Published Wednesday 17th July 2024

Firefox 128 and the Privacy Preserving Attribution API

On July 9th 2024, Mozilla released Firefox version 128 and, amongst various new features and changes, this release enables a new controversial setting by default - the experimental Privacy Preserving Attribution API (PPA API), which provides an alternative to user tracking for ad attribution.

Mozilla is normally a more privacy-focussed developer, at least compared to the likes of Google, Apple and Microsoft, whose web browsers dominate the market. Many people choose Firefox over Chrome because of its enhanced tracking protection features, and I've previously written about how it even blocks Google Analytics by default, so Mozilla's decision to roll out a feature designed to make it easier for ad companies to track you seems like a backwards step.

In Mozilla's defence, it's worth noting that the Privacy Preserving Attribution API (PPA API) is designed to offer advertisers a way of knowing whether their ads are working without actually tracking the websites that you visit, which is how the traditional system works.

To give a little background: when you see an advert on a website, the advertiser has paid to be there, usually via a monetisation model that charges them a fee every single time a person clicks on that advert. Websites cost money to run, and many of them cover these costs, and make a profit, by allowing advertisers to place links rather than by charging visitors to access content. It's important to the advertiser, though, that the clicks they're paying for are worthwhile. Imagine, for example, paying to advertise your product on 2 separate websites, where 1 website generates, say, 1,000 clicks to your product a day but only 1 of those clicks becomes a customer, and the other only generates 100 clicks but still 1 of those becomes a customer. You're effectively paying for 1,100 ad views and getting 2 customers for your money, but you could reduce this spend by almost 91% and only lose 50% of your sales if you stop advertising on the website that's generating 1,000 clicks. To know these figures, and that you can reduce your advertising spend so significantly, you need some way of finding out which site your customers are clicking through from, and traditionally that's where user tracking comes in.

Ad networks usually tell your browser to create a tracking cookie whenever you visit a website that incorporates that network's ads. Cookies are text files created by web browsers which hold whatever information a website wants to dump into them, and expose that information to whatever other websites the original creator wants to allow access to. So if 30 websites all incorporate the same ad network, then all 30 of those websites can access the same text file of information. Each of them can, for example, drop their own URL into the file and read all the other URLs that have been dropped in there, to determine which of the 30 websites you've already visited. This is known as cross-site tracking, and it means that when you land on the advertiser's own product page, that page can look in the ad network's cookie file and see exactly which websites you saw their advert on and in what order, even if you didn't actually click on the advert to get to their product page. You might, for example, have seen their advert on a page you visited last week, then suddenly remembered hearing about it, so now you've decided to Google for the product and clicked through to the product information page just now, at which point the product page can look in that cookie and see that although you came from a Google search, you originally heard about them from an advert you saw last week, and on exactly which website you saw it. So although you didn't even click on that original advert, paying the original website to show it to you was still worthwhile.

With the cookie mechanism, websites can dump absolutely anything they like into these text files and allow other websites on their network to read that information. So if you visit a website about a particular topic, that topic is going to be dumped into that tracking cookie, and the advertiser is going to develop a profile of you from the topics it deems you're interested in. Most likely, it'll start advertising products that fit those interests, so if you visit a lot of websites selling televisions, for example, you're going to start seeing adverts for more televisions. There's no real limit to how far this can go, or to how personally identifiable you might become from your browsing habits.

Of course, as useful as this system is to the advertisers and to the websites displaying adverts, it's a massive privacy risk for consumers and, for this reason, cookies have developed a bad reputation. They're rarely used for anything other than tracking, as we simply have much better, privacy-focussed systems for storing per-visitor data server-side, so actual website functionality such as login mechanics and shopping baskets doesn't need to rely on cookies unless that website specifically wants to expose such information to other websites. This is why we, in the EU and UK, now have the admittedly annoying cookie opt-in prompts that you see on just about every website these days, and why you should absolutely reject every single one of them, and/or use a browser like Firefox which blocks the majority of tracking cookies by default.

