Mozilla ships Cliqz experiment in Germany for ~1% of new installs, collects surf data, including URLs

I haven't seen this posted here, so I will translate the neccessary bits into english. It's really sad what Mozilla is doing and this doesn't help their reputation :/

Mozilla [announced today](https://blog.mozilla.org/press-de/2017/10/06/ein-neues-cliqz-experiment-in-firefox/) that they will start a new experiment next week: **Under one percent of German users who download Firefox from Mozilla will get a version which has recommendation by Cliqz automatically activated**.

Mozilla [invested](https://blog.mozilla.org/press-de/2016/08/23/mozilla-tatigt-strategische-investition-in-cliqz-um-innovationen-bei-der-websuche-im-bereich-datenschutz-zu-ermoglichen/) in the Cliqz GmbH last year. Taken [directly](https://cliqz.com/en/about) from the Cliqz website:

>The mission of the German startup Cliqz GmbH is to redesign the Internet for the user by combining the power of data, browser, and search. In Munich, more than 100 experts from over 30 countries develop browsers and browser extensions with integrated search engines to bring users to their destination in the most direct way while protecting their privacy. Cliqz quick search works with its own independent web index, powered by the company’s Human Web technology. It is available in the Cliqz browser for Windows, Mac OS, Android and iOS or as an extension for the Firefox desktop browser.

>Jean-Paul Schmetz founded Cliqz GmbH in 2008. Since May 2013, Cliqz GmbH has been majority-owned by Hubert Burda Media, one of Europe’s leading media corporations. In August 2016, Mozilla joined as a strategic minority investor. In February 2017, Cliqz acquired the world’s leading anti-tracking tool Ghostery.

There's also a [Cliqz experiment on Test Pilot](https://testpilot.firefox.com/experiments/cliqz) for German users which displays search results in real time. **Cliqz collects data about search and surf activites, including typed text in the address bar. They also collect interactions with the website like how you move the mouse around, spent time on the site, etc**.

The main experiment in Firefox includes this data tool - so they collect the full URL of the sites visited. **This data is send to the Cliqz servers**. This data is "anonymized" and the code is [public](https://github.com/cliqz-oss/browser-core/blob/master/modules/human-web/sources/human-web.es). The cliqz addon can be deactivated and uninstalled of course (normal users may not know how to do this).

How can Mozilla and Cliqz say that they are privacy-oriented when they collect this much data?

15 thoughts on “Mozilla ships Cliqz experiment in Germany for ~1% of new installs, collects surf data, including URLs”

  1. These things MUST BE OPT-IN, with clear descriptions what’s happening so that my grandmother can understand. Everything else is (borderline) spyware.

    Reply
  2. It’s incredible how a company advertising with privacy can make so many bad decisions. Recently we had:

    * Discussions about collecting browsing data without user consent.
    * Firefox not properly clearing local databases in private-browsing mode for many years (although the problem was known).
    * Firefox using Google Analytics to collect data on the addon page which still can only be avoided by enabling DNT for all websites and thus making users more vulnerable to fingerprinting techniques. And due to missing WebExtension APIs even uBlock is not able to block Google Analytics on the addon page anymore.
    * Firefox Screenshots not clearly communicating about the pictures being uploaded to Mozilla servers. Such upload features also should be more “difficult” to use in order to prevent data leakage by users accidentally clicking the wrong button.

    There really is only one scenario in which a browser concerned about privacy is supposed to send data: When the user has explicitly told it to do so by entering a URL in the address bar. I personally don’t think there is a valid reason for any other data being transmitted, but if Mozilla really thinks otherwise, this can only happen after having asked the user for permission and providing in-depth information about what exactly is transmitted and when and to whom. Anonymization can not be used as an excuse for silent data collection. The data belongs to the user, the device the data is stored on belongs to the user and it is up to each individual user to decide whether sharing data is in their interest or a violation of their privacy.

