European digital rights group NOYB (None Of Your Business) has filed a privacy complaint with the Austrian data protection watchdog (DSB) against Mozilla, alleging the company uses a Firefox privacy feature (enabled without consent) to track users' online behavior.
The feature, called "Privacy-Preserving Attribution" (PPA) and jointly developed with Meta (formerly Facebook), was announced in February 2022 and was automatically enabled in Firefox version 128, released in July.
NOYB's complaint claims that, despite its name, Mozilla uses the feature to track Firefox user behavior across websites.
"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites. In essence, the browser is now controlling the tracking, rather than individual websites," the privacy advocate group said.
"While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update."
According to NOYB, PPA enables Firefox to store data on users' ad interactions and bundle that information for advertisers. Mozilla claims this system enhances privacy by measuring ad performance without individual websites collecting personal data.
However, NOYB says that part of the tracking is done in Firefox, interfering with user rights under the EU's General Data Protection Regulation (GDPR).
"Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool," Felix Mikolasch, data protection lawyer at NOYB, added.
"While Mozilla may have had good intentions, it is very unlikely that 'privacy preserving attribution' will replace cookies and other tracking tools. It is just a new, additional means of tracking users."
In a July support document, Mozilla described PPA as a "non-invasive alternative to cross-site tracking," designed to help advertisers assess the effectiveness of their ads without sharing information on users' online behavior.
Mozilla also insists that PPA doesn't share browsing information with third parties, including the company itself, and that advertisers only receive aggregated data about ad performance.
"PPA does not involve websites tracking you. Instead, your browser is in control. This means strong privacy safeguards, including the option to not participate," Mozilla says.
"PPA does not involve sending information about your browsing activities to anyone. This includes Mozilla and our DAP partner (ISRG). Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."
Firefox users can disable the PPA feature by opening the web browser's Privacy & Security settings and unchecking the option labeled "Allow websites to perform privacy-preserving ad measurement."
"There's no question we should have done more to engage outside voices in our efforts to improve advertising online, and we’re going to fix that going forward," a Mozilla spokesperson told Bleeping Computer on Wednesday.
"While the initial code for PPA was included in Firefox 128, it has not been activated and no end-user data has been recorded or sent.
"The current iteration of PPA is designed to be a limited test only on the Mozilla Developer Network website. We continue to believe PPA is an important step toward improving privacy on the internet and look forward to working with NOYB and others to clear up confusion about our approach."
Recommended Comments
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.