Firefox Focus

A Mozilla spokesperson has denied a report from German newspaper Deutschlandfunk that the Foundation is collecting personal user data from iOS devices running Firefox Klar, the German version of Firefox Focus, a new privacy-focused browser launched last year.

The accusations were made in an interview with Deutschlandfunk by German security researcher Peter Welchering, who said Mozilla was collecting personal user details and then sending the data to a third party, a local German data aggregation company named Adjust GmbH.

The researcher says the data collection feature is disguised under the "Send anonymous usage data" option in the browser's settings section, which comes enabled by default for all new users.

Welchering and another researcher, Hermann Sauer, said they analyzed the app and discovered that some of this data sent to Adjust is not anonymized and includes personal user details.

The two have not specified in depth what exact details the browser collects, which makes their accusations look a little bit shallow, but were adamant "the collection of personal user data is quite extensive" (translated text).

Mozilla has nothing to hide

In a support page detailing data collection practices on mobile devices, Mozilla openly disclosed when and what data it collects from users. Mozilla even disclosed its relation with Adjust, admitting that all data is sent and saved to Adjust's backend, and not Mozilla's.

According to Mozilla, Firefox Focus includes the Adjust SDK, and this SDK is also included with Firefox for Android, Firefox for iOS, and Firefox Klar, the German version of Firefox Focus.

For a new install, the application sends an anonymous "attribution" request to the Adjust servers. This request describes how the application was downloaded, for example, whether it was downloaded directly via the App Store or through a marketing campaign link. The data includes an advertising ID, IP address, timestamp, country, language/locale, operating system and app version.

Firefox for iOS, Firefox Focus, Firefox Klar and Android will also occasionally send anonymous summaries about how often the application has been used. These summaries only include information regarding whether the app has been in active use recently and when.

Additionally, Firefox Focus and Firefox Klar will also report what features of the application are being used. They will send an anonymous report containing the specific filters being selected and a count of how many times the search, browse and erase buttons are pressed.

According to Mozilla's support page, the only somewhat "personal" detail the SDK collects is the user's IP address at installation time. The rest is the type of data you'd expect, and that we've seen other software products collect in the past, with a focus on how users interact with the apps.

German blogger Günter Born has thrown fuel on conspiracy theories that Mozilla was doing something shady when he pointed out that Mozilla's announcement for Firefox Focus included an image that was cut off right above the data collection feature, which was enabled by default, as if to hide it.

Firefox Focus settings section (as in Mozilla blog post)

Firefox Focus settings section (full view, via Günter Born)

Mozilla launched Firefox Focus in mid-November 2016 as a bare-bones browser that comes with default features that block ad trackers, analytics trackers, and social media tracking code. Firefox Focus is currently available only for iOS devices.

Mozilla says report contains major factual errors

Bleeping Computer has reached out to Mozilla for comment on the accusations and a Mozilla spokesperson said the German newspaper's report contained major factual errors.

"Like most web browsers, Klar keeps a local copy of your browsing history during a browsing session. [...] This browsing history does not get sent to Mozilla or Adjust through the Adjust SDK," Mozilla says.

"To deliver great products for our users, we need to understand how our product is working and how successful we are. The Adjust SDK allows us to measure installations and interactions with the browser," the spokesperson added.

Regarding the reasons why Mozilla is collecting user data, the organization said that "Klar as a browser is a new product with the need for early market fit validation. We decided to take an opt-out approach to gain insight from a diverse group of users about their first interactions with the product. We believe such approach helps us gather usage information as unbiased as possible to really understand how Focus is being used and consequently can be improved."

The fact that Mozilla had previously publicly disclosed its data collection practices and that the researchers didn't present concrete evidence about what "personal details" Firefox Klar was collecting makes this report unreliable.

Until the two researchers reveal what they found in more depth, Mozilla doesn't appear to be guilty of anything outside enabling this usage data collection feature by default.

Update: Article updated on February 13 with a new official statement from Mozilla.
