Privacy-Preserving Attribution technology by Mozilla

In the wake of Google and Facebook, Mozilla has introduced its own technology for replacing third-party cookies: let’s take a look at how privacy-preserving attribution works.

Privacy-Preserving Attribution by Mozilla: what is it and what’s it for?

In July 2024, with the latest version of its Firefox browser, Mozilla introduced a technology called Privacy-Preserving Attribution (PPA) — designed to track how effective online advertising is. The feature is enabled by default in Firefox 128.

This has already caught the eye of online privacy advocates, and led to headlines like “Now Mozilla too is selling user data”. The clamor got so loud that Firefox CTO, Bobby Holley, had to take to Reddit to explain to users what Mozilla actually did and why.

Now’s the time to take a closer look at what PPA is, why it’s needed in the first place, and why it’s appeared now.

Google Ad Topics and Facebook Link History

First, a bit of backstory. As you may recall, way back in 2019 the developers of the world’s most popular browser — Google Chrome — began hatching plans to completely disable support for third-party cookies.

These tiny files have been tracking user actions online for 30 years now. The technology is both the backbone of the online advertising industry, and the chief means of violating users’ privacy.

Some time ago, as a replacement, Google unveiled an in-house development called Ad Topics. With this technology, tracking is based on users’ Chrome browser history, and interaction history with Android apps. The rollout of Ad Topics was expected to be followed by the phasing out of support for third-party cookies in Chrome in H2 2024.

Another major digital advertising player to develop its own user-tracking technology is Meta, which likewise relies on third-party cookies. Called Link History, it makes sure that all external links in the Facebook mobile apps now get opened in its built-in browser — where the company can still snoop on your actions.

The bottom line is that ending support for third-party cookies hands even more control over to Google and Meta — owner of the world’s most popular browser and mobile OS, and of the world’s most popular social network, respectively — while smaller players will become even more dependent on them.

At the same time, user data continues to be collected on an industrial scale, and primarily by the usual suspects when it comes to claims of privacy violation: yes, Google and Facebook.

The question arises: is it not possible to develop some mechanism to allow advertisers to track the effectiveness of advertising without mass collection of user data? The answer comes in the shape of Privacy-Preserving Attribution.

Meet Prio, a privacy-preserving aggregation system

To better understand the history of this technology, we have to go back a bit in time — to 2017, when cryptographers Henry Corrigan-Gibbs and Dan Boneh of Stanford University presented a research paper. In it, they described a privacy-oriented system for collecting aggregated statistics, which they called Prio.

To greatly simplify matters, Prio is based on the following mechanism. Let’s say you’re interested in the average age of a certain number of users, but you want to preserve their privacy. You set up two (or more) piggy banks and ask each user to count out the number of coins corresponding to their age and, without showing them to anyone, randomly drop the coins into different money boxes.

Then you tip the coins out of the piggy banks into a pile, count them and divide by the number of users. The result is what you wanted: the average age of the users. And if at least one of the piggy banks keeps its secret (i.e., doesn’t tell anyone what went into it), then it’s impossible to determine how many coins any one user put into the boxes.

Prio's operating principle

Prio’s main stages of information processing. Source

Prio overlays this basic mechanism with a lot of cryptography to protect information from interception and ensure the validity of data received. There’s no way for users to slip answers into the system, for whatever reason, that could distort the results. The main concept lies in the use of two or more aggregators that collect random shares of the sought information.

Prio’s algorithms have another key feature: they greatly improve system performance compared to previous methods of reliable anonymized data collection — by 50–100 times, say the researchers.

Distributed Aggregation Protocol

Mozilla got interested in Prio back in 2018. The first fruit of this interest was its development of the experimental system Firefox Origin Telemetry — based on Prio. Notably, this system was designed to privately gather telemetry on the browser’s ability to combat ad trackers.

Then, in February 2022, Mozilla unveiled Interoperable Private Attribution (IPA) technology, developed jointly with Meta, which, it seems, served as the prototype to PPA.

May 2022 saw the publication of a zero draft of the Prio-based Distributed Aggregation Protocol (DAP). The draft was authored by representatives of Mozilla and the Internet Security Research Group (ISRG) — a non-profit known for the Let’s Encrypt project to democratize the use of HTTPS — as well as two Cloudflare employees.

While working on the protocol, ISRG was also building a DAP-based system for collecting anonymized statistics, known as Divvi Up. This system is primarily intended to collect various technical telemetry to improve website performance, such as page load-time.

DAP operating principle

Schematic of the basic operating principle of the DAP protocol. Source

Finally, in October 2023, Divvi Up and Mozilla announced a collaboration to implement DAP in the Firefox browser. As part of this joint effort, a system of two aggregators was created — one of which operates on the Mozilla side, the other on the Divvi Up side.

How PPA works

It’s this Divvi Up/Mozilla system that’s currently being deployed with PPA technology. So far, it’s just an experiment involving a limited number of sites.

In general outline, it works as follows:

  • The website asks the browser to remember instances of successful ad views.
  • If the user performs some action that the site considers useful (for example, buys a product), the site queries the browser to find out if the user saw the ad.
  • The browser doesn’t tell the site anything, but sends information through the DAP protocol to the aggregation servers.
  • All such reports are accumulated in aggregators, and the site periodically receives a summary.

As a result, the site learns that out of X number of users who saw a certain ad, Y number of users performed actions deemed useful for the site. But neither the site nor the aggregation system knows anything about who these users were, what else they did online, etc.

Why we need PPA

In the above-mentioned statement on Reddit, Firefox’s CTO explained what Mozilla was aiming for by introducing PPA along with the new version of its browser.

The company’s reasoning is roughly the following. Online advertising, at least at this stage of the internet’s development, is a necessary evil. And it’s understandable that advertisers want to be able to measure its effectiveness. But the tools currently used for this disregard user privacy.

Meanwhile, any talk about how to somehow restrict advertisers’ tracking of users’ actions is met with protests from the former. No data collection, they argue, means they’re deprived of a tool for assessing online advertising.

Basically, PPA is an experimental tool that allows advertisers to get the feedback they need without collecting and storing data on what users did.

If the experiment shows the technology can satisfy advertisers’ needs, it will give privacy advocates a weighty argument in future dealings with regulators and lawmakers. Broadly speaking, it will prove that total online surveillance is unnecessary, and should be limited by law.

Block third-party cookies now

As it happens, almost immediately after the uproar surrounding Mozilla’s new rollout, Google announced a complete reversal of its plans to disable third-party cookies. Getting rid of stale technology can be harder than it might seem — as Microsoft found out when trying to bury Internet Explorer.

The good news is that, unlike Internet Explorer, which is indeed hard to weed out of Windows, third-party cookies are something that users can handle on their own. All modern browsers make it easy to block them — see our guide for full details.

Bear in mind that Google’s refusal to get rid of cookies doesn’t spell the end of Ad Topics — the company intends to continue the experiment. So we recommend disabling this feature too, and here’s how to do it in Chrome and Android.

And if you use the Facebook mobile app, it’s worth turning off Link History. Again, our guide explains how.

Also, you can and should make use of the Private Browsing feature in our Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscription plans to block ad trackers (by no means all of which use cookies).

Lastly, we recommend using our free Privacy Checker service, where you can find instructions on setting up privacy for the most common applications, services and social networks for different operating systems.

As for PPA, the technology looks pretty useful. If you think otherwise, here are simple instructions to disable it in Firefox. As for me, I prefer to support the development of this technology, so will continue to use it in my browser.

Tips