Package manager installations are normally built from source by the distribution maintainers, not downloaded as binaries from the Mozilla website. So they wouldn't have any "download identifier", unique or not, in them.
Which is what 95% of users would do though.. the average user will use Windows or Mac and has never heard of Chocolatey. Firefox is not in the Mac app store and I guess not on Windows either.
Correct and it's just one of many reasons why checksums and signatures are so important in package managers. There's an automatic enforcement of privacy and integrity.
Looks like Chocolatey gets the binary from download.mozilla.org [1], while WinGet gets it from download-installer.cdn.mozilla.net [2] (which looks to be the HTTPS repository mentioned in the article, thus being exempt from tracking?)
This is the difference between a distribution and a simple package manager. Linux distributions have a more holistic approach to this and enforce it with checksums, signatures, reproducible builds, etc. A package manager really only cares about managing the packages installation, dependencies, etc. Not the integrity of the packages themselves.
It doesn’t look to me like the tracking stuff is on the HTTPS repo links, so they’re probably telling the truth about that. They also ship a version in the Microsoft Store, that should be safe too (I don’t think Microsoft shares user identities for free apps with the developers, maybe I’m wrong?)
Is the current Mozilla CEO a plant by Google with the goal of driving Mozilla into the ground as much as possible? I don't understand how they can keep fucking up their business so badly.
Even if you do 'install' and 'first run' tracking without the unique identifier you need to have consent for EU citizens before sending the tracking request to Mozilla. As the IP is transmitted you would already be sending what the regulations call 'personal data'.
The ID is just additional data that would probably be classified as PD (personal data) as well.
So even basic install tracking is a no go. I also just don't understand why this would be necessary. This wasn't the case for software for how many decades? It didn't necessarily transmit such information. If it was commercial you probably had something like license server stuff in the later days (before just a number that was checked for validation).
It probably became a thing when the mobile phone with app model rose. There the vendors (mostly Apple/Google) knew the downloads from the app stores and marketing wanted more. Especially when the pushed advertisements for apps.
So companies like Adjust rose to fame for tracking ad clicks to installs, first run and usage stats.
This probably led to others thinking it to be a great idea for general software as well.
I love this comment. It feels like it gets at the heart of a frustration that is otherwise difficult to articulate. I have passed it around to all those I know (with credit) in the hope that it helps them, too, at least name what they are facing as they struggle through bureaucratic morasses.
I hate WebKit and Blink's domination as much as anyone, but rather than put up a strong fight, Firefox is begging to lose.
And unfortunately, I can't help but admit that Firefox deserves to lose (not just from this, but from other terrible decisions added up), even if the consequences of a web monoculture are terrible.
How much of the drama of the last three years can be laid squarely at the feet of the CEO who gave themselves a raise right when they laid off the MDN staff?
Firefox users who prefer to download the browser without the unique identifier may do so in the following two ways:
Download the Firefox installer from Mozilla's HTTPS repository (formerly the FTP repository).
Download Firefox from third-party download sites that host the installer, e.g., from Softonic.
It's nuts and another indication Mozilla doesn't understand the reason they exist, but it's not that hard to get around... if you're one of the 0.1% that hears about this.
Use a reputable Linux distro and install from the official repos, problem solved. To date the Debian maintainers have proven more trustworthy than 99.99% of the software vendors out there. They also appear to have better security practices than most commercial shops.
Debian has a deliberate policy of extensively modifying upstream code, including security-critical code, without any dedicated security review. This (predictably) resulted in quite possibly the worst general-purpose software security bug of all time, where SSH and TLS keys generated on Debian machines were effectively blank and supposedly encrypted communications were readable by anyone. Debian has not changed its practices to prevent a reoccurrence and continues to follow the same policy.
I agree that most Debian maintainers are trustworthy and have good intentions, but I would not consider them as having good security practices.
That particular outstandingly bad security bug, once. (There are other cases of bugs in Debian that aren't present in upstream - in particular, Debian packagers introduced enough bugs in cdrecord that the maintainer made future versions non-open-source as he felt that these bugs that were not his fault were hurting his reputation - but I don't have any stats, and I don't feel that the rate of bugs in Debian is particularly high compared to other projects if we set aside the security-specific aspects).
Regarding time to fix it, the bug was fixed about 2 weeks after it was reported, but it had been present for about 20 months (affecting all DSA keys generated on Debian systems during that time) - since security audits and researchers only look at the original upstream source, the bug was only spotted when a user noticed that two of the servers they were logging into had the same SSH key.
These builds still have distribution-specific in-built API keys for some of the built-in services such as Google Safebrowsing, Google Location Services and Mozilla Location Services. See [1], [2], [3], [4], [5] and [6] for details and examples.
Additionally, upon first launch of Firefox, a unique client identifier is created, and this is sent to Mozilla by default probably before you get a chance to disable telemetry features within the preferences dialogs. See [2], [7], [8] and [9].
As these privacy impacting features are enabled by default, before first launch of Firefox on Linux, you should disable these third party and telemetry features and also lock down other security and privacy settings. See [10] and [11] for the method of doing so, and an example user.js that contains decent documentation on well over a 100+ recommended configuration changes to make Firefox more respectful of privacy and security. If you don't reconfigure a user.js before first launch, at least the "New Profile" event will be notified to Mozilla with the unique client ID after a delay of only 30 minutes from creation of the first Firefox profile[9] (first launch).
