
> Mozilla now has your home IP

Since when does Mozilla collect IP addresses?



Any connection to Mozilla's servers reveals your IP to them. Given the amount of telemetry in Firefox, it's foolish to assume they don't log these IPs. And in either case, they could be legally compelled to. But afaik, under US law, they cannot be compelled to subvert their software, e.g. to add such spyware features if they were not already present.


Why would Mozilla need the IP address? It doesn’t seem useful for their telemetry.


Even if they don't (currently) feel that they need them, they could be compelled by law enforcement to retain logs and forbidden from revealing this fact publicly. Or their network could get infiltrated.


How do you propose to prevent a user from leaking their home IP address to Mozilla without undermining the ability to:

* Download the browser
* Implement a safe browsing mechanism
* Support automatic updates (which are a critical security feature)


If the updates are signed, then there is no danger in downloading them from a third party mirror. As for finding a mirror, Mozilla could put locations as TXT records in the DNS.

There would still be the problem that someone would have a log of your IP address downloading a Firefox update, but it wouldn't be Mozilla. Also, with a big enough list of mirrors, across 100 different jurisdictions, the probability of any given mirror being subpoenaed and having data on any given user is very small.

As for how to bootstrap the whole thing by letting the user securely download Firefox in the first place, that is of course difficult, but it should be an infinitesimally rare event compared to checking for browser updates. A user could therefore take special care to use public Wi-Fi when doing the initial download.
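The signed-update idea in the comment above, as an added Go example that is not part of the thread and not Mozilla's update code: the client checks a vendor signature over a small manifest before trusting any bytes a mirror returns. The manifest layout (`<version>:<sha256 hex>`), the all-zero demo key and the payloads are constructed assumptions; the version comparison is an addition, since a valid signature alone does not stop a mirror from serving an older signed release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// VerifyUpdate trusts only the pinned vendor key, never the mirror.
// manifest is "<version>:<sha256 hex of payload>" (hypothetical layout).
func VerifyUpdate(pinned ed25519.PublicKey, manifest string, sig, payload []byte, installed int) error {
	if !ed25519.Verify(pinned, []byte(manifest), sig) {
		return errors.New("manifest signature invalid")
	}
	parts := strings.SplitN(manifest, ":", 2)
	if len(parts) != 2 {
		return errors.New("malformed manifest")
	}
	// A correctly signed but old release is still a downgrade: compare versions.
	if v, err := strconv.Atoi(parts[0]); err != nil || v <= installed {
		return errors.New("version not newer than installed")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != parts[1] {
		return errors.New("payload does not match signed hash")
	}
	return nil
}

// Demo signs a constructed release with a throwaway key, then checks an honest
// mirror, a mirror that altered the payload, and a replay of an installed version.
func Demo() (honest, tampered, stale error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // demo key only
	pub := priv.Public().(ed25519.PublicKey)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	manifest := "102:" + hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, []byte(manifest))
	return VerifyUpdate(pub, manifest, sig, payload, 101),
		VerifyUpdate(pub, manifest, sig, []byte("modified by mirror"), 101),
		VerifyUpdate(pub, manifest, sig, payload, 102)
}

func main() { fmt.Println(Demo()) }
```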


What part of Mozilla's behavior makes you assume they don't? It's easy to come up with some dubious internal justification to store IPs (like to determine where to focus internationalization efforts).


It's not even internal justification, it's just plainly the default for practically any web server that does logging. You would have to go out of your way to disable it.


Not logging IPs or establishing controls on it is table-stakes for anyone doing anything serious about privacy.


Yeah, kind of like not embedding each download with a unique ID. Oops...


Yeah, it definitely is. But that doesn't automatically mean they actually did it.

"Best practices" are moot unless they're implemented, and since the default is to log these things, then something (even a blog post from them claiming it's been done) has to exist to show it's there and doing the right thing.


They had to serve you the file, for which they needed your IP. If they're willing to assign each downloaded client a unique ID what are the odds they are not storing the IP address associated with that unique ID?


Why would Mozilla need the IP address?


...to respond to requests to their server? You can't establish a TCP connection without both ends.


Why would they need installer IDs? The question is if they collect it, not if they need it, and all their other behavior suggests that they do collect it.


The article explains why: to figure out why there are more installs than downloads.


They can probably reach the same conclusions about why there might be more installs than downloads by thinking about it for maybe 5 seconds instead of tracking people.

Easiest explanation off the top of my head, without reading the article, would be IT departments including Firefox in their base image they use on all their standard issue computers, resulting in hundreds and possibly thousands of different installs having the same download ID. That alone by itself would cause an absolutely massive discrepancy between download and install numbers. My company includes Firefox in our base image and it's on at least 200,000 different laptops and desktops, with a handful of different download IDs between them depending on when they got issued the computer.


Not just companies. I sometimes do this at home to save bandwidth / download time and then install software from a USB stick.


The reasons are easily seen though. Corporate IT departments autodeploying, Linux packaging repos, people compiling from source.

Also, they could just ask, instead of adding more spyware. Like a survey.


Playing your game, why would Mozilla need to know this?


I wonder if they are confused by apt-get install firefox.

(Joking, but only a little.)


Also, if they don't collect it, what's the point in even having it?


To figure out locale of users.


You seem to be unaware that intelligence services have been hoovering up internet traffic wholesale for decades, and that telcos do it internally as well. Verizon's "supercookie" is a great example.


On the other hand, if intelligence agencies are personally targeting you it's already over. This might help them, but even they can probably get everything they need on you with way less effort.


But Mozilla is not a government agency or a telco.


Are government agencies somehow restricted to compromise telcos but not any other organization?


Are you suggesting in good faith that Mozilla would implement and transmit a unique ID without linking you to your download session? I've never come so close to breaking hacker news etiquette.



