Firefox Focus privacy scandal

Discussion in 'mobile device security' started by TheWindBringeth, Feb 12, 2017.

  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    https://www.ghacks.net/2017/02/12/firefox-focus-privacy-scandal/
    Emphasis is mine. For more info, including opt-out instructions, click through to:

    Send anonymous usage data from Firefox on mobile devices
    https://support.mozilla.org/t5/Prot...ata-from-Firefox-on-mobile-devices/ta-p/37739

    Edit: Appears to affect Firefox for Android, Firefox for iOS, Firefox Focus, and Firefox Klar to different degrees. A quick search turns up *.adjust.com endpoints. So that is one domain to look for in captures/logs.

    Edit2: Thanks for the move moderator. Forgot we had a mobile forum now.
     
    Last edited: Feb 12, 2017
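Added example, not part of the original posts: one way to look for the `*.adjust.com` lookups mentioned above in a resolver log. It assumes dnsmasq-style query lines (as a Pi-hole or router might write); the sample log lines, the `sub` hostname and the client addresses are constructed for illustration.

```python
import re
from collections import Counter

# Domain named in the post above; subdomains are matched by suffix.
WATCHED_SUFFIXES = ("adjust.com",)

# Assumed log format: dnsmasq query lines, "query[TYPE] name from client".
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def normalise(name):
    """Lower-case a hostname and drop a trailing root dot."""
    return name.rstrip(".").lower()

def matches_suffix(name, suffixes=WATCHED_SUFFIXES):
    """True for the domain itself or any subdomain, on a label boundary."""
    name = normalise(name)
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_hits(lines):
    """Count watched lookups per (client, hostname) pair."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_suffix(m.group("name")):
            hits[(m.group("client"), normalise(m.group("name")))] += 1
    return hits

# Constructed sample input; the last two lines must not match.
SAMPLE_LOG = """\
Feb 12 10:00:01 dnsmasq[412]: query[A] sub.adjust.com from 192.168.1.23
Feb 12 10:00:02 dnsmasq[412]: query[A] www.mozilla.org from 192.168.1.23
Feb 12 10:00:05 dnsmasq[412]: query[AAAA] Sub.Adjust.com. from 192.168.1.23
Feb 12 10:00:09 dnsmasq[412]: query[A] notadjust.com from 192.168.1.40
Feb 12 10:00:11 dnsmasq[412]: query[A] adjust.com.example.net from 192.168.1.40
""".splitlines()

if __name__ == "__main__":
    for (client, name), count in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{client} queried {name} {count} time(s)")
```

Matching on a label boundary keeps look-alike names such as `notadjust.com` out of the results, and grouping by client shows which device on the network made the lookups.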
  2. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Just like factChecks.org, who will fact check them?
     
    Last edited: Feb 12, 2017
  3. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    63,776
    Location:
    U.S.A.
    You're welcome! Take care.
     
  4. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    Mozilla denies report that Focus collects private user data.

    https://www.bleepingcomputer.com/ne...hat-firefox-focus-collects-private-user-data/

    The data includes an advertising ID. <== :blink:
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Never allow a telemetry/analytics developer to enter your home. They will walk off with things without asking, and if caught, spew BS excuses. But you invited me into your house! But you handed me that piece of silverware at dinner! But this doesn't actually have your name on it!

    Simply put: their value system is broken and they can never be trusted.
     
  6. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,588
    Location:
    USA
    Well said. There are devs who are not what they appear to be.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Of course :( As you likely know, the telemetry/analytics people always gravitate towards collecting one or more unique identifiers (in addition to IP Address) so they can more accurately identify the target and associate information about the target. Often using fingerprinting techniques as a supplement and/or fallback where IDs are blocked.

    Even the US FTC, which is soft on related industries and players, acknowledges the threat posed by this and warns about representations:

    https://www.ftc.gov/news-events/blogs/business-blog/2016/04/keeping-online-advertising-industry
    Mozilla?
    Emphasis mine.
     
    Last edited: Feb 14, 2017
  8. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    So little is said about the advertising ID. Developers sold us out on this. It is not just Smartphone Apps, Windows 10 automatically assigns an advertising ID to each user on a device tied to the email address that's on file. Using that ID, the company can tailor ads for web-browsing and using certain applications.

    There is a saying: 'Watch the organ grinder, not the monkey'. But in this case it is the monkey that you need to watch.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I don't think I've heard of an OS that supports presenting a different advertising ID to different apps (has anyone?). Which means that even third-parties... especially those that develop SDKs that get integrated into many apps and phone data home to their own service (which is what we are talking about here)... could associate information from multiple apps running on someone's device.
     
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks for posting this TWB and thanks for the link emmjay. Wow what a read. If they do this to mobiles, who is to say they won't do it to DT's etc. How sad that Mozilla keeps going down this slippery slope - it seems to be just one thing after another with them. It is typical now for people like this to just lie and deny or flat out contradict themselves. With this cat and mouse game I must confess I still have to rely on the best method possible. "Pull the plug where necessary" (meant in a broad sense). Right now I'm contemplating what the heck I'm going to do about updating my old G2 cell phone when that becomes redundant, probably later this year. It has no camera etc and is ancient but it does all I need. I know so little about all the implications these newer phones present and of course my big concern is privacy.
     
  11. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Advertisers are pushing because Firefox blocks ads.
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    To a degree they already are via Mozilla's own telemetry sending/receiving system. Which you know of, but some info here (note the use of a client ID). But some factors led them to use this third-party analytics SDK and service for their mobile builds. Rather than (or is it in addition to?) use their own existing code/system (trimmed down and/or adjusted as necessary). I also wonder if such or similar factors could, at some point, lead them to use a third-party SDK and service for non-mobile versions too.

    Does someone here know the "Adjust SDK/service" backstory and/or have handy links to where its use was debated? I don't expect it to change the basic equation... Firefox telemetry/analytics should be opt-in rather than opt-out, and when someone is opted-in their data should be well protected from third-parties... but the Adjust SDK/service discussion, or lack thereof, might tell us something.
     
  13. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Yes about the telemetry settings. (BTW, love your analogy about not letting "them" enter your home)
    The worst thing is default settings and a close second is nebulous terminology. When telemetry settings are allowed by default, most people are NOT going to go through their browser settings to turn them off and chances are they won't give a second thought to the word telemetry either. Maybe a little OT but still relative - I don't know about later versions but the telemetry panel on my (DT) version is buried and requires many (potential) clicks for someone who doesn't know their way around the settings, and not many less for those who do. Whatever the platform, imagine if FF was upfront about their intentions and made those highly visible. Instead of the "data choices" tab what about "how we spy on you" and after clicking that tab, how about "switch this off if you don't want us to spy on you" instead of telling us all about how it's going to improve everything.

    This "over time" stuff REALLY gives me the creeps and the thought of sites slowly aggregating info on you is a huge turnoff.

    Taking into account I don't code or understand developers language I still hover around the boundaries of this area and I'm still interested as to what actually happens between the browser and the website where other local hardware identifiers are given out. Are these UIDs solely dependent on javascript being allowed?

    In the general scheme of things my stance is still the same - if in doubt leave it out. That means I start with a default deny approach. I always have javascript off, and only allow it on a case by case basis when absolutely necessary - likewise with first P cookies. 3rdPC's don't even get a look in. I would sooner back out of a site and move on if it won't show itself with the settings I have. I don't see ads. Good. Can't stand them anyways. I don't need fancy graphics when all I want to do is to read something. If the page doesn't render properly but I get the text, I'm good with that.

    In light of recent posts with this cross browser fingerprinting I'm beginning to see the sense in having different hardware for different sites as one method to help with compartmentalization.

    Opting out is a reprehensible practice. Broadly speaking it is part of the ongoing erosion of our privacy online and off, and financial gain isn't the only (sinister) reason for its use. They make it as inconvenient as possible in that YOU have to expend the effort to stop what you never asked for in the first place. Clean out cookies, you'll have to do it all again. That's not on my list of things to do. The sneaky thing about it is sites count on the fact that almost no one is going to be bothered with this stupid tortuous process so by default they potentially have another piece of the puzzle on you. Opt outs should be outlawed. It definitely should be opt in.

    People have become so lax about their privacy, they're moving toward the concept of the whole internet as just one big happy family and so it's just get with it, get onboard and go with the flow - ultimately - who cares about 3rd parties. How sad. One day it's gonna bite people hard.

    Edit: will have to take another route to see your link TWB as my current way blocks mozilla.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    LOL, they should be ashamed of themselves. It's really sad that you can not even trust the so called "good guys" anymore.
     
  15. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,588
    Location:
    USA
    It's the "New normal".
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Yes it's sickening, you can not even trust a lot of popular security and privacy tools anymore. Yes they might protect you from others, but it's them doing the shameless spying. I think there should be made new laws against this, because it's getting out of control.
     