Mozilla faces criticism over new Firefox Tracking Feature

Mozilla, the organization behind the Firefox web browser, is facing backlash from privacy advocates over a new feature called Privacy Preserving Attribution (PPA) that was quietly enabled by default in a recent update. The controversy highlights the ongoing tension between user privacy and the advertising-driven internet economy.

On September 25, 2024, the digital rights organization noyb filed a formal complaint against Mozilla with the Austrian Data Protection Authority. The complaint alleges that Mozilla violated European privacy laws by enabling PPA without properly informing users or obtaining consent.

PPA is designed to allow advertisers to measure the effectiveness of their ads without relying on traditional cross-site tracking methods. When enabled, the Firefox browser stores information about ad impressions locally and can generate anonymized, aggregated reports on ad performance.

Mozilla claims PPA enhances user privacy compared to existing tracking technologies. In a public statement, Bas Schouten, a Mozilla engineer, explained: "PPA offers significantly fewer capabilities than exist in the current model. So the model would have to actually change quite a bit if advertisers were to use it at scale."

However, critics argue that Mozilla should have made PPA opt-in rather than enabling it by default. The noyb complaint states (in German): "Gegenständlich hat es die Beschwerdegegnerin komplett verabsäumt irgendwelche Informationen hinsichtlich der Datenverarbeitung zu 'PPA' in ihren Datenschutzerklärungen zur Verfügung zu stellen." (Translation: The respondent has completely failed to provide any information regarding the data processing of 'PPA' in its privacy policies.)

Key points of contention include:

• Lack of transparency: Mozilla did not prominently disclose the addition of PPA to users.
• Default activation: The feature was turned on automatically with a browser update.
• Consent concerns: Critics argue Mozilla should have obtained explicit user consent before enabling PPA.
• Data processing questions: There is debate over whether PPA involves processing of personal data under GDPR definitions.

Mozilla defends its decision, stating that PPA is designed to protect user privacy while still allowing a sustainable advertising model for websites. The organization argues that the aggregated data produced by PPA does not constitute personal information under GDPR.

"There is no personal data collected or stored," Schouten stated in an online discussion. "So the legitimate interest debate (which would indeed be interesting legalistics), doesn't apply at all."

The controversy highlights several complex issues:

1. The challenge of balancing user privacy with the current ad-supported internet model
2. Differing interpretations of privacy laws like GDPR, particularly regarding aggregated data
3. The role of browser developers in shaping online privacy standards
4. Whether privacy-enhancing technologies should be opt-in or enabled by default

As the complaint proceeds, it could have significant implications for how browsers implement privacy features and how strictly consent requirements are interpreted under European law.

Users who wish to disable PPA can do so in Firefox's privacy settings. However, privacy advocates argue that many users may be unaware the feature exists.

The outcome of this case could influence future browser development and set important precedents for implementing privacy-enhancing technologies. It also underscores the ongoing debate over how to create a more privacy-respecting internet without upending existing business models.

Key facts

• PPA was enabled by default in Firefox version 128, released in 2024
• The feature allows aggregated ad performance measurement without individual-level tracking
• noyb filed a GDPR complaint on September 25, 2024
• Mozilla claims PPA does not process personal data as defined by GDPR
• Users can opt-out of PPA in Firefox's privacy settings