I think they are feeling betrayed by Mozilla, and that they are saying language like "We all love the web" and "Internet for people" inspires feelings.
Adds are annoying yes, but they are only bad for your privacy if they track and profile you. Adds allow for free stuff and they can be done the right way. Granted this is becoming more and more rare so I understand your standard association of adds with distrust. The adds you refer to are non tracking (please tell me if I'm wrong though) and will slowly be replaced by sites you visit (often).
How do they abuse your privacy without tracking? Of course if they didn't abuse your time and attention they wouldn't make sense. But someone has to be paying Firefox's development, and it is not you. I'll take that last part back if you contribute to Mozilla. Hey, maybe it's an idea for a donation: make a 5$ Firefox without adds. I'd pay. To bad part goes to Google that way.
The irony is that people pay, just not to the right place. Every unnecessarily-bloated download tears through data plans and costs people money to their ISP that never makes it to the provider.
I want plain-text ads that provide just as much revenue to web sites but without obnoxious experiences and fat downloads.
This is going to put me in weird company but I really don't see why metered billing is such a terrible thing. Most other utilities are pay-for-amount-used. And as a bonus, this creates an incentive for developers (via customer pressure) to not use insane amounts of data.
It is because data, unlike water or electricity, isn't a finite resource.
Your electricity bill includes the generation in the power plant and the transmission over the power lines.
When it comes to Internet access, you're paying for the transmission (bandwidth), but there isn't a "packet generation plant" that you should have to pay for.
Also, data caps mean people will use less data, meaning using less bandwidth, meaning ISPs will have less of an incentive to upgrade their already ancient infrastructure. It would be giving them more money to use less of what they provide.
The opposite is true: ads must be paid for, which makes products and services more expensive.
Ads are a convoluted, inefficient form of wealth redistribution; whether that's "good" or "bad" depends on the specific circumstances.
For example, we might (simplistically) say it's "good" when we receive something paid for by ad revenue, but the burden of paying for (e.g. by price increases) and being subjected to those ads is carried by others. For example, if we tune in to a radio station, listen to a song, and tune out before some ad for a product we don't use.
We could say it's "bad" when the opposite happens, for example if we pay higher fees for shopping on Amazon, which then get spent on advertising Prime Video which we don't use.
No. Firefox was too big for my old phone and I switched to palemoon when firefox stopped allowing unsigned plugins on my desktop. I've been using habit browser on my phone. I don't really trust it at all so I give it minimal permissions and try not to do any browsing on my phone I don't expect to be tracked or monitored. It's fast and customizable and has a built in adblocker so I've been fairly happy with it. I've tried a lot of different mobile browsers. I haven't really found any I liked. They all kinda suck in one way or another. I was really hoping something from F-Droid would be appealing to use but they were all disappointing. The state of mobile browsers in general is kind of abysmal.
I hate the fact that Firefox increasingly makes me jump through all sorts of hoops to find all the hidden options to turn off their various spyware attempts. Its the Win10 of browsers...
Yeah, its so intuitive for the average person to type: about:config in address bar and scroll through hundreds of oddly named parameters to turn off spyware.
Comments like yours are illustrative of a certain mindset. When you encounter the complexity of domains you are not intimately familiar with (court system, law, finance, etc), and those complexities are designed specifically to make it hard for you to protect yourself, I'm sure you are just as understanding as you are now.
> It's right in the main browser settings, under the Privacy and Security section where one would expect settings like this to be
If you asked me "where would you go to change settings to prevent the browser from violating your privacy and infringing on your security?", then, yes, I would go to "Privacy and Security". If, however, you asked me "what would you expect to find under 'Privacy and Security'?", my answer would be that that's where I would go to protect myself from malicious websites, not from malicious browsers.
(I know that 'malicious' is quite, and almost certainly too, strong here, but the point is that I think, and am explicitly encouraged to think, of Mozilla as being on my side against the sites I visit, and I don't think it's natural to expect that I will start thinking of how I need to protect myself from Mozilla to use their products in the way that I, rather than they, intend.)
Errr... is "dom.enable_performance" really a privacy setting?
Doing someone online searching now, not seeing an explanation for it. There is one other HN post though, also mentioning it in a privacy context, but not further info either. :/
There almost certainly is not a way to invisibly install add-ons, unless you are part of Mozilla, and, you know, making Firefox. If paranoia is your thing, it might be worth considering that Mozilla can do anything it wants inside Firefox core, all of it is "invisible" to you.
And this is the point where even the most Mozilla-supporting users move away. For me, this is it, I’m going to Chromium.
Fuck this shit, in the past months we had CliqZ https://news.ycombinator.com/item?id=15421708, we had Mozilla adding new telemetry, we had Mozilla force-enable toolkit.telemetry.enabled, we had Mozilla say that, if you download Nightly, that is considered opt-in to tracking, we had Mozilla put Google Analytics into the Addons menu (because it’s loaded from addons.mozilla.org: https://github.com/mozilla/addons-frontend/issues/2785 ), and we had Mozilla say that, if we don’t trust Google, we shouldn’t use Firefox.
Regarding telemetry, take a look at the settings in about:config. There are several toolkit.telemetry.Ping settings which are set to true by default. In the spirit of charity I'm going to assume that those phone home pings - on startup, shutdown, update - are not enabled unless telemetry is enabled. But I have not checked...
Disabled Encrypted Media Extensions (EME)
Disabled Web Runtime (deprecated as of 2015)
Removed Pocket
Removed Telemetry
Removed data collection
Removed startup profiling
Allow running of all 64-Bit NPAPI plugins
Allow running of unsigned extensions
Removal of Sponsored Tiles on New Tab Page
Addition of Duplicate Tab option
Locale selector in about:preferences > General
How exactly? Whether they push out code to you by just changing the binary or by installing an extension makes no difference. In fact, pushing it out as an extension, means they actually have less control over your browser, because are bound to the restrictions that extensions have.
Every browser vendor has this control over you when you use their browser. Some have even more, because they don't even need to tell you about it when they're closed-source.
Looks like it's a promo for Mr Robot, which is really not ok.
> What's happening?
Are you a fan of Mr Robot? Are you trying to solve one of the many puzzles that the Mr Robot team has built? You’re on the right track. Firefox and Mr Robot have collaborated on a shared experience to further your immersion into the Mr Robot universe, also known as an Alternate Reality Game (ARG). The effects you’re seeing are a part of this shared experience.[0]
EDIT: looking at this[1] comment, perhaps it's not a promo?
> No changes will be made to Firefox unless you have opted in to this Alternate Reality Game.
Also, from the same page for those that appreciate irony:
> One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.
I hardly think it's a lie. My browser contains no trace of anything related to Looking Glass, even though I'm opted into Shield Studies. It seems to affect some people but not others. Definitely something that should be fixed in the core mechanism of how these things are downloaded by your browser if there are cases where it can happen without user intervention, but it doesn't seem to be intentional to download extensions without the user's consent.
Mozilla has injected malicious-looking advertisement executable software into my process without my permission and then lied about it. I have no idea what this software is, what it does, or whether it is proprietary or free. I opted into nothing.
Really poor choice of words here from mozilla. "The changes that already happened will not make changes to your firefox unless you enable them to", in other words the changes already happened and are just waiting to be activated.
Something was installed on my system without my permission, from a vendor that I chose specifically because they promise not to do things like that.
To put it another way - if I discovered a rootkit sitting in the ~/Downloads directory on my Mac, that would be a problem. If the entity that surreptitiously placed it there said that I shouldn't worry about it because it hadn't been run, I wouldn't be inclined to trust them.
That lack of permissions make this illegal IMO. CFAA in USA and CMA in UK both make unauthorised access and unauthorised modification of a computer a crime.
I've used FF since before it was FF, and I've installeded it on umpteen other people's computers; strongly advocating for it. Since they sacked that guy for not conforming to a specific liberal ideology they seem to have gone batshit crazy ... what happened? Was he their main privacy advocate or something?
ToS terms that aren’t either expected by the user, or explained in plain text without having to click through anything, are considered null and void in the EU.
By that definition, this would be unallowed modification of the computer of the user, and fall under the various hacking acts.
The more interesting thing is that this has also been rolled out to german government computers, which mostly used to use Firefox, but due to previous troubles with CliqZ and the Google Analytics in the addon menus, have already moved on to other browsers.
>ToS terms that aren’t either expected by the user, or explained in plain text without having to click through anything, are considered null and void in the EU.
