Disable telemetry and data collection in mozilla Firefox Quantum (2018)
chefkochblog.wordpress.comMozilla people - this is a serious issue. If you want to champion privacy, you NEED to have a big red button that says "nothing gets sent out" and you NEED to have an end-to-end test to make sure Firefox respects it.
Why? Like, seriously. Telemetry is useful, and I am more than happy to provide them with some useful metrics so they know what to improve on - since I can’t really help with the code itself, since it is an insanely huge project.
It’s not like they use it to build a profile of you, as goddamn chrome does.
I feel that whatever Mozilla does can never be good enough for some people, even though they are one of the most important players in the “fight” of OSS. Just think about it, linux is only usable as a desktop OS because most of the desktop apps migrated to the web - and firefox is the only free browser that is actually capable, as well as the only engine that is not google-controlled. We should support them as much as we can.
It annoys me that Mozilla and Firefox are held to an almost impossible standard by this community, whereas others get a pass on behaviour that's far more intrusive. These posts seem to be lacking entirely in perspective. That doesn't mean that Mozilla can't be criticised, but ffs, don't blow minor issues out of proportion.
Impossible standard??? Not collecting information users have not explicitly consented to is the fucking baseline.
Software that sends surveillance data of user activity without first obtaining the user’s consent is malware, silently acting against the wishes of the user, co-opting their hardware and network to work against them to benefit a remote party.
It’s great that you consent. In that instance it is fine. Many do not, and to proceed with the assumption of consent should be a crime.
What is done with the data is irrelevant. Spying without explicit consent is the problem.
It’s not like they use it to build a profile of you, as goddamn chrome does.
Eh? Says who? Them?
So many times, companies have lied, cheated, made excuses. So many times "we don't", then they do.
So. Many. Times.
So I should just trust Mozilla, because... well, why?
And this doesn't even take into account new corporate owners, leveraging existing data in a new way. Or rogue elements in corps, employees stealing data for profit, or even data leakage due to misconfigured servers.
These thongs have all happened.
Corps have left dumps of entire client databases, credit cards, id, on open portals!
Over and over, again and again, we have been shown, never ever trust anyone with your data. Ever.
The client is open source (and you can go to about:telemetry to see for yourself what it’s sending), the server side is open source, and much of that data is publicly accessible at https://telemetry.mozilla.org
imho telemetry is more often than not used to neglect common sense
The preference controlling whether telemetry is sent anywhere is "datareporting.healthreport.uploadEnabled". The other telemetry settings are just about what telemetry modules are enabled to collect telemetry data locally (which you still can view with about:telemetry, but will not get send when you disabled "uploadEnabled"). [1]
Disable "datareporting.healthreport.uploadEnabled" and Firefox will not send telemetry data around. But users cannot be expected to mess around in about:config, right? That why there is a checkbox in the Firefox preferences just for this. In the Privacy & Security tab.
Also, when you create a fresh Firefox profile (e.g. when you use it for the first time), it will open their privacy policy page, with a somewhat hidden button that brings you straight to those checkboxes. I don't like that it's a bit hidden now by default, and they could do better there (and actually did better in the past, where there was a very visible popup asking you about this stuff).
As for "they should test this!": Right, and they do have unit tests[2].
[1] https://firefox-source-docs.mozilla.org/toolkit/components/t... [2] https://searchfox.org/mozilla-central/source/toolkit/compone...
Don't they have exactly that already for telemetry? You can go to the preferences and turn it off instead of using about:config
Apparently this still leaves a boatload of telemetry options switched On.
I had the Preferences option Off for years and yet there was a laundry list of telemetry options enabled in about:config.
This is shady as fuck if you pardon my French. Completely unacceptable.
No, it doesn't: https://news.ycombinator.com/item?id=25057424
No. They even install an additional telemetry service that runs independently of Firefox.
Only on Windows I believe. Every time Firefox is updated, it installs back the "Firefox Default Browser Agent" in the Task Scheduler.
And FWIW it’s not just a “telemetry service.”
Agreed. This is probably one of the fastest way to loose users in 2020.
I'm all for this functionality but if the said users go to Chrome because "Firefox has no privacy" this is ridiculous. Firefox is our best browser in this domain, let's not kill it by complaining indefinitely on it.
