Hacker News new | comments | show | ask | jobs | submit login
Firefox tracks users with Google Analytics in the add-on settings (github.com)
230 points by kuschku 191 days ago | hide | past | web | favorite | 172 comments

Quick breakdown of what's going on here (I work at Mozilla, and have worked on the Add-ons site in the past):

The "Get Add-ons" view in Firefox is an iframe to a page hosted by addons.mozilla.org. AMO, as all Mozilla sites, use GA to collect aggregate visitor statistics. We negotiated a special contract with Google [1] to only collect a subset of data and that that data is only used for statistical purposes.

Google Analytics is only loaded when this view is loaded, and is not otherwise "inside" Firefox. I filed an issue [2] to make sure that our privacy policy is linked from the Get Add-ons view so users can be better informed.

Mozilla tries to walk a very thin wire to ensure that we have the data we need to make sure our products are working properly without being intrusive, and to let concerned users opt-out of even that baseline data collection.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14 [2] https://github.com/mozilla/addons-frontend/issues/2789

    The "Get Add-ons" view in Firefox is an iframe
Please don't hide behind technical details. If click something in the browser and it causes Google to be notified, then you have send data about me to Google. Without my consent.

    privacy policy is linked from the Get Add-ons view
Nobody reads those and you know it. The reason people use Firefox is to not get tracked by Google.

Honestly, you hugely fucked up with this one. You lost a massive amount of trust with me that took years to grow.

> Nobody reads those and you know it. The reason people use Firefox is to not get tracked by Google.

If you care about privacy, blind trust is never something you should have.

This has all the trappings of a mistake to me. A group of developers responsible for developing one area (the add-ons page), was not considering the impact it might have on another (the browser developers). Perhaps they should find a different solution, but it rings hollow to argue that a privacy conscious user shouldn't be expected to have read the privacy policy.

Someone submitted a PR to Mozilla to fix this, and the Mozilla devs closed it, arguing that Google Analytics does not count as tracking. See: https://github.com/mozilla/addons-frontend/pull/2787#issueco...

The TOR devs are fixing this part in their browser, and their comment was:

> Disallow `about:addons` unless the extensions directory is volatile, because regardless of what Mozilla PR says about respecting privacy, loading Google Analytics in a page that gets loaded as an IFRAME as part of an `about:` internal page, is anything but.

Check that issue again. Before you posted this they agreed and pushed the issue to the add-ons team. Do not track should turn off Analytics.

But that's not my point. As I said, they could well be wrong, but it's over the top to argue that it's Mozilla's fault for disclosing this in the privacy policy (which apparently no one reads). If you are so privacy conscious that this bothers you that much, the privacy policy should be required reading.

> If you are so privacy conscious that this bothers you that much, the privacy policy should be required reading.

No, this is something that by law I have to be informed about. And Mozilla has a reputation of working for their users, so I actually trusted them.

I do agree with you after this, the trust was misplaced, Mozilla is not any better than Google, NSA, MfS/Stasi or GeStaPo, just not giving a single fuck about privacy, but I did trust them before this, and so did many others.

In fact, people only used Mozilla products because of this trust.

There goes yet another example of Goodwin's law in action, but I'm not so glad for the arguably rash, overly emotional, and definitely not balanced analogy.

May I suggest that Mozilla stops walking a "very thin line" between telemetry and user privacy and instead walks beside a very thick line, on the side of user privacy. This incident has proven how easy it is to step off a very thin line into territory that your users are disgusted by.

Choose to walk the thick line and even if you stumble, you will not fall.

That’s all fine and nice, but how did Mozilla Legal approve this in the first place?

It’s obvious this violates both the so-called "Cookie Law" and the Google Analytics ToS, as both require any page with tracking to specifically tell the user that they will track the user. And the so-called "Cookie Law" goes even further, and requires it to be directly done in a modal.

How did Mozilla, a company saying they fight for privacy, approve something that does not even meet the absolute minimum bar for privacy, the actual privacy laws?

It's not "obvious" that it violates either of those.

The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites. And that's assuming a standard GA snippet, not the smaller subset of data Mozilla is collecting here.

And the GA ToS require you to have a privacy policy and to make users aware of it. It doesn't require a link on every page. You already agreed to the Mozilla privacy policy as part of the Firefox install process, right?

The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites

Do you have a good reference for this? Especially the "don't follow you across sites" seems weird as Google will end up collecting hits from the same IP/browser/etc combo across sites, which trivially allows following.

Found a source for this opinion. Here [1] are instructions from the Dutch Government's "Personal Data Authority" on setting up GA in compliance with their laws in a way that does (did?) not require an explicit notice. See [2] for an explanation in english

[1] https://autoriteitpersoonsgegevens.nl/sites/default/files/at... [2] https://www.iabeurope.eu/eucookielaws/nl/

TLDR: If you use the following code. You are fine to use GA without a notice under Dutch law.

ga('set', 'forceSSL', true); ga('set', 'anonymizeIp', true);

Thank you! This is really useful.

Be aware, this changes in 316 days, when the EU GDPR comes into force, and makes even for those cases opt-in required.