As of testing 2 minutes ago, downloading from the canonical "latest" location [1] vs. navigating the directory structure of the mentioned repository[2] result in identical files, which (assuming the above info is correct) means my scripted ffox upgrades have omitted the unique id, I guess?
> So forget user agent/screen resolution/OS masking and other marketing talk used by browsers - this was maybe a thing 15 years ago, if ever. This does not protect you against sophisticated fingerprinters on the web.
> The only efficient protection against fingerprinting is what Orion is doing - preventing fingerprinter from running in the first place. Orion is the only browser on the market that comes with full first party and third party ad and tracking script blocker, built in by default, making sure invasive fingerprinters never run on the page.
Well, Firefox' tracking is usually meant for determining things like where did the installer came from and collecting feature usage data, while Google's is all about building marketing profiles to sell targeted ads. You decide how bad each of them is.
Like, people can’t see the difference between “telemetry” done by supermarkets by counting an approximate number of visitors vs the full-on knowing your childhood best-friends’ secret crush on you. There is eons of difference between the two.
How much R&D do you think Firefox squandered on making a custom installer generator for every download and being unable to cache the files on a cheap CDN?
Not much? I did exactly this when I worked on a really popular P2P file sharing client (at one point estimated to be installed on >15% of all PCs worldwide). It even improved our actual installs, but that is probably about just using an ultralight weight installer rather than having a tracking ID integrated into it. It literally took me a week. Granted, things were really fast and loose back then. It would probably take me 2 years and a team of engineers to do a similar thing at my current FANG job.
They seem to be trying to gather a lot of telemetry to measure how they can boost popularity of Firefox. I wonder did they tried to measure how the measurement itself influences popularity? Social measurements are like quantum ones, they change reality.
There was a funny story of a Hawthorn Experiment[1], which tried to find ways to boost productivity but at the end managed to state just that the very attempt to conduct an experiment boosts productivity. It seems to me that with Mozilla the effect has a opposite sign and any attempt to measure decreases the target variables of decision making. And therefore they need to find ways to measure "non-invasively", not to measure every little thing they can measure.
Well they've spent a decade trying the "be more like Chrome" method. I suggest they try the "be more like Firefox from when Firefox was successful" method.
Firefox was successful when it was the alternative, better, option to the dominant Internet Explorer. Now the dominant browser is Chrom(e|ium). The two scenarios are very different.
Precisely. Firefox is never going to defeat Chrome in the "being Chrome" category. If it wants to exist as more than a tool for Google to avoid antitrust lawsuits, it can't keep playing that game. It has to differentiate. Privacy is not differentiation because it's invisible and HN commentators are 90% of the people who care about it. I want the sense of power back. I want the feeling that Firefox gave me a decade ago that my browser behaved exactly the way I wanted it to and nothing about it ticked me off because if I didn't like it I could just change it.
Nowadays using Firefox feels more like holding a political demonstration in an empty room than using the finely-tuned instrument I once had.
> Nowadays using Firefox feels more like holding a political demonstration in an empty room than using the finely-tuned instrument I once had.
I can't think of better words to describe my feeling as a Firefox holdout. It's still my default browser, and the one I use for 97% of my work. Mozilla is breaking my heart with their floundering. Like a fantasy author who keeps getting mired in side quests and can never get back to the main plot.
Stop with the goofy marketing tie ins, the hostile telemetry choices, the side products like Pocket and VPN, and just make a fucking browser that doesn't attempt to hide complexity from the user. Focus on that, do yearly fundraising like Wikipedia does, and be content.
It can't be worse for growth than their current strategy of burning the house down, which for some reason does not prevent them from justifying millions a year in C-level salaries.
Hah, yeah, I've seen that page before. It's not ideal. I'd still take it over their current funding strategy of "don't piss off Google."
Or maybe I should find a better example. But one thing about Wikipedia is that it appears to be much the same as it was 10 years ago and more. Wikipedia hasn't started introducing Wiki VPN, nor has it partnered with Mr. Robot to temporarily insert marketing stuff into articles.
To the extent that Wikimedia has graft and vanity projects, they're not ruining the core "product".
So... I guess yeah, just like Wikipedia, as in "Look, even with donations you can spend a crapton of money. Maybe not $500mm a year, but still enough to support development of an open source software product."
Indeed.. For me the only reason I still really use it is because the other options are even worse. I definitely won't use Chrome. And Microsoft is pushing edge so hard it annoys me (both at work politically, and by pushing it everywhere in Windows)
Also, Firefox is the only browser I know that has end to end encrypted sync. Google and Microsoft enjoy snooping around in your bookmarks (great to determine marketing interests) too much to ever offer this. You can even self host it.
Also it still has a few power user features left over like container tabs. Though they've relegated it to a plug-in now.
I too want my power back. I want my user agent back. I especially want total inalienable power over the websites I'm browsing. The kind of power I'd have if I were to write a custom client for each website: the power to freely script, copy, save, edit, block and delete, whether the site's owner wants it or not.
> Privacy is not differentiation because it's invisible
Privacy could be a differentiation if Mozilla did not show again and again that they don't actually care about your privacy. It might not be enough, but currently they don't even have that.
That seems like a very harsh interpretation. Very few people will care whether their specific download is tracked. I do honestly wonder how that adds vakuento Mozilla, but no one will not use Firefox due to this- especially as every single alternative is much worse than Firefox on such metrics.
