Open Bug 1753100 Opened 3 years ago Updated 3 years ago

Consider Fingerprinting a matter of Safe Browsing

Categories

(Core :: Privacy: Anti-Tracking, enhancement)

Firefox 96
enhancement

UNCONFIRMED

People

(Reporter: mozilla.org+bugzilla, Unassigned)

Details

Steps to reproduce:

Browser fingerprinting is becoming a more and more severe issue on the web. It's getting basically impossible for browsers to circumvent fingerprinting, as there are more and more sophisticated solutions available (e.g. DrawnApart exploiting WebGL, https://arxiv.org/pdf/2201.09956.pdf). To put it concisely: We lost.

Unless users give explicit consent, browser fingerprinting can be considered malicious behaviour by gaining unauthorized access to information and violating the user's privacy. This gets even worse when browser fingerprinting is used to circumvent cookie deletion, as this is a clear violation of the user's expressed wishes. Browser fingerprinting thus fulfils the definition of malware.

Any website using browser fingerprinting - either directly or through a third party - without previous explicit consent can and should be considered malware. To protect users from this malicious behaviour, these websites should be added to Firefox's Safe Browsing list and access should be blocked by default. Users should still be able to access the website, though, by expressing their explicit consent.

I'm fully aware of this being a rather rigorous change. To actually make it happen, we first need a consistent definition of what malicious browser fingerprinting is - it's not as easy as one might think at first glance. Furthermore, we must give websites an adequate grace period.

Actual results:

No warning about malicious contents is shown when accessing websites using browser fingerprinting without previous explicit consent.

Expected results:

A warning about malicious contents should be shown.

Firefox does support blocking fingerprinting for known trackers via Enhanced Tracking Protection. See https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting.
Move this bug to anti-tracking.

Component: Safe Browsing → Privacy: Anti-Tracking
Product: Toolkit → Core

I'm fully aware that Firefox supports blocking fingerprinting via Tracking Protection. This issue specifically is about considering fingerprinting without prior consent as malware, not just as a tracking measure like cookies. It aims for not just blocking the fingerprinting script, but blocking access to websites as a whole via Safe Browsing. For other malware we don't just block access to the malicious file only, but to the whole website, too.