Opt-in via published policy or some silly explicit checkbox?

Opt-in via an explicit dialog, and, most importantly, you have to give the user the ability to select "no" and still use your website (in which case you aren’t allowed to do any tracking).

I don't know what firefox addon pages does (and i see they have a special arrangement) and am not taking sides but for IP at least there is an option partially scrub it before it gets to disk at Google.


Edit: what do we think?

> The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites

I don't know about following you across sites, but "PII" is a US legal term, so I highly doubt it's a determiner in applying EU law. GA may not collect PII under US law, but it does fall into EU data protection compliance.

The problem in the EU is the system of enforcement. EU directives require member states to legislate individually, and to enforce their own legislation individually. If that enforcement is deficient, the case can be taken to the ECJ on an individual basis (at possibly significant cost). This doesn't work. Which has motivated the creation of GDPR[0], but unfortunately this doesn't come into play until 2018

[0] https://en.wikipedia.org/wiki/GDPR

I'm not sure what the "Mozilla Legal" process is, but this thread[0] from 2012 seems to be a recurring source of authority on decision-making around this, from my reading of Bugzilla.

This is what tofumatt was referring to when closing this Github thread.

[0] https://groups.google.com/forum/#!msg/mozilla.governance/9IQ...

Given Firefox's pro-privacy positioning vs Chrome [1] and the fact that, by virtue of being in about: these requests get sent even if the user is browsing in private browsing mode or has extensions installed explicitly to block this kind of traffic [2] it's surprising the Mozilla employees in that thread are so keen to dismiss this.

[1] https://mobile.twitter.com/meatcomputer/status/8813107782251... [2] https://github.com/mozilla/addons-frontend/issues/2785#issue...

I can understand @tofumatt's desire to restrict that Github thread to the specific problem and its fix.

However, given Mozilla's recent advertizing attempts slinging mud at Google/Chrome, it seems like they're asking for their credibility to be shredded publicly, in the media. This is an important enough matter that it deserves immediate escalation, to get a clear and coherent response at the organizational level that is communicated convincingly to users. Anything short of that (especially a simple local bug fix) risks winning the battle but losing the war, as Firefox's fundamental selling point now seems duplicitous and disingenuous.

I sincerely hope that Mozilla/Firefox developers have the vision to recognize that, and consider this matter of utmost importance. All the features and technical improvements they might hope to ship in the next several months are irrelevant compared to this single issue.

To me, this debate is a great example of a situation where an organization must be guided by its core principles -- not by what seems convenient in each specific instance.

All the features and technical improvements they might hope to ship in the next several months are irrelevant compared to this single issue.

Which "single issue" is that then? That AMO is using GA (and has been for years)? Or that TP doesn't work correctly for the in-browser UI?

I'm going to have to disagree with you there.

They are both issues. My principal point is that they're all part of the same problem in the bigger picture, which is: Mozilla is breaking its privacy promises to its users.

1. Mozilla casts aspersions on Google/Chrome for not respecting users' privacy. (eg: recent billboard advertizements)

2. Mozilla doesn't respect users privacy because it uses tracking, that too third-party, that too from Google.

Pot -> kettle -> etc...

Mozilla risks losing credibility. What fundamental principles do they claim to stand for, if they're willing to compromise those for convenience?

Siloing the GA data that is obtained from Mozilla (required by the contract Mozilla has with Google) would stop the privacy-breaking aspects (which exist due to aggregating over sites).

But this may be a case where even though Mozilla is technically doing the right thing, perceptions will tend the opposite way. Without that statement in that old bug, most people would never know the Mozilla GA data is siloed.

Siloing, schmiloing. If the user has installed an extension that blocks Google Analytics, and you disable that extension, you're clearly ignoring the user's privacy choices.

WebExtensions are never active on about:* pages, that's a documented design choice not specific to content blockers or GA or whatever.

Note that old-style extensions do work and currently still block this.

The 2nd issue is huge, as are the 3rd and 4th issues:

3. that a part of the browser chrome (which is technically iframing a website, but should still meet user expectation of being a part of the browser) is tracking users who have explicitly opted out of browser telemetry.

4. that in-browser telemetry includes sending user data to 3rd-parties without that being explicitly consented to.

Tbh, AMO using GA is something I don't really find acceptable, and would much rather was phased out, but having been aware of it for so long, it'll hardly drive me away. Most importantly, I can block it with an addon (unlike this issue).

Really though, the crux of the issue here from a PR perspective is not any individual technical failing, but the really disappointingly dismissive attitude of the Mozilla devs replying to comments on Github and here. If an employee of Mozilla can't see the significance of this, I worry about Mozilla's adherence to it's own stated mission.

> That AMO is using GA (and has been for years)?

They should stop that now after this PR disaster.

@tofumatt's responses sound pragmatic but very tone-deaf given Mozilla's privacy stance. I feel like the only right answer here is to tie all of this into the telemetry opt-in and don't load GA if the user hasn't opted in.

The problem with that approach is that, many technically literate Firefox users will deliberately opt-in to Telemetry as a component of their support for a pro-privacy product.

