Closed Bug 1614065 Opened 5 years ago Closed 5 years ago

Extension Block Request: Add-ons collecting personal information without consent

Categories

(Toolkit :: Blocklist Policy Requests, task)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mattgaspar10, Unassigned)

Details
Extension name Add-ons collecting personal information without consent
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity hard

Reason

Two add-ons collecting personal information without consent. Based on the URL format, looks like they are from the same developer. I'm guessing they have a template and have more add-ons like this.

loginhelper.co - GUID without consent
hxxps://hp.hemailaccesshere.com/get/js/impression?uc=20200207&ap=appfocus1&source=d-ccc4-lp0-cp_6642425452-bb8&uid=256604bc-78b3-4029-a905-6d341f61bb7e&i_id=email_99&cid=app@EmailAccessHere

freeformsnow.com - GUID without consent
hxxps://hp.hfindingformspro.com/get/js/impression?uc=20200207&ap=appfocus1&source=d-ccc2-lp0-bb9&uid=34e1fe26-3bbd-4369-995a-30952756adea&i_id=forms_99&cid=webext@FindingFormsProTab

Extension IDs

sp@FindingFormsPro
sp@EmailAccessHere

Thank you for the report. Can you elaborate how GUID is personal information?

Flags: needinfo?(mattgaspar10)

No problem. Per add-on policy, GUID qualifies as personal technical data, which requires consent to collect it. In this context, it is an identifier for a single user.

https://extensionworkshop.com/documentation/publish/add-on-policies/#data-disclosure-collection-and-management

Flags: needinfo?(mattgaspar10)

Can you quote the exact sentence you are refering to? What I see on that page is:

personal data actively provided by the user (such as a name or email address)

You copied the correct sentence. Name and email address are two examples, but I believe GUID applies as well. It is used to identify a single user.

The following section is also relevant.

Personal Data
If you are collecting any personal information, the user must provide affirmative consent (i.e., explicit opt-in from the user). It must be clear to the user that they give consent to the collection of personal data.

This brings us back to my original question: What is the personal data you are referring to? GUID does not seem to be personal information.

Flags: needinfo?(mattgaspar10)

GUID is the only data point I'm referring to here. If GUID is not personal information, is it ancillary?

Flags: needinfo?(mattgaspar10)

Closing as invalid as there is no personal data collected and non-personal data collection comes with a data collection consent dialog.

Group: blocklist-requests
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.