If they really thought that 'very few people' would care about it ... why then didn't they 'the privacy browser' reveal this 'feature' when it was rolled out?
'Low-level skulduggery' is the nicest description I can muster (noone wants to hear what I really think).... Now (with telemetry 'turned off' each time before took it online) I have to wonder what else is 'protecting' me....
I think the physical analogy you're thinking about is "the observer effect"[1]. And it's actually a pretty much universal problem in physics, not just quantum mechanics.
Maybe they just kind of forgot how to make good software and now desperately try to recreate that magic using loads of metrics and social experiments leading to loads of competing interpretations and infighting.
There are nothing wrong with laying a scientific basis under your anecdotal experience, to get an ability to reproduce your successes. But it must be done by using the best possible scientific methods and by great minds, just a statistics wouldn't do it magically.
My (probably wrong) opinion, is that they hired data scientists who knows nothing about social science's research and these statisticians are trying to substitute research with data gathering and statistics. If something doesn't work, then instead of refining their research techniques they gather more data. They had hit the ceiling of this paradigm but they do not know it.
There are other options beyond data. For example you can find representatives of different categories of users and research their use of your software (or software you compete with). You need not have millions of representatives, a dozen would be enough for the most practical purposes, just pick them carefully so they will be the most diverse set of representatives. Or you can even have no real representatives, you can imagine them. It is a real technique of UX professionals, I heard of it in a talk at some conference from people who are professionally using it. If it doesn't seem rigorous enough, one could dig into Judea Pearl and to make a formal quantitative model out of it. One can even measure differences between this quantitative model and the reality, and it wouldn't necessarily lead to an annoying telemetry.
I will not be surprised if there are techniques I never heard of that can compete with a statistical data processing: I'm not an UX specialist, I just was curious about it at some point, because it lays on a boundaries of two interests of mine -- psychology research and software development. But Mozilla seem unaware of them all. They gather data instead.
> They seem to be trying to gather a lot of telemetry to measure how they can boost popularity of Firefox.
This might sound like a crazy idea, but they could always try listening to users! Everytime I get annoyed by something in Firefox and try to find a fix for it, I find a lot of people with the same issue across HN, Reddit, the Mozilla forums, etc. There is rarely any sign that a decision maker from Mozilla cares one bit. But rather than listening to the many vocal complaints, suggestions, and other copious public feedback... they add a unique download identifier. Ok then.
I really, really hope that Mozilla gets new management before it's too late (if it's not already).
yeah the pay of the higher ups does not seem to be tied to success of the browser or the relationship they have with their users; endlessly depressing TBH
I have observed this as well, and not just with Mozilla.
It is so easy to just ignore feedback because it's difficult to parse, just set up some automated telemetry and focus on nothing but that. Removing the human element here is a big optimization in the cycle of receiving feedback, and it's also critically damaging to the effectiveness of decisions made based on that feedback cycle...
I don't know how to claw back a company like Mozilla that has strayed this far. Perhaps the political culls they had are responsible for the breakdown in decision making competence. Perhaps they've just gotten too big. Either way they aren't serving the original market of firefox, and if they continue straying this way the only option is a unified effort by the community to create a true competitor, likely starting as a fork. Maybe one of the forks that exist now can launch themselves successfully into prominence with proper funding and achieve independence from the Mozilla branch.
> Our sacred cow was excellent US-based phone support. That is quite expensive. If there were bugs in our product, users would call in, and our call center costs would increase because we'd have to have more people working. So every week in our team meeting, we would look at summaries of calls, and take on engineering work to address the most common class of problems. That let us scale up the business and still provide friendly and competent phone support, because we were reducing the problems that people called in about.
> Because we had that "sacred cow", every obscure bug that we spent months fixing not only made the product better and were intellectually stimulating to finally figure out, but had a concrete impact on how costly it was to deliver the service.
> What most companies would do here to reduce costs is simple. Don't fix DERP bugs, just charge for it. Don't fix "black screen" bugs, just hide the phone number on your website so people can't figure out to call.
I have worked with enough "data scientists" and see enough telemetry to believe it is all smoke and mirrors and bullshit.
Managers, product owners enjoy making pretty looking graphs out of them and with enough creative accounting they can make any data to fit their narrative.
If a product is in trouble and they think the telemetry will help, then it is time to looking for a new job
> This will allow us to track which installs result from which downloads to determine the answers to questions like, "Why do we see so many installs per day, but not that many downloads per day?"
What value does Mozilla see in being able to do that?
The prevailing belief in the industry is that any problem can be solved with more data, dumpster-grade[1] though it may be. It's appealing to think that it can be used in lieu of just making thoughtful decisions.
I have no idea what the actual answer is, but one can image that they want to understand where are people getting these copies of ff if they do not download them themselves.
Why would this be important, again just speculating: to try to leverage whatever channel this might uncover to distribute even more copies of the browser.
Is this ID thing the best way to do it, though? Probably.
> but one can image that they want to understand where are people getting these copies of ff if they do not download them themselves.
These people are getting it obviously from their admins! (Like myself. I push Firefox updates to close to 1000 PCs. I thought (amongst other things) I'm doing them a favour by saving them traffic.) They obviously know that! The real reason they are doing this is simply because they started collecting data. Now they are hooked and constantly want more. That is all there is to it. They already identify each individual installation, so someone on the team said: Let's identify each download too.