Telemetry actively benefits development of Firefox, and a pro-privacy user will want to strategically share their data with entities they trust in order to row back against the tide of entities that they do not trust.

Frankly, Mozilla are shooting themselves in the foot by sending any data from any of their products or web properties to their primary competitor.

The problem here is that GA is quite frankly Telemetry For Websites.

Frankly, Mozilla are shooting themselves in the foot by sending any data from any of their products or web properties to their primary competitor.

This ship sailed a long time ago. Mozilla negotiated stricter privacy in their contracts with Google, and Mozilla Legal clearly believes Google will uphold those agreements despite it being a competitor.

> This ship sailed a long time ago

You may be right, but I hope not. The fact Mozilla negotiated stricter privacy in their contracts is a step in the right direction, so this shows some desire to improve. It needn't be the final step.

Beyond that, there are other areas where there's been similar change. The Mozilla Stumbler project, for example, is explicitly designed to improve user choice in a privacy-sensitive area dominated by a Google service; a service that was embedded in Safari, Firefox and Opera 12 (Presto) for a long time without users being aware their browser was phoning home to Google.

I would hope this GA fiasco could someday be similarly resolved with enough user pressure.

But it begs the obvious question, why use Google Analytics at all? If it's just about gathering statistics there's several non-invasive ways to acquire that data.

Apparently it's an awesome product. I stopped using it myself because I didn't want to deal with EU cookie notices, which is why I'm surprised to see claims here they are compatible with EU cookie laws.

Sending these requests with TP enabled (i.e. in private browsing) is a plain bug as far as I'm concerned.

Granted disguising things as a bug is also one of the sneakier and better ways to implement the feature if that was the intent to begin with ;-)

Given that the discussion in the issue is "hey let's use DNT/tracking protection as a signal to not load this", assume we're looking at a reasonable mitigation here and that this was at worst an oversight.

It's more that the people implementing and reviewing the feature (cough) didn't expect about:* pages to end up loading frigging Google Analytics.

Google Analytics T&Cs[0] make it explicitly clear that users must disclose to visitors that they use it. "You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data."

I know many people ignore it just like with all the other "I agree" check-boxes that pollute websites, but it is a breach of the Terms to sneak it onto your site or service.

Mozilla just launched a new podcast called "IRL" and in the first episode they warn people about all the creepy third-party tracking out there[1]. To listen to the podcast you have to allow third-parties to track you, and there is no privacy policy on the website to warn you.

It's actually a good podcast episode and I recommend checking it out.


[1]https://irlpodcast.org/ , https://twitter.com/tombrossman/status/883972350387134464

To be fair, there's a link to the Mozilla Privacy Policy at the bottom of every add-on page, that explicitly states that they may use analytics (and even names Google Analytics).

Currently there is no such link at the bottom the discovery page, this is still an open PR, and was created as response to this thread.

Additionally, this still violates the Cookie Law.

> The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with “clear and comprehensive information”, in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given his or her consent. The regime so set-up can be described as opt-in, effectively meaning that the consumer must give his or her consent before cookies or any other form of data is stored in their browser.

Does that mean that I could sue Mozilla?

Potentially. I recommend you check with your Landesdatenschutzbeauftragter, in Schleswig-Holstein, that’d be the https://www.datenschutzzentrum.de/ (you can send them E-Mail via GPG), and discuss that with them. Additionally, you might get help from the Verbraucherzentrale.

You agree to that same Mozilla Privacy Policy when you install the browser. It's linked from the browser's About screen. There's no requirement it be on every page.

What about Firefox coming preinstalled in Linux distributions?

Interesting comment by Gorhill from the above discussion:

>> I thought web extensions couldn't block that content.

> I just ran a couple of tests, and I believe you are correct.

> Legacy uBlock Origin can block the network request to GA.

> However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.

> What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.

> This is what I have observed, hopefully this can be confirmed by others.

Sounds like a bug to be filed. I'd encourage people to try the webext versions of those add-ons so we can catch things like this in time for 57.

I installed the latest Firefox Aurora (55.08b), latest uBlock0.webext.xpi and a MITM proxy.

uBlock WebExt does not block GA.

I added a specific filter for the GA domain, but still uBlock failed to block again.

Unrelated, I noticed Firefox also made a connection to aus5.mozilla.org which sets cookies named _ga and _gid.

Doesn't block it generally, or doesn't block it for the "Get Add-ons" page?

The latter is expected. The former isn't. In any case you should report this to the author, not here.

How do I get the webextension version of uBO?

  As I mentioned in #1107: we will not be 
  removing analytics support entirely. It 
  is extremely useful to us and we have 
  already weighed the cost/benefit of 
  using tracking.

Ew. Firefox, I am ashamed to know you.

That bugged me a lot too. The weight of the cost of user privacy should be infinite so, unless they found an infinite benefit, the choice should have been clear.

Deleted based on similar response below.

"Which browser should I use"

Will take a look, thanks, first time I've heard of brave.

Pale Moon

okay, finally bit the bullet and blocked it in hosts file.

The Google Analytics scripts runs on a page that appears to be a system/UI page in Firefox, when you search for new add-ons. The response from Mozilla about Piwik being too much work is concerning.

