Privacy blunder? Firefox's Get Add-ons page uses Google Analytics
The Firefox web browser ships with an add-on management interface that users may load directly by typing about:addons in the browser's address bar, or by using the browser menus that link to the page.
The management interface comes with several pages that separate extensions from themes, plugins, services, scripts and other "add-ons" that users may add to Firefox in one way or another.
There is also a Get Add-ons page that lists add-on suggestions to users. It is making the rounds right now that this page connects to Google Analytics when users access it.
Nicolas Petton posted a message on Twitter on July 11, 2017 that Mozilla was using Google Analytics on the about:addons page. The message was picked up on social news sites such as Reddit and Hacker News shortly thereafter.
Some users voiced concern about the integration of Google Analytics in Firefox (on this one page), stating that a browser that advertises itself as privacy-focused should not do that.
Mozilla employees provided detailed information on the implementation on various sites, including on GitHub where an issue was raised by a concerned user.
According to Mozilla employee Matthew Riley MacPherson, known as tofumatt on GitHub, about:addons loads an iFrame with content hosted on a Mozilla website which contains the Google Analytics script.
Mozilla has a special agreement with Google which means that the data is aggregated and anonymised. Another Mozilla employee, who goes by the handle potch, added on Hacker News that Mozilla negotiated a special deal with Google that only a "subset of data" is collected, and that the "data is only used for statistical purposes".
When asked why Mozilla was not using self-hosted analytics scripts like Piwik, Matthew replied that hosting their own analytics product -- Piwik in particular -- was more work for "a worse product".
Matthew suggested disabling the tracking for users who have opted out of Telemetry tracking in the Firefox browser. This has not been implemented yet, and it is unclear whether this is going to happen.
Ultimately, this seems to be Mozilla's stance on the issue right now according to Matthew:
We won't be discontinuing our usage of analytics for our web properties, but I do think it would be nice to consider easy opt-outs for users like yourself who clearly do not want to participate in analytics sharing.
The maker of uBlock Origin posted an interesting observation in the thread as well. The legacy version of uBlock Origin can block the requests on internal Firefox pages, while the WebExtension version cannot.
Legacy uBlock Origin can block the network request to GA.
However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.
What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.
The developers of the Tor Browser, a modified version of Firefox built for added security and privacy, have voiced concerns as well.
Disallow 'about:addons' unless the extensions directory is volatile, because regardless of what Mozilla PR says about respecting privacy, loading Google Analytics in a page that gets loaded as an IFRAME as part of an 'about:' internal page, is anything but.
Tip: Firefox users who don't use Get Add-ons can disable the functionality in the following way:
- Load about:config?filter=extensions.webservice.discoverURL
- Double-click on the preference, and remove all characters so that the value is blank.
- Restart Firefox.
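The same preference can be audited or set per profile through the profile's prefs.js and user.js files instead of about:config. The following is an added example, not code from the article or from Mozilla: it assumes the standard user_pref("name", value); line format, and the function names and sample file contents are constructed for illustration.

```python
import re

PREF = "extensions.webservice.discoverURL"  # preference name from the tip above

# One user_pref("name", value); line as written in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')


def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in a prefs file, or None if unset."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            raw = m.group(2)
            quoted = len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')
            value = raw[1:-1] if quoted else raw  # strip quotes of string values
    return value


def discovery_disabled(prefs_js, user_js=""):
    """True only when the effective value is blank; user.js overrides prefs.js.
    If neither file sets the preference, the built-in default URL applies."""
    value = read_pref(user_js)
    if value is None:
        value = read_pref(prefs_js)
    return value == ""


def enforce_blank(user_js, name=PREF):
    """Return user.js text with exactly one line that sets `name` to blank."""
    kept = []
    for line in user_js.splitlines():
        m = PREF_LINE.match(line)
        if not (m and m.group(1) == name):
            kept.append(line)
    kept.append(f'user_pref("{name}", "");')
    return "\n".join(kept) + "\n"


# Constructed sample files, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("extensions.webservice.discoverURL", "https://discovery.example.invalid/%LOCALE%/pane");
'''
SAMPLE_USER = 'user_pref("browser.startup.page", 3);\n'

if __name__ == "__main__":
    print("before:", discovery_disabled(SAMPLE_PREFS, SAMPLE_USER))
    print("after: ", discovery_disabled(SAMPLE_PREFS, enforce_blank(SAMPLE_USER)))
```

Firefox reads user.js at startup, so a line written there takes effect after the restart in the last step.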
See how to block automatic connections that Firefox makes for additional information, or the list of Firefox security and privacy preferences.
It is clear that there are multiple points of view on the issue at hand:
- Some users think that Firefox should never connect to third-parties without explicit user consent.
- Others think that the issue is blown out of proportion, as it is limited to a single page in the browser.
- Mozilla acknowledges that tracking is taking place, confirms that it has a special deal in place with Google, and says that it is considering opting out users who have opted out of Telemetry tracking.
My personal stance on the matter is that I think it is unwise to integrate anything that connects back to Google in the Firefox browser. Unwise because it torpedoes Mozilla's stance on privacy in the eyes of some Firefox users.
Now You: What's your take on this?