Intent to Ship: 3rd Party Install Tracking


Mark Finkle

Mar 18, 2015, 2:29:32 PM
to mobile-fi...@mozilla.org, dev-platform
We wanted to start some transparency around a new integration coming to
Firefox on Mobile [1]. We are planning to integrate a 3rd party install
tracking SDK from a company called Adjust [2] which will send data,
possibly device identity data [3], to a 3rd party server. We don't do this
very much at Mozilla so we wanted to be proactive about messaging.

There are good reasons for wanting to collect the data. Our marketing and
growth goals for 2015 will require spending non-trivial amounts of money.
The data will help us spend the money responsibly and efficiently.
Advertising metrics on Mobile is not as simple as some Desktop systems. On
Desktop, we can do most of this using the download links on our web pages.
Mobile installs come from App Stores, and it's harder to integrate into
those systems.

This is Mozilla, so we are worried about integrating the SDK from a privacy
and tracking concern. The goal is to limit the data to non-PII sensitive
information and we'll only allow the data to be pushed once, on an
INSTALL_REFERRER intent [4] sent when Firefox for Android is first run
after being installed from the Play Store, and only when the install is
coming from an advertising campaign. No other data will be sent at any
other time. Normal installs from the Play Store would not have any data
collected.

We still need to audit the open source SDK to see exactly what data is sent
and how it's collected. We also have started doing a security/privacy/legal
audit of the vendor and their collection/storage practices.

Just a note, this is not the first attempt to add such 3rd party data
collection to Firefox on Mobile. The other attempts did not happen because
we found flaws in the systems or the system failed to meet our concerns
about privacy. The proposed system seems to have a decent chance of passing
our audits around privacy and security, so it's time to open the discussion
to a wider audience.

Here are some other notes about the Adjust system:

* This is an open source SDK, fully transparent, based in Germany, widely
adopted and regarded, beholden to the strictest EU privacy standards.
* We will collect the absolute minimum data, once, to measure for install.
We’ll know exactly what data is being passed.
* We’re paying for the SDK and service, which is good because the vendor's
model is not based on monetizing our data in aggregate to develop
behavioral segments for other advertisers.
* This will allow real-time optimization of marketing dollars, much like
virtually all major mobile apps do, and much like we have already been able
to do on paid marketing desktop for quite some time.
* We'll likely use this system until we can figure out how to do it by
ourselves, in house. Until then, we need to be pragmatic.

This is just a heads up email. We want the effort to be open and
transparent. Questions and comments welcome.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1143888
[2] https://github.com/adjust/android_sdk
[3] The SDK requires the use of the Google Advertising ID to uniquely track
the device
[4] https://github.com/adjust/android_sdk/blob/master/doc/referrer.md
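As an added illustration of the gating rules this message lays out (the code is not Mozilla's, Adjust's, or from the thread), here is a Python model of the decision an install receiver would make: report at most once, only on INSTALL_REFERRER, only when the referrer shows an ad campaign, and send nothing but the advertising ID. It assumes Google's `utm_*` campaign-tracking parameters are what marks a campaign install, and uses a plain dict in place of Android's persistent storage.

```python
# Constructed model of the once-only, campaign-only install report described
# in the thread. Not Mozilla's or Adjust's code; the utm_* keys follow
# Google's campaign tracking format.
from urllib.parse import parse_qs, unquote

# Assumption: an install counts as campaign-driven when the referrer carries
# both of these Google campaign tracking parameters with non-empty values.
CAMPAIGN_KEYS = ("utm_source", "utm_campaign")


def parse_referrer(referrer):
    """Decode the `referrer` extra of the INSTALL_REFERRER intent into a dict.

    The Play Store delivers it URL-encoded, e.g.
    'utm_source%3Dadnet%26utm_campaign%3Dspring2015'; a plain Play Store
    install delivers nothing usable (empty or absent).
    """
    if not referrer:
        return {}
    pairs = parse_qs(unquote(referrer), keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}


def is_campaign_install(params):
    """True only when every campaign key is present and non-empty."""
    return all(params.get(key) for key in CAMPAIGN_KEYS)


class InstallReporter:
    """Builds the one-time install report, or refuses to.

    `state` stands in for persistent app storage (SharedPreferences on
    Android); the flag it holds is what keeps the report once-only across
    process restarts. `sent` is an audit log of every payload the reporter
    ever produced, so a reviewer can confirm exactly what left the device.
    """

    def __init__(self, state=None):
        self.state = state if state is not None else {}
        self.sent = []

    def on_install_referrer(self, referrer, advertising_id):
        """Return the payload to send, or None when nothing may be sent."""
        if self.state.get("install_reported"):
            return None  # already reported once: never again
        params = parse_referrer(referrer)
        if not is_campaign_install(params):
            return None  # normal Play Store install: collect nothing
        self.state["install_reported"] = True
        # Minimum data: the Google Advertising ID alone. No FHR/Telemetry
        # fields, no profile data, no campaign string (the vendor matches
        # the ID to the campaign on its side).
        payload = {"gps_adid": advertising_id}
        self.sent.append(payload)
        return payload


def simulate():
    """Run the cases the thread discusses and return their outcomes."""
    adid = "00000000-0000-0000-0000-000000000000"  # constructed, not a real ID
    campaign = "utm_source%3Dadnet%26utm_campaign%3Dspring2015"
    reporter = InstallReporter()
    first = reporter.on_install_referrer(campaign, adid)
    second = reporter.on_install_referrer(campaign, adid)  # same device again
    plain = InstallReporter().on_install_referrer("", adid)
    # A network that overrides the campaign URL leaves no utm_* keys behind,
    # which is the limitation the thread gives for an in-house approach.
    stripped = InstallReporter().on_install_referrer("click_id=xyz", adid)
    return {"first": first, "second": second, "plain": plain,
            "stripped": stripped, "total_sent": len(reporter.sent)}


if __name__ == "__main__":
    print(simulate())
```

The `sent` list is the part worth keeping in a real integration: an on-device record of every payload ever handed to the SDK is what lets an audit check the "only the advertising ID, only once" claim against what actually happened rather than against the vendor's documentation.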

kgu...@mozilla.com

Mar 18, 2015, 2:49:50 PM
On Wednesday, March 18, 2015 at 2:29:32 PM UTC-4, Mark Finkle wrote:
> There are good reasons for wanting to collect the data. Our marketing and
> growth goals for 2015 will require spending non-trivial amounts of money.
> The data will help us spend the money responsibly and efficiently.

> We still need to audit the open source SDK to see exactly what data is sent
> and how it's collected. We also have started doing a security/privacy/legal
> audit of the vendor and their collection/storage practices.

These two statements to me imply that (1) we don't have a clear idea of what data we *want* in order to help us make spending decisions and consequently (2) we are free to pick a 3rd party provider which provides as-yet-unknown amounts of data, with the assumption that it will give us what we want.

It seems to me that when doing something as privacy sensitive as this we should probably figure out exactly what data we want to collect *first*. Then, if and only if we can't collect it using in-house code, we should consider going with a third party service. Thoughts?

kats

Mark Finkle

Mar 18, 2015, 3:08:29 PM
to kartikaya gupta <kgupta@mozilla.com>, dev-platform
Good points. I can clarify a bit:

1. We only need to send enough data to allow the 3rd party vendor to
associate an install with an ad campaign. We believe that should only be
the Google Advertising ID. And we should only need to send this ID when
launching an install that occurred from an ad campaign. We have been doing
this via the Google Campaign Tracking [1] system, which we convert to
Mozilla Distribution IDs. We can't do that with any of the important Mobile
Ad Networks because they strip (or override) the Campaign Tracking URL sent
to Firefox via the INTENT_REFERRER intent.

A side note: The Google Advertising ID should also allow the Ad Engine to
optimize the way Firefox ads are served to various ad networks too. This is
the "using our money efficiently" part.

2. The vendor and SDK allow for collecting more data. The SDK supports
mechanisms that mirror Mozilla's FHR and Telemetry data collection systems.
We do not want any of these systems or data to be collected and sent, even
accidentally. The audit of the SDK and a discussion with the vendor will
help us lock down parts of the SDK we do not want to activate.

All that said, we are continuing to audit and discuss with the vendor to
make sure our assumptions are valid.

[1] https://developers.google.com/analytics/devguides/collection/android/v4/campaigns

Mark Finkle

Mar 18, 2015, 3:12:28 PM
to Gupta, Kartikaya, dev-platform
On Wed, Mar 18, 2015 at 2:49 PM, <kgu...@mozilla.com> wrote:

>
> It seems to me that when doing something as privacy sensitive as this we
> should probably figure out exactly what data we want to collect *first*.
> Then, if and only if we can't collect it using in-house code, we should
> consider going with a third party service. Thoughts?
>
>
I should have called this out more explicitly: Right now, even though we
can collect the Google Advertising ID ourselves (and maybe we should use it
for the FHR persistent ID since it's the same across installs and
profile-resets) we can't connect to the Ad Networks and be able to figure
out for a given Google Advertising ID, from which ad campaign was Firefox
installed. Mozilla does not yet have any linkage into the Ad Networks.
Maybe someday.

Robert Kaiser

Mar 19, 2015, 9:22:56 AM
Mark Finkle wrote:
> and maybe we should use it
> for the FHR persistent ID since it's the same across installs and
> profile-resets

I think it's a *very* bad idea privacy-wise to use the same ID across
different data collection services as that opens up all the scary
cross-system-user-tracking scenarios that we warn people of in other cases.
For that same reason, I think everything that wants a per-install ID
should have a separate one that is independent of any other
per-install ID for any other data collection mechanism.

KaiRo

Mark Finkle

Mar 19, 2015, 6:24:10 PM
to Robert Kaiser, dev-platform
Valid point.