Firefox Focus – ‘Privacy gate’, a 2nd view

MozillaHere is a second view on the Mozilla iOS Firefox Focus app and the data tracking / privacy issue raised last week. Firefox Focus is advertised as a "privacy browers", but comes with a tracking framework. Data are send to data harvesting company Adjust. 


Advertising

Some background information

Mozilla Foundation started last November shipping Firefox Focus as a privacy browser for iOS devices. But all Mozilla mobile browser apps (Firefox Focus, Firefox for Android Beta) contains a third-party tracking framework, that sends user tracking data to a big data collecting company. My blog post Firefox Focus: The 'Privacy Browser' with build in user tracking addressed this issue last week. But there has a lot of discussion, whether private surf data are transferred or not.

My critics and Mozilla's statement

I've criticized, that Mozilla promoted Firefox Focus as a "privacy browser", but includes a tracking framework, without communicating that offensively. Well, there is a document Send anonymous usage data from Firefox on mobile devices on Mozilla's support pages. But that's for developers.


(Source: Mozilla)

I would say: If Mozilla have had mentioned the tracking features within it's iTunes app description and if tracking would be an opt-in feature, it would never been an issue.

Also Mozilla's statement, published at a Bleeping Computer article didn't clean things. They pointed to the Adjust's privacy compliance page, Below is a screen shot of this page.


Advertising

You will find ePrivacyseal logo, Adjust claims to anonymize data and promise to be transparent. They are also claiming to be conform to European data protection law. But as a user I'm left on a "believe it or leave it" base. No further details about the ePrivacyseal – for what does it stand? Who has audited and proofed this? Also no further details about transparency – and European data protection law is just a paper – we have the EU-US Privacy Shield agreement, that doesn't protect data from individuals.

To make it clear: I have no proof, that Adjust does nasty things, but my point is: There are a lot of promises, but no facts, that I can check as an ordinary web site visitor. 

Deutschlandfunk have had a 2nd view on the case

The original case has been raised within a broadcast in Deutschlandfunk, where Peter Welchering and Manfred Kloiber talked about data collection in Firefox Klar (the German name for Firefox Focus). The point was: Firefox Focus is collecting data, the data are send to a private company Adjust, engaged in big data and advertising business, and it isn't clear, which data are transferred. Welchering says also, that Mozilla and Adjust didn't respond on his questions. Mozilla claimed later, that Welchering never has asked questions.

Nevertheless, Peter Welchering and Manfred Kloiber has token a 2nd look at this case within a yesterday broadcast. The German transcript with the title Welche Nutzerdaten die Firefox-App tatsächlich sammelt sheds some additional light to this case. Mozilla Foudation and also German Ajust GmbH has been in contact with Peter Welchering and answered questions raised from this case.

  • Welchering pointed out within his first broadcast talk, that "we don't know, which data about a user's surfing behavior are collected and transferred to Adjust's servers – but we know, that data are collected and send over to Adjust."
  • Mozilla and Adjust answered this question: If you use Firefox Focus or Android Firefox Beta on mobile devices and surfing the Internet, data are obtained (from Adjust SDK) and will be send to Adjust's servers.
  • The Adjust SDK collects some data and send it via HTTPS after starting a browser, during a session resume and during several events defined by Mozilla. 
  • Adjust uses an advertising ID, to assign the Firefox Focus installation to an advertising campaign.
  • Adjust GmbH says: "IP addresses will be send to our servers, it will be converted and combined with other data like device meta data. The result is a string, containing the IP address, user-agent and some application specific data. These data are used for matching between advertising interactions and app install. It will be stored as long, as the IP fingerprinting windows is opened (typical 5-10 hours, but it may up to 30 days). IP addresses are not stored for other cases."

Peter Welchering concludes "Firefox Focus sends a lot of data to Adjust's server, as we found out. Those data contains IP addresses, the name of the device, the CPUtype, an advertising ID, device ID and more. " There is no proof, that this data are misused – but the collected and anonymized data can be decoded (we have had cases, where researcher has been able via big data analysis to identify data from users).

And I have to mention, that IP addresses are private data, according to EU law (see this article, EU text). So the data are not anonym at all. As a conclusion: We have no signs, that Mozilla Foundation and Adjust GmbH are misusing those data and both are trying to become transparent. But there is an old rule: "Data that hasn't been collected can't be misused". So, the Firefox Focus privacy case was a kind of bad communication and sub-optimal implementation – imho.

Similar articles:
Firefox Focus: The 'Privacy Browser' with build in user tracking
Firefox privacy settings – what to know


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in ios, Security and tagged , , . Bookmark the permalink.

One Response to Firefox Focus – ‘Privacy gate’, a 2nd view

  1. frank-e says:

    Update: As of v3.3, the Adjust SDK is completely excluded from Firefox Klar.
    Source: https://github.com/mozilla-mobile/focus-ios/wiki/Install-Tracking-in-Firefox-Focus-with-the-Adjust-SDK

Leave a Reply

Your email address will not be published. Required fields are marked *