106 comments

[ 4.9 ms ] story [ 187 ms ] thread
A 700+point related post from yesterday that was flagged as a dupe because another with 80 points had been posted previously:

https://news.ycombinator.com/item?id=28783381

I think it's interestingly different from that other HN thread (and its dupe). This story is about this consent dialog [0] -- particularly the sneaky "not now" in the top corner -- that weren't mentioned at all in the (mozilla.org) article submission. I think most HN'ers aren't even aware of it (or at least I can't find any specific comments about it -- in fact I read multiple comments where I believe HN'ers misunderstood the dark pattern, thinking Firefox had automatically opted them in, when more likely they clicked the wrong option. ("Customize in settings", instead of "Not now")).

[0] https://regmedia.co.uk/2021/10/07/suggest.jpg

Does a serious alternative to Firefox exist? I mean an alternative that is what Firefox purports to be? I'm ready to make the switch. Been with Mozilla since Pheonix, but the user hostility has become too much.
(comment deleted)
I know some get annoyed with this answer but if you look into what the Brave team is doing they have a lot of really interesting projects in the works. I've had a great experience with Brave.
Brave being webkit, it's not an alternative.
>Brave being webkit, it's not an alternative.

Brave is Blink not webkit - Blink has been developed by Google, Facebook, Microsoft, Intel and many others. It is the standard for web rendering just as linux is for web hosting. There is nothing wrong with open standards.

It's not as open as one would think. The corporations have too much control over it that if someone forks it, they will be left behind. Check how syncing was disabled in chromium recently.
>if someone forks it, they will be left behind

Is gecko any different in this regard? That is how forking works.

>The corporations have too much control over it

Blink seems better in this regard, it has received major contributions from just about every major tech company out there diversifying its control. Gecko has been primarily just mozilla (especially these days since it only represents about 3% of the market).

The fact you state blink is a standard is everything that is wrong with browser monoculture.

It's like we didn't learn anything from IE6.

Also blink is just a fork of webkit.

>everything that is wrong with browser monoculture

What exactly is wrong with open standards? Would you say linux creates a hosting monoculture? That's just ridiculous. Blink has been contributed to by just about every major tech company, that isn't a monoculture thats how open standards work.

Blink isn't a standard, it's an implementation of multiple standards.

An implementation cannot be a standard since a standard describes what a implementation needs to do while a implementation will need to both decide what parts of standards to implement and how to implement them and will do many things that are not described in standards. There are many behaviors, bugs and implementation details of Blink that should not and cannot be part of a standard.

As soon as a implementation becomes a standard we get ossification and implementation bugs in the standard as the only way to conform to the standard is the exact original implementation.

Besides all that while Blink has contributors from many individuals and companies it is clear that google steers the ship.

The web standards were built on the idea that multiple independent implementations were crucial, and it is a required step for a proposal to become a standard.

Linux isn't a standard either, the standard in that case would be POSIX and linux is "Mostly POSIX-compliant".

> What exactly is wrong with open standards?

Nothing, but Blink isn't one.

> Would you say linux creates a hosting monoculture?

Yes, obviously. The GNU/Linux hegemony is a pet peeve of mine, especially because it breeds this absurd "well the most common implementation does X, so screw everyone else" mindset that needlessly hinders alternatives.

They also have a search engine that's good enough most of the time.
Personal opinion:

There is an entire economy and ecosystem based on rewarding sinister web design. The complexity and resources involved in keeping pace with contemporary garbage while qualifying simply as a functional browser is too vast. So much that I suspect it's all downhill from here. I don't believe we'll ever see an all around user-friendly, privacy respecting, well designed, functional browser. I'd delight in being wrong here, but sincerely doubt it.

> There is an entire economy and ecosystem based on rewarding sinister web design. The complexity and resources involved in keeping pace with contemporary garbage while qualifying simply as a functional browser is too vast.

Yeah, HTML standards have basically evolved into a kind of regulatory capture that protects Google's browser. Even Microsoft found them too difficult to implement and meet user expectations.

> I don't believe we'll ever see an all around user-friendly, privacy respecting, well designed, functional browser. I'd delight in being wrong here, but sincerely doubt it.