You mean like the TOS and EULA you agree to when you install the browser? That would qualify as "expected by the user" and "explained in plain text" both.
Correct, those ToS and EULA are considered invalid, if they contain unexpected agreements, such as "your firstborn belongs to us", or "we can install whatever software we want on your system".
It seems to be developed by Mozilla employees, which is less terrible than allowing actual third-party addons, and it's disabled by default, but still - pretty distasteful.
> So Mozilla lets advertisers push extensions to your browser?
Of course not.
Mozilla can install extensions if you have "shield studies" enabled. They use extensions it to run UI studies and things like that. I think you have to opt-in to each study individually if you want to be part of it. Enabling the studies in your settings only means "notify me when there's a new study I can participate in".
That sounds like "no they haven't pushed an unsolicited advert at all ... except to people who offered to be in a development program, who they've pushed an unsolicited advert to" ...
I was talking about advertisers running code in your browser. I think you have to opt-in to participate in one of the studies, so that's not happening without your consent.
It looks like Firefox auto-installs the studies though if you've enabled the feature. But it only activates the individual extensions for the studies once you've opted in to participate.
The extensions themselves need to be approved by a bunch of people at mozilla (at least for the normal studies). So I guess nothing bad can happen until you click "participate" or whatever they call it.
Still, I would also consider the notification itself to be an ad. This was obviously a bad idea and I don't want anyone to think I'm defending it. I guess they've chosen to abuse their shield studies for this because it's the only way for them to send notifications to the browser, but that's no excuse. I have the studies disabled anyway but now I'm not even going to consider ever turning them on.
I never knowingly opted in to anything and found both the "Studies" section and the "pug-experience" study turned on just now in about:studies. I don't know if it really is meant to be opt-in, but it certainly didn't seem like they've done it correctly.
I did not recall agreeing to opt-in for the studies and there it is under Privacy & Security as checked.
I have the pug experience study active and I don't recall the browser asking about it.
From the studies about page linked from about:studies...
"When a study is available, you will automatically be enrolled if you meet the criteria. There will be occasions where we might prompt you for participation first."
Just saw also that if you opt-in for the "Allow Firefox Developer Edition to send technical and interaction data to Mozilla" then it automatically checks the studies checkbox for you. I would wonder if I checked the allow sharing at some point in the past, or during installation, with no mention of the studies option. So it was presumed to opt me into the studies automatically.
But it appears from the link thread that there was no individual opt-in to this particular study, done for what appears to be the purposes of advertising. Clearly it's not as bad as what I first thought it to be, but still sounds fishy.
Seems kind of like it is part of an ARG. I can't say I'm totally against something like that; Mozilla's gotta make money somehow, and as long as it's not selling out user privacy it's a better tradeoff than Chrome.
I think the the term “non-profit” is more about how an organization spends the money, rather than how they make it. Non profits and charities definitely bring in money through channels other than donations...
I merely challenge the notion that a nonprofit -- which proudly tumpets its benevolence and non-profitness -- should get a free pass for covertly installing advertising arrangements, just because they need to "make money".
Their charter and marketing is all about defending the internet from the companies doing shady things to make money, so they can't have their cake and eat it.
There is a difference between a non-profit and a non-for-profit (most health insurance companies are the later; go try and figure that out).
Firefox gets most of its donations from corporate sponsors. That's why the default search and switched back and fourth between Yahoo and Google; it's all about the amount of money they contribute for that. I'm not sure, but Pocket might be another example.
User contributions are actually pretty low. They don't go out and request them though like NPR or Wikipedia.
You're confusing mozilla foundation and mozilla corporation here. The default search with google and yahoo is not donations for the foundation but a commercial contract with the corporation.
I'm not sure mozilla even gets a significant amount of donations compared to their commercial contracts.
While I agree with you on that, your previous comment was simply wrong. Non-profits are very much allowed to just "take money" (legal restrictions aside, but for-profit businesses also have legal restrictions). They're not allowed to take that money and distribute it to shareholders as profit.
That would be a valid complaint if this was an advertising arrangment, rather than one where if you watch the TV show, you learn that you can activate a firefox addon to participate in an small AR game that changes your normal web experience into a Mr Robot style web experience for the duration.
The addon itself does not advertise for Mr. Robot, Mr. Robot advertises for this addon.
Sure, but why install it on random people's installs, even in some sort of disabled state? Viewers should be called on to install it themselves. I'd be cool with, say, an about: page that makes it easy for users to discover it, but pre-installing the addon in people's browser's seems a bit much.
I'd charitably call it "Augmented Memory", but it's definitely not "Augmented Reality".
And I'd hardly call it a game, just a parasitic advertising gimmick that slows and bloats the browser. It just injects a bunch of JavaScript code, DOM elements and CSS effects into every tab.
There's really no game there, and it's pretentious to call it an "Alternate Reality Game", which is defined as "intense player involvement with a story that takes place in real time and evolves according to players' responses":
This extension just wraps all occurrences of a set of keywords (now including "fuck") in a span with some css animations and a tooltip that links to their web page.
But in terms of memory usage, CPU and battery consumption, it's not that small, either.
It injects a blob of CSS and some JavaScript into every tab, then it does a regular expression search of every text node on each page, filtering out everything but paragraphs, then for each occurrence of a keyword in the text, it creates a new text node to split the current text node, then inserts a new span element between them, containing its own text node, then it creates an additional tooltip element containing six text nodes, five br elements, and one anchor element linking to https://support.mozilla.org/kb/lookingglass , and it also configures css class names to associate all those new nodes it created with the blob of css styling and animations that it injected.
This extension isn't the best example of their technology for Mozilla to be promoting and distributing, if they're really serious about delivering a fast memory efficient browser.
Non-profit orgs are such due to legal designations that give them favorable tax treatment. In return they promise to organize and operate only to fulfill a charitable mission. The mission of Mr. Robot (content sniffing) has nothing to do with the charitable mission of Mozilla, "Our mission is to ensure the Internet is a global public resource, open and accessible to all."
The charitable mission of mozilla ended with their deal with google in 2004.
Let's not forget that mozilla had frozen 15 millions dollars because of the IRS audit related to this deal and mozilla status, ending up settling outside of court for 1.5 millions.
This is a very common misconception about non-profits that is not true.
The details depend on local laws, but generally a non-profit only means that the owner of the non-profit can't take the all of the actual profit (money) directly out of the non-profit via dividends.
Things like non-profits must be focused public good or they can't pay high (or any) salaries are urban legends that have no basis in reality.
That's not a misconception I share. I understand Mozilla can and should make money to further its mission.
But unlike a for-profit, making money isn't the mission of Mozilla. So needing to make money can't be used as a justification for doing naughty things against the public good.
Making money may not be the mission of the mozilla foundation, but it is the mission of the mozilla corporation fully owned by the mozilla foundation.
And money it makes, in the hundred of millions, for serving its users to the worst known worldwide privacy offender, collecting and profiling user to sell advertising.
The "good" non profit charity foundation is governing the "evil" for profit corporation giving away users to the worst opponent of the mission of the charity. Quite a contradiction in this.
They also have limits on political speech. The IRS gives them breaks. One of the big misunderstandings/myths is that a church cannot support a political candidate.
Some people cry "free speech violation" but they can endorse a candidate, they just need to give up their tax privileges. This is why the ACLU is split into two parts. One you can donate to and get tax dedications for, but the other is their lobbying arm, and therefore cannot allow tax deductions for their donors.
"non-profit" isn't a magical incantation that means they can run with a revenue deficit forever though. They have expenses and there has to be enough revenue coming in to cover those expenses, or they will go out of business. That's true for any business, whether it's for-profit or non-profit.
Mozilla foundation (the non profit) set up Mozilla Corporation (the for profit raking in hundreds of millions of dollars) when the IRS investigated the foundation about tax fraud.
I believe the idea is that Mr. Robot fans use Firefox to participate in the ARG, not that Firefox users suddenly start watching Mr. Robot. So if anything I'd expect that Mozilla pays Mr. Robot for this.
Not to mention the great amount of money they've wasted in certain previous frivolous, doomed projects, like Firefox OS - great idea, by the way, to make your "native" app platform the most power hungry, slowest of them all, and then market the OS only for pairing it with low end devices sold to third worlders - because third worlders totally need slow software running on the hardware they can barely afford - it's not as if they were people, with real world needs, just like us, and not lab rats. For a company that prides itself on its open values.. that's really treating people with contempt.
> Looks like it's a promo for Mr Robot, which is really not ok.
