European digital rights group NOYB (None Of Your Business) has filed a privacy complaint with the Austrian data protection watchdog (DSB) against Mozilla, alleging that the company uses a Firefox privacy feature (enabled without consent) to track users’ online behavior.
The function, called “Privacy-preserving attribution” (PPA) and jointly developed with Meta (formerly Facebook), was announced in February 2022 and was automatically enabled in Firefox version 128, released In July.
By NOYB complaint claims that, despite its name, Mozilla uses the feature to track Firefox user behavior across websites.
“Despite what its name suggests, this technology allows Firefox to track user behavior across websites. In essence, it is now the browser that controls the tracking, rather than individual websites.” The privacy advocacy group said.
“While this might be an improvement over cookie tracking, which is even more invasive, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once users installed a recent software update.”
According to NOYB, PPA allows Firefox to store data about users’ interactions with ads and aggregate that information for advertisers. Mozilla claims that this system improves privacy by measuring ad performance without individual websites collecting personal data.
However, NOYB says some of the tracking takes place in Firefox, which interferes with users’ rights under the EU’s General Data Protection Regulation (GDPR).
“Mozilla has just accepted the idea that the advertising industry has the right to track users by turning Firefox into an advertising measurement tool,” added Felix Mikolasch, a data protection lawyer at NOYB.
“While Mozilla may have had good intentions, ‘privacy-preserving attribution’ is highly unlikely to replace cookies and other tracking tools. It is simply an additional new means of tracking users.”
In a July Support DocumentMozilla described PPA as a “non-invasive alternative to cross-site tracking,” designed to help advertisers evaluate the effectiveness of their ads without sharing information about users’ online behavior.
Mozilla also insists that PPA does not share browsing information with third parties, including the company itself, and that advertisers only receive aggregated data on ad performance.
“PPA doesn’t mean websites track you. Instead, your browser is in control. This means strong privacy protections, including the option to opt out,” Mozilla says.
“PPA does not involve sending information about your browsing activities to anyone. This includes Mozilla and our DAP partner (ISRG). Advertisers only receive aggregated information that answers basic questions about the effectiveness of their advertising.”
Firefox users can disable the PPA feature by opening the web browser’s Privacy & Security settings and unchecking the option labeled “Allow websites to perform privacy-preserving ad measurement.”
“There’s no question that we should have done more to involve outside voices in our efforts to improve online advertising, and we’re going to address that going forward,” a Mozilla spokesperson told BleepingComputer on Wednesday.
“While the initial code for the PPA was included in Firefox 128, it has not been activated and no end-user data has been logged or sent.
“The current version of the PPA is designed to be a limited test on the Mozilla Developer Network website only. We continue to believe that the PPA is an important step toward improving privacy on the Internet and look forward to working with NOYB and others to clear up confusion about our approach.”
Update September 25, 15:13 EDT: Added Mozilla statement.