At least if we rely on market incentives. I suppose we might see one if it's regulated into existence (e.g. European regulators forcing Google, Microsoft, etc. to provide browsers that respect privacy and provide functional extension capability for ad blockers and the like).

Well... A few years ago I did the same journey, abandoning Firefox for something else. There's several stable and serious browsers out there.

After looking for weeks I created a list of categories... And it depends on what are you willing to sacrifice:

Just want a plain browser, without logins, synchronization, without ANY external connections etc:

Ungoogled-chromium (Windows, Linux...) and Bromite (Android).

Don't care about full web compatibility or speed but keep your privacy under control:

Waterfox Classic and Palemoon (Windows and Linux).

Don't care about Open Source vs Closed Source licensing (but still preserve some privacy):

Vivaldi (the most customizable Chromium-based browser out there but the UI even after several improvements feels a bit slower than other browsers).

Don't care about privacy... Then it's quite easy:

Edge, Chrome, Opera.

If you are into cryptocurrencies or need a nice browser with decent adblocking on iOS: Brave.

I decided to use Vivaldi since I like to personalize the looks of my browser quite a lot.

The best recommendation is to try everything for a while and settle with the one you feel most comfortable.

All these forks will die because even firefox, a well organised OSS project is struggling

That leaves Edge, Chrome, Opera and Vivaldi

Because you even mentioned them, I don't think you understand the question. Let me rephrase it: who will develop, and have a sustainable business model for a new browser engine and break Chromium's monoculture, other than Firefox?

>> firefox, a well organised OSS project

I see no proof of this.

>> is struggling

Money-wise, no. Management-wise, hell-to-the-yes.

Every time I see Mozilla mentioned on HN, I get sad how badly they screwed things :(
Vivaldi only has a small team. They said in 2016 they only needed five million users to turn a profit (They generate income based on search engine referrals).

Another downside to Vivaldi is they don’t push out many releases meaning that their security is likely lagging behind. My assumption on this is their custom UI takes a while to build after a new release.

Edge and Chrome both push out timely security updates.

EDIT: Typo.

who cares? They are still Chrome, whether they live or die, the course of the web platform is still unaffected
Don't care about full web compatibility or speed but keep your privacy under control

Dillo, NetSurf.

They are fine if you mostly use sites like HN and other mostly-static content, maybe with some forms interaction. Those are HTML4-ish "document web" browsers. There's also all the text-based ones that those who want to send an even stronger message about how much they hate the "modern web" can use.

I really appreciate your comment. Of that list, Vivaldi seemed like the best option for me (even If proprietary...), but on mobile I noticed page loading lag that happened with Firefox on Android in the early days. So I'm still searching... :/
I wish. Gecko is open source, so there's no technical reason another non-Chromium browser couldn't be created (which I think is important for the web ecosystem, avoiding browser monoculture, etc.). I suspect that no one has really done it because it would be a terrible uphill battle and there's no direct revenue to be had. Browser money comes from ad/search partnerships, which require a strong existing userbase, or just the userbase itself in the case of something like Chrome.
There are several active Firefox forks like LibreWolf and Waterfox
I plan to give LibreWolf a try.
Have you heard of Chrome. It's made by Google, the company behind the most popular search engine. It's fast and has lots of features. It's got pretty popular over the last several years. I recommend checking it out.
> It's made by Google, the company behind the most popular search engine.

Google's abuse of their search dominance to push their way into browsers is a compelling reason to boycott it.

I don't think it's wrong for a business to advertise other products / services it offers on its web properties. Google wanted to get the word out so where better than on their homepage.
> I mean an alternative that is what Firefox purports to be?

To privacy and functionality thow shalt count. Not to infunctionality, nor tracking.

Google is Right Out.

Google respects your privacy and Chrome tends to have more features than Firefox.
> Google respects your privacy

Do you work there? I see no other way you could possibly think this.

If not, do you have a source you can provide?

> Chrome tends to have more features than Firefox

This is true. Some features, I have no use for, some are outside of standards and thus lead to the same issue as years ago with IE, and some fall under both.

Admittedly, me having no use for some doesn't mean they don't have value for other people. It's the standard extend and extinguishing that worries me.

And yes, a standard that only one company can hit may as well be extinguished.

>If not, do you have a source you can provide?