From what I've heard (I work for Mozilla), this is promo for Firefox. As I just wrote elsewhere in this thread: I believe the idea is that Mr. Robot fans use Firefox to participate in the ARG, not that Firefox users suddenly start watching Mr. Robot. So if anything I'd expect that Mozilla pays Mr. Robot for this.
Google is among the worst privacy offender there is and mozilla has been sending their users towards then in return for a small share of the google mega profits.
So much for the advertised protection of user privacy.
If it was a promo, it would be a real bad promo. I did not watch Mr Robot and that quote did not made me aware of it until people started referencing it here.
The extension is for shield study, when you install Firefox for the first time it asks if you want to take part in it (it is enabled by default though)
Mr Robot is a tv show repeatedly showing how you can pwn other people computer by pushing seemingly innocuous code.
It has been praised for its technical accuracy, basically the show warns us about exactly what mozilla did as this could be exploited to hack into computers.
Out of literally all the software vendors I know, including the one I'm working for, Mozilla is the one I'd have least expected to allow such a thing. I'm very surprised (Negatively, needless to say)
Mozilla has been going downhill very fast since Brendan Eich was removed as CEO. There was some controversy at the time and it made sense why he was removed, but it seems clear now that Mozilla took the wrong choice in removing him as it seems he was keeping the ship on course. Now it is floundering from numerous sides.
I think Mozilla should look into getting him back before they all end up losing their jobs.
Why? They allowed proprietary extensions (e.g. Flash) from the start. I don't like it, but I don't see how it represents a loss of their way. Mozilla was never GNU.
Big difference between an extension and being integrated into the browser. It's directly analogous to the difference between your OS being closed source and your OS being able to run closed source programs. The former is a liability; the latter is an ability that you grant to users to use the system the way they want.
I don't like EME either, but not implementing it would've killed any chance of regaining users: "Oh look, Firefox Quantum looks awesome, I should try it. ... Never mind, it doesn't play Netflix".
Implemeting it, but disabling it by default was a good choice. People will have to consciously click "I accept DRM" to use it, which might get them to read more about what it is and ultimately raise awareness about how terrible it is.
Yea, but they lost me today. EME annoyed me, and I took note of it, but I didn't leave over it. But now I feel like Looking Glass is the straw that broke the camel's back.
The world doesn't need another browser that sacrifices principles for market share. Chrome, IE, and Safari are perfectly good browsers for that. What I wanted was a browser (and software in general) that promotes security, privacy, open standards, and open source. You can accuse me of misinterpreting the situation, but that's what I thought Firefox was 10 years ago. It's not what Firefox is today. It's turned into just another organization that's optimizing for the continuation of the organization over it's own founding principles.
I was concerned for a minute. Then I remembered that this is the browser vendor that constantly spouts it's privacy bonafides yet on a monthly basis "partners" with companies like Pocket to install unwanted addons and functionality and has Google Analytics on their settings pages.
The acquisition was two years after the integration. The referenced comment says nothing about tracking being removed, only referencing a "special deal" whatever that means.
You are trying to muddy the waters here. Even if I were to accept your (wrong) explanations, they still don't jive with the image Mozilla is trying to project.
Staying bitter for two years is one thing, but it took me a few minutes to refresh actual details about what happened. The initial integration raised privacy concerns but mainly by being unclear. Since then things have steadily improved, like Pocket updating their privacy policy. https://venturebeat.com/2015/06/09/mozilla-responds-to-firef... There was a long discussion on the Mozilla Governance board that clarified a lot of things, including the legal department affirming that users were not automatically bound by Pocket's ToS. https://lwn.net/Articles/650869/ And eventually they bought Pocket. So while Mozilla isn't perfect, privacy is a real priority for them, and when they do mess up, they put a lot of time and effort into mitigation.
I don't think there is a basis for discussion here if you can't acknowledge that the mere installation of 3rd party addons & use of GA is a breach of trust.
Mozilla can't stop doing crap like this. I love the engineering behind it and thr tech but I don't want any of your shenanigans. This makes me affraid to update.
The Mr. Robot series centers around the theme of online privacy and security. One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.
...which you've done by installing a fishy-looking addon without our permission and making us less likely to trust you?
Apparently the addon is installed anyway, it just doesn't "change anything in Firefox" if not opted-in. I have to wonder why install it at all if it's not to be used.
Mozilla really needs to be more transparent about this kind of stuff.
Apparently it's getting loaded anyway for some people that say they had "Studies" disabled and/or "Studies" itself became re-enabled.
The whole idea of slipping paid advertorial content into what are billed as "research" kind of gives the lie to this whole thing and is why I never turn these on in any product. Which is also why it's now "opt-out" by default, and why it will eventually not be an option at all. It's all for our own good, you see.
I can confirm this most certainly did not happen in my case and, from other comments, there seem to be a number of us who did not opt in to this "study."
enabled by default. The settings that I've changed from the default are shown in bold. These aren't bold. Those are the defaults. Everybody can check.
That means that the user must actively take steps to disable them, if he knows that they exist and where he can disable them.
Every time the user creates a new profile, and most probably also when he "refreshes" an old one, he has by default the studies allowed.
It's even worse in other aspects: through the UI the "Allow Firefox to install and run studies" can be unchecked but it doesn't change the value of "experiments.enabled" to false in about:config.
Apparently the "experiments" allow Mozilla to install the "experimental" extensions to any user, without him knowing. And these extensions are invisible in the GUI! Even if the user goes to the about:config and sets extensions.ui.experiment.hidden to false, it will be automatically set to true again.
Why should the "previews of potential new features" in the form of the extensions be hidden from the user, and even if the user "unhides" them be automatically hidden again?
Are you sure that's what those config options do? I tried looking them up, but they don't seem to be listed in Mozilla's config documentation: http://kb.mozillazine.org/About:config_entries
According to the Wiki page I linked in my previous comment, global settings shouldn't even matter in this case; since each SHIELD study must be opted into on an individual basis. (Or at least, that's how it's _supposed_ to work.)
Edit: Looks like the wiki was updated to state that some studies can be opt-out rather than opt-in. This also seems in-line with the documentation for SHIELD, which has a section on opt-out studies: https://normandy.readthedocs.io/en/latest/user/actions/opt-o...
"opt-out-study: Install a Study Add-on Without Prompting
The opt-out-study action installs an add-on, typically one that implements a feature experiment by changing Firefox and measuring how it affects the user."
They are obviously the topic of:
app.shield.optoutstudies.enabled=true
That I mentioned.
I see a lot of commenters trying to excuse them. The problem is, people allowed the "studies" because Mozilla claimed that they are "measuring" whatever "to make Firefox better." They never told anybody that they are selling the "studies" functionality which silently installs ("opt-out" not opt in!) to the advertisers.
I don't know how anybody can defend such an approach.
Well, this is very troubling; it's installed in my browser. Not only did I not get prompted, I never volunteered for being in any studies. I'm running Firefox on Linux, but I installed it from Mozilla, and not the package manager.
I just installed FF on my mom's new desktop yesterday, noticed this crap while installing ublock origin. Definitely didn't opt in to anything. Made me wonder whether I'd accidentally downloaded some malware from a look-alike site, instead of official Firefox.
Firefox Studies aren't new, and aren't opt-out by default. They're opt-in per study, in fact. The code to run them comes with Firefox, that's it. All this HN link is is someone asking what the add-on is, not proclaiming it did anything.
In my Firefox 52.5.1 under a current CentOS 7, there is no about:studies. Either "studies" has been newly removed (Firefox updated yesterday, I think?) or about:studies is new or Firefox Studies has been included by default after the 52 series. Perhaps its just me, but I still think of post-52 Firefox as "new".
It's nonetheless not obvious to me why you were downvoted; I don't know if someone else was annoyed at your definition of "new" or whether there were other dubious claims in your comment. Perhaps privacy advocates are just too exhausted and cranky to explain themselves again.
Just as another data point, I'm on 56.0, and while the option is there, it is default not enabled. So, it looks like something changed in the move to Quantum.
about:studies->Preferences shows "Allow Firefox to install and run studies" is enabled on my copy of Firefox 57.0.2(OSX). I don't remember opting in at install time, was it hidden behind some innocuous-sounding checkbox?
"messed up", like they messed up by re-adding Pocket to toolbars a few months back.
Do Mozilla have no QC, or is it purposeful?
All these "but it's only an add-on [we foisted on you]", should just be a bullet point on the upgrade screen "we'd like it if you used this".