The optional NoScript add-on does stop this script from running, even on that page. You'd have to configure NoScript to block Google Analytics. I, for one, globally block Google Analytics scripts.

Incidentally, I also block third-party-site Google.com scripts, but that is harder on websites like Hacker News, which will sometimes send for a Captcha check that only completes successfully with Google.com enabled in NoScript.

[edit: I am using the legacy add-on, which Mozilla I guess will disable in November 2017]

NoScript only blocks it if you use the legacy add-on – WebExtension addons can’t block requests from about: pages. Which makes this even more annoying.

It's worth knowing that Mozilla negotiated an opt-out with Google around the re-use of this (and other) Google Analytics data


I'm not sure I understand the "opt-out" they negotiated with Google. Is this a user-level opt-out? Or did Mozilla convince Google to silo the Mozilla data?

From the linked bug, it sounds like the data is silo-ed and no user opt-out is needed.

Yet, they don’t even ask the user if the data should be sent to Google Analytics. Not even a cookie notice.

I'm not sure why you're being downvoted (unless Mozilla does indeed provide this information).

All sites using Google Analytics are supposed to inform the user according to Section 7 of the GA ToS: https://www.google.com/analytics/terms/us.html

Just because "no one else does it" and Google turning a blind eye towards violators doesn't mean they're not violating the ToS.

If they negotiated a special contract regarding what data is collected, and where and how it's stored and used by Google... What exactly makes you think that ToS has any relevance to the relationship between Mozilla and Google?

AFAIK almost no US based website does this, even if they are using GA.

As a European this is annoying, but one has to ask itself the question if Mozilla should willfully disadvantage itself here.

Does Mozilla not have a presence in the EU?

It has some subsidiaries, AFAIK. I don't know how the legals work there.

I was going to say Google does the same, but an actual clean profile shows that Google.com shows a banner "A privacy reminder from Google" on first use.

Howdy all, Kev Needham here, and I'm the Product Manager for add-ons. I want to make sure everyone understands that we're going to be making changes.

Some parts of Firefox populate the content of some “about:” pages (like about:addons) from web-based sources. Thanks to your comments, we better appreciate how users may not know that content in those pages can come from a web service, and can use third-party analytics. We don’t like to surprise our community, and are disappointed that we did.

It's always been important for us to use Google Analytics and other analytic services in a way that meets the expectations of Firefox users. We have taken great care to ensure that our partnership with Google is structured so that they are prohibited from creating user profiles from our website data, or from tracking users across other websites. We also need to help ensure that we are clear where Mozilla products and services make use of those services.

We want to make sure we follow our “no surprises” rule (https://www.mozilla.org/privacy/principles/) , so we are exploring solutions that inform our users about how these pages in Firefox use web content and analytics tools - and provide our users with tools to better control the data that may be sent. We’ll be making changes in the near term, and will publish updates as we make progress.

I hate these public bugs that blow up. They always turn into these dumb dogpile rants from uninformed users. Tofumatt's doing a good job, but they should really lock this bug report from commenters before it gets out of hand.

>dumb dogpile rants...

Pot meet kettle

You're comment hasn't added any value to the conversation, it's just a rant.

Thing is... he's right, though, and it IS rather on topic. Public bug trackers only function as long as the peanut gallery doesn't decide to descend. Once it DOES descend on an issue, the issue often becomes a cluttered off-topic mess of ill-informed nastiness.

Just look at any Mozilla bugzilla issue addressing Linux video acceleration, as an example.

For an extreme example, see the Android bug tracker. It is hopeless.

> Just look at any Mozilla bugzilla issue addressing Linux video acceleration, as an example.

Can you provide a link?

> You're comment

Need to thank you though, for adding value.

>You're comment hasn't added any value to the conversation, it's just a rant.

I disagree, his meta-analysis of how these conversations tends to go adds to the conversation by making us all aware of trends bigger than this one story.

Your post criticizing him, however, seems to add nothing to this conversation.

I, on the other hand, am contributing by rejecting your baseless assertion and supporting the meta-analysis of the on-topic topic, that comment threads about public bugs tend to be low quality.

I'm also supporting the topic materially, if you catch my drift.

What browser should users opt for if they want performance, broad compatibility with websites and absolutely no tracking/analytics? Preferably open source and cross platform.

Firefox is a good one. They're clearly implementing a fix for this bug.

I guess I'm interested in browsers who's developers wouldn't have done this in the first place - a browser which has privacy as a core principle and who's develop we wouldn't consider pushing any data, regardless of aggregation or commercial value, to a third party without explicit consent..

To be blunt, you're not going to find one. Developing a modern browser is extremely difficult, on the order of developing an entire operating system. Mozilla does respect privacy rights, and it is clearly treating this as a bug to be fixed. You're going to have to cut them some slack for not being 100% perfect always.

The fact they thought this was a good idea to begin with speaks volumes about their actual position.

They really didn't actively think it was a good idea. They changed the discovery tab to be a web page, which as the github repo linked by the OP will show you, is now handled in the same repo (by the same people) as the AMO website proper.

