Firefox Suggest is a new feature that displays direct links to content on the web based on what users type into the Firefox address bar. Some of the content that appears in these suggestions is provided by partners, and some of the content is sponsored.
In building Firefox Suggest, we have followed our long-standing Lean Data Practices and Data Privacy Principles. Practically, this means that we take care to limit what we collect, and to limit what we pass on to our partners. The behavior of the feature is straightforward: suggestions are shown as you type, and are directly relevant to what you type.
We take the security of the datasets needed to provide this feature very seriously. We pursue multi-layered security controls and practices, and strive to make as much of our work as possible publicly verifiable.
In this post, we wanted to give more detail about what data is needed to provide this feature, and about how we handle it.
Changes with Firefox Suggest
The address bar experience in Firefox has long been a blend of results provided by partners (such as the user’s default search provider) and information local to the client (such as recently visited pages). For the first time, Firefox Suggest augments these data sources with search completions from Mozilla.
In its current form, Firefox Suggest compares searches against a list of allowed terms that is local to the client. When the search text matches a term on the allowed list, a completion suggestion may be shown alongside the local and default search engine suggestions.
Data Collected by Mozilla
Mozilla collects the following information to power Firefox Suggest when users have opted in to contextual suggestions.
- Search queries and suggest impressions: Firefox Suggest sends Mozilla search terms and information about engagement with Firefox Suggest, some of which may be shared with partners to provide and improve the suggested content.
- Clicks on suggestions: When a user clicks on a suggestion, Mozilla receives notice that suggested links were clicked.
- Location: Mozilla collects city-level location data along with searches, in order to properly serve location-sensitive queries.
How Data is Handled and Shared
Mozilla approaches handling this data conservatively. We take care to remove data from our systems as soon as it’s no longer needed. When passing data on to our partners, we are careful to only provide the partner with the minimum information required to serve the feature.
A specific example of this principle in action is the search’s location. The location of a search is derived from the Firefox client’s IP address. However, the IP address can identify a person far more precisely than is necessary for our purposes. We therefore convert the IP address to a more general location immediately after we receive it, and we remove the IP address from all datasets and reports downstream. Access to machines and (temporary, short-lived) datasets that might include the IP address is highly restricted, and limited only to a small number of administrators. We don’t enable or allow analysis on data that includes IP addresses.
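The handling described above, sketched as an added example (it is not Mozilla's code): the IP address is resolved to a city on receipt, the downstream record is built from an allowlist so the address cannot carry through, and a boundary check rejects any record that still holds one. The field names, the function names and the prefix-to-city table are assumptions constructed for illustration.

```python
import ipaddress

# Constructed prefix-to-city table standing in for a GeoIP database
# (documentation address ranges only).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "Toronto"),
    (ipaddress.ip_network("198.51.100.0/24"), "Berlin"),
    (ipaddress.ip_network("2001:db8::/32"), "Lisbon"),
]
# Hypothetical field names; the only fields allowed to reach downstream data.
ALLOWED_FIELDS = ("query", "suggestion_clicked")


def city_for(ip_text):
    """City of the longest matching prefix, or None when nothing matches."""
    addr = ipaddress.ip_address(ip_text)
    hits = [(net.prefixlen, city) for net, city in GEO_TABLE
            if net.version == addr.version and addr in net]
    return max(hits)[1] if hits else None


def minimize(raw):
    """Build the downstream record from an allowlist, so the IP and any
    header that repeats it are dropped by construction."""
    record = {k: raw[k] for k in ALLOWED_FIELDS if k in raw}
    record["city"] = city_for(raw["client_ip"])
    return record


def has_ip(value):
    """True if any whitespace- or comma-separated token parses as an IP."""
    for token in str(value).replace(",", " ").split():
        try:
            ipaddress.ip_address(token)
            return True
        except ValueError:
            continue
    return False


def publish(record, sink):
    """Boundary check before a dataset or report: reject unexpected fields
    and IP literals anywhere except the user's own free-text query."""
    for key, value in record.items():
        if key not in ALLOWED_FIELDS + ("city",):
            raise ValueError(f"unexpected field: {key}")
        if key != "query" and has_ip(value):
            raise ValueError(f"IP address in field: {key}")
    sink.append(record)
```

Copying allowed fields, rather than deleting known-sensitive ones, means a newly added header that repeats the address is excluded without anyone having to remember it.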
We’re excited to be bringing Firefox Suggest to you. See the product announcement to learn more!