Because, usually the kind of people that’d opt in are techies/power users or work (volunteer, or paid) for Mozilla themselves. Let’s say only 1% of your userbase opts in to this, how is that not biased? (As it currently stands, I believe this is a further optin in a tucked away menu).
Then they should make the possibility to opt-in more prominent, instead of switching to opt-out with the option tucked away in some menu where only techies/power users will disable it.
The Mozilla user base is already biased. Plus they can run experimental test fixtures to canvas sites. This sounds like a solution looking for a problem.
>They claim is biased but is it really biased? How do they know? I think this is just making up excuses so they can collect more data.
Informed, constructive opinion there.
One clear sign of the bias is that the crash rate of the browser goes up massively every time a new version transforms from beta to release. Clearly, it's not renaming that string that makes the browser crash. The populations are just fundamentally different.
To give an obvious example, beta users are overwhelmingly more like to have up to date video drivers. (Which can be seen in crash reports, but is also very logical).
That's not how it works. Most users don't care and will simply use whatever the default is; and when it comes to anonymous usage statistics, "most users" is _exactly_ the group of people you want to be collecting them from; otherwise your results will be skewed heavily in favor of a small minority of power users.
I hope not. If that's true, then Firefox is in serious trouble. There aren't nearly enough power users and privacy enthusiasts around to make Firefox a significant player in the browser market all on their own.
Why would optimising for the power users be wrong though? In most cases if it's good enough for the power users who tend to break things more often than regular people it is perfect for the regular users.
Quite the opposite if the focus too much on the regular users they might get too much noise and never notice issues in the more complex features that only power users tend to use.
You want the heavy users of your product sending in reports not the average Joe because he is less likely to even notice a issue.
Higher level features are less likely to be covered by tests and more likely to break just because of their complexity however you wont have many average people using them.
Because there's much less power users than normal users, and browsers that only cater to power users are useless because they end up not working on any websites. That's webcompat for you.
Precisely. Most people don't have an explicit preference. And collecting data on every possible human would give better results -- useful even if they don't plan on justifying running any specific test. We should probably use our expertise in computer networks to create universal, unjustified surveillance. As long as there is an opt-out option (hopefully we can use a complex tracking method so people don't understand the implications of not opting out -- oh, wait, RAPPOR already does that! Mozilla really stepped up their game here).
[EDIT: Firefox branding used to use the word privacy a lot. I can't find it on their website much at all anymore.]
When I browse to firefox.com I get [1] which has this text:
More privacy
Firefox doesn’t sell access to your personal information
like other companies. From privacy tools to tracking
protection, you’re in charge of who sees what.
Here’s how Firefox protects your privacy
So yes they still advertise with that as one of the major features.
Indeed, I didn't find the subpage until later. I also like how, it isn't that you _have privacy_, but _more privacy_, because access isn't being sold like other companies. Someone must have noticed that they should only make promises they'll keep and toned down the language.
For instance, from the same page 8 years ago: "we have experts around the globe working around the clock to keep you (and your personal information) safe."
Most users do not care because they do not understand the true ramifications of their not caring. It is not like that looked at all the data, then made made an informed choice to share everything.
FF should be at the heart of caring for users privacy EVEN IF THEY THEMSELVES DO NOT.
The average person does not understand technology, how much data they are leaking about themselves and how this data can be used against their interests
Taking advantage of that ignorance for any type of gain is unethical IMO, most companies willfully exploit this collective ignorance Mozilla should be better than most companies.
This might finally prompt me to start compiling Firefox for all my devices, or at least evaluate some of the high profile forks.
It's not just about the data, it's about the lack of consent. If you just ask people for permission on the initial startup, I'm sure most people will be fine with enabling it. Last time I installed Firefox, it just showed a tiny bar at the bottom of the window, which is pretty easy to miss. I'd expect fewer dark patterns from Mozilla, that's the kind of shady behavior you see coming from Microsoft. I always try my best to disable or block anything which phones home without explicitly asking for consent.
Tunnelblick [0] is a good example of this being done well. On the initial run they ask if you want to enable automatic updates. It includes the option to disable sending anonymous system information, as well as including a disclosure widget with a brief explanation and a table showing the information that would be sent. [1]
This might not be so bad as I expected from the title, but implementation details will really matter. If, for instance, they collect exact homepage URLs, they cannot make it anonymous (some site include username as URL components).
While I do understand the allure of collecting this kind of data I find it highly disturbing to see this from Mozilla.
I think not having perfect information about the users is a trade off that should be made in order stay an alternative to most other browsers. There are still ways to get more data by other means, though. When it comes to most visited websites, for instance, the alexa ranking should give a good, if not perfect, idea.
I say it over and over. You can not completely anonymize data with any reliability. Please note the qualifier, many systems work for many vectors, but any sufficiently large dataset can be used to graph habits and correlate them. Maybe there is a safe way, but I put the onus of proving it on the person implementing it.
> You can not completely anonymize data with any reliability.
Well... there's actually a field for that. I forgot what they call that field because of how niche it is but my friend at google is doing just that.
He said there are math theorem to prove that it's sufficiently anonymize.
He gave an example of how Netflix competition with the data they gave researchers were able to deanonymize it. And his job was to prevent that at google.
I can see why if you're trying to sell users data while maintaining privacy.
Not to mention, if we're talking about IPv6 addresses, they often get allocated as /64 (or even /60 or /56) blocks. Such "anonymization" becomes useless at that point.
Google Analytics has nothing to do with this. As clearly linked in the mailing list, you can read the paper and source code for the client-side differential privacy tech used.
I've removed all URLs from about:config and replaced them with localhost (search for "http"). This should help with privacy-related issues as long as no API endpoint is hardcoded.
> Name resolution APIs and libraries SHOULD recognize "invalid" names as special and SHOULD always return immediate negative responses. Name resolution APIs SHOULD NOT send queries for "invalid" names to their configured caching DNS server(s).
It's only SHOULD, not MUST. And in fact, the glibc resolver (and I bet also other major implementations) does send such queries to the DNS server.
> And in fact, the glibc resolver (and I bet also other major implementations) does send such queries to the DNS server.
Using the glibc resolver as baseline is a bad idea, it’s broken beyond hope.
Try resolving http://-emmawatson.tumblr.com/, which is a valid URL under newer standards, and works on all other systems. The Glibc authors refuse to merge patches fixing this, because they disagree with the standard.
I think the burden here is backwards? URLs may contain Protected Health and other Identifying Information. If this data leaks SSL and could be sent to a 3rd party, then it makes Firefox an unsuitable client for a great many applications.
EDIT: OK. It's boolean flags (like use of flash) plus an eTLD+1 (example.org; not myname.example.org?). Even so, I believe this tracking should be opt-in with a disclosure screen that explains exactly what Mozilla is recording. Informed consent is a practice we should be promoting, even if it seems unnecessary.
They're not planning to send full URLs, only domains. Also, the system described is resistant to attacks even if the data is captured (SSL leaks). I don't have enough statistical knowledge to understand how that works, though.
Mozilla has been violating even the minimal legal standards in the EU for years, and no one cares.
It’s insanity that an organization promoting its products with privacy doesn’t even meet the minimal legal standards. We’re seeing Google Analytics tracking in parts of the browser ("Get new Addons" page, for example), without even the legally required cookie warning.
EU law is clear on this, as soon as you store any data, do any tracking, connect to any third party, or transmit anything for analytics, you have get opt-in.
My concern is that it relies on differential privacy, or privacy through deniability. Which seems like a poor fit when it comes down to submitting URLs visited, unless they plan on submitting fake URLs when the "coin flip" comes up as tails twice in a row?
Not to mention, people will tend to visit the same websites repeatedly. The entire premise of DP is that the real data will stand out from the noise, creating a compelling picture of what an individual visits on the web. How will that aggregate data be anonymized, when it is reported with (a minimum of) an IP?
In short, this still requires a lot of trust in Mozilla, even with the DP algorithm, to not do the wrong thing with the dataset. And, in my eyes, making this opt-out and not opt-in already compromises that trust.
They don't plan on collecting URLs, just (eTLD+1). The only real issue I can see here are users who have registered their own domain under an eTLD, and have it set to their home page.
I'm not sure if they're planning on collecting every homepage domain here, or just asking something like "Is your homepage domain in the list of top 1000 domains?". In the former case, just having the domain listed could leak information. In the latter case, I can't see any issues.
It's more like: "Is your homepage google.com? Flip a coin, if it's heads tell me the truth, otherwise flip another coin and answer yes if it's heads or no if it's tails." (A bit simplified, but that's the general idea behind differential privacy.)
What do you mean, a URL must not contain PHI? You can't prevent a non-tech minded person from submitting questions about their health to any text field linked to a form with a GET method.
I'd argue that domains are the same- there are tons of domains that clearly indicate what they're about (e.g. stop-drinking.example)
> What do you mean, a URL must not contain PHI? You can't prevent a non-tech minded person from submitting questions about their health to any text field linked to a form with a GET method.
You can't, but that can't be part of Mozilla's threat model, and it's not relevant here anyway because Mozilla isn't collecting it.
And even if they were, that's not considered PHI legally. You are free to type any information about your own health that you want anywhere; that doesn't make it legally PHI, unless you are providing it to a Covered Entity.
> I'd argue that domains are the same- there are tons of domains that clearly indicate what they're about (e.g. stop-drinking.example)
This information is not legally considered PHI. As for privacy, SNI means that all domains you visit are already visible in transit, even if you are using SSL. Domain names are not considered private.
> Do you have any sources that go into more detail? When I've worked on PII in analytics...
PHI is an incredibly well-defined term legally and is not equivalent to PII. Some things that constitute PHI actually wouldn't qualify as PII.
