
What hannibal5 says: Trackers are there after you're off of Google's site (they know whether you've been bad or good, so be good for goodness' sake), and Firefox doesn't need to phone home to Mozilla for your browser to enable others to track you.

In other words, neither Google nor Mozilla has to be involved to track you.

Let me lay out a specific scenario.

It's easy enough for insurance companies (or a 3rd party who's willing to sell that data to an insurance company) to run genuinely informative health sites that have good rankings on Google's SERP, and thus get high clickthrough. Such a site can on clickthrough set a cookie on your client for you, and/or fingerprint your browser (cf. EFF's panopticlick), and/or use an ETag as a 'cookieless cookie'/browser identifier.

Once they've got a way to identify past behavior for a browser (i.e., look up health concerns for an identifier), they have something to sell to insurers.

Okay, well, clicking on an organic result is a weak signal of health risk / pre-existing condition; all you know is they ended up on a page.

Suppose you, as an insurer, want a stronger signal of whether the person using that browser has a health risk/pre-existing condition. Just put out some AdWords. Here's where Google really helps a website build valuable, saleworthy data.

    Search for something:
    https://www.google.nl/#q=breast+check

    Click adwords ad for breastcancer.org

    Opens a page to: http://www.breastcancer.org/symptoms/testing/types/self_exam/bse_steps?gclid=CMC0rI74uLkCFQSS3godSSAA_Q

    With this value in the HTTP request's Referer header:

    http://www.google.nl/aclk?sa=l&ai=CA_XBGe0qUqOhD4e--QbWkoHoBqzGitEBlN6ongr-x6YMCAAQAVCVu9RFYJGEk4X8F6AB7qeO_wPIAQGqBCBP0MOny_HlmSNBJ-QDgpzV0OqbNNjg7FAjv3nX9hy9u4AH-tdx&sig=AOD64_1DSbXWQm-KpW0fMRFiY3lcjn3kQg&rct=j&q=breast+check&ved=0CCwQ0Qw&adurl=http://www.breastcancer.org/symptoms/testing/types/self_exam/bse_steps.jsp

    I was logged into my Google account while I did this.

    Google empties the Referer for organic results always (if I've read & remembered correctly, for a few years they scrubbed Referer only for logged-in users, as a privacy boon). But they still leave it for their paying advertisers!

So, if you run breastcancer.org and put out some ads and are selling your data to insurers, you now can link search terms to impressions to clickthroughs to a browser identifier. Then you just need to offer a low-latency service that serves the insurer a list of health conditions for which a particular browser seems to be at-risk.

Note that all of this works end-to-end, so SSL/TLS doesn't prevent the host serving a clickthrough from sharing data.

The part where your browser is identifiable (uses etags, sends cookies, presents a consistent fingerprint) is the weakest link.

Disclaimer: I have no reason to believe breastcancer.org is anything but altruistic, I just needed to find a medical condition for which there was a clickable AdWords ad and which is expensive to treat.
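
Added example (not part of the original comment): a small audit, runnable in Node or a browser console, that reports which parts of an ad click-through expose the search term and click identifier described above, and what remains after the landing URL is stripped of `gclid` and the Referer is reduced to its origin. The function name, the parameter lists and the `search.example` / `health.example` URLs are assumptions constructed for illustration.

```javascript
// Query parameters that carry the user's search terms in a search-engine Referer.
const SEARCH_TERM_PARAMS = ["q"];
// Click identifiers the ad network appends to the landing URL (gclid is the one in the comment).
const CLICK_ID_PARAMS = ["gclid"];

// Hypothetical helper: list what a destination site learns from one navigation,
// and return the reduced URL/Referer a privacy-minded client would send instead.
function auditClickthrough(landingUrl, referer) {
  const landing = new URL(landingUrl);
  const leaks = [];
  let scrubbedReferer = "";

  if (referer) {
    const ref = new URL(referer);
    for (const name of SEARCH_TERM_PARAMS) {
      const value = ref.searchParams.get(name); // "+" is decoded to a space
      if (value !== null) leaks.push({ where: "referer", name, value });
    }
    // Origin only: what a Referrer-Policy of "origin" sends to the destination.
    scrubbedReferer = ref.origin + "/";
  }

  for (const name of CLICK_ID_PARAMS) {
    const value = landing.searchParams.get(name);
    if (value !== null) {
      leaks.push({ where: "landing-url", name, value });
      landing.searchParams.delete(name); // drop the identifier before the request is made
    }
  }
  return { leaks, scrubbedUrl: landing.toString(), scrubbedReferer };
}

// Constructed sample input with the same layout as the request in the comment.
const SAMPLE_LANDING =
  "https://health.example/symptoms/self_exam?gclid=CONSTRUCTED_CLICK_ID";
const SAMPLE_REFERER =
  "https://search.example/aclk?sa=l&q=breast+check" +
  "&adurl=https://health.example/symptoms/self_exam";

const demo = auditClickthrough(SAMPLE_LANDING, SAMPLE_REFERER);
for (const leak of demo.leaks) {
  console.log(`${leak.where}: ${leak.name}=${leak.value}`);
}
console.log("scrubbed URL:    ", demo.scrubbedUrl);
console.log("scrubbed Referer:", demo.scrubbedReferer);
```

Scrubbing these two fields does not touch the cookie, ETag or fingerprint identifiers the comment calls the weakest link; those need separate handling in the browser.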