> Firefox is our best browser in this domain
Best is irrelevant - it's not good enough.
Article is from January 2018.
And Mozilla has lost a lot of users since then. Coincide? I think not.
What are you going to switch to? Chrome? Sure, it would be nice to have an easy switch that disables all telemetry, but let's not forget that every other major browsers collects far more data, and the most popular browser steers you toward to storing your entire web and location history on their servers as soon as you log into your email account. Kinda puts non-identifying information about Firefox's performance into perspective, doesn't it?
agree
agree
A related anecdote: Firefox disabled ALSA support because their telemetry showed nobody was using it, but it turned out that the kind of people who use ALSA are also the kind of people who disable as much telemetry as possible:
https://chuttenblog.wordpress.com/2020/11/05/data-science-is...
Disabling telemetry is like refusing to register to vote: you minimise the chance of people doing bad things to you, but you also minimise the chance of people doing good things for you. Maybe that trade-off is worth it for you, maybe it isn't, but don't complain that the trade-off exists and don't get annoyed that other people choose differently.
More like refusing to vote if it can't be done anonymously. That said, I have telemetry turned on in my personal browser because I trust Mozilla not to abuse my data.
At work I handle more sensitive data and there it's turned off (the basic stuff, without diving into about:config to make it completely silent).
On the other extreme, I also use Firefox during security assessments. My browser making noise on a network where I'm not supposed to be detected is not something I can have happen. Removing all URLs and disabling all telemetry settings in about:config used to be enough, but recently they added a new system and that URL doesn't seem to be in about:config, I guess it's hard-coded. With covid-19 our on-site assessments are on hold anyway, but sooner or later I'll need to disable that either in Firefox itself or in the proxy configuration (on localhost, which logs any requests I make).
> More like refusing to vote if it can't be done anonymously.
It's already anonymous, no? Of course if you consider a CGNAT IP address not-anonymous then nothing can help you.
The definition of personally identifiable information, as I recall it, is info for which there exists a party that can trace it back to a person. Just because I can't find your name using your social security number doesn't mean that your SSN is not PII, because there exists a party that knows whom this SSN belongs to.
Similarly, it's not as if CGNAT is an anonymisation technology. Crooks would love it: download and upload whatever you want and nobody can ever tell it was you! No, ISPs log who used which IP and port at which time.
Processing the IP address and port number is essential for TCP to work, and even if you don't store it and filter it on your network's edge, it's still covered by privacy law–technically. A judge might not award you damages, but technically the processing (not storage) of personal data is also covered by privacy laws.
Of course, if they don't store it then I would consider it anonymous. The question to me is what they do with the data. But it's not correct to assume that it's anonymous just because you share an IP address with others, or to assume that everyone has CGNAT. Where I live a personal address is the default.
You are conflating separate things. The fact that your ISP can match an IP/port pair to a person doesn't make Mozilla's IP based telemetry "personal data".
So it is the privacy conscious people's fault for opting out? Hard disagree. If moz://a implements bias in their feedback loop that is on them.
> even after you disable these options, Firefox still collects and sends data to servers
I am surprised, for a product that claims to be privacy focused to behave in this way. I am a Firefox user and have not disabled telemetry since I think it can help Firefox and I trust them no to do anything wrong with it. But I would have expected that unchecking the telemetry option would actually disable telemetry.
I know there are a lot of people hanging around here looking for a business idea or a side project with some potential, so here's one idea:
Create a customized version of Firefox that:
- has support for removing the top bar when tst or something similar is installed. It should probably be possible to disable/reneable it using a menu option and an optional toolbar button.
- actually disables all telemetry when you try to disable telemetry
- optional but recommended: a "getting started wizard" where you select your preferred search engine, if you want to install TST or Sidebery, and if you want to set memory consumption to sane defaults.
- otherwise works exactly like Firefox
- Charge $50 a year, possibly more.
I'd probably sign up immediately.
Questions:
Q: what if Mozilla finally gets it and implements this?
A: Fine, just go to the next thing they broke.
Seems like someone would earn exactly $50 from doing that
I can't be the only one to miss old Firefox features and UX without wanting to leave behind all improvements we've seen the last few years on security, support for new standards and also performance.
