[HN Gopher] Each Firefox download has a unique identifier ___________________________________________________________________ Each Firefox download has a unique identifier Author : gslin Score : 173 points Date : 2022-03-17 19:48 UTC (3 hours ago) (HTM) web link (www.ghacks.net) (TXT) w3m dump (www.ghacks.net) | EastSmith wrote: | Dead browser moves. | sciurus wrote: | It's sounds like this is describing the stub attribution feature. | You can read more details at | | https://wiki.mozilla.org/Firefox/Stub_Attribution | | https://bedrock.readthedocs.io/en/latest/stub-attribution.ht... | moonshinefe wrote: | "Principle 4: Individuals' security and privacy on the internet | are fundamental and must not be treated as optional."[1] | | https://www.mozilla.org/en-US/about/manifesto/ | encryptluks2 wrote: | If you tell a lie big enough and keep repeating it, people will | eventually come to believe it. | zagrebian wrote: | How was this principle violated in this case? | kreeben wrote: | It gives Mozilla the opportunity to connect my IP address | with my browser with my Mozilla account. Mozilla needs to bow | down to the US govt and supply them with this information | should they have stored it, if the govt feels they need it. | bayindirh wrote: | > A quick check of Chrome installers returned identical hashes | each time. | | OK, however, are we completely sure that Chrome installer doesn't | generate this token on launch and talk with the mothership? | | This sounds like whitewashing Chrome just to increase the impact | of the article or push Chrome or both. | | Like Chrome is not tracking me in and out of the internet and in | the kitchen making tea and noting its brand and reporting to | Google. | Tijdreiziger wrote: | Chrome has the X-Client-Data header: | https://github.com/bromite/bromite/issues/480 | aftbit wrote: | Of which there are (supposedly) only 2^13 possible variants: | | >Additionally, a subset of low entropy variations are | included in network requests sent to Google. The combined | state of these variations is non-identifying, since it is | based on a 13-bit low entropy value (see above). These are | transmitted using the "X-Client-Data" HTTP header, which | contains a list of active variations. On Android, this header | may include a limited set of external server-side | experiments, which may affect the Chrome installation. This | header is used to evaluate the effect on Google servers - for | example, a networking change may affect YouTube video load | speed or an Omnibox ranking update may result in more helpful | Google Search results. | | https://www.google.com/chrome/privacy/whitepaper.html#variat. | .. | zagrebian wrote: | > This sounds like whitewashing Chrome just to increase the | impact of the article | | I removed ghacks from my RSS reader years ago because that | website tends to sensationalize these stories, and I can't | stand that. | brimble wrote: | Considering that ~everyone was tracking device or installation | IDs before Apple cracked down on it, on iOS, I think it's a | safe bet that ~everyone is still doing it on desktop, and yeah, | generating at install time is probably enough for most use | cases and makes your build and distribution processes simpler. | SahAssar wrote: | The way firefox does it can connect the downloading session | with the running session. You can argue with the value or | validity of that, but it seems like the chrome installer cant | do that, which is nice. | | As for why it's in the article I think it's valuable to include | it since if chrome was doing it too it might be seen as just | "normal", but now it seems even more weird that firefox which | is supposed to be the privacy alternative is tracking something | that google is not. | LordDragonfang wrote: | >OK, however, are we completely sure that Chrome installer | doesn't generate this token on launch and talk with the | mothership? | | That wouldn't give any information about where/when you got the | installer from, which is the topic of this article. Doing so | would be impossible without embedding information in the exe | (which would change the hash). | | While I agree that it's a little weird to specifically note it | for Google of all companies, the relevance to the article is | that Chrome isn't engaging in _this specific type of tracking._ | noobermin wrote: | Mozilla is fast becoming the bad guy even when they are pitched | as the "alternative to google (as in chrome)." This is so | disappointing. | klntsky wrote: | > This will allow us to track which installs result from which | downloads to determine the answers to questions like, "Why do we | see so many installs per day, but not that many downloads per | day?" | | What value does Mozilla see in being able to do that? | Barrin92 wrote: | the reverse case might