> These people are getting it obviously from their admins!
That's one possibility. And even if you pretend it's the only one, it's still interesting how that's distributed. Is it X admins of 1000-PC orgs, or X*500 people who also install it on dads PC? Count how often each token is used, and you got a histogram, and if you just record that you've not collected anything remotely sensitive about any user. This question can be answered extremely cleanly.
I'm an admin of Y orgs + a hand full of private (dad) PCs. The information is useless. They collect it because they can. (Well technically I also push a installation profile that deactivates all known telemetry. So hopefully they get nothing.)
> This question can be answered extremely cleanly.
I pushed it to tens of thousands of endpoints in the past :P
Though we have long since moved it to optional. First we moved to Chrome as the "standard browser" due to user requests and eventually our management caved in to Microsoft's constant pushing to make Edge the standard browser. Not that I cared because both are bad for privacy obviously.
But the amount of lobbying for edge that they do makes me really sceptical. It's clearly not about having their pet project succeed, they must have some serious strategy hinging on this. Edge doesn't make them any money on its own as it's a free product so the revenue must come from side channels of its use instead.
Which, considering MS' past with IE and their recent ventures into tracking and advertising in the OS is probably bad news for the end user :(
Does this even help with that though? Without some further means of identifying users, what use is there in saying download#123 got installed x times? Even if you add the obvious IP information to this, then what? Run GeoIP and say "oh, interesting" when they do or do not correlate?
What could they realistically figure out from this that could help them figure out how people are getting Firefox?
the reverse case might be more interesting. Many downloads but few install follow throughs may suggest the installation process is to cumbersome or something along those lines.
That's an easy one, of course. By identifying a "commonly-used installer" (say, some installer stored by some IT team) you could then do things like say with more certainty "no, we do need older installers to keep working". Or reach out to mirrors that have decided to stop updating installers.
From an Ops perspective, having an idea of how your install base is installing your browser can have a lot of implications. And not having the information could easily lead you to accidentally breaking installations for large subsets of your users.
There's also content-market-y stuff involved, of course.
Remember what happened when Firefox OS died? It was forked into KaiOS, which has become a superior product that actually found a market.
I will not mourn the death of Mozilla. When it collapses, may it be forked and turn into something decent by more competent leaders who don't give themselves multimillion dollar salaries and make pointless acquisitions.
>One note, in case it's not already clear: The download token will be available in the telemetry environment, but all web session data that it is linked to will NOT ever be included in telemetry, it is being deliberately kept in a separate data set, and we will be limiting access to the ability to join these data sets to a small set of people.
This is very alarming. If web session data will never be included in telemetry, why do some people have to ability to query joins? That means it can happen. Why does this small set of people need to access my web session data?
I don't use Firefox regularly, but I have it installed on my computers. I think I'm going to uninstall it completely. This stuff has become more and more common, and is totally unacceptable.
This is an example of where openness — which Mozilla used to excel at — would have helped.
If there was a detailed rationale considering the potential privacy impact of this change, publicly available, then we'd be able to see that Mozilla did indeed thoughtfully weigh up the consequences of doing this.
We may disagree with the decision, but at least we'd be able to see the set of underlying assumptions and point to which one we think is wrong, and perhaps provide evidence to show it's mistaken — constructive feedback.
But as it is, we just have an opaque assertion that “this is fine”.
The entirety of the US government most likely, any hacker that manages to get onto Mozillas servers, every spy agency worth its money, if its choice of research partners has something to say everyone at Meta. So in total maybe a bit bellow a million people. So really just a handful of trusted people.
In fact this is how you get past SmartScreen checks. Windows freaks out a lot more when it sees the same file being downloaded by lots of people, but if you make them all different, then it calms down.
IMO as market optimization turns the screws ever harder, the escape hatch is to head towards source distributions. Outrage articles are only necessary because people have come to rely on these monolithic binary downloads with their "channels" and "installers" and "auto updaters", that are gatekept by centralized entities like Mozilla. Whereas if say the source tarball used by Nix is engaging in similar shenanigans, that is fixable with a self-applied patch rather than needing to convince Mozilla to change.
Imagine you could stick a camera over your users' shoulders, mostly without them knowing you're doing it, instead of doing actual user research.
That's what the stuff's for. Some of the tools for these things record entire sessions, including mouse movements. It's creepy as hell and even the tamest of "telemetry" 100% would have gotten something classed, unambiguously, as spyware, in the distant past of ~15-20 years ago.
Considering that ~everyone was tracking device or installation IDs before Apple cracked down on it, on iOS, I think it's a safe bet that ~everyone is still doing it on desktop, and yeah, generating at install time is probably enough for most use cases and makes your build and distribution processes simpler.
The way firefox does it can connect the downloading session with the running session. You can argue with the value or validity of that, but it seems like the chrome installer cant do that, which is nice.
As for why it's in the article I think it's valuable to include it since if chrome was doing it too it might be seen as just "normal", but now it seems even more weird that firefox which is supposed to be the privacy alternative is tracking something that google is not.
>OK, however, are we completely sure that Chrome installer doesn't generate this token on launch and talk with the mothership?
That wouldn't give any information about where/when you got the installer from, which is the topic of this article. Doing so would be impossible without embedding information in the exe (which would change the hash).
While I agree that it's a little weird to specifically note it for Google of all companies, the relevance to the article is that Chrome isn't engaging in this specific type of tracking.