There are a lot of resources that explain HIPAA in great detail; if you want to know the specifics like here, you have to read the bill and the case law itself.
I don't care what the legal definition of PHI is, I am concerned that Mozilla is collecting actual personal health information (if not through URLs, the domain name concern is still valid). And I know that DNS resolution is not necessarily secure from snooping, but having one extra orginazation explicitly collecting this data is more dangerous than not having one extra org collecting it.
You can argue it all you want. Whoever is storing that is responsible under the Canadian laws criminally. It's probably the same if not worse in other countries (Germany, etc).
As a practical matter, there are lots of applications that use GET for user submitted search data. Since GET requests encode user entered information into the URL and since the URL is typically found in web server logs and other tracking/history mechanisms, it is unwise to use GET for user-submitted data in applications that are concerned with privacy. However, it was not always considered unwise: REST advocates recommend GET when the underlying information representation doesn't change as a side effect of the request. Therefore, one might just as well say that logging of URL query parameters is the technical problem.
That said, when a "breach" has occurred is a legal distinction involving the control of information -- when protected data moves beyond those who have a duty to protect it. Saying that a particular technical approach creates breach is inaccurate.
I think logging is unrelevant here because it can be set up to log POST data too or not to log query string. But the problem with leaking data via referrer exists. Google encrypts (or obfuscates) search query in referrer for example.
A group of URLs tied with the IP accessing them may leak such data. Maybe not in exact violation of the law, but it would allow for a reasonable estimate of the chance of someone at that IP address having some given condition.
Sure, except that with differential privacy, say 5% of telemetry reports would be marked as visiting do_I_have_very_bad_medical_condition.com anyway – regardless of whether they actually did.
Any submission of data requires the transmission of an IP address, which is personal data and necessitates appropriate protection.
I very much hope that the Debian maintainers (and hopefully also the guys preparing Fennec in F-Droid) will disable such data collection mechanisms, either completely or hidden behind an explicit opt-in instead of the opt-out suggested in the e-mail.
Then don't send the correct source IP address, with simple statistics gathering like this I hardly expect they require a response. It would mean there would be no personal data whatsoever.
You'd just send a UDP packet with a spoofed source address and forget about it. There's no need to open any sort of 2-way connection for data that's only being transmitted in one direction (from browser to metrics server).
Tor is blocked in some places and viewed as very suspicious in others. If you're already in a place where you're trying not to draw attention to yourself, using Tor might not a good option.
Wouldn't spoofing IP addresses risk the data packets being filtered out by ISPs or other upstream network providers? IMO if keeping IP addresses hidden is a concern, it'd be better to use something like TOR.
Most ISPs filter spoofed IP addresses nowadays[1]. Even if your ISP doesn't prevent it, NAT might. You wouldn't get a whole lot of responses this way, and there'd be a strong bias because of regional differences w.r.t. filtering.
Yes[1], no[2]. An IP address is "personal relationships" data and collecting, processing or using such data is prohibited unless allowed by law or the concerned person gives consent.
The way I interpret this, if you don't collect, process or use the IP address beyond it being incidentally involved in the transmission of anonymized data, it shouldn't require explicit consent.
Otherwise literally everything that connects to the internet in some way would have to treated in that way, and that's not how the law is currently enforced.
> Any submission of data requires the transmission of an IP address, which is personal data and necessitates appropriate protection.
Do you have a citation for that broad assertion? My understanding is that this is highly variable across legal jurisdictions and even in Europe, which typically leads the way in privacy, it's not that simple. See e.g.
https://www.whitecase.com/publications/alert/court-confirms-... discussing an EU Court of Justice ruling that had two requirements: the ISP can link that IP address to an individual AND the website operator can get that information from the ISP.
Within the new European GDPR framework, IP addresses are to be considered as personally identifiable information, so the concern is warranted. What's decisive when characterizing an information as identifiable or not is not the fact of being actually able to perform the de-anonymization of the information (e.g. via the ISP in case of an IP address), but the mere possibility of it.
Legally though Firefox would be allowed to collect this anonymous data from the user by having him/her send the data e.g. to an API endpoint they provide via IP-based communication, they would just not be allowed to associate the data with the IP address of the user submitting the data. In the end, it comes down to trusting the party that collects the data, at least if they don't perform anonymization of the IP address via other means, e.g. by passing the information through a third party proxy server.
BTW, GDPR does forbid to turn on such data collection by default (privacy by default), so they would be required to get the explicit opt-in from the user for that.
>Within the new European GDPR framework, IP addresses are to be considered as personally identifiable information,...
My understanding is that many of these details are yet to be settled with GDPR. The case referenced above was not interpreted under GDPR, which has yet to take effect. The definitions of personally identifiable data data rather vague, and precedent has not been set. A quick search showed conflicting opinions, but one perspective to consider is quoted below:
> In addition, businesses should note that Recital 26 to the recently adopted EU General Data Protection Regulation ("GDPR") states that the test for whether a person is "identifiable" (considered in detail above) depends upon "all the means reasonably likely to be used" to identify that person. The CJEU in Breyer did not directly consider the issue of likelihood of identification. If the BRD was not reasonably likely attempt to identify Mr Breyer from his IP address, this could potentially give rise to a different analysis under the GDPR. Consequently, it may be necessary for the CJEU to revisit this issue after enforcement of the GDPR begins on 25 May 2018.
This is a few years old, so if you know of some new decision or regulation that clarifies it would be great to know!
The GDPR does not provide a list of data types that are considered personal or not personal, instead it uses a definition which states what criteria need to be met for data to be personal and gives a list of relevant categories, which explicitly includes "online identifiers":
Now, you could of course argue that often it's not possible to infer the identity of a person given an IP address (e.g. because it is a dynamically allocated IP address by an ISP or an IP address of a proxy server through which many users connect to the Internet) and therefore store it, it would be very hard to impossible though (IMHO) to ascertain that none of the IP addresses which you store could be used to identify a specific person (what e.g. if there are 5 % static IPs in your data?). This in turn would make treating all of your IPs as non-personal data a risky business to say the least, as there will almost certainly be a way to identify at least some of your users from their IP addresses. The fact that you don't know about a particular way of doing this identification is not relevant for this.
My advice: If you do not use a very robust method for making sure that all the IPs you store are non-identifiable I would recommend not storing them at all (or at least truncating them to 24 bits, which does also not always eliminate deanonymization risk though).
Because it's neither obvious nor globally true. Legal status varies around the world and from a technical perspective an IP address on its own doesn't usually identify a person unless you have other information — account data, correlated data from other sites, etc. — and things like NAT and public wifi make that necessary to reliably link activity.
I think it's important to talk about this issue – especially the importance of not storing it long-term — but from my perspective the real concern is the industry dedicated to linking and sharing your online activity. Without that an IP has little value and with it they can deanonymize most people without using IPs.
> Any submission of data requires the transmission of an IP address
Not true. Tor has demonstrated that it's entirely possible to transmit data over the internet without revealing your IP address to the party you're transmitting to.
Actually no, it doesn't matter who controls the exit nodes as long as your only concern is keeping your IP private. (Exit nodes can indeed do bad things to unencrypted traffic, but that's irrelevant for this use case.)
Latency also doesn't matter here; this telemetry could take 5 minutes to reach its destination and it wouldn't matter, so long as the data is eventually received.
No, seriously; why? I don't get this mentality at all.
Let's ignore the exact implementation here for a moment, and assume that Firefox is somehow magically doing this data collection in such a way that it is guaranteed the data collected cannot be traced back to you as an individual. (E.g. "sufficiently anonymous".)
What problem do you have with that, specifically? How does this harm you in any way?
If it's through "secure" code, you can't always guarantee it in the future nor what Mozilla does with this data in the future. Also it doesn't set a good precedent to proceed in this direction of opt-out behavior in Firefox.
In this case, it's not through secure code though, it's through the nature of the data being sent itself. Differential privacy is meant to ensure you _can't_ use the data to make any sort of inferences about individual users; only about users as a whole.
That's kinda beside the point here though, as the GP seemed to be against collecting this data _regardless_ of whether or not it's anonymized or not. I'm interested in hearing why.
Because data collection that is "sufficiently anonymous" _does_ respect privacy. If it's completely impossible to tie the data collected to any one particular user, how does the existence of that data compromise privacy in any way?
We can go into an amazing yet pointless semantical argument of what "privacy" means. But let's look at this from a different perspective:
I like your faith. However, if this change goes in, and the capability is there, it will get misused. Because, statistically that's how these things go on this planet+capitalism.
Actually, the way they're implementing this, even if Mozilla decided to try to misuse the data in the future, they still wouldn't be able to, since the data itself is "sufficiently anonymous" (unless of course you want to argue otherwise, like the root comment was suggesting you do).
Or are you saying you're worried that they could _start_ collecting non-anonymized data in the future? If so, I don't really get that argument either. People always have the ability to change what they're going to do in the future, Mozilla deciding now not to collect this data wouldn't change that.
Imagine I came to your house, and photocopied all your documents.
Don’t worry, I blanked out the name, so it’s completely anonymous, and everything is where it used to be.
Would you be okay with that?
I certainly wouldn’t.
Making this opt-in or opt-out is a question of consent, and choosing opt-out shows that you don’t give a flying fuck about me, and only want your own benefit.
What is uncivil in this comment? I’m sorry, but I don’t see anything problematic in there, and I’d say the same to anyone’s face IRL, given the same circumstances.
There is a swearword used, but it’s not in the context in any way uncivil, as the plural "you" that it is referring to is an abstract person, a hypothetical entity – not any actually involved person. (In this case, the potential future group of people at Mozilla who might decide to override an explicit choice I made for their own convenience)
Profanity isn't an issue on HN but "you don’t give a flying fuck about me, and only want your own benefit" is not, to my ear, the sort of thing one says to an abstract entity.