It was a mistake, and not as huge of one as people are making it out to be. As they have repeatedly pointed out, their GA contract makes it essentially a non-issue, unless you believe Google is so obsessed with tracking that they will violate their contract with Mozilla.

I disagree. I think people who believe in protecting their privacy can also be OK with Google Analytics processing, anonymizing, and aggregating the data. I also understand why someone would not feel that way. I think it's something about which reasonable people can disagree. This is why Mozilla provides the option[1].

[1] Which is, incorrectly, not being respected. This is a bug which they will fix.

"performance, broad compatibility with websites"

These are things which are greatly helped by having good analytics (Telemetry for the browser, analytics on your sites). You have to realize that to some extent these goals aren't mutually compatible. Developer resources don't appear out of thin air, even for open source software. Note how in the threads Mozilla explicitly acknowledges alternatives to GA.

I opt(ed) in to Firefox Telemetry for this reason (and will in future if this bug is satisfactorily fixed). I did not expect that would mean sending my data to 3rd parties I don't trust.

Your comparison is a false equivalence, because it's not about telemetry vs privacy, it's about consent. If Mozilla devs adhered to the ethos of the company they took a job at they simply would not have implemented this feature.

It's only a false equivalence because you just moved your goalposts from "no tracking/analytics" in the original post to consent.

If Mozilla devs adhered to the ethos of the company they took a job at they simply would not have implemented this feature.

It looks as when the problem was reported, this was in fact the reaction: make it respect DNT. Using GA by itself rose no red flags because Mozilla has a privacy-enforcing deal with Google about it.

I'm not sure what you mean by moving goalposts? I was mainly just discussing my own expectations, but also, it looks like the above comment from davb that you replied to did discuss consent.

> Using GA by itself rose no red flags because Mozilla has a privacy-enforcing deal with Google about it.

I saw that, and I guess that legal contract may appease some people. Personally, I would rather not have to trust a company with a well-earned reputation for breaking the law when it comes to respecting users' privacy. I would rather they spent the time they invested into negotiating that contract on self-hosting instead.

Maybe the solution is for everyone bothered by this to disable Firefox Telemetry on their computers. There's also the "submit feedback" menu option.

>> broad compatibility with websites

> a browser which has privacy as a core principle

Sorry, but sad truth is, those two things are mutually exclusive.

The modern web is all about running pieces of code. Websites give you a code and expect you to run it (or they'll break). You can throw in some heuristics (e.g. blacklist known offenders and replace them with do-nothing shims) and try to keep up with the ever-changing world, but here is just no way to have this guesswork as a core principle and expect things to not break.

Wouldn't it be possible for a browser to implement js but simply not implement any functions that can be used to track you?

Yes, but by "functions that can be used to track you", you're including user accounts, logins, forms, surveys, &c.

The term "tracking" has become abstracted to a point where many forget that they usually want to be "tracked" (by hitting "reply" here on HN, YCombinator is "tracking" who I am - user account - and what I've written).

If you'd be happy with a browser exclusively to view public, static content, then it could be done.

For selectively disabling tracking, you need uMatrix[0], but a component of the Firefox bug being reported here is that the extensions API used by uMatrix is failing to block GA in this particular case.

[0] https://addons.mozilla.org/en-US/firefox/addon/umatrix/

> Yes, but by "functions that can be used to track you", you're including user accounts, logins, forms, surveys, &c.

These are not javascript functions. All of these can be (and are) implemented without JS.

> but a component of the Firefox bug being reported here is that the extensions API used by uMatrix is failing to block GA in this particular case.

uMatrix and uBlock Origin fail to block GA only when using their web extension versions.

Firstly, it's not entirely clear how big this subset is, and not implementing known parts of it for sure breaks the web.

What's the status of blocking third-party cookies again? (cries)

Like not implementing cookies, LocalStorage, screen resolution info, font enumeration, canvas, WebGL, WebRTC, etc etc?

It's probably realistically possible to disable those with the existing browsers. Problem is, that will also break sites that expect you to have all those available. And it's said that there are too many of those (I never saw a proper analysis, though)

Just consider: there are sites (one of my favorite pizza delivery sites does that) that break if you just block Google Analytics ga.js (or their newer versions, whatever they're called) scripts. Just because they have stuff like `_gaq.push` hardcoded into click handlers and if those raise exceptions, they fail.

Firefox has an extension called "self destructing cookies" that implements those the way they should be done everywhere.

There is absolutely no need for font enumeration. A browser can decide do download fonts it does not have from the site (what will indeed open it to some tracking), or use another cache (with other, different tracking possibilities). But any way it chooses, it just needs to cache the fonts locally to avoid most of the tracking.

There's no reason for local storage to permit 3rd party tracking. WebRTC was a mistake, and WebGL although well meant is so complex that will never work well.

A lot of out javascript signature could be simply removed without any ill effects.

it just needs to cache the fonts locally to avoid most of the tracking.

Caching is one of the ways of tracking you. If site A says it needs some custom font, the browser will have to download it. If then site B (affiliated with A) asks for the same font, and the browser loads it from cache instead of asking site B, then it knows that you've been to site A.

