Last November, the Mozilla Foundation started shipping Firefox Focus as a privacy browser for iOS devices. But behind the scenes, this iOS app comes with a third-party tracking framework that sends user tracking data to a big-data collecting company. And: user tracking is enabled by default – and this framework also comes with the Android app. Here are the details I know so far.
Did you read all the overwhelming articles introducing Firefox Focus for iOS last November? See Mozilla Launches Firefox Focus, a Standalone Private Browser for iOS (Bleeping Computer), Privacy-Enabled Web Browser 'Firefox Focus' Launches on App Store With Automatic Ad Blocking (Mac Rumors), The iPhone Just Got A New Super-Private Firefox Browser (Forbes).
Somehow I read those stories, but I didn't manage to get my hands on this app. OK, my old iPad 3 is stuck on iOS 9 and I only use it from time to time. So Firefox Focus was "just another app" for me. Today I'm glad I missed that thing – because: think about it, what if that "Super Private Firefox Browser" (Forbes) isn't as private as assumed, and tracks and sends user data?
Recently I wrote about the privacy gate caused by the browser plug-in Web of Trust, which was caught sending user tracking data that WoT sold to big data harvesters. I covered this story in my blog post Web of Trust harvesting and selling user's surfing data.
Firefox Focus, the privacy browser …
After I stumbled upon the user tracking issue (more below), I had a second look at the iTunes Firefox Focus page. Here's what they say:
Firefox Focus: The privacy browser – By Mozilla
Browse like no one's watching. The new Firefox Focus automatically blocks a wide range of online trackers — from the moment you launch it to the second you leave it. Easily erase your history, passwords and cookies, so you won't get followed by things like unwanted ads.
"Private browsing" on most browsers isn't comprehensive or easy to use. Focus is next-level privacy that's free, always on and always on your side — because it's backed by Mozilla, the non-profit that fights for your rights on the Web.
– Blocks a wide range of common Web trackers without any settings to set
– Easily erases your history — no passwords, no cookies, no trackers
– By removing trackers and ads, Web pages may require less data and load faster
Mozilla's blog also contains several articles, like Introducing Firefox Focus – a free, fast and easy to use private browser for iOS or Privacy made simple with Firefox Focus – and there is a Mozilla support page, What is Firefox Focus?, detailing the new browser:
Firefox Focus brings added privacy by allowing you to block known website trackers by category:
- Ads, analytics and social trackers
- Other content trackers – this category includes embedded videos, photo slideshows, and news article embeds that could track you. Blocking other content trackers may cause many sites to stop functioning properly.
And they posted a Settings screenshot on their page that shows a lot of privacy options (see left picture below).
Unfortunately, the Settings screenshot was cut off at the bottom – I don't know if that was intentional. On the German Mozilla pages I found the full view of this settings page (see the localized screenshot shown above on the right). The settings page contains an option, Send anonymous usage data, that is enabled by default after app install.
Firefox Focus is tracking user data, which is sent to big-data specialist Adjust
Yesterday a reader of my German blog sent me a tip. There was a tech talk titled Mozilla Klar saugt Daten ab, broadcast on the German station Deutschlandfunk, between Manfred Kloiber (moderator) and the journalist Peter Welchering. Peter obviously stumbled upon the option Send anonymous usage data in Firefox Klar (the German name for Firefox Focus). He contacted Hermann Sauer, a security expert, to analyze this case further. The result:
Firefox Klar (and Firefox Focus) tracks data about the user's behavior while using the app and surfing the web. Data such as which websites are visited, where the app was downloaded from, the IP address, a tracking ID and much more is being sent to the German big-data specialist Adjust.
It's the same constellation that I reported on in the Web of Trust #privacygate (see Web of Trust harvesting and selling user's surfing data). Mozilla's developers intended to receive telemetry data to improve their app. Therefore they would like to receive anonymous user data. Peter Welchering says it's not wrong per se to collect anonymized telemetry data. But an app must never be installed with telemetry activated by default. If a user decides to provide tracking data to Mozilla's developers, he has to activate that option. So my conclusion: Mozilla's developers had a good idea, but things went wrong. But wait, there is still more.
Tracking data sent to a big-data collecting company
Mozilla announced Firefox Focus as a "privacy browser" that stops user tracking. Welchering and Sauer found out that the app does not send user tracking data to Mozilla's servers. The (raw?) data is sent to the German big data harvester Adjust – then the data is anonymized and transferred to Mozilla.