Unironically read Google's privacy policy page.

https://policies.google.com/privacy?hl=en-US

Blow by blow breakdown time I guess. I skip portions of the policy here and there.

> We also collect the content you create, upload, or receive from others when using our services. This includes things like email you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos.

So first up. User created data, this seems necessary ofc. Lower down, it says emails aren't used for advertising, but says nothing about using them for tracking.

> We collect information about the apps, browsers, and devices you use to access Google services, which helps us provide features like automatic product updates and dimming your screen if your battery runs low.

> The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.

We totally need to have your device information on hour servers so we can checks notes provide automatic screen dimming! Yup! Can't do that on device!

And then there's the sheer amount of other information they collect in this paragraph, especially the phone number, and "unique identifiers" - which have proven to pretty much always be trackable back to an individual if someone care's to look.

Pretty much the only thing here which doesn't violate privacy is the last sentence.

> We collect this information when a Google service on your device contacts our servers — for example, when you install an app from the Play Store or when a service checks for automatic updates.

Hm, that seems pretty frequent but whatever I guess. Maybe this is just with Android?

> If you’re using an Android device with Google apps, your device periodically contacts Google servers to provide information about your device and connection to our services. This information includes things like your device type, carrier name, crash reports, and which apps you've installed.

Nope, that gets it's own section. Oh, and look they get every. single. app. installed - regardless of it's from Play Store.

> We collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like. The activity information we collect may include:

    Terms you search for
    Videos you watch
    Views and interactions with content and ads
    Voice and audio information when you use audio features
    Purchase activity
    People with whom you communicate or share content
    Activity on third-party sites and apps that use our services
    Chrome browsing history you’ve synced with your Google Account
> If you use our services to make and receive calls or send and receive messages, we may collect call and message log information like your phone number, calling-party number, receiving-party number, forwarding numbers, sender and recipient email address, time and date of calls and messages, duration of calls, routing information, and types and volumes of calls and messages.

Most of this seems reasonable, but "Activity on third-party sites and apps that use our services" boils down to "We take whatever we want if the domain isn't ours".

> We collect information about your location when you use our services, which helps us offer features like driving directions for your weekend getaway or showtimes for movies playing near you.

This is one of the few that has actual functionality requirements to collect, but the degree to which it is collected is problematic.

Also, this information is effectively PII, but last time I checked can be shared with "Unique Identifiers" as anonymized information.

Skipping the ...

I mentioned this on another post:

The Tor Browser without Tor. It’s Firefox with all the “extras” stripped away.

The instructions on how to do so are easy to find on the web. It also supports all the same add-ons/plugins.

I’m wondering if Vivaldi is a good option?
LibreWolf is a fork of Firefox that removes telemetry, Pocket, and other unwanted stuff. You can use a copy of your existing Firefox profile, but be sure to go through LibreWolf's settings as its defaults err on the side of privacy and may be different than what you already have set up.
The dark pattern in one image:

https://regmedia.co.uk/2021/10/07/suggest.jpg

I and I think many others chose "Customize in settings" -- but the actual opt-out is that hard-to-see, third button in small print. We didn't "get opted-in automatically" -- it's this dialog we "opted in" with.

I would choose that button particularly because the "not now" button sounds like it would prompt us again in the future. It really doesn't sound like an opt-out.
I don’t even remember seeing this image. It was enabled on three separate machines.
Oh my, that is absolutely fiendish. I had to check the image a couple times before I found 'not now' in the corner.
Geez, why doesn't Mozilla simply ask for donations if it needs money for development. Imagine if all free open source projects operated this way. Advertising on computers is a virus. Just when you think you have it eliminated or under control, someone starts spreading it again.
It might make the majority of people lose trust in them, even if they were doing it for the right reasons and were actually going to use the money for the right purposes. People just associate that kind of behavior with scams and poorly run organizations.
So what happens when you press customize? From looking at a relevant changeset[1], it seems that only Allow enables the ads (setting suggest.quicksuggest.sponsored), while Customize does not (and the comments specifically says the user remains opted out). The related bug is marked as confidential[2].

Incidentally, here[3] is an interesting list of settings relating to the address bar that may or may not be documented elsewhere.

[1] https://hg.mozilla.org/releases/mozilla-beta/rev/6348c24c98c...

