Each Firefox download has a unique identifier
Internet users who download the Firefox web browser from the official Mozilla website get a unique identifier attached to the installer that is submitted to Mozilla on install and first run.
The identifier, called dltoken by Mozilla internally, is used to link downloads to installations and first runs of the Firefox browser. The identifier is unique to each Firefox installer, which means that it is submitted to Mozilla whenever it is used.
While it is possible to download new installers each time a new Firefox version is released, it is also possible to use the downloaded installer again for that purpose.
A bug report on Mozilla's official bug tracking website confirms the use of the download token. The linked document is not public, but the listing itself confirms the use and provides an explanation on why it has been implemented:
This data will allow us to correlate telemetry IDs with download tokens and Google Analytics IDs. This will allow us to track which installs result from which downloads to determine the answers to questions like, "Why do we see so many installs per day, but not that many downloads per day?"
According to Mozilla's description, the identifier is used to analyze downloading and installation trends among other things.
The feature is powered by Telemetry in Firefox and it applies to all Firefox channels.
Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different. A search for dltoken using any hex editor reveals the string in the Firefox installer.
Firefox users who prefer to download the browser without the unique identifier may do so in the following two ways:
- Download the Firefox installer from Mozilla's HTTPS repository (formerly the FTP repository).
- Download Firefox from third-party download sites that host the installer, e.g., from Softonic.
The downloaded installers do not have the unique identifier, as they are identical whenever they are downloaded.
Mozilla notes that the opt-out mechanism is the standard Telemetry opt-out. How users may opt-out before the installation of Firefox is unclear. A quick check of Chrome installers returned identical hashes each time.
Now You: how useful do you think is the information to Mozilla? (thanks PMC for the tip)
Thanks, for all of the valuable information that you provide!
It is their stab at killing the TorBroswer anonymity which relies on FF
I’m curious where it’s stored on the system after install. It doesn’t make sense to store it in a profile since that could be wiped, so it must be located in the installation folder or ProgramData or in the administrator account or something. ?
Moreover, the GUID is embedded in a UPX-compressed executable file and is the ONLY difference, yet the files’ digital-certificates still validate, as do their CRCs. How? ? Are they generating the GUIDs to have collisions?
It seems that getting Firefox from GNU/Linux repos (Debian, etc.), doesn’t come with unique IDs.
Thanks, Martin. Yes, I got version 98.0.1 from that webpage and installed it, and I have now downloaded the new V98.0.2.
(And yes, I now have a sore finger from scrolling — why don’t they reverse the order?. And why are the dates ‘Last Modified’ missing?)
* QUESTION 1: But should I have first uninstalled Firefox (preferably with Revo Uninstaller), then reinstalled Firefox and configured its settings and extensions again?
* QUESTION 2: And will I need to repeat this uninstall–reinstall with each new version of Firefox?
You could turn off Telemetry in the settings, as this prevents the sending according to Mozilla.
I have already done this. In fact I have already followed all the steps that Sven Taylor advises in https://restoreprivacy.com/firefox-privacy .
All I want to know is, to avoid the unique identifier:
* Do I have to uninstall and reinstall Firefox (and then reconfigure settings and extensions)?
* Do I have to repeat this at every update?
Hi Fred, you can download it from here: https://ftp.mozilla.org/pub/firefox/releases/
Just open the folder with the version that you are interested in. Happy scrolling.
Martin, could you also update your article with straightforward recommendations for non-techies about how to download and install Firefox without the identifiers. Do I presume that this new installer would need to be run only after a full uninstall of Firefox?
There is a great deal of informed techie discussion here, but it is hard for non-techies to follow, and some simple instructions would be very welcome.
(By the way, the most recent Softtonic download is V96.0, whereas Firefox is now at V98.0.1. After some searching, every download that I looked at either had an old version, or a very old version, or didn’t say what version it had, apart only from filehorse.com, which had V98.0.1. Is that site safe?)
Wow, even EVIL Google doesn’t track user installations with a unique identifier.
Mozilla is getting EVILER everyday.
Hopefully, when Mozilla dies, someone will continue developing Firefox, while firing the woke developers who are ruining the browser.
@Tom Hawack said on March 17, 2022 at 5:45 pm
// RESET IDs AT START
clearPref(“toolkit.telemetry.cachedClientID”);
clearPref(“browser.newtabpage.activity-stream.impressionId”);
Where is “clearPref” values, in user.js file or is it in some other file? Is Firefox Autoconfig an extension?
