So how does one turn it off?
There's nothing obvious in the security settings for this Linux Firefox 130.0.1
Privacy activist group noyb has filed a complaint against Mozilla over a "Privacy Preserving Attribution" feature that was quietly enabled in Firefox following a July update. "Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb stated this morning. Worse: "Mozilla decided …
Thanks. Turned off now.
Obviously one would search for it in the advanced settings, and not in e.g. Advertising Preferences (despite Biddi...'s comment, it's not visible there in this version). There's no such section; the nearest is 'Website Privacy Preferences'. Odd.
It would have been good for the article to point out where the setting is located. It's under "Website Advertising Preferences" since version 128. The description makes it sound like a terrible thing, like it's GIVING websites a whole NEW capability to measure ad performance on your machine, and does not make it sound like the browser is STOPPING them from doing the previous privacy-violating things. If it's actually taking away their ability to track you, then it should be made more clear. If it's not really disabling any capabilities, then it's nothing but giving Firefox/Mozilla the ability to track you in addition to all the previous stuff.
Just for your own sake if you don't like the feature, and because they don't explicitly say anything about it and this is confusing, I would make the assumption that about:config is what is actually happening (and so you should change it to false if you really want to make sure this is disabled). I searched though, and it turns out the option gets grayed out and unchecked if you have "Allow Firefox to send technical and interaction data to Mozilla" unchecked (which makes sense, as WSAP sends data to Mozilla). Theoretically this should mean that the settings page's indicator shows what is actually happening and supposedly that's how Firefox normally works, and you can disregard what about:config says. Having one setting automatically change other settings should also be more clearly indicated (since they added WSAP recently, so someone who had telemetry disabled already would have no idea why WSAP was disabled). Good programming and user interface design would make them match, of course, but consistency and following up on things like that has not been a programming guideline for a long time, at any company.
"It's strange. My own WSAP is already "Off" (and I did nothing to change it), yet in about:config
dom.private-attribution.submission.enabled
is set to TRUE. So, which does what and are they conflicting?"
They are conflicting!
You have to explicitly enable "Allow Firefox to send technical and interaction data to Mozilla" in order to see the true state of the "Allow websites to perform privacy-preserving ad measurement"" setting. Otherwise it appears to be also disabled when the former is unchecked -- but if you then check the "dom.private-attribution.submission.enabled" setting, it's still set to "True" even though the checkbox for it in Settings is blanked!
This behavior, if deliberate, seems a bit sketchy.
To turn it off, you have to first check the "Allow Firefox to send technical and interaction data to Mozilla" box and then explicitly uncheck the "Allow websites to perform privacy-preserving ad measurement""checkbox, finally unchecking "Allow Firefox to send technical and interaction data to Mozilla" again, OR you have to go into about:config (not even possible under Android -- thanks a bunch, Mozilla) and toggle "dom.private-attribution.submission.enabled" to False.
Works this way under both Windows and Linux.
Disabling the technical data going to Mozilla does disable the WSAP function, which is why it shows that it's off when it's grayed out. It can't send data if you've told the browser to never send data to Mozilla, as it's a complete override. The fact that the about:config setting doesn't get changed to match is just poor design, but is only cosmetic. The only reason to enable telemetry and manually disable the setting then disable telemetry again is paranoia, which isn't necessarily bad, but as long as that option doesn't show it's turned on, you should be safe.
"Disabling the technical data going to Mozilla does disable the WSAP function, which is why it shows that it's off when it's grayed out. It can't send data if you've told the browser to never send data to Mozilla, as it's a complete override. The fact that the about:config setting doesn't get changed to match is just poor design, but is only cosmetic."
Kudos to you, pal, if you've really taken the time to wade through the Firefox source code and can verify for the rest of us that it actually behaves in the manner that you have described above (or you are a Mozilla developer involved in this area of the codebase -- in which case, thanks for jumping in here). Otherwise, your supposition regarding how it all behaves behind the scenes is absolutely as good as mine -- but no better.
Why change the visible state of a checkbox which becomes grayed-out if the underlying variable itself remains unchanged (whether overridden by other settings or not)? Mozilla has been in this business long enough to know a thing or two about good UI design -- and where is this more sensitive and important than on the Privacy and Security page of the Settings interface?