This is Microsoft level "customer" control, where they just ignore any chance the customer doesn't want something changing and go ahead, it's being treated now as Mozilla's browser not the users.
> If you clicked on the link about shield studies you'd see it says they're opt in, did you not getting prompted about it?
No, I had Firefox test pilot with `Video Min` addon, I was not prompted about he `Looking Glass` I removed all addons from Mozilla and their test pilot yesterday. There is only one thing that keeps me away from moving to Brave browser https://github.com/brave/browser-laptop/issues/3101
I hope they fix it soon so I can drop Firefox and their "mission". This is second time my Firefox got infected by Mozilla and their addons. A month ago my PC at work got infected with "Firefox Pioneer" https://news.ycombinator.com/item?id=15648179
Firefox Pioneer is literally a spy and tracking addon:
>Pioneer is an opt-in program that allows collection of richer data from Firefox.
Not surprised to see your comment being downvoted...HN has such a double standard when it comes to certain brands/vendors.
Windows 10 sends telemetry by default? Microsoft is literally Satan incarnate! BURN THEM AT THE STAKE!!!
Firefox installs crapware addons without user permissions and signs them up to participate in "studies"? Shhhhh...it probably only an innocent bug, nothing to see here, move along now.
I remember this prompt (sending Mozilla crash/performance data) and disabled it a long time ago, and I don't have the add-on currently.
Often these days I disable every "Help us with information" box, both on close/commercial software and even open source software. I mean I'd like the help the community, but I really no longer like submitting any type of tracking information or even debugging information. Everyone is already clamoring for my data, and I guess it's more of a mentality of I don't want to give it away for free. They already get so much for free.
I'll still file a bug report on bugzillas and compile stack traces on faults. But I want to do it myself, explicitly.
The add-on tests whether specific words can be detected on sites; the current list has nice picks like "revolution" and "privacy". Of course, this is only a test, but in the future Firefox might look for specific terms in the pages you load and do specific things based on them.
> This would be a major blunder and showing that the merge into production process is lacking a lot.
It's one flag, an entirely non-critical one at that, to either install this add-on hidden or not. It's not a major blunder to forget this once out of a few hundred times and it most definitely does not in any fucking way show that "the merge into production process is lacking a lot".
Absolutely no one would have minded, and there's no reason to either, if this would have been installed hidden.
You need to get the fuck down from those clouds and think about reality. Your comments are getting more ridiculous by the minute.
Running FF58. I don't have it either. I also don't agree to stuff unknowingly. It's clearly spelled out in the settings under privacy that you can agree to this stuff. Nothing I've seen suggests this isn't happening. People are saying things but no one is backing up any accusations with any proof yet.
Mozilla is a company that has a long track record of dedication to openness and the free and open internet
True, and that's why I never stopped and recommending Firefox since I first installed Phoenix. That said, they're already installing and enabling Cliqz by default (for some users), and that's no bug. So it's not absurd that people might assume this isn't either. Reputation is hard to gain and easy to lose.
Automatically sending URLs visited of random German Firefox users to a German company (CliqZ) owned by a publishing, advertisement and tracking company (Burda): https://news.ycombinator.com/item?id=15421708
Mozilla forcefully enabling toolkit.telemetry.enabled in Nightly and Developer versions, and, upon being asked, saying that "below the download link is a text telling you that by downloading these, you opt-in to telemetry".
Benefit of the doubt is over, it’s time to get the pitchforks out.
I'm not happy with how this rolled out, and I'm not here to justify it.
I wasn't involved in its development, so I can't speak to its origin or the decision to use Shield for distribution, but
I can gather feedback and answer technical questions about Firefox and the add-on.
Having issues with your extra? Beginning with Firefox 57 (in discharge), just additional items manufactured utilizing WebExtensions APIs, the new innovation for Firefox expansions will work.
In the Preferences, scroll down to "Data Collection and Use", and disable everything.
I know that you only need to need to turn off "install and run studies", but this has now cost Mozilla all telemetry data from me, and I encourage everyone to do the same.
I've switched to Waterfox, because of things like this (including the Cliqz issues). I'm all for Mozilla making money and trying things, the problem is the way in which they do it. They fail to respect the users enough to communicate things, and have not been behaving like a user-friendly transparent company for some time now. I was a big enough fan to regularly donate and urge friends to do the same, but something has gone wrong inside the company.
And this is exactly what I'm going to do, switch to a simple browser, in my personal computers. If they programmed firefox to be capable of doing thinks like this, then definitely I cannot trust them anymore.
I checked out FF for the zillionth time the other week after the Quantum release hoping to love it, but the deep Pocket integration was just too offputting. Turning it off requires some Googling. There were other irritating commercial things too. It’s a shame. FF is probably the most important open source project in the world and it’s a shame they do stuff like this. I’m still on Chrome :(
I cant help but feel mozilla bought pocket because they wanted to justify the included adware nature of it as a first and foremost priority, after all the supposed logic of including it was all about reducing costs for mozilla..
Yep, that button was really annoying. And the Pocket thing on the home screen, too. And the fact that I had to Google to figure out how to disable it.
If you must know why, I don't want promos for particular web properties in my browser. I find Pocket to be annoying conceptually (a service to help you carry around all the things you didn't and won't read—eww, no, no thank you), and I don't want to look at it every day. I don't want to have to Google to figure out how to disable it. I don't want my browser to come with nonsense I need to disable.
> You mean the single button that does literally nothing until and unless you click on it?
This must be the kind of mentality that leads people at FF to do silly things like mentioned on this thread, or having "just one button" for their acquired web property. That's the opposite of how great product minds think. Great product people think "how can I REMOVE this button?" Not "how can I get away with having it?"
Add a couple more buttons and hey, you've got a toolbar going.
Why can't they just make a web browser that's... just a web browser? Chrome has never had buttons to email pages with gmail, record videos onto YouTube, share pages on G+ etc.
I've been seeing the YouTube logo inverted recently. I wonder if this has something to do with it. If so. I'm done with Firefox. I've used it since it was Netscape in 1996. Enough is enough.
Just coming up to speed, apologies for the potentially obvious questions.
1. Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
2. Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
3. What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
Mozilla (and other browser vendors) have the ability to push updates to their browsers outside of the normal release cadence. In many cases, these updates are distributed as add-ons, as they're cleanly separated from the rest of the browser internals, but that's just an implementation detail. If you visit about:support in Firefox, you should see a table of "Firefox Features," which are exactly that. Their source lives at: https://hg.mozilla.org/mozilla-unified/file/tip/browser/exte...
For example, we used a system add-on to control the gradual roll-out of multiprocess Firefox, and the New Tab page is also implemented as an add-on called "activity-stream."
I'll try to answer in the parent's place, since I've been watching this issue.
> Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
Unknown in the sense that this extension wasn't documented at all, there was no Bugzilla issue for it and it's not clear whether it was properly vetted by QA. Whether you argue that this kind of silent push updates is good or bad, I think they aren't tested as well as in-browser functionality. This is a necessary consequence of "let's try it and revert if something breaks or people complain".
More so, a rolled back Shield study will be invisible to the users, so any problems will be impossible to debug. This is made worse by the fact that most, if not all Shield studies are opt-out, so the user won't be notified.
> Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
> What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
People have reported that extensions.ui.experiment.hidden reverts after viewing the add-ons list. I haven't tried it myself, but you can find details in that Reddit thread.
Others have noticed that the Shield studies checkbox sometimes (possibly on version bumps) reverts to enabled. I can't overstate how bad this is; it's basically cheating the users' trust. Lately, Mozilla has been doing some pretty nasty things for an organization that takes pride in caring about the privacy of its users.
Are you aware of the complaints regarding Windows telemetry? Edge, for example, sends full browsing history to Microsoft by default. Should Mozilla follow suit? Because that's exactly what Pioneer does and, while it's not opt-out yet, Firefox advertises enabling it.
As for the rest of the system add-ons, they're either poorly documented (if they are at all), poorly named ("Presentation"), or seem concerning from a privacy point of view (e.g. Activity Stream, Follow-on Search Telemetry, Photon onboarding, Presentation, Web Compat Reporter).
For anyone curious, Presentation seems to be an implementation of a proposed Web API that allows browsers to find and talk to devices in their neighbourhood. Does that include location/proximity beacons like this old proposal https://hacks.mozilla.org/2013/06/the-proximity-api/ ? Do users really want Firefox to tell advertisers where they're shopping? That's the same kind of "experience improvement" that the spyware of yore used to bring.