Have you also read the "and choosing opt-out" before that?
The topic is a choice that Mozilla plans to make, and is questioning users, and more about.
The decision has not been made.
My argument is that, if Mozilla (and whatever users Mozilla asks to give an opinion), choose to override the current decisions of users who do not want telemetry, and require a new hidden opt-out, then that would be proof that they (as group) don’t really care about the users choices.
The user I was talking to has no power in making that choice, nor do I. Nor is all of Mozilla making that choice.
I was using "you" with the meaning of the German word "man", (I’m natively German): one; you; they; people (indefinite pronoun; construed as a third-person singular).
Ok, probably a linguistic misunderstanding in this case. But you've straddled the civility/incivility line so often in your comments here that I still wish you would take a few more steps in the right (for HN) direction. I bet translation issues would cease to be a problem if you did.
And I don't get the mentality where I should justify why I don't want my tools to report what I am doing.
I'm ok with testing things and sending feedback, but when I switch to a production environment, I just want my tools to behave like my tools, not the testing farm for somebody else.
Why should I prove to you that it would harm me? I just do not want it, it should be enough.
I don't know, to me that's a bit like running a torrent client and expecting the default setting to be "no seeding, download only". After all, the torrent client is _your_ tool, right? Why should it do anything except the bare minimum required to download the files you want? Why waste upload bandwidth on something that doesn't benefit the user?
Obviously that's ridiculous, right? If the default setting was to not seed, torrent clients would be much less useful for everyone involved. Browsers sending usage stats are much the same way. While no individual user benefits from _their machine_ sending those statistics, it's better for the user population as a whole if the default setting is to send them, since those stats help the browser vendor build a better browser. (And before you cry "privacy", remember that in this context we're talking about a situation where the statistics are being sent in a way that is "sufficiently anonymous" such that privacy isn't an issue. See the GP.)
So while I agree you certainly should have the right to disable sending usage statistics if you wish (just as many Torrent clients let you disable seeding), expecting that to be the default setting is a bit strange.
Ok, we changed the title from "Firefox planning to anonymously collect browsing data" to (hopefully more representative) language from the first paragraph of the article.
This is ridiculous. I use and recommend Firefox for pure ideological reasons, because frankly, Chrome/Chromium is miles ahead of them.
If they start opt-out tracking using the same approach as Google I do not see any reason to use it nor install it for my friends and family. That's some data for you, Mozilla.
How is Chrome miles ahead? Both seem to work just fine for me, neither being noticeably faster or better. I like a couple of minor Firefox features, so that's what I stick with.
Firefox -> Chrome is a sidegrade at best. Literally only reason I use it is because I got fed up with weird little CSS quirks I couldn't replicate in IE or FF, but were very present in Chrome.
My point is not the way you label gathering information from your users but rather that it is about implementing something Google proposed.
If the mechanism works, fine, but why should I use Firefox over Chromium then? Opt-out data collection is in violation to my core beliefs and what I believed to be Mozilla's principles.
Collecting data without asking the user about it is - to me - in violation to the very definition of privacy and calling some way to anonymise data (who guarantees that the cryptographic approach to this is not obsolete in a few years?) "differential privacy" is at the very least dishonest.
So, I read that, and already see two problems. One - DP provides privacy by deniability. How does that apply to URLs (or even just domains)? For a domain to show up, I have to have visited it (unless Firefox will report back random domains).
Two - DP is only really private over a small data set per individual. If DP were enabled for even two days, you could get a very accurate picture of the sites I visit, since a majority of the domains reported would be necessarily be accurate values.
> I'm pretty sure that the idea is to report back random (existing) domains, yes.
Here's a concern that comes up from that implementation option: any outliers from the set of existing domains (which would likely simply be implemented as a list of strings) would immediately be able to be called out as a "True" value, while a single reporting of a domain could reliably called out as a "False" value. Unless, of course, you choose a randomization algorithm which exhibits a very strong clustering trait.
You could also limit reports to those domains which are in the whitelist, but that would voluntarily neuter the reporting; something they seem less-than-eager to do.
Ultimately, it will all come down to the implementation details, which are unlikely to be available until after the opt-in release, and auditable by a remarkably small number of people in the open source community.
Your stance is paradoxical, because Chrome has been improved based on data mined from users, and not in as nearly a considerate way as Mozilla is proposing.
You want Firefox to succeed as a browser, but to be able to better compete it needs better usage data.
Wouldn't you prefer for Firefox to be the best browser available, AND also be considerate towards your privacy rights?
Wouldn't you prefer for Firefox to be the best browser available, AND also be considerate towards your privacy rights?
I prefer absolute privacy over some minor advantages on irrelevant webpages.
How do you even think this system would work in restricted environments such as governments where even the presence of code that could collect data is an absolute no-go?
If Google does not respect my privacy, why is the proposed way to gather information based on Google's approach?
And if the way Mozilla gathers data is much more considerate, what results can I expect from it? Better parallel requests and data fetching, hardware acceleration, etc are all features that are missing for me as a Linux user. They don't need my dataset for that, it's probably all in their bug tracker.
Company A does bad thing which benefits them massively, allowing them to have a better product. Some people dislike that approach and flock to company B which promises not to do the bad thing. Now company B start doing the same thing 'for better good' but promises to 'keep it moderate'.
At this point why would anyone stay with the company B which broke its promise once, just in the hope that it won't break the promise again? It has already lost the trustworthiness and it also has the worse product. Might as well use products from company A.
This is specious reasoning. Company B is not doing "the same thing" at all. Company B is collecting data, but not only is it far more limited (e.g. collecting domains instead of URLs), it's done in a way that protects privacy. You can't just throw up your hands and say "well, they're collecting some data, therefore we may as well just throw away all privacy protections and use the browser by the company whose business model is based on collecting all the personal information they possibly can".
Opt-Out vs Opt-In is a question of consent. Do you value your own benefits more than my own right to determine my own life?
If yes (and that’s what you get when you choose opt-out), then we’re done. There is no gradual change there, it’s a binary question if you value the user or your own benefit more.
The world is not black & white. If Firefox starts collecting a small amount of data in a privacy-sensitive manner and makes it opt-out, that does not at al make it equivalent to e.g. Google collecting all the user data it can.
Except that's not true. Firefox collecting a small amount of data in a privacy-aware manner does not mean "convenience being always more important than privacy", not by a long shot. I don't understand why you're insisting on such an absolute black & white viewpoint.
Firefox being so arrogant to presume I want to collect the data by default is a very rude thing. You don’t just assume someone wants it, and do it for them, especially if it might hurt them.
First ask, then fuck up. Is that concept so hard to understand?
If you’d do that IRL to someone they’d never talk to you again, it’s the same with Firefox if they do this.
Firefox collecting data in of itself isn't at all rude, or problematic. Nobody cares if Mozilla has "data". What they care about is if they collect data that violates the user's privacy. The whole point of RAPPOR and differential privacy is it's an approach to collecting data that is supposed to preserve user privacy. So the real question is, does it preserve user privacy sufficiently that it's ok to make something opt-out instead of opt-in? But that's not what you're complaining about, you're just ranting because they're collecting data, period, without actually understanding the extent to which your privacy is being violated (if at all).
And of course this all started with you saying that you may as well switch to another company's products, a company which you know violates your privacy quite significantly. You still haven't explained why Firefox collecting a small amount of data in a way that tries to minimize any privacy violations means you should just give up any semblance of privacy and use a product that tries to collect as much personal information as possible.
First off, I’m a developer myself. A developer in the EU. In Germany. Working on open source. In fact, on open source with goals to preserve privacy.
I’ve dealt with these issues before myself.
And I understand well what they collect, how, and why. I understand how painful it is when you have no data on what is used, and how, or not even crashreports.
But there also is a limit to how far you can go, and where consent is required.
And when transmitting anything, or collecting anything, consent is required.
You could make it dependent on situation. If a performance issue occurs, show a bar: "Is this website slow? Click [Here] to submit a report so it can be improved. [Details] [X] Always submit".
This gives the user a far better understanding of what is submitted, why it is needed, it is contextual, and it is still opt-in (but with far better conversion)
I've been using Firefox as my only browser for at least 12 years. If they go through with this, I'll switch to something else. I don't know how they could think that this is acceptable.
I think Mozilla's boldness in stating the plan to systematically leak user information, is a tipping point. Will increase usage of Opera, Midori, Chromium. As for Tor integration with Firefox, that really is a shame, I hope Tor integrates with something else.
Oh, it’s simple. Just comply with EU law, and it’s all okay.
That includes:
1. You can not collect anything without explicit opt-in
2. You can not transmit any data to a third party
3. If a user requests it, you have to provide all data stored about them, and have to provide a way for them to delete all of that. (And you have to provide this at least once every 12 months via letter, fax or email for free) (compare §34 BDSG)
That includes IP addresses (just connecting to a socket without a user explicitly starting that action), names, emails, hashed IPs, it includes usernames, CC data, messages, interactions with webpages.
Anything that in any way is connected to a person is covered by this.
This directive is also the origin of the cookie disclaimers, which require opt-in before collecting statistics or loading any third party tracking solution.
But be aware, in May 2018 it all changes as the new EU GDPR comes into force, and that’s a bit more restrictive (and even applies to anyone processing or storing data of EU citizen, no matter where the processing entity is located)
The code in the browser is a stub. No data gets collected let alone sent anywhere until the user adds a Pocket account. Pocket updated their privacy policy, and they open-sourced the browser integration code. https://venturebeat.com/2015/06/09/mozilla-responds-to-firef...
But based on the article, it wasn't addressed until users raised a stink about it. And it wasn't just privacy, it was also closed-source, unnecessary features that should be an addon, etc.
