Update May 20th 19:42Z+0100: Mozilla have re-instated the ant.com downloader to the addons site, however it is now classed as ‘experimental’. As I have said elsewhere in this article, it was pretty clear this mechanism was involved with traffic ranking, however it would have been great if the privacy policy had been correct and told me that the behavior happened and that it did have unique (U)UID’s & cookies in there. I wish ant.com the best of luck with their search engine project and software, just please – keep the privacy policy a little more accurate next time chaps?
*end update*

I was recently doing some web development and discovered that a popular 4 star rated Firefox addon with nearly 7 million users (source: here) is behaving in a way which I did not expect. The Addon in question is the ant.com video downloader and player, which allows viewing or downloading of videos from sites like youtube.com and many other popular video sites.

What I discovered has prompted me to write this article – that this addon is in fact, contrary to their published privacy policy, clandestinely collecting data about every site that the addon users visit (not just ant.com or video sites) and specifically tying this back to you via a cookie and what appears to be a unique identifier, aka Ant-UID. This happens in regular browsing, browsing on your corporate VPN, ‘Private browsing’ mode and browsing via proxies or anonymising services such as Tor, completely bypassing many layers of anonymity and security afforded by services such as proxies, Tor and corporate VPNs.

This is beyond normal cookie or LSO tracking – this is where the plugin itself is ‘phoning home’ to ant.com every time I visit any website. Thats right – a HTTP POST is made to rpc.ant.com for every URL that I was visiting on the internet, my private LAN or VPN.

Those methods, In my book, I consider personally tracking and identifying someone.

Additionally, details about your browser are collected, but lets face it thats nothing new in the world – it happens all the time.

Im hoping that perhaps this behaviour is some kind of bug, though I have upgraded the ant firefox addon to the 2.3.0 version just now and the behavior is still there so I consider that a remote possibility. I will outline my findings later in this article, but before I do, Id like to point out the privacy policy which Ant.com set out when you first install the addon concerned. From what I can see, nowhere does it tell me that every site that I visit or send data to (including those when browsing in ‘privacy’ or other anonymous mode) will be logged by ant.com and connected to a cookie or other unique identifier (Ant-UID) – infact it appears to tell me the opposite. Nor does it tell me this information will be transmitted to a server based in the USA. In fact, the Ant privacy policy implies to me that I will not be uniquely tracked and that only data bout the ant.com sites I visit will be collected. Can you tell me, dear reader, am I reading this wrong?

Ant.com Privacy policy
Openess and security

As a responsible member of the community of website owners, Ant.com solutions (Here in after Ant.com) takes the privacy and security of its users with the highest regard. Ant.com provides a service for user which requires Ant.com to collect certain information, public and non-public. This Privacy Policy explains the use of that information and how it pertains to each of Ant.com’s users.

Information Ant collects and its purpose

Ant.com collects non-personally-identifying information when you are visiting our site or using our software applications, this infomation made available typically from web browsers and servers. Some of the infomation type is: the Uniform Resource Locator (URL) of the web page from wich you came, the date and the time for each page you view, settings such as browser languages, etc. This infomation allows us to better understand the behavior of vistors using our sites. We will also use non-personally-identifiable information for such things as KeyWord popularity reports and regionally website migration patterns, etc.

Ant.com may collect statistics about the behavior of visitors of its websites. For example, Ant.com may monitor the most active user accounts on the Ant.com site or use spamming filters to help identifying spam. Ant.com may display this information to public or provide it to others.

Ant.com also collects infomation made public to us that can be considered personally identifyable, such as your internet protocol (IP) address. Ant.com does not use such information to identify its visitors and does not disclose such information.

There are events in which visitors to Ant.com’s websites who choose to interact with Ant.com in ways that require Ant.com to gather identifying information. For those visitors the infomation collected will depend on the nature of the interaction. For someone who signs up for Ant.com’s social bookmarking service, he will be required to submit his email address. Also, users are able to sign up for advertsing throughout Ant.com’s network of sites. From time to time this process may be automated, in which case Ant.com will ask for further personal and financial information required to complete such a transaction.

Ant.com may disclose potentially identifying information only to those of its employees, contractors and affiliated organizations that need this information to work on Ant.com’s behalf to provide a service available at Ant.com’s websites. These employees, contractors and affiliated organizations have agreed not to disclose information to others, nor using the information given in a unauthorized way.

The location of such contractors, employees and affiliated organizations can be anywhere in the world, and will not necessarily include your home country. By using Ant.com’s websites you consent to the transfer of such information to them. Ant.com will not rent or sell potentially identifying information for any purpose other than what is described here in this privacy policy.