Adjust GmbH is engaged in the tracking business and has customers from the "advertising industry". Welchering tried to contact Adjust and the Mozilla Foundation to obtain a statement about what is done with this data – but says he didn't receive an answer. So the whole thing is just a black box.
Oops, they use a third-party tracking framework
At this point I started a web search and came across the document Send anonymous usage data from Firefox on mobile devices on Mozilla's support pages. This document gave me a clue about what happened. The document is for developers, and we can read:
Firefox for Android, Firefox for iOS, Firefox Focus and Firefox Klar collect data about installations and retention using a third-party tracking framework called adjust. This helps Mozilla determine the origin of the installation by answering the question,
With what I know today, I got another piece of the puzzle. Mozilla's developers are using a third-party tracking framework, adjust. They write:
This framework consists of a software development kit (SDK) built into Firefox and a data-collecting Internet service backend run by the German company adjust GmbH. The adjust SDK is open source and MIT licensed (see the github repository).
Open source and an MIT license sound trustworthy. But what about the data-collecting Internet service backend run by a third party? And: all Firefox browser apps for Android and iOS are tracking user data, as you can read in the text below.
For a new install, the application sends an anonymous "attribution" request to the adjust servers. This request describes how the application was downloaded, for example, whether it was downloaded directly via the App Store or through a marketing campaign link. The data includes an advertising ID, IP address, timestamp, country, language/locale, operating system and app version.
Firefox for iOS, Firefox Focus, Firefox Klar and Android will also occasionally send anonymous summaries about how often the application has been used. These summaries only include information regarding whether the app has been in active use recently and when.
Additionally, Firefox Focus and Firefox Klar will also report what features of the application are being used. It will send an anonymous report containing the specific filters being selected and count how many times the search, browse and erase button is pressed.
In conclusion: they can write a lot about anonymity, but they are handing tracking control over to a third-party tool, and the data is being sent to a third-party server – so Mozilla has (in my reading, maybe I'm wrong) no control over that. Also, tracking is switched on by default during app installation – a nightmare. In short: if Mozilla had mentioned the tracking issue prominently on all app download pages and deactivated the tracking framework by default, it could have been a move to improve trust. But the current approach is a no-go – IMHO.
Addendum: A few additional remarks
I informed Catalin Cimpanu from Bleeping Computer about the article via mail. He has now published this article with a statement from Mozilla. I can't say anything about the statement that Welchering never contacted Mozilla.
Welchering mentioned in the broadcast tech talk that security specialist Sauer tested Firefox Klar on Android. I agree with Mozilla that this is wrong: Firefox Focus (or Firefox Klar, the German product name) isn't available on Android. There is only a Firefox app that can be installed, shipped with the tracking framework. Anybody who has experience with the context of a tech talk sent via broadcast knows that some spoken sentences can be misleading – statements that would not have been found in a written article (the "newspaper" Bleeping Computer is referencing is a broadcasting station, and the "article" is a transcription of the tech talk held by a moderator and a journalist, Welchering).
2nd update: I just spoke with Hermann Sauer – he confirmed that it was his fault during a telephone interview with Mr. Welchering. While he had "Android mobile app is shipped with the adjust tracking framework" in his head, he wrongly told Mr. Welchering that he tested Firefox Klar on Android (that's wrong, because it was Firefox for Android).
But Mozilla's spokesperson, in my reading of the Bleeping Computer article, tries to wave the whole article off as not serious due to the inaccuracies. Pointing to Adjust's privacy compliance page, as the statement published at Bleeping Computer did, is – in my reading – a kind of "white rabbit". OK, Adjust received an ePrivacy seal – but for what? They write about a "legal adherence to European data protection law" – that may be the case. But all communication is SSL-encrypted, so a user can believe that Adjust did everything in the right manner, but he may also refuse to trust. It wouldn't be the first case where anonymized data could be deanonymized. And it wouldn't be the first time that security researchers found issues in "ssl protected software". So, frankly speaking: the whole thing is a black box – and Mozilla and Adjust say "just trust us". The criticism from the tech talk broadcast by Deutschlandfunk and in my article above is: Mozilla should have communicated clearly that Firefox Focus is shipped with a tracking framework, and tracking should have been deactivated by default. But that was not the case – and this issue hasn't been addressed in the Mozilla statement so far.
Postscript: We have had a lot of smoke in this case. I have to sort a few things out and plan to write a further article with more thoughts and maybe insights. Because there is more in store.