Cookies are still needed for site logins so it would be quite difficult to get rid of them, it would be possible however to enable them only for the sites that you are planing to log into.

As for local storage, I only needed it for some greasemonkey extensions. Do legit sites actually use it?

> font enumeration, canvas, WebGL, WebRTC

I have all of these disabled for the last 2 years or so actually and I don't feel like I miss anything. Only a few non-important sites need these.

> Just consider: there are sites (one of my favorite pizza delivery sites does that) that break if you just block Google Analytics ga.js (or their newer versions, whatever they're called) scripts. Just because they have stuff like `_gaq.push` hardcoded into click handlers and if those raise exceptions, they fail.

I think that uBlock Origin avoids that if you have the experimental filter enabled.

You need localStorage to login in your mozilla account - I block it and lost access to my account.

IMHO this should be blocked by Tracking Protection.

The general policy at Mozilla – which I'm pretty sure addons.mozilla.org follows (given https://github.com/mozilla/addons-frontend/blob/28410742c206...) is that we don't use Google Analytics on websites if you have Do Not Track on.

It's a little less clear here because we're embedding a website into an interface that appears to be part of the browser, which is why there was a suggestion by a maintainer in the first response that we should use both Do Not Track and a Firefox data collection flag. But the Do Not Track preference is just as well-exposed as other flags, so I doubt that would have an effect on many users who would object to this tracking (who are very likely to have turned on Do Not Track).

The discovery.addons.mozilla.org page does not respect Do Not Track, but as a result of the thread, someone just made a PR to implement that feature: https://github.com/mozilla/addons-frontend/pull/2787

Currently, no matter what privacy settings you set, you are being tracked, without being informed about it, without opt-out. This is likely even illegal in the EU.

The pull request was closed without merging


That facepalm hurt. Honestly, what the fuck are they even trying to do? This has to be the most mis-managed situation I’ve seen yet.

Use separation of concerns.

Block ads / tracking outside the browser, eg using a hosts blacklist: https://github.com/StevenBlack/hosts

This allows you to use any browser. I've found Firefox to be buggy and slow on OS X so I use Chrome. It's great on Windows though.

There is https://github.com/Eloston/ungoogled-chromium and also the tor browser.

There is also netsurf and dillo but they are not as compatible due to the lack of js and incomplete css support.

> performance, broad compatibility with websites and absolutely no tracking/analytics

Pale Moon (not too cross-platform), qutebrowser (if you're fine with Webkit and keybindings).

Mozilla mismanages Firefox for several years, and dropped Thunderbird. I can't use Firefox even for dev work anymore because of too many regression bugs and newly introduced UI annoyance and removal of classic addon-API, etc. The Rust/Servo movement is good, but Firefox needs badly a reboot/lightweight fork.

I suggest to have a look at Iron browser (open source Chromium with phone-home stuff patched out) or Chromium build in general (with curated settings or stuff patched out yourself). And Vivaldi (reminds one to older Opera UI) is quite good, though closed source.

At this point, you need to take things into your own hands and modify your hosts file:


Ironically Mozilla does not allow third-party developers to include Google Analytics in any way shape or form in a Firefox Add-on.

Users who care about privacy are, quite literally, the only demographic that cares about Firefox at this point. The numbers clearly say that. I'm not even remotely versed in how to run a business, but in what twisted universe does it make sense to alienate us?

I put up with Firefox's single threaded nonsense for years, with their outright refusal to properly implement hardware acceleration for Linux, and with their clearly inferior performance. And now I find out they've got Google Analytics on a page where uBlock Origin can't even block it (at least not post FF 56), and that doesn't even respect my telemetry settings (which I've obviously disabled). Every decision they've made lately seems to be targeted at gaining the attention of people who clearly couldn't be arsed to get off Chrome if they proved it gives you cancer, instead of making it better for people who are keeping it afloat.

Congratulations, Mozilla. You've put a whole bunch of us out on the lookout for a replacement. Enjoy your descent into obscurity.

What's your preferred alternative browser? Serious, I haven't found one I like yet.

A fork like IceCat or Pale Moon?

The main reason I use and recommend Firefox is that I don't trust Google to respect user privacy. I'm sure I'm not alone in that. Mozilla has violated user trust here, and the responses to the bug report are very disappointing.

Any other recommendations for privacy-respecting, open source browsers? This seems like a good time for a competitor to earn some market-share.

If you are using Linux check out Eolie or Poseidon:



  As I mentioned in #1107: we will not be 
  removing analytics support entirely. It 
  is extremely useful to us and we have 
  already weighed the cost/benefit of 
  using tracking.
“The Party seeks power entirely for its own sake. We are not interested in the good of others; we are interested solely in power, pure power.”

Mozilla Developer also mentioned:

  Actually, @muffinresearch pointed out we could probably just observe Do Not Track here, 
  because this pane is actually a web page loaded in an iFrame inside the browser page. 
  That might be faster to ship. Just thinking aloud :smile:

  I'm definitely for giving users the option to disable this.
“Power is in tearing human minds to pieces and putting them together again in new shapes of your own choosing.”

- 1984, George Orwell.

