"Privacy-Preserving" Attribution: Mozilla Disappoints Us Yet Again

"No shady privacy policies or back doors for advertisers" proclaims the Firefox homepage, but that's no longer true in Firefox 128.

Less than a month after acquiring the AdTech company Anonym, Mozilla has added special software co-authored by Meta and built for the advertising industry directly to the latest release of Firefox, in an experimental trial you have to opt out of manually. This "Privacy-Preserving Attribution" (PPA) API adds another tool to the arsenal of tracking features that advertisers can use, which is thwarted by traditional content blocking extensions.

It seems that 6 years after the Mr. Robot extension debacle, Mozilla still hasn't learned their lesson about sneaking unwanted advertising and features onto our computers.

We already know from Google's Privacy Sandbox that simply adding "privacy" to the name of your feature does not make it private. While Mozilla claims that the "Privacy-Preserving" attribution aims to provide a more privacy-friendly alternative to ad tracking, there are a plethora of issues with this new (anti-)feature that are worth examining:

Misaligned Incentives

Mozilla's decision to implement PPA in Firefox highlights a growing trend among user agents (browsers) to grant preferential treatment to the advertising industry over all other businesses.

All websites on the internet—including ad networks!—are guests on our computers, and the content they provide is merely a set of suggestions for a user agent to interpret and show us how it chooses. This has always been a fundamental truth of how the internet works, and enables many great things: from highly-accessible text-based web browsers to the ability to block trackers and other unwanted bloat on the websites you visit. By baking in software that's tailor-made for the advertising industry, Mozilla is wrongly asserting that the advertising industry has a legitimate interest in collecting your data and tracking you across the internet over all other parties, including over your own interests.

The advertising industry and Google in particular have been trying their hardest to reverse this dynamic, to turn browsers into a locked-down piece of viewing software under the total control of the servers it's accessing. Mozilla is the organization meant to protect us from the ever-encroaching desires of industry to control and track what we see online, but instead they're continually giving in to the idea that user agents should serve website operators and ad-tracking networks instead of users.

Lack of Consent

Mozilla constantly fails to understand the basic concept of consent. Firefox developers seem to see their position as shepherds, herding the uninformed masses towards choices they interpret to be "good for them." Firefox users are not a captive audience that needs to be coddled, they are generally full-grown adult computer users who need to be listened to.

One Mozilla developer claimed that explaining PPA would be too challenging, so they had to opt users in by default.

The reality is that it isn't simply a privileged minority of users who care about surveillance tracking software being built in to their browsers.

Firefox users are fully capable of understanding basic concepts like tracking, and can make an informed decision about whether they want their browser to track them. Mozilla refuses to acknowledge this, because it's in their best (financial) interest to get as many people as possible to use this feature.

At the end of the day, Mozilla knows this feature isn't something that Firefox users want. If they truly believed this was the one path away from the constant data theft perpetuated by the advertising industry, they would've announced this loudly and proudly. They could've given the privacy and general Firefox communities ample time to scrutinize the protocol beforehand.

Instead, they buried the announcement in a two-sentence blurb at the bottom of the release notes, 5 months after they posted a very brief blog post talking about this technology, which was likely ignored by the vast majority of Firefox users.

False Privacy

Let's ignore all of this though, and say you don't care that Mozilla is selling out to advertisers, as long as the feature is actually more private than the current status quo. PPA still isn't the answer we are looking for.

The simple truth is that the "Distributed Aggregation Protocol" Mozilla is using here is not private by design.

The way it works is that individual browsers report their behavior to a data aggregation server (operated by Mozilla), then that server reports the aggregated data to an advertiser's server. The "advertising network" only receives aggregated data with differential privacy, but the aggregation server still knows the behavior of individual browsers!

This is essentially a semantic trick Mozilla is trying to pull, by claiming the advertiser can't infer the behavior of individual browsers by re-defining part of the advertising network to not be the advertiser.

It is extremely disingenuous for Mozilla to claim that Firefox is adding technical measures to protect your privacy, when the reality is that your privacy is only being protected by social measures. In this particular case, Mozilla and their partner behind this technology, the ISRG (responsible for Let's Encrypt), could trivially collude to compromise your privacy.
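To make the trust model in the preceding paragraphs concrete, here is an added toy model (written for this page, not Mozilla's, ISRG's or Prio's own code) of the two-aggregator additive secret sharing that Prio-style DAP aggregation relies on: each aggregator alone holds uniformly random shares, only the bucket-wise total is published, and the `collude` function shows what pooling both aggregators' shares recovers. The aggregator labels, the field prime and the sample conversion histograms are constructed for the illustration.

```python
"""Toy model of two-aggregator additive secret sharing (Prio/DAP style).

Added illustration, not code from any of the projects named on the page.
Each browser submits a conversion histogram with one bucket per ad. The
histogram is split into two shares, one per aggregator (labelled helper_a
and helper_b here, constructed names). One aggregator alone sees only
random field elements; combining both aggregate sums yields the total;
pooling both per-client share lists (collusion) recovers every report.
"""
import secrets
from typing import Callable, Dict, List, Tuple

PRIME = (1 << 61) - 1  # field modulus for the toy; any large prime works
Histogram = List[int]


def split_report(hist: Histogram,
                 rand: Callable[[int], int] = secrets.randbelow) -> Tuple[Histogram, Histogram]:
    """Split one browser's histogram into two additive shares mod PRIME."""
    if any(not 0 <= v < PRIME for v in hist):
        raise ValueError("histogram value outside the field")
    share_a = [rand(PRIME) for _ in hist]                    # uniformly random
    share_b = [(v - a) % PRIME for v, a in zip(hist, share_a)]  # v - a, so a + b == v
    return share_a, share_b


def aggregate(shares: List[Histogram]) -> Histogram:
    """What a single aggregator can compute alone: bucket-wise sum of its shares."""
    if not shares:
        return []
    return [sum(col) % PRIME for col in zip(*shares)]


def combine(agg_a: Histogram, agg_b: Histogram) -> Histogram:
    """Collection step: only the combined aggregate is released, never a single report."""
    return [(a + b) % PRIME for a, b in zip(agg_a, agg_b)]


def collude(shares_a: List[Histogram], shares_b: List[Histogram]) -> List[Histogram]:
    """If both aggregators pool their per-client shares, each individual report is recovered."""
    return [[(a + b) % PRIME for a, b in zip(ra, rb)] for ra, rb in zip(shares_a, shares_b)]


def run_campaign(reports: List[Histogram]) -> Dict[str, object]:
    """Simulate clients, two non-colluding aggregators, and the collusion case."""
    shares_a: List[Histogram] = []
    shares_b: List[Histogram] = []
    for hist in reports:
        a, b = split_report(hist)
        shares_a.append(a)
        shares_b.append(b)
    agg_a, agg_b = aggregate(shares_a), aggregate(shares_b)
    return {
        "helper_a_aggregate": agg_a,                 # meaningless without agg_b
        "helper_b_aggregate": agg_b,
        "published_total": combine(agg_a, agg_b),    # the only value meant to leave the system
        "recovered_by_collusion": collude(shares_a, shares_b),
    }


# Constructed sample: three browsers, two ads. A 1 in bucket i means a
# conversion attributed to ad i.
SAMPLE_REPORTS: List[Histogram] = [[1, 0], [0, 1], [1, 0]]

if __name__ == "__main__":
    result = run_campaign(SAMPLE_REPORTS)
    print("published total per ad:", result["published_total"])
    print("recovered by collusion:", result["recovered_by_collusion"])
```

The privacy of each report rests entirely on the two aggregators never combining their per-client share lists; nothing in the arithmetic prevents it.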

Uselessness

Finally, there is no reason for this technology to exist in the first place, because tracking aggregate ad conversions like this can already be done by websites without cookies and without invading privacy, using basic web technology.

All an advertisement has to do is link to a unique URL: instead of linking to example.com, one could link to example.com/ad01, and the website operator simply has to track how many people visit the ad01 page on their end.

In contrast to the amazingly complex PPA setup Mozilla is pushing, this is a perfectly viable alternative that advertisers could easily adopt today. The reason they do not is simply because they have an insatiable need for as much of your data as possible.

Disabling PPA

Firefox users should disable this feature (https://support.mozilla.org/en-US/kb/privacy-preserving-attribution#:~:text=Privacy%2Dpreserving%20attribution%20(PPA),collecting%20data%20about%20individual%20people.):

1. Open Firefox's settings page at about:preferences
2. In the Privacy & Security panel, find the Website Advertising Preferences section.
3. Uncheck the box labeled "Allow websites to perform privacy-preserving ad measurement".

There are also plenty of other web browsers (https://www.privacyguides.org/en/desktop-browsers/) you could choose from, if you're growing tired of Mozilla's behavior in recent months. Between their foray into generative AI and their business acquisitions in the advertising industry itself, I certainly wouldn't blame you.

PPA is an additional privacy attack surface that has no value for end users whatsoever, as its sole purpose is to give data to the advertising industry for nothing in return. Instead of focusing their efforts on compromising with advertisers, Mozilla could work to actively block unwanted data collection. Because they aren't blocking any of the myriad of ways advertisers currently track you, Mozilla is not acting in your best interest here.

For a browser and organization which has built its reputation entirely on protecting user privacy, these moves are really eroding the trust of its core user base. We hope that Mozilla will listen to the overwhelming user feedback surrounding this feature and their other endeavors, and consider whether these recent actions are aligned with their core mission of putting users first.

Discuss this article on our forum (https://discuss.privacyguides.net/t/privacy-preserving-attribution-mozilla-disappoints-us-yet-again/19467/2), or leave a comment below.

This is a companion discussion topic for the original entry at https://blog.privacyguides.org/2024/07/14/mozilla-disappoints-us-yet-again-2/
5 Likes

Is this using the same implementation as the one in Safari or does it just carry the same name?

I think “Privacy Preserving Ad measurement” is just a general industry term, not any one specific implementation. Not sure how similar Safari and Firefox’s implementations will be.

I also don’t think it is inherently a bad thing that companies and researchers are working on these alternative approaches. Like most of us, I’m very wary of this sort of thing, because big tech has had a very poor track record when it comes to advertising without being privacy invasive. But ads aren’t inherently privacy invasive. And so long as the internet is primarily ad funded (which doesn’t appear likely to change in the short term), browsers like Brave/Safari/Firefox experimenting with alternative, ostensibly less invasive approaches that publishers or advertisers could use seems like an overall good thing (assuming these alternatives replace the existing invasive status quo), even if it does cause me to feel wary/concerned because of the history of unethical behavior by the ad industry (Google, Meta, et al.).

So I’m trying to keep an open mind as best I can. It’s been a struggle with Brave since I had no pre-existing trust or relationship with Brave (they’ve been an adtech company since their founding); with Firefox, I have built up trust over decades, so it’s easier for me personally to adopt a more patient wait-and-see approach (due to my personal experience).

Edit: Statement of Clarification from Mozilla’s CTO


Firefox CTO here.

There’s been a lot of discussion over the weekend about the origin trial for a private attribution prototype in Firefox 128. It’s clear in retrospect that we should have communicated more on this one, and so I wanted to take a minute to explain our thinking and clarify a few things. I figured I’d post this here on Reddit so it’s easy for folks to ask followup questions. I’ll do my best to address them, though I’ve got a busy week so it might take me a bit.

The Internet has become a massive web of surveillance, and doing something about it is a primary reason many of us are at Mozilla. Our historical approach to this problem has been to ship browser-based anti-tracking features designed to thwart the most common surveillance techniques. We have a pretty good track record with this approach, but it has two inherent limitations.

First, in the absence of alternatives, there are enormous economic incentives for advertisers to try to bypass these countermeasures, leading to a perpetual arms race that we may not win. Second, this approach only helps the people that choose to use Firefox, and we want to improve privacy for everyone.

This second point gets to a deeper problem with the way that privacy discourse has unfolded, which is the focus on choice and consent. Most users just accept the defaults they’re given, and framing the issue as one of individual responsibility is a great way to mollify savvy users while ensuring that most peoples’ privacy remains compromised. Cookie banners are a good example of where this thinking ends up.

Whatever opinion you may have of advertising as an economic model, it’s a powerful industry that’s not going to pack up and go away. A mechanism for advertisers to accomplish their goals in a way that did not entail gathering a bunch of personal data would be a profound improvement to the Internet we have today, and so we’ve invested a significant amount of technical effort into trying to figure it out.

The devil is in the details, and not everything that claims to be privacy-preserving actually is. We’ve published extensive analyses of how certain other proposals in this vein come up short. But rather than just taking shots, we’re also trying to design a system that actually meets the bar. We’ve been collaborating with Meta on this, because any successful mechanism will need to be actually useful to advertisers, and designing something that Mozilla and Meta are simultaneously happy with is a good indicator we’ve hit the mark.

This work has been underway for several years at the W3C’s PATCG, and is showing real promise. To inform that work, we’ve deployed an experimental prototype of this concept in Firefox 128 that is feature-wise quite bare-bones but uncompromising on the privacy front. The implementation uses a Multi-Party Computation (MPC) system called DAP/Prio (operated in partnership with ISRG) whose privacy properties have been vetted by some of the best cryptographers in the field. Feedback on the design is always welcome, but please show your work.

The prototype is temporary, restricted to a handful of test sites, and only works in Firefox. We expect it to be extremely low-volume, and its purpose is to inform the technical work in PATCG and make it more likely to succeed. It’s about measurement (aggregate counts of impressions and conversions) rather than targeting. It’s based on several years of ongoing research and standards work, and is unrelated to Anonym.

The privacy properties of this prototype are much stronger than even some garden variety features of the web platform, and unlike those of most other proposals in this space, meet our high bar for default behavior. There is a toggle to turn it off because some people object to advertising irrespective of the privacy properties, and we support people configuring their browser however they choose. That said, we consider modal consent dialogs to be a user-hostile distraction from better defaults, and do not believe such an experience would have been an improvement here.

Digital advertising is not going away, but the surveillance parts could actually go away if we get it right. A truly private attribution mechanism would make it viable for businesses to stop tracking people, and enable browsers and regulators to clamp down much more aggressively on those that continue to do so.

Edit 2: This blog post is the most insightful and technically focused blog post on the topic I’ve seen so far. And I think the first take I’ve seen that doesn’t try to paint things in overly simplistic black-and-white terms, and takes the time to try to understand before rushing to judgement.

5 Likes

:clown_face: Mozilla :clown_face:

6 Likes

Yeah we want to love Moz but the company makes it hard for us to love them.

7 Likes

If they don’t stop fooling around like this, then it will come to the point where I will not justify worse security and site compatibility just to use Firefox on my Linux PC.

2 Likes

Anyone else remember when the browser was the user agent? :confused:

I’ve resorted to using Librewolf but with RFP disabled and Sync enabled. It’s easier this way than starting with the normal Firefox and keeping track of all the newest Mozilla anti-features that need to be disabled.

1 Like

I feel like Firefox will lose their last users here…

2 Likes

I only use Firefox (not Mullvad Browser) for the multi-container thing; it’s a shame that Chromium only has profiles.

I think it’s worth re-reading this report:

1 Like

Worth reading from Jamie Zawinski, co-founder of Mozilla:

2 Likes

Clarifying Statement from Mozilla’s CTO:

3 Likes

If only this were true, but I’ve been complaining about even other browsers beating them to the punch when it comes to blocking trackers since at least 2022. Their stance has always been far weaker than it should be, which is what led to this problem in the first place.

Them doubling down on the “we know best, we won’t ask” attitude is frankly embarrassing. Even Google had the sense to ask for consent when they introduced FLoC.

5 Likes

Lunduke, in my opinion, is not a reliable source.

Mozilla Foundation is a non-profit with a relatively broad goal and many of the things he brought up are either non-issues or fit inside of Mozilla Foundation’s goals.

Lunduke, like many others, has agendas, and this piece has a narrative spun by him to fit his agenda. The goals of the Mozilla Foundation are largely political by nature, much as almost everything in the privacy and FOSS communities that Mozilla interacts with. Lunduke, in many of his pieces such as this, has a political bias that is counter to that of many of the goals of the Mozilla Foundation. While I do believe that some of what Mozilla does is bizarre, this article in my eyes is nothing more than a hit piece meant to stoke the anti-Mozilla flames that we have seen over the past several years as Firefox market share dwindles and they make some questionable choices.

3 Likes

I am more surprised by the fact that they had a chance to create a great advertising system here, and still defaulted to aggregation for anonymization.

OFF TOPIC, but I am always irritated when people start claiming they don’t want advertisements and they want the “old internet which was wild and free” back. We can’t have a free internet, someone is always paying. Imagine a web blog. It can’t be free and also have no advertisements unless everyone contributes money for the writer of the blog, and the moderator of the blog, and the web hosting for the blog. A lot of debate around advertising irritates me, because either pay and make the venture sustainable, or watch ads imo. Hate tracking though.

To me, this blog post is one of the more nuanced, thoughtful, and concise discussions of PPA I’ve read so far.

I still don’t have my mind made up on how I feel about this approach (but I think it at least has validity, and is in good faith), I still have vague personal misgivings, but I also see what they are trying to accomplish and why.

I’ve been pretty disappointed by the online discourse surrounding this framework so far, including here on PG to a degree. It feels to me like a complicated and nuanced topic being treated in the most black and white terms and not giving any space for good faith differences of opinion, which is frustrating.

3 Likes

In the post they mention that the other side to the fight against personalised, invasive tracking is legislation, because as long as they are allowed to do so, businesses will do invasive tracking to maximise profits.

So, what’s the point of the feature if legislation is needed to outlaw invasive tracking? And once invasive tracking is outlawed, this feature only exists for the benefit of the ad agency, as the law protects the user anyway.

I think the tl;dr of the strategy is “carrot and stick”: build a better, more private alternative, then push/force the ad industry away from a model that depends on invasive tracking using legal (privacy legislation), technical (all the anti-tracking approaches we currently use, and whatever else we can come up with), and economic means, with an end goal of improving the status quo for all users of all browsers, not just us tech-savvy and privacy-obsessive few who go out of our way to protect ourselves.

I think part of the goal is to remove a barrier to privacy legislation. From what I’ve heard, a point of pushback from lawmakers (and I assume ad industry and big tech lobbying) is that virtually the entire internet is ad supported, and there is currently no existing alternative to the status quo of advertisers using the plethora of invasive tracking measures they have available. So how can they outlaw the model that is financially supporting most of the internet before a viable alternative model exists? By building a better, more private alternative, there is potential to undercut this excuse/barrier to meaningful privacy legislation, and in addition (hopefully) lessen advertisers’ hostility to privacy and privacy legislation (by lowering the cost to advertisers of adopting more private practices).

Honestly I’m not the best messenger for any of this; as mentioned earlier, my own point of view isn’t yet fully formed, and I’m still actively learning (and kinda drained right now). But that is my best attempt at paraphrasing and synthesizing a few of the things I’ve read into a pair of hopefully somewhat coherent paragraphs. If you’ve already read that blog post and the post by Mozilla’s CTO, the only other thing I’d add to that list right now is this explainer. I think those 3 posts decently represent the positive case for PPA.

Edit: also want to note, PPA, and all the things we already do to thwart tracking are not mutually exclusive.

3 Likes

Spitballing an idea for actually private targeted ads: your web browser downloads a large pool of ads, and shows you only those that match your profile. Your profile lives locally in your browser and is never uploaded. Does this waste bandwidth? Sure, but it actually provides the privacy Google and Mozilla only claim to. The bigger problem with this is there’s no way for the ad buyers to know how many views they’re getting. If the browser uploads those stats, it negates the privacy benefit of profiling being local.

I think that (attribution done privately) is actually the problem Privacy Preserving Attribution seeks to solve.

And just to be clear, private attribution is the only problem it seeks to solve (as best I understand it).

PPA is not about showing you ads, or profiling users. <---- This is a source of a lot of misunderstanding online right now.

2 Likes