The Firefox Browser is a privacy nightmare on desktop and mobile

Posted on Jan 24, 2020 by Caleb Chen
Mozilla Firefox browser

The Firefox Browser is not as private as you may think – especially on iOS and Android. Mozilla recently announced that they would be allowing any Firefox user a means to request Mozilla to delete stored telemetry data that is tied to said user. Mozilla maintains “strict limits” on how long they store this logged telemetry data, but any duration is too long if the telemetry data can be associated with an individual Firefox browser instance on a particular IP address through a government request. Sure, the collection of this telemetry data can be turned off, but the vast majority of Firefox users are not using Firefox with telemetry turned off, and are therefore incredibly vulnerable.

The change by Mozilla comes as a result of the California Consumer Privacy Act (CCPA), a state law which came into effect at the turn of the new year. 2020 is a year of clear vision, and we get to start it off with the revelation that Firefox stores telemetry data in a way that can be traced back to an individual user. After all, how else would Mozilla be able to delete just your telemetry data upon request? To answer this question, Privacy Online News reached out to Mozilla and a Mozilla spokesperson explained how the telemetry data is associated with your browser instance:

“By default, Mozilla collects limited data from Firefox to help us understand how people are using the browser, such as information about the number of open tabs and windows or number of webpages visited. This does not include data that can reveal sensitive information about users’ activity online, such as search queries or the websites users visit.

The data collected is associated with a randomly generated identifier that is unique to each Firefox client. We refer to this as a clientID. That clientID is not linked to you personally or any sensitive data (for example to your name or phone number) but to your local Firefox software installation. It is never shared with third-parties. Full public documentation about this data collection, including the identifier, can be found here.

When users choose to delete their telemetry, the Firefox browser will submit this identifier to Mozilla and we will then delete data on our servers associated with this ID.”

Specifically, when you request your telemetry data be deleted from Mozilla’s servers, you do so by sending a “deletion-request” ping which by virtue of how internet pings work, includes a timestamp, your IP address and your unique client ID – as confirmed by Mozilla. That is all the information that’s needed to tie your telemetry data back to your specific browser instance.
Mozilla confirmed to Privacy Online News that all this data is stored, but they don’t seem to consider it a privacy issue because they are stored separately. A Mozilla spokesperson explained how the IP address of all telemetry pings, not just the deletion-request ping, is stored:

“Mozilla does initially receive the IP as part of telemetry technical data. The IP is then stripped from the telemetry data set and moved to an environment with restricted access for security and error review purposes only. By moving the IP address into this restricted environment this de-identifies the collected telemetry data.”

Firefox stores your telemetry data in a way that can be tied back to you

While the fact that Firefox collects telemetry data may be well known to some security minded researchers, and even viewed as acceptable because of reasons such as “debugging,” it is quite the revelation that Mozilla actually maintains this data in a way that is matchable to an individual user’s IP address that is requesting said data be deleted.

Mozilla even tried to downplay the impact of their privacy decision, saying in their announcement:

“To date, the industry has not typically considered telemetry data “personal data” because it isn’t identifiable to a specific person, but we feel strongly that taking this step is the right one for people and the ecosystem.”

While it is arguable that telemetry data isn’t technically “personal data” when it is viewed on its own without other information; however, if there’s a way to link a given set of telemetry data to a particular Firefox browser instance and IP address – and Mozilla just revealed that there is – then that telemetry data all of a sudden becomes the most personal of data.

What does Firefox telemetry data include?

According to the Mozilla wiki, telemetry data includes all the information needed to answer the following questions:

  • How long does it take Firefox to start?
  • How long does it take Firefox to load a web page?
  • How much memory is Firefox consuming?
  • How frequently do the Firefox cycle collector and garbage collector run?
  • Was your session successfully restored when you last launched Firefox?

Reading into the questions, the technical pieces of data that Firefox needs to store to be able to answer these questions become apparent. Stay tuned to future posts from Privacy Online News that will dive into the Firefox codebase to showcase what constitutes telemetry data stored by Mozilla in association with your Firefox browser instance. For a preview, simply type about:telemetry into your Firefox browser. For Android and iOS versions of Firefox, parts of this telemetry data – and more – are also shared with a third party company called Leanplum.

What is Leanplum and why is it on Firefox for iOS and Android?

Firefox on the popular mobile operating systems iOS and Android has even larger privacy concerns beyond the telemetry data that is stored by Mozilla. Leanplum is a mobile advertising company that also receives your personal information, courtesy of Mozilla. According to Mozilla Firefox’s support website:

“Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor, which has its own privacy policy. This data allows us to test different features and experiences, as well as provide customized messages and recommendations for improving your experience with Firefox.”

