The Firefox Browser is not as private as you may think – especially on iOS and Android. Mozilla recently announced that they would be allowing any Firefox user a means to request Mozilla to delete stored telemetry data that is tied to said user. Mozilla maintains “strict limits” on how long they store this logged telemetry data, but any duration is too long if the telemetry data can be associated with an individual Firefox browser instance on a particular IP address through a government request. Sure, the collection of this telemetry data can be turned off, but the vast majority of Firefox users are not using Firefox with telemetry turned off, and are therefore incredibly vulnerable.

The change by Mozilla comes as a result of the California Consumer Privacy Act (CCPA), a state law which came into effect at the turn of the new year. 2020 is a year of clear vision, and we get to start it off with the revelation that Firefox stores telemetry data in a way that can be traced back to an individual user. After all, how else would Mozilla be able to delete just your telemetry data upon request? To answer this question, Privacy Online News reached out to Mozilla and a Mozilla spokesperson explained how the telemetry data is associated with your browser instance:

“By default, Mozilla collects limited data from Firefox to help us understand how people are using the browser, such as information about the number of open tabs and windows or number of webpages visited. This does not include data that can reveal sensitive information about users’ activity online, such as search queries or the websites users visit. The data collected is associated with a randomly generated identifier that is unique to each Firefox client. We refer to this as a clientID. That clientID is not linked to you personally or any sensitive data (for example to your name or phone number) but to your local Firefox software installation. It is never shared with third-parties. Full public documentation about this data collection, including the identifier, can be found here. When users choose to delete their telemetry, the Firefox browser will submit this identifier to Mozilla and we will then delete data on our servers associated with this ID.”

Specifically, when you request your telemetry data be deleted from Mozilla’s servers, you do so by sending a “deletion-request” ping which by virtue of how internet pings work, includes a timestamp, your IP address and your unique client ID – as confirmed by Mozilla. That is all the information that’s needed to tie your telemetry data back to your specific browser instance.

Mozilla confirmed to Privacy Online News that all this data is stored, but they don’t seem to consider it a privacy issue because they are stored separately. A Mozilla spokesperson explained how the IP address of all telemetry pings, not just the deletion-request ping, is stored:

“Mozilla does initially receive the IP as part of telemetry technical data. The IP is then stripped from the telemetry data set and moved to an environment with restricted access for security and error review purposes only. By moving the IP address into this restricted environment this de-identifies the collected telemetry data.”

Firefox stores your telemetry data in a way that can be tied back to you

While the fact that Firefox collects telemetry data may be well known to some security minded researchers, and even viewed as acceptable because of reasons such as “debugging,” it is quite the revelation that Mozilla actually maintains this data in a way that is matchable to an individual user’s IP address that is requesting said data be deleted.

Mozilla even tried to downplay the impact of their privacy decision, saying in their announcement:

“To date, the industry has not typically considered telemetry data “personal data” because it isn’t identifiable to a specific person, but we feel strongly that taking this step is the right one for people and the ecosystem.”

While it is arguable that telemetry data isn’t technically “personal data” when it is viewed on its own without other information; however, if there’s a way to link a given set of telemetry data to a particular Firefox browser instance and IP address – and Mozilla just revealed that there is – then that telemetry data all of a sudden becomes the most personal of data.

What does Firefox telemetry data include?

According to the Mozilla wiki, telemetry data includes all the information needed to answer the following questions:

How long does it take Firefox to start?

How long does it take Firefox to load a web page?

How much memory is Firefox consuming?

How frequently do the Firefox cycle collector and garbage collector run?

Was your session successfully restored when you last launched Firefox?

Reading into the questions, the technical pieces of data that Firefox needs to store to be able to answer these questions become apparent. Stay tuned to future posts from Privacy Online News that will dive into the Firefox codebase to showcase what constitutes telemetry data stored by Mozilla in association with your Firefox browser instance. For a preview, simply type about:telemetry into your Firefox browser. For Android and iOS versions of Firefox, parts of this telemetry data – and more – are also shared with a third party company called Leanplum.

What is Leanplum and why is it on Firefox for iOS and Android?

Firefox on the popular mobile operating systems iOS and Android has even larger privacy concerns beyond the telemetry data that is stored by Mozilla. Leanplum is a mobile advertising company that also receives your personal information, courtesy of Mozilla. According to Mozilla Firefox’s support website:

“Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor, which has its own privacy policy. This data allows us to test different features and experiences, as well as provide customized messages and recommendations for improving your experience with Firefox.”

Mozilla sends information to Leanplum under the guise of testing different features. More information, also from Mozilla’s support team, gets into the specifics:

“Leanplum tracks events such as when a user loads bookmarks, opens new tab, opens a pocket trending story, clears data, saves a password and login, takes a screenshot, downloads media, interacts with search URL or signs into a Firefox Account.”

The horror story continues:

“Leanplum receives data such as country, timezone, language/locale, operating system and app version.”

More specific information on what Leanplum collects from your mobile Firefox browser can be found from the Leanplum privacy policy, which Mozilla defers to in their own support text possibly because it’s so heinous:

“[…] we automatically collect certain information, which may include your browser’s Internet Protocol (IP) address, your browser type, the nature of the device from which you are visiting the Service (e.g., a personal computer or a mobile device), the identifier for any handheld or mobile device that you may be using, the Web site that you visited immediately prior to accessing any Web-based Service, the actions you take on our Service, and the content, features, and activities that you access and participate in on our Service. We also may collect information regarding your interaction with e-mail messages, such as whether you opened, clicked on, or forwarded a message.”

The opening up of a privacy option to allow all users (not just Californian users) to delete telemetry data reveals a deeper, darker truth: that the popular browser actually keeps track of telemetry data in a way that can be connected back to your specific browser instance and IP address. Revelations like these are exactly what should be occurring after proper privacy laws are written, passed, and enacted. Just with this revelation, arguably, the CCPA has already done so much more than the GDPR for internet privacy. Firefox is not the privacy conscious browser that it has been masquerading as. Not on the desktop, and certainly not on mobile.