There was an unexpected error authorizing you. Please try again.
arrow-downarrow-leftarrow-rightarrow-upbiocircleclosedownloadfacebookgplus instagram linkedinmailmenuphoneplaysearchsharespinnertwitteryoutube

Has Mozilla Lost its Values?

The Future of the Cookie 3

On May 31, Kevin Conroy, the President of Digital and Enterprise Development for Univision Communications, one of the largest premium Hispanic media companies in the United States, wrote a heartfelt plea in Advertising Age titled, “The Third-Party Cookie Divide Is Debilitating the Industry.”  Pegged to the controversy aroused by the Mozilla Corporation’s announcement that it intended to block third-party cookies by default, Mr. Conroy correctly noted that “third-party cookies are not all bad or all good.”

“The companies behind these controversial tools are established members of the digital-advertising supply chain that provide an array of services, and their relationships with other industry participants should not be defined or determined with one broad stroke,” he added. “All-or-nothing proclamations and actions on this matter represent a dangerous over-simplification that’s creating conflict and putting the industry at risk. This face-off must be replaced with thoughtful and productive discussion recognizing the subtleties of the marketplace, the individual interests of businesses, and the true north that all parties invested in this discord and its resolution share: the desire to deliver value to consumers that is dependent upon trust, comfort and control over their privacy.”

We have taken Mr. Conroy’s admonitions to heart, not just because he is a member of the IAB’s Board of Directors, but because he is right. Conversation is better than isolation; negotiations trump obstinacy; “win-win” is preferable to “you lose.” So we were heartened when Mozilla executives started reaching out to advertising, media, and ad technology industry companies, professing to want to include them among the stakeholder groups whose opinions matter as Mozilla goes about reconfiguring its Firefox browser, which controls 20 percent of the world’s access to the Internet.

Unfortunately, a review of Mozilla’s latest scheme for blocking third party cookies shows it to be worse than its earlier proposals. While Mozilla executives say they are taking in criticism from multiple stakeholders, the company’s own statements and explanations indicate that Mozilla is making extreme value judgments with extraordinary impact on the digital supply chain, securing for itself a significant gatekeeper position in which it and its handpicked minions will be able to determine which voices gain distribution and which do not on the Internet.

The Cookied Web

Third-party cookies are an essential part of the Internet content supply chain, and date to the earliest days of the commercial Web, in the mid-1990s. Stored inside a user’s Web browser, they help the browser remember the user’s previous activity. While first-party cookies, as Wikipedia notes, “are cookies set with the same domain (or its subdomain) as your browser’s address bar,” third-party cookies “are cookies set with domains different from the one shown on the address bar.”

Although third-party cookies have been controversial mechanisms – their privacy implications, particularly the concern that they could be used to maintain identifiable dossiers of consumers and consumer activities, were subjects of Federal Trade Commission hearings in 1996-1997 – they have been part of the way Internet advertising has been delivered, measured, analyzed, optimized, and compensated for more than 15 years. Were they to be embargoed tomorrow, billions of dollars in Internet advertising and hundreds of thousands of jobs dependent on it would disappear.

On June 19, Mozilla – which is both a nonprofit foundation and a for-profit corporation – announced new plan for blocking third-party cookies in Internet content distribution. In collaboration with Stanford University’s Center for Internet and Society, it said it would establish a “Cookie Clearinghouse,” a body that would “develop and maintain an ‘allow list’ and ‘block list’ to help Internet users make privacy choices as they move through the Internet.”

The Cookie Clearinghouse replaced Mozilla’s earlier concept for controlling the use of third-party cookies: a patch to its Firefox browser which essentially would have blocked all third-party cookies except those specifically allowed by the user. After an uproar from Internet advertising and retail organizations, including the IAB, Mozilla put that plan on hold, announcing that it produced too many “false positives” and “false negatives.”  Specifically, it would block third-party domains even if they share the same owner and operator as a primary domain – an almost pure act of business interference – and failed to block cookies on sites users went to by accident. Mozilla Chief Technology Officer Brendan Eich said “the only credible alternative” to the blunt, poorly designed Firefox patch was “a centralized block-list.”

