Privacy is a goal increasingly desired by Internet users; it’s also a promise increasingly touted by web browser developers. And yet sometimes it seems that what they give us with one hand they take from us with the other.

To take one recent example, it has now become known that Mozilla Firefox, whose developers support multiple pro-privacy initiatives, gives each of its users, without their knowledge, an individual identifier that is already present in the installer executable.

The ‘dltoken’ is ‘recorded’ in the installer when the Firefox website generates the download

This identifier, known internally at Mozilla as ‘dltoken’, is used to link downloads (hence the ‘dl’ in its name) to installations and first runs of the Firefox browser, and it is sent to Mozilla whenever it is used.

Since the browser usually updates itself (although we can choose to download a different installer with each new version of Firefox), this allows Mozilla to keep track of active installations and their update rate, as well as relate them to telemetry IDs and Google Analytics IDs.

It was a bug report on Bugzilla, Mozilla's official bug tracking website, published a year ago, that made it possible to discover the existence of the 'dltoken'. Unfortunately, the Google Drive document linked in that report, which could expand the information on this controversial mechanism, is not public.





What options does a privacy-conscious user have?

In any case, if you prefer to check it out for yourself, opening the Firefox installer with any hex editor and searching for ‘dltoken’ will reveal the contents of the individual string of your dltoken.
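The hex-editor search described above can also be scripted. The following Python sketch is an added example, not code from Mozilla or from the original article; it assumes the marker may be stored either as ASCII or as UTF-16LE, and both the sample bytes and the text after the marker are constructed, since the article does not describe the token's layout.

```python
import sys

MARKER = "dltoken"  # the string the article says to search for
# Assumption: the marker may be stored as ASCII or as UTF-16LE (common in Windows binaries).
NEEDLES = {1: MARKER.encode("ascii"), 2: MARKER.encode("utf-16le")}

# Constructed sample, not real installer bytes; the layout around the marker is invented.
SAMPLE = (b"MZ\x90\x00" + b"dltoken=CONSTRUCTED-SAMPLE-A\x00" + b"\xff\xfe"
          + "dltoken=CONSTRUCTED-SAMPLE-B".encode("utf-16le") + b"\x00\x00")


def printable_run(data: bytes, pos: int, step: int, limit: int = 200) -> str:
    """Read printable ASCII characters from pos, one every `step` bytes, until a break."""
    chars = []
    while pos < len(data) and len(chars) < limit:
        if step == 2 and data[pos + 1:pos + 2] != b"\x00":
            break  # high byte must be zero for an ASCII-range UTF-16LE character
        if not 0x20 <= data[pos] < 0x7F:
            break
        chars.append(chr(data[pos]))
        pos += step
    return "".join(chars)


def find_dltoken(data: bytes):
    """Return sorted (offset, encoding, visible text) for every occurrence of the marker."""
    hits = []
    for step, needle in NEEDLES.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, "ascii" if step == 1 else "utf-16le",
                         printable_run(data, pos, step)))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, encoding, text in find_dltoken(blob):
        print(f"0x{offset:08x}  {encoding:<8}  {text}")
```

Run it with the path of a downloaded installer as its only argument; with no argument it scans the constructed sample.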

The problem for the user is that this feature is implemented in all ‘channels’ (stable, beta, development…) of Mozilla Firefox, so users of this browser who prefer to download an installer without this identifier only have two options:

And if you’re thinking of using Firefox’s telemetry opt-out mechanism, you should know two things. One, it only affects standard telemetry; two, it is impossible to activate it before Firefox notifies Mozilla of the existence of your installation.