Internet users who download the Firefox web browser from the official Mozilla website get a unique identifier attached to the installer which is submitted to Mozilla upon installation and first run.
The identifier, called dltoken by Mozilla internally, is used to link downloads to installations and first runs of the Firefox browser. The identifier is unique for each Firefox installer, which means it is submitted to Mozilla each time it is used.
Although it is possible to download new installers each time a new version of Firefox is released, it is also possible to use the downloaded installer again for this purpose.
A bug report on the official Mozilla bug tracking site confirmed the use of the download token. The linked document is not public, but the listing itself confirms the usage and explains why it was implemented:
This data will allow us to correlate telemetry IDs with download tokens and Google Analytics IDs. This will allow us to know which installs result from which downloads to determine answers to questions such as “Why do we see so many installs per day, but not so many downloads per day?”
According to Mozilla’s description, the ID is used to analyze download and installation trends among other things.
The feature is powered by telemetry in Firefox and applies to all Firefox channels.
Interested users can check the results. One of the easiest ways is to check the hashes of two or more Firefox installer downloads (the same version, language, and architecture). Every hash is different. A search for dltoken using any hex editor reveals the string in the Firefox installer.
Firefox users who prefer to download the browser without the unique identifier can do so in two ways:
- Download the Firefox installer from Mozilla HTTPS Repository (formerly the FTP Repository).
- Download Firefox from third-party download sites that host the installer, for example from Softonic.
Downloaded installers do not have a unique identifier, as they are identical each time they are downloaded.
Mozilla notes that the opt-out mechanism is standard telemetry opt-out. How users can opt out before installing Firefox is unclear. A quick check of Chrome installers returned identical hashes every time.
Now you: how useful do you think the information is to Mozilla? (thanks PMC for the advice)