be more interesting. Many downloads but | few install follow throughs may suggest the installation | process is to cumbersome or something along those lines. | cxr wrote: | The prevailing belief in the industry is that any problem can | be solved with more data, dumpster-grade[1] though it may be. | It's appealing to think that it can be used in lieu of just | making thoughtful decisions. | | 1. https://news.ycombinator.com/item?id=25016532 | ahmedfromtunis wrote: | I have no idea what the actual answer is, but one can image | that they want to understand where are people getting these | copies of ff if they do not download them themselves. | | Why would this be important, again just speculating: to try to | leverage whatever channel this might uncover to distribute even | more copies of the browser. | | Is this ID thing the best way to do it, though? Probably. | foerbert wrote: | Does this even help with that though? Without some further | means of identifying users, what use is there in saying | download#123 got installed x times? Even if you add the | obvious IP information to this, then what? Run GeoIP and say | "oh, interesting" when they do or do not correlate? | | What could they realistically figure out from this that could | help them figure out how people are getting Firefox? | noAnswer wrote: | > but one can image that they want to understand where are | people getting these copies of ff if they do not download | them themselves. | | These people are getting it obviously from their admins! | (Like myself. I push Firefox updates to close to 1000 PCs. I | thought (amongst other things) I'm doing them a favour by | saving them traffic.) They obviously know that! The real | reason they are doing this is simply because they started | collecting data. Now they are hooked and constantly want | more. That is all there is to it. They already identify each | individual installation, so someone on the team said: Let's | identify each download too. | detaro wrote: | > _These people are getting it obviously from their | admins!_ | | That's one possibility. And even if you pretend it's the | only one, it's still interesting how that's distributed. Is | it X admins of 1000-PC orgs, or X*500 people who also | install it on dads PC? | xnx wrote: | This is late-stage Firefox behavior. Like Yahoo in 2012. | marginalia_nu wrote: | This wouldn't be so bad if it wasn't that the entire brand | identity of Firefox is Privacy. | | It's like discovering there's ham in a vegetarian sandwich. When | you ask them they look puzzled and say their focus group was | clear it tastes a lot better that way, besides it's just a little | bit and the bread is vegetarian and there's way more meat in a | Big Mac. | detaro wrote: | This also wouldn't be so bad if people were capable of nuance | instead of acting as if everything involving data were the same | thing. I won't claim Mozilla is in any way perfect, but even as | someone who is very much pro-privacy it is a little bit | ridiculous how much people loose their shit about tiny things | like this and claim there is no difference to what other | trackers do. | [deleted] | Wojakmeme wrote: | Opt-out after tracking already happend? Sounds GDPR violating to | me. | Teandw wrote: | That's not how GDPR works. This isn't gathering personal data, | PII or anything similar so wouldn't fall under the scope of | GDPR. | pbhjpbhj wrote: | IP address can be PII. | | What are they hooking the download tracking code to if not | IPs? | | If you sign up for a Mozilla account, providing PII, are you | saying they then throw away the link between the install and | original download? | gjsman-1000 wrote: | Remember what happened when Firefox OS died? It was forked into | KaiOS, which has become a superior product that actually found a | market. | | I will not mourn the death of Mozilla. When it collapses, may it | be forked and turn into something decent by more competent | leaders who don't give themselves multimillion dollar salaries | and make pointless acquisitions. | soundnote wrote: | But KaiOS is not a high status Cali techie project. | [deleted] | cf141q5325 wrote: | From the linked bugzilla | https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0 | | >One note, in case it's not already clear: The download token | will be available in the telemetry environment, but all web | session data that it is linked to will NOT ever be included in | telemetry, it is being deliberately kept in a separate data set, | and we will be limiting access to the ability to join these data | sets to a small set of people. | | Small set of people? Pls do tell me more | blibble wrote: | how does this get through the MS smartscreen and authenticode | checks? | dataflow wrote: | In fact this _is_ how you get past SmartScreen checks. Windows | freaks out a lot more when it sees the same file being | downloaded by lots of people, but if you make them all | different, then it calms down. | laurent123456 wrote: | As long as the executable is signed (and it must be), and the | company well known, Windows should be fine with it. | whatshisface wrote: | Package manager installations wouldn't have this problem because | everybody gets the same copy of the same binary and associated | files, rights? | Tijdreiziger wrote: | Chocolatey and WinGet don't. | | Looks like Chocolatey gets the binary from download.mozilla.org | [1], while WinGet gets it from download- | installer.cdn.mozilla.net [2] (which looks to be the HTTPS | repository mentioned in the article, thus being exempt from | tracking?) | | [1] https://community.chocolatey.org/packages/Firefox#files | | [2] https://github.com/microsoft/winget- | pkgs/blob/master/manifes... | eikenberry wrote: | This is the difference between a distribution and a simple | package manager. Linux distributions have a more holistic | approach to this and enforce it with checksums, signatures, | reproducible builds, etc. A package manager really only cares | about managing the packages installation, dependencies, etc. | Not the integrity of the packages themselves. | pxeger1 wrote: | Package manager installations are normally built from source by | the distribution maintainers, not downloaded as binaries from | the Mozilla website. So they wouldn't have any "download | identifier", unique or not, in them. | Arnavion wrote: | Yes. Just like with the Audacity kerfuffle some time ago, it's | not a problem for distro packages, only when you get your | binaries from upstream. | politelemon wrote: | Correct and it's just one of many reasons why checksums and | signatures are so important in package managers. There's an | automatic enforcement of privacy and integrity. | gary_0 wrote: | Reproducible builds are important as well. | pxeger1 wrote: | Is the current Mozilla CEO a plant by Google with the goal of | driving Mozilla into the ground as much as possible? I don't | understand how they can keep fucking up their business so badly. | soundnote wrote: | "The simplest way to explain the behavior of any bureaucratic | organization is to assume that it is controlled by a cabal of | its enemies." | wubbert wrote: | Mozilla does get a lot of their funding from Google... | peakaboo wrote: | A download identifier really isn't that bad. Maybe they need to | actually show some numbers of their downloads to justify | budgets and other things. | | It's not like they are having tracking JavaScript on 80% of the | worlds Web sites like someone else I know, starting with | Googl... | paranoidrobot wrote: | Download counts dont need you to embed a unique token. | | At the most basic level, you can get this by doing a count | over http logs. | [deleted] | brimble wrote: | How... does that play nicely with signing and notarization on | Windows and Mac? Asking for a friend :-) | bradyd wrote: | From the dltoken_data_review.md [1]: | | >> 9) If this data collection is default on, what is the opt-out | mechanism for users? | | >> Standard Telemetry Opt-Out | | If you haven't installed it yet, how can you use the standard | telemetry opt-out? | | [1] | https://bug1677497.bmoattachments.org/attachment.cgi?id=9195... | tag2103 wrote: | Oh look- yet another company that has been discovered to be | dishonest in their approach to user privacy. | dmead wrote: | Why? | mindslight wrote: | IMO as market optimization turns the screws ever harder, the | escape hatch is to head towards source distributions. Outrage | articles are only necessary because people have come to rely on | these monolithic binary downloads with their "channels" and | "installers" and "auto updaters", that are gatekept by | centralized entities like Mozilla. Whereas if say the source | tarball used by Nix is engaging in similar shenanigans, that is | fixable with a self-applied patch rather than needing to convince | Mozilla to change. | russdpale wrote: | The state of web broswers is so pathetic I wish the government | would step in and limit the amount of out right spying that is | going on. We have created an entire society which thinks that so | long as the data is simply 1 degree removed from anonymity, that | everything is ok. | | Privacy is largely a mirage, where are our representatives to | protect our privacy when the "free" market cannot, and indeed | will not, do it for us? | fleddr wrote: | "Mozilla notes that the opt-out mechanism is the standard | Telemetry opt-out. How users may opt-out before the installation | of Firefox is unclear." | | As dry as German humor gets :) | gjsman-1000 wrote: | I hate WebKit and Blink's domination as much as anyone, but | rather than put up a strong fight, Firefox