Isn't sharing browser fingerprint without user consent illegal (in relation to GDPR)?
Dear Mozilla,
First, please know that I am a fervent defender of freedom and that for this reason, I try to only use Firefox as a web browser. I think that you have done an outstanding job so far and I encourage you to continue in this direction. I am grateful that organisations like yours exist.
The following is thus not so much criticism: you should much more consider it as suggestions and maybe as a list of (arguably) potential law breaches which you might want to address. Please note that I am no lawyer and that I might be wrong in the way I interpret the GDPR or parts of it. Please also note that I am an experienced software engineer, with more than a decade of web app development and design experience.
In the context of GDPR, I think that sending "browser fingerprint" information to website servers without receiving user consent for every single website is illegal processing of data - either from Mozilla's Firefox or from the website itself (I don't know for sure).
I would enjoy seeing in Firefox a feature which would allow users to avoid browser fingerprinting. I would like to decide by myself what data the browser shares and with which website it shares the data.
According to GDPR, consent must be a positive, well described, easily understandable action done by the user. Thus, by default, sharing any data with a website other than what is strictly required should be disabled until the user specifies his consent.
Of course, keeping proof and records of consents should also be done.
By the way, web browsing works: - without sharing the list of system fonts - this is not essential and is thus subject to user's consent. - without sharing the screen size and colour depth - this is not essential and is thus subject to user's consent. - without sharing browser plugin detail - this is not essential and is thus subject to user's consent. - without sharing hash of canvas fingerprint - this is not essential and is thus subject to user's consent. - without allowing supercookies at all - this is not essential and is thus subject to user's consent. - without sharing the timezone - this is not essential and is thus subject to user's consent. - without sharing the Hash of WebGL fingerprint - this is not essential and is thus subject to user's consent. - without sharing the platform (Linux, windows...) - this is not essential and is thus subject to user's consent. - without sharing the user agent - this is not essential and is thus subject to user's consent. - without sharing touch support - this is not essential and is thus subject to user's consent. - without specifying if cookies are enabled or disabled - this is not essential and is thus subject to user's consent.
These features are often not really useful to implement web applications, and many web applications could be or are implemented without these.
I know that this is an incredibly complicated matter, as it would mean that it would break some features of websites, but that is what is required by the GDPR.
This kind of feature would enable users to regain control of their data (and here, it is data that most users ignore that they share).
If any website of Mozilla collects this data, I would also recommend that you require explicit user consent before you collect it and process it in any way.
You have my email, if you have any questions, don't hesitate to contact me.
All Replies (7)
Hi
Firefox comes with a pref to "Resist Fingerprinting" that is false by default because it can cause issues with websites when you enable this.
For instance the Add-ons website isn't working properly because the user agent is changed to the current Firefox ESR version (52) and Add-ons that require a more recent Firefox version can't be installed. Having the Time set to UTC can also have unexpected issues with emails that are dated wrongly.
Hello,
I am perfectly aware of this, which is why I think that such websites should explain why they need such data, and why the user should be able to consent to sharing the data - knowing that not consenting may break some features, when the data is absolutely necessary to the task at hand.
If the data is not necessary, then it MUST NOT be processed, according to GDPR. And the set of information used for fingerprinting MUST NOT be seen as one single data item.
Actually, the GDPR implies that the way that many websites/webapps work and have been designed will have to be changed to reach compliance.
By the way, according to GDPR, NOT sending personal data, and thus fingerprinting data, MUST be the default.
Then, IF the user explicitly consents to it by some positive action, the data may be processed in ways where it is shared.
Although many sites depend on fingerprinting data to work, this data is actually not fundamental to make the web work: it is possible to implement fully-fledged webapps without this data. Thus, not consenting to share some or any fingerprinting data items MUST NOT be a reason to refuse any service or feature to the user - unless some fingerprinting data item is absolutely necessary to realise a feature of the webapp - and this is really not frequent at all.
But then, anyway, if Firefox shares fingerprinting data, then Mozilla MUST explicitly notify the user of what data has been shared, with whom and for what purpose.
That's my understanding of GDPR's terms.
Mozilla has been looking at various ways of reducing fingerprinting over the years.
https://wiki.mozilla.org/Security/Fingerprinting https://wiki.mozilla.org/Fingerprinting
The user agent is an example as there were major changes done as of Firefox 4.0 and 16.0.2 which is why the UA looks pretty generic ever since if you are a long time Firefox user. Since Fx 16.0.2 things like the minor version and the b, a1, a2 for the channel builds was removed which is why the Firefox 60.0.1 release shows as 60.0 in UA.
James দ্বারা পরিমিত
L'arsouille said
By the way, according to GDPR, NOT sending personal data, and thus fingerprinting data, MUST be the default.
Part of that responsibility falls upon the organization that builds the browser; many Linux distros build their own version of Firefox and don't use the Linux version that users can obtain directly from Mozilla.
Also, the localization version the user installs from Mozilla may have an impact on whether that "switch" that cor-el mentioned is enabled. It seems that many EU users are using the en-US version of Firefox where that "switch" is off by default. And when that happens I wonder who has the ultimate responsibility under GDPR?
I can envision many issues down the road. Some changes will need to be made by everyone involved and hopefully the GDPR will bring about changes in the users favor for all users around the globe and just the EU.
Many issues: that's obvious, and I don't deny that.
What I am worried is that Firefox may have an illegal behaviour and that at some point Mozilla might have to pay the price. I don't care much about Google, MS, Apple etc., but I definitely wouldn't want to see Mozilla in justice and pay GDPR fines because of stuff like fingerprint sharing...
I'm sure that mozilla doesn't share your fingerprinting data, which are not processed on our servers and aren't shared elsewhere. Sharing is very inapropriate word, I wouldn't use it in this context...
https://blog.mozilla.org/blog/2018/05/23/the-general-data-protection-regulation-and-firefox/