Mozilla wants to estimate Firefox's Telemetry-off population - gHacks Tech News

Mozilla wants to estimate Firefox's Telemetry-off population

Mozilla Firefox is one of the few web browsers out there that gives users and system administrators options to turn off Telemetry.

Telemetry, which Mozilla introduced in Firefox 7 back in 2011, provides data to Mozilla which the organization uses to refine its products.

While that is often beneficial to users, for instance when issues are detected and fixed, it has also been used in the past to justify the removal of features from Firefox. The removal of features based on Telemetry led to my suggestion in 2013 to keep Telemetry enabled to make "your voice" count.

Telemetry controls in Firefox

firefox data collection

Firefox users who are concerned about the collection and sending of Telemetry data to Mozilla can turn off the functionality in the browser's options.

All that it takes is to load about:preferences#privacy in the browser's address bar and check or uncheck the following options:

  • Allow Firefox to send technical and interaction data to Mozilla
  • Allow Firefox to install and run studies
  • Allow Firefox to send backlogged crash reports on your behalf

Turning off Telemetry does not mean that Firefox won't make any connections to Mozilla anymore as other browser functions, e.g. update checks, are still enabled by default.

Telemetry Coverage

telemetry coverage

Mozilla revealed in August 2018 that it had no data on the number of Firefox installations with disabled Telemetry.

Finally, we need better insight into our opt-out rates for telemetry. We use telemetry to ensure new features improve your user experience and to guide Mozilla’s business decisions. However, an unknown portion of our users do not report telemetry for a variety of reasons. This means we may not have data that is representative of our entire population.

The organization made the decision to measure Telemetry Coverage to get an estimate of the percentage of Firefox installations with Telemetry set to off.

Mozilla created  the Telemetry Coverage system add-on and distributed it to 1% of the Firefox population. The add-on is automatically installed and designed to inform Mozilla whether Telemetry is enabled in the browser.

The add-on reports data similar to the one below to Mozilla when it is installed:

{
"appVersion": "63.0a1",
"appUpdateChannel": "nightly",
"osName": "Darwin",
"osVersion": "17.7.0",
"telemetryEnabled": true
}

The reporting does not include a client identifier and it is not associated with Firefox Telemetry.

Firefox users can create toolkit.telemetry.coverage.opt-out and set it to true to opt-out of this. Problem is that this is only mentioned on the Bugzilla page over on the Mozilla website and not in the add-on description according to Mozilla's announcement on the Mozilla blog.

This measurement will not include a client identifier and will not be associated with our standard telemetry.

Mozilla has been criticized for installing the Telemetry Coverage add-on in Firefox installations, e.g. on Reddit. The main claims are that a) Mozilla makes it difficult to near impossible to prevent the installation of system add-ons, and b) that data is sent to Mozilla about the system even if Telemetry is turned off.

While some users argue that this is not an issue at all, since Firefox just sends information about the Telemetry status, others see it as a privacy issue as other data is submitted to Mozilla automatically with the request (IP address).

Closing Words

The release of the system add-on is controversial and so where other decisions Mozilla made in the past. I truly understand the need for data to improve products and better address user needs and requirements but think that Mozilla is shooting itself in its own foot once more.

There needs to be a rethinking about these experiments and how they are conducted. In 2016 I asked Mozilla to give users control over system add-ons in Firefox and I still believe that the organization should implement easy on/off controls for those in the browser similarly to what it has done with Shield Studies.

Part of Firefox's userbase, mostly those using the browser because of its better privacy controls, will continue to criticize Mozilla unless the organization changes its approach to studies and Telemetry fundamentally.

Now You: What is your take on this?

Summary
Mozilla wants to estimate Firefox's Telemetry-off population
Article Name
Mozilla wants to estimate Firefox's Telemetry-off population
Description
Mozilla revealed in August 2018 that it had no data on the number of Firefox installations with disabled Telemetry. 
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Richard Allen said on September 21, 2018 at 6:06 pm
    Reply

    My take? I don’t care as long as…

    “The reporting does not include a client identifier and it is not associated with Firefox Telemetry.”

    1. ilev said on September 21, 2018 at 7:44 pm
      Reply

      Of course Mozilla includes client identifier otherwise they would count your PC every time you ran Firefox.

      1. Richard Allen said on September 21, 2018 at 9:47 pm
        Reply

        Client identifier?

        {
        “appVersion”: “63.0a1”,
        “appUpdateChannel”: “nightly”,
        “osName”: “Darwin”,
        “osVersion”: “17.7.0”,
        “telemetryEnabled”: true
        }

      2. John Fenderson said on September 21, 2018 at 10:39 pm
        Reply

        @ilev

        It doesn’t contain a special client identifier. However, Mozilla’s server certainly knows what your IP address is, and they could use that to disambiguate. It wouldn’t be perfect (there may be several machines behind your publicly-facing IP address), but it looks like they’re just estimating things anyway, so that might not matter.

