Jump to content

The Firefox Browser is a privacy nightmare on desktop and mobile


steven36
 Share

Recommended Posts

The Firefox Browser is not as private as you may think – especially on iOS and Android.

 

134666292_158012913144070618.jpg

 

 

Mozilla recently announced that they would be allowing any Firefox user a means to request Mozilla to delete stored telemetry data that is tied to said user. Mozilla maintains “strict limits” on how long they store this logged telemetry data, but any duration is too long if the telemetry data can be associated with an individual Firefox browser instance on a particular IP address through a government request. Sure, the collection of this telemetry data can be turned off, but the vast majority of Firefox users are not using Firefox with telemetry turned off, and are therefore incredibly vulnerable.

 

The change by Mozilla comes as a result of the California Consumer Privacy Act (CCPA), a state law which came into effect at the turn of the new year. 2020 is a year of clear vision, and we get to start it off with the revelation that Firefox stores telemetry data in a way that can be traced back to an individual user. After all, how else would Mozilla be able to delete just your telemetry data upon request? To answer this question, Privacy Online News reached out to Mozilla and a Mozilla spokesperson explained how the telemetry data is associated with your browser instance:

 

“By default, Mozilla collects limited data from Firefox to help us understand how people are using the browser, such as information about the number of open tabs and windows or number of webpages visited. This does not include data that can reveal sensitive information about users’ activity online, such as search queries or the websites users visit.

 

The data collected is associated with a randomly generated identifier that is unique to each Firefox client. We refer to this as a clientID. That clientID is not linked to you personally or any sensitive data (for example to your name or phone number) but to your local Firefox software installation. It is never shared with third-parties. Full public documentation about this data collection, including the identifier, can be found here.

 

When users choose to delete their telemetry, the Firefox browser will submit this identifier to Mozilla and we will then delete data on our servers associated with this ID.”

Specifically, when you request your telemetry data be deleted from Mozilla’s servers, you do so by sending a “deletion-request” ping which by virtue of how internet pings work, includes a timestamp, your IP address and your unique client ID – as confirmed by Mozilla. That is all the information that’s needed to tie your telemetry data back to your specific browser instance.


Mozilla confirmed to Privacy Online News that all this data is stored, but they don’t seem to consider it a privacy issue because they are stored separately. A Mozilla spokesperson explained how the IP address of all telemetry pings, not just the deletion-request ping, is stored:

 

“Mozilla does initially receive the IP as part of telemetry technical data. The IP is then stripped from the telemetry data set and moved to an environment with restricted access for security and error review purposes only. By moving the IP address into this restricted environment this de-identifies the collected telemetry data.”

Firefox stores your telemetry data in a way that can be tied back to you

While the fact that Firefox collects telemetry data may be well known to some security minded researchers, and even viewed as acceptable because of reasons such as “debugging,” it is quite the revelation that Mozilla actually maintains this data in a way that is matchable to an individual user’s IP address that is requesting said data be deleted.

 

Mozilla even tried to downplay the impact of their privacy decision, saying in their announcement:

 

“To date, the industry has not typically considered telemetry data “personal data” because it isn’t identifiable to a specific person, but we feel strongly that taking this step is the right one for people and the ecosystem.”

 

While it is arguable that telemetry data isn’t technically “personal data” when it is viewed on its own without other information; however, if there’s a way to link a given set of telemetry data to a particular Firefox browser instance and IP address – and Mozilla just revealed that there is – then that telemetry data all of a sudden becomes the most personal of data.

What does Firefox telemetry data include?

According to the Mozilla wiki, telemetry data includes all the information needed to answer the following questions:

 

  • How long does it take Firefox to start?
  • How long does it take Firefox to load a web page?
  • How much memory is Firefox consuming?
  • How frequently do the Firefox cycle collector and garbage collector run?
  • Was your session successfully restored when you last launched Firefox?

 

Reading into the questions, the technical pieces of data that Firefox needs to store to be able to answer these questions become apparent. Stay tuned to future posts from Privacy Online News that will dive into the Firefox codebase to showcase what constitutes telemetry data stored by Mozilla in association with your Firefox browser instance. For a preview, simply type about:telemetry into your Firefox browser. For Android and iOS versions of Firefox, parts of this telemetry data – and more – are also shared with a third party company called Leanplum.

What is Leanplum and why is it on Firefox for iOS and Android?

Firefox on the popular mobile operating systems iOS and Android has even larger privacy concerns beyond the telemetry data that is stored by Mozilla. Leanplum is a mobile advertising company that also receives your personal information, courtesy of Mozilla. According to Mozilla Firefox’s support website:

 

Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor, which has its own privacy policy. This data allows us to test different features and experiences, as well as provide customized messages and recommendations for improving your experience with Firefox.”