Mozilla sends information to Leanplum under the guise of testing different features. More information, also from Mozilla’s support team, gets into the specifics:

“Leanplum tracks events such as when a user loads bookmarks, opens new tab, opens a pocket trending story, clears data, saves a password and login, takes a screenshot, downloads media, interacts with search URL or signs into a Firefox Account.”

The horror story continues:

“Leanplum receives data such as country, timezone, language/locale, operating system and app version.”

More specific information on what Leanplum collects from your mobile Firefox browser can be found from the Leanplum privacy policy, which Mozilla defers to in their own support text possibly because it’s so heinous:

“[…] we automatically collect certain information, which may include your browser’s Internet Protocol (IP) address, your browser type, the nature of the device from which you are visiting the Service (e.g., a personal computer or a mobile device), the identifier for any handheld or mobile device that you may be using, the Web site that you visited immediately prior to accessing any Web-based Service, the actions you take on our Service, and the content, features, and activities that you access and participate in on our Service. We also may collect information regarding your interaction with e-mail messages, such as whether you opened, clicked on, or forwarded a message.”

The opening up of a privacy option to allow all users (not just Californian users) to delete telemetry data reveals a deeper, darker truth: that the popular browser actually keeps track of telemetry data in a way that can be connected back to your specific browser instance and IP address. Revelations like these are exactly what should be occurring after proper privacy laws are written, passed, and enacted. Just with this revelation, arguably, the CCPA has already done so much more than the GDPR for internet privacy. Firefox is not the privacy conscious browser that it has been masquerading as. Not on the desktop, and certainly not on mobile.

Comments are closed.

15 Comments


Notice: Undefined index: screen_reader_text in /var/www/blog/wp-content/themes/privacynews/functions.php on line 594
  1. Samanto Hermes

    On desktop: Use Pale Moon or Basilisk
    On Android: Use Fennec F-Droid
    On iOS: Use DuckDuckGo Browser

    4 years ago
  2. Daniel

    The article’s headline is very clickbait-y, in my opinion. Without challenging the factual information of the article, I think it’s pretty reckless to word the headline in a way that implies privacy-concerned users should not be using Firefox, when virtually all of the alternatives are worse to an almost inconceivable degree. It cannot be seriously suggested that people use a Chromium-based browser instead. Even if the intention behind the article is to highlight issues and weaknesses in Firefox regardless of what their competitors are doing, it should give a minimal amount of context through an overview of the current state of the web and the browser market. Otherwise, it reads like an opinion piece by someone who wants to get back at Mozilla for some reason.

    I also strongly question the statement that this shows how CCPA did more for Internet privacy than the GDPR. Mozilla’s press release indirectly implies a connection between this change and the CCPA, but it seems more likely to be a case of trying to profit from the CCPA being a trending topic at the moment. The release mentions that the CCPA contains an “expanded definition” of what constitutes personal data, however, from what I remember and by all interpretations I’ve read, the CCPA definition of “personal data” is decidedly *less* strict than the GDPR’s. If this change was really mandated by the CCPA, then Mozilla should have implemented it back when the GDPR came into effect, because its requirements go even further – unless they decided that they didn’t have to comply with the GDPR.

    However, even the Mozilla statement stops short of connecting this change to an actual requirement under the CCPA. Rather, they say they are doing this to “go the extra mile”, therefore saying (as this article mentions) that this data deletion option is not mandated under the CCPA, nor was it under the GDPR (which, as this article also mentions, is debatable). I have yet to see an example in which restrictions under the GDPR are not at least as strict as those of the CCPA. The question of what effect they ultimately have seems much more determined by the strangeness of deciding when and how a local law is applicable in a global network environment.

    4 years ago
  3. HAMISH MOFFATT

    You can turn telemetry off in the settings. Is that enough?

    4 years ago
  4. Jacob

    This article is a farce — Firefox moves to allow users more control over already carefully stripped and limited telemetry data, and somehow this is a privacy disaster? Almost every significant pc application collects some kind of similar telemetry data, and many of them do it in a far opaque way than Firefox. The extent to which you’ve overblown the issue is unreal. I mean, take this statement alone:

    “Just with this revelation, arguably, the CCPA has already done so much more than the GDPR for internet privacy.”

    Are you seriously arguing that a minute increase the control over the ‘average number of tabs open on machine 724567’, outweighs literally every website on the internet being required to implement cookie tracking opt-outs?

    Frankly, this is shameful mudslinging at a group that continues be one of the models for user privacy and transparent operation.

    4 years ago
  5. Nathan Basanese

    What other choice do we have?

    It’s leaps and bounds better than IE and Google Chrome.

    However, I hope this inspires Firefox to find ways to use “one way algorithms” to allow us to delete our telemetry data without them being able to tell whose data is whose.

    A simple table of SHA256 hashes of IP addresses could be used instead of storing (and, inevitably, sharing) the IP addresses themselves.

    4 years ago