This repo contains the yaml files specifying the metrics collected by the Mozilla Ads Routing Service (MARS).
Commonly in the ads industry, client apps or websites make requests for ads directly to ad servers. These direct requests allows ad partners to see a wealth of information, which can be used to identify the specific person using an app or site, and to build profiles about that person across many different apps and sites. The ads returned and shown also commonly contain tracking code that detects that person's activities and adds to their profile.
MARS is a backend API service that prevents ad partners from gaining this kind of information. It functions as a privacy-preserving proxy bewteen Firefox clients and third party ad providers. MARS takes requests for ads from the Firefox browser, redacts or anonymizes any information that can be used to identify users or create profiles, forwards along these anonymized requests to third party ad providers, and returns privacy-respecting, tracker-free ads to Firefox.
Some examples of these ads are the Sponsored Shortcuts and Sponsored Stories found on Firefox's Home and New Tab.
An example of one way MARS functions to preserve user privacy:
- Instead of passing the Firefox user's potentially fingerprintable User Agent string to ad partners, MARS sends along only the user's OS and whether they are on Desktop, Tablet, or Phone. The ad partner gets enough information to return an ad appropriate for the device, but has no way to identify, fingerprint, or track any user.
MARS is a stateless service and doesn't collect or store any data itself. The only data it persists is via Glean ping to Mozilla's data warehouse. MARS also plays a privacy-preserving proxy role between Firefox users and our own data warehouse.
MARS needs to collect some anonymized, aggregated data about user interactions with ads in order to do business with our third party ad partners and advertisers, and for our financial record keeping. This is because we are paid based on these interactions, for example by how many times we show an ad, or by how many times an ad gets clicked. This is Category 2 "Interaction" data, captured via our interaction ping.
MARS also collects some anonymized, aggregated data to ensure our systems are functioning correctly and our third party partners are meeting their contractual obligations. This is Category 1 "Technical" data, captured via our request-stats and provider-request-stats pings.
MARS's Glean integration is server-side, and all our pings are sent without any of the client_info.* fields that would be populated in a typical client-side Glean integration. This means no client info ever gets sent by default. Instead we pick a few coarse, non-identifying client fields to include for necessary reporting, and place them under the ad_client category of the ping's metrics.
At Mozilla we always give users meaningful choice and control over data collection. To opt-out of Mozilla Ads data collection, a user must opt out of ads entirely by going to Preferences > Home and unchecking "Support Firefox", or unchecking both "Sponsored shortcuts" and "Sponsored stories".
This is because we invoice our third party ad partners and advertisers based on this data. So if we are showing ads, it is necessary to keep anonymized, aggregated data about user interactions with ads, for doing business and for our financial record keeping.
Firefox clients that use MARS are required to send ContextId, a UUID, with their ad requests. The ContextId is used to enable features like users blocking specific ads they don't want to see again. The ContextId is one of the metrics we send in Glean pings and store under the ad_client.* category.
Clients of the MARS API are required to rotate their ContextIds at least every 3 days to prevent it from becoming a persistent identifier within our data warehouse.
MARS is currently a stateless service, we do not store any data on the users' behalf, nor have any way to identify clients or users, aside from the ephemeral ContextId detailed above. The only data we store is the Category 1 and Category 2 data that we send in our Glean pings. This data is necessary to retain for our business purposes, so we do not provide a way for users to delete it.
At Mozilla, like at many other organizations, we rely on data to make product decisions. But here, unlike many other organizations, we balance our goal of collecting useful, high-quality data with our goal to give users meaningful choice and control over their own data. The Mozilla data collection program was created to ensure we achieve both goals whenever we make a change to how we collect data in our products.
Making changes to the metrics and pings in this repo requires review by a Data Steward, in addition to the usual Ads Engineering code review.
- Submit your PR to
mars-telemetry(but do not merge it yet!) - Fill out a data collection review form (examples here).
- Submit the request to Bugzilla.
- Add a comment to your PR linking your Bugzilla request and a copy of your proposed measurements table (from the data collection review form).
- Send a friendly message to #data-stewardship-help to request a review. Make sure to:
- Give some brief context on the change
- Include a link to the PR and Bugzilla request
- Include a link to this
README.mdfor our reviewer to reference for background on MARS data collection.
If the data collection changes involve Category 3 or Category 4 data, or if it is initially unclear which Category the data might fall under, then the change will also need a Sensitive Data Collection Review, as outlined in the Data Collection wiki page.