Slashdot Mirror


Mozilla Will Delete Firefox Crash Reports Collected by Accident (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically auto-submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully-anonymized.

38 comments

  1. Telemetry and privacy. by Anonymous Coward · · Score: 0

    At least they're doing better than Windows 10.

  2. Inverted bugs ? by Laxator2 · · Score: 1

    In the past bugs meant that the product was _not_ doing what it was supposed to do. For example a bug would mean that Firefox would fail to collect the reports.

    Same with Google's voice-activated assistant: a bug would mean that it does not record conversations.

    However, recent bugs mean that Firefox collects everything, and that Google's assistant records 24/7. Or when Google's cars doing the mapping for Street View "accidentally" slurped all wi-fi passwords they could find.

    I think a new word should be invented to describe this type of "mistake". How about "gub" instead of "bug" ?

    1. Re:Inverted bugs ? by mysidia · · Score: 1

      I call it Accidental Spyware. Since this sort of bug is a type of defect where user information is LEAKED to the software vendor through call-home after the user SPECIFICALLY chose the opt-out box in order to NOT leak information back to the software vendor.

      It just comes to show.... even open source software normally thought of as benign such as Firefox CANNOT reasonably be trusted to have implemented opt-out correctly and completely in the client, even when opt-out is offered.

      This speaks in favor of having 3rd party solutions to "monitor" applications you are using for unexpected telemetry transmission.

    2. Re:Inverted bugs ? by Anonymous Coward · · Score: 0

      What are you talking about?

      if (spyOnMe = YES_PLEASE) {
          sendAllMyInfoToTheMotherShip();
      }

      Totally a bug. And not malicious.

  3. oh that is nice of them. by Anonymous Coward · · Score: 0

    But what about the copy of the data that was made in transit by the criminals in secret services fishing in the upstream? When will they delete it?

    It's a stupid idea to send raw contents of a crashed process over the internet, no matter how you frame it.

    1. Re:oh that is nice of them. by TheRaven64 · · Score: 2

      Or copies that ended up in backups, or copies that were on engineers' machines that were lost, and so on. It's nice of them to try, but the general rule of data is that the only way you can guarantee that something is completely deleted is to make sure that something important depends on it and rely on Murphy's Law.

      --
      I am TheRaven on Soylent News
  4. Time for more Firefox hate. by Anonymous Coward · · Score: 1

    Slashdot loves to hate Firefox, with Waterfox, Palemoon and now Basilisk available there is no reason to use Firefox anymore. Mozilla took their credibility and smashed it up. Only losers now use Firefox in 2018.

  5. Re:ALERT by Anonymous Coward · · Score: 0

    A method of avoiding virtual world fatigue by generating an active avatar in an avatar wallet. The method includes creating and storing an active avatar in the avatar wallet, selecting target worlds for the active avatar to visit, modifying the initial appearance, the user information, the contact map and the characteristic sharing information of the active avatar in accordance with user preferences with respect to each of the target worlds so as to generate a version of the active avatar for each of the target worlds, and initiating a submission of a version of the active avatar to the corresponding target world such that the version is automatically tailored to allowable avatar properties of the corresponding target world.

    ffs tom what were you thinking
    where is the use case

  6. about:config by Anonymous Coward · · Score: 0

    I have been doing searches for "mozilla.org" deleting telemetry related URLs and any other privacy leaking addresses for a long time now just to be on the safe side. Unless those addresses are hard-coded, that should stop any telemetry info going to mozilla regardless of the privacy settings.

  7. Gone, but not forgotten? by geekmux · · Score: 1

    Since they're being open about a bug that "accidentally" captured user telemetry data, would Mozilla now care to share what they've done with that data since March of 2017 when v52 was released? Who else has that data? Has it been bought and sold already?

    When it comes to controlling not-so-anonymized information, a half-assed effort is essentially fucking worthless.

    1. Re:Gone, but not forgotten? by Anonymous Coward · · Score: 0

      I'd like to know why it took them so long to realize "Hey, all of a sudden everyone's opted in to giving us crash reports!"

      I find it difficult to believe they didn't notice something was up, assuming they didn't cause it on purpose. Were people starting to catch on to the bad behavior to make them come clean? :p

  8. But what about Google? by Anonymous Coward · · Score: 0

    Do the crash reports go straight to Mozilla's servers, or are they fed into Google Analytics that Mozilla uses? (and yes, as of last year Mozilla does use GA for some stuff. But don't worry, they have an iron-clad contract with Google to protect your privacy).

  9. any references apart from the article? by Anonymous Coward · · Score: 0

    Is there any reference to an official Mozilla statement?
    Because Catalin Cimpanu didn't mention any sources in his BleepingComputer article.
    I wasn't able to find anything at Mozilla either. Did they really say that last week?