is _begging_ to lose. | | And unfortunately, I can't help but admit that Firefox _deserves_ | to lose (not just from this, but from other terrible decisions | added up), even if the consequences of a web monoculture are | terrible. | noobermin wrote: | How much of the drama of the last three years can be laid | squarely at the feet of the CEO who gave themselves a raise | right when they laid off the MDN staff? | car_analogy wrote: | Suppose you want to do something anonymously. | | 1. Download installer from Mozilla from your home network - | Mozilla now has your home IP and installer ID. | | 2. Transfer it via USB key to a secure, anonymous computer - one | not linked to you, on a network not associated with you, such as | public WiFi. | | 3. Install Firefox using that installer on said computer. It | transmits the installer ID to Mozilla, which matches the one | given to your home IP, thereby deanonymizing you. | | 4. Mozilla receives a warrant for this information, or it is | hacked, or the organization is infiltrated by a single government | or corporate spy. | | Edit: It gets worse. Suppose a newspaper IT department takes care | of providing Firefox and other trusted software installers to | their reporters. Now Mozilla can determine who that newspaper | helped with IT, such as journalists or sources. Or if you provide | trusted software to your friends, Mozilla gets part of your | social graph. | zagrebian wrote: | > Mozilla now has your home IP | | Since when does Mozilla collect IP addresses? | car_analogy wrote: | Any connection to Mozilla's servers reveals your IP to them. | Given the amount of telemetry in Firefox, it's foolish to | assume they don't log these IPs. And in either case, they | could be legally compelled to. But afaik, under US law, they | cannot be compelled to subvert their software, e.g. to add | such spyware features if they were not already present. | zagrebian wrote: | Why would Mozilla need the IP address? It doesn't seem | useful for their telemetry. | idiotsecant wrote: | They had to serve you the file, for which they needed your | IP. If they're willing to assign each downloaded client a | unique ID what are the odds they are _not_ storing the IP | address associated with that unique ID? | zagrebian wrote: | Why would Mozilla need the IP address? | bobkazamakis wrote: | ...to respond to requests to their server? you can't | establish a tcp connection without both ends. | car_analogy wrote: | Why would they need installer IDs? The question is if | they collect it, not if they need it, and all their other | behavior suggests that they do collect it. | zagrebian wrote: | The article explains why: to figure out why there are | more installs than downloads. | kreeben wrote: | Playing your game, why would Mozilla need to know this? | Zircom wrote: | They can probably reach the same conclusions about why | there might be more installs than downloads by thinking | about it for maybe 5 seconds instead of tracking people. | | Easiest explanation off the top of my head, without | reading the article, would be IT departments including | Firefox in their base image they use on all their | standard issue computers, resulting in hundreds and | possibly thousands of different installs having the same | download ID. That alone by itself would cause an | absolutely massive discrepancy between download and | install numbers. My company includes Firefox in our base | image and it's on at least 200,000 different laptops and | desktops, with a handful of different download IDs | between them depending on when they got issued the | computer. | KennyBlanken wrote: | You seem to be unaware that intelligence services have been | hoovering up internet traffic wholesale for decades, and that | telcos do it internally as well. Verizon's "supercookie" is a | great example. | zagrebian wrote: | But Mozilla is not a government agency or a telco. | foerbert wrote: | Are government agencies somehow restricted to compromise | telcos but not any other organization? | systemvoltage wrote: | I can't remember exactly but Apple also does this with apps. | "Downloaded from ...". | dylan604 wrote: | Isn't that just storing the domain name from which served the | file? I actually find this useful for those times when I | can't remember where a file came from but need to use the | site again. Having that data in a Get Info windo has been | useful and faster than web searching. | weikju wrote: | Except this is an attribute saved on the file locally on your | system, added by your browser when you download it, not | something that Apple stores on their servers and tracks. | Nbox9 wrote: | What's your point, that someone can attempt to do something | anonymously and fail? | car_analogy wrote: | My point is that they failed only because they