Inside Mozilla's internet privacy fight with Google, Facebook - Protocol

February 9, 2020

In 2016, Mitchell Baker, the chairwoman and interim CEO of Mozilla, sat down to update her manifesto. Well, technically, it's Mozilla's manifesto, but it's Baker's handiwork. Think of it as a sort of Bill of Rights for the internet, or maybe a Ten Commandments: 10 principles about what the internet should be, with ideas about promoting privacy and openness and community. It repeatedly uses words like "individual" and "public" and starts with the premise that the internet is for human beings and needs to be treated as such.

Baker's original opus was published in 2007, adapted from principles Mozilla had held since it was founded in 1998. Over the years, the manifesto has become a foundational document for Mozilla and for the internet as a whole. Employees casually quote it, frequently invoking their favorite principles in explanations and arguments. Baker said her only regret is that there's no way to boil the principles down to a single sentence, like "Don't be evil" or "Think different." Turns out it takes a bit longer to explain how the internet ought to be.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

A decade after its first incarnation, though, Baker felt that the manifesto needed to change. Because the internet had changed. In its early days, when "Mozilla" was the codename for Netscape's browser source code and Internet Explorer was the enemy, the Mozilla team believed the web was the future and it must remain open. By 2016, phones had taken over, apps ruled the world, and the web was dominated by a few companies, serving billions of users, subject to increasing pressure from shareholders and governments alike, running their businesses on the back of an unprecedented effort to collect people's personal data. Baker could no longer accept her place in this ecosystem.

"I'm not spending my life building an open system that's good for trolls and surveillance organizations and violent groups," she said.

So Baker set out to change the rules to help reframe Mozilla's vision. She drafted some new principles and shared them with some people. That's how Mozilla works: slowly, collaboratively, trying to speak for everyone. Baker got feedback, wrote more, shared again. Rinse and repeat for months. At one point, she thought it was done — "I liked it, and it had crisp little headings," she said — but late feedback shook her up. One reader said they liked it, but their parents would think it was "just more California liberal stuff." Baker rewrote it again.

Finally, on March 29, 2018, two days before Mozilla's 20th anniversary, Baker wrote on Mozilla's blog that in the last decade, the world had seen "the power of the internet used to magnify divisiveness, incite violence, promote hatred, and intentionally manipulate fact and reality." Baker then added four new manifesto principles calling for equality, discourse and diversity online in an addendum called "Pledge for a Healthy Internet."

Mozilla has spent the last several years fighting harder and louder than ever for the future of the internet. It's fundamentally rethinking its most important product, Firefox, to align it with the company's vision of a more user-centric, privacy-conscious web. It's fighting in the courts to ensure that the internet is accessible and fair for as many users as possible. It's battling Google, Facebook and other tech conglomerates — including the ones that provide nearly all of Mozilla's revenue.

Tech has become a villain, and Mozilla has sought to appoint itself hero, animated by a pressing fear that if it doesn't fix the internet, doesn't bring back an era of privacy and openness and community, maybe no one will.

David vs. Goliaths

Concerns about the state and future of the internet have been brewing inside Mozilla for years, but if you had to pick The One Day Mozilla Changed Forever, it's March 17, 2018. Also known as Cambridge Analytica Day. As information poured out about Facebook's data-collection practices, and millions of people started to ask whether tech companies were abusing their trust and violating their privacy, a team at Mozilla met to consider how the company should respond. Was it best to explain these privacy issues in human terms? To offer advice on what consumers could do to preserve their own? None of that seemed like enough.

Then someone had an idea: Mozilla makes Firefox, a powerful browser that already offers a technology called "containers" that walls off a single tab from the rest of a user's browsing. Originally, containers were useful for tasks like logging into multiple Gmail accounts in a single window. But what if people could also use them to keep Facebook from snooping as they traveled the web?