Of which there are (supposedly) only 2^13 possible variants:
>Additionally, a subset of low entropy variations are included in network requests sent to Google. The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value (see above). These are transmitted using the "X-Client-Data" HTTP header, which contains a list of active variations. On Android, this header may include a limited set of external server-side experiments, which may affect the Chrome installation. This header is used to evaluate the effect on Google servers - for example, a networking change may affect YouTube video load speed or an Omnibox ranking update may result in more helpful Google Search results.
This wouldn't be so bad if it wasn't that the entire brand identity of Firefox is Privacy.
It's like discovering there's ham in a vegetarian sandwich. When you ask them they look puzzled and say their focus group was clear it tastes a lot better that way, besides it's just a little bit and the bread is vegetarian and there's way more meat in a Big Mac.
This also wouldn't be so bad if people were capable of nuance instead of acting as if everything involving data were the same thing. I won't claim Mozilla is in any way perfect, but even as someone who is very much pro-privacy it is a little bit ridiculous how much people loose their shit about tiny things like this and claim there is no difference to what other trackers do.
If you position your product as being about privacy, your company about being about privacy, and talk about the importance of online privacy whenever you get any sort of opportunity, then it looks extremely bad if you can't refrain from spying on your users. I don't really think there is any way around this fact.
If this type of telemetry is necessary for Mozilla to develop software, then perhaps they shouldn't be talking so much about privacy, because as it stands, they're not walking the talk, that's what ultimately looks bad. The telemetry is incidental. Nobody is railing against Microsoft for doing the same thing because they're not constantly seen preaching about how bad it is.
> do you seriously consider counting how many installs are triggered from a download "spying"?
Yes. It is a unique identifier that they are fully capable of associating with telemetry data and other personal activity. It could be used by various parties to deanonymize me. That is spying. You are playing dishonest semantic games.
Effective privacy may well be complicated. Perhaps you can maintain effective privacy in various ways even while being actively spied on in some manners. That doesn't mean that spying isn't spying.
There is a very large difference between "X is spying on Y" and "X could spy on Y if they started to record and correlate things". And even "I don't trust them not to" is not the same as "they are". A lot about privacy involves not looking at things you could look at.
E.g. picking the example mentioned repeatedly in this discussion: Network transfers annoyingly involve IP addresses. That doesn't mean every server you talk to is spying on you, and there is wide a range from "doesn't record anything", over "keeps a log of errors for 5 days that's only used for debugging", over "looks in GeoIP database and counts visitors per country", to "immediately connects your IP to your user profile and shares that data packet with 50 ad networks". I have a hard time calling the first three "spying", it starts IMHO somewhere after that. And annoyingly, telling the difference comes down to trust at some point.
Or even simpler, I could trivially spy on my neighbors with what reaches my apartment. I don't though.
They don't need to hook an IP to a tracking code for this sort of testing?
From what they've said it's very basic information they're looking to collect. "This installer was downloaded on X date. The installer was then used and run on X date." sort of thing.
No IP is needed to check anything regarding that.
Attaching an IP in the process somewhere for tracking would only be needed if you were checking things on a deeper level. For example, where a user might download the installer but is downloading and sending it to someone else, where it gets installed on a different IP/system.
479 comments
[ 4.0 ms ] story [ 304 ms ] threadhttps://www.microsoft.com/en-us/p/mozilla-firefox-browser/9n...
Looks like Chocolatey gets the binary from download.mozilla.org [1], while WinGet gets it from download-installer.cdn.mozilla.net [2] (which looks to be the HTTPS repository mentioned in the article, thus being exempt from tracking?)
[1] https://community.chocolatey.org/packages/Firefox#files
[2] https://github.com/microsoft/winget-pkgs/blob/master/manifes...
It doesn’t look to me like the tracking stuff is on the HTTPS repo links, so they’re probably telling the truth about that. They also ship a version in the Microsoft Store, that should be safe too (I don’t think Microsoft shares user identities for free apps with the developers, maybe I’m wrong?)
It's not like they are having tracking JavaScript on 80% of the worlds Web sites like someone else I know, starting with Googl...
At the most basic level, you can get this by doing a count over http logs.
It could be obtained through other data that doesn't need to track the individual install.
I forget if Firefox has a 'welcome' page that it shows on first launch, but it could serve as the count of number of installs.
I believe Firefox also has an auto update system, so that too could serve as an Active Users count.
Lots of ways that you can derive this data without needing to track individual download to installation.
The ID is just additional data that would probably be classified as PD (personal data) as well.
So even basic install tracking is a no go. I also just don't understand why this would be necessary. This wasn't the case for software for how many decades? It didn't necessarily transmit such information. If it was commercial you probably had something like license server stuff in the later days (before just a number that was checked for validation).
It probably became a thing when the mobile phone with app model rose. There the vendors (mostly Apple/Google) knew the downloads from the app stores and marketing wanted more. Especially when the pushed advertisements for apps.
So companies like Adjust rose to fame for tracking ad clicks to installs, first run and usage stats.
This probably led to others thinking it to be a great idea for general software as well.
And unfortunately, I can't help but admit that Firefox deserves to lose (not just from this, but from other terrible decisions added up), even if the consequences of a web monoculture are terrible.
I agree that most Debian maintainers are trustworthy and have good intentions, but I would not consider them as having good security practices.
Because "few" and "not much" would be fantastic.
Nothing is perfect.
