
How Does Firefox Protect Users’ Privacy?

October 31, 2013

Mozilla seems to be making a big deal out of how Firefox protects its users’ privacy. I wondered if there was anything to that, or if it was just a bunch of Scroogled-style hype.

My curiosity was first piqued when a comment on a short piece about invasive advertising gave a link to the YouTube video “Firefox Paranoia”:

Well, you know how one YouTube video leads to another. One of the related videos was “Firefox Squares”:

In case you don’t feel like watching it, here’s the gist of “Firefox Squares”: When you surf the Internet, sites you visit keep track of you and sell information about where you’ve been to advertisers. Because Mozilla is a non-profit organization, however, Firefox protects your privacy.

Did you catch the non-sequiturs there? Just because the Mozilla Foundation is a non-profit doesn’t mean it’s not interested in making deals with big advertisers. For instance, they make a lot of their money from their deal with Google to make Google Search the default. Google, of course, is one of the biggest ad companies around, and it’s not like Google doesn’t do tracking.

There’s another non-sequitur, though: What does the browser have to do with the behavior of the sites you visit? The only way that makes any sense is if the browser comes with some kind of built-in tracking protection. However, that doesn’t seem to be the case. The best I could find so far is a list of “Advanced Security” features on the Firefox Features page, but for the most part, these features are not likely to be useful to an average user in preventing the kind of tracking mentioned in the video. Furthermore, they tend not to be unique to Firefox, which undermines the “switch to Firefox” message of the video. Here are the listed security features, along with my notes:

  • “Instant Web Site ID”: This is the popup with extra information about a site’s SSL certificate. Chrome has this, too, and even IE has a version of it. Both browsers are made by for-profit companies.
  • “Content Security Policy”: The blurb isn’t helpful, but a Mozilla Security Blog post about Content Security Policy explains that it’s basically an anti-XSS measure that allows sites to send an HTTP header specifying what kinds of content may be included in a page. Of course, the same post says that Chrome and IE also support the header; in fact, it’s a W3C specification.
  • “Customized security settings”: Judging by the fact that the “Learn More” link took me to the “Security and passwords settings” page, this seems to mean only that Firefox will let you choose whether to save passwords for certain sites and add exceptions to allow sites to install add-ons. This, of course, has nothing to do with tracking cookies.
  • “Parental Controls”: Firefox enforces the parental control settings entered in Windows. I was under the impression that Windows handled that on its own without depending on the browser, and the Firefox Support page on parental controls does nothing to persuade me otherwise.
  • “Secure Updates”: Downloads updates for itself and its add-ons over an encrypted (https) connection. This has nothing to do with tracking.
  • “Private Browsing”: A separate mode that avoids saving history and cookies. Not hanging onto the cookies does help, but it’s not fool-proof because there are plenty of other ways to track you. Besides, the page that explains the feature in detail even admits that “Your Internet service provider, employer, or the sites themselves can still track what pages you visit.” The feature is less about tracking than about protecting your privacy on a shared computer (and it’s far from fool-proof even then, but it’s a start). What’s more, for-profit browsers IE and Chrome have equivalent features.
  • “Anti-virus integration”: This is a handy feature, but recent versions of Internet Explorer do it, too. It appears that Chrome does as well. So again, there’s no differentiation from the for-profit browsers.
  • “Clear Recent History”: Like private browsing, this feature is geared toward protection against snoops rather than online trackers.
  • “Anti-Malware”: The browser stops you from going to known malicious Web sites. Again, so does the competition.
  • “Do Not Track”: Not only do all major browsers have this feature, but it doesn’t offer any real protection against the kind of tracking in the video. Such tracking is implied to be at least somewhat sleazy if not outright malicious, but even legitimate (and “legitimate”) operations aren’t really obligated to honor do-not-track requests.
  • “Forget This Site”: This is basically a shortcut that lets you delete all information for a given site, rather than deleting history, cookies, and other information separately. It’s yet another feature that protects against snooping, but not against online tracking.
  • “Securing Website Connections”: If I’m reading the description right (and it’s not just a wordy way of saying Firefox supports SSL/TLS), Firefox automatically switches to an https connection when one is available. This feature protects against eavesdropping, not tracking. Advertisements and other content embedded in pages can still be used to track you, and as long as it’s encrypted too, you won’t even get a warning.
  • “Automatic Updates”: First of all, Chrome does this too. So does IE, albeit lumped in with Windows Update. Second, this isn’t really a privacy or security feature unto itself so much as a way to make sure that you get new privacy and security features (including patches for vulnerabilities) when they’re available. Third, and most importantly, this feature can sometimes reduce the security and privacy of the browser: Updates may contain bugs, and they can even contain “features” that reduce privacy, such as when a Firefox update recently removed the ability for normal users to turn off JavaScript using the options window—and re-enabled JavaScript for users who already had it turned off.
  • “Outdated Plugin Detection”: Again, this has little to do with online tracking, though it’s worth noting that exploits in plugins can be vectors for spyware, so it’s not totally unrelated. Chrome does this too.
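
An added example, not part of the original post, for the “Content Security Policy” item above: a simplified check of which resources a site's Content-Security-Policy header lets a page load. The header, the host names and the function names are made up for illustration, and ports, paths, nonces and hashes are ignored.

```javascript
// Added example: simplified CSP matching (no ports, paths, nonces or hashes).
// The header and all URLs below are constructed sample values.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored: the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  // host-source: optional scheme, optional leading "*." wildcard, then a host name
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // 'none', 'unsafe-inline' and other keywords never match a URL
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Fetch directives such as script-src and img-src fall back to default-src.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // nothing applies, so nothing is restricted
  const url = new URL(resourceUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

const PAGE = "https://news.example/article";
const HEADER =
  "default-src 'self'; script-src 'self' https://ads.tracker.example; img-src *";
const policy = parseCsp(HEADER);
const checks = [
  ["script-src", "https://news.example/app.js"],      // the site's own script
  ["script-src", "https://injected.example/x.js"],    // origin the site never listed
  ["script-src", "https://ads.tracker.example/t.js"], // ad script the site listed
  ["img-src", "https://pixel.tracker.example/1.gif"], // third-party image
];
for (const [directive, url] of checks) {
  console.log(directive, url, isAllowed(policy, directive, url, PAGE));
}
```

Only the unlisted origin is refused, which is the anti-XSS part. The ad script and the third-party image load because the site's own policy permits them, so the header does nothing about tracking that the site itself invites.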

To be fair, the features page doesn’t claim that all these features are intended to protect users from online trackers, or that they’re unique to Firefox. I listed all of them anyway only for the sake of completeness. My issue is with the video, not the features list. All I’m saying is that switching to Firefox isn’t inherently going to make people safer from online tracking just because Mozilla is a non-profit.

The moral of the story: Don’t use a product just because the company behind it (even a nonprofit) says it protects your privacy. Look at what it actually does.

Categories: Privacy, Software