interaction that the user knows about is supposed to keep working. But hidden tracking pixels, scripts and any technology that tries to implement tracking without user interaction are all supposed to stop working.

This is not perfectly implemented right now, but that's the direction Safari, Firefox, and now Microsoft Edge are going. We now have the same kind of rough consensus on user expectations about tracking that we developed pretty early on in the email spam situation, based on hearing from users about their expectations. (Why browsers took so long to listen to people about what they find creepy is another story.)

Mozilla has an anti-tracking policy that is pretty close to reflecting the views of a lot of people by now. For example, the Storage Access API ensures that third-party scripts can still use cookies and LocalStorage, but only if the user takes action. Apple Safari, Mozilla Firefox, and Microsoft Edge are all involved. (hashtag #worldsFriendliestBrowserWar)

For sites, what this means is that SSO and reg walls are relatively safe. If the user experience is "Sign in with (identity provider brand)" and there is a button the user has to click the first time they go to the site, that identity system should keep working. After all, the person knows that they're using it, and clicked the logo of the provider they "sign in with."
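The click-gated flow described above can be sketched from the identity provider's side. This is an added example, not code from the post or from any browser vendor: it assumes the provider's widget runs in a cross-site iframe, and the element id `sign-in-with-idp` and the `onResult` callback are hypothetical. `document.hasStorageAccess()` and `document.requestStorageAccess()` are the Storage Access API calls.

```javascript
// Added example: runs inside the identity provider's cross-site iframe.
// `doc` is that iframe's document, passed in so the logic can be tested.

// Resolves to "unsupported", "already-granted", "granted" or "denied".
async function ensureStorageAccess(doc) {
  // Browsers without the API: cookie access follows their default policy.
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported";
  }
  if (await doc.hasStorageAccess()) {
    return "already-granted";
  }
  try {
    // Only succeeds when triggered by a user gesture such as a click;
    // the promise rejects if there was no gesture or access is refused.
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    return "denied";
  }
}

// Tie the request to the visible "Sign in with ..." button, so that
// cross-site cookie access is only ever asked for after a click.
function wireSignInButton(doc, onResult) {
  const button = doc.getElementById("sign-in-with-idp"); // hypothetical id
  button.addEventListener("click", async () => {
    const state = await ensureStorageAccess(doc);
    // On "denied", fall back to a top-level redirect or popup sign-in
    // rather than retrying without the user's involvement.
    onResult(state);
  });
}
```

Calling `ensureStorageAccess` at page load instead of from the click handler takes the "denied" path in browsers that enforce the user-gesture requirement.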

If the user doesn't see the way that multiple sites are trying to use the same identity info, then that flow of data across sites is likely to get blocked, whatever the technical implementation is.

This could be good for the relative market power of sites that people trust more, if it turns out that people are more willing to "sign in with" (and obviously share info about themselves) on their trusted sites than on a random site that their uncle sent them a link to.

Cookies and other tracking devices: the CNIL publishes new guidelines

What happened when Congress looked into data brokers almost 50 years ago

The Washington Post is preparing for post-cookie ad targeting

AdTech Sucks: This Time It’s Personal IDs

Uber’s Latest Lawsuit Calls Out Agencies, Advertisers and Now Ad Tech