were betrayed | by the free software tool they thought they could trust. | encryptluks2 wrote: | No the point is that Mozilla is dishonest about their causes | and consistently take actions that are hostile to user's | privacy. | hosteur wrote: | How is this not a blatant violation of EU GDPR? | | This is involuntary non informed tracking. | woodruffw wrote: | My understanding of the GDPR is that it doesn't apply if the | analytics are fully anonymized, and only partially applies if | the analytics are pseudonymous[1]. It's exceedingly likely that | one of these cases applies, since the ID in question is tied to | a single Mozilla _installation_ , not individual user or even | browser profile. | | [1]: https://www.ucl.ac.uk/data-protection/guidance-staff- | student... | kbelder wrote: | Firefox users who prefer to download the browser without the | unique identifier may do so in the following two ways: | Download the Firefox installer from Mozilla's HTTPS repository | (formerly the FTP repository). Download Firefox from third- | party download sites that host the installer, e.g., from | Softonic. | | It's nuts and another indication Mozilla doesn't understand the | reason they exist, but it's not that hard to get around... if | you're one of the 0.1% that hears about this. | [deleted] | freediver wrote: | Zero telemetry is the only way to go for a modern browser with a | sense of decency for the web and the users. | | I invite everyone on a Mac to try and support Orion browser - | zero telemetry by default. | layer8 wrote: | > This will allow us to [...] answer questions like, "Why do we | see so many installs per day, but not that many downloads per | day?" | | That's really not something they should spent much time puzzling | over, much less implement tracking IDs for. | knodi wrote: | wtf Mozilla, why are you making me stop using you? | seba_dos1 wrote: | As if there was any serious alternative that wasn't much worse. | tick_tock_tick wrote: | I mean if they both are going off the deep end for tracking | chrome is faster and a ton of developers seem to only care if | it works on chrome.... | seba_dos1 wrote: | Well, Firefox' tracking is usually meant for determining | things like where did the installer came from and | collecting feature usage data, while Google's is all about | building marketing profiles to sell targeted ads. You | decide how bad each of them is. | [deleted] | idonotknowwhy wrote: | So downloading from the arch Linux repo via pacman, I don't have | a unique ID? | encryptluks2 wrote: | No, but unless you go tweak a bunch of things you are still | sending your information to Mozilla. Also, they've had a few | "convenient" bugs that reverted privacy settings in the past. | gandalfff wrote: | I don't really understand telemetry. How is Google Analytics | helping them to improve the browser? Is it to see which features | are actually being used? | brimble wrote: | Imagine you could stick a camera over your users' shoulders, | mostly without them knowing you're doing it, instead of doing | actual user research. | | That's what the stuff's for. Some of the tools for these things | record entire sessions, including mouse movements. It's creepy | as hell and even the tamest of "telemetry" 100% would have | gotten something classed, unambiguously, as spyware, in the | distant past of ~15-20 years ago. | emerged wrote: | They ignore their users in all other aspects so it seems | unlikely to be driven by that. | gjsman-1000 wrote: | How much R&D do you think Firefox squandered on making a custom | installer generator for every download and being unable to cache | the files on a cheap CDN? | oh_sigh wrote: | Not much? I did exactly this when I worked on a really popular | P2P file sharing client (at one point estimated to be installed | on >15% of all PCs worldwide). It even improved our actual | installs, but that is probably about just using an ultralight | weight installer rather than having a tracking ID integrated | into it. It literally took me a week. Granted, things were | really fast and loose back then. It would probably take me 2 | years and a team of engineers to do a similar thing at my | current FANG job. | ordu wrote: | They seem to be trying to gather a lot of telemetry to measure | how they can boost popularity of Firefox. I wonder did they tried | to measure how the measurement itself influences popularity? | Social measurements are like quantum ones, they change reality. | | There was a funny story of a Hawthorn Experiment[1], which tried | to find ways to boost productivity but at the end managed to | state just that the very attempt to conduct an experiment boosts | productivity. It seems to me that with Mozilla the effect has a | opposite sign and any attempt to measure decreases the target | variables