Each Firefox download has a unique identifier

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • privacytests.org

    Source code for privacytests.org. Includes browser testing code and site rendering.

  • brave-browser

    Brave browser for Android, iOS, Linux, macOS, Windows.

  • They're comparable to Chromium's, if not mostly identical: https://github.com/brave/brave-browser

  • bedrock

    Making mozilla.org awesome, one pebble at a time (by mozilla)

  • I read over the article's links now and what I said service wasn't quite right. This looks like it's based on the stub attribution technique but expands it beyond what those links describe. You can see the server side of the implementation at the links below:

    https://github.com/mozilla/bedrock/issues/9830

    https://github.com/mozilla-services/stubattribution/pull/103

    You'll see references to bouncer as well, which is https://github.com/mozilla-services/go-bouncer

  • winget-pkgs

    The Microsoft community Windows Package Manager manifest repository

  • Chocolatey and WinGet don’t.

    Looks like Chocolatey gets the binary from download.mozilla.org [1], while WinGet gets it from download-installer.cdn.mozilla.net [2] (which looks to be the HTTPS repository mentioned in the article, thus being exempt from tracking?)

    [1] https://community.chocolatey.org/packages/Firefox#files

    [2] https://github.com/microsoft/winget-pkgs/blob/master/manifes...

  • bromite

    Bromite is a Chromium fork with ad blocking and privacy enhancements; take back your browser!

  • Librefox

    Librefox: Firefox with privacy enhancements

  • browser

  • Minor detail: Note that librefox/librewolf are not forks, but a patchset (similar to ungoogled chromium). So the base of the source code is still upstream firefox. [1]

    [1] https://gitlab.com/librewolf-community/browser/source/-/tree...

  • browser-laptop

    Discontinued [DEPRECATED] Please see https://github.com/brave/brave-browser for the current version of Brave

  • gecko-dev

    Read-only Git mirror of the Mercurial gecko repositories at https://hg.mozilla.org. How to contribute: https://firefox-source-docs.mozilla.org/contributing/contribution_quickref.html

  • These builds still have distribution-specific in-built API keys for some of the built-in services such as Google Safebrowsing, Google Location Services and Mozilla Location Services. See [1], [2], [3], [4], [5] and [6] for details and examples.

    Additionally, upon first launch of Firefox, a unique client identifier is created, and this is sent to Mozilla by default, probably before you get a chance to disable telemetry features within the preferences dialogs. See [2], [7], [8] and [9].

    As these privacy-impacting features are enabled by default, before first launch of Firefox on Linux, you should disable these third-party and telemetry features and also lock down other security and privacy settings. See [10] and [11] for the method of doing so, and an example user.js that contains decent documentation on well over 100+ recommended configuration changes to make Firefox more respectful of privacy and security. If you don't reconfigure a user.js before first launch, at least the "New Profile" event will be notified to Mozilla with the unique client ID after a delay of only 30 minutes from creation of the first Firefox profile [9] (first launch).

    [1] https://glandium.org/blog/?p=3923

    [2] https://github.com/mozilla/gecko-dev/blob/HEAD/build/moz.con...

    [3] resource://gre/modules/URLFormatter.jsm (use within Firefox URI bar)

    [4] resource://gre/modules/AppConstants.jsm (use within Firefox URI bar)

    [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/fi...

    [6] https://github.com/archlinux/svntogit-packages/blob/packages...

    [7] resource://gre/modules/ClientID.jsm (use within Firefox URI bar)

    [8] resource:///modules/BrowserUsageTelemetry.jsm (use within Firefox URI bar)

    [9] https://github.com/mozilla/gecko-dev/blob/c3ec016fafa4cea6a0...

    [10] https://kb.mozillazine.org/User.js_file

    [11] https://github.com/arkenfox/user.js/

  • svntogit-packages

    Discontinued Automatic import of svn 'packages' repo (read-only mirror)

  • user.js

    Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening

  • min

    A fast, minimal browser that protects your privacy

  • stubattribution

    A service which accepts an attribution code and returns a modified stub installer.

