Firefox 128 enables "privacy-preserving" ad measurements by default

What Firefox 128 changed

  • New “privacy‑preserving ad measurement” is enabled by default under:
    Tools → Settings → Privacy & Security → Website Advertising Preferences → “Allow websites to perform privacy‑preserving ad measurement”.
  • Similar functionality has existed in Safari for years and is also on by default there.
  • Purpose: measure which ad impressions lead to conversions without exposing individual user identities.

Technical design and comparisons

  • Uses an aggregation service based on the IETF Privacy Preserving Measurement (PPM) working group’s Distributed Aggregation Protocol (DAP); initial aggregators are Mozilla and ISRG (Let’s Encrypt’s parent).
  • Idea: each aggregator sees only partial, encrypted data; only combined aggregates are revealed.
  • Supporters emphasize that data is stored in the browser, aggregated with differential‑privacy‑style techniques, and is less invasive than current ad-tech practices.
  • Distinct from Google’s FLoC/Topics or Protected Audience APIs, though all live in the “post‑3rd‑party‑cookie” space.

User control, defaults, and discoverability

  • Major controversy: it is opt‑out, not opt‑in, and many users discovered it only via online discussion.
  • Some note the update page mentioned it; others have that page disabled.
  • On mobile Firefox, there’s no obvious GUI toggle; it must be disabled via about:config (e.g., dom.private-attribution.submission.enabled), which some see as “hidden”.

Privacy, trust, and GDPR‑style concerns

  • Critics argue:
    • Any added measurement is strictly worse than not implementing it.
    • The browser is now acting on behalf of advertisers, not users.
    • Defaults matter; enabling this despite strict privacy settings and “no studies” is seen as disregarding user intent and possibly conflicting with GDPR principles (consent, purpose limitation, privacy by default).
    • Aggregators or data brokers could collude or game the system to re‑identify users.
  • Defenders argue:
    • If you don’t trust Mozilla at all, you shouldn’t use Firefox.
    • A controlled, open‑source, privacy‑preserving mechanism is better than opaque tracking methods (fingerprinting, PII‑based IDs).

Debate over ads and web economics

  • One camp: ads and tracking are economically entrenched; better to channel them into less‑harmful, privacy‑preserving paths.
  • Another camp: ad‑funded “free” web is inherently toxic; everyone should use blockers, let ad‑supported sites collapse or adapt, and favor paid/donation‑based or hobbyist content.
  • Disagreement over whether “the web needs to make money”, and if so, whether advertising is necessary or desirable.

Alternatives and reactions

  • Some users immediately disable the feature, use ESR with policies.json, or consider switching to Firefox forks (LibreWolf, Mull, Floorp, etc.) or to non‑Firefox browsers (Brave, Vivaldi, Orion, Chromium variants).
  • A few accept the feature, seeing it as a pragmatic compromise if it enables stronger anti‑tracking elsewhere.

Open questions

  • Who exactly will get access to the aggregated data and under what terms is unclear from the discussion.
  • How robust the crypto and aggregation are against adversarial misuse (e.g., targeted IDs plus fake traffic) is questioned but not resolved.