Martin, please update this article if solutions come about to disable “dltoken” __after__ installing. Thank you.
Alright…
What alternative do you guys have for Firefox Sync Server?
YOUR FF 10000.1B HAS SECURITY HOLES TOO, THAT WILL BE FIXED IN FF10000.2, WHICH WILL HAVE SECURITY HOLES THAT WILL BE FIXED IN FF …. WHAT’S TE DIFFERENCE WHICH HOLE MAKES YOU COMPROMISED? THE ONE PRESENT IN FF51 OR THE ONE IN FF102?
> I am still using the last best vrsion of Forefox 51 …not changing it any time soon.
Sounds like you never heard about SECURITY FIXES. Enjoy your compromised box.
Yeah, let’s get in for more of the same; one more time, again and again, and again and ….. !
I am still using the last best vrsion of Forefox 51 …not changing it any time soon.
@JonSnow
Perhaps you should consider Waterfox Classic (based on Firefox 56). Thank me later.
https://classic.waterfox.net/
They patch security issues at least.
Unfortunately, many sites break compatibility through JavaScript features like lack of catch binding.
Well, Firefox being Firefox removed Yandex and Mailru as search providers imagine using a browser that promotes censoring, de-platforming and full in bed with Google and their half billion dollars.
So that should be a reason not to even try to download Firefox and see if you get different hashes or not.
Clown company managed by clowns people in a clown world.
Wow what a fantasy, they have censored and deplatformed nothing. They wrote an article,that’s it.
Facebook,Twitter & Youtube do that all the time. The thing to note is Youtube is owned by Google
who also produce Chrome. You’d think people would stop using Chrome because of the banning &
censorship on youtube ,not so it seems.
The Beast stumbled in the dark for it could no longer see the path. It started to fracture and weaken, trying to reshape itself into the form of metal.
Even the witches would no longer lay eyes upon it, for it had become hideous and twisted.
The soul of the Beast seemed lost forever.
Then, by the full moon’s light, a child was born; a child with the unbridled soul of the Beast that would make all others pale in comparison.
—?from the Chronicles of the Pale Moon, 24:2
I’d like to know too. In France we’re far from it, even for adult contents they want website to check the age of a visitor with a certified method, but they don’t tell them how.
Another minus Mozilla!!!
I just downloaded Firefox Setup 98.0.1.exe from the main site (not FTP repository). and uploaded it to Virustotal but the file was already scanned, first submitted about a week ago. So I guess it is not completely unique.
I downloaded again using Tor, that one had a different SHA1 and was NOT already scanned by VirusTotal.
yea same, download from firefox have know hash but from tor have unique hash, strange..
i downloaded the whole firefox Firefox Setup 98.0.1.exe 53mb from their site
What if someone gets their Firefox software from the repos of a GNU/Linux distro – like Debian or Ubuntu for example? Would those packages also have a unique ID?
Firefox is now forced on Ubuntu users the Snap package version, and it has been super strange, almost like some kind of virus, buggy and crashes (maybe intentionally so they can fetch some extra “crash data”?), I removed it and installed ESR using the ordinary installer package, better.
Hi. I never liked Snaps all that much. I prefer the repos, then Flatpaks, then AppImages, in that order.
Windows 64-bit, English (US), on both Stable and ESR
https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
Name: Firefox Setup 98.0.1.exe
Size: 55528896 bytes (52 MiB)
SHA256: 340b13d52f3987ebb1c01b66cd389d26d5fa13db225f6dc135c3b4a8cca781b1
SHA1: 5dcdb1e5ee9172b78510fc9fc1ce2a759b09201f
https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr
Name: Firefox Setup 91.7.1esr.exe
Size: 55985512 bytes (53 MiB)
SHA256: 872449f18479088b2cb33ba5f3e91296c071de30e3a1ffed4c5a50dc3a27f67e
SHA1: 4c00b46b2a7a685801eaf6bdece68484338390b0
I can’t reproduce it on this page. I am not defending this behaviour, rather providing another potential solution. I have tried downloading it twice, using two different devices, running different operating systems and different browsers, on different ISPs. I always get the same file. You may want to check your downloads against mines, and if they match, it means this page is not distributing the moodified installer. I do wonder exactly what is modified, the reason why I tried this is that I wanted to see exactly what is different.
