Privacy Complaint Lodged Against Mozilla for Enabling Tracking in Firefox Without User Approval
Austrian-based nonprofit group noyb (abbreviated for None Of Your Business) has submitted a grievance to the Austrian data protection authority (DPA) against Mozilla, the developer of Firefox. The complaint is centered around the introduction of a new feature known as Privacy Preserving Attribution (PPA) without obtaining explicit consent from users.
“Despite its seemingly benign label, this technology permits Firefox to monitor user activities on websites,” according to noyb’s statement. “In essence, the browser now takes charge of the tracking process instead of individual websites.”
No Consent
The group also accused Mozilla of adopting Google’s methodology by discreetly activating the feature by default without users’ knowledge.
PPA, which is at present accessible in Firefox version 128 as an experimental feature, draws parallels with Google’s Privacy Sandbox initiative in Chrome.
The Privacy Sandbox, which Google has subsequently abandoned, aimed to substitute third-party tracking cookies with a suite of web browser-based APIs that advertisers could interface with to comprehend users’ preferences and deliver tailored advertisements.
In simpler terms, the browser functions as an intermediary that retains information regarding various user categories based on their browsing habits.
Intended Use
According to Mozilla, PPA enables websites to “assess the efficacy of their advertisements without gathering personal user data,” positioning it as a “non-intrusive substitute for cross-site monitoring.”
Akin to Apple’s Privacy Preserving Ad Click Attribution, which allows advertisers to gauge the performance of their online ad campaigns while preserving user privacy.
The process of PPA is outlined as follows: Websites displaying ads can request Firefox to remember the ads in the form of an impression containing ad specifics, such as the ad’s landing page.
If a Firefox user later visits the landing page and performs a valuable action, like making a purchase after clicking on the ad, known as a “conversion”, the website can instruct the browser to compile a report.
The generated report is encrypted and anonymously forwarded using the Distributed Aggregation Protocol (DAP) to an “aggregation service,” where the results are amalgamated with other similar reports to construct an abstract summary, thus preventing the disclosure of individual data.
This is feasible through a cryptographic protocol called differential privacy, which facilitates the sharing of consolidated information on users in a privacy-conscious manner by introducing random noise to thwart re-identification attempts.
“PPA is now operational in Firefox starting from version 128,” as stated in Mozilla’s support documentation. “A limited number of websites will assess this feature and provide feedback to shape our standardization strategy and gauge user interest.”
“PPA does not transmit any information about your browsing habits to external parties. Advertisers only obtain aggregate data providing fundamental insights into their advertising campaigns.”
Concerns
However, noyb has identified a breach in this system, as it infringes upon the strict data protection laws of the European Union (E.U.) by activating PPA without securing user consent.
“While this may be less intrusive than widespread tracking seen in the U.S., it still violates the privacy rights guaranteed by the E.U.’s GDPR,” the advocacy group remarked. “In essence, this tracking option doesn’t supplant cookies but merely presents an alternative – additional – approach for websites to target ads.”
The group further highlighted that a Mozilla developer rationalized the decision by claiming that users lacked the ability to make informed choices and that “explaining a system like PPA would be challenging.”
“It’s unfortunate that an entity like Mozilla believes users are incapable of making an informed choice,” stated Felix Mikolasch, a data protection attorney at noyb. “Users should have the freedom to decide, and the feature should have been disabled by default.”
About Author