      3. Anonymous said on September 22, 2018 at 7:45 am
        Reply

        There’s no way to identify something without something unique. It maybe the pc mac address or firefox profile or something, otherwise the data would be useless. IP address is not unique, millions of people might be using the same IP address(mobille carriers use same IP address).

      4. notAUser said on September 22, 2018 at 11:18 am
        Reply

        time + IP + “TCP/IP Fingerprint” + “Your DNS Servers” + browser/system info
        Mozilla collect unique data, it’s real telemetry otherwise it’s no sense to collect data.
        You can see some info about TCP/IP or DNS Servers at https://browserleaks.com/ip

      5. notAUser said on September 22, 2018 at 11:18 am
        Reply

        time + IP + “TCP/IP Fingerprint” + “Your DNS Servers” + browser/system info
        Mozilla collect unique data, it’s real telemetry otherwise it’s no sense to collect data.
        You can see some info about TCP/IP or DNS Servers at “browserleaks (dot) com/ip”

      6. notAUser said on September 22, 2018 at 11:19 am
        Reply

        time + IP + “TCP/IP Fingerprint” + “Your DNS Servers” + browser/system info
        Mozilla collect unique data, it’s real telemetry otherwise it’s no sense to collect data.
        You can see some info about TCP/IP or DNS Servers at online analyzers as “browserleaks”.

    2. jackjoe said on September 24, 2018 at 12:37 pm
      Reply

      So baisically as long as you trust mozilla claims and PR. Such things as silently installing code to monitor people who expressedly opted out to not be monitored after changing this option from opt in to opt out should hint at how trustable mozilla is.

  2. Yuliya said on September 21, 2018 at 6:15 pm
    Reply

    Three days ago I posted a comment here on the last few articles how Mozilla had sent “fxmonitor@mozilla.org.xpi” without my consent to a Firefox 62 installation running on a LTSB 1607 inside a virtual machine.

    The next day the situation repeated on my actual PC, running Windows 7 and Firefox 62. However, there was another addon there besides the aforementioned “fxmonitor” malware. It was called “telemetry-coverage-bug1487578@mozilla.org.xpi”. Every test, auto updater, everything auto and everything telemetry related is disabled from settings and then about:confing entries. I clearly opted out of telemetry yet I was sent this malware, and no matter how many times I was removing it, it kept coming back. The solution was to break Firefox’s access from a folder called “features” inside my profile folder.

    Mind you, Firefox was not showing this addon, CCleaner picked it up.

    In which universe is this malicious behaviour acceptable from a company beating with its fists on its chest claiming they care about my privacy? Fuck you Mozilla. Fuck you! Disgusting, horrible, the absolute pit in the software world. This company represents how you should not treat your users, and it provides the best example on how to tank your business in the least amount of time possible.

    1. svim said on September 21, 2018 at 8:57 pm
      Reply

      In contrast, I have no problem with things like this. Data collection is just a reality we all have to deal with if you want any kind of online access and/or online social media presence.
      As you’re obviously really pissed off at Mozilla and filled with so much hate and rage, for your own peace of mind wouldn’t it be better to just use a different browser? There’s no shortage of alternatives to choose from.

      1. John Fenderson said on September 21, 2018 at 9:41 pm
        Reply

        @svim: “Data collection is just a reality we all have to deal with if you want any kind of online access”

        True, but a legitimate way to deal with it is to obstruct it to the greatest degree possible. That’s my approach (combined with not using “social media” at all).

      2. Yuliya said on September 21, 2018 at 10:15 pm
        Reply

        svim,
        Few years ago there were surveys on Moizlla’s website when you were visiting it. You were asked if you want to participate in it, then asked a few questions. What was wrong with this model? Why did they not send everyone who upgraded to v62 to that page? After every upgrdate you are being sent to a “What’s new” page, so why not take this advantage and put the survey there? Everyone would have seen it. I gladly reply to all those kind of surveys whenever I see them on Microsoft, Google, Mozilla, Opera, etc pages. I think it’s the most logical and respectful way of dealing with situations like this.

        Few years ago Firefox also had greater market share. Clearly te current model is not something many people agree with. What angers me the most is that all this has been done behind my back. Not one word from Mozilla that this is happening. Not a notification, nothing. By mistake I found about it in CCleaner, I did not even want to go to browsers addon management page initially. To add salt to the injury, they kept pushing it as soon as I was restarting Firefox despite me removing those addons.

        No, I don’t think telemetry is necessary in any way. Let me report if there is a problem on your software. Some of the best, and oldest, open source projects do not have telemetry. VLC, 7-zip to give some examples. Even closed source software like AIMP or FastStone Image Viewer does just fine improving their software without spying on me.