Easily discoverable if you have an inkling that you need to go look for that specific type of setting, and then you still have to actually look at every section for changes. That section didn't even exist until this setting was added. For a browser, it needs to be "hey, before you can proceed, you need to be aware that this setting exists".
It's a checkbox right there in Privacy and Security in the main Settings interface.
"Website Advertising Preferences
Allow websites to perform privacy-preserving ad measurement
This helps sites understand how their ads perform without collecting data about you. Learn more"
"easily discoverable opt out option + blog posts" -- The overwhelming majority of users, even the "advanced" people that use Firefox because they don't like Google, won't be reading blog posts regarding every point release or even major release of the application, and most probably just quickly close out of the "What's New" tabs that open when a browser or other application first runs after an update, without reading them. They just want to get on with their activity. Being "easily discoverable" just means that it's in the settings page and doesn't need you to drill down through sub-menus, and at least a large percentage of users probably don't even look at settings a single time and the rest don't look at after their first time setting up the browser on a new machine, so without a popup that clearly says this setting exists and they have to acknowledge it people won't know it exists. With MS Edge, I got used to needing to peruse all the Settings pages after every update because Microsoft would randomly add entirely new privacy-violating features or integrate new applications as if they were browser features; Mozilla shouldn't be following Microsoft's lead on this.
"With MS Edge..."
Top tip: delete the subdirectories of everything even vaguely labelled "Edge" in Progra~1\Microsoft, and then revoke all permissions to those folders, assigning the owner to some dummy non-admin account. You may find that certain Windows Store "apps" stop working – e.g., the new Netflix "app" – but this just means it was never an app in the first place but rather an Edge window connecting to a website. (There's never any excuse for someone to release a so-called app like that: just admit it's not an app and I'll just go to the website in FF.)
Because you stated,
"With MS Edge, I got used to needing to peruse all the Settings pages after every update because Microsoft would randomly add entirely new privacy-violating features or integrate new applications as if they were browser features"
What I gave was solution to the problem of Edge and its various privacy violations – this is a problem that you, among many other people, may continue to have. If Edge cannot be run, then the problem goes away. This is, in my opinion, the best and indeed only solution to having Edge rammed down my throat without my consent at every update.
I just looked on the normal settings page for privacy and security and there is a new section:
Web Site Advertising Preferences
Allow web sites to perform privacy-preserving ad measurement
However the check box is not ticked and it is impossible to tick anyway. Maybe one of my other security settings or ad-ons overrides this new feature?
However the check box is not ticked and it is impossible to tick anyway.
If you have unticked Allow Firefox to send technical and interaction data to Mozilla, the option to Allow web sites to perform privacy-preserving ad measurement is greyed out.
If you haven't, it appears to be on by default.
Can you please stop giving statcounter any credence?
When was the last time that you actually saw a website that had a statcounter spyware beacon on it?
As a Firefox user with NoScript (of course), I know every dodgy connection that every miserable data reaping website (that I have the misfortune to have to interact with) tries to make. I don't think I have seen statcounter appear in the list of attempted connections at all for at least a decade, if not longer, and, if I had, I would have marked it as "untrusted" the first time I saw it - as would most likely be the case for a large proportion of Firefox users. One of the reasons we use Firefox is because We Really Really Don't Like Spyware Tracking!
The Wikipedia article quotes W3Techs (admittedly, I don't know how authoritative or trustworthy they are) as showing that statcounter really isn't used by very many websites.
Then maybe the rest of corporate America should sponsor FF.
I run Brave for basic web browsing with basic settings. I use Vivaldi for banking(and online purchases for work, I have over 30 credit cards I use for different properties).
My real defence against tracking and ads is a tight Group Policy, a big ass Host file(125K sites blocked), major firewall rules that kill the MS sniffing shit, and I take ownership of all browser folders. Also, TrustedInstaller is limited to read only(browser folders only)so nothing gets backdoored(updated) unless I say OK.
So if FF wants to suck Google's wanker, they are more than welcome to. The CEO of FF should get off his ass and start marketing their product to companies that really worry about their privacy, secuity, and bandwidth.
