Mozilla’s new Do Not Track dashboard: Firefox users continue to seek out and enable DNT

Alex Fowler

Mozilla is pleased to release a new interactive metrics page reporting monthly data on user adoption of Do Not Track (DNT) within Firefox. We’re making this data public both because it’s part of our mission and because we know there’s strong interest in the topic.

Currently, DNT adoption in the U.S. Firefox user base is approximately 17 percent. Globally, the average is around 11 percent. Based on these percentages, we estimate that our users send more than 135 million DNT signals every day — more than four trillion DNT signals every month.

The new page has interactive graphs that show the overall adoption curve for Firefox (desktop) and Firefox for Android (mobile), as well as two maps to provide a view into regional differences of adoption around the world.

Note that no Firefox user is tracked to generate data for these metrics. Every 24 hours, both Firefox and Firefox for Android automatically download the latest list of insecure add-ons and/or extensions to disable as part of our blocklist service. As a DNT signal is included in all requests made by the browser of a user who has turned DNT on, we can count the number of times we see the signal. No other information is logged on our servers. Anyone with a website and access to a web server can start counting how many users are sending DNT:1, which is how the signal is expressed via HTTP requests.

Data, Apps and Developers

Jishnu Menon

As Mozilla launches Firefox OS and the Firefox Marketplace, we’ve been focused on improving privacy through empowering app developers and users to improve transparency, choice and control, including implementing a tiered permissions model as well as tips for designing apps with privacy in mind. Over the next year, we’ll be rolling out more features and resources designed to make data practices more transparent for users and easier to indicate for developers.

Simultaneous to our own efforts, others have been innovating in the same space to try and push data transparency forward on mobile devices. We’re supportive of projects like these because they help drive the conversation forward and help to make privacy better across services and marketplaces:

Solutions that empower both developers and consumers are a critical part of making privacy better for users and the web and Mozilla looks forward to continuing our contributions to the growing number of initiatives around this issue.

Firefox getting smarter about third-party cookies

Alex Fowler

Mozilla has a long running interest in fostering greater transparency, trust and accountability related to privacy and the many cookie-based practices we see today.

On Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. The patch also provides an additional control setting under the “Privacy” tab in Firefox’s Preferences menu (see image).

Many years of observing Safari’s approach to third party cookies, a rapidly expanding number of third party companies using cookies to track users, and strong user support for more control is driving our decision to move forward with this patch.

We have a responsibility to advance features and controls that bring users’ expectations in line with how the web functions for them. As our General Counsel, Harvey Anderson, wrote a few weeks ago in a post about Mozilla’s recognition as the Most Trusted Internet Company for Privacy in 2012:

We all have to continue our efforts — both big and small — to create a more trustworthy environment of online products that seamlessly integrate ease of use, transparency, and user choice.

In my own use of this release this morning, I followed one of my typical browsing paths, starting with a look at surfing conditions, then local news, a major national news site, and a popular site covering the tech industry. (Incidentally, all the great coverage of our launch of Firefox OS at Mobile World Congress is really exciting!)

Here’s how the new patch changed the extent to which I was tracked:

| Current Default: Allow All Cookies | Proposed New Default: Allow Cookies Only From Visited Domains |
| --- | --- |
| 4 web sites used 8 first party domains | 4 web sites used 8 first party domains |
| 81 cookies from first party domains | 75 cookies from first party domains |
| 117 third party domains | 0 third party domains |
| 304 cookies from third party domains | 0 cookies from third party domains |
| Total: 385 first & third party cookies | Total: 75 first party cookies |


I cleared all my cookies before visiting these sites and then re-performed this process several times, as I wanted to verify that in fact four sites did lead to over 300 cookies from more than 100 companies I had not visited. Display ads and sharing widgets on the sites worked fine, and as I clicked on them, the various parties involved were able to set cookies. The privacy policies on all four sites cover their cookie practices, including from third parties. Interestingly, they all pointed me to using settings in my browser to control the behavior of these cookies on their sites.

Mozilla is passionate about putting its users first and moving the web forward. That mission requires taking a leadership role on privacy, which we have repeatedly done (e.g., Do Not Track, Social API, Secure Search, Persona and Collusion).

Mozilla’s users frequently express concerns about web tracking, and we’ve been listening. We are constantly challenging ourselves to deliver a browser that conforms to user expectations while facilitating online innovation. We regularly review community and partner input, web standards, extensions, practices by other browsers, and much more. The new third party cookie patch in Firefox is just another example of those efforts.

The new default is currently only in this very early developer build of Firefox as it goes through Mozilla’s usual vetting process. As with other features we deploy, it will be several months of evaluating technical input from our users and the community before the new policy enters our Beta and General release versions of Firefox. The policy for how our current versions of Firefox handle cookies can be found here and here.

Mozilla loves to hear from our users about how it can make Firefox even better. We encourage all those interested to provide feedback via the discussion group.
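The difference between the two defaults in the table above can be replayed on a small model. This is an added example, not Mozilla's patch: the session is constructed, "visited" is modelled as "loaded as the top-level page", and sites are compared by their last two host labels (a simplification; real browsers use the Public Suffix List).

```javascript
// Added example: compare "allow-all" with "visited-only" third-party cookie handling.
// SESSION is a constructed browsing trace, not measured data.
const SESSION = [
  { type: "navigate", host: "www.news.example" },
  { type: "set-cookie", host: "www.news.example", name: "session" },
  { type: "set-cookie", host: "cdn.news.example", name: "prefs" },
  { type: "set-cookie", host: "ads.tracker.example", name: "uid" },
  { type: "set-cookie", host: "px.metrics.example", name: "id" },
  { type: "set-cookie", host: "widgets.social.example", name: "w" },
  // The user clicks the sharing widget and lands on the social site itself.
  { type: "navigate", host: "www.social.example" },
  { type: "set-cookie", host: "www.social.example", name: "login" },
  // Back on the news site: the social widget is now from a visited site.
  { type: "navigate", host: "www.news.example" },
  { type: "set-cookie", host: "widgets.social.example", name: "w2" },
  { type: "set-cookie", host: "ads.tracker.example", name: "uid2" },
];

// Simplified "site" of a host: its last two labels (assumption, see lead-in).
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Replay the events under a policy and count what the cookie jar would accept.
function simulate(policy, events) {
  const visited = new Set(); // sites the user has loaded as a top-level page
  const thirdPartySites = new Set();
  let topLevel = null;
  let firstParty = 0, thirdParty = 0, blocked = 0;

  for (const ev of events) {
    const s = site(ev.host);
    if (ev.type === "navigate") {
      topLevel = s;
      visited.add(s);
      continue;
    }
    if (s === topLevel) { // same site as the page in the address bar
      firstParty += 1;
      continue;
    }
    const allowed = policy === "allow-all" ||
      (policy === "visited-only" && visited.has(s));
    if (allowed) {
      thirdParty += 1;
      thirdPartySites.add(s);
    } else {
      blocked += 1;
    }
  }
  return { firstParty, thirdParty, blocked,
           thirdPartySites: [...thirdPartySites].sort() };
}

console.log(simulate("allow-all", SESSION));
console.log(simulate("visited-only", SESSION));
```

Under the visited-only policy the social widget's cookie is refused on the first page load and accepted only after the user has gone to that site directly, which matches the behaviour described for clicked ads and sharing widgets.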

Cyber-security heating up on both sides of the Atlantic


In the US, another version of CISPA was reintroduced yesterday in the House of Representatives. The White House has also issued an executive order on the same topic. Similarly in Europe, the European Commission recently published two documents which articulate a strategy for cybersecurity – Cybersecurity Strategy of the European Union and the Proposed Directive on Network and Information Security. Info sharing programs to improve Internet security may be one of the most important global technology policy issues this year. We’re currently looking at these proposals to develop a view and understand if and how they may impact the Mozilla mission. If you would like to contribute to this effort, we welcome your participation.

On this side of the Atlantic, an editorial by CISPA bill author Rep. Dutch Ruppersberger articulates the rationale for the new CISPA bill. He likens it to a “911 line for cyber emergencies” so companies can call in threats and share supporting information when or before they occur.

The CISPA bill was problematic the first time it was introduced and later dropped last year, not because of the general goal to make critical infrastructure more secure, which is laudable, but because it compromised user privacy expectations. The new bill, among other provisions, provides for two way sharing of information from the government to commercial organizations and from commercial entities to the government to better defend against cyber-security attacks.

It seems the current bill has the same defects as last time as detailed by Mark Jaycox at EFF and Leslie Harris at Center for Democracy and Technology. Both organizations oppose the new bill because it overwrites existing privacy laws and fosters non-transparent sharing of personal user information with US government agencies without controls. To encourage and facilitate this kind of sharing, it also provides civil immunity to private companies for such sharing. Citing recent attacks on The New York Times, The Wall Street Journal and the Federal Reserve, other organizations like CTIA, Verizon, and AT&T support the new CISPA bill. Civil advocates appear to support the White House executive order.

With the accumulation of digital user data and preferences held by service providers and the reality that increased cyber-attacks also jeopardize user privacy, it seems that the tensions between national security and human rights/civil liberties will again be tested. It’s also unclear that this kind of sharing will really make a difference, so it seems the technical community needs to weigh in further. My hope is that there’s a reasonable balance that doesn’t cost users too much in the way of privacy to achieve the stated security goals.

“do track or do not track?” — that is the question

Sid Stamm


For a while now, we’ve been talking about how the Do Not Track feature really has three states: “user says nothing”, “user says track”, and “user says don’t track”. In Firefox 4, we introduced two of these states with a checkbox (“user says nothing” and “user says don’t track”), and many people are voicing their desire to opt-out.

[Image: three-state DNT UI]

Of course, it’s reasonable to expect some people want the tracking to improve the quality of ads they see; after all, the goal of this feature is to help each individual say what they want, whether it’s pro-tracking or not.

I just finished updating the Firefox tracking preference interface to give people the ability to say, “this tracking thing is fine, bring on the custom content!” This change is still experimental, but within a day or so it will be available in our Nightly builds for testing. Take a look, let us know what you think.

Search Suggestions for Firefox for Android: Another example of Mozilla’s approach to Privacy by Design

Alex Fowler

With the latest release of Firefox for Android, we’ve added the ability to get search suggestions from Google before you even finish typing. With the small screen and even smaller keyboard on users’ phones, anything that makes it easier to discover and access sites is a huge improvement. The Awesome Bar already suggests bookmarks and recently visited sites. Now implementing Google’s search suggestions in Firefox for Android makes it that much easier to find sites users haven’t been to before.

Google can only make suggestions if it knows what you’re looking for. To do that, Firefox needs to send Google what you’re typing in the Awesome Bar as you type it. For many users, this makes sense. They know and trust Google and send completed search queries to Google anyway, so getting faster search suggestions is a welcome addition. 

The first time you start typing in the Awesome Bar on your Android device, Firefox asks you whether you want search suggestions from Google. This is enabled by a prompt right where you’d look for the feature, so you can decide which experience you prefer and what you want to share. Of course, if you change your mind, you can always change your settings.

We added some other features to make search suggestions privacy-sensitive. For one thing, Firefox doesn’t ask Google for search suggestions if it looks like you’re typing a URL, like if you start with “www” or include a “:” or “/”. This means that even with search suggestions on, Google only gets asked about things you might actually want to search for, not every site you want to visit. We also make sure to get search suggestions (and searches themselves) over a secure HTTPS connection, so nobody else can view what you’re looking for.

You can try out the latest version for Firefox for Android with search suggestions now by going to the Google Play store on your computer or Android device.
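The gating rules described in this post (opt-in prompt, URL-looking input, HTTPS only) can be traced keystroke by keystroke. This is an added example and not Firefox's code: the endpoint is a placeholder, the preference values "unset", "on" and "off" are assumed names, and the URL test is the heuristic exactly as the post words it.

```javascript
// Added example: which partial inputs would be sent to a suggestion provider.
const SUGGEST_ENDPOINT = "https://suggest.example/complete"; // placeholder endpoint

// Heuristic as worded in the post: starts with "www" or contains ":" or "/".
function looksLikeUrl(text) {
  const t = text.trim().toLowerCase();
  return t.startsWith("www") || t.includes(":") || t.includes("/");
}

// Return the request URL for this input, or null when nothing may be sent.
// pref is the user's answer to the first-use prompt: "unset", "on" or "off".
function suggestionRequest(text, pref, endpoint = SUGGEST_ENDPOINT) {
  if (!endpoint.startsWith("https://")) {
    throw new Error("suggestions must be fetched over HTTPS");
  }
  if (pref !== "on") return null;            // no answer yet, or declined
  if (text.trim() === "") return null;       // nothing typed
  if (looksLikeUrl(text)) return null;       // user is probably typing an address
  return endpoint + "?q=" + encodeURIComponent(text);
}

// Simulate typing finalText one character at a time and collect every
// prefix that would have produced a suggestion request.
function prefixesSent(finalText, pref) {
  const sent = [];
  for (let i = 1; i <= finalText.length; i++) {
    const prefix = finalText.slice(0, i);
    if (suggestionRequest(prefix, pref) !== null) sent.push(prefix);
  }
  return sent;
}

// Constructed inputs for illustration.
console.log(prefixesSent("surf report", "on"));          // every prefix is sent
console.log(prefixesSent("www.mozilla.org", "on"));      // only "w" and "ww"
console.log(prefixesSent("mozilla.org/privacy", "on"));  // up to "mozilla.org"
console.log(prefixesSent("surf report", "unset"));       // nothing before opt-in
```

In this model the prefixes typed before the "www", ":" or "/" marker appears are still sent, so a reviewer checking such a feature should look at per-keystroke requests, not only at the final input.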

Being social with privacy in mind

Tom Lowenthal

People really enjoy social features that help them connect with others. To offer these features, social networks often end up collecting lots of personal info, and their users don’t always understand the tradeoffs involved. We want to offer social features in Firefox, but user privacy is fundamental to Mozilla’s DNA: it’s not something we can sacrifice. Given that, we’ve set out to find a way to combine these two aspects and enable an experience that folks can enjoy, safely.

With our latest beta, we’ve started testing a new social API right inside Firefox. This API provides an open, Web-based infrastructure that allows users to connect Firefox with their favorite social networks, creating an experience that’s social, still feels like Firefox, and most importantly still respects our privacy principles. The first implementer of our new social API is Facebook, and we expect many more implementations in the coming months.

One of the social API’s key requirements is that data is only sent to a social network when the user wants to send it. The new social features are completely opt-in and are disabled until you visit a social network site and decide to turn things on. Once enabled, Firefox loads several pages from your social network over secure connections. These pages are treated just as if you’d loaded them in another browser tab. They share cookies and other data like normal but they don’t get any special treatment or additional data from Firefox, nor are any part of your social activities sent to Mozilla. Facebook, for example, will know that you’ve turned on the feature and loaded the pages, just as if you had visited pages on the main site.

There’s a slight difference however. With the new API, social content is now persistent so the social network can add new features, like notifications, status updates and chat requests, even when you don’t have a browser tab open to their website. This new functionality doesn’t give your social network access to any additional information from your browser. Again: it’s a lot like having a tab open to your social network.

One of our favorite privacy-supporting features in the social API is the recommend button. Many websites add buttons that let you share content with your friends on social networks. When a site does this, those social networks can track which of their users visit those web pages. If we add this functionality in Firefox instead, you can still interact with your social network and share pages, but without the opportunity for tracking by all those social networks. It also allows you to share pages even if that page doesn’t include social sharing widgets. The recommend button in the URL bar — for Facebook, it’s a Like button — only sends the page’s URL to your social network when you click on it.

The Social API lets networks create an experience distinctive to the way people interact with them, using their own design and features, and without sacrificing user control or privacy. This is only a first step; we’ll be continuing to look at more features that enable new functionality from social providers while improving users’ choice, control and privacy.

The next phase of the Collusion project

David Ascher

Last week, I had the privilege of hosting a great meeting focused on the next phase of the Collusion project. With generous support from the Ford Foundation, we’re tackling a significant next phase in Collusion’s evolution.

First, a bit of background.  Collusion started off as an experimental add-on for Firefox by Atul Varma, in his quest to understand how cookies and tracking actually worked on the web.  Since that initial version, Collusion has evolved into a popular and influential tool, and sparked a broader research effort.  With hundreds of thousands of users, it’s helped us teach a lot of people about the web. A Collusion presentation by Mozilla CEO Gary Kovacs is now one of the  50 most-watched TED talks of all time.  Collusion has also been forked, with ports to Chrome and Safari from

Like many Mozilla projects, Collusion’s  progress depends on contributions from staff, partners, and volunteers.  In this particular case, we have an interesting collection of people who will contribute in distinctive ways, from coding to visualization to infrastructure and metrics.  Also, like all Mozilla projects, this effort is open to participation by others, as I’ll mention in more detail below.

Over the next year or so, we agreed to dig in and take our research and the Collusion add-on forward in a few significant ways.

First, we realize that the user experience of Collusion needs refining and evolution.  The current add-on is most compelling in the context of a demo or a tutorial, and could include a good deal more storytelling and explaining than it does today. Second, the visualization of the connected graph that makes Collusion so compelling needs some tweaks, both in terms of scaling to larger graphs and presentation/visual design.

We also realize that the current add-on experience often surprises users with what they learn about third-party tracking on the web, but gives them little in the way of actionable next steps to take.  The point of Collusion isn’t to “freak people out,” but allow them to understand tracking, control how they’re being tracked, and lead to a better Internet experience for all.  We have yet to define the details of all those next steps, but some of them seem fairly clear.

Understanding that there are different kinds of uses of shared third-party HTTP requests (which is what Collusion tracks) is another important goal for our research. Some of them are fully in line with users’ desires and intents, and some are not.  We need to let users figure out which requests they want and which they’d rather avoid.

Critically, gaining a better understanding of how requests are used will help make Collusion useful for publishers as well as users.  Most publishers do have their visitors’ interests at  heart, and constantly optimize their sites to deliver a better experience.   Hopefully, Collusion will provide them with signals when their visitors don’t understand or appreciate the third-party services deployed.  Collusion could also provide useful market feedback to third parties and help them bridge the current divide with users, becoming more than silent parties to online experiences.

Much of this will start with letting users choose to contribute to a crowd-sourced data set about tracking on the web.  As with the test pilot project, we will build a system that lets Collusion users contribute to a rich data set about the web as experienced by everyday users, fostering a better understanding of today’s web by researchers, users, policymakers and industry.

I’m excited to be part of this effort, which could have meaningful impact on a broad set of actors — in part because we’ll be relying on input from a diverse set of perspectives, from designers and artists who will help us build further compelling visualizations of the data that we collect, to privacy researchers who will help us ask better questions of our data.

In the next few weeks, we’ll set up the “heartbeat” bits of the project — a weekly call, IRC channel, mailing lists, etc. If you’re interested in participating, check out the wiki page for details, or contact me directly.

Congratulations, Chrome Users

Alex Fowler

We’re glad to see that Google has taken the next step in their commitment to Do Not Track.

Now that all the major browsers have their DNT implementations well underway, it’s time for advertisers and publishers to do their part, including Google’s own ad folks. While some publishers like Twitter and the Associated Press respect users with DNT enabled, and many independent ad tech companies have done so, as well, there is not yet widespread support. Everyone will soon be able to express their tracking preference, so we eagerly look forward to the day when people can trust that their privacy choices will be honored as they browse the Web.

It’s also noteworthy that Google and Microsoft have decided to implement their own user interfaces for Do Not Track. Mozilla is currently working on the second release of Do Not Track within Firefox, and we remain the only mobile browser to support it. With all these different UI experiments, users have many good options for privacy in their browser of choice and we’ll be able to more quickly determine which approaches best meet users’ expectations.


Do Not Track: It’s the user’s voice that matters

Alex Fowler

Today, Microsoft announced a change in how it will be implementing Do Not Track (DNT) in Internet Explorer. In a pre-release version of IE10, Microsoft will automatically start sending a DNT header on behalf of its users to not be tracked by third parties across the Web.

We appreciate seeing Microsoft putting its full weight behind DNT, especially given Firefox was the lone browser supporting DNT just one year ago. This will make DNT more mainstream and bring more attention to the important issue of user control.

We look forward to learning more about Microsoft’s new DNT implementation, as well as its implications for the standards work currently underway. And for the Web community, we thought it would be helpful to share our position, as well as the consensus view of the W3C Tracking Protection Group, about how we believe DNT can be most effective.

At its foundation, DNT is intended to express an individual’s choice, or preference, to not be tracked. It’s important that the signal represents a choice made by the person behind the keyboard and not the software maker, because ultimately it’s not the browser being tracked, it’s the user. In the words of the W3C group, which is made up of leading consumer privacy groups and industry representatives including Microsoft:

“Key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.” (Tracking Preference Expression, W3C Editor’s Draft, 29 May 2012)

DNT is not an off switch for a particular technology, rather it is the expression of an individual user’s desire being reflected in code — and that’s what makes the feature great. Do Not Track transcends specific technology and gets to the heart of what matters: how a user’s browsing habits are used.

There are three different signals to consider in broadcasting the user’s preferences for tracking:

  1. User says they accept tracking
  2. User says they reject tracking
  3. User hasn’t chosen anything

Firefox defaults to state 3: we don’t know what the user wants, so we’re not sending any signals to servers. This causes the presence of the signal to mean more — the signal being sent should be the user’s choice, not ours. Therefore, Firefox doesn’t broadcast anything until our user has told us what to send.

DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice.

We introduced DNT to do just that: to give users a voice and let them tell sites that they don’t want to be tracked. We did this before knowing exactly how sites and advertisers would respond, and we still believe this is the most effective way for DNT to work.

Update (5-June): We’ve received a few comments asking if we believe all privacy defaults should be about letting users decide, even when that approach leaves users vulnerable. The short answer is “no”; our approach to DNT should not be viewed as a broad policy statement that will apply to other privacy and security considerations — our choice of opt-in for DNT is specific to the way the DNT feature works.

In carefully weighing our approach for appropriate DNT defaults, we talked with many members of the Mozilla community, privacy and technical experts and our users. The DNT feature relies on representing each individual’s desire to web sites, something that requires each user to activate the feature. In fact, a number of academic studies have found that there are users interested in personalized services and content, including targeted ads, so they would not like to have the header sent for them by default. Taken together, we believe the right starting point for a DNT system is a default of preference unknown.

Sid Stamm & Alex Fowler
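The three signal states listed in this post, and the server-side counting of DNT:1 described in the dashboard post at the top of the page, can be shown with one tally over raw request headers. This is an added example, not Mozilla's metrics code: the requests are constructed, and the value `0` for "user accepts tracking" comes from the W3C Tracking Preference Expression draft, not from this page.

```javascript
// Added example: tally the DNT header across raw HTTP request heads.
// SAMPLE_REQUESTS is constructed for illustration; it is not captured traffic.
const SAMPLE_REQUESTS = [
  "GET /blocklist HTTP/1.1\r\nHost: example.test\r\nDNT: 1\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: example.test\r\ndnt: 0\r\n\r\n",
  "GET /a HTTP/1.1\r\nHost: example.test\r\nDNT:  1 \r\n\r\n",
  "GET /b HTTP/1.1\r\nHost: example.test\r\nDNT: yes\r\n\r\n",
  "GET /c HTTP/1.1\r\nHost: example.test\r\nX-DNT: 1\r\n\r\n",
  "GET /d HTTP/1.1\r\nHost: example.test\r\nDNT: 1\r\nDNT: 0\r\n\r\n",
];

// Return every value sent for one header name (header names are case-insensitive).
function headerValues(rawHead, wanted) {
  const lines = rawHead.split("\r\n\r\n")[0].split("\r\n").slice(1); // skip request line
  const values = [];
  for (const line of lines) {
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // not a header line
    if (line.slice(0, colon).trim().toLowerCase() === wanted) {
      values.push(line.slice(colon + 1).trim());
    }
  }
  return values;
}

// Map one request to a preference state. Only the DNT header is inspected;
// nothing else from the request is kept.
function dntState(rawHead) {
  const values = headerValues(rawHead, "dnt");
  if (values.length === 0) return "unset";           // user hasn't chosen anything
  if (new Set(values).size !== 1) return "invalid";  // conflicting duplicates
  if (values[0] === "1") return "reject";            // user rejects tracking
  if (values[0] === "0") return "accept";            // user accepts tracking
  return "invalid";                                  // any other value
}

function tallyDnt(requests) {
  const counts = { reject: 0, accept: 0, unset: 0, invalid: 0 };
  for (const r of requests) counts[dntState(r)] += 1;
  return counts;
}

// Share of requests carrying DNT: 1, as a percentage with one decimal.
function adoptionPercent(counts) {
  const total = counts.reject + counts.accept + counts.unset + counts.invalid;
  return total === 0 ? 0 : Math.round((counts.reject / total) * 1000) / 10;
}

const counts = tallyDnt(SAMPLE_REQUESTS);
console.log(counts, adoptionPercent(counts) + "% send DNT: 1");
```

Keeping "unset" separate from "accept" preserves the distinction the post argues for: an absent header says nothing about the user's preference.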