Why would it be addressed before anyone complained? And it was planned as part of the Readability feature, which is very popular and not considered "unnecessary". But FF devs were having a hard time making a good read-it-later UI and decided to use Pocket instead of reinventing the wheel.
Edit: To be clear, I think the browser code was always a stub, and the privacy policy was modified before the feature launched as part of Firefox.
My concern is that Mozilla has been on a "Sure, you can provide feedback, but we're gonna do it anyway" streak. Pocket is quite unnecessary, and would be a great candidate for an add-on. I don't know their reasons for bringing it in, but it seems pretty cut and dry that there were a lot of users who didn't want it even after it was cleaned up, and Mozilla ignored them.
I think you're probably just underestimating how popular it is. Tagging activity tripled from 2012 to 2017. They had 10 million monthly active users in February when Firefox bought them.
"If Mozilla starts reading a tiny bit of user data using well-researched techniques for preserving user privacy and anonymity, I'm going to ditch my browser of 12 years and switch to the competition, which is perfectly happy to grab as much personal information as they possibly can from me in order to monetize me."
(well, unless you're going to switch to Safari, since Apple also cares about privacy, though, spoiler alert, Safari's also using Differential Privacy to collect data).
Why use the quotes? My guess is if the personb you're replying to thought of what Mozilla is proposing in the same way you think of it, they would have said so.
The quotes are because that's basically what suby said. I'm guessing that suby's not actually serious about switching browsers though, because doing so would be cutting off their nose to spite their face.
I liked Firefox for years. I have lived through years of shenanigans such as broken extensions, forgetting what tabs I had open because Firefox accidentally closed without restoring them, moving icons and menus around for no reason, and recently, an update on my Ubuntu that broke scrolling of pages (with PgUp/PgDown). And now this..
I am starting to think that they just don't want people to use Firefox.
Yeah, I know it's free software, so I have no right to complain. I just wonder why?
Where governments and corporations are concerned, the "why" condenses down to two simple answers: commercialization(profit) or weaponization(control)... it is easily conceivable that both will result over time. I hope Tor & EFF start giving more love to Pale Moon & it's ilk, but that may just be mitigating the inevitable death by 1000 cuts to privacy.
I think it's worth approaching this with an open mind and giving Firefox at least a little bit of the benefit of the doubt. It's pretty plain to see how such aggregate usage data would lead to a better product for everyone.
How many people here use website/app analytics to improve products they work on?
Browser performance is very closely tied to specifics of the content. That's why optimizing for e.g. JS benchmarks doesn't always result in a browser that feels any faster.
There is a story about people getting driver's license having a check box to opt-in into being organ donors, and very few said yes. Once the box was changed to opt-out, very few said no :)
The question is are people saying no because they are privacy conscious, or because they don't care. My money is on latter. In general more people care about Firefox being fast than security.
What's a bigger issue for Firefox is deprecating its add-ons. That's going to hurt its marketshare way more than telemetry data.
That is, however, not a sufficient analysis of the problem domain and how the data gathering is offset by potential privacy intrusions. Right now it reads as if dev comfort is prioritized over user privacy, which might not be the case, but you cannot suggest sweeping changes like this in a few lines on a message board without proper analysis and communication. Mozilla should know better by know, especially since their market share is diminishing and target audiences are increasingly disappointing with Firefox.
"One recurring ask from the Firefox product teams is the ability to collect more sensitive data, like top sites users visit and how features perform on specific sites."
I would say that is none of the browser vendors business.
Please stay away with your opt-out stuff - it bothers me. Make it opt-in, always and forever.
Even opt-in is a problem. There's no way to be 100% sure the checkbox in the UI is and always will be respected. It maybe something as innocent as logic woopsie or something as nefarious as intentionally and quietly changing it to opt-out during an update. A better option, keep the data sharing code out of Firefox; opt-in to log locally; if they user decides they want to share something with Mozilla, give them instructions on how to email or upload the files.
1. Any data collection at all deanonymizes the user, cf panopticlick.
2. Frankly even opt-out is not acceptable. I can't recommend any software that peridically asks users for data access, since there exist non-technical users who have a nonzero chance of clicking yes to everything. If they are related to me in some way this compromises my privacy also.
1. Any data collection at all deanonymizes the user, cf panopticlick.
This isn't true. Panopticlick collects a ton of data about your browser that this proposal will not. There has been a lot of research done in this area and we know how to collect anonymous datasets. https://arxiv.org/abs/1407.6981
Look at it from a security-conscious user's perspective: I would have to verify that:
1. The concept is sound.
2. It is implemented as described.
3. It is implemented with no bugs.
4. Mozilla is trustworthy
5. Any third-parties Mozilla involves in this process are also trustworthy.
6. All of the above will remain true.
Doing this would take a tremendous amount of both time and expertise, if even possible. If every piece of software I use makes me do this every year or so, I would get nothing else done.
In practical terms, your argument is no better than just saying, 'trust us, we're good for it', regardless of the merits of your tech. And we know Mozilla baked Google Analytics into FF's addon page, so trust is in short supply.
Except if you actually read and understood the link, points #1, 4, 5 aren't a concern. Moreover, points #2, 3, and 6 apply to just about every piece of software used.
what percentage of FF users on the planet do you expect could read a paper on differential privacy and actually verify those points, while understanding all the ifs and gotchas, and be able to tell if any of the arguments are wrong? What percentage of that elite group would actually be willing to devote the time and energy, for free, for every one of the thousands of softwares they use?
Not many, certainly. Which is perhaps why it's better for this to be implemented (since differential privacy is a known, rigorous definition for privacy), rather than to leave it up to the larger majority of users who (by your implication) don't understand it and won't be bothered to understand it.
...or you could just scrap the whole idea and not bother with it.
This is true for the user, too. If the only viable choices are 'verify claims at great cost and no gain every few months', or 'use some other privacy-respecting browser', I am going to recommend the second.
I wonder how valuable the data is going to be for the Firefox team? The cost in reputation may be large, so I'm guessing this must be pretty important for them.
On one hand Mozilla doing something like that is anti privacy. On the other hand how is Mozilla supposed to impprove FF w/o detailed usage data.
In theory can be done, but in practice they are competing with Chrome and their team has waaay more data to use. And th is data gives them an edge at least on the decision which parts are worth improving.
So they can either start collecting some data and really piss off their most vocal privacy minded users and try to use this data to improve FF and steer it away from the death spiral it's on. Or they can keep the vocal privacy minded people happy continue to work in the dark and pretty much ensure that FF will become one of the insignificant .3% market share browsers.
Because somehow I kind of feel that multimilion fundraisers to make FF popular again aren't gonna happen second time.
English is not my native language so maybe I didn't express myself clearly.
It is not on a death spiral bevause of the missing user tracking. It's on a death spiral because of Google and Chrome. And tracking is a way of catching up. It's much easier to improve when you know what your users do with your software.
The problem with our own browsing data--by which I'm assuming you mean the browsing habits of our ~1000 employees--is that it's wildly non-representative of the broader population. For instance, people here routinely have browser sessions with 10, 100, or even 1000+ tabs. These numbers also indicate that the browser is an application you start, and then you just leave up for a while, perhaps until you restart your computer or you have to update for whatever reason.
The latest statistics we collected on a broader sample of users indicates that the average number of tabs is...2. The average session length is on the order of minutes, not days. Such knowledge leads to very different choices when deciding what browser features to prioritize.
And it's not just browsing usage, either: most employees probably have a top-of-the line (or close to it) Mac laptop, Windows desktop, or Linux desktop; developers have a machine with four, eight, or even more cores. These machines are hardly representative of the wider Firefox user base: a significant majority of our users (~70%) has a machine with two cores, and users with a single core in their machines outnumber users with 8+ cores. We'll not even cover graphics hardware or screen resolution here; see https://hardware.metrics.mozilla.com/ for more examples.
Using our own browsing habits and our own machine specs for making decisions is not feasible.
Then I realize Firefox is not a browser made for me. I don't care about the marketshare of my browser. I want it to to make my browsing easier and faster, while never compromising on security and privacy. _Any_ outgoing connection without my action is not OK. Not even Googles Safe browsing. If have to decide between having both Javascript and Google Safe Browsing, or neither, I would take the latter.
I value the expertise at Mozilla. Could you point to a browser that might fit me?
The single largest advantage of Firefox over other browsers is that despite all odds and occasional missteps they managed to respect users' desire for complete privacy.
For Firefox we want to better understand how people use our
product to improve their experience.
Sure thing. But the fact that they are unhappy that some (many?) people are opting-out from the data collection is merely a sign that they don't want to understand why people are using Firefox in the first place. By opting out from the data collection people effectively tell them over and over again that they don't want for Mozilla "to understand how they use Firefox" or "to improve their experience", not at the expense of their privacy.
No phoning home. No telemetry, no data collection. No "light" version of the same, no "privacy-respecting" what-have-you. No means No. Nada. Zilch. Try and shovel any of that down people's throats and the idea of Firefox as a user's browser will die.
It's more that a lot of people really don't care one way or another, and will neither go out of their way to opt-in or opt-out.
Additionally, it's not that Mozilla just disregards user privacy here: differential privacy being used would mean that no user has to reveal their private information, but looking at all the data in aggregate would still allow Mozilla to gain useful information on how to make Firefox better.
It's not even that not enough people are opting in, it's that the people opting in are "people that would opt-in", i.e. they match a certain profile that makes them not representative of the average user, and thus less good sources to draw conclusions from. Because presumably, the users who opt-in are tech-savvy users who actually read dialog windows presented to them, and thus behave very differently from the average user.