I have tried some TOR exit nodes:
Name: Firefox Setup 98.0.1_germany.exe
Size: 55528896 bytes (52 MiB)
SHA256: 2d8164d547d8a0b02f2677c05e21a027dc625c0c1375fd34667b7d039746d400
SHA1: 71302acbee6895b84cf0dfae99050926f2db59ef
Name: Firefox Setup 98.0.1_austria.exe
Size: 55528896 bytes (52 MiB)
SHA256: a139a45dd5737ab981068ca2596b7fdfde15e5d4bc8541e0a2f07a65defd3e4e
SHA1: 28630a0aababa162ca9e7cbca51e50b76b9c3cff
I have labeled the file for the corresponding country of the exit node.
I’ve also ran the fc command of each file against the original one, and again between themselves:
https://pastebin.com/XZnGtJue
The dirrefences between the tampered files themselves is smaller than it is betweeen the original and a tampered one, so a part of the UID is similar.
Extracting the archives results in the exact same content as the original file:
Folders: 11
Files: 86
Size: 217733346 bytes (207 MiB)
SHA256 checksum for data: b70eb1850d03d0bc4c1a8c4a0de6027268a2a47a3210aeda422c4f12cd1941b8-0000002B
SHA256 checksum for data and names: de9b5e07b1c373fc0e4a84aae9137eea2ca03d9e7da0e7887bb80c06df0369b9-0000002C
SHA1 checksum for data: 62f4440f5bf05a94d740b8842b2102583bd74240-0000002B
SHA1 checksum for data and names: 749b1df2713ab4be3b50c5acf0d3e283c6f4f401-0000002E
So it’s only the installer which has been modified and phoning home during inistallation. 7-zip does warn during the extraction of the tampered installers that there is a checksum error. It does not do so during the extraction of the original file.
Also, yes, TOR will always download the original ffile when downloaded from their ftp-wannabe site.
This is I think a regional only thing.
Strange that Martin gets different hashes each time.
I have the same hashes for downloads performed from 3 download sources, and the same each time.
Hashes are the same as those mentioned by Yuliya for Firefox 98.0.1
Downloaded with Firefox 98.0 x64 on Windows 7 x64
Firefox Setup 98.0.1.exe from
[https://www.mozilla.org/en-US/firefox/all/#product-desktop-release]
[https://archive.mozilla.org/pub/firefox/releases/98.0.1/win64/en-US/]
[https://ftp.mozilla.org/pub/firefox/releases/98.0.1/win64/en-US/]
SHA-256: 340B13D52F3987EBB1C01B66CD389D26D5FA13DB225F6DC135C3B4A8CCA781B1
SHA-1: 5DCDB1E5EE9172B78510FC9FC1CE2A759B09201F
Can you try and download from the same source twice and compare the hashes?
@Martin, downloading from the same source twice had been performed as I wrote it, “I have the same hashes for downloads performed from 3 download sources, and the same each time” : “…and the same each time”. I can test again. Any preference for the source, all three?
Firefox Setup 98.0.1.exe from
[https://www.mozilla.org/en-US/firefox/all/#product-desktop-release] : / Firefox / Windows 64 / English (US)
Unchanged :
SHA-256: 340B13D52F3987EBB1C01B66CD389D26D5FA13DB225F6DC135C3B4A8CCA781B1
SHA-1: 5DCDB1E5EE9172B78510FC9FC1CE2A759B09201F
What you encounter is odd. PLEASE : anyone else experiencing such a hash disparity?
“…anyone else experiencing such a hash disparity?”
Yes.
I tried downloading the EN-US “Firefox Setup 98.0.1.exe” file from the UK at the following link: https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
Using Windows 10 (19044.1586) and Microsoft Edge Stable (99.0.1150.46), I get different SHA256 file hashes most times when downloading from within Windows Sandbox.
However, when I download it from the same host machine (rather than in Windows Sandbox), the file hashes all match the correct hash (340b13d52f3987ebb1c01b66cd389d26d5fa13db225f6dc135c3b4a8cca781b1) found on the Mozilla site: https://ftp.mozilla.org/pub/firefox/releases/98.0.1/SHA256SUMS
Initially I though it was perhaps because I was using uBlock Origin on the host machine, however I installed uBlock Origin in the Windows Sandbox, and the hashes still differed in the sandbox. Odd.
Despite the hash difference, the code-signing digital signature remains valid, therefore it appears Mozilla are doing the same as Google Chrome:
https://twitter.com/SwiftOnSecurity/status/1213286893976207360
FWIW I just downloaded again Firefox Setup 98.0.1.exe from
[https://www.mozilla.org/en-US/firefox/all/#product-desktop-release] : / Firefox / Windows 64 / English (US)
This time with FF’s ‘User-Agent Switcher’ extension set with ‘Windows 10 / Chrome 96’ : same hashes…
When I download from the page you linked, I get different hashes each time. Which browser did you use for the downloading?
