Mozilla hit with privacy complaint in EU over Firefox tracking tech

Mozilla, the nonprofit that develops the Firefox web browser, has been hit with a complaint by European Union privacy rights group noyb, which accuses it of violating the bloc's General Data Protection Regulation (GDPR) by tracking Firefox users by default without their permission.

It's unusual to see a privacy complaint targeting Mozilla, an organization which is more often associated with efforts to bolster web users' privacy rights, such as siloing cookies to prevent cross-site tracking. However, noyb has taken issue with a new feature Mozilla recently deployed in Firefox that it argues turns the Firefox browser "into a tracking tool for websites."

Mozilla calls the feature at issue "Privacy Preserving Attribution" (PPA). But noyb argues this is misdirection. And if EU privacy regulators agree with the complaint, the Firefox-maker could be slapped with orders to change tack -- or even face a penalty (the GDPR allows for fines of up to 4% of global revenue).

"Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites," noyb wrote in a press release. "In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update. This is particularly worrying because Mozilla generally has a reputation for being a privacy-friendly alternative when most other browsers are based on Google’s Chromium."

The attempt to move from cookie-based tracking of web users to browser-level tracking will be familiar to anyone who's been following Google's so-called "Privacy Sandbox" proposal. It's a multi-year effort to end support for tracking cookies in Google's Chrome browser in favor of an alternative ad-targeting tech stack, based on assigning browser users to interest buckets.

Google's effort to shift the adtech stack away from tracking cookies has been derailed and put in the slow lane via U.K. regulatory oversight -- but one tangible impact, per noyb, is it seems to have served as inspiration for Mozilla to get into browser-level tracking.

"Similar to Google’s (failed) Privacy Sandbox, this turned the browser into a tracking tool for websites," noyb wrote, adding: "While this may be less invasive than unlimited [cookie-based] tracking, which is still the norm in the U.S., it still interferes with user rights under the EU’s GDPR."

Another component of noyb's objection is that Mozilla's move "doesn't replace cookies either" -- Firefox simply wouldn't have the market share and power to shift industry practices -- so all it's done is produce an additional way for websites to target ads.

Commenting in a statement, Felix Mikolasch, data protection lawyer at noyb, said: “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool. While Mozilla may have had good intentions, it is very unlikely that 'privacy preserving attribution' will replace cookies and other tracking tools. It is just a new, additional means of tracking users."

The noyb-backed complaint, which has been filed with the Austrian data protection authority, accuses Mozilla of failing to inform users about the processing of their personal data and of using an opt-out -- rather than an affirmative "opt-in" -- mechanism.

The privacy rights group also wants the regulator to order the deletion of all data collected so far.

While Firefox users are able to opt out of the tracking, they must take an active step to do so by locating and enabling the relevant setting, which noyb says is tucked away in a sub-menu. “It’s a shame that an organisation like Mozilla believes that users are too dumb to say yes or no," Mikolasch added. "Users should be able to make a choice and the feature should have been turned off by default.”

Reached for a response to the complaint, Mozilla sent a statement attributed to Christopher Hilton, its director of policy and corporate communications, who claimed it has, so far, only conducted a "limited test" of a PPA prototype -- with the technology restricted to Mozilla's own websites.

The effort is aimed at improving "invasive advertising practices by providing technical alternatives," he also suggested, further claiming the feature is "easily disabled" in Firefox’s settings.

"PPA allows advertisers to measure overall ad effectiveness without gathering information that identifies specific individuals," he wrote. "Rather than collecting private information to determine when consumers have interacted with an ad, PPA is built on cryptographic techniques to enable aggregated attribution that preserves privacy. These techniques prevent any party, including Mozilla, from identifying individuals or their browsing activity."

Hilton added that Mozilla welcomes opportunities to engage with stakeholders, its own community of users and regulators as it builds out the technology.

In further remarks, the company admitted its communications around the effort have been poor. "There’s no question we should have done more to engage outside voices in our efforts to improve advertising online, and we’re going to fix that going forward," it told us. "While the initial code for PPA was included in Firefox 128, it has not been activated and no end-user data has been recorded or sent. The current iteration of PPA is designed to be a limited test only on the Mozilla Developer Network website. We continue to believe PPA is an important step toward improving privacy on the internet and look forward to working with noyb and others to clear up confusion about our approach."

In a blog post published in late August, setting out its rationale for PPA, Mozilla wrote that it's concerned about moves in certain jurisdictions to block anti-tracking features in browsers, adding that addressing a mix of "technical and regulatory threats to user privacy" was motivating its development of the technology.

One complicating strand for Mozilla's narrative, which goes unmentioned in the post, is that Google itself remains its main source of revenue, thanks to a long-standing search deal that sees Google pay the Firefox maker to have its eponymous search engine set as the rival browser's default.

This report was updated with additional comment from Mozilla.