Reminder that Firefox has a pathway to specifying some settings, including ones not exposed to users any other way, with a config file stored on disk.

They call it enterprise policies but anyone can use it by just putting a file in the location indicated on that site.

You can disable entire features, opt out of Telemetry before your first launch of Firefox on a new install, declare you never want to be part of studies, turn off their ML integration and keep it off, force about:config preferences in a way that can't be "accidentally" reverted, etc.

Link: policy-templates (Policy Templates for Firefox)
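As an added example (not taken from the post or from the policy-templates project itself), a policies.json that does what the post describes: it disables telemetry and Shield studies outright and locks a couple of about:config preferences so the UI cannot flip them back. The policy names DisableTelemetry, DisableFirefoxStudies and Preferences (with its Value/Status fields) are real; the two browser.ml.* preference names are assumed here and should be checked against the policy-templates README and your Firefox version before use. On Linux the file typically lives at /etc/firefox/policies/policies.json (or in distribution/policies.json under the install directory); the README linked above gives the path for each platform.

```json
{
  "policies": {
    "DisableTelemetry": true,
    "DisableFirefoxStudies": true,
    "Preferences": {
      "browser.ml.enable": {
        "Value": false,
        "Status": "locked"
      },
      "browser.ml.chat.enabled": {
        "Value": false,
        "Status": "locked"
      }
    }
  }
}
```

After placing the file, open about:policies in Firefox: it lists every policy it actually loaded and reports parse errors, which is the quickest way to confirm the file is in the right place and well-formed. Locked preferences then show up greyed out in about:config, so a later "Share data" prompt or a settings-page toggle cannot silently revert them.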
@trysdyn, why would I want to disable telemetry or studies?
@andrew_shadura @trysdyn who benefits from them? Whose information is input for them?

@fluidlogic, the developers of Firefox, so eventually the users including myself. To me, they carry the same value as crash and bug reports.


@fluidlogic @andrew_shadura @trysdyn I do. I've used telemetry to deploy security features including working around and not breaking completely unsupported Firefox hacks that bring back old style add-ons (to the bewilderment of some coworkers...), to get baseline data for deploying privacy features for anti-fingerprinting, determine how much fingerprinting actually takes place on the web, and figure out the best algorithm for doing anti-fingerprinting protections while being minimally invasive to your CPU.

That's just me. There's hundreds of other developers who have used it for hundreds of others of things.

If you want to disable telemetry that's fine, and I've written code to make telemetry even more granular so you can disable an individual ping that you might not like while still submitting all the other telemetry.

And there's definitely a discussion to be had about old probes that maybe no one is looking at (we have nag alerts that ask us to renew these if we still need them but things can always be done better).

But the argument that no one benefits from the telemetry just isn't true. 🙂 And while I respect large deployments (distros, corps) disabling it en masse, it definitely gives us a blind spot to problems they may be experiencing.

@tomrittervg @fluidlogic @andrew_shadura @trysdyn as a hypothetical, how would you adjust the telemetry so an adversary who could read your data couldn’t fingerprint your users with it?

I’d want to simulate it first, but I suspect from my work with OpenTelemetry it’d hurt less than one’d at first suspect to send a subset of signals with each ping? Send the random bitmask used for selection along with the data in case some queries should only consider samples with all metrics of interest present.

That’d augment basic sampling. You’re no doubt familiar but, for those in the back: we can draw operationally useful and statistically defensible conclusions as long as we have enough samples per interval. If N=100K is strong enough, collecting more embiggens our cloud bills without any improvement in our results. Instead, we can throw out 90%… or 99%, or more. Fun!

If you have 100M users, it might suffice to have each user send a ping only on 0.1% of the intervals. Or, to make fingerprinting harder, only 10% of the signals on 1% of the intervals? Maybe some, you simply don’t ever send in combination with others? Might be a paper or two to be had in that.
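As an added illustration of the proposal in the post above (this is example code, not from anyone in the thread), the following Python simulation uses constructed clients with invented signal names. Each client sends a ping in only a fraction of intervals, each ping carries a random subset of signals, and the selection bitmask travels with the payload so that a query can restrict itself to pings where all the signals it needs are present. The aggregate estimates stay close to the population truth while very few pings carry the full set of signals that a fingerprint would want.

```python
"""Simulate 'sample intervals, then sample signals per ping' telemetry."""
import random
from statistics import mean

# Constructed signal names for the demo; not real Firefox probes.
SIGNALS = ("startup_ms", "tabs_open", "mem_mb", "gc_pause_ms")
BITS = {name: 1 << i for i, name in enumerate(SIGNALS)}
FULL_MASK = (1 << len(SIGNALS)) - 1


def make_population(n_users, rng):
    """Constructed synthetic clients; each has one fixed true value per signal."""
    return [
        {
            "startup_ms": rng.gauss(800, 200),
            "tabs_open": rng.randint(1, 40),
            "mem_mb": rng.gauss(1200, 300),
            "gc_pause_ms": rng.expovariate(1 / 30),
        }
        for _ in range(n_users)
    ]


def collect(population, n_intervals, interval_rate, signal_rate, rng):
    """Per client and interval: with probability interval_rate emit a ping.

    The ping carries each signal independently with probability signal_rate
    and includes the bitmask describing which signals were selected.
    """
    pings = []
    for _ in range(n_intervals):
        for client in population:
            if rng.random() >= interval_rate:
                continue  # this client stays silent for this interval
            mask = 0
            for name, bit in BITS.items():
                if rng.random() < signal_rate:
                    mask |= bit
            if mask == 0:
                continue  # nothing selected, so nothing is sent
            payload = {n: client[n] for n, b in BITS.items() if mask & b}
            pings.append((mask, payload))
    return pings


def estimate_mean(pings, *signals):
    """Mean of signals[0] over pings that carry every named signal.

    Using the transmitted mask (not just key presence) lets a query
    require co-presence of several signals for joint analyses.
    """
    need = 0
    for s in signals:
        need |= BITS[s]
    vals = [p[signals[0]] for mask, p in pings if mask & need == need]
    return mean(vals), len(vals)


def complete_fraction(pings):
    """Share of pings that carry all signals at once (the fingerprintable ones)."""
    full = sum(1 for mask, _ in pings if mask == FULL_MASK)
    return full / len(pings)


def run_demo(seed=1, n_users=2000, n_intervals=50,
             interval_rate=0.1, signal_rate=0.5):
    rng = random.Random(seed)
    pop = make_population(n_users, rng)
    pings = collect(pop, n_intervals, interval_rate, signal_rate, rng)
    truth = {s: mean(c[s] for c in pop) for s in SIGNALS}
    est = {s: estimate_mean(pings, s)[0] for s in SIGNALS}
    return {
        "truth": truth,
        "estimate": est,
        "n_pings": len(pings),
        "complete_fraction": complete_fraction(pings),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"pings sent: {r['n_pings']} (of {2000 * 50} client-intervals)")
    for s in SIGNALS:
        print(f"{s:12s} truth={r['truth'][s]:8.2f} est={r['estimate'][s]:8.2f}")
    print(f"fraction of pings carrying every signal: {r['complete_fraction']:.3f}")
```

With these parameters each client reports in about one interval in ten, and only about one ping in fifteen carries all four signals, yet every per-signal mean lands within a few percent of the population value. The trade-off is that joint queries (two or more signals together) have a smaller effective sample, which is exactly why the mask has to be transmitted: without it the aggregator cannot tell a missing signal from a zero.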

@garthk Okay so this isn't my field of expertise, but the first two things I'd ask are "Can you just use DAP for your metric(s) to avoid this entirely?" and "What does fingerprint mean?"

Like, a website operator steals the dataset and wants to correlate a visitor to a record?

@tomrittervg I don’t know DAP, but this isn’t the kind of metrics that help you understand your web site’s “traffic”?

Fingerprinting in web advertising is embedding a script into your ad to produce a close-to-unique identifier from every morsel of data the browser leaks about the user and their computer. Screen dimensions and available fonts can be enough. If you embed it in the URL for an image, you can track people from site to site without them carrying cookies and despite them changing browser or opening an “incognito” window. Grab a sneaky copy of whatever they’re typing, while you’re at it.

@tomrittervg Back to DAP: if we gather metrics about the site and its performance e.g. time-to-paint, there’s no privacy concern or my threat model isn’t thorough. Feeling safe is as good as being safe, right?

If we gather metrics about the user and their actions, it becomes possible to draw conclusions about them. Those conclusions can be dangerous even if they’re incorrect. If we fail to secure our data, and to make it expensive or impossible to correlate it with other data—is the user’s IP address still in there?—then that failure makes us part of the surveillance machine, now or in the future.

@tomrittervg The kind of metrics we were talking about are gathered close to the machine, without any of the browser’s protection against fingerprinting, and at a global scale. It could be misused on its own, or help tie fingerprints to identities thus people to their browsing history.

I have every sympathy for developers wanting that data to help support the product. Given the plausible harm if the data is misused, however, the users are right to refuse to send it unless the developers take steps to prevent its misuse, explain those steps to their satisfaction, and provide means to verify the steps are still in place.

@tomrittervg Sending only some of the data, some of the time, could help mitigate the harms and could be locally verified.

Or, like I said, maybe my threat model needs work.