Regarding time to fix it, the bug was fixed about 2 weeks after it was reported, but it had been present for about 20 months (affecting all DSA keys generated on Debian systems during that time) - since security audits and researchers only look at the original upstream source, the bug was only spotted when a user noticed that two of the servers they were logging into had the same SSH key.
Additionally, upon first launch of Firefox, a unique client identifier is created, and this is sent to Mozilla by default probably before you get a chance to disable telemetry features within the preferences dialogs. See [2], [7], [8] and [9].
As these privacy impacting features are enabled by default, before first launch of Firefox on Linux, you should disable these third party and telemetry features and also lock down other security and privacy settings. See [10] and [11] for the method of doing so, and an example user.js that contains decent documentation on well over a 100+ recommended configuration changes to make Firefox more respectful of privacy and security. If you don't reconfigure a user.js before first launch, at least the "New Profile" event will be notified to Mozilla with the unique client ID after a delay of only 30 minutes from creation of the first Firefox profile[9] (first launch).
[1] https://glandium.org/blog/?p=3923
[2] https://github.com/mozilla/gecko-dev/blob/HEAD/build/moz.con...
[3] resource://gre/modules/URLFormatter.jsm (use within Firefox URI bar)
[4] resource://gre/modules/AppConstants.jsm (use within Firefox URI bar)
[5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/fi...
[6] https://github.com/archlinux/svntogit-packages/blob/packages...
[7] resource://gre/modules/ClientID.jsm (use within Firefox URI bar)
[8] resource:///modules/BrowserUsageTelemetry.jsm (use within Firefox URI bar)
[9] https://github.com/mozilla/gecko-dev/blob/c3ec016fafa4cea6a0...
[10] https://kb.mozillazine.org/User.js_file
[11] https://github.com/arkenfox/user.js/
(In my case:)
1: https://download.mozilla.org/?product=firefox-latest-ssl&os=...
2: https://ftp.mozilla.org/pub/firefox/releases/98.0.1/linux-x8...
I invite everyone on a Mac to try and support Orion browser - zero telemetry by default.
This is embarrassing, by the way:
> So forget user agent/screen resolution/OS masking and other marketing talk used by browsers - this was maybe a thing 15 years ago, if ever. This does not protect you against sophisticated fingerprinters on the web.
> The only efficient protection against fingerprinting is what Orion is doing - preventing fingerprinter from running in the first place. Orion is the only browser on the market that comes with full first party and third party ad and tracking script blocker, built in by default, making sure invasive fingerprinters never run on the page.
I feel I did it many times so that it is clear. Also I used "I invite you..." phrase.
> This is embarrassing, by the way:
Care to explain why you think so?
Like, people can’t see the difference between “telemetry” done by supermarkets by counting an approximate number of visitors vs the full-on knowing your childhood best-friends’ secret crush on you. There is eons of difference between the two.
There was a funny story of a Hawthorn Experiment[1], which tried to find ways to boost productivity but at the end managed to state just that the very attempt to conduct an experiment boosts productivity. It seems to me that with Mozilla the effect has a opposite sign and any attempt to measure decreases the target variables of decision making. And therefore they need to find ways to measure "non-invasively", not to measure every little thing they can measure.
[1] https://en.wikipedia.org/wiki/Hawthorne_effect
Nowadays using Firefox feels more like holding a political demonstration in an empty room than using the finely-tuned instrument I once had.
I can't think of better words to describe my feeling as a Firefox holdout. It's still my default browser, and the one I use for 97% of my work. Mozilla is breaking my heart with their floundering. Like a fantasy author who keeps getting mired in side quests and can never get back to the main plot.
Stop with the goofy marketing tie ins, the hostile telemetry choices, the side products like Pocket and VPN, and just make a fucking browser that doesn't attempt to hide complexity from the user. Focus on that, do yearly fundraising like Wikipedia does, and be content.
Or maybe I should find a better example. But one thing about Wikipedia is that it appears to be much the same as it was 10 years ago and more. Wikipedia hasn't started introducing Wiki VPN, nor has it partnered with Mr. Robot to temporarily insert marketing stuff into articles.
To the extent that Wikimedia has graft and vanity projects, they're not ruining the core "product".
So... I guess yeah, just like Wikipedia, as in "Look, even with donations you can spend a crapton of money. Maybe not $500mm a year, but still enough to support development of an open source software product."
Also, Firefox is the only browser I know that has end to end encrypted sync. Google and Microsoft enjoy snooping around in your bookmarks (great to determine marketing interests) too much to ever offer this. You can even self host it.
Also it still has a few power user features left over like container tabs. Though they've relegated it to a plug-in now.
Privacy could be a differentiation if Mozilla did not show again and again that they don't actually care about your privacy. It might not be enough, but currently they don't even have that.
If only they would come to their senses..
'Low-level skulduggery' is the nicest description I can muster (noone wants to hear what I really think).... Now (with telemetry 'turned off' each time before took it online) I have to wonder what else is 'protecting' me....
[1]: https://en.wikipedia.org/wiki/Observer_effect_(physics)
My (probably wrong) opinion, is that they hired data scientists who knows nothing about social science's research and these statisticians are trying to substitute research with data gathering and statistics. If something doesn't work, then instead of refining their research techniques they gather more data. They had hit the ceiling of this paradigm but they do not know it.