Martin,
Windows 10 > Chrome Dev 32-bit PAF and Firefox 64-bit ESR
Android 12 > Chrome ARM/64-bit
All four downloads match.
Just checked it myself, my downloads from those pages match the ones from their ftp-wannabe page. Maybe it’s a regional thing?
If I have deleted the ID from the keys
browser.newtabpage.activity-stream.impressionId
toolkit.telemetry.cachedClientID
and I update via Help/about Firefox, will tracking be re-enabled?
@hg, I’m not savant enough to know if what applies to my Firefox 98.0 / Windows 7 environment applies to all.
What I can say, as I noted above, is that deleting the values of the preferences you mention (either within about:config either within a user.js file) doesn’t make it : the preferences remain with the same values.
In my case, because I use Firefox’s Autoconfig [https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig] I can *clear* (not delete) these values which means they will be reset and modified on Firefox restart. Deleting only theses values will have them be reset to what they were previously but *not* modified.
// RESET IDs AT START
clearPref(“toolkit.telemetry.cachedClientID”);
clearPref(“browser.newtabpage.activity-stream.impressionId”);
In other words there’s nothing you can do about these prefs without Autoconfig.
But don’t worry : these prefs may very well be insignificant but because I’m uncertain I tried to play around with them, see how I could control them. Be noted that having these prefs get a new value at every start is better than having them set to nul (blank) in that it won’t set you apart :=)
my firefox: 91.7.1esr.
i cleared and then deleted both:
– “toolkit.telemetry.cachedClientID”
– “browser.newtabpage.activity-stream.impressionId”
after restart:
– “browser.newtabpage.activity-stream.impressionId” was re-enabled with value
– “toolkit.telemetry.cachedClientID” stayed deleted. no reset, no re-enabled, no value
@klimbim, that partially confirms what I wrote above :
– deleting the values of the preferences (either within about:config either within a user.js file) doesn’t make it : the preferences remain with the same values.
– there’s nothing you can do about these prefs without Autoconfig.
Except that in your experience “toolkit.telemetry.cachedClientID” stayed deleted. I’ll have to check again with my config.
Is “browser.newtabpage.activity-stream.impressionId” reset with the *same* value? Because that’s the whole point : it’s always reset when deleted but it should be with a different value. In my case the value is different when processed with Autoconfig but not when simply deleted in about:config.
Moreover : your FF version is 91.7 esr whils my experience was conducted on a later FF version. That could explain differences between our experiences (mainly “toolkit.telemetry.cachedClientID” staying deleted. not reset, not re-enabled, no value).
@klimbim, I’ve just tested again :
after restart:
– “toolkit.telemetry.cachedClientID” is reset BUT only after several minutes. I’ve just tested thoroughly and noticed its inclusion in about:config after 6 minutes and 30 seconds (+-10 seconds). So you’ll have to test it again after a few minutes ….
sorry for my late reply – i was for 2 days on the road.
well, 2 days are a little more enough than 6 minutes and 30 seconds. ;)
so i looked again for this beast “toolkit.telemetry.cachedClientID”.
and yes, you’r right – its back.
but now, when i cleared and deleted it once more and tested it again after 10 minutes – “toolkit.telemetry.cachedClientID” stayed deleted (same like at the first time).
but i thing it will come back the next day at the latest.
“Is “browser.newtabpage.activity-stream.impressionId” reset with the *same* value?”
no, with a different value – as you described.
btw:
to stop the telemetry in my firefox i used about:config and all the switches listed under “Healthreport und Telemetriedaten für Mozilla”:
https://www.privacy-handbuch.de/handbuch_21n.htm#telemetrie
@klimbim, this is a mystery as far as I’m concerned. I have no idea of whats and hows. That’s all I can say at this time : why is “toolkit.telemetry.cachedClientID” always reset even when all of telemetry is blocked in a Firefox user’s profile settings, why is it after a delay which seems to fluctuate?
@Tom Hawack
“this is a mystery”
yes.
now 10 hours after my last comment and test, in my main firefox “toolkit.telemetry.cachedClientID” stay still deleted.
but in my other foxes (portable) its back. i cleared and deleted “toolkit.telemetry.cachedClientID” in all foxes at the same time.
my os is linux.
well, for me its enough that there is continuous no data under “about:telemetry”.
Does anybody know please if the same applies when we download plugins or addons (.xpi) from Mozilla?