Centralized solutions may, in fact, be necessary to improve performance, user control, and the safety of the Internet advertising and media supply chain.

We believe the “open source” Internet advertising supply chain, while a foundation for enormous innovation, also introduces vulnerabilities into the advertising and media ecosystem, and we are eager to work with legitimate participants to improve the functioning and safety of this supply chain.  IAB already participates in several such centralized solutions. A prominent one is the Digital Advertising Alliance’s self-regulatory program for online behavioral advertising. This program allows consumers to see how they are being tracked online and by which advertising-related companies, and to selectively opt in and opt out of such tracking. In February 2012, Jon Leibowitz, the then-Chair of the FTC, called the DAA program “a significant step forward.”  Today, trillions of ad impressions a year carry the DAA’s notification icon; millions of consumers have clicked on it and visited the DAA’s site; and hundreds of thousands have opted in and out of various forms of targeting via the DAA program.

And just this week, the White House praised another IAB initiative, our Quality Assurance Guidelines, a centralized compliance program that, among other things, will help combat the piracy of intellectual property in digital advertising environments.

So our initial opposition to the new Mozilla announcement was not based on hostility to centralized solutions. It was based on our skepticism about Mozilla’s motives and with its ability to follow through on its commitments.

Anti-Business Bias

Mozilla executives say they are not opposed to advertising. Indeed, at the same time the organization is threatening to choke off the ability of Long Tail publishers to monetize their advertising inventory, it is  testing the market for a new advertising product of its own – a suspicious confluence of events, to say the least.

But that aside, the company’s civic positioning and public character are heavily freighted with antipathy toward advertising and the commercial Internet. For example, Mozilla is the world’s largest distributor of Adblock Plus, a browser add-on that impedes advertising delivery on the Internet. Adblock Plus boasts nearly 15 million Firefox users, and is the browser’s no. 1 add-on by far, with more than twice as many users as its no. 2 add-on, Video Download Helper.

Like the piracy of music and movies online, ad blocking appears to be a victimless endeavor, but in fact is a possibly illegal activity that deprives a cascading chain of legitimate enterprises of income. In some markets, Adblock Plus is responsible for stopping as much as 50 percent of mainstream publishers’ ads, significantly harming their revenue stream. For small publishers, the effect is devastating. Niero Gonzalez, the proprietor of the gamer site and a member of the IAB’s Long Tail Alliance, says that half his users are blocking ads. “This means we’re working twice as hard as ever to sustain our company,” he has written.

When asked about this, Mozilla executives give a figurative shrug and say they are merely responding to their users’ interests, and that Firefox add-ons are community contributions, about which Mozilla does not pass moral judgments.  But of course, this is, at best, a rationalization, and perhaps wholly disingenuous. Like all organizations, Mozilla makes choices and passes judgments every day, which reflect the organization’s values. Mozilla’s active, prominent promotion of Adblock Plus suggests a value system hostile to advertising and the businesses and people dependent on it. If the organization felt strongly about the economic impact of ad blocking on small Web publishers and retailers, it could curb it – or at least cease aiding and abetting it.

An organization’s values also are represented by those with whom it chooses to associate. Here again, Mozilla’s values reflect an aversion toward advertising and the consumer economy to which it is central. The Cookie Clearinghouse launched by Mozilla with Stanford is led by Aleecia M. McDonald, the Director of Privacy at Stanford’s Center for Internet and Society. Dr. McDonald co-chaired the Worldwide Web Consortium’s Tracking Protection Working Group, a body that was supposed to join stakeholders from industry, academic institutions, NGOs, and regulators in developing standards for browser-based mechanisms to enable users to opt out of tracking. Dr. McDonald’s leadership of the group was widely perceived as unsuccessful, in no small part because of her Manichaean point of view that pits privacy interests against business interests, and her impatience with alternative perspectives on the W3C Task Force.  Last July, for example, she said, “Whatever standard the W3C produces will put a number of third parties out of business, but that is okay because that will be a good day for privacy.”  Only since her departure from the W3C has the body managed to struggle closer to a consensus standard.