    Reply
  3. It seems they did everything in a transparent way: you can know what happens with the collection and you can opt-out. Ok, it should be better if you opt-in instead of opt-out data collection but it is also just an experiment

    Reply
  4. There’s always skepticism about moves like these, because the internet has become indeed scary & those who care about privacy are biased to always assume the worst. There are a few things that are worth considering and investigating further before reaching conclusions though:

    – Everyone needs search & search without data is impossible
    – Right now, the vast majority of users go to Google for this solution (and some to other huge corporations like Microsoft’s Bing etc)
    – The threat to privacy is not the mere collection of data points. The fundamentally dangerous thing is when all this data is *centralized* and data points can be aggregated on a per user basis. That’s when things get dangerous, that’s what enables companies to know everything about you.

    * Cliqz is a relatively small search provider. Some data going to them & some going to Google is imo definitely better than all data going to Google. If you care about privacy, you should root for de-centralization of the web.

    * How Cliqz claims to collect data can be summed up in a few words:
    They say they know that someone typed “fa” and landed on facebook.com, but they don’t know that the same person who did that, also looked for shoes later & landed on amazon. They also provide a built-in anti-tracking tool which prevents the ad tech giants from collecting private information on most pages you visit.

    Now you can decide to not believe this, in which case the company has only one choice: tell you “here’s the code, you can check it.” And Cliqz is doing this. Now of course most people won’t understand that code or won’t even bother, but how else can a company prove that they’re not lying?

    I’ve been using CLIQZ for quite some time & it’s immediately obvious that I get fewer personalized ads, the number of trackers they catch on each site is larger than any other anti-tracking tool I’ve used and I have yet to experience a site breaking because of it.

    My point is: when there’s a small player coming into a big market, in which all current players are collecting & using sensitive information as they see fit, if the former is claiming they’re privacy-sensitive, either give them a chance, or try to prove them wrong. Simply assuming that they’re bad doesn’t help anyone and doesn’t support the de-centralization of the web.

    Reply
  5. People with technical knowledge who can prove that the information provided to Cliqz can be traced back univocally to the users it was taken from: please reply here. Everyone else: please abstain.

    Reply
  6. Privacy statement (emphasis mine):

    > By using Cliqz you are choosing to protect your privacy. We do not need to know anything about you as a person in order to help you navigate the web. **Your *age, gender, interests, and preferences* are none of our business. That is why – unlike some other search engines – *we never gather such information*. We don’t store any data about you or any data that could be used to identify you on our servers.** Personal data remains where it belongs: on your device, in your ownership, and under your control.

    > Based in Germany, our company complies with one of the strictest data security and privacy regulations in the world. However, we go way beyond to what we’re legally obliged to do. As a team dedicated to redesigning the Internet, it is one of our top priorities to improve the way our users’ data is handled.

    > Today, the Internet is dominated by companies that implicitly say: “To be able to provide you with tailored services and personalized ads, we need to know as much as possible about you. You need to trust us to not misuse your data.”

    > At Cliqz, we do just the opposite. We don’t need to know anything about you and **we don’t collect any data about you on our servers**. Your personal data stays on your device. Instead of demanding your trust, we offer you privacy by design.
    Privacy by Design

    > Privacy by Design means that the complete architecture of Cliqz is built on privacy and data security from the ground up. Our servers never store any personal or personally identifiable data. IP addresses and other critical data is deleted automatically as soon as it reaches our servers. **Statistical data about searches are strictly separated from website traffic statistics. As we don’t store session-IDs, it is impossible to combine consecutive searches and website visits.** This way, we rule out conclusions on individual users.

    > Our data infrastructure is protected by state-of-the art, multi-layer technologies. This is not only true of our servers, but also of the communication between the Cliqz software on your device and our servers. Privacy by Design makes sure that nobody is able to use data gathered by Cliqz to find out who you are.
    Location Services

    > If you choose to share your location with Cliqz so that search results can be enriched with local information, Cliqz will only use the minimum data required to provide this service.

    > We utilize the Mozilla Location Service (MLS) API, an open service that lets devices determine their location based on the IP address and nearby network infrastructure like WiFi access points and cell towers. As an open source project, the MLS code can be accessed and reviewed for privacy conformance. Neither Cliqz nor Mozilla will ever save or use any information to identify or track you.