Ant.com also provides software applications that are to be used in certain web browsers. These applications are solely for the purpose of user enjoyment. At no time do we collect information other than what is laid out in this privacy policy with our software applications. Also, Ant.com does not hijack nor change your browser of choice in a way that is not expected or laid out in the applications information pages.

Ant.com also guarantees that any registered user can close its user account at any time, and that no personal data will be kept after the closure.

Changes of your information and our privacy policy

While most changes to this privacy Policy will be minor, please note that from time to time we may change our Privacy Policy and such changes will be at the sole discretion of Ant.com. We encourage our users to check our Privacy Policy frequently and also be on the look out for alerts that show up from time to time in your user account with Ant.com.

(Source https://addons.mozilla.org/en-US/firefox/addon/video-downloader-player/privacy/

The Grind
Back to the meat of the story. I cant remember why i had the ant player/downloader installed, but while I was doing some development on an AJAX application on a local server I needed to do some network level traces to diagnose problems I was having with my development. I’ll stress that the problems with my AJAX application were completely unrelated to what I found out about the ant.com plugin The problems with my AJAX app were just the trigger to me finding out what was going on with the ant.com plugin.

When I started up the packet capture software (tcpdump) I noticed that for every HTTP GET or HTTP POST I made to my local server (and every internet based server), packets of information were being sent over the internet to an IP address owned by ‘reality check network corp’ in New York (rpc.ant.com). The data appeared to be in JSON format and specifically telling that rpc.ant.com server details of the hostname and full URL of sites I was visiting, as well as containing data about my browser, several persistent ‘cookies’ and a mysterious ‘Ant-UID’ which appears to conform exactly to the UUID specification (for the un-initiated, think of a non changing UUID as like a registration plate/license plate from your car)

The Network Data
These are examples of such packets (including response from ant.com). First, lets look at what ant.com sent themselves when I visited theregister.co.uk


POST / HTTP/1.1
Host: rpc.ant.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 327
Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmz=1.1303010447.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1305056954
X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD7408A7FC79}
X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686
Pragma: no-cache
Cache-Control: no-cache
{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://www.theregister.co.uk/","ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD7408A7FC79}","uagent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17","lang":"en-us, en"}],"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}

Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 50
Server: thin 1.2.7 codename No Hup
Connection: close
Date: Tue, 10 May 2011 20:19:09 GMT
{"version":"1.0","id":1,"code":0,"result":"4,086"}

As you can see (or maybe not for those that dont understand HTTP) – there is uniquely traceable information in the header – cookies and that Ant-UID. There is a ‘JSON’ post which details the site visited (along with that unique UUID again) as well as information about the browser I am using. They respond with the date and time that this action happened.

The same information is sent even when I am talking to a local server on my own network:


POST / HTTP/1.1
Host: rpc.ant.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 325
Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmz=1.1303010447.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1305056954
X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD7408A7FC79}
X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686
Pragma: no-cache
Cache-Control: no-cache
{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://192.168.1.2/iedit/","ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD7408A7FC79}","uagent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17","lang":"en-us, en"}],"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}

And the response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 50
Server: thin 1.2.7 codename No Hup
Connection: close
Date: Tue, 10 May 2011 20:20:25 GMT
{"version":"1.0","id":1,"code":-101,"result":null}

Though I suppose that unique Ant-UID or cookie Id could change, I have not seen it change for the duration of the time I have performance my analysis.

What else is disturbing me
Additionally to the fact that my browser habits are being tracked with unique identifiers – I’m concerned about these unique identifying UID and cookies. They remain the same for me even after I have un-installed the addon, shut down firefox and then re-installed the addon. In other words, they seem to persist for me between installations. I can remove the addon, but if I install it again, those unique identifiers stay the same as they were the last time I had the addon installed. The only way I could get the UID and Cookie ID to change on my installation was to shut down firefox, completely remove my ~/.mozilla directory (aka reverting firefox to a ‘factory default’ setting), start firefox and the installing the addon. I’m not sure if this behavior is a bug in the addon or not, but persisting my unique identifiers after an un-install/re-install seems suspicious to me.

As there is this unique identifier, patterns could be built up about where I go – for example if I use my laptop at work, at a public wifi hotspot, at home or a friends house – that UID and cookie can be tied to all of those IP addresses, building a picture of not only what I am doing online, but where I am doing it from.