A few days later, Mozilla released the Facebook Container extension for Firefox, along with careful instructions on how to keep as much of your browsing data as possible away from the big blue app. It was a useful product — and a powerful statement. This was Mozilla not just allowing the internet to be free, but actively trying to make it better.

"That gave us some of the best reach we've ever had on social media, and in terms of press coverage," said Peter Dolanjski, Mozilla's director of privacy and security products. "It really changed how we think about going out in the world and building products." Mozilla announced at the same time that it would no longer advertise with Facebook.

The Cambridge Analytica scandal changed the way people talk around online privacy, which is to say it caused many people to actually talk about online privacy. "There were just so many stories about how people's data was being collected, and people were aware of it for the first time," Dolanjski said. He began to believe that some users — not all, not even most, but some — might be interested in products that were designed to protect their personal information. And Mozilla, it just so happened, made one of those.

Firefox has long held the not-entirely-flattering distinction of being the most popular browser not made by a huge corporation. For years, it battled Internet Explorer, trying to expand the web beyond the blue icon on every Windows PC. In the early 2000s, for a brief moment, when Mozilla was first to launch things like browser tabs and a search bar, it even looked like Firefox might win the browser wars. Then came Chrome. Google's browser — created by a group of ex-Mozillians — now commands more than two-thirds of desktop market share, according to analytics firm StatCounter. Firefox accounts for slightly less than 10%. For mobile browsers, Chrome and Safari enjoy similar dominance; Firefox has less than 1%.

Still, Mozilla's clout outweighs Firefox's market share. Because even its for-profit arm is owned entirely by the nonprofit Mozilla Foundation, because it's been around for so long, and because it's been publicly preaching the values laid out in the manifesto, it's able to move larger competitors in its direction.

"Mozilla, DuckDuckGo, Sonic and other 'small' tech companies consistently punch above their weight because they are transparent about their values, listen to their users, and stand up for them," said Gennie Gebhart, a research director at the Electronic Frontier Foundation. Even competing browser executives said they respect what Mozilla has to say.

But words only get you so far. Over time, Mozilla has learned to use its product updates as declarations of intent — to do more than shake its fist at the clouds, but proclaim things can be better and then engineer better into existence.

Better by default

A few years ago, Mozilla studied how its users understood the meaning of "private browsing." The results were not surprising: When a user clicked or tapped on the mask icon and went incognito, they generally expected not to be tracked at all. In reality, plenty of data was still being collected. So Firefox engineers began to quietly turn off the third-party trackers and background scripts that incognito mode typically still allowed. Making private browsing more private was a success, which is to say less data was collected and users didn't notice the difference.

The same trackers, though, help users log into sites and pay for goods, and blocking them would break the internet for lots of users. Still, Dolanjski and his team couldn't shake the feeling that it was the right thing to do. So, over two years, they ran a dozen user studies, worked with publishers and advertisers and tech companies, and tried to figure out all the ways the internet could collapse if it couldn't track you anymore. They made changes, tweaked policies, and tried to find fixes that worked for all sides.

This project, which became known as Enhanced Tracking Protection, became a Firefox feature in late 2018. But it was a buried setting, off by default, and addressed only part of the tracking ecosystem. Mozilla knew few users would flip the switch — or even find it. "We can't put this entire burden of protecting your privacy on an individual person," said Selena Deckelmann, Mozilla's senior director of Firefox engineering. Even the most aware users rarely understand the actual mechanics of maintaining their online privacy.

"It's incredibly difficult to figure out which set of checkboxes to flip to preserve your privacy," Deckelmann said. The only way to get people to flip the right switch is to do it for them. Last July, after more months of testing and tweaking, Mozilla turned on Enhanced Tracking Protection by default for a subset of users. In September, the company spread it to everyone. Dolanjski braced for feedback, but not much came. Once again, nobody really noticed the difference.

Mozilla has always operated this way: Make responsible decisions on users' behalf, without bogging them down with the details. This time, though, Mozilla decided to be a little louder in broadcasting the good it was trying to do.