  • go-bouncer

    A Go version of the redirector portion of bouncer.

  • Elinks looks like it hasn't had an update in years. There's a fork of it called Felinks [0] which seems pretty actively maintained. The last release was on December 24, 2021.

    [0] https://github.com/rkd77/elinks

  • gcp-ingestion

    Documentation and implementation of telemetry ingestion on Google Cloud Platform

  • I don't know how many folks will see this, and of those that do I don't expect many will necessarily be moved by what I say here. I'm going to say it anyways, however, and then I may never look at this thread again. I'm the person who designed the download token scheme that is discussed in this article, and, while I understand all of the concerns and suspicions, I believe that the way we designed this and the way we handle our telemetry data means that this is not the privacy violation some of you are claiming it is. Also, to be clear, I am speaking for myself here, these are my own thoughts and opinions, and I am not representing Mozilla in any official capacity.

    So, a download token is a UUID associated with a unique download event. It gets generated when you click the 'download' link, added to the installer, and then passed through to the installed browser. It is returned to us in the telemetry pings that the browser sends back to our telemetry ingestion endpoints. When the download happens, on the server side we capture the download token and the GA session ID and store those in a table. There is nothing else stored in this table.

    Having access to this table means that you can correlate the user's activity on the Mozilla website that GA provides with the telemetry data that Firefox sends us. The website activity contains URLs that the user visited, so we consider this "category 3" data (see https://wiki.mozilla.org/Data_Collection#Data_Collection_Cat...), quite sensitive. For that reason this table has highly restricted access; only a small number of individuals are able to get to it.

    Access restrictions offer no protection against subpoenas, of course. But I believe you can safely maintain your anonymity by opting out of our telemetry gathering, because when you opt out of telemetry we delete all of the historical telemetry data we have collected for your Firefox profile. Everything, including all of the records that contain the download token.

    If this happens, all we are left with is that original record with the download token and a GA session. The download token can no longer be correlated with your telemetry data, and we have no way of associating your Firefox installation with your GA session, not even under subpoena. And this is all assuming that you haven't blocked GA, or that you haven't specified 'Do Not Track' before visiting our website. If you've done either of those things, we won't have a GA session ID for you to begin with.

    Oh, incidentally, we never store any IP addresses or other PII in our telemetry data. That all gets scrubbed during ingestion.

    Again, I don't expect this to have much impact, but I'm sharing what I know to counter some of the more extreme claims that this removes the ability for Firefox users to remain anonymous.

    Finally, we have the obvious question: Why would we even do this? Believe it or not, understanding your user base does actually have some value in serving that user base. For most of Firefox's existence, there has been no trustable feedback loop. Sure, folks out there in the world have opinions, and share them, but opinions differ, and anecdotes are not data. If one person thinks most users will like a particular change, and someone else thinks they won't, nobody can prove their point in any meaningful way. The folks making decisions about Firefox have been flying blind. And, as many of you in this thread have pointed out, it hasn't necessarily been going that well.

    In Firefox's early years, there was lots of low-hanging fruit, and the competition was a poorly maintained Internet Explorer, so it was easy to win a bunch of market share. Then Chrome came on the scene with their effectively limitless budget and famously data-driven product process. We'll never match their budget, but we can try to make choices based on data instead of just letting whoever has the most organizational power decide. My team has spent the last few years building out a data infrastructure that we hope will support better decision making going forward while still trying to honor user privacy and choice. This is a tough balance to strike, and we're far from perfect, but we do our best.

    You can learn about our data collection infrastructure and policies in great detail on our docs site (https://docs.telemetry.mozilla.org/index.html), and you can see nearly all of the code that handles our data ingestion and processing in our public repositories (https://github.com/mozilla/gcp-ingestion and https://github.com/mozilla/bigquery-etl).

  • bigquery-etl

    Bigquery ETL

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