Although I haven't used them - there are several other firefox forks like waterfox or the tor browser that support privacy/anonymity
waterfox claims:
* Telemetry is removed
* Data collection is removed
tor goes much further
I've tried those a couple of years ago, but aren't they still based on older versions of Firefox?
My idea here was taking the latest version of Firefox and just fix the worst problems. I'd still pay for it.
Needs (2018) in the title.
Is there anything these preferences disable that isn't disabled by unchecking the three boxes (telemetry, experiments, crash reports) in the regular Privacy & Security tab of the Firefox preferences?
FF has a default link that it checks for capture portals on wifi networks. I think that it must be turned on all the time, though something in the about: pages might turn it off.
Right, captivedetect.canonicalURL: http://detectportal.firefox.com/success.txt
Tho that isn't mentioned in the article, and I'd be surprised if mozilla collects any data there (other than something like a hit count).
Of course, there are also the update checks, both for Firefox itself and extensions (both not mentioned in the article either, and probably a bad idea to disable this functionality unless some external source like a package manager does the updating for you).
To see what the telemetry actually entails, go to about:telemetry. It looks like enough for fingerprinting, but doesn't seem to include websites visited. A bit more info here: https://www.zdnet.com/article/firefox-now-shows-what-telemet...
> It looks like enough for fingerprinting
No fingerprinting required.
Telemetry > General Data > Id is a GUID. ClientID is also a GUID.
You can clear the latter in about:config and it sticks, but clearing the former causes it to be regenerated on the restart.
> doesn't seem to include websites visited
I mean, that would be China++ level surveillance. Of course it doesn't include what sites you visited.
Of course, but some people seem to be reacting as if that's what's happening, and knowing which sites problems occurred on would be useful for a browser vendor to know.
Alright, this is a click bait, misleading title, the title should be:
"How to disable all telemetry and data collection in mozilla Firefox Quantum"
It doesn't seem like click bait or misleading [1]. Maybe it's changed in the last few minutes? Adding "How to" and messing with the capitalisation doesn't seem like an improvement.
[1] Currently "Disable All Telemetry and Data Collection in Mozilla Firefox Quantum"
The point is hadding "how to" nothing about capitalization ..
Firefox is lame in this respect.
I've gone through countless iterations trying to turn stuff off, but it still makes all kinds of requests.
I had to block it with Little Snitch.
On the other hand, plenty of other "privacy focused" companies are worse (apple is horrendous).
Does anyone know if this is still an issue in 2020?
It is. Telemetry turned off, all URLs removed from about:config, still making requests to "buckets/monitor/collections/changes/records" at the domain firefox.settings.services.mozilla.com (spotted this one in my proxy while trying to do a website audit).
Are you certain that is related to telemetry, and not a request for one of Firefox's other services?
It constantly pings the servers with my IP address, timestamp, and user agent if nothing else. They can see where people are over time. I was busy so haven't looked into what it's sending (just exempted the domain from interception for the duration of the audit), but in the EU and IP address with timestamp is personally identifiable information.
Was this fixed given that the story is from 2018?
I don't think the claim that Firefox sends telemetry even after disabling it in the preferences has ever been true. It will still contact Mozilla servers for other reasons, like retrieving lists of malicious add-ons or checking for updates, but it won't send telemetry.
Here's an example of Firefox sending telemetry even after users disabled telemetry: https://www.ghacks.net/2018/09/21/mozilla-wants-to-estimate-...
There's a lovely irony in that article being littered with double click ads
At least those can be blocked by extensions.
Any idea why option to edit 'toolkit.telemetry.enabled' is disabled?
Yes, read: https://firefox-source-docs.mozilla.org/toolkit/components/t...
That preference has nothing to do with actually sending data to the mothership:
If I let someone into my space and they carry out a bunch of shit, they,re not coming back in ...
Then let a bunch of rabid wild animals in your place, as that is what the only alternative is (every chromium based browser).
Also, it is a click-bait, out of date article without much truth to it, don’t believe everything you read online
Article is from 2018 (thanks Fnoord)!
Ooh, now do Chrome!
Quite impossible without extensive sourcecode changes. Where FF has extensive user-configurable flags in about:config, Chrome is just a totally unconfigurable blob.
There's a reason X-Client-Data telemetry being sent to DoubleClick servers in Chrome browsers is undisclosed to users, hard coded and impossible to disable.