So far, Firefox has blocked 1.6 trillion tracking requests — about 200 per user, per day. But rather than saving the city and fading into the night like Batman, Mozilla thumped its chest a bit. It created a "Privacy Protections report" for users detailing exactly how many trackers it had blocked, how many cookies it had kicked out, and how many times a user's information had been leaked or exposed. It built tools like Firefox Monitor, which monitors the dark web and alerts users when they need to change passwords, and Lockwise, a password manager.

Mozilla's overarching message: You should know how bad things are and how to make it better. At least a little.

Hunting for hits

As Mozilla has worked to improve Firefox, though, the world has started to leave Firefox behind. Most people use Chrome, and most people who don't use whatever browser came with their phone or laptop. Even if they install Firefox, that won't touch the in-app browsers on their phones or the voice assistants and messaging apps. The desktop browser was once the sole portal to the internet; now it's not even the most important.

Mozilla has tried to branch out into other products, with little success. Its Thunderbird project was supposed to "make email easier" but never really caught on. It bet big on FirefoxOS, hoping to build a web-first mobile operating system that could compete with iOS and Android, but that project went the way of Windows Mobile and WebOS. "We have not cracked what to do in a closed mobile system," Baker said. "It's exactly the same system we had before the web: two giants and a really closed system."

Mozilla's product team is left to think out a few years and to wonder: What innovation will transform the web the way the web transformed the PC? One of Baker's guesses is mixed reality. Whether it's AR glasses or Pokémon Go on smartphones, Mozilla is investing heavily in a future where digital and real-world information intermingle. Baker is also interested in finding a way for the smart home to be more confined and privacy-focused. "I just don't understand why your home automation should be on a global backbone," she said.

Mozilla is one of many companies rethinking where data should live and how much of it needs to be on the internet at all. In those spaces, though, Mozilla seems likely to once again battle giants for market share.

Today, the vast majority of Mozilla's revenue — about $435 million in 2018 — comes from a series of search-engine partnerships that pay Mozilla every time Firefox users press enter in the built-in search box. Much of that money comes from Google, with a portion from Baidu in China and Yandex in Russia and other countries. That means Mozilla gets most of its money from some of the same data-collecting, content-suppressing, ad-targeting tech behemoths it's spending that money to fight.

"When we started, the search revenue was just about perfect," Baker said. Google was, in the early 21st century, about the only thing growing faster than Firefox. It was the best search engine, and its vision for openness and access fit Mozilla's goals for the internet. Now, Baker said, "It doesn't feel 100% aligned."

Mozilla is in a strong financial position — thanks to so many years of these partnerships — but no longer feels comfortable with its partners' policies on data collection, misinformation and more.

The plan is to diversify. Mozilla is working on subscription services for features like VPNs and secure storage, hoping to find new ways to generate income from the growing subset of users willing to pay to ensure privacy. But these moves aren't working fast enough: Mozilla recently laid off 70 of its roughly 1,000 employees, and in a note to staff announcing the changes, Baker admitted that the company "underestimated how long it would take to build and ship new, revenue-generating products."

Increasingly, Mozilla seems to believe its best chance to save the internet — even if it doesn't help the bottom line — is to venture outside its own products. Above the browser, above the ad networks, above the tech companies altogether. The only way to fight Google, Facebook and the rest of the seemingly unstoppable tech giants is to change the structure and technology of the internet itself.

Beyond the browser

Not long after Alan Davidson joined Mozilla as its new VP of policy in September 2018, he sat down with his team to figure out where Mozilla should be spending its time. They made a chart: on one axis, how important an issue was; on the other, how much Mozilla could do about it. The top-right corner — big issue, big opportunity — was the sweet spot. Three topics made it in. The first, privacy and security. The second, content and misinformation. The third, net neutrality and internet access.