Dr. McDonald’s insensitivity was on display again last month, when she chose an anti-business extremist for the Advisory Board of her Clearinghouse – Jonathan Mayer, the Stanford graduate student who designed the cookie-blocking patch, and whose intemperate public opposition to the ad industry, consensus-generating processes, and stakeholder negotiations led Mozilla, in a May industry forum, to publicly disavow its connections to him. That Mozilla would subsequently turn to such people to lead a body that will make decisions regarding the life and death of businesses is an indication of the organization’s indifference to the economic stakes involved in its efforts to unilaterally reconfigure the Internet advertising supply chain.

But at least as telling as the presence of anti-business radicals on Mozilla’s “cookie court” is who and what is absent. There are no publishers on it – the people whose livelihoods depend on the sale of digital advertising. There are no executives from ad networks – the companies that are almost solely responsible for helping small publishers earn any income. There are no executives from brand marketers, ad agencies, retailers, e-tailers, or ad technology companies – not a single representative froman ecosystem responsible for creating 5.1 million jobs in and contributing $530 billion annually to the U.S. economy.

In light of this criticism, Mozilla may lean on Stanford to change the composition of its Cookie Clearinghouse, but that alone cannot change the character or complexion of Mozilla or the Stanford Center for Internet and Society, which appear to be those of elitist organizations that hide under the shield of populism to make value judgments about who is worthy of earning a living in the digital age.

The Atomized Individual

We saw this anti-business value system reflected again in the operating details Mozilla has begun to unveil for its Cookie Clearinghouse. These specifics have been doled out sparingly in blog posts and in a sparsely attended discussion Mozilla convened on July 2 at its San Francisco headquarters.

At first blush, Mozilla’s ideology seems inarguable. “We simply believe that when personal data is collected to deliver these [personalized Internet] services, the collection should be done respectfully and with the consent of the consumer,” the company said on its Mozilla Blog on May 10. Its decision to block third-party cookies by default was made “to strike a better balance between personalized ads and the tracking of users across the Web without their consent.”

Seemingly benign, Mozilla’s ideology is weighted down with counter-historical presumptions. The entire marketing-media ecosystem has subsisted on purchase-behavior data and other forms of research being available without individuals’ consent. R.L. Polk & Co. receives automotive ownership data from some 240 sources, including state governments, auto manufacturers, and financing companies, to create profiles of nearly every vehicle on the road and the people driving them. This data has been central both to the health of the auto industry and to improvements in cars, driving, and auto safety over the years.

U.S. Census data, too, is a foundation of U.S. economic development. The U.S. Census Bureau maintains a site full of case studies describing how this most personalized data source of all can be used by businesses that want to “gauge the competition,” “calculate market share,” “locate business markets,” “design sales territories and set sales quotas,” and engage in myriad other activities. Not only is this use of anonymous, personal data central to the American economy – it is protected by the U.S. Constitution.

Were such sources of data suddenly to become unavailable – or if they were to shift from default-available to default-closed – whole industries would suffer, and along with them the people they employ and the communities in which they operate.

This is exactly what Mozilla is proposing to do – and what its self-styled libertarian patrons are (paradoxically) urging it to do.

Words like “privacy” and “respect” seem incontestably clear and insistent. Yet they have no single meaning. They are social constructions – and different social constructions have different trade-offs, one of which is the diversity of content, and ideas, on the Internet.

At this moment in the evolution of the Internet, third-party cookies are the technology that makes small publishers economically viable. Their elimination will concentrate ad revenues in a shrinking group of giant media and technology companies. It is incumbent on Mozilla, which claims to defend openness and diversity on the Internet, to reconcile its public values with the diminution in diversity that is bound to occur from its proposed actions.