        No, I don’t think a browser needs a special treatment in this area. And I believe, if there is any telemetry functionality, then OFF should mean OFF, not “disabled unless we, Mozilla, say so”.

        I also don’t believe “socail media” is a fair comparison. VK for example only knows about me as much as I’ve willingly given them the information about me. Mozilla now knows something about me which I did not agree to let them know. Hell, I don’t even know what they collected from me. And at this point given the circumstances, whatever they claim is just worthless and should not be believed at all. They lied once, they will do it again.

      3. Anonymous said on September 22, 2018 at 7:53 am
        Reply

        >>What angers me the most is that all this has been done behind my back.

        Firefox is not your browser. You don’t pay for it so you can move into other browser if you don’t like it. There’re many free browsers out there.

        Things change, like Opera, the current Firefox is not the Firefox 10 from years ago.

      4. Yuliya said on September 22, 2018 at 9:49 am
        Reply

        Anonymous [September 22, 2018 at 7:53 am],
        “things change” is not an argument, I hope you realise that. It’s more of a statement, which is factual. Another statement is the decline in Firefox’s market share as seen from any source which anilses online traffic. Which is a consequence of the aforementioned change.

        Firefox is not my browser, I did not make it, I did not pay for it, never did and never will, I would never pay to be abused. But consider this: which piece of software are you aware of, which has no userbase, yet the develoers are still maintaining it? Software needs users to live and to have a community. And just as factual as your “things change [about Mozilla]” your statement is, so is mine about FIrefox losing its userbase, backed up by any statistic you want to look at.

      5. nonameforachange said on September 24, 2018 at 10:17 am
        Reply

        Fun part is mozilla markets firefox as being the user browser despite your take on it.

        Other fun part is that soon firefox will be no one browser due to a disappearing user base thank to attitude like your and dumb decisions forced upon users by mozilla.

      6. John Fenderson said on September 24, 2018 at 5:55 pm
        Reply

        @Anonymous; “Firefox is not your browser. You don’t pay for it so you can move into other browser if you don’t like it.”

        You say that as if it were somehow meaningful.

      7. ULBoom said on September 22, 2018 at 4:54 am
        Reply

        No svim, many people couldn’t care less about social media but understand the need for some info to be collected, e.g., to make online connections at all. Beyond that, unless particular data is requested by the user, not the software, to make online transactions, nothing should be given away unknowingly.

        Love your use of the trite social media approved “hate” and “rage.” Maybe park your phone for a few weeks.

      8. Anonymous said on September 22, 2018 at 10:06 am
        Reply

        “As you’re obviously really pissed off at Mozilla and filled with so much hate and rage, for your own peace of mind wouldn’t it be better to just use a different browser? There’s no shortage of alternatives to choose from.”

        We’re locked with them because their competitors are even worse. They know it and they’ll abuse this situation as much as possible while carefully remaining just 99% as evil as the other browsers.
        Ethical forks like Waterfox can help mitigate the problem, but they’re still based on evil code that can’t be 100% cleaned with absolute confidence. If only we could be numerous enough using it maybe this could send a message to Mozilla.

      9. stefann said on September 22, 2018 at 1:37 pm
        Reply

        @svim:

        Could You please post Your personal data and bank account number ? You doesn’t seem to bother that more and more data is collected about You by the corporations and governments.

        Yet another ***** that has nothing to hide…..

    2. 420 said on September 21, 2018 at 10:28 pm
      Reply

      I agree with Yuliya, I should not have to figure out what has been added to my software without my consent, especially when I have all my privacy settings on. Pretty much the same shit people were all bitching about with ccleaner. Unacceptable behavior.

  3. John Fenderson said on September 21, 2018 at 7:04 pm
    Reply

    My take on this is that Mozilla is already walking a questionable path with their telemetry to begin with (in terms of how it’s technically handled, how the telemetry data is being used, and Mozilla’s public statements about telemetry), and how they handle it has reduced trust in Firefox with a large number of users.

    This business with the Telemetry Coverage add-on can only reduce that trust even further.

  4. Sidney Ferreira de Moraes Neto said on September 21, 2018 at 7:46 pm
    Reply

    People does not understand that telemetry is needed to improve software. For example, if Firefox crashes after a Nvidia driver update, with telemetry they will receive the information that Firefox crashes after a Nvidia driver update, also receive the specific version of the driver, than they devs will check if the bug is on firefox or nvidia, if it is on Nvidia, they will have data to report Nvidia devs the bug.

    1. John Fenderson said on September 21, 2018 at 8:50 pm
      Reply

      @Sidney Ferreira de Moraes Neto: “People does not understand that telemetry is needed to improve software”

      Strictly speaking, telemetry is not needed to improve software. The software industry has been successfully improving software before telemetry was a thing that was possible, after all.

