Mozilla Firefox is one of the most popular and longest-running browsers. Its developers have earned it a reputation for being a "privacy and security-based browser, respecting the user" — but is it justified, or just marketing? In fact, over the years they have made several anti-privacy (and generally anti-user) decisions, but this article will focus exclusively on spying. Version tested: 52.5.0, with the default settings. Program used for testing requests: Mitmproxy.
After following the mitigation guide, this software is Not Spyware.
It sends a lot of different data very often (some of which could uniquely identify you). All the "services" that it provides, such as its default search engines and Pocket, are anti-privacy. The rating isn't higher because at least you can turn off or modify most of it, though it often requires diving deep into about:config.
Whenever you start Firefox, it makes this request:
In fact, it makes it every time you go to a website, and even a few times in a row for a single website. So Firefox "phones home" all the time, without your knowledge. Can be disabled ONLY in about:config. But, since you've already started Firefox, it will make this request at least once.
Websites you visit most often are added to the New Tab panel. When you then open a new tab, Firefox will sometimes make requests to the sites in there, including some of their trackers. I haven't determined how it works yet. Sometimes it doesn't make the requests at all; other times you end up with hundreds of images, scripts, trackers, etc. loaded simply because you opened a new tab (without visiting any website explicitly). Was NOT able to find a way to disable this, even in about:config.
Firefox has been integrated with the spyware platform called "Google Analytics". Firefox has been confirmed to now send analytics to Google. According to a Firefox developer, the spyware in Firefox is "extremely useful to us and we have already weighed the cost/benefit of using tracking.", and Firefox will not remove Google Analytics support entirely. Firefox's position on privacy is made very clear with this quote:
"Wanted to address your position though: We don't give the "data directly to Google". See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=858839. The short version is: tl;dr: We now have an option to opt-out of Google doing anything with the data that Google Analytics collects on Mozilla websites. GA tracking is anonymous and at the aggregate level and we use it to improve the experience of our websites. We are collecting aggregate and non-identifiable data in numbers to ensure our development/UX changes are met well. We can respect privacy and still have analytics; in fact Mozilla's aim is for an experience that values user privacy and usability (I'd say Apple also wants UX that fits that mold, as an example). We need some data, anonymized and aggregated, to do this."
The takeaway from this is that Mozilla wants to pretend that including spyware in their program is somehow not a breach of privacy, and that Firefox could possibly be respecting user privacy while simultaneously collecting data on users and sending it to Google. Reading the GitHub thread, and the further anti-privacy statements the Mozilla employee makes while defending the spyware features in Firefox, is strongly recommended. It's very dangerous to assert that there is somehow a middle ground between respecting user privacy and datamining the user.
Allegedly used to protect you from "phishing" websites, but in the end, it makes a bunch of requests to Google every 30 minutes (according to Mozilla), including a POST request with your Firefox version and a unique, persistent, hidden cookie. Whenever the current URL matches an entry in the cached local blacklist, a request is made to Google servers, ostensibly to test whether that website is still on the master online blacklist. This allows Google to monitor specific websites transparently to the user by putting the URLs of interest on the local but not the online blacklist. Can be disabled ONLY in about:config.
From the horse's mouth: "For example, FHR sends data to Mozilla on things like: operating system, PC/Mac, number of processors, Firefox version, the number and type of add-ons. The data collected by FHR is tied to a Document ID that corresponds to a browser installation (explained above in question #4) so that the data can be correlated across a limited window of time." According to Mozilla, new versions of Firefox will also collect telemetry data by default. Can be disabled through the GUI.
Not that bad compared to all of the above, I guess — but it still installs something without your consent, with possible new privacy nightmares in there. There is no excuse for not at least making "Check for updates, but let me choose whether to install them" the default — it would still give the security benefit, but not take control away from the user. Can be disabled through the GUI.
Firefox also sometimes makes a request to "self-repair.mozilla.org" which looks like this:
It includes "optimizelyEndUserID" which probably means it uniquely identifies you. Can be disabled ONLY in about:config.
It also makes this request every time you open the default home page:
The number after the Firefox version is, again, uniquely identifying. Can be disabled ONLY in about:config.
Firefox has a file with a list of blocked addons that it considers "malicious" and it makes a request to update it every day (even if you don't have any addons installed). The request includes a uniquely identifying browser installation ID. Can be disabled ONLY in about:config.
Firefox will send information about almost every basic operation that you do back to Mozilla. This is tagged with a unique client ID and an ID for your current session, and any relevant information related to this action. By default, the following uses of the UI are reported to Mozilla:
Essentially, while this feature doesn't broadcast your search history to Mozilla, it provides an incredibly detailed walkthrough of exactly how you use Firefox's user interface. This can be disabled and is an opt-out spyware feature. You can disable it through the GUI as described here: Share data with Mozilla to help improve Firefox [web.archive.org] [archive.fo]
Mozilla has a feature called "Enhanced Tracking Protection". This feature's claimed goal is to protect the user from being tracked. This would be nice if Mozilla didn't whitelist a massive list of domains.
This review is also accompanied by a page about how to configure Firefox to be more privacy-respecting, and links to other projects that have been created to solve this problem. You can read about that here. These are some of the flags in about:config mentioned earlier in the article, and the values that they should be set to:
| Spyware Feature | about:config flag | about:config value | Source |
|---|---|---|---|
| Phoning home | network.captive-portal-service.enabled | False | Turn off captive portal [archive.is] |
| Self-Repair | browser.selfsupport.url | "" | How can I stop firefox from constantly connecting to self-repair.mozillia.org [archive.is] |
| Pocket | pocket.enabled | False | Disable Pocket in Firefox [archive.is] |
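
An added example (not code from the original article or from Mozilla): a Python check that reads the text of a profile's prefs.js and then user.js and reports, for each flag in the table above, whether it is set to the listed value. The `user_pref()` line format, the two file names and the "default" status for a flag set in neither file are assumptions about how Firefox stores preferences; the sample text is constructed.

```python
import json
import re

# Recommended values, copied from the about:config table in the article.
RECOMMENDED = {
    "network.captive-portal-service.enabled": False,
    "browser.selfsupport.url": "",
    "pocket.enabled": False,
}
# One preference per line: user_pref("name", value);  with an optional // comment
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"\\]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?://.*)?$')


def parse_prefs(text):
    """Return {name: value} for every active user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines start with // and never match
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep unparsed text; it will be reported as a mismatch
    return prefs


def audit(*pref_texts):
    """Apply the texts in order (prefs.js, then user.js) and grade each flag.

    Returns {flag: "ok" | "mismatch" | "default"}; "default" means the flag is
    set in neither file, so the browser's built-in value is in effect.
    """
    effective = {}
    for text in pref_texts:
        effective.update(parse_prefs(text))
    report = {}
    for name, wanted in RECOMMENDED.items():
        if name not in effective:
            report[name] = "default"
            continue
        got = effective[name]
        # Compare types too: False == 0 in Python, but a pref set to 0 is not false.
        report[name] = "ok" if type(got) is type(wanted) and got == wanted else "mismatch"
    return report


# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = '''user_pref("browser.selfsupport.url", "");
user_pref("network.captive-portal-service.enabled", true);
// user_pref("pocket.enabled", false);
'''
SAMPLE_USER_JS = 'user_pref("network.captive-portal-service.enabled", false);\n'
```

Calling `audit(prefs_js_text, user_js_text)` with the contents of the two files from a profile directory gives one status per flag; anything other than "ok" still needs to be changed in about:config.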
firefox "about:config" settings
Firefox's Enhanced Tracking Protection whitelists Google, Instagram... and Winamp?
This article was originally written by digdeeper.neocities.org
Formatting changes and some sections were written by the site maintainer.
Other Anonymous contributors have added other sections and various changes to this article, as well.
Google Analytics is used to track users
2. FAQ for FHR [web.archive.org] [archive.li]
4. Snippets Service Data Collection [web.archive.org] [archive.li]
5. Metrics we collect [web.archive.org] [archive.li]
6. Turn off captive portal [archive.is]
7. How can I stop firefox from constantly connecting to self-repair.mozillia.org [archive.is]
8. Disable Pocket in Firefox [archive.is]
9. List of whitelisted trackers [web.archive.org]
This article was last edited on 5/25/2020
This article was created on 11/23/2017
If you want to edit this article, or contribute your own article(s), visit us at the git repo on Codeberg. All contributions must be licensed under the CC0 license to be accepted.