I'm not really sure what your concern is here. Let's assume for a moment that Firefox's implementation of differential privacy in this scenario is completely correct, and that as a result it's completely impossible (even in an information-theoretic sense) to learn anything about any individual user using this data; only about many users in aggregate.
In this scenario, how exactly would Firefox's actions here compromise anyone's privacy?
Fair point. What would you accept as sufficient proof that their implementation is correct?
If your answer is "nothing" then I think you're being unreasonable. Firefox risks compromising security/privacy with _every_ new feature they implement, not just this one, and it's clear from [other comments][1] in this thread that this feature is just as important for the overall functionality of Firefox as any other feature would be.
in 2017, how hard is it to understand that many of us don't trust some sweet talking companies? simple things work. simple NO is simply... NO. there is nothing more to discuss.
if they will follow with it, they will lose tons of customers and what is worse, credibility. why bother if there is chrome?
Why are they not letting people decide? If it is not harming anyone's privacy, and they make it clear that it isn't, then what is the problem with letting people opt-in to it?
Instead, it's telling that they are choosing to force people to opt-out. They know that their users don't want this, but don't care.
Opt-in inevitably results in data being heavily biased in favor of the small minority of users who go out of their way to opt-in. For some stuff that's fine, but for certain types of data you really do need a broad, unbiased sample of users in order for the data to be at all meaningful. (Usually to answer questions like "What percentage of users use x feature?" Or "What level of jank does the average user experience on facebook.com?")
They still _are_ planning to let people decide for themselves whether to participate (via opt-out), they're just using a default that's more likely to result in unbiased sample data.
Again though, what's your actual concern? Provided this feature doesn't compromise anyone's privacy even _if_ its enabled, what's wrong with having it be opt-out?
I have no way of knowing how this may or may not compromise my privacy without a deep understanding of the techniques being used. I am meant to trust Mozilla and hope that they haven't overlooked some weakness in the algorithms used. The obvious security choice is to not add this feature in. The 'Provided this feature doesn't compromise anyone's privacy' is a fantasy, because no-one can be sure of that.
But that's true of _any_ new feature that gets added to Firefox. Anytime you change code, there's a chance you could be creating a new vulnerability that compromises users' privacy or security in some way.
If, as some commenters here [have suggested][1], this telemetry would help improve Firefox by significantly reducing the amount of time it takes Mozilla to fix bugs and performance issues in the browser, what makes you think that's not worth the risk when other features (such as the performance fixes themselves) are?
It's obviously far, far more likely in code that is designed to send my browsing habits to a 3rd party (in whatever encoding). Do you not see this, or are you just trying to extend out these arguments to some ridiculous extreme for the sake of it?
I don't know what level of risk this implementation carries with it. Probably more than a performance fix to the JavaScript interpreter, yes, but is it really a significant enough risk to make this feature not worth implementing? Maybe it is, maybe it isn't; I honestly don't know.
You just seemed to be arguing that _any_ amount of risk would be too much, which in my view is ridiculous since, as I said, all new features carry with them some amount of risk.
> In this particular instance, I think the risk and the unknowns are clearly too much.
But why? I don't claim to know enough about RAPPOR to say for sure that the risk _is_ worth it, but it seems a little presumptuous to claim it isn't without knowing _anything_ about the project or Mozilla's proposed use of it.
That's why I assumed you were arguing that _any_ amount of risk would be too much; you didn't include any sort of analysis of the risk/reward in your previous comments, and without knowing the risk the only way to conclude this feature is definitely _not_ worth it would be if you already considered the acceptable level of risk to be zero.
Well, the alternative is not a Firefox without telemetry, it's Chrome. If Firefox can't do what it needs to do to stay relevant it's going to die. Developers are already treating Firefox as a second class browser, so this is not an abstract threat.
It would, however, be useful data for the common user behaviour of people who opt in to tracking.
This doesn't really seem unreasonable to me. Obviously part of the inherent cost if not wanting to be tracked is going to be not having your raw user data included in evaluations of what people want.
Differential privacy does not ensure complete information theoretic security as you say. There is a parameter ε that determines the amount of privacy, and in this case you do not get to set it, somebody else does.
Interesting point. Admittedly, my understanding of differential privacy is very rudimentary, but isn't that only a risk under the assumption that you can ask the same user the same question multiple times, and get a new, independently chosen answer every time? If you can only ask each question once and every subsequent time you ask you just get the same answer, is that not secure in the information theoretic sense? Perhaps there's some other factor I'm missing?
> in this case you do not get to set it
Nothing's been decided yet. If this is something you want to advocate for, maybe consider suggesting that in the thread linked in the OP?
You are speaking of perhaps Google's RAPPOR protocol specifically, in which answers are sent through a series of BSC-like channels. These channels introduce noise, meaning the input signal is degraded, but by no means is it gone -- otherwise no statistics could be collected. Multiple independent reads would be an obvious attack; actually it's a form of repetition coding; but there are many other coding strategies against noisy channels -- there is an entire field dedicated to that task alone. To contrast, encrypting with a one-time pad is information theoretically secure.
Attacks aside, the point is really that in this age of statistical machine learning we should be vigilant against even this sort of data collection. A leak is a leak. Ideally people can opt into providing just enough information for the statistics they want to participate in and no more; realistically, more is always collected.
Ah, fair point. I guess it's incorrect to say it's impossible to learn _anything_ about a user as an individual using data generated using differential privacy. Just that what you do learn is more of a small statistical possibility than a sure thing. (E.g. "The user visited this site." vs "There is a 5% higher than average chance the user visited this site.") And that's even assuming you already know who "the user" is (which certainly isn't a given).
> No phoning home. No telemetry, no data collection. No "light" version of the same, no "privacy-respecting" what-have-you. No means No. Nada. Zilch. Try and shovel any of that down people's throats and the idea of Firefox as a user's browser will die.
I have been using Firefox since before it was called that. I develop my apps in it, even though most of my colleagues have switched to Chrome years ago. Even though it is (or was for a while) slower than Chrome for things like Canvas.
But I use because I believe in Free Software. But Mozilla keeps disappointing. DRM, bundled 3-rd party apps, analytics, tracking... It is just so very sad. :-(
Also, I have 17 add-ons installed (11 active). At present, of these 17, only 2 will continue working after November when the switch to WebExtensions is enforced.
Mozilla fought DRM until the very end and lost. If Firefox is to have any chance at remaining a mainstream browser it needs to support Netflix and the likes. You can't seriously blame them for this, because they are damned if they do and damned if they don't.
EME is implemented as unintrusively, securely and privately in Firefox as possible. No DRM is downloaded or run on your computer until you specifically consent to it, and the DRM components run in a sandbox.
> Mozilla fought DRM until the very end and lost. If Firefox is to have any chance at remaining a mainstream browser it needs to support Netflix and the likes. You can't seriously blame them for this, because they are damned if they do and damned if they don't.
Yes I can, and I will, because they sold out. They sold out their principles for the sake of market share. (And looking at their marked share, fat lot of good that did for them anyway.)
I'd suggest you research the topic of negative and positive liberty. I'm all for a free and open source experience but what about the liberties of content creators? What about my right to as a user to be offered content with the knowledge that I won't and don't want to know its inner workings as long as it's passive non-malicious code?
I will be happy to do so, once consumers and content creators (and specifically the companies they sell rights to) are on a level playing field in terms of legal protections and lobbying powers.
This isn't about the money or power you or I have. This is about freedom to distribute content and the agreement between the user and the creator while you're asking the browser to be the ideological arbiter of this transaction. If you're all for freedom, you should logically see that not including the DRM option is inhibitive of both the user's and the creator's freedoms. As a browser, it should be ideologically agnostic to my downloading of an executable or zip file that goes against freedom, privacy and all that we hold dear and it should still be my right and freedom to download and view as I legally please. The Richard Stallman approach does have its limits.
Excuse me, but did you support Mozilla with time/money?
> They sold out their principles for the sake of market share.
12% is still better than 1%, and the thing that mostly changed the landscape was the fact that mobile Internet heavily disfavors Mozilla (e.g. Android ships with Chrome, iPhone with Safari), and Google has a heavy advantage when it comes to advertising and engineering.
Also, Firefox has been adding things like Pocket while removing simple options that have been part of Firefox since the beginning claiming that it should be part of an add-on (like the option to disable javascript) and they are also adding privacy invasive options like "Block dangerous and deceptive content"... Firefox is still my favorite but that can always change...
Even worse, in that discussion, it appears that there's a backdoor built into Firefox so that WebExtension-based ad blockers can't block Google Analytics. Only old-style add-ons can block it.
"It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally."[1]
This is a specific issue with that preference page. You can easily observe that the WebExtension version of uBlock does block Google Analytics, just not on the about:add-ons page.
There are probably security reasons why add-ons can't modify about:add-ons. Imagine an add-on that could hide itself by modifying that page.
I think he's saying that not having an opt-in/out feature would show FF's dedication towards privacy, but if they are going to have an Opt-feature, Opt-in is better than opt-out.
It's like describing to a spouse a system of sex with strangers that includes blindfolds and a hazmat suit. Such a system could be a great way for a person to learn more about their sexual tastes and improve coitus overall. If the spouse is anxious about the system, then all they have to do is find a problem with the hazmat suit that would endanger the...
Wait, spouse, you haven't even studied the system that I so carefully designed to protect you from the possibility of...
I'm not sure why Mozilla needs to track what sites I'm going to but if they add tracking into their browser then I'm just going to have to find another browser or at least put together a build of Firefox without the tracking. It's not so much that I have anything to hide but the fact that I'm not interested in being their product. If they can't remember that they're a nonprofit that's suppose to make a FOSS-based browser which doesn't spy on people and works well with web standards then they just need to shutdown. I know that's extreme but I'm just frustrated with the further corporatization of the Internet even on the margins like Firefox. Everything just has to be a product or a way to commodify the use thereof.