The blog post from Mozilla, which most people wouldn't have known to read in the first place, provides some useful details about how this system works. I'm inclined to trust them on that part. What it doesn't say is why it was worth doing this. They describe the technology they've built and just stop, as if we already understand why such a thing was needed. Since I don't think such a thing is needed, because advertisers can already track the success of their ads by looking at their server logs for which links someone clicked on, and because I don't care about whether they have the tools they want or not, I am still in the dark about why this was worth Mozilla's time.
This, a thousand times this.
Their sop toward the ad industry is exactly that, a sop.
Don't give them anything and work harder to block what they do. This is what should differentiate FF from the rest and this tech is the sort of thing that undermines that.
It still boggles my mind that ad slingers fight tooth and nail to force their tripe on people who are trying very hard to avoid them. Do they believe this somehow ingratiates their shite with those they successfully hack through to? Are there not enough normies out there happily handing out their data already for them to pore over.
It still boggles my mind that ad slingers fight tooth and nail to force their tripe on people who are trying very hard to avoid them. Do they believe this somehow ingratiates their shite with those they successfully hack through to?
Surely the ad-slingers want to get as many views as possible because that is the metric of success/payment they need to present to those paying for the ads. Getting sales is the sponsor's problem - and for some reason the sponsors think that getting views is helping them.
The only thing that seems to have caused sponsor's to pause for thought is when they find out their product ads are appearing alongside very unsavoury web-content.
Correct response: Give users sufficient information to make such an informed decision.
Idiotic response: Just turn the damn thing on and hide any information about what it does on a blog I didn't even know existed (and probably wouldn't pay that much attention to if I had).
Well done, Mozilla. You should be trying to entice users, not piss them off.
If “Mozilla believes that users are too dumb to say yes or no”, then the feature should be off by default, since by definition if you can’t understand something then you are incapable of giving informed consent - it’s the basis of Powers of Attorney...
I expect that Firefox is not engaged in collating data and sending a monthly report (which would be expensive), but rather blindly instantly sends to an Ad UID to the Ad Provider when the user interacts. So the Ad UID just has to be granular enough to identity the user.
C.f. Mozilla 2023 Annual Report: CEO pay skyrockets, while Firefox Marketshare nosedives [lunduke . locals . com]
I know some of the senior technical folk who work (or worked) at Mozilla from their participations at IETF and they always seemed very privacy focused to me.
E.g., they wanted to use things like private relay when uploading telemetry data from the browser so that even their own backend systems cannot know where the data is being uploaded from (to mitigate the risk of a rogue employee being able to identify the source).
I think that these guys are genuinely trying to do the right thing and trying to find a fair balance between end users and the advertising industry. E.g., generally know how your adverts are performing without being able to track and individuals.
I know some of the senior technical folk who work (or worked) at Mozilla from their participations at IETF and they always seemed very privacy focused to me.
And yet they still don't get that adding new opt-out settings in a release for the user to find sometime later is not informed consent and they still don't get there's other things apart from advertising.
I understand they need money but they still haven't done the one thing that could make them that money which is Firefox making it easy to allow micropayments for online content and Mozilla gets a small commission (not 30%) for each micropayment and obviously no wallet loading or crypto nonsense. I.e. the user goes to a blog or a video, hits a button, confirms the amount or enters the amount to tip, and gets access. Perhaps some kind of integration with Kofi and Patreon. If we want to get away from advertising-driven data slurp, that's what we've got to do.
Micropayments like that would surely require Google to be involved - as YouTube is the biggest platform for creators that would have loyal fanbases like that (Tiktok and the like are more for doomscrolling.) I can't see Google being on board with that - *they'd* want the cut, not Mozilla.
Pardon me for saying this, but that's stupid. If your ads work, your sales will increase. No other metrics are required.
Don't try to force your ads on those of us who resist, because I, for one, will automatically NOT buy whatever it you've just advertised at me. You could use nude supermodels in your ad and I would still not consider buying your merchandise.
Also, for you morons who don't mention your product name in your ads on video streaming sites; I'm not watching, I'm only listening, so how am I going to know who's product to avoid if you don't mention your company name, or your product name?
And another thing. If I'm listening to quiet fifty year old Irish folk music, an ad with loud modern-day rap music is NOT going improve my reception of your already unwanted ad.
The advertisers do need to know WHICH ads worked, and where. Unfortunately the whole advertising and marketing industry, and how horrible they have become, is just a symptom of late-stage capitalism, and something we needed to put controls on many decades ago and now can't pull back on.
