
Privacy-Preserving Attribution, or A Better Tapeworm

[Image: a small cloud of smoke]

Mozilla maintains the Firefox web browser, and has put significant work into communicating that it cares about privacy, and that Firefox is built to protect privacy. As I write this, the Firefox download page leads with this text:

“Get the browser that protects what’s important. No shady privacy policies or back doors for advertisers. Just a lightning fast browser that doesn’t sell you out.”

Firefox download page

Given this explicit focus on privacy, it’s reasonable and logical to expect that Mozilla would build and maintain Firefox in a manner consistent with these claims: no back doors for advertisers, and avoiding selling the user out.

This is why it was surprising and disappointing to see Mozilla gut the credibility of their marketing when, in release 128 of Firefox, Mozilla rolled out a change that added data collection, and opted people in to this data collection by default.

To be clear: the new feature collects additional data. The feature was added via an update. People were opted into this data collection with no notice. This feature is designed to benefit advertisers.

Firefox's new "feature", which is enabled by default.
Firefox’s new “feature”, which is enabled by default. Disable this feature to eliminate additional data collection.

Invisibly opting a user in to a feature that collects data from that user for the benefit of advertisers feels a lot like creating a back door for advertisers, and selling Firefox users out.

The Details

Mozilla published an overview of the system in an “explainer”.

The explainer is titled, “Experiment: Privacy-Preserving Attribution Measurement API”. The inclusion of the word “Experiment” in the title suggests that Mozilla views this work as an experiment. The fact that they are collecting interaction information from real people raises ethical issues that, without specific information from Mozilla, are outside the scope of this post because discussing them would be based on speculation.

With that said, Mozilla has not shared anything I have seen suggesting that they did any review to determine what disclosure or oversight needs to be in place, whether they sought feedback from an IRB, why they chose opt-out rather than opt-in consent, or what mechanisms are in place to ensure that people are providing informed consent. Experiments on people that don’t respect participants are on ethically fraught ground, and good intentions don’t excuse skipping basic ethical steps.

The first line of the explainer clarifies that Mozilla is “working with Meta and other actors” on this experiment. Later in the piece, Mozilla plainly states that users will bear a cost from “(p)rivacy loss from use of their information.” The piece notes that data are eventually aggregated, with some noise added to the results, but the bottom line is clear: this is a new form of data collection, done for an experiment, which will benefit advertisers.
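For anyone unfamiliar with what “aggregation with noise” usually means in this context, the sketch below is a minimal illustration in the differential-privacy style: individual reports are summed, and random noise is added before anyone sees the total. To be clear, this is my own simplified example, not Mozilla’s implementation; the function names and the epsilon parameter are assumptions made purely for explanation.

    # Hypothetical sketch of "aggregation with noise" in the differential-privacy
    # style. Illustrative only, NOT Mozilla's implementation; the names and
    # parameters (e.g. epsilon) are invented for explanation.
    import random

    def laplace_noise(scale: float) -> float:
        # The difference of two exponential samples is Laplace-distributed.
        return random.expovariate(1.0 / scale) - random.expovariate(1.0 / scale)

    def noisy_aggregate(per_user_reports: list[int], epsilon: float = 1.0) -> float:
        """Sum per-user conversion reports, then add Laplace noise.

        Assumes each person contributes at most one conversion (sensitivity 1),
        so the noise scale is 1 / epsilon.
        """
        true_total = sum(per_user_reports)
        return true_total + laplace_noise(scale=1.0 / epsilon)

    # Example: 10,000 users, roughly 2% of whom "converted" after seeing an ad.
    reports = [1 if random.random() < 0.02 else 0 for _ in range(10_000)]
    print(f"true total:  {sum(reports)}")
    print(f"noisy total: {noisy_aggregate(reports, epsilon=1.0):.1f}")

Even in this simplified form, the thing being aggregated is still data collected from individual people, which is the point at issue here.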

“The value that an advertiser gains from attribution is enormous. Attribution can be the difference between an advertising-dependent business surviving or failing.”

To summarize: Mozilla is justifying additional data collection in Firefox as acceptable because it will benefit advertisers.

To be clear, this is their right. They are building the browser, they are giving it away for free, and they have complete control over the roadmap. They have every right to do what they want. However, when an organization that says they don’t provide a back door for advertisers subsequently builds a back door for advertisers, they shouldn’t be surprised when people who use their product for reasons of privacy are upset by the yawning gap between marketing and actions.

The short version: Mozilla could have avoided significant blowback by communicating more about this change, adding an in-browser notification immediately after the update, and making the feature opt-in rather than opt-out.

Not surprisingly, when people saw the change and understood what it meant, some people were less than pleased. The justifications that people shared about Mozilla’s unannounced data collection experiment are interesting for what they show about how people justify different forms of tracking and surveillance.

There have been a few people offering different forms of justification. A reasonably-complete-yet-bound-to-be-incomplete list includes:

  • Attribution is different than tracking
  • You’re already being tracked. If this works, it could lead to less tracking.
  • Opt-in is only meaningful if users can make an informed decision/opt-in makes it hard to get enough participants
  • The internet already runs on ads. We need to work to make it better, and this might help

Attribution is different than tracking

Maybe? Maybe not? But this argument is flawed because it assumes that I — a person who didn’t create your problem — must play a role in solving your problem. Whether attribution and tracking are identical or different doesn’t change the reality that the proposed solution requires people to share data in an experiment they didn’t sign up for.

People don’t owe you their time or information. When I go online, I’m not working to make your flawed attempts work better. Assuming you have a right to people’s time, attention, and information — for attribution or tracking — is what greed looks like.

You’re already being tracked. If this works, it could lead to less tracking.

The solution to tracking isn’t more tracking. This isn’t hard.

Opt-in is only meaningful if users can make an informed decision/opt-in makes it hard to get enough participants

This line of thought appears in many places where power differentials exist between people or communities. In many cases, people who are trying to “make things better” allow their good intentions to steamroll the need for consent, or their understanding of what informed consent actually means. The disdain with which people try to define who is capable of making an “informed” decision needs more attention than I can provide here, but this type of disdain for people is often accompanied by the strawman of “an average user.”

The tech industry writ large has a bad track record with consent, in their products, their business practices, and frequently in their corporate culture. In fairness, this is something that I’ve also seen among researchers, including well-funded academics at R1s. They become so convinced of the importance of their work, and the good intentions driving it, that they forget about the pesky details of consent and the dignity and agency of their participants.

The fact that many powerful people make the same mistake doesn’t make it any less despicable. If opt-in consent feels too hard, that’s a good sign that you need to review the mechanics and the assumptions of how you are working.

The internet already runs on ads. We need to work to make it better, and this might help

Yeah. The greed of adtech companies and the people who look to them for easy money is not my problem, nor is it the problem of people trying to do basic (or even complex) things online. If adtech companies can’t evolve, maybe they should go out of business.

It’s very easy to blame the user for problems created by systems or corporations. The fact that it’s easy and convenient doesn’t make it right.

And let’s not forget: adtech spreads malware (https://arstechnica.com/security/2024/06/mac-info-stealer-malware-distributed-through-google-ads/), and it has for a while (https://arstechnica.com/information-technology/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/).

Conclusion

Privacy-Preserving Attribution collects more data in an effort to collect less data. The folks behind it want us to believe that their goals justify our forced participation – “this is better than what’s happening now, so just let us try,” they say.

But the internet and those of us who use it deserve better. If the scope of their imagination ends with effectively giving us a better tapeworm, we don’t need to accept that.

I’ll be giving LibreWolf and Waterfox a close look, and also tracking the development of Servo (https://servo.org/) (and yes, the irony is not lost on me that these projects all have roots in Mozilla’s work). I’ll also continue using the Mullvad/Tor collaboration.

EDIT, 18 July, 2024. Based on feedback on the security and reliability of LibreWolf and Waterfox, I am no longer comfortable installing them or recommending them.

Image credit: https://www.flickr.com/photos/pedromourapinheiro/5567034637/in/photostream/