With the new, free! Firefox VPN, your data gets routed through the servers of Mozilla’s service partner, Fastly, a content delivery network.


Mozilla delegates responsibility to Fastly

First, not every service is created equally: Mozilla’s Mullvad-based VPN explicitly promises not to collect data if you use their paid VPN service, and says its partner Mullvad does not collect data:

Network data. When you activate Mozilla VPN, it will encrypt your internet traffic and send it to Mullvad. No logs of your network activity are maintained by either Mozilla nor our partner Mullvad when you’re using the Mozilla VPN service in any circumstance. Learn more at Mullvad’s Privacy Policy.

To Mullvad’s credit: It has been audited, and it has been battle-tested. But this isn’t a look into Mullvad…

I cannot find a similar promise for the free “VPN” in Firefox, but Mozilla washes their hands of data shared to third parties that presumably include Fastly for this free service.

The VPN servers’ Jurisdiction: the USA

While testing, I managed to only connect to Fastly servers in one part of the United States, specifically through

p.m1.fastly-masque.net  

I tested this while spoofing an IP address from these countries (while using the free tier of Proton VPN):

  • United States
  • Japan
  • (Sorry, it was just those two)

Unless I’m missing something here, this might be the only available jurisdiction.

Data collection: Your behavior and interests, based on your online activity

In its privacy policy, Fastly enumerates the data they collect about you:

  • “[N]ame, postal address, e-mail address, or telephone number, either actively or passively, and billing information such as credit card number and tax address.”
  • “Information about your Internet connection and Internet protocol (IP) address, your login data, the equipment you use to access our websites and applications, time zone settings and location, browser plug-in types and versions, operating system and other technology on the devices you use to access or use our websites.”
  • “Behavioral Data: Inferred or assumed information relating to your behavior and interests, based on your online activity and your use of our websites.”

In its privacy policy, Fastly describes collecting data with various technologies that may include your private data.

Fastly and our partners use cookies or similar technologies (such as web beacons) to gather information, analyze trends, administer our websites, track users’ movements around our websites, and to gather demographic information about our user base as a whole. These technologies may provide us with personal data, information about devices and networks you utilize to access our websites, analytics information and other information regarding your interactions with our websites.

Fastly collects client IP address information on a limited basis to provide and improve its services. Fastly also may collect and retain for its legitimate business purposes client or Customer IP addresses associated with suspicious activity that may pose a risk to the Fastly network or our Customers, or that are associated with administrative connections to the Fastly service.

Data retention: 7 years or more

According to the Fastly privacy policy, user data is retained for 7 years after the end of service, or longer. They maintain a long list of reasons to not delete it:

The retention period shall not exceed the duration of our business relationship with you plus (7) years unless we have a legitimate business interest need to retain the information for a longer period, which include maintaining a record of your preferences, securing the integrity of databases, conducting audits, complying with our legal and contractual obligations, resolving disputes, and enforcing our agreements.

Data sharing: They do it

Unsurprisingly, Fastly shares your data with other companies.

We consequently share information, including personal data, with these contracted third-party service providers in connection with using their services…

We share information, including personal data, with our subsidiaries and affiliates in the operation of our global business because our subsidiaries and affiliates may provide you services under our contracts or other functions…

Fastly may buy data about you

From their privacy policy:

We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. This helps us to update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you. If you provide us personal data about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. If we receive personal data about you from a third party in order to engage in marketing of our services, then we will market to you only in your capacity as representatives of companies we wish to sell to and we will present you an opportunity to opt-out of future communications.

Examples of the types of personal data that may be obtained from public sources or purchased from third parties and combined with information we already have about you, may include:

  • Contact information about you, including your name, email address [sic] telephone number
  • Data purchased from third parties, such as social networking sites… to create more tailored advertising and products.
  • unexposedhazard@discuss.tchncs.de · 3 upvotes · edited · 8 days ago

    Not public as in not hosted by yourself or people you personally know IRL and trust.

    VPNs are just a piece of software running on some computer. The trust depends on the person running the server side software, so if you can't 100% trust that person then the VPN isn't trustworthy.

  • Vincent@feddit.nl · 4 upvotes, 1 downvote · 8 days ago

    I don’t think Fastly’s Privacy Policy is relevant here, as you’re not entering into an agreement with Fastly. The Firefox VPN FAQ states:

    We collect technical data needed to provide, maintain, and ensure the performance and stability of the service, as well as interaction data to understand usage of the feature and help guide improvements. For example, we may log whether a connection succeeded or failed, or record that 2 GB of data was used on a certain day.

    Importantly, VPN never logs the websites you visit or the content of your communications.

    Other than that, I think it’s the Firefox Privacy Policy that you should be looking at.

    Also worth noting is that, when I review Privacy Policies, I distinguish between sharing data to provide the service I’m signing up for, with the only allowed use being providing that service, and sharing data for other purposes. The former is basically unavoidable for any online service, whereas the latter is often shady.

    • XLE@piefed.social (OP) · 1 upvote · edited · 8 days ago

      Important distinction: Mozilla is talking about their part in collecting data here. “We collect.” They aren’t claiming to be Fastly or to represent their privacy policy.

      When you use their paid VPN, they refer to their partner Mullvad specifically. There is no clarity about the third party in their free VPN, nor any clarity about what Mozilla shares with them… Only that Mozilla claims it’s necessary.

      Or whether it falls under Mozilla sharing that data at all, since you are the one initiating the requests to Fastly’s servers in American jurisdiction! What is your computer’s relationship with fastly-masque.net when you connect to it? Even the Invisiv VPN service intentionally hid things from it, but Fastly is the exclusive proxy for web browsing on Firefox VPN.

      • Vincent@feddit.nl · 4 upvotes · 8 days ago

        I’m not going to crawl through the notices now, but e.g. the Firefox Privacy Policy says:

        To perform the purposes listed above, we work with partners, service providers, suppliers and contractors. We have contractual protections in place, so that the entities receiving personal data are contractually obligated to handle the data in accordance with Mozilla’s instructions. Learn more.

        This includes Fastly (see also the Learn more link). That is the policy that applies, not Fastly’s own policy.

        • XLE@piefed.social (OP) · 2 upvotes · edited · 8 days ago

          I saw that. That doesn’t help because there’s no detail on what the policy does! Are they even applicable, i.e., how about those seven years of data retention? How about everything Fastly says they store?

          If you click through, you’ll find no concrete answer, just a list of three vague categories of data Mozilla says Fastly gets.

          • Browsing data
          • Technical data (including IP address)
          • Unique identifiers

          What does this entail?

          Is it actually related to the VPN and not other Mozilla-Fastly services (e.g. usage data collection)?

          If this applies to VPNs, why isn’t Mullvad mentioned on the page?

          When it comes to privacy policies, these things are written by lawyers. It’s dangerous to assume pure intent from a corporation. Should we really read the Fastly privacy policy - the service you connect to - and assume that it doesn’t apply to us because we’re using a certain browser to access it?

          • Vincent@feddit.nl · 2 upvotes · 7 days ago

            It’s related to Firefox, and Firefox VPN is a Firefox feature. It does not apply to Mozilla VPN, which links to a separate policy from its home page, which indeed does mention Mullvad.

            And no, you never consciously initiated a service agreement with Fastly, and so its policy doesn’t apply. The policy of the service you choose to use applies; this doesn’t have to be difficult.