449 comments
[ 2.8 ms ] story [ 347 ms ] threadIMHO, this is a bad idea. Many people I know already use Firefox because they're weary to give Google (Chrome) all their data.
Firefox should make this feature opt-in only.
I agree, but note that they are explicitly trying to get more info than they can from the small, biased sample that is users opting in.
Just starting to collect your browsing data is a bad idea (tm) especially if your main claim is "more privacy".
Maybe because most people using Firefox use it precisely because they don't want the browser vendor to track their behaviour?
I wonder how the Torbrowser folks will deal with this.
They get good enough data from the people that have volunteered it. I don't know what makes them think it's biased but I seriously doubt that is true.
Informed, constructive opinion there.
One clear sign of the bias is that the crash rate of the browser goes up massively every time a new version transforms from beta to release. Clearly, it's not renaming that string that makes the browser crash. The populations are just fundamentally different.
To give an obvious example, beta users are overwhelmingly more like to have up to date video drivers. (Which can be seen in crash reports, but is also very logical).
These users will be installing Chrome, not Firefox.
And this move will also drive them away.
The switch barrier is non existent. Most of the replies in this thread are ideological. Nobody is arguing CSS rendering speed comparisons and such.
People use Firefox because they like it.
People are irrational but like is huge. Toyota over Hyundai. Vacations at the sea instead of skiing. Firefox over Chrome.
The like is a habit, but if all things are equal and free, a very flexible one.
Quite the opposite if the focus too much on the regular users they might get too much noise and never notice issues in the more complex features that only power users tend to use.
You want the heavy users of your product sending in reports not the average Joe because he is less likely to even notice a issue.
Higher level features are less likely to be covered by tests and more likely to break just because of their complexity however you wont have many average people using them.
Former Opera people can tell a few stories there.
[EDIT: Firefox branding used to use the word privacy a lot. I can't find it on their website much at all anymore.]
[1] https://www.mozilla.org/en-US/firefox/?utm_medium=referral&u...
For instance, from the same page 8 years ago: "we have experts around the globe working around the clock to keep you (and your personal information) safe."
https://web.archive.org/web/20090827204813/http://www.mozill...
Or this quote from the equivalent site 6 years ago:
"And, as a non-profit organization, protecting your privacy by keeping you in control over your personal information is a key part of our mission."
https://web.archive.org/web/20110902025003/http://www.mozill...
Most users do not care because they do not understand the true ramifications of their not caring. It is not like that looked at all the data, then made made an informed choice to share everything.
FF should be at the heart of caring for users privacy EVEN IF THEY THEMSELVES DO NOT.
The average person does not understand technology, how much data they are leaking about themselves and how this data can be used against their interests
Taking advantage of that ignorance for any type of gain is unethical IMO, most companies willfully exploit this collective ignorance Mozilla should be better than most companies.
It's not just about the data, it's about the lack of consent. If you just ask people for permission on the initial startup, I'm sure most people will be fine with enabling it. Last time I installed Firefox, it just showed a tiny bar at the bottom of the window, which is pretty easy to miss. I'd expect fewer dark patterns from Mozilla, that's the kind of shady behavior you see coming from Microsoft. I always try my best to disable or block anything which phones home without explicitly asking for consent.
Tunnelblick [0] is a good example of this being done well. On the initial run they ask if you want to enable automatic updates. It includes the option to disable sending anonymous system information, as well as including a disclosure widget with a brief explanation and a table showing the information that would be sent. [1]
[0] https://www.tunnelblick.net
[1] http://i.imgur.com/tWQX5aB.png
I think not having perfect information about the users is a trade off that should be made in order stay an alternative to most other browsers. There are still ways to get more data by other means, though. When it comes to most visited websites, for instance, the alexa ranking should give a good, if not perfect, idea.
Well... there's actually a field for that. I forgot what they call that field because of how niche it is but my friend at google is doing just that.
He said there are math theorem to prove that it's sufficiently anonymize.
He gave an example of how Netflix competition with the data they gave researchers were able to deanonymize it. And his job was to prevent that at google.
I can see why if you're trying to sell users data while maintaining privacy.
Which, according to Google’s FAQ, https://support.google.com/analytics/answer/2763052?hl=en, just blanks out the last byte of the IP.
Which is useless, because it still includes enough personalized data as to be completely and utterly reversible.
https://tools.ietf.org/html/rfc6761#section-6.4
> Name resolution APIs and libraries SHOULD recognize "invalid" names as special and SHOULD always return immediate negative responses. Name resolution APIs SHOULD NOT send queries for "invalid" names to their configured caching DNS server(s).
It's only SHOULD, not MUST. And in fact, the glibc resolver (and I bet also other major implementations) does send such queries to the DNS server.
Using the glibc resolver as baseline is a bad idea, it’s broken beyond hope.
Try resolving http://-emmawatson.tumblr.com/, which is a valid URL under newer standards, and works on all other systems. The Glibc authors refuse to merge patches fixing this, because they disagree with the standard.
Also interesting: the method they plan on using for anonymising this: https://en.wikipedia.org/wiki/Differential_privacy#Principle...
If that is not sufficiently anonymous, then please submit the reasoning why to Mozilla.
EDIT: OK. It's boolean flags (like use of flash) plus an eTLD+1 (example.org; not myname.example.org?). Even so, I believe this tracking should be opt-in with a disclosure screen that explains exactly what Mozilla is recording. Informed consent is a practice we should be promoting, even if it seems unnecessary.
Mozilla has been violating even the minimal legal standards in the EU for years, and no one cares.
It’s insanity that an organization promoting its products with privacy doesn’t even meet the minimal legal standards. We’re seeing Google Analytics tracking in parts of the browser ("Get new Addons" page, for example), without even the legally required cookie warning.
EU law is clear on this, as soon as you store any data, do any tracking, connect to any third party, or transmit anything for analytics, you have get opt-in.
Not to mention, people will tend to visit the same websites repeatedly. The entire premise of DP is that the real data will stand out from the noise, creating a compelling picture of what an individual visits on the web. How will that aggregate data be anonymized, when it is reported with (a minimum of) an IP?
In short, this still requires a lot of trust in Mozilla, even with the DP algorithm, to not do the wrong thing with the dataset. And, in my eyes, making this opt-out and not opt-in already compromises that trust.
eTLD: https://en.wikipedia.org/wiki/Public_Suffix_List
Doesn't the differential privacy system described above prevent even that from being an issue?
A URL must not contain PHI. If it does, a breach has already occurred.
And Firefox is only collecting the domain names, it looks like.
I'd argue that domains are the same- there are tons of domains that clearly indicate what they're about (e.g. stop-drinking.example)
You can't, but that can't be part of Mozilla's threat model, and it's not relevant here anyway because Mozilla isn't collecting it.
And even if they were, that's not considered PHI legally. You are free to type any information about your own health that you want anywhere; that doesn't make it legally PHI, unless you are providing it to a Covered Entity.
> I'd argue that domains are the same- there are tons of domains that clearly indicate what they're about (e.g. stop-drinking.example)
This information is not legally considered PHI. As for privacy, SNI means that all domains you visit are already visible in transit, even if you are using SSL. Domain names are not considered private.
How normal everyday people actually use their product cant be a part of the threat model... Really?
That is scary...
Do you have any sources that go into more detail?
When I've worked on PII in analytics, even TLDs were treated carefully. (obviously not the same from a legal perspective...)
PHI is an incredibly well-defined term legally and is not equivalent to PII. Some things that constitute PHI actually wouldn't qualify as PII.
There are a lot of resources that explain HIPAA in great detail; if you want to know the specifics like here, you have to read the bill and the case law itself.
That said, when a "breach" has occurred is a legal distinction involving the control of information -- when protected data moves beyond those who have a duty to protect it. Saying that a particular technical approach creates breach is inaccurate.
Wouldn't that still leak health information? Less overall, but if any is bad, this still isn't acceptable.
5%^10. Very very unlikely. Sounds very similar to "guilty beyond all reasonable doubt".
I very much hope that the Debian maintainers (and hopefully also the guys preparing Fennec in F-Droid) will disable such data collection mechanisms, either completely or hidden behind an explicit opt-in instead of the opt-out suggested in the e-mail.
And requires an opt-in under EU law, which makes this entire thing even more ridiculous.
[1]: https://spoofer.caida.org/summary.php
[1]: https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz#Types_...
[2]: https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz#Overvi...
Otherwise literally everything that connects to the internet in some way would have to treated in that way, and that's not how the law is currently enforced.
Do you have a citation for that broad assertion? My understanding is that this is highly variable across legal jurisdictions and even in Europe, which typically leads the way in privacy, it's not that simple. See e.g. https://www.whitecase.com/publications/alert/court-confirms-... discussing an EU Court of Justice ruling that had two requirements: the ISP can link that IP address to an individual AND the website operator can get that information from the ISP.
Legally though Firefox would be allowed to collect this anonymous data from the user by having him/her send the data e.g. to an API endpoint they provide via IP-based communication, they would just not be allowed to associate the data with the IP address of the user submitting the data. In the end, it comes down to trusting the party that collects the data, at least if they don't perform anonymization of the IP address via other means, e.g. by passing the information through a third party proxy server.
BTW, GDPR does forbid to turn on such data collection by default (privacy by default), so they would be required to get the explicit opt-in from the user for that.
