Firefox 128 contains back door for advertisers, contradicting its own advertising
Component: Core :: DOM: Core & HTML (defect)
Reporter: lukasmai.403+bugzilla.mozilla (Unassigned)
References: Blocks 1 open bug, Regression
Keywords: regression
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Steps to reproduce:
I upgraded to the current release version of Firefox, 128. A while later, I checked my "Privacy & Security" settings.
Actual results:
I discovered that a new section had appeared: "Website Advertising Preferences", containing one entry giving websites permission "to perform ad measurement".
Expected results:
This setting/functionality (PPA) should not exist in Firefox. At minimum it should be turned off by default ("opt-in").
Firefox is advertised as "the browser that protects what’s important. No shady privacy policies or back doors for advertisers. Just a lightning fast browser that doesn’t sell you out." Given that, Firefox should not include a back door for advertisers, let alone one that is enabled by default.
PPA is "for advertisers" because it certainly wasn't designed for users. (I didn't ask for this feature, I don't want this feature, and I certainly didn't expect this feature to be silently enabled for all Firefox users.) Even the PPA KB article flat out states "attribution is very important to advertisers" as the sole justification for this feature. It is a "back door" because it happens behind the user's back and sends data about their activity to some unspecified "aggregation service" even if the user has enabled tracking protection, uses an ad blocker, etc.
(Another contradiction: "Do what you do online. Firefox Browser isn’t watching." (Firefox marketing) vs PPA: "Websites that show you ads can ask Firefox to remember these ads. When this happens, Firefox stores an “impression” which contains a little bit of information about the ad, including a destination website." Sounds a lot like Firefox is watching, doesn't it?)
If PPA is not removed, the contradictions could alternatively be resolved by changing the marketing copy to something like: "Very few shady privacy policies and back doors for advertisers. Just a lightning fast browser that rarely sells you out."
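As an added example (not part of the bug report or of Firefox's own code), here is the check a profile owner or an endpoint administrator can run to see whether PPA submission is on in a given Firefox profile. It assumes the about:config key behind the "Website Advertising Preferences" checkbox is dom.private-attribution.submission.enabled (the key is not named on this page) and that, as the report states, an absent key means the feature is on by default.

```python
import re

# Assumption: this is the about:config key toggled by the
# "Website Advertising Preferences" checkbox; it is not named in the bug.
PPA_PREF = "dom.private-attribution.submission.enabled"

# Matches prefs.js / user.js lines such as:
#   user_pref("dom.private-attribution.submission.enabled", false);
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\);'
)


def parse_prefs(text):
    """Parse the user_pref(...) lines of a prefs.js or user.js into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw)
    return prefs


def ppa_enabled(prefs_text, default=True):
    """True if PPA submission is on; an absent key falls back to the
    Firefox 128 default, which the bug report says is enabled."""
    return parse_prefs(prefs_text).get(PPA_PREF, default)


def opt_out_line():
    """The user.js line that pins the feature off for a profile."""
    return 'user_pref("%s", false);' % PPA_PREF


# Constructed sample profiles (not real prefs.js files).
SAMPLE_DEFAULT_PROFILE = (
    "// Constructed sample: nothing about PPA has been set\n"
    'user_pref("browser.startup.page", 1);\n'
)
SAMPLE_OPTED_OUT = SAMPLE_DEFAULT_PROFILE + opt_out_line() + "\n"

if __name__ == "__main__":
    print("default profile, PPA on:", ppa_enabled(SAMPLE_DEFAULT_PROFILE))
    print("opted-out profile, PPA on:", ppa_enabled(SAMPLE_OPTED_OUT))
```

On a real profile, feed the contents of user.js (read after prefs.js, since user.js overrides it) to ppa_enabled.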
Comment 1•4 months ago
:emilio, since you are the author of the regressor, bug 1901068, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 2•4 months ago
The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 3•4 months ago
Disclaimer: I implemented the setting and the plumbing from the DOM side, but I'm not a comms person nor am I responsible for the underlying implementation of the API. I have some understanding about how this API works (all of which is public btw) tho, so I'll try to reply to your concerns to the best of my abilities.
> I discovered that a new section had appeared: "Website Advertising Preferences", containing one entry giving websites permission "to perform ad measurement".
You missed a key part of that, which is that it says giving them permission to perform privacy-preserving ad measurement. See the explainer linked below about the details.
> PPA is "for advertisers" because it certainly wasn't designed for users. (I didn't ask for this feature, I don't want this feature, and I certainly didn't expect this feature to be silently enabled for all Firefox users.)
See https://github.com/mozilla/explainers/tree/main/ppa-experiment#end-user-benefit. The point of this feature is to (eventually) allow advertisers to perform attribution without user tracking.
> even if the user has enabled tracking protection, uses an ad blocker, etc
If you use an ad blocker that still works, not sure what that's about. If the website records an impression when you're using an ad blocker (and thus not seeing the ad) then you're potentially giving confusing data to the advertiser, but they don't learn anything about you (they wouldn't learn anything about you anyways).
> Sounds a lot like Firefox is watching, doesn't it?
Not really, the key point here is that we don't tell (nor store) the information about what user is seeing what ad. We only report aggregated data to the advertiser.
It seems folks also missed the experiment part of all this, which means that this API is not exposed to random websites or advertisers. We're just experimenting with a few ads in e.g. MDN (where Mozilla is both the advertiser and the owner of the website that displays the ad) to validate the properties and viability of the technology.
Comment 4 (Reporter)•4 months ago
> You missed a key part of that, which is that it says giving them permission to perform privacy-preserving ad measurement.
As far as I'm concerned, "privacy-preserving" is semantically void. It is a marketing term, not a technical description. Omitting it doesn't change the meaning of the sentence.
> The point of this feature is to (eventually) allow advertisers to perform attribution without user tracking.
My point is that I don't want to allow advertisers to do anything with my information. That's why I use Firefox (which promotes itself as having "no back doors for advertisers" and "isn't watching"), enable "Enhanced Tracking Protection", etc. In particular, I don't want to "make advertising better" (which the technical explainer claims is an end-user benefit, somehow?).
This part from https://github.com/mozilla/explainers/tree/main/ppa-experiment#end-user-benefit is particularly funny:
> In comparison, the indirect benefits are likely to be significant:
> - The value that an advertiser gains from attribution is enormous.
Again, I do not want to make advertisers richer. As far as I can tell, your argument is something like: "If we provide 'enormous value' to advertisers, then they can pay more websites to place more ads, which means users have more websites to visit, which is good." (The document doesn't actually say that; all it dares claim is website ads "can be [under what conditions? source?] more equitable [by what metric?] than alternative funding models [which ones?]", which is surprisingly weak-sauce for something described as a "significant" benefit to end-users.) This is not aligned with my goals because I do not want to see more ads on the web. (Also, I don't believe in trickle-down benefits.)
> - If advertisers do not need to track people for attribution purposes, it makes it easier for us to identify and stop tracking.
This is a complete non-sequitur. How is one related to the other?
Who says advertisers will stop tracking just because they don't "need" to do it? They currently don't need to do it either, yet they still track users as hard as technically possible. If you give them more data via this back-channel built into the browser, they'll take it, of course, but why would they stop doing the other things they already have running and that provide more detailed information?
Secondly, if you can "identify and stop tracking" at the browser level, what keeps you from doing it right now, without building this advertising back-channel? Conversely, if identifying/stopping tracking is not currently feasible, what would PPA make easier?
>> Sounds a lot like Firefox is watching, doesn't it?
> Not really, the key point here is that we don't tell (nor store) the information about what user is seeing what ad.
Of course Firefox stores the information about what user is seeing what ad. Straight from the technical explainer:
> At impression time, information about an advertisement is saved by the browser in a write-only store. This includes an identifier for the ad and whether this was an ad view or an ad click.
(The user information is provided indirectly by the user profile, which is always available.)
Further:
> If cookies are cleared for that site, then the impression database is also cleared.
(The database of seen ads that you don't store?)
> The number of attributed conversions for a site is a secret that does not reset if the site clears cookies.
Oh, so now information about seen ads is even persistent beyond cookie data. Very cool.
Plus there is this bit:
> Our DAP deployment is jointly run by Mozilla and ISRG. Privacy is lost if the two organizations collude to reveal individual values.
That sounds more like "we could reveal your private data, we just currently don't want to".
> We only report aggregated data to the advertiser.
I don't want you to report any of my data to advertisers, aggregated or not. "No back doors for advertisers", remember?
And again, from the technical explainer:
> privacy protection for the trial should be as strong or stronger than the complete solution.
Or in other words: Once this feature goes from experiment to fully live, the door is open to weakening privacy protections.
> We're just experimenting with a few ads in e.g. MDN
... what is this "e.g." doing here? Why isn't there simply a list of participating websites (and aggregators)? Instead, the KB article only mentions a "small number of sites" with no details. The technical explainer says "sites that are opted in to the experiment will be able to access the API", but does not say what sites those are or who opts them in (probably not the end user, I'm guessing). Similarly, there is some unspecified "aggregation service", but we don't learn where/what that server is, either.
In the end, I still think there is an unresolved discrepancy between what Firefox promises to deliver and what PPA actually does.