Pierluigi Paganini September 26, 2024

Privacy non-profit noyb filed a complaint with the Austrian DPA against Firefox for enabling tracking in Firefox without user consent.

Privacy non-profit None Of Your Business (noyb) has filed a complaint with Austria’s data protection authority (DSB) against Mozilla for enabling the privacy feature Privacy-Preserving Attribution (PPA) in Firefox without user consent. Noyb claims that PPA doesn’t prevent Firefox from tracking user behavior, shifting control of tracking from websites to the browser itself.

“Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites. In essence, the browser is now controlling the tracking, rather than individual websites.” states noyb. “While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update.”

noyb pointed out that a recent Firefox update quietly enabled the “Privacy Preserving Attribution” (PPA) feature.

The non-profit organization claims that the feature allows websites to request Firefox to store information about users’ ad interactions, which is then shared in a bundled form, without using traditional tracking cookies. Mozilla never asked for informed consent from its users.

The feature is an experimental feature shipped in Firefox version 128 to enhances user privacy by measuring ad performance without collecting personal data. However, noyb discovered that Firefox track users’ activity, potentially violating user rights under the EU’s GDPR. Rather than replacing cookies, this feature adds another method for websites to target ads. Noyb’s data protection lawyer, Felix Mikolasch, suggests that Mozilla has adopted the advertising industry’s view on tracking, turning Firefox into an ad measurement tool, despite good intentions.

“Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool. While Mozilla may have had good intentions, it is very unlikely that ‘privacy preserving attribution’ will replace cookies and other tracking tools. It is just a new, additional means of tracking users.” said Mikolasch.

noyb states that enabling PPA feature by default without informing users or seeking their consent violates their privacy. The organization highlights that the tracking feature is not mentioned in Mozilla’s data protection policies, and users can only disable it by navigating to a hidden opt-out option in the browser’s settings. A Mozilla developer explained the decision, arguing that users cannot make an informed choice about the feature.

 “It’s a shame that an organisation like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice and the feature should have been turned off by default.” concluded Mikolasch.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla Firefox)