The Mozillan Ideology

There are four major ideological presumptions underlying Mozilla’s decision to block third-party cookies through its Cookie Clearinghouse:

  • It presumes that blocking third-party cookies by default is better than allowing them by default.
  • It presumes that an Internet supply chain dependent on a centralized clearinghouse will continue to operate equitably.
  • It presumes that human involvement only during counter-challenges to the Clearinghouse’s decisions is reasonable and scalable.
  • It presumes that the establishment of a centralized body to determine which third parties should be exempt from this default behavior is consistent with Mozilla’s mission.

All of these presumptions are questionable.

Blocking third-party cookies by default is neither better nor worse than allowing them by default- but it does reflect a value judgment which affirms that the sanctity of the individual, in any way he or she chooses, transcends all other values, including important functions of civil society.

Consider, for example, the role of commerce – the freedom to engage in which was a fundamental spark to the American Revolution. Although it may not be as apparent as when a customer enters a physical store, visiting a web site is a commercial act, during which a value exchange occurs.  Consumers receive content, and in exchange are delivered advertising.  The value of the delivered ad is currently calculated based on two essential points of data – where the ad is being delivered, and to whom.  By blocking third-party cookies by default, Mozilla is turning off the anonymized but behaviorally relevant “who” signal, thereby reducing the value of most ads.   The user effectively has been granted a right to engage in a commercial transaction without anyone knowing anything about that transaction, including the other party to the transaction.  This social decision carries costs. By reducing the value of advertising, consumers and businesses will shoulder higher prices, in the form of more ads, more intrusively delivered. Or they will pay more for content. Or they will be asked for more explicitly personal information in return for the content.

The same would be true if another source of prevalent, anonymized, personal data – bar codes and retail scanners – was suddenly embargoed. Costs in the retail supply chain would skyrocket, as stores, distributors, and manufacturers struggle to maintain optimal stocks of goods. No one would benefit – margins would decline everywhere, and consumer prices would rise – but the worthiness of the individual, and his freedom from intrusive inspection of his anonymized toothpaste purchases, would be sanctified.

As the internet becomes further entrenched in modern life, assuring sufficient consumer control grows in importance.  Yet simply flipping a default preference for all consumers does nothing to empower them. Instead, it degrades the opportunities businesses have for delivering conveniently available high quality content, and it promises to raise various kinds of consumption costs on consumers.

Social costs also factor into the equitability of Mozilla’s proposal for a centralized Cookie Clearinghouse. At this time, Mozilla hasn’t made clear the formats for its proposed “block-list” and “accept-list.”  The accept-list is to contain a list of third parties that are exempt from the blanket ban on third-party cookies. This accept-list has two possible implementations of which we are aware:

  1. It could list the domains that are allowed to use cookies in a third party context.  For example, “XYZ can set cookies in a third party context.”
  2. It could list the domains that are allowed to use cookies in a third party context, and specify which domains on which they are allowed to do so.  For example, “XYZ can set cookies in third party context, but only on ABC and DEF.”

The first possible implementation introduces a fixed cost to anyone who would want to use third-party cookies for any reason.  This cost would have a higher proportional impact on smaller players, thereby increasing the barriers to entry for new competition.  Depending on the criteria used to evaluate exceptions, this may block several existing business models – those of advertising networks and data brokers, certainly, but also such functions as web analytics, on-page social sharing buttons, and other widgets.

The second possible implementation introduces significant scaling costs to anyone who would want to use third-party cookies.  It will definitely block social widgets, “share” buttons, “like” buttons, and any other popular business model that depends on user interactions with cookies while the user is away from the first-party “proprietor” site.  At best, the centralized clearinghouse skews towards the incumbent, reducing the opportunity for small innovators to gain a foothold and compete.  At worst, it completely eliminates certain business models.

