Mozilla Accused of Tracking Firefox Users Without Consent
The European digital rights organization NOYB (None Of Your Business) has filed a complaint against Mozilla with the Austrian Data Protection Authority. The complaint alleges that the Privacy-Preserving Attribution (PPA) feature in Firefox, which was enabled without user consent, is being used to track people’s online behavior.
What Is Privacy-Preserving Attribution?
The Privacy-Preserving Attribution (PPA) feature, developed in collaboration with Meta, was announced in February 2022 and was automatically enabled in Firefox version 128, released in July of this year. Mozilla describes PPA as a “non-invasive alternative to cross-site tracking,” designed to help advertisers measure the effectiveness of their ads without directly sharing user behavior data online. Developers emphasize that PPA does not transmit browsing information to third parties (including Mozilla itself), and advertisers only receive aggregated data about their ad performance.
Overall, PPA is similar to Google’s Privacy Sandbox (which Google eventually abandoned). The idea is to replace third-party cookies with a set of APIs built into the browser, allowing advertisers to determine user interests and show targeted ads without traditional tracking methods.
NOYB’s Complaint and Privacy Concerns
NOYB claims that Mozilla is using PPA, which is supposed to protect privacy, for the opposite purpose—tracking Firefox users’ behavior across different websites.
“Contrary to its name, this functionality allows Firefox to track user behavior on websites. Essentially, tracking is now controlled by the browser instead of individual sites,” NOYB writes. “While this may be an improvement over even more invasive cookie-based tracking, the company never asked its users if they wanted to activate this feature. Instead, Mozilla decided to enable it by default as soon as people installed the latest software update.”
Privacy advocates argue that PPA allows Firefox to store data about users’ ad interactions and collect this information for advertisers. Mozilla developers, on the other hand, claim that this system actually increases privacy by measuring ad effectiveness without collecting personal data on individual sites.
Nevertheless, NOYB insists that if any tracking is performed within Firefox itself, it violates users’ rights under the EU General Data Protection Regulation (GDPR).
“While Mozilla may have had good intentions, it is very unlikely that ‘privacy-preserving attribution’ will replace cookies and other tracking tools. It’s simply a new, additional way to track users,” NOYB says.
Default Activation and User Choice
NOYB also points out that a Mozilla developer previously justified enabling PPA by default by saying that users would not be able to make an informed decision about turning the feature on or off, since “explaining how a system like PPA works would be a complex task.”
“It’s a shame that an organization like Mozilla thinks users are too dumb to say ‘yes’ or ‘no’,” says Felix Mikolasch, a data protection lawyer at NOYB. “Users should have a choice, and this feature should have been disabled by default.”
Mozilla’s Response
Mozilla representatives told Bleeping Computer that the PPA code is included in Firefox 128, but it was not active, and no user data was collected or transmitted anywhere.
“The current iteration of PPA is intended for limited testing only within the Mozilla Developer Network site. We still believe that PPA is an important step toward improving privacy on the internet, and we hope to work with NOYB and other organizations to resolve misunderstandings related to our approach,” Mozilla stated.