The advertisers do need to know WHICH ads worked, and where.
So, build that into the ad.
Best approach: Give the punters a reward for telling you. The ad includes a "discount code" or other freebie which tells you which ad&channel the user saw when they come to you. And it is up to the user - they can still buy your product without the discount if they aren't willing to tell you how they found you.
Not quite so good approach: make clicking on the ad include an ID in the URL. Not so good because the user can't contact you if they are unwilling to let you know which channel they used, and people who buy your product later through a different channel (supermarket, for example) don't give you the advertising channel ID.
The problem I see isn't so much with the implementation of this feature, but how this will conflict with Mozilla's medium term interests to make money from online ads.
In the end personalized and non-anonymous ads will simply be much more profitable for Mozilla and this may result in them eventually "downgrading" users' privacy to allow "limited" tracking (or some other Orwellian term being used) of their shopping behavior.
That's why I would advise Mozilla: don't go there! Once you start on this road there's no turning back.
feel sad as firefox (my daily driver and the default on all my customers) doesn't really have a future anymore
just got bloated/lazy on the google monies, just human nature
bit like giving your kid too much pocket money and then wondering why they turned out that way later :)
google are proper bastards... they paid a clever game and won!
hindsights a wonderfull thing ... not
glimmer of hope ... it is fully open source (yay) so can be forked as it withers
shame, probably good peoples there ..let down by the "uppers" behaving all corporatey
I want my browser to send *nothing* to any third party, be they advertiser or browser developer. I don't want it pulling crap from anywhere outside the domain containing the URL I typed or clicked on.
If the browser isn't working right then *I* will submit a bug report - or not if I choose.
If you want to serve me ads, then do it from within your own domain and keep any data identifying my machine *out* of your feedback on impression counts to the advertisers. While accepting that just because you served it doesn't mean I have to have rendered it!
...'opt in is only meaningful if users can make an informed decision,"'
If I cannot make an informed decision about something, most of the time, the correct assumption is that I don't want or should buy/activate/use the "something" in question.
For example, if I cannot make informed decisions about how the stock market works, I don't buy stock. If I cannot make an informed decision about how to handle a powerful Motorcycle, I probably shouldn't try to handle a beast that can go 250 km/h.
So yeah. No. Luckily, there is no shortage of privacy enabled chromium based browsers these days.
https://github.com/mozilla/explainers/tree/main/ppa-experiment explains how this works and I do not believe it falls afoul of GDPR et al as PPA does not track you, it tracks ads and whether they were viewed/clicked - not by whom.
> A site can register ad impressions, either when the ad is shown or when the ad is clicked, at their discretion.
Without a way to do this elsewhere, for example in the browser, Advertisers only way to measure ads is with the privacy-destroying, invasive tracking we're all desperate to escape from. With PPA, Advertisers can answer questions like "How many times was ad X seen?", "How many times was ad X clicked?" and little else.
The title describes your post perfectly. "We're not tracking you - we are tracking ads and clicks in your browers"
If there is no legal way to count how often someone using my browser clicks on an ad without my informed consent than that is bad luck for the advertisers -> It means they have to do without that data.
They are not entitled to that data.
I side with Max, my data is None Of Your Business.
Bullshit. The content delivery network hosting the ad can tell them exactly how many impressions they got....or would if browsers didn't preload data. If the CDNs aren't happy because some bastard wrote a background ad watcher plugin, well tough, stop providing ads to that browser (and ad me to this list).
It was off by default for me.
I carefully read Mozilla's description: click the ? on the option. It does seem to preserve privacy. If it gains traction it would be much better than the current illegal cookie situation where when I search for something, my wife gets the advertising...
I have clicked it on. I wish them luck!
"the tracking is effectively done within Firefox itself and handed over anonymously to an aggregation service, which can give advertisers the information they need without compromising a user's privacy."
I would argue that "they need" should be changed to "they want".
Advertisers do not "need" anything (other than nuking from orbit)
Reading the developer's responses
'it's about privacy' , 'it's about privacy', 'it's about privacy'
'wait, how would the web work if it didn't have adverts?'
attempt to shift the goalposts
'yeah, it's about money' (implied).
It's not Firefox's responsibility to look at how the web is funded. Create a decent browser that leaks the minimal amount of user information. This is not achieving those aims.