Did you grab your cookies and milk? OK, so you can forget the milk. The cookie(s) on the other hand are the type that you can eat; it is the kind that is used by the web for various purposes.
A recent article in the WSJ entitled “What They Know” analyzed the top 50 Internet web sites and examined what tracking mechanisms each site employed and the corresponding privacy policies. Mozilla was rated as a “low exposure risk” which is all well and good, but in the process it identified 21 trackers on our web properties (aka web sites). So the obvious questions are what are those trackers, who placed them, and what do they do. Below is a little more detail to fill out the picture:
| Set by | Cookie | If disclosed, to whom? | Why? | Where is it used? | Notes |
|---|---|---|---|---|---|
| Mozilla | Omniture | Mozilla Only; Omniture is contractually bound to only share info with Mozilla. | 3rd party cookie intentionally set by Mozilla and used to provide analytics for usage of Mozilla web sites. | Across Mozilla domains | This was listed as Mozilla because we are using our domain as the destination for all Omniture cookies. Omniture is 3rd-party analytics software used by Mozilla. |
| Mozilla | Urchin (Google) | Mozilla Only | Provides analytics for usage of Mozilla web sites. No longer used. | Various Mozilla domains | Urchin is 3rd-party software self-hosted by Mozilla. Shows as Google b/c of acquisition. Google never receives any data. |
| 3rd-party-based content | Vimeo (Flash cookie) | Vimeo.com | Video publishers want to track where the video content is being used. | Used in 3rd party blogs aggregated on Mozilla.com, i.e. Planet and the Add-ons blog. | To our knowledge, they don’t have a “no cookie” option. |
| 3rd-party-based content | YouTube (Flash cookie) | YouTube | Video publishers want to track where the video content is being used. | Used in 3rd party blogs aggregated on Mozilla.com, i.e. Planet and the Add-ons blog. | Updated practices to discourage use. |
| 3rd party set by blog software | ShareThis (beacon) | ShareThis.com | 3rd party widget/plugin used on blogs from sharing content with others. | Included in blogs hosted under Mozilla domains. | URL was actually not working, but still shows as a cookie being set. This has since been disabled globally on our blogs. |
It is important to note that the summary above represents the point of time prior to the WSJ report. To the extent that video or other content is embedded in user-generated content, and sometimes even our own posts, those cookies may change over time. That being said, the Mozilla cookies which we directly control change less frequently. These cookies provide valuable site analytics so we can both understand how our properties are used in the aggregate and learn how to improve them. Most importantly however, the information we obtain through these cookies is aggregate information that is used for no other purpose. We also have contractual provisions to protect the data Omniture collects on our behalf, and before we adopted Omniture, Mitchell Baker led a long public discussion in 2008 about the implications. In the case of Urchin, we ran that software internally, so there were no 3rd parties involved at all.
The WSJ article, in addition to contributing to the ongoing privacy dialogue, has also helped us as hopefully others. There’s always room for improvement in this area. Seeing the 3rd party cookies with embedded video called attention to something we want to discourage, but it’s also pretty hard to excise it completely. Greater awareness and more frequent house cleaning are some basic steps. We’ve also identified methods to use video in a ways that are privacy forward, such as described in Sid’s recent blog post “privacy preserving video” where he pointed out other options for video, “Flash is not the only way to display video on the web!”
We realize that privacy on the web is a hard problem to solve. It’s full of complexity, context, and balancing. It’s also uniquely personal and goes to the core of our web experience because it’s about us and what we do. But bottom line, it’s super important and we make privacy a high priority. The WSJ article shows how we do value this. We’re also working on some other initiatives in this area, which we’ll write about soon.
FWIW, some sites still use Urchin.
there looks to be a few more still using urchin, bug is filed to removed.
Nice post, Chris. Glad we’re talking about this.