Jump to content

Privacy blunder? Firefox’s Get Add-ons page uses Google Analytics


Batu69

Recommended Posts

The Firefox web browser ships with an add-on management interface that users may load directly by typing about:addons in the browser's address bar, or by using menus of the browser the page is linked from.

 

The management interface comes with several pages that separate extensions from themes, plugins, services, scripts and other "add-ons" that users may add to Firefox in one way or another.

 

There is also a Get Add-ons page that lists add-on suggestions to users. It is making the rounds right now connects to Google Analytics when users access it.

Nicolas Petton posted a message on Twitter on July 11, 2017 that Mozilla was using Google Analytics on the about:addons page. The message was picked up on social news sites such as Reddit and Hacker News shortly thereafter.

 

Some users voiced concerned about the integration of Google Analytics in Firefox (on this one page), stating that a browser that advertises with being privacy-focused should not do that.

 

Mozilla employees provided detailed information on the implementation on various sites, including on GitHub where a issue was raised by a concerned user.

According to Mozilla employee Matthew Riley MacPherson, known as tofumatt on GitHub, about:addons loads an iFrame with content hosted on a Mozilla website which contains the Google Analytics script.

 

Mozilla has a special agreement with Google which means that the data is aggregated and anonymised. Another Mozilla employee, who goes by the handle potch, added on Hacker News that Mozilla negotiated a special deal with Google that only a "subset of data" is collected, and that the "data is only used for statistical purposes".

 

When asked why Mozilla was not using self-hosted analytics scripts like Piwik, Matthew replied that hosting their own analytics product -- Piwik in particular -- was more work for "a worse product".

 

Matthew suggested to disable the tracking for users who have opted out of Telemetry tracking in the Firefox browser. This has not been implemented yet, and it is unclear whether this is going to happen.

 

Ultimately, this seems to be Mozilla's stance on the issue right now according to Matthew:

We won't be discontinuing our usage of analytics for our web properties, but I do think it would be nice to consider easy opt-outs for users like yourself who clearly do not want to participate in analytics sharing.

The maker of uBlock Origin posted an interesting observation in the thread as well. The legacy version of uBlock Origin can block the requests on internal Firefox pages, while the WebExtension version cannot.

Legacy uBlock Origin can block the network request to GA.

However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.

What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.

The Tor browser developers, a browser that is a modified version of Firefox for added security and privacy, have voiced concerns as well.

Disallow 'about:addons' unless the extensions directory is volatile, because regardless of what Mozilla PR says about respecting privacy, loading Google Analytics in a page that gets loaded as an IFRAME as part of an 'about:' internal page, is anything but.

firefox no discovery

 

Tip: Firefox users who don't use Get Add-ons can disable the functionality in the following way:

  1. Load about:config?filter=extensions.webservice.discoverURL
  2. Double-click on the preference, and remove all characters so that the value is blank.
  3. Restart Firefox.
 

See how to block automatic connections that Firefox makes for additional information, or the list of Firefox security and privacy preferences.

Closing Words

It is clear that there are multiple points of view on the issue at hand:

  1. Some users think that Firefox should never connect to third-parties without explicit user consent.
  2. Others think that the issue is blown out of proportion, as it is limited to a single page in the browser.
  3. Mozilla acknowledges that tracking is taking place, confirms that it has a special deal in place with Google, and that it considers opting users out that have opted out of Telemetry tracking.

My personal stance on the matter is that I think it is unwise to integrate anything that connects back to Google in the Firefox browser. Unwise because it torpedos Mozilla's stance on privacy in the eyes of some Firefox users.

 

Article source

 

Others source: Discussions on reddit

Firefox tracks users with Google Analytics in the add-on settings : linux

Firefox secretly tracks users with Google Analytics in the add-on settings : programming

Link to comment
Share on other sites


  • Replies 6
  • Views 1k
  • Created
  • Last Reply

Mine don't have this problem  on windows as  removed it all from the settings in about config   it only calls home too addons.cdn.mozilla.net,  if i open addons  i could block this if i didn't want  too check for updates but why bother? i use a ip sniffer so I see my traffic and control my own density, but on Linux I just use Waterfox  and end of story  lol

Link to comment
Share on other sites


  • Administrator

I still think people do not understand that some of the data is quite important to understand what a site's or a service's users are doing. We do not collect anything at the moment for many reasons including user privacy, but because of that we do not know what or how our users are doing.

 

The thing is, whom should a person trust. Is one from Mozilla or Google trustable or are both of them trustable here. Obviously, expert users are free to do whatever required to protect their privacy here.

Link to comment
Share on other sites


  • 3 weeks later...

There is another privacy issue with Firefox... Because it doesn't sanitize the file SiteSecurityServiceState.txt (the cookies remains (cause by the HSTS leak)).

FolderLocation = "firefox-56.0a1.fr.win64.installer\core\browser\features"
FolderLocation = "firefox-57.0a1.en.win64.installer\core\browser\features"
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]

Becareful with the installer (Nightly, Developer, etc) because there are several addons preinstalled (check the list available on the page about:support).

These addons can be deleted easily because there are located inside the folder features.

 

Link to comment
Share on other sites


Quote

There is also a Get Add-ons page that lists add-on suggestions to users. It is making the rounds right now connects to Google Analytics when users access it.

No Get Add-ons — no problem:—

 

RVq0SXA.png

Link to comment
Share on other sites


On undefined at 3:13 PM, DKT27 said:

The thing is, whom should a person trust. Is one from Mozilla or Google trustable or are both of them trustable here. Obviously, expert users are free to do whatever required to protect their privacy here.

This is my opinion.. It dont pay too trust any software . But I trust  Mozilla more than i do Google ..In fact I never trusted Google before they made browsers . Firefox can be  configured were it will not call home too Mozilla or Google. But no chromium based browser can be configured were it dont call  too Google at all even if  it dont have Google Analytics .Does this mean I dont use chromium based browsers ,YouTube and Google search sometimes no.. because i am also behind a vpn . But comparing Mozilla  witch just make browsers too Google witch is a ad company  witch is present almost everywhere is not the best example.  And really you dont have too use ether you can use a alternative like Waterfox or Palemoon witch removes it by default ..It's the users choice what they use...

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...