I don't know how many incidents like this is needed before people realized Mozilla is not the angel it used to be.

When were they angels?

Don't forget the "bug" where Google's supercookie was un-deletable https://bugzilla.mozilla.org/show_bug.cgi?id=1008706

1) This bug is INVALID. Several people tried to reproduce it and failed.

2) The indicated cookie (from bug 1026538) is a cookie sandboxed for privacy reasons and NOT your real Google cookie. It broke the cookie manager exactly because it was sandboxed.

So tell me, what do you mean by using quotes around "bug"?

It's called FUD.

I don't mind if they take analytics--as long as it's on a completely Mozilla controlled server with a tight privacy policy.

> We won't use Piwik. Mozilla uses Google Analytics for website analytics. Hosting our own is more work for a worse product.

Hi Mozilla, Piwik team here. Would you mind explaining what you found worse in Piwik VS Google and reporting your feedback to us, so we have a chance to improve and in the future to see Mozilla use Piwik to track users, rather than Google?

Opt-in by default seems so often an admission that not enough would go out of the way to enable it, and that they don't have enough faith in the importance of thr item in question as to introduce install/update friction and just ask users what they want.

Notice: The mods just changed the title from "Firefox secretly tracks users with Google Analytics in the addon settings" to "Firefox tracks users with Google Analytics in the add-on settings"

@mods: The "secretly" was used to signify the fact that Mozilla does not inform users about this fact, their Privacy Policy does not cover it, and at no point does any page, modal, or disclaimer tell this.

The Privacy Policy seems to only cover '"personal information" means information which identifies you, like your name or email address."' So it's not surprising it doesn't mention GA.

The Firefox privacy policy is more explicit, but this is actually on a Mozilla page (which you can reach from other browsers), so I'm not sure it's relevant.

It’s not just a webpage, considering the browser automatically accesses it without me specifically navigating to it.

And discovery.addons.mozilla.org has no privacy policy, no legal notices, no disclaimers at all either.

Yeah, I don't disagree. The increasing usage of web pages in the browser UI has made this problematic and is what caused the root problem here in the first place.

I’d argue the root cause is more that Mozilla is willing to trade away privacy for developer convenience. That they made this decision in the first place, without anyone at Mozilla saying "maybe we shouldn’t do that", is very concerning w.r.t. privacy in the rest of the browser.

Even on a Mozilla webpage I wouldn’t expect to see Google Analytics, but instead something like Piwik.

I’d argue the root cause is more that Mozilla is willing to trade away privacy for developer convenience.

Oh, not arguing that. Even with Google out of the picture entirely, Telemetry is a nice example. But I'd argue it is needed to stay relevant as a browser. So it's not a good counterargument to Mozilla's decision here.

You can see from the relevant bugs that GA vs Piwik and such were certainly considered, so people are definitely thinking about "maybe we shouldn't do that". In the case of GA, it ended up with required data silo-ing on Google's side.

For some people that won't be enough.

> For --some people-- all firefox users that won't be enough.

The only reason people use Firefox nowadays is because they don’t trust Google. The intersection between "Trusts Google not to abuse data they get access to" and "uses Firefox" is the empty set.

Nah, as is evident by the amount of Firefox users that still have Google as their search engine.

It's a false equivalence. There is a difference between trusting Google not to abuse data they legally guaranteed not to abuse (Firefox), versus, well, pretty much plainly saying your data will be used, and knowing that the product has many features which make the tracking more pervasive and invasive (Chrome, Google Accounts, etc).

I'd love for Mozilla to not use any Google stuff at all, but I'd also love a pony.

Maybe because Firefox ships Google as default?

Speak for yourself.

I fully expect Google to abuse any data they think they can get away with. But I also expect Google Legal to make sure that Google adheres to the contracts they sign, and in this case they have a contract with Mozilla that requires the GA data to be silo'd. While I'd feel better if Mozilla didn't use GA at all, I also understand why they do use it, and I'm not going to pillory them over it.

Honestly this has never been secret. It's even in the configure flags to enable/disable it. So you van easily disable it as you wish.

There's a page on the wiki aboit various forms of data collections [1]. It os pretty descriptive of the information they send.

[1] https://wiki.mozilla.org/Firefox/Data_Collection

> There's a page on the wiki aboit various forms of data collections [1].

The page you linked to starts with "Firefox sends various data back to Mozilla".

Nowhere does it say "Firefox sends various data back to Google Analytics" on that page.

This is probably a better page, as the original one linked is indeed for sending data to Mozilla. This one also talks about "service providers": https://www.mozilla.org/en-US/privacy/firefox/

Though it also doesn't mention GA.

They're failing their own requirements though (IMO) by not respecting the "no telemetry" flag, and by not disclosing the use of Google Analytics.

Telemetry not associated with GA is generally considered to be different from telemetry collected via GA.

The question is, will you be informed about it if you only read the information that is directly linked, or shown to you, when downloading, installing, and running Firefox?

No. That’s the big issue.

You have to actively search out if Firefox tracks you to find out that this happens. That’s pretty secret.

I don't disagree with you that the information can be made more easily available. I was just responding to it not being a secret.

