Big changes afoot at Mozilla

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition, advertising and music for decades and I’m now writing for The Monopoly Report. If you have a tip to share in confidence, find me on Twitter or Bluesky.

Our latest Monopoly Report podcast is out with Eric Goldman - Professor of Law at Santa Clara University School of Law. We talk about Section 230 of the Communications Decency Act and how Section 230 has been critical to the growth of the consumer Internet economy, including the digital ads space.

The Internet don’t take kindly to broken promises

I want to begin today’s newsletter with a story about the SECOND most well-known privacy kerfuffle of the dot-com era. By now, just about everyone reading this has probably heard of the DoubleClick / Abacus - the privacy “scandal” that almost took down the then reigning king of the ad techs of Silicon Alley, NYC.

The fallout from the DCLK-Abacus fiasco ultimately resulted in the creation of the Network Advertising Initiative (i.e., to address privacy concerns once and for all) as well as the “we don’t touch PII” mantra that ad tech CEO’s continue to spout to this day (so as to demonstrate that we all REALLY care about privacy).

By comparison, few people remember Toysmart - the OTHER poster child for bad privacy practices from the early days of the Internet.

Toysmart was one of the darlings of the early dot com era. Like many companies born in the late 90’s, they were going to fundamentally change the way the toy business operated. And….Yada, yada, yada - by the Summer of 2000, Toysmart had declared bankruptcy. And that’s when things got interesting.

Toysmart tried to sell it’s customer list as one of the bankruptcy assets. But it turned out that Toysmart’s privacy policy contained a promise indicating that they would NEVER sell their customer data. So when they tried to sell that data as part of the bankruptcy proceeding, the FTC and a bunch of State AG’s objected…vigorously.

(Imagine if the FTC had approached Google’s acquisition of DoubleClick with the same level of vigor… but I digress).

Eventually, all the noise around Toysmart forced a change to the bankruptcy law - requiring the appointment of a “privacy ombudsman” in certain bankruptcies that involved the sale of customer data. Bragging alert: I was appointed by the U.S. Trustee’s office in over 20 separate bankruptcies over the years, including: Chrysler, General Motors, Atari, Eddie Bauer and St Vincents Hospital bankruptcies.

From Toysmart’s broken promise to Mozilla

Toysmart came to my mind over the weekend when I read an Ars Technica article noting that Mozilla had recently attempted to delete a promise to never sell its users' personal data. The article (and similar articles) all but characterizes Mozilla as an organization that has lost it’s moral compass and gone to the dark side.

It’s not so much that Mozilla has broken a privacy promise. Rather, this change in terminology is a direct function of a drastic shift in both the regulatory and business environment. Put another way, Mozilla didn’t land on the “Plymouth Rock” of the ads space. It might be more accurate to say that the Google Search Trial landed on Mozilla.

Why did Mozilla move away from it’s privacy promise?

• The definition of personal data has expanded - I’ve written about this before. Thanks to places like California, it’s near impossible to remove a data set from the definition of personal data. What about Mozilla’s purchase of Anonym? Either Anonym’s solution wasn’t able to remove Mozilla’s data flows from the definition of personal data - or Mozilla isn’t able to make enough money via Anonym to keep the lights on.

• The definition of “sale” is also REALLY broad - State privacy laws like California’s CCPA views most transfers of data in an ads context as a sale. So even if you haven’t changed your model, these rules make it hard to share data - even log file data - without that transfer being considered a sale. While I don’t see Mozilla listed as a California data broker just yet, that registration seems like only a matter of time.

• Mozilla’s revenue model is shifting - For years, browsers were effectively subsidized by search engines like Google and Yahoo! as distribution outlets. As that subsidy seems to be going away, all browsers need to adjust. And for most of them, that means a full(er) embrace of advertising and the nestling of ad platforms within the browser. I’ve previously opined that serving advertisers may pose a conflict for browsers.

• Anti-preferencing rules - As browsers build their own internal ad platforms, they need to be wary of anti-preferencing rules. Apple is under scrutiny in the EU for treating it’s targeting tools as “personalization” while framing other tools as “tracking”. And a few U.S. states have created rules saying that browsers and mobile O/S can’t use opt-out privacy signals like the Global Privacy Control to preference their own internal solutions. I’ve previously noted that these rules exacerbate a conflict of interest for browsers.

What needs to happen?

I’m not here to praise or bury Mozilla. Many of the critics of Mozilla’s recent moves are hand-waving away some real world revenue problems in a way that comes off as a bit naive. And that sentiment ignores the inconvenient truth that the traditional practice of sending search data to Google may not have been great for privacy either.

I have a certain amount of empathy for browsers who may be dealing with some unrealistic expectations of their user base - even tho I recognize it was the browsers who fostered those expectations.

In that light, I have a few broad suggestions for Mozilla and the rest of the browser community:

• Think You’re Better than Me? - Forgive the New England tone here. Just because it’s YOU doing XXX doesn’t mean that XXX puts you on the side of the angels. Browsers should stop pretending that they are somehow “above” the ads business. If you work at a browser, you now fall into one of two buckets (and perhaps, both): (a) you are squarely in the ads business, and/or (b) you are part of a large company that makes enough money in other ways so as to subsidize your work.

• Collaboration and Interoperability - The last thing the ads world needs is more walled gardens grading their own homework. If browsers are going to be part of the ads community, then they should consider embracing some flavor of interoperability. And no… I’m NOT saying that it should be a free for all where everyone gets access to all browsing data. But restricting data use to a small group of tech giants isn’t good for anyone.

• Standards around PETs - To their credit, Mozilla is doing some really cool work when it comes to privacy enhancing technologies. But there are limits to those PETs because: (a) they don’t necessarily address core consumer privacy concerns, (b) they don’t consistently meet the requirements of privacy laws, and (c) they sometimes carry their own biases in ways which aren’t always clear on the surface. (Don Marti has written a bunch of on this topic.) Imagine if Mozilla were willing to create standards that embraced interoperability and privacy within the larger ads community and we all socialized the standard to the CPPA or some other body when it comes to “sale” or definition of “personal information”? Worth a try? (And please - don’t get me started on the W3C as the vehicle for the creation this type of standard).

Epilogue - Mozilla has reportedly edited its privacy and data use language again in response to critics - some of whom work at competing browsers. Careful with the schadenfreude, folks - expanding definitions of sale and personal data might just find their way into your businesses too.

Alan’s Hot Takes…

Here are a few additional stories that hit me over the past week:

• Screen Scraping for AI is “fair use”? – Not according to the District Court of Delaware. (h/t to Peter Csathy). A few implications: (1) AI just got much more expensive to train, (2) content creators may have a fighting chance (hope news publishers are watching), (3) Irony alert: Microsoft’s restrictive position on screen scraping when it comes to pages on LinkedIn may be in contrast to it’s much more open view when it comes to OpenAI’s scraping for AI.

• Weaponized Opacity: Self-Preferencing in Digital Audience Measurement - Thomas Hoppner and Philipp Westerhoff published a paper that discusses the challenges posed by digital gatekeepers like Google, Meta, and Amazon regarding independent audience measurement in the advertising ecosystem. We are rapidly approach a world where the “jig is up” on the whole “walled gardens will fix everything” narrative. Also, someone should give Rick Bruner a bunch of money so he can go fix the measurement business.

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn.