Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent
Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent:
Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy-Preserving Attribution (PPA) without explicitly seeking users' consent.
"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said. "In essence, the browser is now controlling the tracking, rather than individual websites."
Noyb also called out Mozilla for allegedly taking a leaf out of Google's playbook by "secretly" enabling the feature by default without informing users.
PPA, which is currently enabled in Firefox version 128 as an experimental feature, has its parallels in Google's Privacy Sandbox project in Chrome.
The initiative, now abandoned by Google, sought to replace third-party tracking cookies with a set of APIs baked into the web browser that advertisers can talk to in order to determine users' interests and serve targeted ads.
Put differently, the web browser acts as a middleman that stores information about the different categories that users can be slotted into based on their internet browsing patterns.
PPA, per Mozilla, is a way for sites to "understand how their ads perform without collecting data about individual people," describing it as a "non-invasive alternative to cross-site tracking."
It's also similar to Apple's Privacy Preserving Ad Click Attribution, which allows advertisers to measure the effectiveness of their ad campaigns on the web without compromising on user privacy.
The way PPA works is as follows: Websites that serve ads can ask Firefox to remember the ads in the form of an impression that includes details about the ads themselves, such as the destination website.
If a Firefox user ends up visiting the destination website and performs an action that's deemed valuable by the business – e.g., making an online purchase by clicking on the ad, also called "conversion" – that website can prompt the browser to generate a report.
The generated report is encrypted and submitted anonymously using the Distributed Aggregation Protocol (DAP) to an "aggregation service," after which the results are combined with other similar reports to create a summary such that it makes it impossible to learn too much about any individual.
This, in turn, is made possible by a mathematical framework called differential privacy that enables the sharing of aggregate information about users in a privacy-preserving manner by adding random noise to the results to prevent re-identification attacks.
"PPA is enabled in Firefox starting in version 128," Mozilla notes in a support document. "A small number of sites are going to test this and provide feedback to inform our standardization plans, and help us understand if this is likely to gain traction."
"PPA does not involve sending information about your browsing activities to anyone. Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."
It's this aspect that noyb has found fault with, as it's in violation of the European Union's (E.U.) stringent data protection regulations by enabling PPA by default without seeking users' permissions.
"While this may be less invasive than unlimited tracking, which is still the norm in the US, it still interferes with user rights under the E.U.'s GDPR," the advocacy group said. "In reality, this tracking option doesn't replace cookies either, but is simply an alternative - additional - way for websites to target advertising."
It further noted that a Mozilla developer justified the move by claiming that users cannot make an informed decision and that "explaining a system like PPA would be a difficult task."
"It's a shame that an organization like Mozilla believes that users are too dumb to say yes or no," Felix Mikolasch, data protection lawyer at noyb, said. "Users should be able to make a choice and the feature should have been turned off by default."
(Score: 4, Informative) by jimbrooking on Saturday October 12 2024, @08:01PM (16 children)
I am running Firefox version 131. There is an option to turn this off in Settings->Privacy & Security->Website Advertising Prefernces.
(Score: 4, Funny) by RamiK on Saturday October 12 2024, @08:17PM
The GDPR requires tracking to be opt-in. It's why websites prompt your for permission to collect your information using cookies when you first visit new sites.
compiling...
(Score: 1, Informative) by Anonymous Coward on Saturday October 12 2024, @09:24PM (6 children)
Why was this modded flamebait?
Especially since a link to this specific information [mozilla.org] is included in TFS.
Are there some advertisers on here that don't like folks knowing about this?
(Score: 1, Insightful) by Anonymous Coward on Saturday October 12 2024, @10:25PM
I didn't mod it, but it could be because it sounds like it is defending Mozilla.
(Score: 2, Insightful) by Anonymous Coward on Sunday October 13 2024, @12:03AM (4 children)
There is a user or two here who spend the majority of their mod points down-modding. I'm not sure what they get out of doing that because other people will usually fix it with an up-mod.
(Score: 3, Funny) by janrinok on Sunday October 13 2024, @12:28AM
... and that comment attracted one of them. As you say, it has been countered now by other moderators.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 1, Interesting) by Anonymous Coward on Sunday October 13 2024, @02:09AM (2 children)
Acting out motivated by a schizoaffective disorder.