Does each xpi download (or online install) of any plugin has a GUID?
XPIs are the same to all users. They have an internal ID that is the same to all of us and used for the sqlite databases. Like where uBlock stores their filter rules and your settings. So no addon has access to the data of other addons.
No, extensions IDs are randomized once, so it’s different for every user, it was supposedly a privacy protection but turns out such ids are sometimes leaked by some extensions what gives a ~100% fingerprint chance. It has been reported already, 5 years ago.
“And I think to myself~ What a wonderful world~”
I wonder what the Linux Mint Maintainers will have to say about that!
It’s not just Mozilla and that is the broader issue here, it has become a tech cultural issue now that is so rampant. Once Google came in with their filth and then Microsoft weighed in with their lowbrow operating system from 8 upwards it was all downhill from there. These kinds of activities and practices were once heavily frowned upon and referred to as spyware then someone decided to change the name to Telemetry to remove any negative connotations or to attempt to undermine the perception of what it actually is.
It’s not a new practice, people that reverse software have been dealing with this kind of thing long before Mozilla started doing it but the fact that every man and their donkey are doing it now suggests that this kind of thing is accepted by the tech companies which is troubling indeed. We even have spyware (aka Telemetry) in drivers these days.
Mozilla isn’t the first to do it and they certainly won’t be the last. Mozilla is practically a lost cause these days. I don’t see them ever redeeming themselves and changing their ways anymore, the only thing one can hope for is that someone forks their work and heavily rewrites everything at which point they will take over all operations and have their team, community and skill set down. Mozilla will be left to languish and vanish to the sands of time and the world will keep spinning.
Others have tried to but failed to capitalize on such a plan so who knows. They just never managed to gather any real traction and capture the magic in a bottle that was once Firefox. I’m not begrudging any such projects and wish them much success but at this point its a huge uphill battle for the respective brands.
It’s almost as if they stayed in the shadows of Mozilla which is not where you want to be especially when Mozilla is in such a state.
Except the world does not spin, the bible says earth is fixed and unmovable.
Well said
Along with this there is something else about telemetry that should concern us
When you turn off telemetry you don’t actually turn off the collection of data. You just save it locally.
You don’t send it to Mozilla, but you do store it.
Perhaps in some future upgrade they will turn on the telemetry during install and collect all your past telemetry.
So many new intrusions by Mozilla, Google-sponsored white knight of privacy(TM), how do you guys even keep track of all the newly introduced settings you need to toggle with each new update? But then, in a way, it is good that most Firefox diehards appear to be masochists that keep using this crap no matter how heavily Mozilla is betraying them. This list of 200+ settings you need to toggle in order to turn Firefox into what it is being advertised as (the most privacy-respecting browser out there short of Tor) is MASSIVELY off-putting to newbies. Good for other browsers in the privacy space, I don’t complain at all.
Bingo. I’ve always found their reactions hilarious.
“That’s it, I’m not going to use it after ” (Were you sleeping under a rock since 2011 when they started down this path by imitating Chrome?)
“Mozilla does respect privacy! You can always change these 50 about:config settings to be private again!” (Until they get rid of it altogether, as they did with making extension signing mandatory).
I use Pale Moon as a primary (unlike what you’ve said elsewhere, it works great with 99% of the sites I use, and Google/Facebook are not among them). Brave is my backup browser and it works great as well.
This si the reason I can’t trust Brave actually
https://www.portablefreeware.com/forums/viewtopic.php?f=6&t=22458&start=15
@Marc
You can’t trust Brave because of referral / affiliate links (that are not even a thing anymore)? How do you live with the search deals all browsers brokered years ago then? They are all realized via referrals, notice the Firefox referral in the address bar on the search results page of any Google search? Yep, that one doesn’t have to be there for the URL to work. Neither did the Binance referral have to be there in Brave’s case.
Referrals have nothing to do with privacy or security or web compatibility.
Is this also a problem with the FF fork Librewolf? Very disappointed in FF. At the very least, this should be OPT-IN. Back to searching for a strong-by-default privacy browser.
wow, Mozilla turns into yet another doxing enterprise
Question is why do they care about things like “Why do we see so many installs per day, but not that many downloads per day?”. I can’t think of any reason why a developer would want or even need that question answered.
Maybe a software developer can enlighten me.
*facepalm*
Scary! What if you had the installer from another computer using a mirror download link and installed Firefox offline on thousands of computers? Would it count once you get online?
>Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different.