    > This **geolocation service is optional** and can be enabled or disabled at any time. As a default, Cliqz will always ask for your permission first before accessing your location data.

    > **Based on the IP address, Cliqz can identify the country each query is coming from**. This very rough information is used to provide more relevant search results and to notify users if they are in countries where Cliqz results are not so “gut” yet.
    Human Web

    > What all search engines have in common is that they work with data. A lot of data. Put simply: the more data, the better (more relevant) the search results. Conventional search engines primarily work with data related to the content, structuring, and linking of websites.

    > The Cliqz search engine works differently: it is based on the ‘wisdom of the crowd’ and works with statistical data on actual search queries and website visits. Here at Cliqz in Munich we have developed the technology capable of collecting this information and then building a web index. We call it the Human Web, because the data is based on the behavior of users as a group, which should be a good indicator of relevancy. In other words: the search algorithm of Cliqz weighs data about people’s behavior on the web more than the technical analysis of websites.

    > Your privacy is protected. **No personal information or data about you or your device is identifiable**. In our Human Web you remain fully anonymous. Read more about the Human Web.

    If you think this is nefarious you better don’t use Google, Facebook, Instagram, Twitter, Snapchat, Reddit or the internet at all.

    I’m against the integration of third party *anything* in Firefox but you guys need to chill a little.

    Reply
  7. Already said this in the thread of at /r/de:

    > The cliqz addon can be deactivated and uninstalled of course (normal users may not know how to do this).

    If the normal user does not know how to remove an extension, he most likely will also not have the knowledge on how to install one. This means, that this user base is basically running around without any adblocker or similar. If you have that in the back of your mind, then Cliqz is basically nothing.

    Reply
  8. Everybody freaking out and I’m just over here like “better, crowd sourced search in browser through anonymous collection? Sure. FEATURES!”

    Reply
  9. I used to work for a company that was pretty hated. They would spend a ton of money on advertising and doing community relations to clean up their image, only to throw it away a few years later by doing something stupid (like funding very unpopular political initiatives). Mozilla needs to be careful.

    Reply
  10. There are hundreds of comments by zero-history accounts who are parroting information that is only present in a /g/ thread on 4chan. The /g/ thread links directly to this post, and is full of misinformation.

    I want to hold Mozilla responsible, but this thread has been incredibly toxic to both of the Mozilla employees who tried to comment, and they ended up deleting their comments. We can’t hold them responsible if they don’t feel like they can post here.

    I’m going to have to lock the thread.

    I don’t work for Mozilla or Cliqz, but I’ve done a lot of reading into this, and this is what I know:

    A small experiment affecting <1% of new installs in Germany adds the [test pilot experiment](https://testpilot.firefox.com/experiments/cliqz) Mozilla has been co-developing with Cliqz, which adds Cliqz’ suggestions to your address bar. Mozilla has invested in them, but does not have a majority share. The experiment can be removed like any addon.

    Cliqz is an open source privacy focused “quick search engine” that adds suggestions to the flyout under the URL bar. It doesn’t transmit any of your personal information, and they do not use any of it to track you.

    1. It doesn’t share your history, bookmarks, or anything identifying. At all.

    2. It doesn’t record your mouse movements, it records the number of times you move it (and not the direction or location).

    3. It anonymizes all information, and they don’t build profiles on users or attempt in any way to correlate data.

    4. We can trust them as much as we trust Mozilla. They’re working closely together on this, and Mozilla is an investor.

    The problem: These users are automatically opted in to “Human Web”, the tool they use to build their index. The information gathered for this is treated the same as above, but now includes: URLs of websites you visit, and for how long, queries sent to search engines, and text typed in the URL bar.

    Many, myself included, believe such a thing should be opt-in, even for brand new users.

    Sources: [Cliqz Privacy policy](https://addons.mozilla.org/en-US/firefox/addon/cliqz/privacy/) | [List of information recorded](https://cliqz.com/en/whycliqz/transparency) (German) | [Human Web source code](https://github.com/cliqz-oss/browser-core/blob/master/modules/human-web/sources/human-web.es)

    Reply

Leave a Comment