Maybe, and only if their reading threshold is low enough to see the post at all. Not everyone reads at 1, 0, or -1.
And, if everyone reads at -1, what's the point of a mod system?
(Score: 3, Informative) by janrinok on Sunday October 13 2024, @05:54AM (1 child)
For me, the moderation still indicates which comments make a contribution to the discussion, and those which are either background noise or, even worse, are intended to disrupt intelligent discussion.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 3, Informative) by Mykl on Monday October 14 2024, @12:03AM
Seconded. I read at -1, but will be more likely to gloss over posts marked as such (though not ignore them altogether).
(Score: 4, Interesting) by BlueCoffee on Saturday October 12 2024, @10:29PM (2 children)
The option to disable it also in 128.3.1ESR, but the point is that it should be turned OFF by default. Let the user decide. Anyone left using FF are developers or coders or technicallly inclined individuals, they can figure it out.
I just don't understand Mozilla's handling of Firefox's development over the past eight years or so. They've dropped from 35% market share to something like 3% now, yet they still seem to ignorantly continue to do things to peeve off the remaining users. When I upgraded to 128ESR , all my custom css to make the UI look how I want it stopped working because they removed a couple redundant css tags. And it happened not on the 128.0.0 build, but on a very recent . or .. build. It figured it out but it was so close to being the last straw to switch to Vivaldi full time. I though ESR's were supposed to be functionally stable and only got bug fixes or security patches. Why are they fxing with the code for UI css in minor or patch builds?
Just like so many recent products that have come out in the gaming industry or the movie industry, Mozilla seems to be doing the same and is telling us "We are making the product (Firefox) for us, not for you."
(Score: 2) by janrinok on Saturday October 12 2024, @10:52PM
I'm in Europe. My FF 131 was set to OFF.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by PiMuNu on Sunday October 13 2024, @07:46AM
I thought google et al have put shills on the board and neutered them. (Apologies for the metaphor)
(Score: 2) by rufty on Sunday October 13 2024, @06:29AM (3 children)
Firefox 131.0.2, MacOS13 x86_64, in the UK. Settings->Privacy & Security->Website Advertising Preferences was set on.
(Score: 2) by janrinok on Sunday October 13 2024, @07:30AM
I wonder if the variation is caused more by where the code is updated from? For example, when using Ubuntu it defaults to installing Firefox using snap. I download directly from Mozilla's own site so perhaps it is just a matter of versions not being updated as quickly depending on the origin of the code?
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 0) by Anonymous Coward on Tuesday October 15 2024, @09:24AM (1 child)
(Score: 0) by Anonymous Coward on Tuesday October 15 2024, @09:30AM
They are no longer part of the EU, but they closely follow and adopt EU laws. Not each law, it is true, but unless they comply with the GDPR they could not trade with the EU online.
(Score: 1) by shrewdsheep on Sunday October 13 2024, @09:10AM
I'am on 127 (openSUSE Tumbleweed) and I do not even have this section "Website Advertising". To make sure, I tried to check the options for their "Allow Mozilla to run experiments" but that is gone, too. I have to reprimand Mozilla for their stealthy and sneaky tracking practices.
(Score: 2) by mrpg on Saturday October 12 2024, @10:44PM
Mine is off. 131.0 (64-bit) ubuntu budgie. snap.
(Score: 4, Interesting) by aafcac on Saturday October 12 2024, @11:59PM
And as this is happening, you've got Google moving forward on manifest v3 which seems to be a bit of a mixed bag in some ways as there does seem to be some security improvements mixed in with them making it a lot harder to effectively block ads using extensions.
Personally, I moved back to Fx just because as nice as Arc Browser is in some ways, its built on Google's code and it's really just a matter of time before they bury the necessary bits to serve ads so deep that they can't be disabled using simple extensions. It's a shame that Fx didn't just do right here and automatically enable the requests as it's not like they're necessarily legally binding in many areas anyways
Personally, I'm happy with Fx and a few choice extensions, even if Fx seems more interested in being a Chrome also run rather than a viable alternative vision.
(Score: 1, Interesting) by Anonymous Coward on Sunday October 13 2024, @06:27PM
Both are powered and financed by advertisers. So instead of bickering over which one is worse, why doesn't everybody just switch over to Seamonkey and relive the glory days of Netscape? To this day it is still the best browser ever made, so, what gives?