My understanding is that many of these details are yet to be settled with GDPR. The case referenced above was not interpreted under GDPR, which has yet to take effect. The definitions of personally identifiable data data rather vague, and precedent has not been set. A quick search showed conflicting opinions, but one perspective to consider is quoted below:
> In addition, businesses should note that Recital 26 to the recently adopted EU General Data Protection Regulation ("GDPR") states that the test for whether a person is "identifiable" (considered in detail above) depends upon "all the means reasonably likely to be used" to identify that person. The CJEU in Breyer did not directly consider the issue of likelihood of identification. If the BRD was not reasonably likely attempt to identify Mr Breyer from his IP address, this could potentially give rise to a different analysis under the GDPR. Consequently, it may be necessary for the CJEU to revisit this issue after enforcement of the GDPR begins on 25 May 2018.
This is a few years old, so if you know of some new decision or regulation that clarifies it would be great to know!
https://www.whitecase.com/publications/alert/court-confirms-...
https://gdpr-info.eu/art-4-gdpr/
Now, you could of course argue that often it's not possible to infer the identity of a person given an IP address (e.g. because it is a dynamically allocated IP address by an ISP or an IP address of a proxy server through which many users connect to the Internet) and therefore store it, it would be very hard to impossible though (IMHO) to ascertain that none of the IP addresses which you store could be used to identify a specific person (what e.g. if there are 5 % static IPs in your data?). This in turn would make treating all of your IPs as non-personal data a risky business to say the least, as there will almost certainly be a way to identify at least some of your users from their IP addresses. The fact that you don't know about a particular way of doing this identification is not relevant for this.
My advice: If you do not use a very robust method for making sure that all the IPs you store are non-identifiable I would recommend not storing them at all (or at least truncating them to 24 bits, which does also not always eliminate deanonymization risk though).
Are you saying that people can not be identified by their IP address?
I think it's important to talk about this issue – especially the importance of not storing it long-term — but from my perspective the real concern is the industry dedicated to linking and sharing your online activity. Without that an IP has little value and with it they can deanonymize most people without using IPs.
Not true. Tor has demonstrated that it's entirely possible to transmit data over the internet without revealing your IP address to the party you're transmitting to.
Latency also doesn't matter here; this telemetry could take 5 minutes to reach its destination and it wouldn't matter, so long as the data is eventually received.
I don't want my browser to collect any kind of data.
No, seriously; why? I don't get this mentality at all.
Let's ignore the exact implementation here for a moment, and assume that Firefox is somehow magically doing this data collection in such a way that it is guaranteed the data collected cannot be traced back to you as an individual. (E.g. "sufficiently anonymous".)
What problem do you have with that, specifically? How does this harm you in any way?
That's kinda beside the point here though, as the GP seemed to be against collecting this data _regardless_ of whether or not it's anonymized or not. I'm interested in hearing why.
Remove all "we respect privacy" from the advertisement.
It's misleading.
I like your faith. However, if this change goes in, and the capability is there, it will get misused. Because, statistically that's how these things go on this planet+capitalism.
Or are you saying you're worried that they could _start_ collecting non-anonymized data in the future? If so, I don't really get that argument either. People always have the ability to change what they're going to do in the future, Mozilla deciding now not to collect this data wouldn't change that.
Imagine I came to your house, and photocopied all your documents.
Don’t worry, I blanked out the name, so it’s completely anonymous, and everything is where it used to be.
Would you be okay with that?
I certainly wouldn’t.
Making this opt-in or opt-out is a question of consent, and choosing opt-out shows that you don’t give a flying fuck about me, and only want your own benefit.
https://news.ycombinator.com/newsguidelines.html
There is a swearword used, but it’s not in the context in any way uncivil, as the plural "you" that it is referring to is an abstract person, a hypothetical entity – not any actually involved person. (In this case, the potential future group of people at Mozilla who might decide to override an explicit choice I made for their own convenience)
The topic is a choice that Mozilla plans to make, and is questioning users, and more about.
The decision has not been made.
My argument is that, if Mozilla (and whatever users Mozilla asks to give an opinion), choose to override the current decisions of users who do not want telemetry, and require a new hidden opt-out, then that would be proof that they (as group) don’t really care about the users choices.
The user I was talking to has no power in making that choice, nor do I. Nor is all of Mozilla making that choice.
I was using "you" with the meaning of the German word "man", (I’m natively German): one; you; they; people (indefinite pronoun; construed as a third-person singular).
I'm ok with testing things and sending feedback, but when I switch to a production environment, I just want my tools to behave like my tools, not the testing farm for somebody else.
Why should I prove to you that it would harm me? I just do not want it, it should be enough.
Obviously that's ridiculous, right? If the default setting was to not seed, torrent clients would be much less useful for everyone involved. Browsers sending usage stats are much the same way. While no individual user benefits from _their machine_ sending those statistics, it's better for the user population as a whole if the default setting is to send them, since those stats help the browser vendor build a better browser. (And before you cry "privacy", remember that in this context we're talking about a situation where the statistics are being sent in a way that is "sufficiently anonymous" such that privacy isn't an issue. See the GP.)
So while I agree you certainly should have the right to disable sending usage statistics if you wish (just as many Torrent clients let you disable seeding), expecting that to be the default setting is a bit strange.
If they start opt-out tracking using the same approach as Google I do not see any reason to use it nor install it for my friends and family. That's some data for you, Mozilla.
For more information, see https://en.wikipedia.org/wiki/Differential_privacy for instance.
If the mechanism works, fine, but why should I use Firefox over Chromium then? Opt-out data collection is in violation to my core beliefs and what I believed to be Mozilla's principles.
Collecting data without asking the user about it is - to me - in violation to the very definition of privacy and calling some way to anonymise data (who guarantees that the cryptographic approach to this is not obsolete in a few years?) "differential privacy" is at the very least dishonest.
Two - DP is only really private over a small data set per individual. If DP were enabled for even two days, you could get a very accurate picture of the sites I visit, since a majority of the domains reported would be necessarily be accurate values.
Two: That's an interesting question. You'd need to ask it to someone with more domain knowledge than me.
Here's a concern that comes up from that implementation option: any outliers from the set of existing domains (which would likely simply be implemented as a list of strings) would immediately be able to be called out as a "True" value, while a single reporting of a domain could reliably called out as a "False" value. Unless, of course, you choose a randomization algorithm which exhibits a very strong clustering trait.
You could also limit reports to those domains which are in the whitelist, but that would voluntarily neuter the reporting; something they seem less-than-eager to do.
Ultimately, it will all come down to the implementation details, which are unlikely to be available until after the opt-in release, and auditable by a remarkably small number of people in the open source community.
You want Firefox to succeed as a browser, but to be able to better compete it needs better usage data.
Wouldn't you prefer for Firefox to be the best browser available, AND also be considerate towards your privacy rights?
I prefer absolute privacy over some minor advantages on irrelevant webpages.
How do you even think this system would work in restricted environments such as governments where even the presence of code that could collect data is an absolute no-go?
And if the way Mozilla gathers data is much more considerate, what results can I expect from it? Better parallel requests and data fetching, hardware acceleration, etc are all features that are missing for me as a Linux user. They don't need my dataset for that, it's probably all in their bug tracker.
At this point why would anyone stay with the company B which broke its promise once, just in the hope that it won't break the promise again? It has already lost the trustworthiness and it also has the worse product. Might as well use products from company A.
Privacy is not a boolean.
If yes (and that’s what you get when you choose opt-out), then we’re done. There is no gradual change there, it’s a binary question if you value the user or your own benefit more.
And that’s strictly incompatible with mine.
First ask, then fuck up. Is that concept so hard to understand?
If you’d do that IRL to someone they’d never talk to you again, it’s the same with Firefox if they do this.
And of course this all started with you saying that you may as well switch to another company's products, a company which you know violates your privacy quite significantly. You still haven't explained why Firefox collecting a small amount of data in a way that tries to minimize any privacy violations means you should just give up any semblance of privacy and use a product that tries to collect as much personal information as possible.
I’ve dealt with these issues before myself.
And I understand well what they collect, how, and why. I understand how painful it is when you have no data on what is used, and how, or not even crashreports.
But there also is a limit to how far you can go, and where consent is required.
And when transmitting anything, or collecting anything, consent is required.
You could make it dependent on situation. If a performance issue occurs, show a bar: "Is this website slow? Click [Here] to submit a report so it can be improved. [Details] [X] Always submit".
This gives the user a far better understanding of what is submitted, why it is needed, it is contextual, and it is still opt-in (but with far better conversion)
That includes:
1. You can not collect anything without explicit opt-in
2. You can not transmit any data to a third party
3. If a user requests it, you have to provide all data stored about them, and have to provide a way for them to delete all of that. (And you have to provide this at least once every 12 months via letter, fax or email for free) (compare §34 BDSG)
That includes IP addresses (just connecting to a socket without a user explicitly starting that action), names, emails, hashed IPs, it includes usernames, CC data, messages, interactions with webpages.
Anything that in any way is connected to a person is covered by this.
This directive is also the origin of the cookie disclaimers, which require opt-in before collecting statistics or loading any third party tracking solution.
But be aware, in May 2018 it all changes as the new EU GDPR comes into force, and that’s a bit more restrictive (and even applies to anyone processing or storing data of EU citizen, no matter where the processing entity is located)
Why participate in a no-op?
source? I never saw anything addressed other than "don't worry about it, it's for your own good"
Edit: To be clear, I think the browser code was always a stub, and the privacy policy was modified before the feature launched as part of Firefox.
https://groups.google.com/d/msg/firefox-dev/B3jJq_kUuIQ/32zv...
https://www.reddit.com/r/firefox/comments/388ryl/pocket_and_...
This is the best I can do not being involved and two years after the fact.
(well, unless you're going to switch to Safari, since Apple also cares about privacy, though, spoiler alert, Safari's also using Differential Privacy to collect data).
I am starting to think that they just don't want people to use Firefox.
Yeah, I know it's free software, so I have no right to complain. I just wonder why?