      What telemetry does is improve efficiency and reduce monetary cost, but it comes with its own set of different problems, of course.

    2. Anonymous said on September 21, 2018 at 10:11 pm
      Reply

      Telemetry is absolutely NOT needed to improve software. Very little software released prior to 10 or 15 years ago included telemetry.

      Telemetry is a poor substitute for listening-to your users, understanding their problems, and thinking about good solutions. Sure telemetry gives you data, often so much data that you are drowning in it. But relying only or even mostly on data confuses “facts” for “truth”. If you have enough data, you can find facts in that data to support almost any predetermined conclusion that you want to reach, but that doesn’t necessarily mean that the conclusion that you reached is true. It requires thought, understanding, and wisdom born of experience to reach the truth, attributes which seem sorely lacking in many recent decisions by the Mozilla organization.

      In some ways, Mozilla seems to want to be, or at least be known as, the “privacy” browser, at least amongst the big four web browsers. If that is really true, then they should start with themselves. They should stop the forced data collection. They should stop with the secret, intrusive downloads. They should come out of their self-imposed cocoons of telemetry data and start talking with and, most importantly, listening to their users again, especially the more technically sophisticated users who are knowledgeable enough and who care enough to disable or block the telemetry and whose opinions also are probably rather influential among their colleges, friends, and family members.

    3. Ross Presser said on September 22, 2018 at 1:09 am
      Reply

      If giving information about my usage is a requirement for me to use your software, fine. Be upfront about it, announce it on the page where I download from, and remind me at installation time. Let me know exactly what’s being tracked and why; let me know more than once and make it easy to read it again; and give me plenty of chances to decide NOT TO USE YOUR SOFTWARE before one single byte is sent.

      Otherwise, deal with the inevitable fallout you will get for being a sneaky, snoopy developer who cares more about usage data than they do about users.

    4. Anonymous said on September 22, 2018 at 4:00 am
      Reply

      When something like that happens users report it. It has worked that way for decades before telemetry existed. There is an obvious agenda by all the major tech companies to track users and collect data that isn’t solely to “improve products”.

    5. ULBoom said on September 22, 2018 at 5:12 am
      Reply

      Yeah they do. Repairing incompatibilities is not improving software, it’s making it work right. Your example would be fine and does represent the world 20 years ago but telemetry has grown into data brokering. I’ve never had a significant issue that wasn’t documented somewhere online: people use forums.

      Some people; most have no idea how to troubleshoot problems. Even so, there’s no way to know what info is available to all the different packages in a device with free telemetry. Assume everything in it.

      In windows, between system and trusted installer, everything can be read. Where does MS draw the line?

    6. nonameforachange said on September 24, 2018 at 10:21 am
      Reply

      I do understand that mozilla dev have no clue about telemetry and that it’s been used to force unwelcome change on people in an esr release while not even mentioning it in the changelog and adding a useless message with a broken link. Yes I’m talking about the removal of alsa support to force pulseaudio on every linux user because they had no clue that almost all linux distro removed telemetry as a privacy concern before packaging firefox.

      1. Anonymous said on September 26, 2018 at 6:36 pm
        Reply

        Telemetry wasn’t removed by Linux distros out of privacy but rather no one wanted/cared to go extra mile just to enable it then get negative feedback. If you try to build Firefox from source telemetry is disabled by default.

        https://bugzilla.mozilla.org/show_bug.cgi?id=1352981#c5

  5. Anonymous said on September 21, 2018 at 8:12 pm
    Reply

    So Mozilla wants telemetry (corporate name for spying) on users who turned off telemetry. That’s so Mozilla. I would love to watch one of their brainstormings.

    Partial solution for Firefox to limit Mozilla silently installing garbage on your computer at any time :
    user_pref(“extensions.systemAddon.update.url”, “”);
    user_pref(“extensions.systemAddon.update.enabled”, false);
    then remove the .xpi system extensions in the Mozilla Firefox\browser\features folder. The good surprise is that it’s mostly crapware concentrated in there, no big loss. Maybe keep screenshots@mozilla.org.xpi which is borderline. The only drawback I’ve noticed is that at browser updates, it will first try a differential update that will fail, then at the second try it will download the full next browser version.

    Better solution : use Waterfox instead, it ensures that no system extensions at all gets installed. There are only language packs in the folder.

    1. Richard Allen said on September 21, 2018 at 10:51 pm
      Reply

      In my Test profile of FF v62 I had ““extensions.systemAddon.update.enabled”” set to false without deleting the URL and still got the Firefox Monitor and Telemetry Coverage addons. Which is part of the problem with this whole scenario with Mozilla sending addons after someone took the time to dig into about:config.

      I’m fine with Mozilla knowing what percentage of users have telemetry disabled, I just wish there was some way of doing it without making themselves look like idiots and pissing everyone off.