of decision making. And therefore they need to find | ways to measure "non-invasively", not to measure every little | thing they can measure. | | [1] https://en.wikipedia.org/wiki/Hawthorne_effect | delusional wrote: | I think the physical analogy you're thinking about is "the | observer effect"[1]. And it's actually a pretty much universal | problem in physics, not just quantum mechanics. | | [1]: https://en.wikipedia.org/wiki/Observer_effect_(physics) | threatripper wrote: | Maybe they just kind of forgot how to make good software and | now desperately try to recreate that magic using loads of | metrics and social experiments leading to loads of competing | interpretations and infighting. | causality0 wrote: | Well they've spent a decade trying the "be more like Chrome" | method. I suggest they try the "be more like Firefox from when | Firefox was successful" method. | LordDragonfang wrote: | Firefox was successful when it was the alternative, better, | option to the dominant Internet Explorer. Now the dominant | browser is Chrom(e|ium). The two scenarios are _very_ | different. | causality0 wrote: | Precisely. Firefox is never going to defeat Chrome in the | "being Chrome" category. If it wants to exist as more than | a tool for Google to avoid antitrust lawsuits, it can't | keep playing that game. It has to differentiate. Privacy is | not differentiation because it's invisible and HN | commentators are 90% of the people who care about it. I | want the sense of power back. I want the feeling that | Firefox gave me a decade ago that my browser behaved | _exactly_ the way I wanted it to and _nothing_ about it | ticked me off because if I didn 't like it I could just | change it. | | Nowadays using Firefox feels more like holding a political | demonstration in an empty room than using the finely-tuned | instrument I once had. | function_seven wrote: | > _Nowadays using Firefox feels more like holding a | political demonstration in an empty room than using the | finely-tuned instrument I once had._ | | I can't think of better words to describe my feeling as a | Firefox holdout. It's still my default browser, and the | one I use for 97% of my work. Mozilla is breaking my | heart with their floundering. Like a fantasy author who | keeps getting mired in side quests and can never get back | to the main plot. | | Stop with the goofy marketing tie ins, the hostile | telemetry choices, the side products like Pocket and VPN, | and just make a fucking browser that doesn't attempt to | hide complexity from the user. Focus on that, do yearly | fundraising like Wikipedia does, and be content. | rurp wrote: | > They seem to be trying to gather a lot of telemetry to | measure how they can boost popularity of Firefox. | | This might sound like a crazy idea, but they could always try | listening to users! Everytime I get annoyed by something in | Firefox and try to find a fix for it, I find a _lot_ of people | with the same issue across HN, Reddit, the Mozilla forums, etc. | There is rarely any sign that a decision maker from Mozilla | cares one bit. But rather than listening to the many vocal | complaints, suggestions, and other copious public feedback... | they add a unique download identifier. Ok then. | | I really, really hope that Mozilla gets new management before | it's too late (if it's not already). | estaseuropano wrote: | That seems like a very harsh interpretation. Very few people | will care whether their specific download is tracked. I do | honestly wonder how that adds vakuento Mozilla, but no one will | _not_ use Firefox due to this- especially as every single | alternative is much worse than Firefox on such metrics. | rkagerer wrote: | How long has it been that way? | cf141q5325 wrote: | https://bugzilla.mozilla.org/show_bug.cgi?id=1677497 Its from a | year ago | lostgame wrote: | Okay, first the stupid fucking 'Turning Red' advertisement that | dared to call itself 'adorable', and now this? | | Seriously, does FireFox hate itself, or just hates it's dwindling | but loyal user base? | | We used to use Firefox because they _didn't_ do shit like this. | | I actually deleted Firefox after about 15 years of loyal use | after the 'Turning Red' incident. Glad to hear I made the right | call. | | I've been using Safari and have no regrets. | | Goodbye, Firefox. Good riddance, if this is how you'll behave. | | It's sad to watch the dream of a mainstream open-source browser | that wasn't evil vanish. | | We will need something else, but I don't see huge potential | adoption for anything. | | It was hard enough to get people to swap browsers in the 00's, | it's gonna be way harder with each platform pushing its own pre- | installed browser. ___________________________________________________________________ (page generated 2022-03-17 23:00 UTC)