Why should Pocket be an add-on with superpowers? There was quite a bit of backlash over it a while ago, but Mozilla didn't budge, and some employees actually spread misinformation (not to say "lied"). And actually none of my system add-ons seems to be providing any important functionality (if you disregard the new tab page, for which I haven't seen yet a privacy policy). Looking at Shield studies ( https://www.jeffersonscher.com/sumo/shield.php ), it's even worse: most are surveys, advertisements, asking the user to enable Pioneer (i.e. send full browsing history to Mozilla).
The comment about the visibility of the add-on (Bugzilla, QA process, documentation, etc.) is well taken, as are those regarding the naming of system add-ons, Pioneer, etc.
I've got an intercontinental flight coming up soon, and I'll do some grepping around to try to understand the prefs mentioned. If someone else beats me to it and posts a specific set of steps to reproduce a pref flip on those, I'd appreciate it.
I can confirm that extensions.ui.experiment.hidden gets reset to true on Nightly after opening about:addons. It seems to have no effect, though it might have if one uses lockPref.
> Mozilla developers can distribute addons to users without their knowledge
I think for most people this is the stickiest point. Other commenters have said things along the lines of, "well if you trust their browser you should be able to trust their add-ons" and I do, mostly, trust their add-on here... but I really don't like how it slipped into my Add-Ons without telling me. For every other Add-On I have to click an explicit blue button, so I know what's in and what's out.
In today's landscape, Add-Ons have massive potential as security threats. For instance, would a savvy user who is security-aware (most users on HN, I assume) install an Add-On like Gmail Checker Plus[0]? Without digging in, it's hard to be 100% certain what this Add-On is and isn't doing with my Gmail content (I have no reason to assume anything nefarious, it's just an example). My browser Add-Ons should be off-limits to any sort of tampering without my permission, as well should be my bookmarks and auto-fill info. If I broke into your house and changed your bedsheets, you'd rightly be creeped out... nothing was stolen, new bedsheets don't affect you in any significant way, but it's still wrong and weird and hurts trust.
I think this was a very bad move, because Mozilla installed adware in all of its browsers. The fact that it was installed through an add on, though, seems irrelevant. Mozilla developers can distribute arbitrary code to all users because they write the browser. The add on just makes this particular bit of code user visible.
> Unknown Mozilla developers can distribute addons to users without their permission
"In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"
In all seriousness, I understand this is an important issue, and needs to be addressed, but we've obviously gotten to the point as a society recently where no news can't be played up for hype by pundits and commentators for their own benefit (and probably without realizing they are doing it in a lot of cases).
The whole way this is being presented (by many here, not to pick on the parent) as a new chunk of the sky falling is what I find really troublesome. No, chicken littles, the sky isn't falling, but there is some interesting shit going on up there that deserves a look.
I fail to see how getting half the people frothing at the mouth and the other half downplaying it just to try to keep some sanity in the discussion helps for a good outcome.
> "In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"
No they can't, despite mozilla removing the option to prevent this, I have an extension preventing website to run code in my browser without my permission. it happens to be one of the most popular firefox extension: noscript. (also umatrix and request policy).
No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
> No they can't, despite mozilla removing the option to prevent this, I have an extension preventing website to run code in my browser without my permission. it happens to be one of the most popular firefox extension: noscript. (also umatrix and request policy).
You've conflated third party javascript with javascript in general. You can turn off javascript entirely, but unless you do so, that website is generally able to ship javascript to you as included scripts from the same domain or in a script section or inline with attribute handlers.
> No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
Yes, they very often do. Currently, they generally ask if you want to restart using the new version and give you that choice, but they are often downloading newer versions of themselves ahead of time to speed up this process.
Whether they have permissions depends entirely how you installed the application. If it wasn't installed globally, user permissions are all that is needed.
> I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
Good! I hope you've also never ever piped wget output to a shell for some application's quick installer. I also hope you've never installed any programming language module through that language's package manager and not your distro's package system, because those are notoriously bad at making sure there's not holes through which bad stuff can happen either.
Regardless, it's possible that the package you downloaded, no matter the source, can do something other than stated.
> It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
Actually, I don't think I guessed wrong because I wasn't guessing anything, and I never said it works the same for everybody. I believe, since I was careful to qualify my statements, that each is easily proven correct, and I've done so.
536 comments
[ 831 ms ] story [ 6695 ms ] threadIt scared the hell out of me! Are these guys losing their minds?
It was reported as a bug and the response thus far is indeed underwhelming for such a severe issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1424977
Yes
And this is the company we are supposed to trust? Because right now I feel like I trust Google more, and that's a lot to say.
https://www.mozilla.org/en-US/
https://www.mozilla.org/en-US/internet-health/
http://repo.xposed.info/module/de.defim.apk.unbelovedhosts
I want plain-text ads that provide just as much revenue to web sites but without obnoxious experiences and fat downloads.
Only in third internet world countries like the US... Elsewhere, we don't have limited data plans.
Also, data caps mean people will use less data, meaning using less bandwidth, meaning ISPs will have less of an incentive to upgrade their already ancient infrastructure. It would be giving them more money to use less of what they provide.
The opposite is true: ads must be paid for, which makes products and services more expensive.
Ads are a convoluted, inefficient form of wealth redistribution; whether that's "good" or "bad" depends on the specific circumstances.
For example, we might (simplistically) say it's "good" when we receive something paid for by ad revenue, but the burden of paying for (e.g. by price increases) and being subjected to those ads is carried by others. For example, if we tune in to a radio station, listen to a song, and tune out before some ad for a product we don't use.
We could say it's "bad" when the opposite happens, for example if we pay higher fees for shopping on Amazon, which then get spent on advertising Prime Video which we don't use.
Comments like yours are illustrative of a certain mindset. When you encounter the complexity of domains you are not intimately familiar with (court system, law, finance, etc), and those complexities are designed specifically to make it hard for you to protect yourself, I'm sure you are just as understanding as you are now.
It's right in the main browser settings, under the Privacy and Security section where one would expect settings like this to be
If you asked me "where would you go to change settings to prevent the browser from violating your privacy and infringing on your security?", then, yes, I would go to "Privacy and Security". If, however, you asked me "what would you expect to find under 'Privacy and Security'?", my answer would be that that's where I would go to protect myself from malicious websites, not from malicious browsers.
(I know that 'malicious' is quite, and almost certainly too, strong here, but the point is that I think, and am explicitly encouraged to think, of Mozilla as being on my side against the sites I visit, and I don't think it's natural to expect that I will start thinking of how I need to protect myself from Mozilla to use their products in the way that I, rather than they, intend.)
Doing someone online searching now, not seeing an explanation for it. There is one other HN post though, also mentioning it in a privacy context, but not further info either. :/
I also recommend waterfox instead of firefox.
[1]: https://addons.mozilla.org/en-US/firefox/addon/privacy-setti... [2]: https://www.waterfoxproject.org/
Fuck this shit, in the past months we had CliqZ https://news.ycombinator.com/item?id=15421708, we had Mozilla adding new telemetry, we had Mozilla force-enable toolkit.telemetry.enabled, we had Mozilla say that, if you download Nightly, that is considered opt-in to tracking, we had Mozilla put Google Analytics into the Addons menu (because it’s loaded from addons.mozilla.org: https://github.com/mozilla/addons-frontend/issues/2785 ), and we had Mozilla say that, if we don’t trust Google, we shouldn’t use Firefox.
Fuck this.
I was using firefox because I don't trust google. ;(
Features
[1]: https://www.waterfoxproject.org/Every browser vendor has this control over you when you use their browser. Some have even more, because they don't even need to tell you about it when they're closed-source.
> What's happening? Are you a fan of Mr Robot? Are you trying to solve one of the many puzzles that the Mr Robot team has built? You’re on the right track. Firefox and Mr Robot have collaborated on a shared experience to further your immersion into the Mr Robot universe, also known as an Alternate Reality Game (ARG). The effects you’re seeing are a part of this shared experience.[0]
EDIT: looking at this[1] comment, perhaps it's not a promo?
[0]: https://support.mozilla.org/en-US/kb/lookingglass [1]: https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...
> No changes will be made to Firefox unless you have opted in to this Alternate Reality Game.
Also, from the same page for those that appreciate irony:
> One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.
How does it not occur to them that this is a clear lie?
Mozilla has injected malicious-looking advertisement executable software into my process without my permission and then lied about it. I have no idea what this software is, what it does, or whether it is proprietary or free. I opted into nothing.