      You’re right about WF and the way it handles system addons, which is great. But,it’s still making a lot of connections to Mozilla and sharing data unless and until someone digs into about:config.

      1. TelV said on September 22, 2018 at 11:23 am
        Reply

        @ Richard Allen & Anonymous,

        The prefs setting you both mentioned is present in WF as: about:config?filter=extensions.systemAddon.update

        It disappears if the word “enabled” is added to the string i.e. about:config?filter=extensions.systemAddon.update.enabled

      2. Anonymous said on September 22, 2018 at 6:28 pm
        Reply

        @ TeIV

        I don’t see a “extensions.systemAddon.update” pref in Waterfox 56.2.3 .

        The “extensions.systemAddon.update.url” pref exists in WF and points to an empty update.xml file on the waterfoxproject.com domain, so the default is good here, no need to blank it.

        The “extensions.systemAddon.update.enabled” pref is not in WF 56.2.3 as it was introduced in Firefox 62 I think, so it would be doubly useless to create it in WF.

      3. Anonymous said on September 23, 2018 at 10:36 am
        Reply

        Little correction : the update xml is on the waterfoxproject.org domain of course, not .com

    2. Anonymous said on September 22, 2018 at 6:45 pm
      Reply

      I just tested with the Firefox 62.0.2 update that in spite of this new FF 62 pref “extensions.systemAddon.update.enabled” that I had set on false, system extensions were all back in their folder after browser update. Including Pocket, Activity Stream, Form Autofill… The only solution is still to delete the folder content after every browser update. Nice one again, Mozilla.

  6. Dan said on September 21, 2018 at 8:27 pm
    Reply

    Mozilla, like a lot of other organizations, is very much enamored of the idea that if only they had collect-it-all perfect data on everything, all their problems would be solved and they could make optimal decisions and so on. Maybe that’s the case, but they also don’t seem to want to admit that data collection fundamentally conflicts with privacy. Not wanting to admit this has been the source of all sorts of attempted hacks and bodge-jobs at Mozilla and in many other places, attempting to “fuzz” the collected data a bit to preserve its statistical power while interfering with de-anonymization of it, or just making promises about how no, we totally swear we won’t be malicious with this information.

    Not that we’d have much of any recourse against them if they changed their minds and decided to do something evil. Which they’ve done before, remember how they pushed that “Looking Glass” addon a while back? They had a user base and they decided, hey, lets give them a steaming heap of marketing garbage, right in the browser. After the fact they didn’t seem very sorry that they’d done it. They seemed indignant that people were upset with them at all. So no, you bet I don’t trust them to have “telemetry” data, no matter how innocuous they claim it is.

    If they claim to respect their users privacy, which I don’t think they really do, they have to accept that they *can’t have perfect data*. You have to give up on that data-driven dream if you want to be anything more user-respecting than a completely totalitarian walled garden, because the user needs to be free to say “No, I don’t care what promises you make about this data, or how beneficial you say it is, I don’t want to share it with you.” You, Mozilla, just need to deal with that.

    1. John Fenderson said on September 21, 2018 at 9:51 pm
      Reply

      @Dan:

      The thing that made the Looking Glass debacle so bad wasn’t that there was a privacy violation (there wasn’t). It was that they abused the shield study mechanism (and therefore users trust) in order to engage in what amounted to advertising, then compounded the issue with the tone-deaf response — that, as you note, continues to this day.

      What it never did was collect or transmit any data about you or your use of your computer.

  7. John IL said on September 21, 2018 at 8:32 pm
    Reply

    Never was concerned about reporting crashes and sending telemetry for that. But a lot of telemetry like with Windows and some apps is way beyond just useful crash data which is what many find over kill and intrusive.

  8. Ayy said on September 21, 2018 at 8:56 pm
    Reply

    I’m guessing Mozilla is doing this because they are perhaps realizing, albeit too late, that the core of their argument for killing features “because the telemetry said it wasn’t used” is a stupid one. Privacy is one of the biggest selling points of the browser, if Mozilla can’t respect that and develop good software at the same time I fail to see the point in continuing to use it.

  9. Mikhoul said on September 21, 2018 at 9:09 pm
    Reply

    Mozilla = Telemetry/Spyware Factory 🤢

  10. K@ said on September 21, 2018 at 9:27 pm
    Reply

    Well, I dumped everything Mozilla, when they shifted to Quantum, or whatever it was. I won’t be going back. They’re beginning to make Google and M$ look ethical.

    1. John Fenderson said on September 21, 2018 at 9:45 pm
      Reply

      @K@: “They’re beginning to make Google and M$ look ethical.”

