Mozilla, the non-profit behind the Firefox web browser, faces a complaint by European Union privacy rights group noyb, filed on 25^th September. The complaint accuses Mozilla of violating the General Data Protection Regulation (GDPR) by tracking Firefox users by default without their consent.

Known for its strong stance on privacy, Mozilla’s involvement in a privacy complaint is surprising, with the organization previously championing web users’ privacy rights, such as by siloing cookies to prevent cross-site tracking.

However, noyb claims that a new Firefox feature effectively turns the browser into a tracking tool for websites. noyb argues that even the name of the feature, “Privacy Preserving Attribution (PPA)”, is misdirection.

“Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites,” noyb wrote in a press release. “In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update. This is particularly worrying because Mozilla generally has a reputation for being a privacy-friendly alternative when most other browsers are based on Google’s Chromium.”

“Similar to Google’s (failed) Privacy Sandbox, this turned the browser into a tracking tool for websites,” noyb wrote, adding: “While this may be less invasive than unlimited [cookie-based] tracking, which is still the norm in the U.S., it still interferes with user rights under the EU’s GDPR.”

The argument from noyb is that although this is better than cookie tracking, it is not enough. Particularly when it has been turned on by default and goes unmentioned in Mozilla’s data protection policies. The only option for users to turn it off is to find the opt-out function in a sub-menu of the browser’s settings. The tech lead at Mozilla even believing that users are not able to make an “informed decision” about PPA as it is too difficult to explain.

Commenting in a statement, Felix Mikolasch, data protection lawyer at noyb, said: “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool. While Mozilla may have had good intentions, it is very unlikely that ‘privacy preserving attribution’ will replace cookies and other tracking tools. It is just a new, additional means of tracking users.”

“It’s a shame that an organisation like Mozilla believes that users are too dumb to say yes or no,” Mikolasch added. “Users should be able to make a choice and the feature should have been turned off by default.”

The noyb-backed complaint, which has been filed with the Austrian data protection authority, accuses Mozilla of failing to inform users about the processing of their personal data and of using an opt-out — rather than an affirmative ‘opt-in’ — mechanism.

If EU privacy regulators agree with the complaint, the Firefox-maker could be faced with orders to change tack — or even face a penalty. With the GDPR allows for fines of up to 4% of global revenue, this could be a costly choice.

Mozilla has since issued a statement via Christopher Hilton to Techcrunch, director of policy and corporate communications:

“PPA allows advertisers to measure overall ad effectiveness without gathering information that identifies specific individuals,” Christopher wrote. “Rather than collecting private information to determine when consumers have interacted with an ad, PPA is built on cryptographic techniques to enable aggregated attribution that preserves privacy. These techniques prevent any party, including Mozilla, from identifying individuals or their browsing activity.”

The effort is aimed at improving “invasive advertising practices by providing technical alternatives”, he also suggested, further claiming the feature is “easily disabled” in Firefox’s settings.

Hilton added that Mozilla welcomes opportunities to engage with stakeholders, its own community of users and regulators as it builds out the technology.

While this could have been a step in the right direction for privacy browsers that used more invasive cookies, this feels like a step backward for Firefox with its historical focus on privacy. This could end up alienating users who had relied on the browser for just such features, driving them away to other browsers that are more open about their data collection methods.

In theory, this feature could be a good solution for companies to collect anonymous data and allow users a personalized experience. But, as ever, it is vital to be open and honest with users about changes to how their data is being used and if they want to opt into it.