This is a huge, huge mistake by Mozilla.
That can't possibly be true. I had it installed, and I'm on my work machine using Firefox Developer Edition. I didn't opt in to any ARG.
To put it another way - if I discovered a rootkit sitting in the ~/Downloads directory on my Mac, that would be a problem. If the entity that surreptitiously placed it there said that I shouldn't worry about it because it hadn't been run, I wouldn't be inclined to trust them.
I've used FF since before it was FF, and I've installeded it on umpteen other people's computers; strongly advocating for it. Since they sacked that guy for not conforming to a specific liberal ideology they seem to have gone batshit crazy ... what happened? Was he their main privacy advocate or something?
By that definition, this would be unallowed modification of the computer of the user, and fall under the various hacking acts.
The more interesting thing is that this has also been rolled out to german government computers, which mostly used to use Firefox, but due to previous troubles with CliqZ and the Google Analytics in the addon menus, have already moved on to other browsers.
You mean like the TOS and EULA you agree to when you install the browser? That would qualify as "expected by the user" and "explained in plain text" both.
Of course not.
Mozilla can install extensions if you have "shield studies" enabled. They use extensions it to run UI studies and things like that. I think you have to opt-in to each study individually if you want to be part of it. Enabling the studies in your settings only means "notify me when there's a new study I can participate in".
See https://support.mozilla.org/en-US/kb/shield and https://wiki.mozilla.org/Firefox/Shield/Shield_Studies
Now they have partnered with Mr Robot to use the same feature to offer some sort of "Alternate Reality Game".
It looks like Firefox auto-installs the studies though if you've enabled the feature. But it only activates the individual extensions for the studies once you've opted in to participate.
The extensions themselves need to be approved by a bunch of people at mozilla (at least for the normal studies). So I guess nothing bad can happen until you click "participate" or whatever they call it.
Still, I would also consider the notification itself to be an ad. This was obviously a bad idea and I don't want anyone to think I'm defending it. I guess they've chosen to abuse their shield studies for this because it's the only way for them to send notifications to the browser, but that's no excuse. I have the studies disabled anyway but now I'm not even going to consider ever turning them on.
I have the pug experience study active and I don't recall the browser asking about it.
From the studies about page linked from about:studies...
"When a study is available, you will automatically be enrolled if you meet the criteria. There will be occasions where we might prompt you for participation first."
Just saw also that if you opt-in for the "Allow Firefox Developer Edition to send technical and interaction data to Mozilla" then it automatically checks the studies checkbox for you. I would wonder if I checked the allow sharing at some point in the past, or during installation, with no mention of the studies option. So it was presumed to opt me into the studies automatically.
They're a nonprofit; they're not allowed to just "make money". And, they already take donations.
Tax-exempt non-profit (especially charity) status is very much about both how money is made and how it is distributed/spent.
I merely challenge the notion that a nonprofit -- which proudly tumpets its benevolence and non-profitness -- should get a free pass for covertly installing advertising arrangements, just because they need to "make money".
Their charter and marketing is all about defending the internet from the companies doing shady things to make money, so they can't have their cake and eat it.
Firefox gets most of its donations from corporate sponsors. That's why the default search and switched back and fourth between Yahoo and Google; it's all about the amount of money they contribute for that. I'm not sure, but Pocket might be another example.
User contributions are actually pretty low. They don't go out and request them though like NPR or Wikipedia.
I'm not sure mozilla even gets a significant amount of donations compared to their commercial contracts.
The addon itself does not advertise for Mr. Robot, Mr. Robot advertises for this addon.
https://research.mozilla.org/mixed-reality/
I'd charitably call it "Augmented Memory", but it's definitely not "Augmented Reality".
And I'd hardly call it a game, just a parasitic advertising gimmick that slows and bloats the browser. It just injects a bunch of JavaScript code, DOM elements and CSS effects into every tab.
There's really no game there, and it's pretentious to call it an "Alternate Reality Game", which is defined as "intense player involvement with a story that takes place in real time and evolves according to players' responses":
https://en.wikipedia.org/wiki/Alternate_reality_game
This extension just wraps all occurrences of a set of keywords (now including "fuck") in a span with some css animations and a tooltip that links to their web page.
https://github.com/gregglind/addon-wr/commit/da464ac8f1c3b08...
But in terms of memory usage, CPU and battery consumption, it's not that small, either.
It injects a blob of CSS and some JavaScript into every tab, then it does a regular expression search of every text node on each page, filtering out everything but paragraphs, then for each occurrence of a keyword in the text, it creates a new text node to split the current text node, then inserts a new span element between them, containing its own text node, then it creates an additional tooltip element containing six text nodes, five br elements, and one anchor element linking to https://support.mozilla.org/kb/lookingglass , and it also configures css class names to associate all those new nodes it created with the blob of css styling and animations that it injected.
This extension isn't the best example of their technology for Mozilla to be promoting and distributing, if they're really serious about delivering a fast memory efficient browser.
That's not a misconception I share. I understand Mozilla can and should make money to further its mission.
But unlike a for-profit, making money isn't the mission of Mozilla. So needing to make money can't be used as a justification for doing naughty things against the public good.
And money it makes, in the hundred of millions, for serving its users to the worst known worldwide privacy offender, collecting and profiling user to sell advertising.
The "good" non profit charity foundation is governing the "evil" for profit corporation giving away users to the worst opponent of the mission of the charity. Quite a contradiction in this.
Some people cry "free speech violation" but they can endorse a candidate, they just need to give up their tax privileges. This is why the ACLU is split into two parts. One you can donate to and get tax dedications for, but the other is their lobbying arm, and therefore cannot allow tax deductions for their donors.
Still better than everything else
The whole partnership with google to put its search engine as default is about enabling google to profile firefox users and shows them ads.
Actually they do not. their revenue is at an all time high despite the market share reaching an all time low.
https://www.cnet.com/news/mozilla-revenue-jump-fuels-its-fir... https://www.computerworld.com/article/3240008/web-browsers/m... https://www.ghacks.net/2017/12/02/mozillas-revenue-increased...
From what I've heard (I work for Mozilla), this is promo for Firefox. As I just wrote elsewhere in this thread: I believe the idea is that Mr. Robot fans use Firefox to participate in the ARG, not that Firefox users suddenly start watching Mr. Robot. So if anything I'd expect that Mozilla pays Mr. Robot for this.
The irony is that Mr. Robot is owned by Universal, a subsidiary of Comcast. So much for that commitment to net neutrality.
So much for the advertised protection of user privacy.
The extension is for shield study, when you install Firefox for the first time it asks if you want to take part in it (it is enabled by default though)
It has been praised for its technical accuracy, basically the show warns us about exactly what mozilla did as this could be exploited to hack into computers.
I think Mozilla should look into getting him back before they all end up losing their jobs.
The world doesn't need another browser that sacrifices principles for market share. Chrome, IE, and Safari are perfectly good browsers for that. What I wanted was a browser (and software in general) that promotes security, privacy, open standards, and open source. You can accuse me of misinterpreting the situation, but that's what I thought Firefox was 10 years ago. It's not what Firefox is today. It's turned into just another organization that's optimizing for the continuation of the organization over it's own founding principles.
You are trying to muddy the waters here. Even if I were to accept your (wrong) explanations, they still don't jive with the image Mozilla is trying to project.
Sounds like taking a shower without getting wet. I see you silently dropped the Pocket thing, then?
https://www.reddit.com/r/firefox/comments/7jvm2t/this_lookin...
Will they stop doing it? Of course not. I can't recall any time that this company has changed course in response to outcry.
The Mr. Robot series centers around the theme of online privacy and security. One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.
...which you've done by installing a fishy-looking addon without our permission and making us less likely to trust you?
Well-done, Mozilla.
Mozilla really needs to be more transparent about this kind of stuff.
The whole idea of slipping paid advertorial content into what are billed as "research" kind of gives the lie to this whole thing and is why I never turn these on in any product. Which is also why it's now "opt-out" by default, and why it will eventually not be an option at all. It's all for our own good, you see.
> Participation in an individual study is opt-in
Source: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies
If that didn't happen in this case, then I suspect it's probably a bug.
Wrong, as far as I see: Looking in my about:config, I see
enabled by default. The settings that I've changed from the default are shown in bold. These aren't bold. Those are the defaults. Everybody can check.That means that the user must actively take steps to disable them, if he knows that they exist and where he can disable them.
Every time the user creates a new profile, and most probably also when he "refreshes" an old one, he has by default the studies allowed.
