Firefox v128 brings Ad tracking with Privacy-Preserving Attribution (PPA): What you need to know

In June 2024, Mozilla announced an experimental feature called Privacy-Preserving Attribution (PPA) with the release of Firefox version 128. According to Mozilla, this new capability aims to strike a balance between advertisers’ need to measure ad performance and users’ privacy concerns. However, the introduction of PPA has sparked significant discussion and controversy among Firefox users and privacy advocates. Here’s a comprehensive look at what this feature entails, the reactions it has provoked, and how you can disable it if you choose.

Attribution is crucial for advertisers to understand the effectiveness of their ads. It measures how many people saw an ad and then took a specific action, like purchasing a product. Traditionally, attribution has relied on tracking users across websites, which raises significant privacy concerns.

Mozilla’s PPA is an experimental feature developed in collaboration with Meta, the organization behind Facebook and Instagram. The goal is to offer a privacy-friendly alternative to the invasive ad tracking techniques that are currently prevalent on the web. Instead of websites tracking users directly, Firefox itself manages the attribution process. Here’s what Mozilla says about PPA in the latest Firefox v128 release notes:

Firefox now supports the experimental Privacy Preserving Attribution API, which provides an alternative to user tracking for ad attribution. This experiment is only enabled via origin trial and can be disabled in the new Website Advertising Preferences section in the Privacy and Security settings.

Traditional ad tracking involves monitoring users’ online behavior across different websites, collecting vast amounts of personal data in the process. This data is then used to target ads and measure their effectiveness. PPA aims to achieve the same goal of measuring ad performance but without the privacy intrusion.

When you visit a website that displays ads, PPA allows Firefox to remember those ads. If you later visit the advertiser’s website and perform a desired action (such as making a purchase), Firefox can generate an encrypted report that is anonymously submitted to an aggregation service. This service combines your report with many others, ensuring that individual browsing activities remain private.

The advertiser receives a summary of the reports, which includes noise to further protect user privacy. This summary provides aggregated information about the effectiveness of their ads without revealing any personal details about individual users. So, in summary:

1. Ad impressions: When you see an ad, Firefox stores an “impression” containing limited information about the ad and its destination website.
2. Conversion events: If you later visit the destination website and complete an action considered important by the advertiser (a “conversion”), the website can request Firefox to generate a report.
3. Reporting: Firefox encrypts this report and anonymously submits it using the Distributed Aggregation Protocol (DAP) to an aggregation service.
4. Aggregation: The aggregation service combines your report with many others, adding noise to ensure differential privacy before sending a summary back to the advertiser.

While Mozilla claims that PPA enhances user privacy, some Firefox users and privacy advocates are skeptical. Some of the concerns raised include:

1. Misaligned incentives: Mozilla’s decision to collaborate with Meta, a company known for its data collection practices, raises questions about whose interests are truly being prioritized.
2. Lack of consent: The feature is enabled by default, requiring users to actively opt-out if they don’t want to participate. This approach is seen by some as paternalistic and disrespectful of user autonomy.
3. False privacy: The privacy guarantees of PPA rely on the aggregation service and the advertiser not colluding to track individual users. This trust-based model raises doubts about the effectiveness of the privacy protection.
4. Effectiveness: Some argue that there are already alternative methods for measuring ad performance that don’t require tracking users, rendering PPA unnecessary.
5. Philosophical objections: Some believe that any form of ad measurement inherently compromises user privacy and that browsers should not facilitate it in any form.

But Mozilla emphasizes that PPA is designed with strong privacy protections. Websites do not track you as the browser controls the process instead. Reports are encrypted and aggregated to ensure individual actions cannot be traced back to specific users; and users can opt out of PPA if they prefer not to participate.

In response to the criticism, Firefox CTO, Bobby Holley, has addressed the concerns in a detailed Reddit post. He emphasizes that PPA is a prototype designed to inform the development of a web standard for private attribution and that its privacy properties have been rigorously vetted. He highlighted several key points, starting with the economic realities of the advertising industry, which is unlikely to disappear.

Recognizing this, Mozilla aims to provide a privacy-friendly way for advertisers to measure performance, seeing it as a pragmatic solution to an unavoidable aspect of the web. He defended the collaboration with Meta on PPA, emphasizing that this partnership ensures the feature meets both stringent privacy standards and advertiser needs.

He also underscored the extensive research and standardization work behind PPA, involving the Multi-Party Computation (MPC) system called DAP/Prio, vetted by leading cryptographers. This collaboration and research aim to create a system that can genuinely reduce the need for invasive tracking while still providing necessary ad performance metrics.

Holley also acknowledges the importance of user choice and explains that the decision to enable PPA by default was based on the belief that most users would benefit from the enhanced privacy it offers. However, he assures users that they can easily disable the feature if they prefer.

If you are concerned about the privacy implications of PPA, you can easily disable it in Firefox:

1. Click the menu button (three horizontal lines) in the top-right corner.
2. Select “Settings”.
3. In the “Privacy & Security” panel, find the “Website Advertising Preferences” section.
4. Uncheck the box labeled “Allow websites to perform privacy-preserving ad measurement”.

The introduction of Privacy-Preserving Attribution in Firefox is a bold move by Mozilla to address the ongoing tension between online privacy and advertising needs. While the feature promises to reduce invasive tracking, it has also sparked significant debate within the Firefox community. Whether you support or oppose PPA, it’s crucial to understand what it does and how you can control your participation.

For those who prioritize privacy above all, opting out of PPA is a straightforward process. Meanwhile, the ongoing dialogue between Mozilla, privacy advocates, and users will undoubtedly shape the future of this experimental feature.