How many people here use website/app analytics to improve products they work on?
No, it is not. Especially not for something such as a browser which is mostly transparent to the content.
Or why any external data would be needed at all, let alone why the opt-in data would not be sufficient?
> One recurring ask from the Firefox product teams is the ability to collect more sensitive data, like how features perform on specific sites.
> [for example]: "Which sites does a user see heavy Jank on?"
On the other hand, everyone complains Firefox is slow.
So,few pay, few opt in, and everyone complains.
There's the answer. And the response? "Tough shit", we'll take away that choice granularly. For our own good, apparently.
Moz has been giving tough shit with caveats for more than a few years now. Perhaps that is why market share is falling?
The question is are people saying no because they are privacy conscious, or because they don't care. My money is on latter. In general more people care about Firefox being fast than security.
What's a bigger issue for Firefox is deprecating its add-ons. That's going to hurt its marketshare way more than telemetry data.
I would say that is none of the browser vendors business.
Please stay away with your opt-out stuff - it bothers me. Make it opt-in, always and forever.
2. Frankly even opt-out is not acceptable. I can't recommend any software that peridically asks users for data access, since there exist non-technical users who have a nonzero chance of clicking yes to everything. If they are related to me in some way this compromises my privacy also.
This isn't true. Panopticlick collects a ton of data about your browser that this proposal will not. There has been a lot of research done in this area and we know how to collect anonymous datasets. https://arxiv.org/abs/1407.6981
1. The concept is sound. 2. It is implemented as described. 3. It is implemented with no bugs. 4. Mozilla is trustworthy 5. Any third-parties Mozilla involves in this process are also trustworthy. 6. All of the above will remain true.
Doing this would take a tremendous amount of both time and expertise, if even possible. If every piece of software I use makes me do this every year or so, I would get nothing else done.
In practical terms, your argument is no better than just saying, 'trust us, we're good for it', regardless of the merits of your tech. And we know Mozilla baked Google Analytics into FF's addon page, so trust is in short supply.
This is true for the user, too. If the only viable choices are 'verify claims at great cost and no gain every few months', or 'use some other privacy-respecting browser', I am going to recommend the second.
In theory can be done, but in practice they are competing with Chrome and their team has waaay more data to use. And th is data gives them an edge at least on the decision which parts are worth improving.
So they can either start collecting some data and really piss off their most vocal privacy minded users and try to use this data to improve FF and steer it away from the death spiral it's on. Or they can keep the vocal privacy minded people happy continue to work in the dark and pretty much ensure that FF will become one of the insignificant .3% market share browsers.
Because somehow I kind of feel that multimilion fundraisers to make FF popular again aren't gonna happen second time.
It is not on a death spiral bevause of the missing user tracking. It's on a death spiral because of Google and Chrome. And tracking is a way of catching up. It's much easier to improve when you know what your users do with your software.
The problem with our own browsing data--by which I'm assuming you mean the browsing habits of our ~1000 employees--is that it's wildly non-representative of the broader population. For instance, people here routinely have browser sessions with 10, 100, or even 1000+ tabs. These numbers also indicate that the browser is an application you start, and then you just leave up for a while, perhaps until you restart your computer or you have to update for whatever reason.
The latest statistics we collected on a broader sample of users indicates that the average number of tabs is...2. The average session length is on the order of minutes, not days. Such knowledge leads to very different choices when deciding what browser features to prioritize.
And it's not just browsing usage, either: most employees probably have a top-of-the line (or close to it) Mac laptop, Windows desktop, or Linux desktop; developers have a machine with four, eight, or even more cores. These machines are hardly representative of the wider Firefox user base: a significant majority of our users (~70%) has a machine with two cores, and users with a single core in their machines outnumber users with 8+ cores. We'll not even cover graphics hardware or screen resolution here; see https://hardware.metrics.mozilla.com/ for more examples.
Using our own browsing habits and our own machine specs for making decisions is not feasible.
I value the expertise at Mozilla. Could you point to a browser that might fit me?
No phoning home. No telemetry, no data collection. No "light" version of the same, no "privacy-respecting" what-have-you. No means No. Nada. Zilch. Try and shovel any of that down people's throats and the idea of Firefox as a user's browser will die.
That to me suggests the problem isn't that too many people are opting-out, it's that not enough people are opting-in.
This trend towards parentalism in software, especially software that is supposed to be user driven is frankly a steaming pile of garbage.
If you have any shred of pretense of being pro-privacy and pro-user dont do this mozilla.
Additionally, it's not that Mozilla just disregards user privacy here: differential privacy being used would mean that no user has to reveal their private information, but looking at all the data in aggregate would still allow Mozilla to gain useful information on how to make Firefox better.
Because most people don't care, it was decided to implement a feature that is flat out contrary to people caring.
Management decisions like this don't exactly inspire confidence about the future of the browser.
In this scenario, how exactly would Firefox's actions here compromise anyone's privacy?
If your answer is "nothing" then I think you're being unreasonable. Firefox risks compromising security/privacy with _every_ new feature they implement, not just this one, and it's clear from [other comments][1] in this thread that this feature is just as important for the overall functionality of Firefox as any other feature would be.
[1]: https://news.ycombinator.com/item?id=15072157
if they will follow with it, they will lose tons of customers and what is worse, credibility. why bother if there is chrome?
Instead, it's telling that they are choosing to force people to opt-out. They know that their users don't want this, but don't care.
They still _are_ planning to let people decide for themselves whether to participate (via opt-out), they're just using a default that's more likely to result in unbiased sample data.
Again though, what's your actual concern? Provided this feature doesn't compromise anyone's privacy even _if_ its enabled, what's wrong with having it be opt-out?
If, as some commenters here [have suggested][1], this telemetry would help improve Firefox by significantly reducing the amount of time it takes Mozilla to fix bugs and performance issues in the browser, what makes you think that's not worth the risk when other features (such as the performance fixes themselves) are?
[1]: https://news.ycombinator.com/item?id=15072157
You just seemed to be arguing that _any_ amount of risk would be too much, which in my view is ridiculous since, as I said, all new features carry with them some amount of risk.
Unfortunately that's exactly the kind of thing I was talking about, extending arguments to ridiculous extremes.
I have never said any amount of risk would be too much. In this particular instance, I think the risk and the unknowns are clearly too much.
But why? I don't claim to know enough about RAPPOR to say for sure that the risk _is_ worth it, but it seems a little presumptuous to claim it isn't without knowing _anything_ about the project or Mozilla's proposed use of it.
That's why I assumed you were arguing that _any_ amount of risk would be too much; you didn't include any sort of analysis of the risk/reward in your previous comments, and without knowing the risk the only way to conclude this feature is definitely _not_ worth it would be if you already considered the acceptable level of risk to be zero.
It’s Firefox without telemetry, or no Firefox at all.
The only Anonymous Data is data that is never collected. If they collect data it is a violation of privacy.
This doesn't really seem unreasonable to me. Obviously part of the inherent cost if not wanting to be tracked is going to be not having your raw user data included in evaluations of what people want.
> in this case you do not get to set it
Nothing's been decided yet. If this is something you want to advocate for, maybe consider suggesting that in the thread linked in the OP?
Attacks aside, the point is really that in this age of statistical machine learning we should be vigilant against even this sort of data collection. A leak is a leak. Ideally people can opt into providing just enough information for the statistics they want to participate in and no more; realistically, more is always collected.
You must be kidding me.
https://github.com/mozilla/addons-frontend/issues/2785
And now this :-(
I have been using Firefox since before it was called that. I develop my apps in it, even though most of my colleagues have switched to Chrome years ago. Even though it is (or was for a while) slower than Chrome for things like Canvas.
But I use because I believe in Free Software. But Mozilla keeps disappointing. DRM, bundled 3-rd party apps, analytics, tracking... It is just so very sad. :-(
Also, I have 17 add-ons installed (11 active). At present, of these 17, only 2 will continue working after November when the switch to WebExtensions is enforced.
Where to go from here?
Mozilla fought DRM until the very end and lost. If Firefox is to have any chance at remaining a mainstream browser it needs to support Netflix and the likes. You can't seriously blame them for this, because they are damned if they do and damned if they don't.
EME is implemented as unintrusively, securely and privately in Firefox as possible. No DRM is downloaded or run on your computer until you specifically consent to it, and the DRM components run in a sandbox.
Yes I can, and I will, because they sold out. They sold out their principles for the sake of market share. (And looking at their marked share, fat lot of good that did for them anyway.)
Excuse me, but did you support Mozilla with time/money?
> They sold out their principles for the sake of market share.
12% is still better than 1%, and the thing that mostly changed the landscape was the fact that mobile Internet heavily disfavors Mozilla (e.g. Android ships with Chrome, iPhone with Safari), and Google has a heavy advantage when it comes to advertising and engineering.
Yes, I have done. Thank you for the snark.
"It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally."[1]
[1] https://github.com/mozilla/addons-frontend/issues/2785
There are probably security reasons why add-ons can't modify about:add-ons. Imagine an add-on that could hide itself by modifying that page.
Please don't spread FUD.
I really don't understand this of the user, while previous sentence he writes:
"but I will say that I believe Opt-in is pro-privacy, while Opt-out is anti-privacy."
Otherwise I might as well just use Chrome. Hopefully some PR guy will pour some water on this before it turns into a dumpster fire.
It's like describing to a spouse a system of sex with strangers that includes blindfolds and a hazmat suit. Such a system could be a great way for a person to learn more about their sexual tastes and improve coitus overall. If the spouse is anxious about the system, then all they have to do is find a problem with the hazmat suit that would endanger the...
Wait, spouse, you haven't even studied the system that I so carefully designed to protect you from the possibility of...
Spouse?
Has anyone seen my spouse?