Putting Our Data Privacy Principles Into Action

In November, we told you about Mozilla’s updated Data Privacy Principles, which inform how we build products, manage user data, and select and interact with partners. Today, Mozilla’s Content Services team is announcing its latest innovation in Web advertising – Suggested Tiles. This product demonstrates how we put those principles into action.

Suggested Tiles promotes specific content on our new tab page – this may be Mozilla content (such as our campaigns on policy issues), publisher content, or advertising. Relevance of the content to the user is based on the user’s interests. We define interest categories as a set of URLs that are related to the category. When one of those URLs appears in the user’s list of most frequently visited sites, we show the content. You can read more about this at our Advancing Content blog.

With Suggested Tiles, we’ve worked hard to deliver relevant content and advertisements to our users while respecting their privacy. We’ve pushed the logic down to the Firefox Browser, so we don’t collect information about our users to decide which advertisement to show. We provide easy-to-understand controls that allow users to turn off Suggested Tiles. And when the user does see or click an advertisement on the new tab page, we limit what data we collect about how the user interacts with the product.

The data could still allow us to learn something about the user’s history that we did not know before. To address this, we’ve taken a number of additional steps.

First, we put a system of rules in place to limit what Mozilla or our partners can infer about our users based on Tiles data. Each interest category must have a minimum of 5 URLs. We will attempt to construct interest categories such that no single URL is significantly more likely to appear in a user’s browsing history than any other URL in the category. Suggested Tiles also cannot be triggered based on combinations of URLs in the interest category. These rules allow us to balance privacy against contextual relevance, ensuring we can deliver useful content while obscuring the user’s browsing behavior.

Second, we’ve created a process to limit any conflicts of interest when we choose what URLs to include in a category. While our Tiles partners can suggest URLs to include, it’s the Content Services team that actually defines the interest categories. We’ve designated a separate role on the team, held by someone who isn’t involved in creating the interest categories, to approve the final categories. We will also make our interest categories publicly available, specifying the label of the bucket and the collection of URLs specified against it. You can currently see the interest categories we’ve created in our source code here.

And third, we’ve established several other safeguards. We discard IP addresses within 7 days of collection and collect no other unique IDs associated with Tiles. As we scale, we are only including one Suggested Tile per new tab page, which prevents impression data from providing a more complete portrait of the user’s history. And we only share reports containing aggregate impression and click data – number of impressions, clicks, etc. – with partners. No individual data will be provided to our advertising clients.
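The rules above (matching done in the browser, at least 5 URLs per category, any single URL as the trigger, one Suggested Tile per page) can be sketched as follows. This is an added illustration, not Firefox code: the function names, data shapes, report fields and `.example` hosts are all assumptions.

```javascript
// Added illustration; names, data shapes and hosts are assumptions, not Firefox code.
const MIN_URLS_PER_CATEGORY = 5; // minimum stated in the post

// Constructed sample tiles. "tile-thin" breaks the 5-URL rule on purpose.
const TILES = [
  { id: "tile-auto", category: { label: "autos", urls: [
    "cars.example", "reviews.cars.example", "trucks.example",
    "autoparts.example", "roadtests.example"] } },
  { id: "tile-thin", category: { label: "thin", urls: [
    "only.thin.example", "ONLY.thin.example"] } },
];

// Distinct, case-normalized URLs, so duplicates cannot pad a small category.
function distinctUrls(category) {
  return new Set(category.urls.map((u) => u.toLowerCase()));
}

function isValidCategory(category) {
  return distinctUrls(category).size >= MIN_URLS_PER_CATEGORY;
}

// Runs in the browser: the frequently visited list is only read locally.
// Any ONE category URL is enough; combinations of URLs never act as a trigger.
// Returning on the first hit yields at most one Suggested Tile per page.
function pickSuggestedTile(tiles, topSites) {
  const visited = new Set(topSites.map((u) => u.toLowerCase()));
  for (const tile of tiles) {
    if (!isValidCategory(tile.category)) continue; // too small to hide the match
    for (const url of distinctUrls(tile.category)) {
      if (visited.has(url)) return tile;
    }
  }
  return null;
}

// Assumed report shape: it names the tile, never the URL that matched.
function impressionReport(tile) {
  return { tileId: tile.id, action: "view" };
}

// What a recipient of that report can infer: one of these sites was visited,
// but not which one.
function candidateSites(tile) {
  return [...distinctUrls(tile.category)];
}
```

With the sample data, an impression of `tile-auto` leaves five candidate sites, while `tile-thin` is never shown because an impression would identify its single distinct URL.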

We put Mozilla’s five data privacy principles to work in Suggested Tiles. As we continue to innovate in this space, finding new ways to deliver relevant content, we will continue to put users at the center of our decisions by limiting what data we collect, providing transparency and user control, and using security practices that earn the trust of our users.