I just tried downloading it (US version) and:
If I download in Firefox, all installers are exactly the same, with the same hash (SHA256 starting with 340b1…, just like the one in your screenshot).
If I download in Chrome, the installers are different.
Same here. Which is why I find wording of this article interesting.
Anyway as with all software – Linux, Windows, Android – I always turn off internet connection especially on start and allow it only after changing certain settings. Time consuming yeah but hey this is modern world. New tech and all which we were crying for.
just downloaded Firefox Setup 52.9.0esr with ff, chrome – hash is the same
8FAB6469F06E62236A2E3F2291FB7DFCF927EBBDBDAC73BC90977E0579A4E69428899A388B7EED62B39385A0012502C8D7F5D422A219E7FC9FF711CF96148136
An installer triggering an outbound connection is actually fairly common, though the reasons may vary. It’s usually to check if you’re installing the latest version but by default I block all such connections. I’ve noticed before that installing Firefox triggers my firewall but I didn’t know that THIS was the reason why. Well now I know. ;)
Does this apply to Tor Browser as well?
Off topic: To add an extra layer of defense against ransomware, just add russian as an extra language on your computer.
Why would anyone download directly from Firefox? It’s already in the repos for nearly all distros. Is this article about Windows or Mac users? They are already uniquely identified in so many different ways, why should they care about this?
LOL
there are 800 ways to install Firefox, even through Microsoft Store, people don’t need to download it, I mean, people don’t even need to download Firefox at all, Microsoft includes Edge now and MacOS have the Safari which is okay as well.
You make it seem like only because you are Linux you are already protected. If you really care about “being tracked” you would NOT use internet or any device or phone (because I am sure you have either Android or iPhone).
You are pretty much telling the world “please track me” when you are on the internet, it doesn’t matter which OS you use. Of course the world tracks you regardless if you use internet or not, or a phone or not, or a computer or not. So I don’t understand what are you even on about if you can’t avoid being tracked only because you use ‘linux’.
I mean, on Linux its default Firewall can’t even block individual apps and only one 3rd party firewall can do it, so if you don’t use that one, all apps will send data to whatever server they want to send, something pretty basic for Windows and for its 3rd party firewalls, especially the ones that are fully based on WFP, so they are easier to use, but use the same ‘firewall platform’ as Windows Firewall.
But sure… nobody is tracking you in Linux lol.
What a delusional people “I am on the internet but I am not on the internet because I magically visit websites and I don’t get tracked because I am using the magical Linux”.
Repeat after me “it’s all BS what I am saying because EVERYONE IS TRACKING ME”
Even if you care or not, you get tracked, you can’t stop it, you can reduce it if you have the balls and stop using dumb devices and services and phones and computers.
When you were born, you got an ID carved on your forehead, if you don’t have that ID you will not be able to function… do you think the government does that so you don’t get tracked? nah, they do it because they want to track you. And you think using Firefox or Linux will save you?
You are leaving a trace to track you when you check the box “Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy” do you think you are anonymous in this world? any computer could easily figure out who you are by now with just your two comments and IPs and all.
>”You make it seem like only because you are Linux you are already protected.”
No, I was merely pointing out that this particular unique identifier does not affect anyone on a Linux system who gets Firefox from their distro’s repo. You should learn to read. I actually agree with you on most of your other points – going online is being tracked; posting to the forum is consenting to giving some info away. My point about Microsoft and Apple is that they are already in possession of your system information and are already sharing it with their corporate partners, many of whom are the same as Mozilla’s corporate partners. I do not see what a person would think they are gaining by hiding their system data from Mozilla on a Windows or Apple device.
If you knew more about windows you’d know you can turn any of that stuff off
Firefox has more remote tracking by default than windows
Fortunately I know how to stop both, though admittedly most people don’t. And frankly, most people don’t care in the slightest about tracking. Every smartphone provides far more information about you to others than even the most open PC
I’m sure both of you using Linux will be fine, but the vast majority of us will be using Windows.
Personally, I started downloading from the ftp site as soon they started using those horrid stub-installers way back when.
For firefox? I would imagine the percentage of users on various distros is quite high. We’re not talking about Chrome. Firefox is the default browser on nearly every distro.
That is defeatist thinking and whataboutism. Because one company tracks you, all others must as well? Cool. Also try reading the article, your other questions are already answered in it.
Cool, I guess it’s a concern for Windows and Mac users, in which case I do not care. Those who desire to be identified and tracked, and spend their money to be identified and tracked, will be identified and tracked.
You are “thinking”.
