Mozilla Firefox is known as one of the best web browsers for privacy. In an unexpected turn of events, however, the service is currently under fire in Europe for tracking users without consent.
On Wednesday, September 25, Austria-based digital rights group Noyb (None Of Your Business) filed a complaint with the local data protection authority for quietly enabling what's supposed to be a privacy feature, the so-called Privacy Preserving Attribution (PPA). Mozilla describes it as a "non-invasive alternative to cross-site tracking," but experts argue it may interfere with user rights under the EU’s GDPR.
While standing by the controversial privacy feature, Mozilla has now admitted to TechRadar that it "should have done more" and is ready to work to "clear up confusion" over its approach of rolling out PPA by default.
🚨 Firefox quietly enabled a supposed “privacy feature” that tracks users - noyb files complaint today! Read more here: https://t.co/DoVHAmP3KQSeptember 25, 2024
"There’s no question we should have done more to engage outside voices in our efforts to improve advertising online, and we’re going to fix that going forward," Christopher Hilton, Director of Policy and Corporate Communication at Mozilla, told me.
Noyb, in fact, especially criticized Mozilla's decision to turn the new feature on by default once people installed a recent software update. Developed jointly with Meta and announced back in February 2022, the provider automatically enabled PPA in Firefox 128 which was released in July this year.
The digital rights group also didn't buy the explanation a Mozilla developer shared on Mastodon arguing that users can’t make an informed decision on such a complicated system like PPA.
"It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no," said Felix Mikolasch, data protection lawyer at Noyb. "Users should be able to make a choice and the feature should have been turned off by default."
Noyb is now calling the provider to inform users about its data processing activities, effectively switch to an opt-in system, and delete all unlawfully processed data for the millions of European users who may have been affected.
On its side, Mozilla now claims that, while the initial code for PPA was included in the Firefox 128 update, it has not been activated and no end-user data has been recorded or sent. "The current iteration of PPA is designed to be a limited test only on the Mozilla Developer Network website," Hilton told me.
What is Firefox's Privacy-Preserving Attribution?
As per Mozilla's words, Firefox's Privacy-Preserving Attribution (PPA) aims to "provide a privacy-first design for advertising companies to be able to measure how advertising drives conversions."
Put simply, the new technology is meant to replace third-party cookies. It does not involve websites tracking you, in fact, but it's the browser in control, instead.
Firefox's PPA echos Google's plans – now halted – of developing a new advertisement system for minimizing online tracking as part of its Privacy Sandbox initiative. Google's so-called Protected Audience API was supposed to enable on-device auctions on the browser level to tailor relevant ads to users without sharing their information and browsing activities with third parties.
Like the Mozilla case, Google's plans have been met with criticism. In February, ad-blocker provider AdGuard warned how such a solution is "far from being private," de-facto transforming the browser into an ad auction tool. Noyb would then file a privacy complaint against Google's parent company in June for tracking users without asking for informed consent.
The history is now repeating. For Noyb, Mozilla's solution is also problematic in terms of privacy. What's changed now is that part of the tracking is done directly in Firefox, potentially breaching GDPR rules. So, yes, it's less invasive but still invasive, according to experts.
"While Mozilla may have had good intentions, it is very unlikely that 'privacy-preserving attribution' will replace cookies and other tracking tools. It is just a new, additional means of tracking users," said Mikolasch from Noyb.
Mozilla doesn't agree with this view, though. Hilton said: "We continue to believe PPA is an important step toward improving privacy on the internet and look forward to working with NOYB and others to clear up confusion about our approach."