Firefox is broadly seen as a data security ally to the average internet user, but a new EU privacy complaint asserts that it is “taking a leaf out of Google’s playbook.” The complaint notes that the web browser has an on-by-default user tracking feature called “Privacy Preserving Attribution” (PPA) that is poorly documented and has not been adequately brought to user attention.
The privacy complaint compares PPA to Google’s “Privacy Sandbox” project, as an alternative to user tracking cookies that purports to enhance anonymity but instead simply provides a new means of identifying users as they move around the web. This is also a means that is less familiar and obvious to users, and requires digging into a sub-menu to discover.
Privacy complaint takes on Firefox’s in-browser tracking
The privacy complaint was filed in Austria by noyb, the activist group headed by Max Schrems that is better known for its crusades against Facebook and for prompting major restrictions on data transfers to the United States. The group now turns its attention to Mozilla and its browser, seemingly seeing parallels between its scheme for facilitating targeted advertising and the system Google is in the midst of transitioning to.
noyb characterizes PPA as an improvement over traditional user tracking via cookies, but says that it simply moves the ability to de-anonymize people from the internet to the internals of the browser. It also chastises Mozilla for adding the feature to Firefox via a recent update that did not inform users of the change, turning it on by default, and not obtaining user consent to the new form of tracking.
As it did with its earlier criticism of Google’s new Privacy Sandbox approach, noyb accuses PPA of violating General Data Protection Regulation (GDPR) terms, specifically Article 4(11)’s requirements that “specific, informed and unambiguous” consent be collected for any user tracking of this sort. Firefox users were not informed of PPA as of its rollout, and would have to explore the browser’s sub-menus to learn of the change and to opt out from it. It was also not added to the data protection policy, at least at the time of the privacy complaint.
noyb’s privacy complaint also cited a Firefox’s developer’s social media post, which expressed the opinion that most users could not make an “informed decision” about PPA because they would not understand it and would “complain” if they were interrupted during browser use. The developer cited blog posts about PPA as the company’s means of informing users, but other social media posters noted that those posts were difficult to find even if users were intentionally searching for the term.
User tracking concerns remain even as cookies fall out of favor
The move away from cookie-based user tracking has been spearheaded to a great degree by Google and the Chrome browser, which spent years cycling through several alternative proposals before settling on the Privacy Sandbox program. That project is nearly complete in terms of Chrome implementation, but has recently been subject to delays that allow cookies as an option at least into 2025.
Google and Mozilla’s user tracking alternatives are similar in structure, assigning users to interest “buckets” in a process that is conducted locally within the web browser. Advertisers are then connected to these more generalized buckets via API, rather than tracking individual users around the web. Privacy groups have taken issue with the system, noting ways in which existing fingerprinting techniques could still be used to pick out individuals. But the main opposition to it has come from the adtech industry, which has made a successful push to raise antitrust concerns against Google. Firefox appears to be conducting its own individual experiment with in-browser user tracking, but Google has expressed a desire for its model to be adopted across the internet by other web browsers.
noyb’s privacy complaint does not seek to eliminate browser-based user tracking, but it does want Mozilla’s data collected to date to be erased. It also seeks an overhaul of the system to reach GDPR compliance, with proactive user notification and opt-in consent required. Mozilla has responded to the complaint by claiming that PPA is “easily disabled” and that it has thus far only been rolled out in a limited test involving the organization’s own websites. However, it also conceded that its communications about the feature could be improved and said it plans to improve that going forward.
The code for PPA has been included as of the Firefox 128 update, first issued on July 9. However, Mozilla says that it has not yet been activated and that no end user data has been recorded or sent (presumably outside of its “limited tests” involving the Mozilla Developer Network).