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1693126 I may be remembering this wrong, but most bugs on bugzilla are open to the public, this one isn't, presumably because they weren't interested in public discussion

[2] https://hg.mozilla.org/integration/autoland/rev/d3de5eaaaa15

I'm not sure how long this message has been here, but Firefox does have this note on it's website[1]:

> We haven't quite hit our mark. We've received feedback that it's difficult to figure out which Firefox experience you've got enabled. We are hard at work to address this and continue to improve the feature.

[1] https://support.mozilla.org/en-US/kb/navigate-web-faster-fir...

(comment deleted)
Every 6 months or so, Mozilla's marketing team tries something that is clearly, obviously NOT wanted by Joe & Jane Random User, then quickly posts an "oopsie, who could've known, we'll do better!" blog update.

Tiring, and so easily avoidable.

> Unfortunately, all major browsers now use a combined address and search bar. So, if you’re typing in the address of a sensitive website to go directly there, your keystrokes as you type will be sent to your default search engine and your search engine may be able to determine the website address you’re typing in manually.

That's why it's a good idea to split the search box in the Firefox settings. Ctrl-l takes you to the address bar which doesn't load any remote data, and ctrl-k takes you to the search box on the right, which does send keystrokes to the search engine.

Settings → Search → Add search bar in toolbar (check that box)

Also uncheck "Show search suggestions in address bar results"

Problem solved, for now.

Most if not all of the bundled search engines send the data over HTTPS and do not save what you type or assign it to your account. There is nothing to worry about.
> and do not save what you type

I think you are dreaming if you believe that.

Send a request to Google for all of your data. It won't be in there.
How do you know they don't feed it into an ML system before they delete it?

That lets them "not save it" while reaping the benefits of saving it.

If it's deleted, then why would you care? It no longer has anything to do with you.
If they have trained an ML system on it, they have acquired and exploited info about your private behaviour even if it is anonymized. So it is an invasion. The trope "not personally identifiable => not invasive" is self-serving and a non-sequitur and needs to die.
Why do you care that Google's improved one of their ML systems. Are you a competitor to them. It doesn't seem very nice to be against others improving their services.
A few years ago the NHS gave a load of confidential patient data to an insurance company to train their models. They claimed that it wasn't a problem because the data was deleted after training.

However, nobody knows (publicly) what kind of model it was. If they overfitted the data then when you ask for an insurance quote based on say, date of birth and postcode, the quote will be based on your actual medical details rather than on broader statistics. The result is no different from them having explicit access to your medical records before giving a quote, which is not permitted.

It is easy to build an ML system which for most queries provides the same answer as having access to the original data.

I have no interest in helping a trillion dollar company beyond the bare minimum to access the services I need. I’d rather they figure out how to improve their services with more ethical (and controllable!) privacy practices.
You are changing the subject. If they are observing my private behaviour without my consent, I don't care what they are doing with the info. I want them to stop no matter what they are doing with it.
I can't trust them to say that's all there is.
Maybe you should learn how to trust people / companies than always being paranoid.
As the saying goes, it's not paranoia if they really are out to get you.
Hint: For 99.9999% people "they" are not out to get you
If they are out to get everyone and you are part of everyone, then they are out to get you. It's just logic.
You cannot trust what a company says but you can trust what former or current employees of this company say. Companies are not some unfathomable alien life form, after all.
HTTPS says nothing about how trustworthy the end recipient is, just that only they will receive your data.
Then just use a service like Google who are public about using encryption between machines.
I use waterfox because I already hat enough of the firefox bullshit. But even there you now have to enable the search bar. And pressing tabulator when inside the address bar does no longer jump to the search bar but directly into the browser windows.

Dark patterns shit all over this. "Oh sure you can reenable the search bar, but go suck a dick if you used tabulator for switching to it"

You may also need/want to set keyword.enabled to false in about:config.
This is panic over nothing. There is no personally identifiable information being sent with your location, and the location is made to be imprecise.
How does that make this ok?
Because it's normal in marketing. Most web servers log your whole IP yet people don't freak out about that.
Today you've told us to use chrome, trust google, and that spyware is okay if it's "normal in marketing". Do you work for google, or are you full of shit takes today for another reason? You clearly don't get what made people like Firefox in the first place. You are so out of touch, it's painful.
Things are often a lot more boring than what some people who are paranoid about their privacy believe. These people have trouble trusting others not to do the most evil thing possible and the internet would simply not work if everyone was actually anonymous.
The opinion regarding firefox of one who would recommend Chrome is lower than dirt.
>it’s normal in marketing

There’s a reason NOT to do something if I’ve ever heard one.