It's even worse in other aspects: through the UI the "Allow Firefox to install and run studies" can be unchecked but it doesn't change the value of "experiments.enabled" to false in about:config.
Apparently the "experiments" allow Mozilla to install the "experimental" extensions to any user, without him knowing. And these extensions are invisible in the GUI! Even if the user goes to the about:config and sets extensions.ui.experiment.hidden to false, it will be automatically set to true again.
It all seems sneaky and deliberately obtuse.
Whereas studies collect usage data.
According to the Wiki page I linked in my previous comment, global settings shouldn't even matter in this case; since each SHIELD study must be opted into on an individual basis. (Or at least, that's how it's _supposed_ to work.)
Edit: Looks like the wiki was updated to state that some studies can be opt-out rather than opt-in. This also seems in-line with the documentation for SHIELD, which has a section on opt-out studies: https://normandy.readthedocs.io/en/latest/user/actions/opt-o...
https://normandy.readthedocs.io/en/latest/user/actions/opt-o...
"opt-out-study: Install a Study Add-on Without Prompting
The opt-out-study action installs an add-on, typically one that implements a feature experiment by changing Firefox and measuring how it affects the user."
They are obviously the topic of:
app.shield.optoutstudies.enabled=true
That I mentioned.
I see a lot of commenters trying to excuse them. The problem is, people allowed the "studies" because Mozilla claimed that they are "measuring" whatever "to make Firefox better." They never told anybody that they are selling the "studies" functionality which silently installs ("opt-out" not opt in!) to the advertisers.
I don't know how anybody can defend such an approach.
It's nonetheless not obvious to me why you were downvoted; I don't know if someone else was annoyed at your definition of "new" or whether there were other dubious claims in your comment. Perhaps privacy advocates are just too exhausted and cranky to explain themselves again.
> Participation in an individual study is opt-in
Though I do see some people now claiming the addon got installed without them opting in. Probably a bug of some kind.
Do Mozilla have no QC, or is it purposeful?
All these "but it's only an add-on [we foisted on you]", should just be a bullet point on the upgrade screen "we'd like it if you used this".
This is Microsoft level "customer" control, where they just ignore any chance the customer doesn't want something changing and go ahead, it's being treated now as Mozilla's browser not the users.
Anyways, I've taken the opportunity to opt-out of Firefox.
No, I had Firefox test pilot with `Video Min` addon, I was not prompted about he `Looking Glass` I removed all addons from Mozilla and their test pilot yesterday. There is only one thing that keeps me away from moving to Brave browser https://github.com/brave/browser-laptop/issues/3101
I hope they fix it soon so I can drop Firefox and their "mission". This is second time my Firefox got infected by Mozilla and their addons. A month ago my PC at work got infected with "Firefox Pioneer" https://news.ycombinator.com/item?id=15648179
Firefox Pioneer is literally a spy and tracking addon:
>Pioneer is an opt-in program that allows collection of richer data from Firefox.
I did not install it.
Windows 10 sends telemetry by default? Microsoft is literally Satan incarnate! BURN THEM AT THE STAKE!!!
Firefox installs crapware addons without user permissions and signs them up to participate in "studies"? Shhhhh...it probably only an innocent bug, nothing to see here, move along now.
Adding my me-too because I was fully convinced this was user error until I saw it myself. The opt-in is busted.
Often these days I disable every "Help us with information" box, both on close/commercial software and even open source software. I mean I'd like the help the community, but I really no longer like submitting any type of tracking information or even debugging information. Everyone is already clamoring for my data, and I guess it's more of a mentality of I don't want to give it away for free. They already get so much for free.
I'll still file a bug report on bugzillas and compile stack traces on faults. But I want to do it myself, explicitly.
I guess that sounds slightly better than "Firefox and Universal Cable Productions".. oh wait..
At least it's an authentic immersion into the world of dubious computer ethics.
> Excited to share the launch of @mozilla @firefox Tiles program, the first of our user-enhancing programs
It's not really "computer ethics" but rather, just "ethics".
The Extension actually does nothing, but invert (make them upside down) a few words on specific sites.
It's an experiment called "PUG ARG" to check whether page contents sniffing works. Its page doesn't reference any Bugzilla issue or Wiki page, while https://wiki.mozilla.org/Firefox/Shield/Shield_Studies/Queue doesn't list it.
The source code references https://support.mozilla.org/kb/lookingglass, which (as of now) only says "test - 12817".
The add-on tests whether specific words can be detected on sites; the current list has nice picks like "revolution" and "privacy". Of course, this is only a test, but in the future Firefox might look for specific terms in the pages you load and do specific things based on them.
The other thing it's doing is to send an extra header to three specific sites: https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b0894.... I suppose the words and the domain are a reference to the Mr. Robot series.
The add-on describes itself as an "Augmented Reality Game Experience" and was made by a certain "PUG Experience Group": https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b0894....
Of course, Shield Studies are supposed to be a way of making "more informed product decisions based on actual user needs".
https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...
Could not think of anything worse a web browser could do.
Do they change political arguments on pages in the future to see how I react in a user study?
Signed Mr. Guinea Pig
It's possible: https://blog.mozilla.org/blog/2017/08/08/mozilla-information...
You can't "sniff" what is already yours to begin with.
Luckily this is intended and seems to be a paid for marketing/advertising scheme
It's one flag, an entirely non-critical one at that, to either install this add-on hidden or not. It's not a major blunder to forget this once out of a few hundred times and it most definitely does not in any fucking way show that "the merge into production process is lacking a lot".
Absolutely no one would have minded, and there's no reason to either, if this would have been installed hidden.
You need to get the fuck down from those clouds and think about reality. Your comments are getting more ridiculous by the minute.
This is clearly an abuse of a development/testing/telemetry tool to deliver an advertisement.
Trust is hard to win and easily lost.
Sure `alert("FFFUUU WHY U NO WORK");` keeps you entertained for 5 minutes while you debug a problem but when that accidentally gets to prod...
Why are these turned on automatically? Plus, I turned mine off, and now they're back on again, with this looking junk installed.
What the heck Mozilla? What happened to caring about the users? We definitely can't trust Mozilla anymore.
[0] https://news.ycombinator.com/item?id=15880565
I've been very loyal to mozilla over all these years but this really is not ok. If they keep doing shit like this I'll switch to a fork.
Edit: I have FF Studies disabled under about:preferences#privacy. I guess that is the reason why it is not installed on my machine.
The support thread links to https://support.mozilla.org/en-US/kb/lookingglass.
That page says, in a clearly delineated box,
> No changes will be made to Firefox unless you have opted in to this Alternate Reality Game.
PLEASE EXPLAIN THIS INCONSISTENCY.
That doesn't make it OK, but it would make me look at them with suspicion instead of hostility.
hey look, a voice of reason!
seriously. Mozilla is a company that has a long track record of dedication to openness and the free and open internet
this isnt Google, facebook, etc
let's all take a step back and give them a little benefit of the doubt here, until we get some facts on what happened.
for everyone else...
WANT TO JOIN THE MOB? I'VE GOT YOU COVERED! COME ON DOWN TO GR3YH47'S PITCHFORK EMPORIUM!
I GOT 'EM ALL! SETTING UP SHOP IN HACKERNEWS MEANS BIG SALES!
CHEAP TRADITIONAL FORKS! ON SALE!
Traditional ---E
Left Handed 3---
Fancy ---{
DEFECTIVE CLEARANCE ARE EVEN LOWER!
---F
---L
---e
NEW IN STOCK. DIRECTLY FROM LICHTENSTEIN. EUROPEAN MODELS!
---€
---£
*some assembly required
True, and that's why I never stopped and recommending Firefox since I first installed Phoenix. That said, they're already installing and enabling Cliqz by default (for some users), and that's no bug. So it's not absurd that people might assume this isn't either. Reputation is hard to gain and easy to lose.
Except for:
Google Analytics being used on the Firefox Addons menu – solved by adding, in grey text on grey background, a tiny "Privacy Policy" link: https://github.com/mozilla/addons-frontend/issues/2785
Automatically sending URLs visited of random German Firefox users to a German company (CliqZ) owned by a publishing, advertisement and tracking company (Burda): https://news.ycombinator.com/item?id=15421708
Mozilla forcefully enabling toolkit.telemetry.enabled in Nightly and Developer versions, and, upon being asked, saying that "below the download link is a text telling you that by downloading these, you opt-in to telemetry".