  10. Firefox sold out to the NSA a long time ago by Anonymous Coward · · Score: 0

    Who the fuck needs telemetry in a fucking browser.

    1. Re:Firefox sold out to the NSA a long time ago by Anonymous Coward · · Score: 0

      Who the fuck needs telemetry in a fucking browser.

      CIA, FBI, NCIS, KFC, CHIPS, TLDR, BYOD, Mafia, hell, just about everyone!

  11. Paranoid /. posters yelling at FF again by bjdevil66 · · Score: 1

    To the paranoid weirdos here: Cut the FF devs and leadership some slack. They're coming clean about an accidental collection of some crash data - which has only been going on since 52.x, and they've said they're not selling that data to anyone in the past.

    Yes, they're far from perfect. They ARE, however, the only browser left that at least tries to respect user privacy (even to their own UX's detriment). You should all be thanking them for even still working on the project vs. abandoning the project altogether and leaving you with Chrome's or Edge's data collection.

    1. Re:Paranoid /. posters yelling at FF again by Anonymous Coward · · Score: 0

      The only reason Firefox has value to me is that it is open source. That way, I can use a fork that has this kind of thing stripped out completely by someone who actually cares about my privacy instead of acting like they do. I have been using Firefox since Phoenix. Just visiting Firefox's website and reading their privacy policy makes it clear that Firefox is not for me.

    2. Re:Paranoid /. posters yelling at FF again by Anonymous Coward · · Score: 0

      The version of Chromium without the optional features might also suffice. Or is Google so evil that nobody even bothers to check the Chromium code?

    3. Re:Paranoid /. posters yelling at FF again by AHuxley · · Score: 1

      People like FF for the ability to install support like NoScript.
      The browser and its brand are just a way of getting the real tools needed working.
      User privacy comes from what a user then has to install to make a browser great.

      --
      Domestic spying is now "Benign Information Gathering"
  12. Fixed in Firefox 52 too by Barefoot+Monkey · · Score: 1

    This bug was also fixed in Firefox 52, on the same day that they released the FF 57 bugfix. So if you want to keep crash reports off, receive latest security updates and still have all your old extensions work then Firefox 52 is still an option.

  13. What about 52 ESR? by alexo · · Score: 1

    What about 52 ESR, the version meant to be used in corporate environments? Will a fix be issued?

    1. Re:What about 52 ESR? by Barefoot+Monkey · · Score: 1

      52 ESR was already fixed last week Thursday with version 52.5.3.

  14. Crash report, Accident by Anonymous Coward · · Score: 0

    Obligatory bad car analogy in 3...2...1...

  15. This "accident" SHOULD NOT HAVE BEEN POSSIBLE! by Anonymous Coward · · Score: 0

    Some accidents are truly accidents. They could not have reasonably been foreseen, and they could not have reasonably been prevented.

    I don't classify this "accident" as being such an accident. This "accident" should not have even been possible!

    Firefox should not include any sort of user data collection or transmission of this kind. None at all. It doesn't matter what it might have been tracking. It should not have collected this data. It should not have sent it to Mozilla. Mozilla should not have stored it. None of this should have even been possible.

    If Firefox crashes, have it write any relevant information to a text file. Request that the user submit it manually, perhaps by email or by uploading it to a web site. But this data submission should never happen automatically.

    This "accident" should not have happened, because the mechanisms that allowed for this disaster to occur should never have existed in the first place.

    1. Re:This "accident" SHOULD NOT HAVE BEEN POSSIBLE! by Anonymous Coward · · Score: 0

      The "should not have been possible" argument is a bullshit self-serving one that can be used to justify all kinds of irrational responses. If the feature exists in the product, it is possible that it might be malfunctioning, or (since people tend to love conspiracy theories) was maliciously enabled. Simple as that.

      Likewise we "should not" have to rely on Mozilla as our petty emotional vent. We "should not" have to criticize everything they do as though it's an Intel-scale privacy disaster where doxxing attacks lurk in every corner. But we do. Because we love to choose easy targets rather than accomplishing something.

    2. Re:This "accident" SHOULD NOT HAVE BEEN POSSIBLE! by Anonymous Coward · · Score: 0

      Likewise we "should not" have to rely on Mozilla as our petty emotional vent.

      Yet you want GP to accept your emotional turds. Hmmm

    3. Re:This "accident" SHOULD NOT HAVE BEEN POSSIBLE! by Anonymous Coward · · Score: 0

      AmiJojo, is that you?

  16. Use Tor Browser by Anonymous Coward · · Score: 0

    Tor Browser removes all telemetry/crash reports and it's optimized for privacy.
    Also add MITM blocker to know about your connection.

  17. Use the palemoon fork by Anonymous Coward · · Score: 0

    no telemetry bullshit

  18. the big question by Anonymous Coward · · Score: 0

    Is Mozilla trustworthy?