The point, then, of the Privacy Preserving Attribution API (PPA API) is to offer advertisers a similarly useful system in a way that doesn't breach your privacy as horrifically as the cookie system does. To quote from Mozilla's own Privacy Preserving Attribution API page:

"Mozilla is prototyping this feature in order to inform an emerging Web standard designed to help sites understand how their ads perform without collecting data about individual people. By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web."

In a nutshell, the PPA API allows websites to ask Firefox to internally store the website URL and a hit count, but not much else. So rather than creating a cookie with all sorts of potentially sensitive information dumped in to look back on later, Firefox will only store very specific information, not just anything the website wants to dump. Then, later on, when another website wants to read this data back, it can ask Firefox to submit an anonymised summary to an aggregation service, which merges all submissions from all PPA API-supporting browsers into a single report for the ad network to read from.

What this effectively means is that, with the 30 website example above, if you visit 3 of those websites then your browser will internally store the 3 website URLs which you visited. Then, when you land on the advertiser's own product page and they want to know where you came from, that page can ask your browser to submit this stored information to an aggregation service. So the 3 URLs which Firefox logged you visiting will be submitted with visit counts to an aggregator, which adds those counts to the tally it has already built up from other submissions. Finally, the aggregator will submit a report to the advertiser of the tallies it has logged so far, perhaps daily or weekly. At that point the advertiser can see that, for example, of the maybe 100 people who landed on their product page, perhaps 30 came from 1 website, 40 from another, 25 from another, and only 5 from another. They can't see the exact websites which you personally visited, but knowing that 26 of the 30 websites in their network aren't generating any customers at all, and that 75% of all customers are coming from just 3 of those websites, is useful aggregate information, and it can be set against the advertiser's own records of ad spend on each website to decide which of those sites are worth spending more money on.

Put simply, the PPA API, which Firefox enables by default in version 128, could in fact be the answer we need to end cross-site tracking by advertisers, and individual profiling. If more browsers implement this mechanism and the last remaining use for cookies disappears, then maybe we'll finally see browsers ditching their cookie mechanisms completely, and we can do away with those frustrating cookie opt-in prompts for good.

Maybe, just maybe, we'll find an acceptable balance where websites can offer free content in return for ad-based monetisation, and advertisers can track the success of their advertising strategy, without everybody having to be a victim of cross-site tracking and consumer profiling.

If you still don't like that Firefox has enabled this new mechanism by default, disabling it is easy.

On desktop: Click the hamburger menu in the top right, head to Settings -> Website Advertising Preferences, and simply untick the new "Allow websites to perform privacy-preserving ad measurement" option.

On Android: Navigate to chrome://geckoview/content/config.xhtml, enter aboutConfig.enabled in the search box at the top, and toggle this setting to true. Next, navigate to about:config (which is only possible after that first step), search for dom.private-attribution.submission.enabled and toggle this setting to false.

On iOS: Apple devices only allow the Safari rendering engine, so although Firefox exists on iOS, it's actually just the Mozilla UI wrapped around the Safari renderer and, as far as we're aware, doesn't currently implement the PPA API or any mechanism for disabling it. I'll update this blog post if I become aware of this changing.


Ric

Ric is a senior web and game programmer with nearly 30 years of industry experience and countless programming languages in his skillset. He's worked for and with a number of design and development agencies, and is the proprietor of QWeb Ltd. Ric is also a Linux server technician and an advocate of free, open-source technologies. He can be found on Mastodon, where he often posts about the projects he's working on both for and outside of QWeb Ltd, or you can follow and support his indie game project on Ko-fi. Ric also maintains our GitHub page of useful scripts.

Blog posts are written by individuals and do not necessarily depict the opinions or beliefs of QWeb Ltd or its current employees. Any information provided here might be biased or subjective, and might become out of date.