Another troublesome, complex, and socially costly feature of Mozilla’s Cookie Clearinghouse involves the use of human intervention to determine which cookie-settings are acceptable and which are not. As currently drafted, the clearinghouse proposes an automated handling of most requests through a “challenge” process, and a manual handling of any contested request through a “counter-challenge” process.  This is troubling, for it empowers unscrupulous actors to leverage the clearinghouse as a tool for disruption of service and to gain competitive advantages.  Specifically, without human oversight, the following situations may occur:

  • An attacker can counter-challenge the exception for a legitimate third party, thereby temporarily blocking the ability of that third party to set cookies.
  • Multiple attackers can counter-challenge a wide range of legitimate third parties, thereby overloading the staff of the Cookie Clearinghouse, further damaging those legitimate third parties.
  • Multiple attackers can file challenges as well as counter-challenges to those same challenges, to further increase the workload of the Cookie Clearinghouse staff.
  • An unscrupulous actor can indicate that it is a legitimate third party, thereby gaining the ability to set third party cookies, and can then migrate to a new domain as soon as a counter-challenge is raised. If done in tandem with a persistent attack on the ability of the Cookie Clearinghouse staff to review counter-challenges, this advantage may be longstanding.

The creation of a centralized, automated “toggle” exposes all web sites that depend on third party resources to potential disruption.  However, staffing to validate each and every challenge manually is not feasible, either.  By attempting to enhance individual isolationism on the Web, Mozilla could instead turn it into a bureaucratic war zone of competing interests.

Firefox’s Henhouse

For years, Mozilla has portrayed itself as one of the good actors on the Wild West of the Web – a digital Jimmy Stewart out to tame the evil-doing Liberty Valance’s of the virtual world, making it safe for the citizenry to raise barns and families and towns.  “Our mission,” Mozilla proclaims, “is to promote openness, innovation & opportunity on the Web.”

Underlying this mission is a declaration of sorts, something the California foundation labels “The Mozilla Manifesto.” Among its 10 principles are:

2.       2. The Internet is a global public resource that must remain open and accessible.

6.       6. The effectiveness of the Internet as a public resource depends upon interoperability (protocols, data formats, content), innovation and decentralized participation worldwide.

The creation of a centralized gate to participation in the digital economy seems to run counter to the goals of an open, accessible, decentralized Internet.  Deciding centrally what is best for consumers – and rendering explicit judgments that individual isolationism is preferable to a diversity of information on the Internet – appears to defy Mozilla’s charter.

Perhaps worse is the organization’s blindness to its own potential, as it evolves inside a cocoon spun by techno-libertarians and academic elites who believe in liberty and freedom for all, as long as they get to decide the definitions of liberty and freedom. By dealing exclusively with the issue of controls around cookies, Mozilla is missing a great opportunity to talk about the options for identity management and safety in a larger scope.  A solution that empowers consumer choice in both the mobile OS and desktop browser spaces would bring significantly more value to all involved parties, and allow Mozilla to promote thought leadership with its nascent Mobile OS.

We’d like to work with Mozilla and other browser makers to get there. In fact, Mozilla should consider this an open, public invitation to join the IAB. We’ll even waive its annual dues for the first year, just to get its people participating in what we do and understanding more deeply the concerns of the digital advertising industry. The same goes for the browser teams at Apple, Google, and Microsoft. These companies already are members of the IAB, some of them highly participatory, but their browser teams remain generally uninvolved in what we do. We are looking to these browser makers, and the other would-be gatekeepers of the Internet, to work with us to resolve a critical social, economic, and cultural dilemma – how to balance the desire for privacy with the value of cultural diversity.

Unfortunately, the new proposal from Mozilla is not that resolution. Rather, it and other browser makers continue to fight their solo war against each other, leaving the rest of us as potential collateral damage.

So to summarize, here’s what we would like to see from Mozilla:

  • Block the ad-blockers, and turn your backs on those who delight in destroying others’ livelihoods.
  • Don’t align yourself with individuals and groups whose history shows them unwilling to strive for consensus among multiple stakeholder groups.
  • Strive to protect user privacy and anonymity, but understand that these are different than user isolationism.
  • Show publishers, agencies, and marketers that you care about their businesses, and work toward solutions that help content get distributed and fairly compensated.
  • Elevate the diversity of Web content to your highest value of all. And work with us to achieve it.


Randall Rothenberg
Executive Chair
at IAB