In October, we intend to start a gradual roll-out of a set of new privacy-preserving telemetry probes to help us continue combating browser fingerprinting. These probes are subject to our standard data collection policies and telemetry opt-out. We’re also implementing some additional protections for these probes as described below.
First, some background. While we already have strong protections for cookie-based tracking (e.g. Total Cookie Protection), online trackers are adopting alternative ways to track people online. One of the most common ways is browser fingerprinting: combining small individual characteristics about a user’s browser or computer into a unique fingerprint. This fingerprint can be used to identify users across websites and browsing sessions without cookies or IP addresses.
Firefox already offers fingerprinting protection [0], but it’s a difficult problem to address, in part because it’s difficult to get concrete facts about it. We know it occurs, we know many of the characteristics used to uniquely identify users, and there have been some publications that give indicators about which characteristics are the most troublesome in making users unique. But these publications are based on a biased sample, are several years out of date, and have verifiably incorrect (or inapplicable) results, such as navigator.plugins being a purported source of entropy when it has in fact been hard-coded in modern Firefox for over two years [1].
By collecting real-world data in a privacy-preserving way, we intend to find out which Web APIs to modify such that most of our users are no longer unique. Ideally, this means arriving at large sets of users with the same fingerprint. These measurements will help us build effective and robust protections in Firefox against online fingerprinting.
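As an added illustration of the measurement described above (example code, not Mozilla's own analysis tooling): given a set of collected characteristic records, compute how many users are unique and which single attribute, if the corresponding API were made to return a constant, would shrink uniqueness the most. The records are constructed sample data and the attribute names are assumptions for the example.

```python
from collections import Counter

# Constructed sample of fingerprint records; not real telemetry data.
# Each record holds a few of the mundane characteristics the post names
# (screen resolution, CPU core count) plus a timezone offset in minutes.
SAMPLE = [
    {"screen": "1920x1080", "cores": 8, "tz": -300},
    {"screen": "1920x1080", "cores": 8, "tz": 60},
    {"screen": "1920x1080", "cores": 8, "tz": 0},
    {"screen": "1920x1080", "cores": 4, "tz": -300},
    {"screen": "1920x1080", "cores": 4, "tz": 330},
    {"screen": "2560x1440", "cores": 8, "tz": 60},
    {"screen": "1366x768", "cores": 4, "tz": 0},
    {"screen": "1366x768", "cores": 4, "tz": 60},
]

ATTRIBUTES = ("screen", "cores", "tz")


def anonymity_sets(records, attrs=ATTRIBUTES):
    """Group records by the fingerprint formed from `attrs`.

    Returns a Counter mapping each fingerprint tuple to the number of
    records sharing it, i.e. the size of that anonymity set.
    """
    return Counter(tuple(r[a] for a in attrs) for r in records)


def unique_fraction(records, attrs=ATTRIBUTES):
    """Fraction of records whose fingerprint is shared with no one else."""
    sets = anonymity_sets(records, attrs)
    return sum(1 for n in sets.values() if n == 1) / len(records)


def rank_by_impact(records, attrs=ATTRIBUTES):
    """For each attribute, the unique fraction if that attribute were
    removed from the fingerprint (e.g. by making the API return a fixed
    value). Lowest first: the attribute whose removal helps most."""
    impact = {
        a: unique_fraction(records, tuple(x for x in attrs if x != a))
        for a in attrs
    }
    return sorted(impact.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    print("unique with all attributes:", unique_fraction(SAMPLE))
    for attr, frac in rank_by_impact(SAMPLE):
        print(f"drop {attr!r}: unique fraction {frac:.3f}")
```

On this sample every record is unique as collected, while holding the timezone constant leaves only one of eight unique, which is the kind of per-API finding the collection is meant to produce at scale.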
This technical data is not sensitive in the traditional sense: it’s mundane information like screen resolution and CPU core count. However, because bad actors are currently using these same kinds of data points to track users, we are taking a number of additional precautions with the collection:
- not linking the received data to any other telemetry pings and omitting all additional ping metadata, both of which prevent the submission from being correlated to other telemetry data and expanding the scope of disclosure;
- limiting the data retention period to a maximum of 90 days and limiting the access controls for the data to the specific team working on this;
- and, perhaps most notably, submitting the data over Oblivious HTTP (OHTTP) [2] to provide verifiable unlinkability. We already don’t record the IP address used to submit telemetry, but this provides technical enforcement behind that policy, allowing anyone to inspect the code and verify it cannot be linked to the sender.
The meta bug tracking this work is https://bugzilla.mozilla.org/show_bug.cgi?id=1879151. The more noteworthy artifact is our public Decision Brief (https://docs.google.com/document/d/1m_j0BQEprQleRHZ7tVT7mG-krc8UA171GD5Vl6gZbL0/edit), which lays out the reasoning behind doing this collection, the specific questions we intend to answer with it, the alternatives we explored, and the safeguards we are including.
The new telemetry probes respect the existing Telemetry opt-out settings. They can also be disabled individually by setting “toolkit.telemetry.user_characteristics_ping.opt-out” to true. The telemetry collection will not be sent from every client; it will be requested from a random sampling of users. Over time we may expand the collection in order to inform research for developing fingerprinting protections.
[0] https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1720353
[2] https://www.ietf.org/rfc/rfc9458.html