Benefit of the doubt is over, it’s time to get the pitchforks out.
>hey look, a voice of reason!
Where's official statement saying it's a bug and it will be disabled ASAP? All I see is Mozilla workers here trying to justity the "bug".
I wasn't involved in its development, so I can't speak to its origin or the decision to use Shield for distribution, but I can gather feedback and answer technical questions about Firefox and the add-on.
I know that you only need to need to turn off "install and run studies", but this has now cost Mozilla all telemetry data from me, and I encourage everyone to do the same.
http://qutebrowser.org/
You mean the single button that does literally nothing until and unless you click on it?
If you must know why, I don't want promos for particular web properties in my browser. I find Pocket to be annoying conceptually (a service to help you carry around all the things you didn't and won't read—eww, no, no thank you), and I don't want to look at it every day. I don't want to have to Google to figure out how to disable it. I don't want my browser to come with nonsense I need to disable.
> You mean the single button that does literally nothing until and unless you click on it?
This must be the kind of mentality that leads people at FF to do silly things like mentioned on this thread, or having "just one button" for their acquired web property. That's the opposite of how great product minds think. Great product people think "how can I REMOVE this button?" Not "how can I get away with having it?"
My main complaints are that it's not more useful, though with some tweaks, I've made it just that.
https://www.reddit.com/r/dredmorbius/comments/5x2sfx/pocket_...
https://pastebin.com/LjMA5Dms
It needs more help than just CSS, but that's a start.
Why can't they just make a web browser that's... just a web browser? Chrome has never had buttons to email pages with gmail, record videos onto YouTube, share pages on G+ etc.
* they can feed Chrome Sync data into their advertising databases.
* it means that they don't have to pay other browser vendors quite so much to make them the default search engine.
* they can take control over webstandards for their other profit-driven purpose.
* they can hinder the blocking of their ads.
Mozilla can't or chooses not to rely on any of these profit schemes, so they need other ways of making money.
* https://news.ycombinator.com/item?id=15921134
This is a link to the GitHub issue:
* https://github.com/gregglind/addon-wr/issues/36
There are several scary things about this:
- Unknown Mozilla developers can distribute addons to users without their permission
- Mozilla developers can distribute addons to users without their knowledge
- Mozilla developers themselves don't realise the consequences of doing this
- Experiments are not explicitly enabled by users
- Opening the addons window reverts configuration changes which disable experiments
- The only way to properly disable this requires fairly arcane knowledge Firefox preferences (lockpref(), which I'd never heard of until today)
1. Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
2. Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
3. What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
Mozilla (and other browser vendors) have the ability to push updates to their browsers outside of the normal release cadence. In many cases, these updates are distributed as add-ons, as they're cleanly separated from the rest of the browser internals, but that's just an implementation detail. If you visit about:support in Firefox, you should see a table of "Firefox Features," which are exactly that. Their source lives at: https://hg.mozilla.org/mozilla-unified/file/tip/browser/exte...
For example, we used a system add-on to control the gradual roll-out of multiprocess Firefox, and the New Tab page is also implemented as an add-on called "activity-stream."
> Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
Unknown in the sense that this extension wasn't documented at all, there was no Bugzilla issue for it and it's not clear whether it was properly vetted by QA. Whether you argue that this kind of silent push updates is good or bad, I think they aren't tested as well as in-browser functionality. This is a necessary consequence of "let's try it and revert if something breaks or people complain".
More so, a rolled back Shield study will be invisible to the users, so any problems will be impossible to debug. This is made worse by the fact that most, if not all Shield studies are opt-out, so the user won't be notified.
> Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug. > What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
People have reported that extensions.ui.experiment.hidden reverts after viewing the add-ons list. I haven't tried it myself, but you can find details in that Reddit thread.
Others have noticed that the Shield studies checkbox sometimes (possibly on version bumps) reverts to enabled. I can't overstate how bad this is; it's basically cheating the users' trust. Lately, Mozilla has been doing some pretty nasty things for an organization that takes pride in caring about the privacy of its users.
Are you aware of the complaints regarding Windows telemetry? Edge, for example, sends full browsing history to Microsoft by default. Should Mozilla follow suit? Because that's exactly what Pioneer does and, while it's not opt-out yet, Firefox advertises enabling it.
As for the rest of the system add-ons, they're either poorly documented (if they are at all), poorly named ("Presentation"), or seem concerning from a privacy point of view (e.g. Activity Stream, Follow-on Search Telemetry, Photon onboarding, Presentation, Web Compat Reporter).
For anyone curious, Presentation seems to be an implementation of a proposed Web API that allows browsers to find and talk to devices in their neighbourhood. Does that include location/proximity beacons like this old proposal https://hacks.mozilla.org/2013/06/the-proximity-api/ ? Do users really want Firefox to tell advertisers where they're shopping? That's the same kind of "experience improvement" that the spyware of yore used to bring.
Why should Pocket be an add-on with superpowers? There was quite a bit of backlash over it a while ago, but Mozilla didn't budge, and some employees actually spread misinformation (not to say "lied"). And actually none of my system add-ons seems to be providing any important functionality (if you disregard the new tab page, for which I haven't seen yet a privacy policy). Looking at Shield studies ( https://www.jeffersonscher.com/sumo/shield.php ), it's even worse: most are surveys, advertisements, asking the user to enable Pioneer (i.e. send full browsing history to Mozilla).
The comment about the visibility of the add-on (Bugzilla, QA process, documentation, etc.) is well taken, as are those regarding the naming of system add-ons, Pioneer, etc.
I've got an intercontinental flight coming up soon, and I'll do some grepping around to try to understand the prefs mentioned. If someone else beats me to it and posts a specific set of steps to reproduce a pref flip on those, I'd appreciate it.
I think for most people this is the stickiest point. Other commenters have said things along the lines of, "well if you trust their browser you should be able to trust their add-ons" and I do, mostly, trust their add-on here... but I really don't like how it slipped into my Add-Ons without telling me. For every other Add-On I have to click an explicit blue button, so I know what's in and what's out.
In today's landscape, Add-Ons have massive potential as security threats. For instance, would a savvy user who is security-aware (most users on HN, I assume) install an Add-On like Gmail Checker Plus[0]? Without digging in, it's hard to be 100% certain what this Add-On is and isn't doing with my Gmail content (I have no reason to assume anything nefarious, it's just an example). My browser Add-Ons should be off-limits to any sort of tampering without my permission, as well should be my bookmarks and auto-fill info. If I broke into your house and changed your bedsheets, you'd rightly be creeped out... nothing was stolen, new bedsheets don't affect you in any significant way, but it's still wrong and weird and hurts trust.
0. https://addons.mozilla.org/en-US/firefox/addon/checker-plus-...
"In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"
In all seriousness, I understand this is an important issue, and needs to be addressed, but we've obviously gotten to the point as a society recently where no news can't be played up for hype by pundits and commentators for their own benefit (and probably without realizing they are doing it in a lot of cases).
The whole way this is being presented (by many here, not to pick on the parent) as a new chunk of the sky falling is what I find really troublesome. No, chicken littles, the sky isn't falling, but there is some interesting shit going on up there that deserves a look.
I fail to see how getting half the people frothing at the mouth and the other half downplaying it just to try to keep some sanity in the discussion helps for a good outcome.
No they can't, despite mozilla removing the option to prevent this, I have an extension preventing website to run code in my browser without my permission. it happens to be one of the most popular firefox extension: noscript. (also umatrix and request policy).
No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
You've conflated third party javascript with javascript in general. You can turn off javascript entirely, but unless you do so, that website is generally able to ship javascript to you as included scripts from the same domain or in a script section or inline with attribute handlers.
> No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
Yes, they very often do. Currently, they generally ask if you want to restart using the new version and give you that choice, but they are often downloading newer versions of themselves ahead of time to speed up this process.
Whether they have permissions depends entirely how you installed the application. If it wasn't installed globally, user permissions are all that is needed.
> I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
Good! I hope you've also never ever piped wget output to a shell for some application's quick installer. I also hope you've never installed any programming language module through that language's package manager and not your distro's package system, because those are notoriously bad at making sure there's not holes through which bad stuff can happen either.
Regardless, it's possible that the package you downloaded, no matter the source, can do something other than stated.
> It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
Actually, I don't think I guessed wrong because I wasn't guessing anything, and I never said it works the same for everybody. I believe, since I was careful to qualify my statements, that each is easily proven correct, and I've done so.
Maybe the government need to start sponsoring Mozilla so that they stop doing things like this.