      This is just silly. Mozilla has earned plenty of legitimate criticism over these issues since they’ve changed their stance, but they’re certainly nowhere near as bad as Google and Microsoft. Saying they are is not only unfairly disparaging Mozilla, it’s also minimizing the issues with Google, Microsoft, etc.

      1. Richard Allen said on September 21, 2018 at 10:39 pm
        Reply

        Well said Mr. Fenderson.

      2. K@ said on September 22, 2018 at 10:43 am
        Reply

        I DID say “Beginning to”. i.e. They’re on their way to becoming that bad, if they carry on as they are.

    2. michlind said on September 21, 2018 at 11:50 pm
      Reply

      Google and “ethical” should never be mentioned in the same sentence.

    3. ULBoom said on September 22, 2018 at 5:18 am
      Reply

      Good for you.
      You went where? Found a browser more customizable than FF?
      Which one? I’d love to know.
      Element 24?

      1. Anonymous said on September 22, 2018 at 7:57 am
        Reply

        There is almost none(excluding Vivaldi). That’s why the users from other browse will also not move from their browser. Firefox right now doesn’t have anything unique compared to the competitors

    4. Anonymous said on September 22, 2018 at 10:44 am
      Reply

      It’s unethical precisely because Mozilla/Firefox is trusted by so many users for privacy reasons. For that tinfoil-hat portion of the internet population, privacy is a requirement for safety, and this one move alone defeats their privacy strategy in so many different ways.

      Not outright condemning Mozilla for this, but they might be chasing an impossible meta-telemetry dream: I predict that the fallout from this measurement technique will affect the actual numbers of people who use Firefox with telemetry off and on.

  11. Anonymous said on September 21, 2018 at 10:30 pm
    Reply

    In addition to creating toolkit.telemetry.coverage.opt-out, might want to look at deleting the broadcast-listeners.json file Firefox created in the profile folder on version 62. It was not part of the actual install but is created about 24 hours later as long as Firefox is opened. It then repeats that every 24 hours as long as it can.

    {“version”:1,”listeners”:{“remote-settings/monitor_changes”:{“version”:”\”0\””,”sourceInfo”:{“moduleURI”:”resource://services-settings/remote-settings.js”,”symbolName”:”remoteSettingsBroadcastHandler”}}}}

    The addons and extensions.json files follow the same schedule now. That is why the features folder with fxmonitor@mozilla.org and telemetry-coverage-bug1487578@mozilla.org keep silently come back.

    Probably have to change the about:config preferences for extensions.systemAddonSet and extensions.webextensions.uuids also as just deleting the features folder with fxmonitor@mozilla.org and telemetry-coverage-bug1487578@mozilla.org will automatically clean out the extensions.json of them but not the prefs.js file of their remains.

    user_pref(“extensions.systemAddonSet”, “{\”schema\”:1,\”addons\”:{}}”);

    and remove the following portion from extensions.webextensions.uuids, \”fxmonitor@mozilla.org\”:\”fc60f3d9-f46a-4c7f-8021-bb2fb44acb69\

  12. Clairvaux said on September 22, 2018 at 12:13 am
    Reply

    And here is Brian Krebs validating my often-made point that Firefox relies too much on extensions, for features which should be already present and polished in the core program :

    Browser Extensions : Are They Worth the Risk ?
    https://krebsonsecurity.com/2018/09/browser-extensions-are-they-worth-the-risk

    First we’re told : there’s an extension for that, and then we’re told : don’t use so many damn extensions.

    1. Anonymous said on September 22, 2018 at 8:01 am
      Reply

      This(and many prior cases) proved that WebExtensions did not increase security. The only thing gained from removing the legacy extensions are the limited capabilities.

      1. nonameforachange said on September 24, 2018 at 10:28 am
        Reply

        They also gained a major loss of users that only used firefox due to extensions giving features that mozilla does not understand people need and want.
        They also gained a major loss of extensions developers who got fed up with being abused by mozilla.
        They also gained a major hit in credibility and trust.

        Personally I had been pushing firefox to my clients for over a decade and got hit and bitten by mozilla forcing stupid change like this on users and had to explain that free software sometimes is not that good and apologize and lose time and money doing unnecessary support. I’ve since removed firefox from every client computer I maintain to avoid this happening again.

  13. SocialMediaGrandpa said on September 22, 2018 at 12:23 am
    Reply

    I don’t think this is necessarily malicious in any way, I just think it shows very well that currently Mozilla values your privacy exaxtly as far as they feel they have to until it interferes with what they want to achieve. They’re fine with disrespecting your wishes and privacy as long as they feel it’s for the greater good. Thankfully we can totally count on Mozilla to not ever do anything problematic, so nothing to worry about right? Let’s just give them the little finger, it’s not like they’d ever want our whole hand.

