Mozilla’s user research, and research conducted by universities and independent experts, consistently shows that most people who use the web do not approve of many of the ways in which their personal data is collected and shared for targeted advertising. In fact, people consider some practices to be invasive, creepy, and even scary. User tracking can also create real harm, including enabling divisive political advertising and affecting health coverage decisions. To help make the web more trustworthy for our users, Firefox is developing, testing, and deploying new privacy features to protect them.
As a leader of Firefox’s product management team, I am often asked how Mozilla decides on which privacy features we will build and launch in Firefox. Since transparency is fundamental to our way of doing business, I’d like to tell you about some key aspects of our process, using our recent Enhanced Tracking Protection functionality as an example.
Mozilla is a mission-driven organization whose flagship product, Firefox, is meant to espouse the principles of our manifesto: “A Pledge for a Healthy Internet.” Firefox is our expression of what it means to have someone on your side when you’re online. We believe in standing up for consumers’ rights while pushing the web forward as a platform that is open and accessible to all. As such, there are a number of careful considerations we must weigh as part of our product development process in order to decide which features or functionality make it into the product, particularly as it relates to user privacy.
A focus on people and the health of the web
Foremost, we focus on people. They motivate us. They are the reason that Mozilla exists and how we have leverage in the industry to shape the future of the web. Through a variety of methods (surveys, in-product studies, A/B testing, qualitative user interviews, formative research) we try to better understand the unmet needs of the people who use Firefox.
Another consideration we weigh is how changes we make in Firefox will affect the health of the web, longer term. Are we shifting incentives for websites in a positive or negative direction? What will the impact of these shifts be on people who rely on the internet in the short term? In the long run? In many ways, before deciding to include a privacy feature in Firefox, we need to apply basic game theory to play out the potential outcomes and changes ecosystem participants are likely to make in response, including developers, publishers and advertisers. The reality is that the answer isn’t always clear-cut.
Balancing the pros and cons
Recently we announced a change to our anti-tracking approach in Firefox in response to what we saw as shifting market conditions and an increase in user demand for more privacy protections. As an example of that demand, look no further than our Firefox Public Data Report and the rise in users manually enabling our original Tracking Protection feature to be Always On (by default, Tracking Protection is only enabled in Private Browsing):
The optimal outcomes are clear. People should not be tracked across websites by default and they shouldn’t be subjected to abusive practices or detrimental impacts to their online experience in the name of tracking. However, the challenge with many privacy features is that there are often trade-offs between stronger protections and negative impacts to user experience. Historically this trade-off has been handled by giving users privacy options that they can optionally enable. We know from our research that people want these protections but they don’t understand the threats or protection options enough to turn them on.
We have run multiple studies to better understand these trade-offs as they relate to tracking. In particular, since we introduced the original Tracking Protection in Firefox’s Private Browsing mode in 2015, many people have wondered why we don’t just enable the feature in all modes. The reality is that Firefox’s original Tracking Protection functionality can cause websites to break, which confuses users. Here is a quick sample of the website breakage bugs that have been filed:
In addition, because the feature blocks everything, including ads, from any domain that is also used for tracking, it can have a significant negative impact on small websites and content creators who depend on third-party advertising tools/networks. Because small site owners cannot change how these third-party tools operate in order to adhere to Disconnect s policy to be removed from the tracker list, the revenue impact may hurt content creation and accessibility in the medium to long-term, which is not our intent.
Finding the right tradeoffs
The outcome of these studies caused us to seek new solutions which could be applied by default outside of Private Browsing without detrimental impacts to user experience and without blocking most ads. This is exactly what Enhanced Tracking Protection, being introduced in Firefox 63, is meant to help with. With this feature, you can block cookies and storage access from third-party trackers:
The feature more surgically targets the problem of cross-site tracking without the breakage and wide-scale ad blocking which occurred with our initial Tracking Protection implementation. It does this by preventing known trackers from setting third-party cookies — the primary method of tracking across sites. Certainly consumers will still be able to decide to block all known trackers under Firefox Options/Preferences if they so choose (note that this may prevent some websites from loading properly, as described above):
Sometimes plans change. So we test
As part of our announcements that ultimately led to Enhanced Tracking Protection, we described how we planned to block trackers that cause long page load times. We’re continuing to hone the approach and experience before deciding to roll out this performance feature out to Firefox users. Why? There are a number of reasons: The initial feature design was similar in nature to the original Tracking Protection functionality (including ad blocking). But blocking only occurred after a few seconds of page load. In our testing, there was a high degree of variability as to when various third-party domains would be blocked (even within the same site). This could be confusing for users since they would see blocking happen inconsistently.
A secondary motivation to block trackers and ads on slow page loads was to encourage websites to speed up how quickly content loads. With the tested design, a number of factors such as the network speed played a part in determining whether or not blocking of trackers and ads would occur on a given site. However, because factors like network speed aren’t in the control of the website, it would pose a challenge for many sites, even if they did their best at speeding up content load. We felt this provided the wrong incentive. It could cause sites to prioritize loading ads over content to avoid the ads from being blocked, a worse outcome from a user perspective. As a result, we are exploring some alternative options targeted at the same outcome, much faster page loads.
Open, transparent roadmaps
We work in the open. We do it because our community is important to us. We do it because open dialog is important to us. We do it because deciding on the future of the web we all have come to rely upon should be a transparent process — one that inherently invites participation. You can expect that we will continue to operate in this manner, being upfront and public about our intent and testing efforts. We encourage you to test your own site with our new features, and let us know about any problems by clicking “Report a Problem” in the Content Blocking section of the Control Center.
I hope this glimpse into our decision-making process around Enhanced Tracking Protection reaffirms that Mozilla stands for a healthy web — one that upholds the right to privacy as fundamental.
About the Author
Peter Dolanjski is the product lead for Firefox on Windows, Mac, and Linux. Along with a team of like-minded internet advocates and a vibrant open source community, he fights for the fundamental right to online privacy through innovative browser features and meaningful privacy defaults.