Artificial truth

The more you see, the less you believe.


Mozilla is still screwing around with privacy in Firefox
Sun 23 September 2018

Mozilla is, again, screwing around with private data from its users, even those who explicitly opted out:

The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry.

The blogpost was signed by Marshall Erwin, Director of Trust & Security, who's apparently confident in asserting that this spyware doesn't send a "client identifier", while it does actually send information about my operating system along with my IP address (yes, when one makes an HTTP request, the server always knows the IP address of the client) and my Firefox version: how are those not "client identifier" material‽

This is what the addon looks like:

picture of the addon installed

NO MEANS NO, Mozilla, I do not want to share my data with you. Heck, how is this even remotely GDPR-compliant‽ The only way to opt out is to create a new configuration flag, as "documented" in a comment, buried in your bugtracker:

The only other thing to test here is that this extension has a special boolean opt-out pref: "toolkit.telemetry.coverage.opt-out". This pref does not exist by default and must be created, if set to true then the extension should not send a payload as above for users in the 1% sample (such as the Telemetry client ID above will be)
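One way to create that pref in every profile, as an added example that is not part of the original post or Mozilla's code. It assumes the usual Linux profile root `~/.mozilla/firefox`, treats a directory containing `prefs.js` as a profile, and writes to `user.js`, which Firefox applies at startup; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: set the telemetry-coverage opt-out pref in every Firefox profile.
# Assumptions: profiles live under "$HOME/.mozilla/firefox" (usual Linux location)
# and a directory is a profile when it contains prefs.js.

PREF='toolkit.telemetry.coverage.opt-out'   # pref name quoted in the bug comment

# ensure_optout PROFILE_DIR
# Makes sure PROFILE_DIR/user.js sets the pref to true. Firefox applies user.js
# at startup, which creates the pref even though it does not exist by default.
# Returns 0 if the file was changed, 1 if it was already correct.
ensure_optout() {
    userjs="$1/user.js"
    want="user_pref(\"$PREF\", true);"
    if [ -f "$userjs" ] && grep -qxF "$want" "$userjs"; then
        return 1
    fi
    tmp="$userjs.tmp.$$"
    if [ -f "$userjs" ]; then
        # Drop any existing line for this pref (e.g. set to false), keep the rest.
        grep -vF "\"$PREF\"" "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\n' "$want" >> "$tmp"
    mv "$tmp" "$userjs"
    return 0
}

# optout_all_profiles [ROOT]
# Applies ensure_optout to each profile under ROOT; prints how many were changed.
optout_all_profiles() {
    root="${1:-$HOME/.mozilla/firefox}"
    changed=0
    for dir in "$root"/*/; do
        [ -f "${dir}prefs.js" ] || continue     # not a profile directory
        if ensure_optout "${dir%/}"; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Usage (with Firefox closed):  optout_all_profiles
```

Running it a second time reports 0 changed profiles, so it is safe to call from a login script or configuration management.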

Mozilla's blog is bitching on Facebook and bragging about how Mozilla is taking privacy seriously, being transparent and stuff, but for dog's sake, installing a spyware, err… a debug addon that doesn't even show up in the regular addon tab, without telling me anything, to snitch if I explicitly disabled telemetry precisely because I don't trust Mozilla not to engage in this kind of shady behaviour is a whole new level of dickery.

No, I don't want to leak details about my Linux distribution, nor at what time I'm using my browser, nor my kernel version, nor my IP address to you, just because I'm using your browser. But when I say you, it actually includes other parties, like Amazon:

$ dig telemetry-coverage.mozilla.org

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14082
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;telemetry-coverage.mozilla.org.    IN  A

;; ANSWER SECTION:
telemetry-coverage.mozilla.org. 3599 IN CNAME   telemetry-coverage.r53-2.services.mozilla.com.
telemetry-coverage.r53-2.services.mozilla.com. 300 IN CNAME telemetry-coverage-1699465515.us-west-2.elb.amazonaws.com.
telemetry-coverage-1699465515.us-west-2.elb.amazonaws.com. 60 IN A 52.35.158.214
telemetry-coverage-1699465515.us-west-2.elb.amazonaws.com. 60 IN A 54.149.226.167
telemetry-coverage-1699465515.us-west-2.elb.amazonaws.com. 60 IN A 34.211.98.172

;; AUTHORITY SECTION:
us-west-2.elb.amazonaws.com. 157 IN NS  ns-1475.awsdns-56.org.
us-west-2.elb.amazonaws.com. 157 IN NS  ns-1769.awsdns-29.co.uk.
us-west-2.elb.amazonaws.com. 157 IN NS  ns-332.awsdns-41.com.
us-west-2.elb.amazonaws.com. 157 IN NS  ns-560.awsdns-06.net.

$

This is absolutely not OK, Mozilla.