 

Mozilla sends information to Leanplum under the guise of testing different features. More information, also from Mozilla’s support team, gets into the specifics:

 

Leanplum tracks events such as when a user loads bookmarks, opens new tab, opens a pocket trending story, clears data, saves a password and login, takes a screenshot, downloads media, interacts with search URL or signs into a Firefox Account.”

 

The horror story continues:

 

“Leanplum receives data such as country, timezone, language/locale, operating system and app version.”

 

More specific information on what Leanplum collects from your mobile Firefox browser can be found from the Leanplum privacy policy, which Mozilla defers to in their own support text possibly because it’s so heinous:

 

“[…] we automatically collect certain information, which may include your browser’s Internet Protocol (IP) address, your browser type, the nature of the device from which you are visiting the Service (e.g., a personal computer or a mobile device), the identifier for any handheld or mobile device that you may be using, the Web site that you visited immediately prior to accessing any Web-based Service, the actions you take on our Service, and the content, features, and activities that you access and participate in on our Service. We also may collect information regarding your interaction with e-mail messages, such as whether you opened, clicked on, or forwarded a message.”

 

The opening up of a privacy option to allow all users (not just Californian users) to delete telemetry data reveals a deeper, darker truth: that the popular browser actually keeps track of telemetry data in a way that can be connected back to your specific browser instance and IP address. Revelations like these are exactly what should be occurring after proper privacy laws are written, passed, and enacted. Just with this revelation, arguably, the CCPA has already done so much more than the GDPR for internet privacy. Firefox is not the privacy conscious browser that it has been masquerading as. Not on the desktop, and certainly not on mobile.

 

About the Author  Caleb Chen is a digital currency and privacy advocate who believes we must #KeepOurNetFree, preferably through decentralization. Caleb holds a Master's in Digital Currency from the University of Nicosia as well as a Bachelor's from the University of Virginia. He feels that the world is moving towards a better tomorrow, bit by bit by Bitcoin.

 

Interesting discussion about this article at Hacker News  here

 

Side Note : make sure to disable their telemetry if you dont want to be spied on if you use Firefox

 

Source

 

 

  • Like 1
  • Thanks 2
Link to comment
Share on other sites

Quote

Side Note : make sure to disable their telemetry if you dont want to be spied on if you use Firefox

Ok, how can users disable the whole telemetry?

Link to comment
Share on other sites

Yep, did that but there are a lot of telemetry entries in about:config too.

Wondering if the settings are kept when updating.

At some point it becomes difficult to trust 'open browsers'.

Link to comment
Share on other sites

17 minutes ago, mp68terr said:

Yep, did that but there are a lot of telemetry entries in about:config too.

Wondering if the settings are kept when updating.

At some point it becomes difficult to trust 'open browsers'.

If you want to get tinfoil hat about it  On Linux  use   autohosts  It  Blocks Firefox telemetry, Google snooping and web trackers at the root.  On Windows use Windows 10 Firewall control it blocks  Firefox and others  telemetry too .   If you cant trust open browsers you sure cant trust closed ones  because they  all collect telemetry,  Closed ones have no way to turn  it off . If you opt out and they hand over your data you can sue  them  for giving you false sense of  privacy so thats good enough. Even OP says you turn it off and thats how you do it. Or just use Waterfox  they remove all that data collecting crap from Mozilla.

Edited by steven36
Link to comment
Share on other sites

28 minutes ago, mp68terr said:

Yep, did that but there are a lot of telemetry entries in about:config too.

Do you have any recommendations on which specific settings to change and what to change them to in the about:config page? Thanks

Edited by randomjester
Link to comment
Share on other sites

1 hour ago, randomjester said:

Do you have any recommendations on which specific settings to change and what to change them to in the about:config page? Thanks

As written elsewhere I used the user script file from there https://github.com/pyllyukko/user.js and customized it to my needs/thoughts. In point of fact in palemoon, not in FF itself.

  • Like 1
Link to comment
Share on other sites

(user.js) file is 3 years old, since updated..Quite a few updates to firefox since then. Might be adding unecessary additions to firefox

Link to comment
Share on other sites

19 hours ago, steven36 said:

use Waterfox 

 

34 minutes ago, mp68terr said:

Latest commit Nov 29, 2019 

 

 

Quote

In addition to that, Cliqz gives you full control over your data. Cliqz does not store personal data, everything stays on your device and under your control.

https://cliqz.com/

Link to comment
Share on other sites

They 4 problems   with Firefox were they give you  a false sense of privacy

 

Mozilla clams  they  put people over profit in everything they say, build and do.

 

1. However, with their decision to make Cloudflare the default DNS provider for DNS over HTTPS, they are definitely not supporting user privacy or putting people over profit.

DNS over HTTPS is by itself bad enough, and highly criticized with good reason, but by combining it with a company like Cloudflare makes it even worse.

