Internet users who download the Firefox web browser from the official Mozilla website get a unique identifier attached to the installer that is submitted to Mozilla on install and first run.
The identifier, called dltoken by Mozilla internally, is used to link downloads to installations and first runs of the Firefox browser. The identifier is unique to each Firefox installer, which means that it is submitted to Mozilla whenever it is used.
While it is possible to download new installers each time a new Firefox version is released, it is also possible to use the downloaded installer again for that purpose.
A bug report on Mozilla’s official bug tracking website confirms the use of the download token. The linked document is not public, but the listing itself confirms the use and provides an explanation on why it has been implemented:
This data will allow us to correlate telemetry IDs with download tokens and Google Analytics IDs. This will allow us to track which installs result from which downloads to determine the answers to questions like, “Why do we see so many installs per day, but not that many downloads per day?”
According to Mozilla’s description, the identifier is used to analyze downloading and installation trends among other things.
The feature is powered by Telemetry in Firefox and it applies to all Firefox channels.
Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different. A search for dltoken using any hex editor reveals the string in the Firefox installer.
Firefox users who prefer to download the browser without the unique identifier may do so in the following two ways:
- Download the Firefox installer from Mozilla’s HTTPS repository (formerly the FTP repository).
- Download Firefox from third-party download sites that host the installer, e.g., from Softonic.
The downloaded installers do not have the unique identifier, as they are identical whenever they are downloaded.
Mozilla notes that the opt-out mechanism is the standard Telemetry opt-out. How users may opt-out before the installation of Firefox is unclear. A quick check of Chrome installers returned identical hashes each time.
Now You: how useful do you think is the information to Mozilla? (thanks PMC for the tip)