
Misconceptions about Firefox's Privacy Preserving Ad Measurement

Mozilla's Privacy Preserving Attribution is an important step forward towards eliminating invasive tracking by AdTech companies. Unfortunately, it is being loudly contested by individuals who prefer to spread fear instead of learning about it.

Andrew Moore Jul 13, 2024

With Firefox 128.0, Mozilla has shipped its experimental Privacy Preserving Attribution API. The feature, which is enabled by default, has received a lot of pushback from individuals online. As someone who values privacy, I do believe that this pushback is misguided. Reading about its raison d’être as well as reading the technical details of the implementation[1][2] convinces me that this is genuinely an important step forward towards eliminating invasive personal tracking by AdTech companies.

Too Long; Didn't Read

Mozilla’s PPA initiative shifts metrics and tracking away from tracking you as an individual, towards tracking the ad campaign in a personal privacy preserving way. The way those metrics are collected ensures individual privacy, and enables advertisers to measure the success of a campaign without having to track you.

As someone who really values personal privacy, and despises advertising and tracking, I will be keeping PPA enabled in my browsers as it reduces the incentive from AdTech companies to track in an invasive way. It also simplifies my blocking of telemetry as I only have the DAP service endpoints to block.

I hate advertising, but…

I’m someone who despises advertising and tracking. I hate that businesses mine your data to personalize ads and sell you more stuff. I aggressively block any attempt at telemetry on my devices by disabling any telemetry toggle that’s available (other than error/exception reporting; those can lead to a better product), employ network level measures using pfBlockerNG to prevent connections to known telemetry and tracking services, install uBlock Origin in all my browsers, alongside many other measures I take to minimize tracking. I also live as I preach. There are no trackers on this website, and I collect nothing beyond access logs[3]. I truly believe that privacy is a fundamental human right.

That said, as much as I hate advertising, I also understand that it is fundamental in providing funding for services (such as YouTube, or most news organizations) that enable the free flow of information online. Humanity would be far worse off if information were to be locked behind paywalls. For democracy to function, for humanity to keep getting better, information must be accessible to all, not just to those who have the means to pay for it.

Why track in the first place?

Advertisers track for a variety of reasons. The main reason behind tracking is to measure the success of an ad campaign. Ad agencies[4] have a duty to provide metrics to their customers. This is to ensure that advertising budgets are well spent.

For online campaigns, ad networks started providing analytics services that would enable their customers to know if a particular advertisement led to a conversion[5]. Since ad networks are in control of that analytics pipeline, and their revenue stream depends on increasing the rate of conversions for their customers, they started tracking each individual to provide them with advertisements that had a greater chance of leading to one.

This type of individual tracking crosses the line of what’s acceptable for a lot of people, including myself. I do not want every individual action that I take online to be fed to a machine whose only purpose is to show me advertisements that are more relevant to me in the hope that I spend more money.

That said, the initial need to measure the success or failure of an advertising campaign is still there, and is still fundamental in ensuring that marketing budgets are well spent. Campaign tracking has been used in traditional marketing for decades: phone numbers were often purchased for the sole use of a campaign in order to track the number of calls it generated; rebate coupons included with print advertisements have been used to track the success of a traditional advertisement campaign by analyzing the return/use rate of those coupons… Campaign success measurement is nothing new.

Only in the online age has advertisement pivoted towards invasive individual tracking. And as much as I hate to admit it, advertisements have been there for a long time, and they are not going away anytime soon. So what do we do to shift tracking and metrics collection back on the campaign, and not on the individual?

Enter Privacy Preserving Attribution

The solution starts by decoupling metric collection from ad networks, and instead only providing them with noisy aggregate metrics that still allow them and their customers to measure the success of a campaign in a relatively accurate way, without compromising the privacy of each individual.

Mozilla’s Privacy Preserving Attribution API is a lightweight version of the larger Interoperable Private Attribution proposal, currently in the works, that aims to do just that. The goal of this API is to study the viability of such systems so that ad networks can start moving away from invasive individual tracking.

The way this works on the browser side is relatively simple. When an ad is viewed or clicked, an “impression” is registered by calling navigator.privateAttribution.saveImpression() with a parameter containing the following information:

type PrivateAttributionImpressionOptions = {
  type: 'view' | 'click';
  index: number; // unsigned int - the histogram index for counting this impression
  ad: string; // a unique identifier for the ad placement
  target: string; // the advertiser site/origin where a conversion will occur
};

That information, along with the origin of the website where this impression is registered, is then stored locally in your browser’s profile location.

If ever you do an action on the target site that would be considered a conversion, the site can call navigator.privateAttribution.measureConversion(), specifying what locally stored impression should be evaluated when verifying if it is indeed a conversion.

type PrivateAttributionConversionOptions = {
  task: string; // unique identifier of a preconfigured aggregation task.
  histogramSize: number; // unsigned int - how many histogram buckets should be generated. This controls the maximum "index" of an impression.
  lookbackDays?: number; // unsigned int - optionally limits the impressions that are matched to those within the specified number of days.
  impression?: 'view' | 'click'; // optionally limits the type of impressions being considered
  index: number; // unsigned int - the histogram index for counting this impression
  ads?: string[]; // optionally lists the ad identifiers that need to match to select an impression
  sources?: string[]; // optionally lists the publisher site/origin that need to match to select an impression
};

Impressions are evaluated based on that information, as well as on the target specified during the time of the impression being registered. If there is a match, an array of size histogramSize is generated with a 1 at the index position defined by the impression index. That array is sent to a Distributed Aggregation Protocol (DAP) provider run by an entity other than the ad network. In the case of Mozilla, the Internet Security Research Group (ISRG)[6] is their DAP partner.

Ad networks and other AdTech providers can then request aggregate reports from the DAP provider. Reports are anonymized by using differential privacy, and other measures (including some cryptographic schemes to protect individual reports). At no point is a collector able to see or interact with individual conversion reports, which ensures that you are not individually tracked.

Since the DAP server acts as a middleman, and reports are only generated at conversion time (impressions without conversions are not reported), ad networks have no way, through this method, of collecting your personal information (such as your user information or your IP address/browser client info). All they receive is an aggregate that informs them that their ad y (published on source z) led x people to a positive outcome for their customer over a period of time p. Some amount of noise is also added to the information in order to further strengthen privacy[7].
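As an added illustration that is not Mozilla's code, the following simulates the browser-side matching and one-hot histogram described above, together with a toy stand-in for the aggregation step. Last-touch selection among several matching impressions and the injectable noise function are assumptions of this example, not details taken from the page.

```javascript
// Added simulation (not Mozilla's code) of the browser-side matching the page
// describes. Option shapes follow the page; last-touch selection of the newest
// matching impression and the toy noise are assumptions of this example.
const DAY_MS = 24 * 60 * 60 * 1000;

class PrivateAttributionSim {
  constructor() { this.impressions = []; }  // stand-in for the profile store

  // Models navigator.privateAttribution.saveImpression(opts) on publisher `source`.
  saveImpression(source, opts, now) {
    this.impressions.push({ ...opts, source, time: now });
  }

  // Models navigator.privateAttribution.measureConversion(opts) on advertiser
  // `origin`. Returns { task, report } with a one-hot histogram, or null when no
  // stored impression satisfies every filter the page lists.
  measureConversion(origin, opts, now) {
    const matches = this.impressions.filter(imp =>
      imp.target === origin &&
      (opts.lookbackDays === undefined || now - imp.time <= opts.lookbackDays * DAY_MS) &&
      (opts.impression === undefined || imp.type === opts.impression) &&
      (opts.ads === undefined || opts.ads.includes(imp.ad)) &&
      (opts.sources === undefined || opts.sources.includes(imp.source)));
    if (matches.length === 0) return null;
    // Assumption: the most recent matching impression decides the bucket.
    const latest = matches.reduce((a, b) => (b.time > a.time ? b : a));
    // histogramSize bounds the usable index; an out-of-range bucket cannot be
    // reported, so treat it as no match rather than truncating silently.
    if (latest.index >= opts.histogramSize) return null;
    const report = new Array(opts.histogramSize).fill(0);
    report[latest.index] = 1;
    return { task: opts.task, report };
  }
}

// Toy stand-in for the DAP aggregation: sum the one-hot reports per bucket and
// add noise per bucket. noiseFn is injectable so results are reproducible; the
// real deployment draws differential-privacy noise instead.
function aggregateReports(reports, histogramSize, noiseFn = () => 0) {
  const sums = new Array(histogramSize).fill(0);
  for (const r of reports) r.forEach((v, i) => { sums[i] += v; });
  return sums.map((v, i) => v + noiseFn(i));
}
```

Note that only the aggregated histogram leaves the simulated aggregator; the individual one-hot reports are never exposed to the caller of aggregateReports.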

It’s important to know that the implementations and specifications are publicly viewable and auditable if you so desire. The DAP specifications are currently being worked on and the drafts are available on GitHub or IETF. The browser-side DAP client and the server-side DAP implementations are licensed under the Mozilla Public License 2.0; and their source code is available in Mozilla’s mozilla-central Mercurial repository (DAP Toolkit, Private Attribution), and ISRG’s divviup/janus Git repository respectively.

Only a Partial Solution

Interoperable Private Attribution and Mozilla’s Privacy Preserving Attribution API experiment are only a single piece of the puzzle towards eliminating invasive individual tracking.

One other important piece of the puzzle is to ensure that legislation is in place to outlaw invasive tracking in the first place. Legislation like GDPR (Regulation (EU) 2016/679) in Europe, or Law 25 (CQLR c P-39.1; SQ 2021, c 25) in Quebec (more relevant to me personally) are a good step, but comprehensive legislation changes in the world’s biggest markets need to happen for a substantial reduction in invasive tracking to occur.

Without strong privacy protection that is codified in law, businesses will always have monetary incentive to track individuals in order to maximize their profits. Sadly, the United States doesn’t seem to have an appetite for protecting their citizens’ privacy.

Why have PPA on by default?

Quite frankly, because the privacy of each individual user benefits from having a larger cohort at the aggregation phase. You have to remember that the alternative is NOT the absence of tracking, but invasive personalized tracking done by ad networks. Doing aggregate tracking in the most private way is the less invasive option between the two.

In Firefox specifically, if you want to prevent tracking completely, I would suggest keeping the option on, but navigating to about:config and modifying the following two properties to a loopback address:

  • toolkit.telemetry.dap_helper
  • toolkit.telemetry.dap_leader

This will prevent any conversion reports from being sent. Enable Strict Enhanced Tracking Protection, and install add-ons such as uBlock Origin, and you should have a pretty robust setup for preventing tracking. I recommend looking at Securefox.js (part of Betterfox) if you want to harden your tracking protection stance even more.

Mozilla’s Failure: Communication

Arguably, the biggest failure of Privacy Preserving Attribution (PPA) is Mozilla’s failure to clearly communicate and explain this experiment to its users. Changes that affect user privacy, positively or negatively, should be prominently displayed in the “What’s New” page. This page, which contains the release notes and opens automatically when an update is installed, is the perfect opportunity to inform users about features that may impact them. While PPA is listed in the current release notes, it isn’t prominently displayed.

It would have been nice to also have an about:welcome style opt-in/opt-out dialog where PPA would have been clearly explained to users (with high-level information about the measurements being made available to ad networks/advertisers). Ambiguity, and the prevailing user sentiment that this is something that is being sneakily forced upon them, may actually harm Mozilla’s ability to convince users that this is truly an improvement over the existing status quo of invasive user tracking.

Mozilla Responds

Mozilla’s CTO Bobby Holley has since posted a response to the controversy on the /r/Firefox subreddit. It is worth a read.

If that came to pass, it would be a huge missed opportunity. PPA is a strong step forward towards preserving user privacy. This is a change that, in my opinion, benefits the end user in the long run. Fighting against everything remotely related to advertisements makes no sense. If a change is positive when compared to the status quo, there is no reason we shouldn’t support this, even if our opinion of advertising and tracking in general is very negative (as mine is). This is still a huge step in the right direction, and one that I welcome cautiously.

Footnotes

  1. Source: Experiment: Privacy-Preserving Attribution Measurement API

  2. Source: Distributed Aggregation Protocol (DAP) for Privacy Preserving Measurement IETF Draft

  3. See my Privacy Policy for more information.

  4. Disclosure: I worked for an agency for 7 years as a Solutions Architect working on eCommerce solutions.

  5. A conversion is any action by a user that leads to a favorable outcome for the advertiser (a purchase, a registration for an event, etc.).

  6. The Internet Security Research Group (ISRG) is a trusted public benefit/nonprofit organization that is notably in charge of running the nonprofit Let’s Encrypt Certificate Authority.

  7. This is done through differential privacy.