Created attachment 8936291 [details]
telemetry-disabled.png

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce:

1. I noticed that I have lots of
~/.mozilla/firefox/*.default/datareporting/archived/*
~/.mozilla/firefox/saved-telemetry-pings/*
which is strange because I have all reporting disabled (see attached screenshot).

2. Then I searched the web for info and found these 2 sources:
https://www.ghacks.net/2015/11/09/how-to-disable-the-firefox-saved-telemetry-pings-and-archive-folder/
https://stackoverflow.com/questions/28410049/how-to-disable-firefox-promt-firefox-automatically-sends-some-data-to-mozilla-s

Firefox 52.5.0 ESR
openSUSE 42.3

Actual results:

Checking my settings I find that:
datareporting.healthreport.service.firstRun = true
toolkit.telemetry.unified = true
toolkit.telemetry.archive.enabled = true

Expected results:

1. As a FOSS Firefox must respect user privacy. By default any data reporting must be disabled.
2. If the user says "No" to data reporting one expects no data will be sent (and home directory will not be filled with unnecessary data) without the permission and knowledge of the user.
I am not an expert in telemetry, but I will assign a component to this issue in order to involve the developers team and get an opinion.
Component: Untriaged → Telemetry
Product: Firefox → Toolkit
Thank you for popping this over our way, :CosminMCG!

Thank you for bringing your privacy concerns to us. You're right to expect us to treat your privacy carefully and keep user choice paramount.

The definitive documentation for what the preferences are and do are the docs you can read over here: https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html#id1

These docs have been updated for the current Firefox Nightly, so they may have drifted since 52. (There was a largish change in 58 and they are ongoing. The bug tree is rooted at bug 1406390 if you want to take a look, but it isn't relevant to your questions so you can skip it)

So, to your questions.

1) Why is datareporting.healthreport.service.firstRun true?
That I don't know. What I do know is that I'm unable to find any code that reads that value, so its value shouldn't change how things operate. If it's like other telemetry firstRun prefs, it signifies whether or not you've run healthreport or Firefox the first time and have been shown some onboarding notices. So it is probably set on startup when it realizes this isn't your first session.

2) Why is toolkit.telemetry.unified true?
I don't know. Telemetry has been Unified since 42 (on Desktop), but it's a default, not locked. This is a configuration switch, not an on/off switch, so its value doesn't change whether we save or send something or not.

3) Why is toolkit.telemetry.archive.enabled true?
I don't know. Are you using this Firefox under some sort of "managed" situation? (School, Work, Library...) Or is it your personal one? Do you have addons installed? Are these preferences locked if you choose "Restart with addons disabled" from the Help menu?

Oh wait, I notice just now you're running OpenSUSE. Did you install this from your distro's repository, or from our website? Many Linux distributions configure and build their own Firefox packages. It may be a mistake in the distro's configuration.

We do expect to be able to work with the telemetry archive disabled. It is supported. (So if something's wrong, we'll file and fix a bug and write some more tests)

4) Why is the archive on in the first place if I turned all Telemetry reporting off in Preferences?
Probably so we have data to show the user in about:healthreport so a user can see how their Firefox performs. Unfortunately, FHR (Firefox Health Report) wasn't given the best of care, so plumbing through the logic "The user has turned off FHR, so we no longer need those archives" doesn't seem to have been completed.

For this and other reasons we removed healthreport in Firefox 59 with bug 1352497. We're thinking about adding its capabilities directly to the now-redesigned about:telemetry page in 2018.

This, along with the Preferences reorganization in... 56? (the redesign was 57), makes the situation much more clear on the Preferences front for new users.

--

Please let me know where your Firefox package came from. If it's not from our servers, the nature of FOSS means we don't control what others do with it. But we have contacts, so we can probably get erroneous configurations fixed.

Please let me know if it is still a problem in a profile with no addons. Legacy addons are able to do nearly anything to Firefox... which as you can imagine is a double-edged sword.

Please consider updating to the latest release. I'm much more up-to-date on the behaviour of our up-to-date code :) (This is just me, though. To the best of my knowledge we have dedicated user support resources for ESR. But they'll be focused on user support, not power user features like about:config, so YMMV). The choice is yours, though, of course.
Chris, thanks for the detailed feedback.

I didn't really ask the "why" questions, I rather shared my observations but I appreciate the time taken to answer :)

To answer your questions:

I am not using FF in a "managed" situation. It is personal.

Extensions installed: uBlock Origin, uMatrix, HTTPS always. Also tested with a clean profile without extensions (check the link below).

FF 52 ESR comes from openSUSE's repo.

I also tested with 57.0.2, starting from a new (blank) profile, applying the preferences as explained. The situation there is actually worse because after all those preferences (that I do NOT want to send any data reporting whatsoever) in about:config there are still telemetry things enabled.

I was honestly "a little" shocked by all this. FOSS itself implies user control - at any time. Not some organization monitoring the user (for whatever purpose, especially enabled by default in a quite hidden way to the normal user). So all the telemetry stuff going on behind the scenes - I don't quite see how it applies to user freedom at all. Forgive me if that sounds harsh but I am being honest.

Actually these findings made me question browsers as a whole (including Chromium), so I did a few more tests and the results weren't really good. I shared them in this thread, so I would appreciate if you kindly have a look and consider further improvement on the user privacy:

https://forums.opensuse.org/showthread.php/528559-Paranoid-browser-test-is-there-privacy-in-FOSS

I have found Waterfox which claims to remove all telemetry. I haven't tested it yet but the very existence of such project confirms there is something not quite right in Firefox. Another project attempting to improve the privacy of Firefox is https://github.com/ghacksuserjs/ghacks-user.js

I am not a security expert but considering what is going on in the world right now, one can see why the need for reliable software which respects user privacy is becoming more and more important.

I really hope you as developers will pay serious attention to all this. Again - forgive me if I have sounded harsh :) If there is anything else I could help with, please let me know.
Thanks Chris. I appreciate your feedback.

I have not touched C code for 20+ years so digging in your code which involves quite newer technology would hardly give me much info, so I monitored network traffic.

In any case one logical question comes to mind instantly:

If Mozilla cares about user privacy - why telemetry
1) exists
2) is on by default
3) why on every browser startup there are behind-the-scene requests to *.mozilla and *.google and other (ocsp etc)?

I don't mean to sound impolite but from a practical and sane viewpoint this is anti-logic:

"We respect privacy" <===> "We use telemetry (by default, unless you disagree (consider a 15yo reading policies etc))"

Privacy = *nobody* knows what the user does. Ever. If A (the average user) wants to connect to web site X, there must be only packets between A and X and no other. Right now it is not like that at all. On each browser start with empty tabs and no extensions there is some form of hidden communication going on. Similar thing seems to happen upon and after browser has been closed (as explained in the forum thread).

What do you say?
For large questions like that I defer to Rebecca Weiss, our Data Steward, who captured our strategy and some recent changes in a blog post from a couple of months ago: https://blog.mozilla.org/futurereleases/2017/09/06/data-just-living/

For the specific questions about network traffic that aren't Telemetry, I'm afraid I don't know the answers. If there are bugs (preferences that don't stick, don't work), please file bugs in Bugzilla. There might be IRC channels where people may be able to help you find out what features are making those requests and to answer your questions that aren't bugs.

Since this is Bugzilla, I guess we should get back to the bug... :)

To make sure I have this correct, the STR are to:
1) Install the openSUSE-packaged Firefox 52
2) Open about:config and disable datareporting.healthreport.service.firstRun, toolkit.telemetry.unified, and toolkit.telemetry.archive.enabled
3) Restart Firefox and check those properties using about:config

Is that right?

With STR nailed down we can investigate to see if we can reproduce it locally.

https://wiki.mozilla.org/Irc
(In reply to Chris H-C :chutten from comment #6)
> For large questions like that I defer to Rebecca Weiss, our Data Steward,
> who captured our strategy and some recent changes in a blog post from a
> couple of months ago:
> https://blog.mozilla.org/futurereleases/2017/09/06/data-just-living/

Considering the comments in the first link of her article (which received zero answers) it seems quite a lot of people are very angry with the whole data collection business. And for a good reason: giving someone a light bulb with a default opt-in for "we may look in your room each time you turn on the light... you know, to help engineers and decision makers identify easier if you have problems in using our light-bulb in your bedroom, to measure how things happen in the bedroom and so we can optimize the light to monitor the bedroom better in next light bulbs" is typical for corporate talk, not RYF approach.

I appreciate the time you spent to clarify for me the whole picture and I do understand that it is not up to you personally to take those decisions about the software. So my next step will be to look for another browser which truly respects freedom (if such one exists at all).

> Since this is Bugzilla, I guess we should get back to the bug... :)
>
> To make sure I have this correct, the STR are to:
> 1) Install the openSUSE-packaged Firefox 52
> 2) Open about:config and disable
> datareporting.healthreport.service.firstRun, toolkit.telemetry.unified, and
> toolkit.telemetry.archive.enabled
> 3) Restart Firefox and check those properties using about:config
>
> Is that right?

The STR is in the opening post. To clarify: with all data reporting disabled (from preferences), data reporting and telemetry is obviously not disabled (when checking in about:config - before and after restart).
(In reply to George from comment #7)
> > To make sure I have this correct, the STR are to:
> > 1) Install the openSUSE-packaged Firefox 52
> > 2) Open about:config and disable
> > datareporting.healthreport.service.firstRun, toolkit.telemetry.unified, and
> > toolkit.telemetry.archive.enabled
> > 3) Restart Firefox and check those properties using about:config
> >
> > Is that right?
>
> The STR is in the opening post. To clarify: with all data reporting disabled
> (from preferences), data reporting and telemetry is obviously not disabled
> (when checking in about:config - before and after restart).

Thanks for clarifying, from comment 0 this is working as expected.

We will always respect user choice. The expectation here is to use the UI in about:preferences to disable our data collection. The values in about:config are an internal implementation detail (which is admittedly confusing for the moment, but not user-facing).
Status: UNCONFIRMED → RESOLVED
Last Resolved: a month ago
Resolution: --- → WORKSFORME
Created attachment 8937240 [details]
ff-tcpdump-1.log

(In reply to Georg Fritzsche [:gfritzsche] from comment #8)
> We will always respect user choice.

1. Download Firefox 57.0.2 x64 for Linux from mozilla.org

2. mv ~/.mozilla/firefox/ ~/.mozilla/firefox-backup

3. Unpack downloaded Firefox and run it

Two tabs are opened initially:
- "Welcome to Firefox"
- "Firefox Privacy Notice" (in background)

4. Close "Welcome to Firefox" tab

5. On "Firefox Privacy Notice" unfold "Improve performance and stability for users everywhere" and find the _hidden_ button "Choose how you want to share this data in Firefox." This opens about:preferences#privacy

6. Uncheck all checkboxes (= do not send any data to Mozilla, supposedly)

7. Go to Preferences and set:

General:
- Always check if Firefox is your default browser = OFF
- When Firefox starts = Show a blank page
- Check your spelling as you type = OFF
- Downloads = Always ask you where to save files
- Play DRM-controlled content = OFF
- Allow Firefox to = Never check for updates
- Automatically update search engines = OFF

Search:
- Default Search Engine = DuckDuckGo
- Provide search suggestions = OFF
- Remove all other search engines. Leave only Wikipedia (uncheck it)

Privacy & Security:
- Remember logins and passwords for websites = OFF
- Choose "Use custom settings for history" and disable all these:
-- Remember my browsing and download history
-- Remember search and form history
-- Accept cookies from websites
- Tracking protection = Always. Set block list to "Disconnect.me" strict protection (restart Firefox as suggested)
- Send websites a “Do Not Track” = Always
- Block dangerous and deceptive content = OFF (to prevent connections to Google's hosts where blacklists are stored)
- Query OCSP responder servers = OFF (to prevent connections to these hosts)

Firefox Account: Do not sign in

8. Close all tabs, leave a new empty one. Click the cog wheel and turn off all checkboxes (search, top sites, highlights, snippets). Click the tour tooltip and "Skip tour", say "No thanks to the suggestion to import bookmarks, history and passwords"

9. Press Ctrl+Shift+Del and clear "Everything"

10. Close Firefox.

11. Turn off other system network services (like ntpd) to prevent "parasite" connections during the test

12. Reboot and login to Plasma desktop. Do not start any applications.

13. In a console run:

# tcpdump -i eth1 -l > /tmp/tcpdump.log & tail -f /tmp/tcpdump.log

(so far it shows nothing)

14. Start Firefox (it opens with a blank tab, no sites are opened) and watch tcpdump output

EXPECTED: no packets should show up, no communication with any host should happen without the user explicitly starting it

ACTUAL: In less than 2 seconds more than 100 network requests are sent to various hosts of Mozilla, Amazon, Akamai, Cloudfront, edgesuite.net etc.

This is not respectful to user preferences and a privacy issue - the hosts on the other side of the wire are practically informed about what the user does (starts the browser), maybe also some other info is sent (I am not an expert enough to dig further). It is a form of telemetry which happens without user knowledge and approval.
Created attachment 8937242 [details]
ff-tcpdump-2.log

Additional check:

15. Open about:config where the following are seen to be set to 'true', disrespecting user privacy preferences about no data collection:

browser.newtabpage.activity-stream.feeds.telemetry
browser.newtabpage.activity-stream.telemetry
browser.ping-centre.telemetry
toolkit.telemetry.archive.enabled
toolkit.telemetry.bhrPing.enabled
toolkit.telemetry.firstShutdownPing.enabled
toolkit.telemetry.newProfilePing.enabled
toolkit.telemetry.shutdownPingSender.enabled
toolkit.telemetry.unified
toolkit.telemetry.updatePing.enabled
datareporting.policy.dataSubmissionEnabled

16. Set all these manually, explicitly to 'false'

17. Repeat steps 9-14

EXPECTED: (same expectation as earlier)

ACTUAL: Even after the additional attempts to strengthen browser privacy, connections to the same hosts are seen in tcpdump.

Facts prove that the browser does not respect user choice for privacy.
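Added example, not part of the bug thread and not Mozilla's code: one way to check which of the prefs listed in step 15 are explicitly overridden in a profile's prefs.js, which stores entries as `user_pref("name", value);`. The sample file content is constructed, and the function names are hypothetical.

```python
import re

# The prefs the reporter lists in step 15 of the comment above.
LISTED_PREFS = [
    "browser.newtabpage.activity-stream.feeds.telemetry",
    "browser.newtabpage.activity-stream.telemetry",
    "browser.ping-centre.telemetry",
    "toolkit.telemetry.archive.enabled",
    "toolkit.telemetry.bhrPing.enabled",
    "toolkit.telemetry.firstShutdownPing.enabled",
    "toolkit.telemetry.newProfilePing.enabled",
    "toolkit.telemetry.shutdownPingSender.enabled",
    "toolkit.telemetry.unified",
    "toolkit.telemetry.updatePing.enabled",
    "datareporting.policy.dataSubmissionEnabled",
]

# One prefs.js entry per line: user_pref("name", value);
USER_PREF = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_user_prefs(text):
    """Return {name: value}; booleans are decoded, other values stay raw text."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = {"true": True, "false": False}.get(raw, raw)
    return prefs


def audit(text, names=LISTED_PREFS):
    """Map each listed pref to 'false', 'true', 'other (...)' or 'not overridden'.

    'not overridden' means the pref has no entry in the file, so the built-in
    default applies; the file alone cannot say what that default is.
    """
    prefs = parse_user_prefs(text)
    report = {}
    for name in names:
        if name not in prefs:
            report[name] = "not overridden"
        elif prefs[name] is False:
            report[name] = "false"
        elif prefs[name] is True:
            report[name] = "true"
        else:
            report[name] = "other (%s)" % prefs[name]
    return report


def not_disabled(report):
    """Listed prefs that the file does not explicitly set to false."""
    return sorted(n for n, state in report.items() if state != "false")


# Constructed sample of a prefs.js after only some prefs were changed.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.unified", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("browser.ping-centre.telemetry", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE_PREFS_JS).items():
        print("%-55s %s" % (name, state))
```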
(In reply to George from comment #9)
> ACTUAL: In less than 2 seconds more than 100 network requests are sent to
> various hosts of Mozilla, Amazon, Akamai, Cloudfront, edgesuite.net etc.

We should talk separately about:
- service integrations that enable Firefox features (updates, service integrations, etc.)
- data collection from Firefox (e.g. connections to incoming.telemetry.mozilla.org)

The first are a part of the product, although some may be able to be disabled. Modern browser features need various services backing them.
The latter is what the "data collection" toggle in about:preferences#privacy controls.

- detectportal.firefox.com.edgesuite.net is part of captive portal detection
- tiles.services.mozilla.com, tiles-cloudfront.cdn.mozilla.net, ec2-52-27-156-217.us-west-2.compute.amazonaws.com, etc. - is part of the "new tab" or Activity Stream AFAIK.
- *.deploy.akamaitechnologies.com - we use Akamai as an active CDN, maybe other services
- Cloudfront is an alternative CDN provider.

I don't see any data collection standing out in attachment 8937242 [details].

If we do data collection (sending telemetry or data back to our servers) after data collection is disabled, that would be a serious bug that we will of course follow up on.
If specific features do active connections after being disabled, we should file a bug specifically on that.

I'll check back though to confirm what I think these endpoints are.
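Added example, not part of the bug thread and not Mozilla's code: a small classifier that sorts the destination hosts in tcpdump's default text output into the categories described in the comment above, so data-collection endpoints can be told apart from feature traffic. The sample capture lines, the local host name `desktop`, and the `cloudfront.net` suffix are assumptions; the other hosts are the ones named in the thread.

```python
import re
from collections import Counter

# Host suffix -> category. Hosts and categories are those named in the thread;
# the cloudfront.net suffix is an assumption (the thread names only the
# provider, not a hostname).
RULES = [
    ("incoming.telemetry.mozilla.org", "data-collection"),
    ("inbound.telemetry.mozilla.com", "data-collection"),
    ("detectportal.firefox.com.edgesuite.net", "captive-portal"),
    ("tiles.services.mozilla.com", "activity-stream"),
    ("tiles-cloudfront.cdn.mozilla.net", "activity-stream"),
    ("ec2-52-27-156-217.us-west-2.compute.amazonaws.com", "activity-stream"),
    ("deploy.akamaitechnologies.com", "cdn"),
    ("cloudfront.net", "cdn"),
]

# Default tcpdump text output: "<time> IP <src>.<port> > <dst>.<port>: ..."
PACKET = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): ")


def strip_port(endpoint):
    """Drop the trailing .port (numeric or a service name such as 'https')."""
    return endpoint.rsplit(".", 1)[0].lower()


def classify(host):
    """Return the category of the first rule whose suffix matches on a label boundary."""
    for suffix, category in RULES:
        if host == suffix or host.endswith("." + suffix):
            return category
    return "unclassified"


def summarize(lines, local_host):
    """Count outbound packets per category and collect the hosts seen."""
    counts, hosts = Counter(), {}
    for line in lines:
        m = PACKET.match(line)
        if not m or strip_port(m["src"]) != local_host:
            continue  # not a packet line, or inbound traffic
        dst = strip_port(m["dst"])
        category = classify(dst)
        counts[category] += 1
        hosts.setdefault(category, set()).add(dst)
    return counts, hosts


# Constructed sample lines in tcpdump's default format (not from the attachments).
SAMPLE = """\
14:02:11.120345 IP desktop.51234 > detectportal.firefox.com.edgesuite.net.http: Flags [S], seq 1, win 29200, length 0
14:02:11.130001 IP detectportal.firefox.com.edgesuite.net.http > desktop.51234: Flags [S.], seq 9, ack 2, win 28960, length 0
14:02:11.200412 IP desktop.40112 > tiles.services.mozilla.com.https: Flags [S], seq 1, win 29200, length 0
14:02:11.310877 IP desktop.40120 > a0-0-0-0.deploy.akamaitechnologies.com.https: Flags [S], seq 1, win 29200, length 0
14:02:11.420090 IP desktop.40130 > incoming.telemetry.mozilla.org.https: Flags [S], seq 1, win 29200, length 0
14:02:11.500000 IP desktop.40140 > host.example.net.https: Flags [S], seq 1, win 29200, length 0
""".splitlines()

if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE, "desktop")
    for category, n in counts.most_common():
        print(category, n, sorted(hosts[category]))
```

Without `-n`, tcpdump prints reverse-DNS names, so a service hosted on a CDN appears under the CDN's name rather than the name the browser requested; "cdn" and "unclassified" entries still need a closer look.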
Though I understand that technically certain services may be part of some functionality, that still doesn't justify or abolish the fact that it results in indirect telemetry in the sense: 3rd parties receive a packet from user's computer without the user having initiated any connection explicitly (e.g. by visiting a website or by being given a chance to agree to that).

By default upon first start:

1. The "Firefox Privacy Notice" is shown in a background tab.

2. This same notice does not list clearly and explicitly any of those services

3. This same notice says:

> "Location data: When you first use Firefox, it uses your IP address to set your default search provider based on your country."

(and that search provider is Google).

In case you don't know (which I doubt) many people choose Firefox and not Google Chrome because they don't want to be tracked by Google. Firefox currently makes this choice meaningless, upon first start.

The quoted text is in a collapsed section in a background tab. Who will read that at all? As someone who has worked on multiple UI/UX optimizations I am sure it will be seen by less than 1% of users. When one starts a browser, one's first job is not to read lengthy agreements (especially ones delivered in a background tab) but to type their favorite site URL and browse. Everyone knows that. Software developers must take this into account, not use it as a clever trick.

> If we do data collection (sending telemetry or data back to our servers) after data collection is disabled, that would be a serious bug that we will of course follow up on.

4. Upon first start the user is forcibly put in a scenario of telemetry WITHOUT even being asked for consent. So Firefox does telemetry, by default.

5. A lot of steps are necessary to ensure at least a reduced background communication. And those steps are not something a non-expert would even pay attention to.

Also there is visible difference between the number of requests sent in attachment 8937240 [details] and attachment 8937242 [details]. I don't know what that difference is due to (I haven't inspected packet contents as I don't know how) but logically it implies that the flags additionally disabled in step 16 actually have some effect and that effect is not possible to disable through preferences.

Even if you can point me to the exact lines of code which show clearly what is sent to Amazon etc, perhaps I still wouldn't be able to understand fully as I haven't touched C programming for many years. But maybe it is worth showing that, possibly others are reading this too.

6. Obviously there is no way for the user to disable connections to those 3rd parties completely. Not even through about:config. Not even with an added note "If you disable these, you will have limited functionality". None of that is in user control.

7. This directly seems to affect also Firefox forks (more or less).

This whole behavior of the program is not typical for free software, where the user is supposed to be in full control:

https://www.gnu.org/philosophy/free-sw.en.html

It denies Freedom 0:

> "In this freedom, it is the user's purpose that matters, not the developer's purpose;"

If *any* form of telemetry (direct or indirect) or connections to 3rd party services should happen at all (which I question) this should never happen by default. If that needs to happen in special cases, for support/debugging and development purposes, it should happen only after the user is given clear, short and explicit notice, in layman terms + a big red button "Yes, I agree that organizations X, Y, Z will look into my computer specs (or whatever) and how I browse the net" and there should be a green "No" button too which keeps all that blocked. Before the user pressing any of these buttons no single packet should be sent whatsoever. That would be respectful to privacy, ethical and righteous.

But cleverly hidden, enabled by default, behind lengthy terms, impossible to disable and all the rest of it is something entirely different.

I hope you understand.
I understand that you have a different vision for the product direction, which may differ from ours. Bugzilla is not the place to discuss these topics; the governance mailing list might be the right place for it: https://lists.mozilla.org/listinfo/governance I'm happy to investigate specific technical issues here.
(In reply to Georg Fritzsche [:gfritzsche] from comment #14)
> I understand that you have a different vision for the product direction,
> which may differ from ours.

It is not my vision. It is Freedom 0.

> I'm happy to investigate specific technical issues here.

The full technical details of the issue have been given here.
It is a shame that generally a useful technical investigation is made all but useless by waving "freedom 0" around here. Your freedom is about the user using the program in any way you like - not having the program or the vendor DO exactly what YOU want. Hence the other freedoms to achieve that.

Chris, SUSE Security here. I understand your comment #11 as indicating that these are various non-data-collecting functional services. They serve our various data / feeds etc, but otherwise are not concerned with telemetry? I know that tinfoil hat people will equate any traffic with data collection, just want to put that into categories.

Comment #12 said you were checking further. Is there anything that came from that?
It was technically Georg on those specific comments, but he might be past his EOD so I'll step back in.

Telemetry is very specifically anonymous usage statistics sent to https://inbound.telemetry.mozilla.com in a packaged format as documented in a few places (there are Very Relevant Reasons why they are in many places, I assure you :S ).

Everything else at every other endpoint is something else, as you describe. They aren't Telemetry. They are things like Captive Portal Detection and Malware & Phishing Protection.

https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/index.html
https://wiki.mozilla.org/Telemetry
https://docs.telemetry.mozilla.org/
@Andreas - thanks for clarifying.

Still I maintain that it should be up to the user (and not up to the vendor) to send network packets or not, for whatever purpose. So all this should not happen without prior consent. But the initial tabs (and overall settings) which are used by Firefox don't ask for such consent before starting directly the background communication (with telemetry enabled, by default). So raising the question about freedom and privacy seems valid because in this case the user has no way to know what will actually happen when he runs the program (suppose he has never used this program and just starts it). In other words - the program/vendor is in control, not the user.
(In reply to Andreas Stieger from comment #16)
> Comment #12 said you were checking further. Is there anything that came from
> that?

I did double-check comment 11 earlier this week. The activity stream confirmed the endpoints that were not immediately clear to not be data collection, but feature integration. I'd like these to be documented better publicly in the future, I'll check what we can do.