What alarms me a bit more is that the data that is transmitted about me and my browsing (even anonymously) is going onto servers in New York, USA. What if I were visiting site I did not want anyone to know about? What if the US government subpoena ‘Reality check network corp’ for all information stored on their servers about my IP address, cooke, or UID? Lets think even more simplistic, what if a party to a divorce case subpoenas for that data to prove a partner was visiting certain sites at certain times? Assuming this data is recorded by ant.com on their server rpc.ant.com in New York (and lets face it, why would they send such data with unique identifiers if it were not recorded?), my entire browsing history is there laid before the subpoenaing court or government. Every site I visited. Every page I looked at.

At the end of the day, I think I see what ant.com are trying to do – they want to give their ranking engine a better understanding of browsing habits. Building a search engine isn’t easy, especially when one or two pretty much corner the market. Finding an edge in that market is definitely going to help and data like this is a gold mine.

That being said, misleading me with a privacy policy that purports this behaviour does not happen in order to to get that data from me and then sending that data on USA based servers is, to quote my English kinsmen, “just not cricket.”

All the best

Simon

Bootnote: I did try to query this with ant.com but the only contact method I could find was via their website form. I filled that in but, to date, have received no reply

Share this post

76 Comments

  1. I am really inspired together with your writing skills as neatly as with the layout on your blog.
    Is that this a paid subject matter or did you modify it your self?
    Either way keep up the excellent quality writing, it is uncommon to peer a
    nice weblog like this one today..

    April 12, 2014 Reply to this comment
  2. Hey all. I stumbled upon your current web site the utilization of windows live messenger. That is definitely an incredibly savvy document. I’ll be certain to take a note of the idea accessible returning to get more information of your useful data. Information article. I’m going to definitely comeback.

    February 21, 2014 Reply to this comment
  3. We’ve been a team of volunteers and commencing a new plan within our neighborhood. Your web site provided us beneficial information and facts to your workplace on. You have carried out a remarkable process and also our total local community may be happy for you.

    February 8, 2014 Reply to this comment
  4. Even though they are geared towards a cell phone, I have actually used these to DJ before.

    All in all a nice addition to the product eco-system surrounding Apple’s “i”
    product line and one that offers fitness fashionistas something fun and useful
    to add to their collection. I need good “thump” to be satisfied with a pair of headphones, and these didn’t cut it.

    December 4, 2013 Reply to this comment
  5. What i don’t realize is in reality how you’re not actually much more well-favored than you might be right now.
    You are so intelligent. You realize thus significantly
    when itt comes too this topic, produced me personally imagine it
    from a lot of varied angles. Its like men and women aren’t fascinated until it is something to
    do with Girl gaga! Your individual stuffs nice.

    Always maintain it up!

    November 28, 2013 Reply to this comment
  6. We are a group of volunteers and starting a new scheme in
    our community. Your web site offered us with valuable info to
    work on. You’ve done a formidable job and our whole community will be thankful to you.

    October 25, 2013 Reply to this comment
  7. off

    Oral Stage: This stage takes place until a child is about a year and a half old, and
    the important event that occurs is being weaned from breastfeeding.
    Once enrolled in a program, you can maximize your potential for earning a master degree
    or doctofal degtree by networking with other students and appropriately managing yur study
    and work time. It is a task which we may peform with increasing skill, bbut never really finish; in fact, it is
    suggested that we work these steps ffor thhe rest of our lives.

    October 6, 2013 Reply to this comment
  8. Is it possible that ant.com is feeding information to Malibu Media the patent troll

    October 3, 2013 Reply to this comment
  9. Is it possible that ant.com is feeding information to Malibu Media the patent troll?

    October 3, 2013 Reply to this comment
  10. In fact, after securing a job and getting funded, management is easily the most important part of the job, and construction
    software is a management must-have. So, choose according to your needs,
    and you will be completely satisfied. When there are multiple departments
    involved in manufacturing and selling products in a company,
    it is to the best advantage of the company to find a good
    supplier of software dedicated to an erp system, Arizona, New Mexico and California are just some of the western states taking advantage of this kind of
    system.

    September 28, 2013 Reply to this comment
  11. Usually I don’t learn article on blogs, however I would like to say that this write-up very forced me to check out and do so! Your writing taste has been amazed me. Thanks, quite great article.

    July 9, 2013 Reply to this comment
  12. I all the time used to study article in news papers but now as I am a user of net
    so from now I am using net for posts, thanks to web.

    May 29, 2013 Reply to this comment
  13. Superb website you have here but I was curious if you knew of any forums that cover
    the same topics talked about in this article? I’d really like to be a part of community where I can get comments from other experienced individuals that share the same interest. If you have any suggestions, please let me know. Kudos!

    April 20, 2013 Reply to this comment

Leave a Reply