Thanks for looking at whether cookies are still being set Mook! I didn't bother to look since I had asked for that to be removed several times several years ago, I was told it wasn't needed since other data collection mechanisms were in place (at the time the blocklist ping), and I was assured that it was being removed. *sigh*
Robert On Wed, Jan 14, 2015 at 8:15 PM, Mook < mook.moz+nntp.news.mozilla....@gmail.com.please-avoid-direct-mail> wrote: > (Apologies to governance@; this isn't the right place for this, but > unfortunately going off-list and replying to just rstrong feels wrong too. > Setting f-up to privacy@ since that looks safely dead, but mail/new > shenanigans might prevent proper functioning there.) > > On 01/14/2015 11:08 AM, Robert Strong wrote: > >> On Wed, Jan 14, 2015 at 10:41 AM, Ehsan Akhgari <[email protected]> >> wrote: >> >> On 2015-01-14 6:29 AM, Gijs Kruitbosch wrote: >>> >> > Un Virumbi, naive question: would you really want to include the update >>> >>>> ping in disabling this? (ie no longer getting automated updates) >>>> Seems to me like its privacy issues (which are very small) shouldn't >>>> outweigh the risk of running a version with known security issues. >>>> >>>> >>> Well, to be fair, there is no right choice when choosing between privacy >>> and security. It would be nice if we ensure that update pings do not >>> have >>> any potential privacy issues associated with them so that users who feel >>> they need to take action against this type of issue do not have to >>> disable >>> updates. >>> >> >> The app update ping only contains data that is needed to serve the right >> update for the system. Example from my system: >> AUS:SVC Checker:checkForUpdates - sending request to: >> https://aus4.mozilla.org/update/3/Firefox/38.0a1/ >> 20150113030205/WINNT_x86-msvc/en-US/nightly/Windows_NT%206. >> 3.0.0%20(x64)/default/default/update.xml?force=1 >> > > Please remember that you still send cookies; here's what I got out of > Firefox debugging itself as I went to Help -> About: > > optimizelySegments=%7B%22245875585%22%3A%22direct%22% > 2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A% > 22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%7D; > optimizelyEndUserId=oeu1421293036707r0.8592334519134582; > optimizelyBuckets=%7B%7D; __utma=150903082.1914521133. > 1421293040.1421293040.1421293040.1; __utmb=150903082.2.10.1421293040; > __utmc=150903082; > __utmz=150903082.1421293040.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); > __utmt=1 > > So it's got Google Analytics and Optimizely; both are for tracking. > > Steps: > 1) New download of latest release, 35.0 > 2) Start with firefox -profile (empty directory) -offline > 3) Turn on browser + remote debugging; open the browser toolbox in Network > tab. > 4) Click on Try Again in the first run page to go online and trigger things > 5) Help -> About Firefox. > > I have not checked the addon update ping; that presumably has similar > behaviour. Being privacy-oriented there would likely involve fetching > updates for each addon separately over a period of time to avoid the > ability to track people by the combination of addons they have installed. > > Quick scan of things with timestamps in prefs: app update; addon update; > telemetry; FHR; sync; openh264 / gmp; safebrowsing; phishing. Not sure if > things like social that I've disabled involve pings. > > When trading between user privacy and designing a better web site, user > privacy lost. (It should be obvious, but: I believe the right choice here > would be a request with no identifying information beyond the build of > Firefox in use, the OS it's running on, and the source IP address so it can > send the response.) > > -- > Mook > > > _______________________________________________ > governance mailing list > [email protected] > https://lists.mozilla.org/listinfo/governance > _______________________________________________ governance mailing list [email protected] https://lists.mozilla.org/listinfo/governance