Cloudflare has made an agreement with Mozilla that when it acts as a DNS resolver for Firefox, that:

  • DNS requests will be stored as part of Cloudflare's "temporary" logs which are permanently deleted within 24 hours.
  • Cloudflare will also collect and store the following information as part of its permanent logs:
    • Total number of requests processed by each Cloudflare co-location facility.
    • Aggregate list of all domain names requested.
    • Samples of domain names queried along with the times of such queries.
  • Information stored in Cloudflare's permanent logs will be anonymized and may be held indefinitely by Cloudflare for its own internal research and development purposes.

Anyone who has worked with DNS servers knows what goes into such logs and in order for Cloudflare to keep their promise, they need to: Delete the DNS requests information, but at the same time somehow still contain "anonymized" logs of the total number of requests, a list of all domain names requested, a so-called "sample" of complete DNS queries along with date and time.

 

This means that even if Cloudflare could be trusted and they have the best of intentions, they will still log everything the first 24 hours. If Cloudflare is ever compromised, all these logs could be copied and distributed over a period of time.

 

Furthermore, the actual wording of the agreement is such that the technical procedure for how they actually do this can only be guessed at. How do they plan to anonymize the data? Is the "sample" 99.9% of all the queries, or is it 1%?

 

Last, but not least, Cloudflare is an American company subject to American law, a law that pretty much undermines the foundation of any kind of privacy.

Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;

Security and privacy means no data retention and no logging. Period!

 

2. Firefox in itself has long been submitting data to the Mozilla foundation via its "Data Collection and Use" gathering. Even though this data is "technical and interaction data", the data collection is opt-out, meaning that you have to remember to disable it rather than enable it. This also means that the very first time you start up Firefox, it may already have connected to the Mozilla foundation before you can disable the data collection.

 

If you forget to disable the data collection and later disable it, you'll get the following information from Firefox:

You’re no longer allowing Mozilla to capture technical and interaction data. All past data will be deleted within 30 days.

There was  no option in the browser to delete the last 30 days of data gathering.

 

That is why when Snowden blew the whistle and revealed that we were all being watched, he didn't recommend Firefox, he suggested the Tor browser instead.

 

Mozilla recently announced that they would be allowing any Firefox user a means to request Mozilla to delete stored telemetry data that is tied to said user. Mozilla maintains “strict limits” on how long they store this logged telemetry data, but any duration is too long if the telemetry data can be associated with an individual Firefox browser instance on a particular IP address through a government request. The change by Mozilla comes as a result of the California Consumer Privacy Act (CCPA),

 

The opening up of a privacy option to allow all users (not just Californian users) to delete telemetry data reveals a deeper, darker truth: that the popular browser actually keeps track of telemetry data in a way that can be connected back to your specific browser instance and IP address.

 

3. Mozilla should be ashamed! They are promoting Firefox as a product to support user privacy, yet at the same time they make Google the default search engine.

 

4. Google Safe Browsing  is used and  is on by default . it tracks users across  the web and censors the web with a blacklist . Websites carrying ads that are infected might be blacklisted by Google Safe Browsing even when the website itself has no malware. To request removal from the blacklist requires a webmaster to create a Google Webmaster's Tool account which can take several days to be removed. The process is proprietary and not publicly documented.  

-------------------------------------------------------------------------------------------------------------------------------------

 

All this proprietary crap they use in the browser  to  make money shows they not the Privacy centric  browser they claim they are .  Even though all this stuff can be removed  , disabled   ,or changed.

 

1. Dns or https  can be changed to a non logging provider or disabled , still it's better than the Chrome way of doing it.

2. You can disable Firefox telemetry in the settings still better than most proprietary browsers.

3. You can remove Google Search  or change your search default  to another  one.

4 . Google Safe Browsing can be turned off  Most on-demand anti malware  programs ship with web protection modules nowadays. Also  addons like UBO  have Anti-malware filters ive not use the one by  Google since 2011 i turn it off in all my browsers. 

5. No browser is prefect the smaller forks  have better Privacy .I dont really think there  is any big corporation that is great  for privacy because they say one thing but do the other.

Edited by steven36
Link to comment
Share on other sites

9 hours ago, plb4333 said:

(user.js) file is 3 years old, since updated..Quite a few updates to firefox since then. Might be adding unecessary additions to firefox

Here is a better way to do it  anyway Just tells you how to disable it all yourself

https://chefkochblog.wordpress.com/2018/01/08/disable-all-telemetry-and-data-collection-in-mozilla-firefox-quantum/

 

There are caveats from using js files in Firefox . because   they way too strict both pyllyukko and Ghacks so  it requires  a lot of editing  so it dont break your browser , lots of not needed entries  no way id use something that harsh in my browser .

Edited by steven36
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...