Privacy Complaint Against Mozilla for Enabling Tracking in Firefox Without User Approval
An Austrian data protection authority has received a complaint from Vienna-based privacy advocacy group noyb (None Of Your Business) against Mozilla for activating a new feature known as Privacy Preserving Attribution (PPA) without obtaining users’ explicit consent.
“Despite its seemingly comforting title, this mechanism enables Firefox to monitor user actions on websites,” noyb mentioned. “Fundamentally, the browser is now overseeing the tracking process, rather than individual websites.”
Noyb also criticized Mozilla for purportedly adopting a similar strategy to Google by activating the feature covertly without informing users beforehand.
PPA, which is currently activated as an experimental feature in Firefox version 128, bears resemblance to Google’s Privacy Sandbox project within Chrome.
The project, now abandoned by Google, aimed to replace third-party tracking cookies with a series of APIs integrated into the web browser, allowing advertisers to gauge users’ interests and present targeted advertisements.
In simple terms, the web browser serves as an intermediary that stores information about different user categories based on their browsing habits.
According to Mozilla, PPA allows websites to “assess the performance of their advertisements without collecting personal data,” positioning it as a “non-intrusive alternative to cross-site tracking.”
It mirrors Apple’s Privacy Preserving Ad Click Attribution, which aids advertisers in measuring the efficiency of their online ad campaigns without jeopardizing user privacy.
The functioning of PPA is as follows: Websites displaying ads can request Firefox to store the ads in an impression format containing ad details, such as the target website.
If a Firefox user visits the target website and performs a valuable action for the business—e.g., making an online purchase by clicking on the ad (termed “conversion”)—that website can ask the browser to generate a report.
The report is encrypted and sent anonymously using the Distributed Aggregation Protocol (DAP) to an “aggregation service.” The results are combined with similar reports to create a summary, preventing any individual identification.
This privacy mechanism is achieved through a technique known as differential privacy, which ensures the secure sharing of aggregate user data by adding random noise to prevent re-identification attacks.
“PPA has been activated in Firefox version 128,” pointed out Mozilla in a support article. “A few websites will assess this feature to provide feedback for our standardization plans and to gauge its potential popularity.”
“PPA does not transmit your browsing data to any party. Advertisers receive general information to evaluate the effectiveness of their adverts.”
This specific aspect is what noyb has taken issue with, as it violates the stringent data protection regulations of the European Union (E.U.) by enabling PPA without explicit user consent.
“Although less invasive than unregulated tracking, commonplace in the U.S., it still encroaches on user rights under the E.U.’s GDPR,” the advocacy organization remarked. “In essence, this tracking method does not replace cookies but serves as an additional avenue for targeted advertising.”
Noyb highlighted that a Mozilla developer defended the decision by claiming that users may find it challenging to understand PPA’s workings.
“It’s unfortunate that an entity like Mozilla believes users are incapable of making decisions,” remarked Felix Mikolasch, a data protection attorney at noyb. “Users should have the liberty to choose, and the feature should not be enabled by default.”
About Author
