Closed Bug 1003609 Opened 8 years ago Closed 7 years ago

Privacy considerations for Stumbling (as enabled by Settings > Mozilla > Mozilla Location Service)


(Firefox for Android Graveyard :: General, defect)

Not set


(Not tracked)



(Reporter: garvan, Assigned: garvan)



(Whiteboard: geolocation, mozilla location services)


1) Limit on how long stumbling data is stored. 

How long do we store data on the device in the case the device has not had a batch upload opportunity? Two weeks seems sufficient. We will lose the stumbling data of some users no matter what time window we chose. 

2) Encryption of the stumbling data.

Should we encrypt the data we are storing? The data that is being stored is far less sensitive than most other data stored on the device (private documents, banking, personal emails, etc.). Would a user who has opted-in to stumbling be concerned about short-term stumbling data? The stumbling data has no device ID, the timestamp is only the current month; we consider the data we are storing to have low privacy implications.

That said, we do have Settings > Privacy > Use master password, which when enabled gives us a straightforward method to encrypt data on the device.
Version: Firefox 32 → Trunk
Hi, I added you to the cc list for this bug, which was created when bug 1001211 got split out to separate issues. I agree with your first point (re: deleting old data).

I agree in principle for the second point, although it was explained to me that we have a built-in encryption system (using Firefox's "secret decoder ring" service). The data is decoded locally on the device, then sent through HTTPS to the MLS server, so it should be an equally secure method. The counter argument is that it is only enabled when a user enables the 'Master Password' setting in Fennec. Moreover, someone who is concerned about that level of device security might also be concerned about sharing stumbling, and choose not to share data. 

Thanks for the feedback!

(In reply to rdandu from bug 23456, comment #53)
> If for some reason the data is not uploaded after a certain time, we should
> delete it from the device (eg: after 30 days). This is to prevent data from
> being forever, if the device never gets an opportunity to connect.
> The data should be temporarily saved in a manner unaccessible to other apps.
> Encryption can work: Data is encrypted with MLS-server-public key. Only
> MLS-server-private key can decrypt it.
Oops, that was supposed to say: in reply to rdandu from bug 1001211, comment #8
Comment moved here from [:hannosch] on bug 1001211, comment #9:

For encryption, I'd avoid it in the initial work. If we data is only stored for a short time on the device, the potential leakage of private data is minimal. And other apps on the same device can already collect the same data. There are enough apps where users are either willing to grant location access to them, or many users who will just blindly accept any permissions an app asks for.

There's also a question of transparency vs. privacy here. A user should be able to inspect and verify the data we collect here. For MozStumbler we want to make sure users can export this data and analyze it themselves or contribute it to other projects. That use-case isn't quite as important for the more minimal data gathered in Fennec, but transparency vs. privacy is still a valid concern.
Do we really thing that this is not a big deal? iOS was caught with their pants down,
It is a big deal, worthy of careful consideration. Hanno has a good post about the privacy considerations in light of what other companies do: I probably should have put than earlier.

Please try to be specific so we can address your concerns.
Closing, as I am not aware of any outstanding issues here, and we have been through privacy and legal reviews of MLS in the past year.
Closed: 7 years ago
Resolution: --- → FIXED
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.