Firefox installer assigns a unique identifier to the browser

[German]Did you know that Firefox registers a unique installer ID in the browser? When someone downloads the Firefox installer from the Mozilla web pages and then installs the Firefox browser, a unique identifier is generated during this process and sent to Mozilla when the browser is first launched. This identifier, called dltoken, is confirmed in a Mozilla bug report. Addendum: Statement from Mozilla added.

Firefox  is considered a privacy browser par excellence, and Mozilla users advertise this accordingly on the Firefox download page, as can be seen below.  Firefox-Download-Seite entsprechend, wie nachfolgend zu sehen ist.

But possibly the Firefox browser is a wolf in sheep's clothing. Blog reader Elim G. emailed me over the weekend to point out this fact (thanks for that), which was first published by Martin Brinkmann on Ghacks.net.

Firefox generates dltoken identifier via installer

If you download the Firefox installer from the Mozilla web pages and then install it, you don't expect it to generate a unique browser identifier. But that is exactly what happens during the installation. That's because Internet users who download the Firefox web browser from the official Mozilla website are given a unique identifier associated with the installer. This identifier is transmitted to Mozilla during the installation and the first execution.

Discussion about Firefox dltoken in the bug tracker

The mechanism is briefly mentioned in the Bugzilla bug tracker – and ghacks.net describes here that the hash value generated this way is unique for each installation.

I tested it

I did a quick test and downloaded the Windows installer from the Mozilla Firefox download page twice in a row. Then I displayed the MD5 and hash values (SHA1) etc. of the two downloads in HashMyFiles (see the following figure).

Although both downloads have an identical file size and were downloaded within seconds of each other, it is immediately apparent in the above figure that the digital fingerprint in the form of the hash values (MD5, SHA1, SHA256, etc.) and the CRC32 value are different.

This means that Mozilla creates a digital fingerprint every time Firefox is installed and actually every time Firefox is started, which could be used for tracking. A user could indeed use a new installer each time a new Firefox version appears. However, most users will use the browser's update function. The identifier assigned during installation would therefore be retained over a Firefox lifetime.

What does Mozilla intend with the identifier?

The developers write that they want to be able to correlate the telemetry IDs with download tokens and Google Analytics IDs using this data. This way they can track which installations result from which downloads. This should provide answers to questions like, "Why are we seeing so many installs per day, but not so many downloads per day?" So actually a noble goal: analyzing download and installation trends. Ghacks writes: The feature is supported by telemetry in Firefox and applies to all Firefox channels.

With me, however, all alarm bells now shrill, because if an installer identifier exists. Firefox is also in the Tor bundle – although they use their own installer. But if they create installations with unique identifiers, then I would not rule out misuse. At least my trust in Firefox has suffered a lot at this point – because I didn't find anything in the privacy policy regarding this identifier. Here you can read that the whole thing can be turned off via opt-out. None of this is transparent.

Statement from Mozilla

Addendum: Mozilla has send me the statement below.

"Every day, people download the Firefox browsers from mozilla.org. There are times when they download it through a third party site. When that's the case, we want to understand which sites new users are coming from and whether they stick around to install Firefox. Understanding this user journey can then help us design a better installation process and improve the experience of new users.

In order to gain this better understanding, we created a download token, i.e. an identifier, that would be associated with the unique download event. This allows us to capture that the download has happened which in turn helps us understand how many installs come through third-party sites and what those sites are. We disclose our "Campaign and Referral Data" in the Firefox Privacy Notice, where we say: "Firefox by default sends Mozilla HTTP data that may be included with Firefox's installer. This enables us to determine the website domain or advertising campaign (if any) that referred you to our download page. Read the documentation or opt-out before installation." That "documentation" link includes a disclosure of the download token and a description of it.

We do not keep the download token with any personally identifying information, and we store the download token in a database that is separate from other telemetry information under  a strict access policy.

If a user is interested in removing their association with the download token they can opt out of Firefox telemetry once they have installed the browser. We delete all of the historical telemetry data that we have collected for that user's Firefox profile, including all records containing the download token. This makes it impossible for us to associate the web site visit with that profile, even for activity that took place before the opt out was specified. Alternatively, users who want to prevent a download token association from ever happening in the first place they can download Firefox from our FTP site at ftp.mozilla.org/pub/firefox/."