There are other options beyond data. For example you can find representatives of different categories of users and research their use of your software (or software you compete with). You need not have millions of representatives, a dozen would be enough for the most practical purposes, just pick them carefully so they will be the most diverse set of representatives. Or you can even have no real representatives, you can imagine them. It is a real technique of UX professionals, I heard of it in a talk at some conference from people who are professionally using it. If it doesn't seem rigorous enough, one could dig into Judea Pearl and to make a formal quantitative model out of it. One can even measure differences between this quantitative model and the reality, and it wouldn't necessarily lead to an annoying telemetry.
I will not be surprised if there are techniques I never heard of that can compete with a statistical data processing: I'm not an UX specialist, I just was curious about it at some point, because it lays on a boundaries of two interests of mine -- psychology research and software development. But Mozilla seem unaware of them all. They gather data instead.
This might sound like a crazy idea, but they could always try listening to users! Everytime I get annoyed by something in Firefox and try to find a fix for it, I find a lot of people with the same issue across HN, Reddit, the Mozilla forums, etc. There is rarely any sign that a decision maker from Mozilla cares one bit. But rather than listening to the many vocal complaints, suggestions, and other copious public feedback... they add a unique download identifier. Ok then.
I really, really hope that Mozilla gets new management before it's too late (if it's not already).
It is so easy to just ignore feedback because it's difficult to parse, just set up some automated telemetry and focus on nothing but that. Removing the human element here is a big optimization in the cycle of receiving feedback, and it's also critically damaging to the effectiveness of decisions made based on that feedback cycle...
I don't know how to claw back a company like Mozilla that has strayed this far. Perhaps the political culls they had are responsible for the breakdown in decision making competence. Perhaps they've just gotten too big. Either way they aren't serving the original market of firefox, and if they continue straying this way the only option is a unified effort by the community to create a true competitor, likely starting as a fork. Maybe one of the forks that exist now can launch themselves successfully into prominence with proper funding and achieve independence from the Mozilla branch.
> Our sacred cow was excellent US-based phone support. That is quite expensive. If there were bugs in our product, users would call in, and our call center costs would increase because we'd have to have more people working. So every week in our team meeting, we would look at summaries of calls, and take on engineering work to address the most common class of problems. That let us scale up the business and still provide friendly and competent phone support, because we were reducing the problems that people called in about.
> Because we had that "sacred cow", every obscure bug that we spent months fixing not only made the product better and were intellectually stimulating to finally figure out, but had a concrete impact on how costly it was to deliver the service.
> What most companies would do here to reduce costs is simple. Don't fix DERP bugs, just charge for it. Don't fix "black screen" bugs, just hide the phone number on your website so people can't figure out to call.
Managers, product owners enjoy making pretty looking graphs out of them and with enough creative accounting they can make any data to fit their narrative.
If a product is in trouble and they think the telemetry will help, then it is time to looking for a new job
Seriously, does FireFox hate itself, or just hates it’s dwindling but loyal user base?
We used to use Firefox because they didn’t do shit like this.
I actually deleted Firefox after about 15 years of loyal use after the ‘Turning Red’ incident. Glad to hear I made the right call.
I’ve been using Safari and have no regrets.
Goodbye, Firefox. Good riddance, if this is how you’ll behave.
It’s sad to watch the dream of a mainstream open-source browser that wasn’t evil vanish.
We will need something else, but I don’t see huge potential adoption for anything.
It was hard enough to get people to swap browsers in the 00’s, it’s gonna be way harder with each platform pushing its own pre-installed browser.
What value does Mozilla see in being able to do that?
1. https://news.ycombinator.com/item?id=25016532
Why would this be important, again just speculating: to try to leverage whatever channel this might uncover to distribute even more copies of the browser.
Is this ID thing the best way to do it, though? Probably.
These people are getting it obviously from their admins! (Like myself. I push Firefox updates to close to 1000 PCs. I thought (amongst other things) I'm doing them a favour by saving them traffic.) They obviously know that! The real reason they are doing this is simply because they started collecting data. Now they are hooked and constantly want more. That is all there is to it. They already identify each individual installation, so someone on the team said: Let's identify each download too.
That's one possibility. And even if you pretend it's the only one, it's still interesting how that's distributed. Is it X admins of 1000-PC orgs, or X*500 people who also install it on dads PC? Count how often each token is used, and you got a histogram, and if you just record that you've not collected anything remotely sensitive about any user. This question can be answered extremely cleanly.
> This question can be answered extremely cleanly.
What was the question again?
Though we have long since moved it to optional. First we moved to Chrome as the "standard browser" due to user requests and eventually our management caved in to Microsoft's constant pushing to make Edge the standard browser. Not that I cared because both are bad for privacy obviously.
But the amount of lobbying for edge that they do makes me really sceptical. It's clearly not about having their pet project succeed, they must have some serious strategy hinging on this. Edge doesn't make them any money on its own as it's a free product so the revenue must come from side channels of its use instead.
Which, considering MS' past with IE and their recent ventures into tracking and advertising in the OS is probably bad news for the end user :(
What could they realistically figure out from this that could help them figure out how people are getting Firefox?
From an Ops perspective, having an idea of how your install base is installing your browser can have a lot of implications. And not having the information could easily lead you to accidentally breaking installations for large subsets of your users.
There's also content-market-y stuff involved, of course.
All it does is separate out two numbers: downloads and installs.
How does that tell you why someone is installing a specific download on a specific day?