As an aside it suprises me that this is so blown up today (while tracking shipped a long time ago). Many complaining users will even comment or share this via their Chrome browser, which is far worse than Firefox (still not saying that Firefox is doing everything right here :) )

I did a check of the traffic sent to various "extra servers" for both Chrome and Firefox, using Wireshark, some time ago.

After I learned that Firefox sends data to3rd party servers pretty much like Chrome, and that I was able to turn it off in Chrome, I've been staying with Chrome, as it is at least usable, performance-wise.

The worst part of this is, this also applies to the Tor Browser, and might potentially help Google to de-anonymize Tor users:


Why would this allow de-anonymization? Does the request not go through the Tor network?

I changed the wording of my post, but generally, the Tor Browser uses NoScript to block Google Analytics anywhere to improve security, and this page circumvents that, allowing Google Analytics to be loaded. This provides significantly more tracking information than if no GA script was ever loaded.

Additionally, that page has special access to allow installing addons, or removing them, and the Google Analytics script might be able to abuse that to install an addon that leaks your data.

You'd still see an installation doorhanger.

Fore sure, this will leak info you'd rather not, but I see no evidence it allows de-anonymization. If it did, any custom tracking NoScript doesn't know about would defeat Tor.

And that's not the case.

The issue is less random tracking, but that from 57 on no addon can block this, and that it runs in a privileged context.

Proposal: What about passing &track=false in the URLs to AMO/mozilla.org when user opted out from tracking in Fx settings / browses in private mode? And on server side, do not embed GA script in such case.

Simply respecting DNT (which is the fix that was proposed) works out to the same.

Overall, I don't mind Mozilla having these data but I'm more concerned with Google by extension having them too, that, is unexpected.

A browser vendor who peddles privacy and uses "not google chrome" as its selling point, decides to track its users and sell the data to google. Hackernews absolutely explodes, as it considers tracking evil (unless its them doing it). The rest bikesheds on privacy policy and nothing of value was lost.

Waterfox has a patch that disables GA tracking: https://github.com/MrAlex94/Waterfox/commit/d3e9b4534ab9069e...

Ugh. If Mozilla needs the data then they need to build their own service for harvesting it. Involving Google for this is not acceptable, opt-out or not.

I would argue for this on the GitHub issue but they would rather silence all opinions than work around the ill informed ones.

> Legacy uBlock Origin can block the network request to GA. /gorhill

uBlock Origin is no legacy, but probably one of the best options. Glad to see so much contempt from Moz leadership.

Legacy in this case is just referring to the API that was used to build the add-on. Also I assume you realize gorhill (who posted this sentence) is the person who created uBlock Origin, he is not a Mozilla employee.

As a long term Firefox user, I am totally shocked.

They are probably adding a new section in their privacy policy right now that includes the mess they made.

I find it quite amusing how the new web extensions are unable to block this in comparison to the "legacy" ones. https://github.com/mozilla/addons-frontend/issues/2785#issue...

I am really wondering why they want to replace xul addons with the web extension ones when they are so weak compared to the xul ones?

>when they are so weak compared to the xul ones

To many, I suspect that is the prime intent.

So far, the only difference I have noticed is that some useful add-ons that made Firefox significantly more attractive than some other browsers no longer work.

The single biggest loss for me personally has been the ones that would save unsubmitted form content in case of crashes, accidental window/tab closure, etc. When I checked recently, there no longer appeared to be any add-on available that provided this valuable functionality.

Also Tree-Style-Tabs is no longer supported. TST arranges the browser tabs in a vertical hierarchy, which has the dual benefit of logically arranging the tabs themselves and providing more vertical space (important on a 16:9 aspect ratio monitor).

There are sidebar tab WebExtensions, including one rudimentary one which supports tree indentation.

I even contributed to one this morning that is quite attractive, called Tab Center Redux.

FYI, there's another one called Tab Tree that works reasonably similarly. The original TST seemed not to be an option some time ago, but the alternative seems OK.

Without elaborating on opt-in or opt-out, there is one clear fact: A user that has telemetry disabled has clearly stated that he does NOT want to "Share performance, usage, hardware and accusation data about your browser with Mozilla". https://support.mozilla.org/en-US/kb/share-telemetry-data-mo...

If you do this add-on tracking despite this option is turned off, this is a clear breach of trust. If I have this option off, then I expect that exactly such a tracking of usage and customization like described above is NOT happening.

This seems more and more common with desktop software. Any way in which we can poison the collected data? Just turning it of does not seem harsh enough.

Tofumatt wrote "we will not be removing analytics support entirely. It is extremely useful to us and we have already weighed the cost/benefit of using tracking."

Which reads a lot like "they are giving us a pile of money to breach your privacy, so to hell with you."

They aren't giving out money, they're giving out a free service (GA). If they gave out money at least that could be used to set up a replacement :-)

More like "it is really critical that we understand how users engage with our product and we need a solid way of tracking that. GA is practically an industry standard."

And the cookie notice is also an industry standard, so that I know on which sites to use uMatrix to manually block the scripts.

I didn't expect that I'd have to do that on an about: page.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact