In June, Firefox enabled its Total Cookie Protection (TCP) mechanism by default for everyone. The feature had been in development for a long time and was introduced in a staggered manner. TCP is designed specifically to defang online advertisers by giving them only siloed access to browser cookies, severely compromising their ability to track people across websites. “[TCP], also known as comprehensive state partitioning, is a major improvement in anti-tracking protections because it prevents all cookies, and other things similar to cookies, from being used to track users between websites,” Arthur Edelstein, creator of PrivacyTests.org, told Lifewire over email.

Tracker Cookies

A well-known web privacy advocate, Edelstein was the product manager on the team that developed TCP until last year. His PrivacyTests.org website monitors the state of privacy protection across all mainstream browsers. Though Edelstein is happy to see the feature enabled for all Firefox users, he added that other web browsers, including Brave, LibreWolf, Safari, and Tor, already have comprehensive State Partitioning functionality.

“Cookies are one of the easiest ways for ad companies to track users across the web, so any additional privacy protections are welcome,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, told Lifewire over email.

Clements explained that TCP helps prevent companies from tracking users across multiple sites using third-party cookies by limiting their visibility into other cookies set in a user’s browser.

Typically, one website can’t read the contents of cookies set by another website. These are known as first-party cookies. However, if both websites serve ads from the same third party, the ad network can set and read its own cookies from within both websites. Clements explained that ad networks use this ability to set unique cookies for different websites. By correlating the cookies as people move to other websites, the advertisers could track the browser’s movement across the web.

“As you can imagine, the more widespread the ad network, the more insight they can gain about [people’s] browsing habits,” noted Clements. “TCP changes this model by limiting the ad networks to only read its cookies from each site the user visits, but denying access to the cookies they create when the user visits another site using the ad network.”

So, while the ad network can still set unique cookies, Firefox knows they were set from different domains and will now disallow the ad network from reading cookies it set from a different website.
In essence, the ad network wouldn’t know if you’ve visited another website, even if it serves ads from the same ad network.
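
An added illustration, not from the article or from Firefox's code: a toy cookie jar that shows the keying change described above, with a shared jar beside a partitioned one. The host names, the `uid` cookie and the `browse` helper are constructed for the example, and real browsers key partitions by site rather than by the plain strings used here.

```javascript
// Toy model of a browser cookie jar; not Firefox's implementation.
// All host names below are constructed examples.
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map(); // jar key -> Map(cookie name -> value)
  }
  // Shared jar: keyed by the cookie's host only.
  // Partitioned jar: keyed by (top-level site, cookie host).
  key(topLevelSite, cookieHost) {
    return this.partitioned ? `${topLevelSite}^${cookieHost}` : cookieHost;
  }
  get(topLevelSite, cookieHost, name) {
    const jar = this.store.get(this.key(topLevelSite, cookieHost));
    return jar ? jar.get(name) : undefined;
  }
  set(topLevelSite, cookieHost, name, value) {
    const k = this.key(topLevelSite, cookieHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
}

// Hypothetical ad network embedded as a third party on each visited site.
// It reuses its "uid" cookie if it can read one, otherwise mints a new one,
// and records which sites each uid was seen on.
function browse(jar, sites, adHost = "ads.example") {
  const profiles = new Map(); // uid -> [sites seen]
  let nextId = 1;
  for (const site of sites) {
    let uid = jar.get(site, adHost, "uid");
    if (uid === undefined) {
      uid = `u${nextId++}`;
      jar.set(site, adHost, "uid", uid);
    }
    if (!profiles.has(uid)) profiles.set(uid, []);
    profiles.get(uid).push(site);
  }
  return profiles;
}

const visits = ["news.example", "shop.example", "news.example"];
const shared = browse(new CookieJar(false), visits);
const partitioned = browse(new CookieJar(true), visits);
console.log("shared jar:     ", Object.fromEntries(shared));
console.log("partitioned jar:", Object.fromEntries(partitioned));
```

With the shared jar the ad network sees one identifier across both sites; with the partitioned jar it sees a separate identifier per top-level site and cannot join them through cookies alone.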

A Good Start

But if third-party cookies have such privacy implications, why not just yank them from the browser completely? Edelstein explained that blocking third-party cookies completely isn’t really feasible since they’re sometimes necessary for a website to function correctly. The TCP implementation makes an exception for certain genuine uses for third-party cookies to ensure websites work as expected. Commenting on Google’s proposal to replace the third-party cookie, Edelstein said the company’s Chrome browser has the market share to pull [off] something so drastic and force websites to change and adapt.

“TCP is not a panacea,” Nosh Ghazanfar, a web designer and developer, told Lifewire via Twitter DMs, “however it basically nullifies the advantage of third-party cookies, [and] leaves them isolated like first-party cookies.”

Clements agreed and said that third-party cookies are so popular because they’re the easiest way to track people across the web. But in the grander scheme, they’re just one of the tools and tricks in a tracking company’s chest. He also believes that, given Firefox’s single-digit market share, at the end of the day, the feature would impact very few people.

“[TCP] certainly helps, but is by no means a complete solution for online privacy,” noted Clements. “So while I would say TCP is a major, important advance, there is lots more privacy work to be done in Firefox and other browsers before you could say they are ‘airtight.’”