I will not mourn the death of Mozilla. When it collapses, may it be forked and turn into something decent by more competent leaders who don't give themselves multimillion dollar salaries and make pointless acquisitions.
>One note, in case it's not already clear: The download token will be available in the telemetry environment, but all web session data that it is linked to will NOT ever be included in telemetry, it is being deliberately kept in a separate data set, and we will be limiting access to the ability to join these data sets to a small set of people.
Small set of people? Pls do tell me more
I don't use Firefox regularly, but I have it installed on my computers. I think I'm going to uninstall it completely. This stuff has become more and more common, and is totally unacceptable.
Great job there "Privacy"...
If there was a detailed rationale considering the potential privacy impact of this change, publicly available, then we'd be able to see that Mozilla did indeed thoughtfully weigh up the consequences of doing this.
We may disagree with the decision, but at least we'd be able to see the set of underlying assumptions and point to which one we think is wrong, and perhaps provide evidence to show it's mistaken — constructive feedback.
But as it is, we just have an opaque assertion that “this is fine”.
The entirety of the US government most likely, any hacker that manages to get onto Mozillas servers, every spy agency worth its money, if its choice of research partners has something to say everyone at Meta. So in total maybe a bit bellow a million people. So really just a handful of trusted people.
Smartscreen is bypassed by using EV sig, which gives the exe an instant reputation boost.
Would someone have documentation about which bytes we can modify in a code-signed .exe without making the digital signature invalid?
In the case it's not possible, does this mean Mozilla generates a new .exe on the fly + codesigns the .exe on the fly for each new download?
>> 9) If this data collection is default on, what is the opt-out mechanism for users?
>> Standard Telemetry Opt-Out
If you haven't installed it yet, how can you use the standard telemetry opt-out?
[1] https://bug1677497.bmoattachments.org/attachment.cgi?id=9195...
That's what the stuff's for. Some of the tools for these things record entire sessions, including mouse movements. It's creepy as hell and even the tamest of "telemetry" 100% would have gotten something classed, unambiguously, as spyware, in the distant past of ~15-20 years ago.
OK, however, are we completely sure that Chrome installer doesn't generate this token on launch and talk with the mothership?
This sounds like whitewashing Chrome just to increase the impact of the article or push Chrome or both.
Like Chrome is not tracking me in and out of the internet and in the kitchen making tea and noting its brand and reporting to Google.
As for why it's in the article I think it's valuable to include it since if chrome was doing it too it might be seen as just "normal", but now it seems even more weird that firefox which is supposed to be the privacy alternative is tracking something that google is not.
That wouldn't give any information about where/when you got the installer from, which is the topic of this article. Doing so would be impossible without embedding information in the exe (which would change the hash).
While I agree that it's a little weird to specifically note it for Google of all companies, the relevance to the article is that Chrome isn't engaging in this specific type of tracking.
>Additionally, a subset of low entropy variations are included in network requests sent to Google. The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value (see above). These are transmitted using the "X-Client-Data" HTTP header, which contains a list of active variations. On Android, this header may include a limited set of external server-side experiments, which may affect the Chrome installation. This header is used to evaluate the effect on Google servers - for example, a networking change may affect YouTube video load speed or an Omnibox ranking update may result in more helpful Google Search results.
https://www.google.com/chrome/privacy/whitepaper.html#variat...
I removed ghacks from my RSS reader years ago because that website tends to sensationalize these stories, and I can’t stand that.
It's like discovering there's ham in a vegetarian sandwich. When you ask them they look puzzled and say their focus group was clear it tastes a lot better that way, besides it's just a little bit and the bread is vegetarian and there's way more meat in a Big Mac.
If this type of telemetry is necessary for Mozilla to develop software, then perhaps they shouldn't be talking so much about privacy, because as it stands, they're not walking the talk, that's what ultimately looks bad. The telemetry is incidental. Nobody is railing against Microsoft for doing the same thing because they're not constantly seen preaching about how bad it is.
Yes. It is a unique identifier that they are fully capable of associating with telemetry data and other personal activity. It could be used by various parties to deanonymize me. That is spying. You are playing dishonest semantic games.
Effective privacy may well be complicated. Perhaps you can maintain effective privacy in various ways even while being actively spied on in some manners. That doesn't mean that spying isn't spying.
E.g. picking the example mentioned repeatedly in this discussion: Network transfers annoyingly involve IP addresses. That doesn't mean every server you talk to is spying on you, and there is wide a range from "doesn't record anything", over "keeps a log of errors for 5 days that's only used for debugging", over "looks in GeoIP database and counts visitors per country", to "immediately connects your IP to your user profile and shares that data packet with 50 ad networks". I have a hard time calling the first three "spying", it starts IMHO somewhere after that. And annoyingly, telling the difference comes down to trust at some point.
Or even simpler, I could trivially spy on my neighbors with what reaches my apartment. I don't though.
What are they hooking the download tracking code to if not IPs?
If you sign up for a Mozilla account, providing PII, are you saying they then throw away the link between the install and original download?
From what they've said it's very basic information they're looking to collect. "This installer was downloaded on X date. The installer was then used and run on X date." sort of thing.
No IP is needed to check anything regarding that.
Attaching an IP in the process somewhere for tracking would only be needed if you were checking things on a deeper level. For example, where a user might download the installer but is downloading and sending it to someone else, where it gets installed on a different IP/system.
As dry as German humor gets :)