A Mozilla spokesperson has denied a report from German newspaper Deutschlandfunk that the Foundation is collecting personal user data from iOS devices running Firefox Klar, the German version of Firefox Focus, a new privacy-focused browser launched last year.
The accusations were made in an interview with Deutschlandfunk by German security researcher Peter Welchering, who said Mozilla was collecting personal user details and then sending the data to a third-party, a local German data aggregation company named Adjust GmbH.
The researcher says the data collection feature is disguised under the "Send anonymous usage data" option in the browser's settings section, which comes enabled by default for all new users.
Welchering and another researcher, Hermann Sauer, said they analyzed the app and discovered that some of this data sent to Adjust is not anonymized and includes personal user details.
The two have not specified in depth what exact details the browser collects, which makes their accusations look a little bit shallow, but were adamant "the collection of personal user data is quite extensive" (translated text).
The accusations were made in an interview with Deutschlandfunk by German security researcher Peter Welchering, who said Mozilla was collecting personal user details and then sending the data to a third-party, a local German data aggregation company named Adjust GmbH.
The researcher says the data collection feature is disguised under the "Send anonymous usage data" option in the browser's settings section, which comes enabled by default for all new users.
Welchering and another researcher, Hermann Sauer, said they analyzed the app and discovered that some of this data sent to Adjust is not anonymized and includes personal user details.
The two have not specified in depth what exact details the browser collects, which makes their accusations look a little bit shallow, but were adamant "the collection of personal user data is quite extensive" (translated text).
Mozilla has nothing to hide
In a support page detailing data collection practices on mobile devices, Mozilla openly disclosed when and what data it collects from users. Mozilla even disclosed its relation with Adjust, admitting that all data is sent and saved to Adjust's backend, and not Mozilla's.
According to Mozilla, Firefox Focus includes the Adjust SDK, and this SDK is also included with Firefox for Android, Firefox for iOS, and Firefox Klar, the German version of Firefox Focus.
For a new install, the application sends an anonymous "attribution" request to the adjust servers. This request describes how the application was downloaded, for example, whether it was downloaded directly via the App Store or through a marketing campaign link. The data includes an advertising ID, IP address, timestamp, country, language/locale, operating system and app version.
Firefox for iOS, Firefox Focus, Firefox Klar and Android will also occasionally send anonymous summaries about how often the application has been used. These summaries only include information regarding whether the app has been in active use recently and when.
Additionally, Firefox Focus and Firefox Klar will also report what features of the application are being used. It will send an anonymous report containing the specific filters being selected and count how many times the search, browse and erase button is pressed.
According to Mozilla's support page, the only somewhat "personal" details the SDK collects is the user's IP address at installation time. The rest is the type of data you'd expect, and we've seen other software products collect in the past, with a focus on how users interact with the apps.
German blogger Günter Born has thrown fuel on conspiracy theories that Mozilla was doing something shady when he pointed out that Mozilla's announcement for Firefox Focus included an image that was cut off right above the data collection feature, as to hide it, which was enabled by default.
Firefox Focus settings section (as in Mozilla blog post)
Firefox Focus settings section (full view, via Günter Born)
Mozilla launched Firefox Focus in mid-November 2016 as a bare bone browser that comes with default features that blocked ad trackers, analytics trackers, and social media tracking code. Firefox Focus is currently available only for iOS devices.
Mozilla says report contains major factual errors
Bleeping Computer has reached out to Mozilla for comment on the accusations and a Mozilla spokesperson said the German newspaper's report contained major factual errors.
First of all, "Firefox Klar is NOT available for Android. The reporter seems not to have checked this," the spokesperson said.
"Firefox Klar DOES NOT send user information that is not anonymized," and "Firefox Klar DOES NOT track user browsing histories," he added.
"The company that Mozilla uses for this service, Adjust is a German company that complies with German data and privacy laws - among the strictest in the world," the spokesperson added. "Here is a link to their privacy compliance page."
Furthermore, "the reporter who wrote this article DID NOT contact Mozilla (at least not in any way we have been able to identify) to get detailed information."
The fact that Mozilla had previously publicly disclosed its data collection practices and that the researchers didn't present concrete evidence about what "personal details" Firefox Klar was collecting, makes this report unreliable.
Until the two researchers reveal what they found in more depth, Mozilla doesn't appear to be guilty of anything outside enabling this usage data collection feature by default.