> Because it's normal in marketing

Just because some perverted minds consider something "normal" doesn't make it "normal" to me.

It's not about perversion. The data can be legitimately useful. It's normal because this same data was collected preinternet since they found it useful back then too.
Because it's normal in marketing

Doesn't make it right.

Most web servers log your whole IP yet people don't freak out about that

Because people are unaware of that, or its implications.

Much of Firefox's target market uses it because of the "normal in marketing" stuff it prevents
This isn't a web server, it's the browser. I expect web sites to spy on me, but not my own user agent!
A web browser is essentially a website itself. It already makes web requests to load stuff.
Is ought fallacy.

Just because it is normal in marketing does not make it okay. I am increasingly of the point that marketing, by itself, is not okay.

In my browser, it is certainly not okay. I attempt to practice memetic hygine, so I do not want to see ads. Not wanting to see ads, and having some actual privacy in the first place, is why I use Firefox.

>Is ought fallacy.

I am not trying to make a logical argument. That would require an agreement on a way to determine objectively whether something is okay or not. Unfortunately, humans are subjective beings. What they believe to be right and wrong is subjective.

>I am increasingly of the point that marketing, by itself, is not okay.

>I do not want to see ads.

You say this yet you end your post with marketing. You are adverting Firefox. Marketing happens everywhere and trying to escape all of it is a fool's errand.

It's kind of hyprocritical in the context of Mozilla's blog a couple of days ago where they said that the new opt-in idle detection API created by Google is enabling mass surveilance, meanwhile they're using dark patterns to get you to send your location to ad companies.
The dialog is an example of a dark pattern, with three options, one highlighted to encourage a reflex click, one in discouraging grey for customising settings, and sneaked in at top right, a small "Not now" link.

If there's anything navigating "modern software" for a few years has taught me, it's that you should expect to be treated like the product and "herded", so the most encouraging option is usually the worst one for you, and the least encouraging option is usually the best. This anti-conditioning has become so strong for me that I remember recently being confused upon seeing a page with only a huge green Download button, thinking "this can't be the real one, it feels too fake and obvious" when it was actually the real one. I wonder how many others will be gradually conditioned by these dark patterns to do the exact opposite of their original sinister intentions.

But this Firefox one definitely takes the desire to confuse to new heights --- it's probably the first time I've seen "not now" as an opt-out, and I'd more instinctively go for the grey.

This should be illegal. Or at least violate some level of software design standards.
It was enabled by default on my installation, which is extra surprising considering I have all forms of address bar and search suggestions disabled except browser history.
Mozilla repeatedly extolls Firefox as the safest, most privacy-respecting browser, but keeps carving away at their goodwill with little barbs like this. It's a very odd image strategy, all actual privacy arguments aside. There must be other ways to monetize than becoming the digital version of a used car salesman.
No one as any insider info of how this kind of things is going on inside Firefox corp?

I find it curious that privacy cautious OSS devs would not complain highly when asked to add shitty "feature" like that. And it is not the first one recently.

So, is it like in a big corp where an asshole management executive push down such decision from the top?

What typically happens is that this stuff gets forced from the managers from on high and some developers complain and ultimately leave since their morale compass is being violated and those that can stand it stay. Then whoever they hire and retain fits with this new culture and the entire morale compass is very quickly shifted. What management wants always goes in the end they just slowly expel all those that disagree to implement it one way or the other.
How long until we get an " unmozillad Firefox"? I really think that Firefox is a great project with the unfortunate attribute of having Mozilla attached to it. Mozilla really seems like a cannonical in the making (which itself is a Microsoft in the making)

I don't think I can trust IT-conglomerates in the making anymore.

Absolutely fucking disgusting. Something needs to be done to these greedy psychopathic fucks. I don't know what that would be, but something absolutely needs to be done.
Damn, I see more negative news from Firefox than Chrome lately…