Net neutrality struck a particular chord for Davidson. He's been working on the issue for more than a decade, first at Google and then as President Barack Obama's director of digital economy. By 2018, Mozilla and a number of other companies and organizations were suing the FCC in a bid to overturn the Restoring Internet Freedom Order that had effectively eliminated net neutrality in 2017. Mozilla quickly became the lead plaintiff in that case — which became Mozilla vs. FCC — and spent months preparing to argue it in Washington, D.C.'s circuit court.

On Feb. 1, 2019, Davidson and his team filed into a large, wood-paneled courtroom and argued the case in front of three judges. These cases tend to be whirlwind affairs, but this one went a bit differently. "You've written these briefs, hundreds of pages, thousands of person-hours, and you usually get an hour to argue the case," Davidson said. "This argument actually went on for almost five hours. I've never seen anything like it."

Leaving the courthouse, exhausted, walking out into a snowy D.C., Davidson wasn't sure how to feel. "I don't want to say I was optimistic," he said, though he thought two judges appeared sympathetic to Mozilla's argument. All he could do was wait. And wait.

The court issues opinions Tuesdays and Fridays, but it doesn't reveal timelines for specific cases. So twice a week, someone on Mozilla's team went to the courthouse to check if the decision had landed. Meanwhile, the rest of the team planned for all outcomes. For nine months. Until the morning of October 1—a Tuesday— when Davidson was on his way into the office, "and all of a sudden my phone starts blowing up."

The decision was mixed, from Mozilla's perspective. While the court didn't strike down the FCC's order, it allowed individual states to make their own neutrality rules, which Davidson expects will happen soon. Going forward, he's focusing on the other issues in that top-right quadrant. "A year ago," Davidson said, "we thought we were going to have a bigger opportunity in Washington" to help pass a federal privacy law. "That just hasn't happened the way we hoped." Instead he's focused on national efforts in Kenya, India and elsewhere.

Mozilla has only a few employees in Washington, but they're increasingly active. Mozilla in January filed a friend-of-the-court brief on behalf of a number of other small tech companies, as part of a case in which Oracle accuses Google of violating Oracle copyrights while building Android. The case is set to be heard by the Supreme Court in March, and will set critical precedents over who owns and controls code. In the brief, Jason Schultz, an NYU law professor and Mozilla fellow, wrote that "competition and innovation are at the heart of a healthy internet and the field of software development that fuels it." The court, he said, should rule in Google's favor.

At the same time, Mozilla is trying to help rewrite some of the internet's foundational technology. It's working to enable a new protocol called DNS over HTTPS, or DoH, which would make it harder for carriers and ISPs to track users as they browse. (The effort earned Mozilla an "Internet Villain" nomination from a group of ISPs in the United Kingdom, though they later rescinded the nomination.) Mozilla was early to the fight to encrypt the entire web through HTTPS, and is now leading the charge on DoH as well.

Mozilla's DoH work, like many of its other privacy-first initiatives, is gaining momentum across the industry. Google has several ongoing DoH-related projects in Chrome and has announced its intention to eliminate third-party tracking cookies — though it won't go as far as Firefox in blocking those cookies altogether. Microsoft's new Edge browser and Apple's Safari both have powerful anti-tracking features, and they're turned on by default. Google followed Mozilla's lead in blocking those obnoxious desktop-notification pop-ups. Browser developers everywhere are making the web a little safer to peruse.

All of this is good news for Mozilla, with a big caveat: Every privacy-conscious Edge or Safari user is one less person using Firefox. Baker, like so many other Mozilla employees, insists that's OK. Mozilla's job, its mission, its manifesto, has always been bigger than browsers. Besides, by the time those browsers get fixed, there will be entirely new internet universes — voice assistants, AI interfaces, mixed-reality platforms — requiring a champion for openness and humanity. "I mean, we have this manifesto," Baker said. "It's not like we're going to reach it one day and be done, right? Even if we did, a week later, there'd be new things to do."

The manifesto will change again. The internet will change again. Mozilla's just trying to make sure it's still around to fight.