firefox-esr: leaks data to third-parties
Open, NormalPublic
Actions

Description

Dear friends of freedom and privacy,

I would like to share with you some of my recent findings about popular FOSS browsers which (imo) disrespect user privacy.

I am sharing with you direct links to the reported issues:

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=795526
IceCat: I have reported this directly to GNU and FSF, so there is no link but I will try to attach it here

icecat-privacy.txt3 KBDownload

I am using openSUSE Leap 42.3. I still haven't tried PureOS or PureBrowser but I thought I would share these with you as you might want to check more in-depth the validity of my concern and hopefully prevent code disrespecting privacy to propagate in your systems.

FWIW here is also a discussion I started in the openSUSE forums about all this (others seem to confirm what I notice through testing via wireshark):

https://forums.opensuse.org/showthread.php/528559-Paranoid-browser-test-is-there-privacy-in-FOSS

Related Objects
Search...

Status	Assigned	Task
Open	None	T268 firefox-esr: leaks data to third-parties
Resolved	jonas.smedegaard	T281 purebrowser - reports telemetry data to Mozilla
Open	jonas.smedegaard	T156 firefox-esr: default search engine tracks users
Open	None	T282 firefox-esr - leaks interactive typing in search field
Open	None	T283 firefox-esr: reports opt-out from telemetry reporting to Mozilla
Open	None	T271 PureOS tolerates third-party user tracking (e.g. ads) in Mozilla applications
Open	None	T299 [multipe issues] firefox-esr: promotes upstream-distributed addons
Open	None	T305 firefox-esr: Addons screen links to upstream-distributed addons
Duplicate	jonas.smedegaard	T532 purebrowser: Home screen advertises Firefox brand with links to Mozilla addons service
Resolved	jonas.smedegaard	T826 "Recommended Extensions" feature in Purebrowser allows unvetted 3rd party software source

Event Timeline

george created this task.Dec 16 2017, 05:02

zlatan.todoric reassigned this task from hema.prathaban to jonas.smedegaard.Dec 16 2017, 08:26

zlatan.todoric added a subscriber: hema.prathaban.

zlatan.todoric removed a subscriber: hema.prathaban.

jonas.smedegaard added a subtask: T281: purebrowser - reports telemetry data to Mozilla.Dec 24 2017, 06:58

Thanks for sharing!

This is - in our use of the term - not a freedom issue but a privacy issue. Or rather it is multiple privacy issues some related and some unrelated.

I will separate the distinct actionable issues I can identify from your - similarly convoluted - referenced discussions, and will quite likely close this issue as too convoluted to act on directly.

NB! We value your concerns and your work on identifying/proving the issues involved, but please in the future break down your research and report in issue trackers only distinct actionable items. Broader principal "issues" covering multiple features or (as here) even multiple independent code projects are hard to sensibly track in an issue/bug tracker, and such convoluted bugreports are at high risk of not being taken seriously but closed without action.
Write an essay on the broader principal aspects instead - e.g. in a blog - and link between your essay(s) and the distinct issues you report. Such essay is then also accessible to others than geeks reading issue trackers, and promote all the places you dive in technically (which is impressive!).

jonas.smedegaard renamed this task from [FREEDOM ISSUE] purebrowser to purebrowser leaks data to third-parties.Dec 24 2017, 07:26

jonas.smedegaard added a subtask: T156: firefox-esr: default search engine tracks users.Dec 24 2017, 07:43

jonas.smedegaard added a subtask: T282: firefox-esr - leaks interactive typing in search field.Dec 24 2017, 07:48

jonas.smedegaard added a subtask: T283: firefox-esr: reports opt-out from telemetry reporting to Mozilla.Dec 24 2017, 08:10

jonas.smedegaard edited projects, added Restricted Project; removed Freedom.Dec 24 2017, 08:56

Sorry for the late reply. Happy new year!

I reported this as a freedom issue as I was advised to do so by Mladen (to whom I emailed the info initially). You are right that privacy is more specific as it illustrates the particular aspect of freedom which is broken. In any case I hope the info and the comments in the linked external reports make it clear enough that it is not a case of free software but of software which uses the user for the purposes of an organization without first asking and without even a post-factum option for complete privacy. Obviously that is not a priority (if at all) neither for Firefox, nor for Chromium developers, so those browsers are not fully free software, at least to my understanding.

FWIW I also received direct reply from the developer of IceCat:

I'll be working on more a more strict cleanup of those "features" for the next IceCat release cycle.

ETA: The output of tcpdump shows that even with telemetry and data reporting turned off from about:config, and after all privacy tuning of settings there is still background communication going on to various networks of Amazon, Akamai etc. which results in what I call "indirect telemetry" as explained in the bug at Mozilla's tracker. In that sense the output of tcpdump when testing Chromium seems much better as well as the reply received by chromium devs is much more sensical. It seems Chromium is fine as a browser if safe browsing and other Google's tools are not used and all it lacks is a default setting which ensures that privacy level.

jonas.smedegaard closed subtask T281: purebrowser - reports telemetry data to Mozilla as Resolved.Apr 12 2018, 08:15

jonas.smedegaard added a subtask: T532: purebrowser: Home screen advertises Firefox brand with links to Mozilla addons service.Aug 7 2018, 05:06

jonas.smedegaard added subtasks: T271: PureOS tolerates third-party user tracking (e.g. ads) in Mozilla applications, T299: [multipe issues] firefox-esr: promotes upstream-distributed addons.Aug 7 2018, 05:23

jonas.smedegaard removed a subtask: T532: purebrowser: Home screen advertises Firefox brand with links to Mozilla addons service.Aug 7 2018, 05:46

• thegoat added a subscriber: • thegoat.Aug 11 2018, 10:46

jonas.smedegaard closed subtask T156: firefox-esr: default search engine tracks users as Resolved.Aug 14 2018, 10:58

jonas.smedegaard removed jonas.smedegaard as the assignee of this task.Aug 20 2018, 00:27

jonas.smedegaard added a subscriber: jonas.smedegaard.

jonas.smedegaard removed a subscriber: jonas.smedegaard.

jonas.smedegaard reopened subtask T156: firefox-esr: default search engine tracks users as Open.Jan 5 2019, 16:35

jonas.smedegaard closed subtask T156: firefox-esr: default search engine tracks users as Resolved.Jun 3 2019, 07:09

jonas.smedegaard renamed this task from purebrowser leaks data to third-parties to firefox-esr: leaks data to third-parties.May 28 2021, 01:05