    1. Richard Allen said on September 22, 2018 at 2:54 am
      Reply

      LoL
      The little finger? I love it! :)

  14. neo said on September 22, 2018 at 12:34 am
    Reply

    *ALERT* Firefox/TorBrowser: Nasty MitM possibility with the blocklist service
    ——————————————-
    https://trac.torproject.org/projects/tor/ticket/22966
    ——————————————-
    Once a day the Firefox/Tor browser will do a call to the Firefox blocklist service. The URL of this endpoint is (extensions.blocklist.url):

    https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

    Example:

    https://blocklist.addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/52.2.0/Firefox/20170202030101/WINNT_x86-gcc3/en-US/release/Windows_NT%2010.0/default/default/34/34/1/

    1) The browser suppresses bad certificate errors on this URL
    The Firefox blocklist service suppresses bad certificates errors while downloading the blocklist.xml. In this way it is quite easy to setup a MitM attack and remove revoked certificates from the blocklist.xml

    (Proof of concept and Technical info within article’s top post)

    2) Mozilla is able to see Tor user specific information:
    There is a lot of OS/platform/browser specific information in the URL. So Mozilla has a lot of statistics about the Tor browser usage. Not necessary IMHO.

    APP_ID
    APP_VERSION
    PRODUCT
    VERSION
    BUILD_ID
    BUILD_TARGET
    OS_VERSION
    LOCALE
    CHANNEL
    PLATFORM_VERSION
    DISTRIBUTION
    DISTRIBUTION_VERSION
    PING_COUNT
    TOTAL_PING_COUNT
    DAYS_SINCE_LAST_PING

    The TOTAL_PING_COUNT (stored in extensions.blocklist.pingCountTotal) is also interesting. Because this number increments every time you start the Tor browser. (note: once a day). As you can see the number in the URL above is 34, what means that the Tor browser was started at least 34 times/days.

    Related tickets:

    Sanitize the add-on blocklist update URL
    https://trac.torproject.org/projects/tor/ticket/16931

    The default value of the extensions.blocklist.url preference is

    https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

    and sends detailed information about the operating system to Mozilla.

    However, Mozilla’s list of blocked add-ons and certificates is not OS specific, and updates just need

    https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/

    so that should be the default value of extensions.blocklist.url in Tor Browser.

    —————————————————-
    Tor Browser 8.0 sends OS+kernel+TOTAL_PING_COUNT in update queries to Mozilla

    – Tails 3.9, which ships with TB 8.0, is also affected.

    ######

    User report:[1]
    https://blog.torproject.org/comment/277375#comment-277375

    – Sanitize the add-on blocklist update URL
    https://trac.torproject.org/projects/tor/ticket/16931

    related, old, closed ticket (unresolved):

    – TBB-Firefox sends OS+kernel in update queries to Mozilla
    https://trac.torproject.org/projects/tor/ticket/6734

    related, old, closed ticket (also unresolved):

    – Nasty MitM possibility with the Firefox blocklist service
    https://trac.torproject.org/projects/tor/ticket/22966

    [1]: “TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/projects/tor/ticket/6734 without fix this privacy issue.

    From Ubuntu 18.04.1 LiveCD
    /v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/”

    “about:config
    extensions.blocklist.url”

    “Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB.”

    ######

  15. Darren said on September 22, 2018 at 3:34 am
    Reply

    Don’t they already have an idea? Most people have their browser at least checking their servers for updates or extensions.

  16. ULBoom said on September 22, 2018 at 5:34 am
    Reply

    “Mozilla revealed in August 2018 that it had no data on the number of Firefox installations with disabled Telemetry.”

    If they tell me how many installations (I) they have (each has a unique identifier) and how many of those send telemetry data (T), with the use of complex math, I-T, I’ll sell them the result.

    They somehow determined what number 1% of their users represents. I bet those smart guys already know lots of good stuff.

    Mozilla collectively needs to spend some time outdoors. This, that stupid logos for toddlers thing and the other tinfoil hat stuff they’ve come up with lately…

    1. user17843 said on September 22, 2018 at 8:50 pm
      Reply

      This is the relevant answer. Nobody can convince me they don’t already estimate this kind of data.

      But since they lost the connection to the real world, someone, during a meeting, probably said something significant like:

      “Wait guys, for years now we are making decisions solely based on telemetry because we stopped communicating with our lame community. What if most of our users don’t even use telemetry?”

      *silence*

  17. handsome butcher said on September 22, 2018 at 10:38 am
    Reply

    about:config -> telemetry

    set everything at false, blank out URL strings. this still won’t fix it.

    oh, and there’s a little sneaky fucker:

    devtools.onboarding.telemetry.logged

    even if you toggle it to false, when you relaunch FF, he might be re-enabled with ‘true’.