About 95% do not “think”, they just follow. They have no clue in what ways and how they are tracked. Nor are they able to see how this will affect the future of humanity as a whole. It is impossible for most people to see small things leading to something much bigger. So they do not “desire” to be tracked, they just don’t understand any of it (and don’t care to much because they do not see a bigger picture).
If you do see the bigger picture and do care I suggest you try and help these people (and thus all people) instead of saying “I don’t care”. If you “don’t care” for anyone but yourself or your own “group” you are worse than the ignorant. You can’t blame people for not knowing or being able to see the things that are coming: it’s just how it works.
“If you do see the bigger picture and do care I suggest you try and help these people”
I tried and I was l laughed up by… my folks.
@Andy Prough
Quick reality check for you: Mozilla tagging their installers with unique IDs is not the fault of Apple or Microsoft.
And “wanting to be tracked”… If needing applications to run which are not available on Linux is the same as “wanting to be tracked” for you, then yes.
The fact that FF is downloadable without a unique ID is not the issue, and not even that useful since most users are unaware of the possibility and/or will not make use of it.
The elephant in the room is that that unique ID can, and undoubtedly will some time, be used for installations and 1st runs.
In other words, this is another step down the Google path.
FF’s telemetry is changed almost every time there is an update, so you have to check again and again what has changed and correct/counteract it.
Is because Google pays Mozilla corporation to not become mainstream
I do download a new installer each time a new Firefox version is released and perform a clean install (previous version is uninstalled). I always download the installer from [https://archive.mozilla.org/pub/firefox/releases/] but I do acknowledge [https://ftp.mozilla.org/pub/firefox/releases/] provided in the article. I just downloaded FF98.0 from the latter and it’s exactly the same as the installer from the former : hence, no dltoken identifier.
Besides this dltoken, there are two more IDs right in a Firefox’s profile, in the prefs.js file, accessible as well in about:config : toolkit.telemetry.cachedClientID AND browser.newtabpage.activity-stream.impressionId
No idea what the second relates to, but the first is surprising given all telemetry is blocked here.
Setting both to “” (about:config or with user.js) doesn’t change anything, but because I set pref values with Firefox Autoconfig rather than with a user.js file I can clear both on start and this time they are rebuilt but with different values :
// RESET IDs AT START
clearPref(“toolkit.telemetry.cachedClientID”);
clearPref(“browser.newtabpage.activity-stream.impressionId”);
Am I over-reacting? Maybe. I just dislike IDs hanging around and if my battle doesn’t change anything at least it doesn’t harm.
See what they’ve done to me, ma? Twenty years ago when I started surfing on the Web I’d post my name, email and so on (fortunately a good guy told me then to at least always avoid sharing my true “snail-mail” address) and now I behave as a newborn soldier, always cautious, often over-cautious, maybe occasionally paranoid. But, hey, we’re all like special agents in that we have to be aware of not only the bad guys but as well of the “good guys”, those who track us for our good, to protect us, for a better e-experience …
The beat goes on, baby.
“See what they’ve done to me, ma? …e-experience …”
Ah! Ah! Ah! Terrific. A hymn of pain. Not to mention that our category is the most suffering possible: we are not computer scientists but neither people who don’t care. We do what we can with the awareness of our own limits knowing that if we give them an inch, they’ll take a mile.
After buying that useless device called ‘smathphone’ imposed by changing times, joking about it, I thought: maybe I could put an ad on Tinder peer looking for a better half who is competent in the matter.
@Shiva, >”A hymn of pain”. Everything is relative. When I wrote “I behave as a newborn soldier, always cautious, often over-cautious, maybe occasionally paranoid.” I should have emphasized on the difference with an armed soldier which faces blood and blasted bodies. Pain in our case, half moral and psychological half humorous, is not comparable to a soldier’s pain, sufferance when defending his invaded country, but also when attacking another (soldiers endorse, governments and sometimes a leader by himself decide.). Imagine moreover those facing the same without being soldiers …
I’m adding this as I just watched a TV documentary.
@Tom
Ok, “A (browsing user’s) hymn of pain”. I doubt that anyone has interpreted the sentence outside its figurative context. But considering the current crap of yet another ongoing war, let’s insert the clarification.
Of course, the game of democracy is also played in front of the browser, moreover there is always someone who does not understand that apart from a few considerations on personal privacy, the real problems concern something else:
https://www-agendadigitale-eu.translate.goog/cultura-digitale/le-nostre-vite-gestite-dalle-big-tech-le-sfide-per-cultura-democrazia-e-regolazione/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en
‘Smartphone’. It sucks so bad that I keep making the mistake writing ‘Smart’.