  18. John C. said on September 22, 2018 at 11:57 am
    Reply

    Given the way that Mozilla ignored all the complaints about Firefox 29 “Australis” interface, they pretty much do whatever they like without any concern about the effect it has on end users anyway. No, IMO they’re using telemetry for unacceptable purposes just like everybody else is doing. And when they make telemetry mandatory (yes, they are indeed headed in that direction, count on it) like M$ has done with their W10 spyware, I will go back to an older version of their browser and stay there.

    1. what her fox said on September 24, 2018 at 10:31 am
      Reply

      switch to waterfox it is exactly what you expect from the name.

  19. trebuche-memes said on September 22, 2018 at 4:36 pm
    Reply

    They are going to discover that the “vocal tin-foil hat wearing minority” are literally just that.

    1. Anonymous said on September 22, 2018 at 6:48 pm
      Reply

      “They are going to discover that the “vocal tin-foil hat wearing minority” are literally just that.”

      If only the knowledgeable minority could be silenced once and for all !

  20. Barnabas said on September 22, 2018 at 4:40 pm
    Reply

    I don’t really know what’s in this “harmless” data they’re collecting. So I turn it off. But then it collects megabytes of log and json files anyway. They need to come up with some other way to collect JUST what they need, no more, and reassure users it’s REALLY harmless and anonymous.

  21. Money said on September 22, 2018 at 5:20 pm
    Reply

    ITT: people trying all sorts of things to disable MozCo spying. How pitiful.

    thereisonlyxul.org

    1. Anonymous said on September 22, 2018 at 8:01 pm
      Reply

      I’m not sure that the first things I would insist on removing from Firefox are Rust, Servo or WebExtension support. WebExtensions suck because they’re inferior to classic ones, but removing them completely is just losing functionality. Also what’s so wrong with Rust and Servo to justify forking because of them ?

      1. Nightfall said on September 23, 2018 at 6:40 pm
        Reply

        FYI Basilisk has basic WebExtensions support.

        Nothing wrong with Rust or Servo, but UXP applications and its users are doing just fine without them, by using time-tested languages and technologies.

  22. Anonymous said on September 22, 2018 at 6:04 pm
    Reply

    Even with toolkit.telemetry.coverage.opt-out set to true and extensions.fxmonitor.enabled set to false, the profile features folder with fxmonitor@mozilla.org and telemetry-coverage-bug1487578@mozilla.org still come back every day.

  23. Anonymous said on September 22, 2018 at 6:27 pm
    Reply

    As long as it’s a once a year thing limited to as small a subset of users as possible, as long as IP is stripped properly (nothing more precise than country level), then fine.

    But it shall be the sole instance of this ever happening, the only measure that can be taken with telemetry off shall be the % of users having telemetry off.

    I think everything I said is the plan, so I’m fine.

  24. Steve said on September 22, 2018 at 6:27 pm
    Reply

    As long as it’s a once a year thing limited to as small a subset of users as possible, as long as IP is stripped properly (nothing more precise than country level), then fine.

    But it shall be the sole instance of this ever happening, the only measure that can be taken with telemetry off shall be the % of users having telemetry off.

    I think everything I said is the plan, so I’m fine.

  25. 420 said on September 23, 2018 at 1:09 am
    Reply

    I have not read through all the comments but this is how i disabled fxmonitor@mozilla.org and telemetry-coverage-bug1487578@mozilla.org

    1. about:config

    2. search for monitor

    3. modify extensions.systemAddonSet to {“schema”:0 instead of 1

    4. close firefox, open firefox and verify with ccleaner tools that they are disabled

  26. Anonymous said on September 23, 2018 at 9:12 am
    Reply

    What Mozilla wants is to always be at the top of the news like spyware do.

  27. Ross Presser said on September 23, 2018 at 6:06 pm
    Reply

    firewall block *.mozilla.org unless you’re using right that minute

  28. nochangeforaname said on September 24, 2018 at 10:29 am
    Reply

    reporting a typo in the article:

    > and so where other decisions Mozilla made in the past.

    and so *were* other decisions Mozilla made in the past.

  29. AnoreKnee Merce said on September 24, 2018 at 11:03 am
    Reply

    Estimated number of FF users with Telemetry set to OFF =
    = total number of FF users — the number of FF users with Telemetry set to ON.

    So, from the above simple maths of substraction, there is no actual need for Mozilla to sneakily preinstall this Telemetry system.addon on 1% of FF users.
    Btw, how did Mozilla arrive at this 1% figure.?

    1. John Fenderson said on September 24, 2018 at 5:04 pm
      Reply

      @AnoreKnee Merce

      How would they know how many Firefox users there are?

  30. privacynight said on September 24, 2018 at 12:39 pm
    Reply

    I’m wondering how this is in any way compatible with the recent RGPD, I hope someone will go to court against mozilla and drain them of their remaining cash flow putting an end to their long agony and freeing firefox from their grasping hands.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.