@Shiva
Just say you are typing on a virtual keyboard on a phone. Those smear and swipe keyboards are disliked but pretty much everyone with a mechanical keyboard.
For all of smathphones flaws, you can’t beat its usability factor when you need to do something quick while walking or outside. It may not be perfect but with few switches here and there, it can help albeit on a limited basis.
We do need a way to completely stop audio recording on smartphones without breaking usability and also a way to use history but without making it accesible to websites. If there are already ways to do so please I’m eager to know…
Stop audio recording – simple disable Google Assistant and revoke all recording permissions. Look at LineageOS too without GSF. Personally with switches here and there Android can be made privacy friendly. Same you have to do with Windows.
@Yash Thank you. Question is then easy to re-enable recording say for the moment I actually need it?
@Yash
Sure, but I’m still thinking about buying a simple Nokia and using that other (smart)thing in the rare cases I need it. It’s not a matter of privacy or anything else, I just don’t usually use it and I also find it cumbersome. I can spend time behind laptops, hardware components for assembled PCs, various technologies… but strangely I’ve never been interested in mobile phones. Well I guess I’m wrong since they are all stuck in front of the phone lately.
A Nokia N9 and put Linux on it, nice spot, or a N900 if you want keyboard and better support
And that is the thing:
All telemetry they collect is useless, since they scared away the tech savvy crowd. The clever people still use Firefox, especially on Linux. But they have become mutes toward Mozilla.
At the same time they wonder why so many people complain on bugzilla, yet use the argument they are a minority. They are not! Just because I disable telemetry in about:config and on DNS level doesn’t mean I am irrelevant or a minority.
I simply would prefer not to bug my machine to have a right to veto terrible changes to the browser I love!
“O Mozilla, your leaders have been like foxes among ruins.”
— modified from Ezekiel 13:4
Even on Linux, I’m not sure all builds of FF are safe. Old fashioned repositories and Flatpaks should be good, but I’m very suspicious of Snaps. On the next Ubuntu LTS, they say FF will come as a Snap by default. I personally use Librewolf on my setup though.
“The beast that you saw was, and is not, and is about to rise from the bottomless pit and go to destruction. And the dwellers on earth whose names have not been written in the book of life from the foundation of the world will marvel to see the beast, because it was and is not and is to come”
— Revelation 17:8
@Tom Hawack
“the book of life” aka the “tree of life”, aka the “right hand of god”, aka the right hemisphere of the brain.
Sorry for the off-topic, couldn’t resist.
@Neutrino, no problem! I had tried myself to comment the quote but after 5 minutes gave up and considered that I’d appear smarter without trying to be. Remains the verse is increasingly questioning as you read it again and again. I found it by searching for revolt+bible, I’m not at all an exegete :=)
Back to our beasts, those which are!
This ‘feature’ appears to enable interested persons to identify specific computers accessing specific sites. I suspect our ‘security services’ would find this ‘feature’ very useful should they have access to the data.
Mozilla questioning everything but their poor approach to the browser and community. How to fix this and win back marketshare? The answer invariably is MORE TELEMETRY!
And they all cheered in their board meeting!
“IT’S GOLD!!”
“MAKE IT SO!!”
“WINNING!!”
Morons!
This is a deal breaker. They have now made me a Mozilla basher. Screw them!
Wait until you see the stuff the EU is planning in order to “protect” you. They want an end to anonymity completely.
Doesn’t sound like a bright future. Can you specify what you are talking about?
Is it true you work for Google or Microsoft?
You might like LibreWolf.
LibreWolf isn’t a privacy enhancing browser: quite the opposite in fact: https://www.unixsheikh.com/articles/choose-your-browser-carefully.html#librewolf
Personally though I stripped FF of all the Google shite along with most of the telemetry crap using 0XDE57’s recommendations at https://gist.github.com/0XDE57/fbd302cef7693e62c769
Awww
It’s useful enough for them to have implemented it. GA telemetry isn’t horribly invasive. Google is a bit slicker and implements the install tagging server-side leaving as little client side evidence as they can.
As for Firefox, you can prevent launch of the first-run OOBE via their Enterprise Policies, they have an atomic policy toggle for all outbound telemetry as far as I know, doubt it changed in the past 5 months since I stopped bothering to use FF. (Edge Enterprise FTW!)
Original sin: softwares developers do not commit this sin but rather contract it from the Fall of Larry Page and Sergey Brin.