520 comments

[ 2.5 ms ] story [ 318 ms ] thread
Says the site that only offers one big button "accept" to its cookies :( :( There's no "Nope".

Edit: Weird, some people seem to have received more options than me. For me there was just one option to accept (Zustimmen) and nothing else. Everything was in German but I read German anyway. I was on mobile though, perhaps this is why? I can't see it again because I already pressed it.

A practice (pay or accept cookies) which was actually ruled in breach with GDPR but many German sites seem to do this somehow.

I agree with the criticism on Firefox but this is very hypocritical. Heise used to be a good company. I even used to subscribe to C'T and iX.

> A practice (pay or accept cookies) which was actually ruled in breach with GDPR but many German sites seem to do this somehow.

Our Data Protection Agencies ruled it okay. There was a recent court case that called it into question again, so we’ll see how things develop.

FWIW, my normal blockers manage to block the heise.de pay-or-track banner, different from, e.g. golem.

what data protection agencies?
I used the wrong word, it’s authorities. The German word is "Datenschutzaufsichtsbehörde"
This is why scrabble is such a popular game in Germany :)
But even then, it's a bit hypocritical writing an article slamming firefox for this at least allegedly privacy-sensitive adtracking. While requiring readers to consent to tracking from your however many ad partners :P
(comment deleted)
These dark patterns will prevail. However, I honestly expect their reasoning to be "every single user reading heise.de should have a cookie banner blocking enabled in their Ad Blocker". Also, I think you can accept it for free when you click "Einstellungen", this is not golem.de.
> Also, I think you can accept it for free when you click "Einstellungen"

No, this part is mandatory:

> Datenverarbeitungen von Werbeanbietern einschl. personalisierter Werbung mit Profilbildung [Zustimmung erforderlich für kostenfreie Nutzung]

they will not prevail, unless we collectively let them do so. they are already probably in breach of GDPR, and I don't see the EU backing down on this stuff.
Collectively? More people have no idea what the GSPR even is, what cookies are, what the question even means, and just randomly click a button.

The only way to get some collective action from 99.999% of web users, would be to get multiple high profile media personalities to endlessly, repeatedly tweet about it... along with a catchy jingle.

Users would still have no idea about anything privacy related, but maybe 10% would do as commanded by their idols.

Having only "accept all" and say "configure", or even a highlighted "accept all" and a very small or even just unhighlighted "deny all" is against GDPR. IIRC:

- choices presented must have the same visual weight (e.g for buttons)

- there must be no default choice preselected (e.g for radio/toggles)

- the fallback when no choice is made (e.g a dismissal or a "failure to display" a.k.a bug or nag blocker) must be equivalent to deny all

Instead we get this mess because enforcement requires litigation from users and these companies make just enough to claim "oh we thought it was Ok plus we go through a off the shelf pluggable third party so not on us" plausible deniability.

from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

> If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

from https://www.edpb.europa.eu/sites/default/files/files/file1/e...:

> Example 6a: A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.

> 41. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.

> The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice.

> In the digital context, many services need personal data to function, hence, data subjects receive multiple consent requests that need answers through clicks and swipes every day. This may result in a certain degree of click fatigue: when encountered too many times, the actual warning effect of consent mechanisms is diminishing.

> This results in a situation where consent questions are no longer read. This is a particular risk to data subjects, as, typically, consent is asked for actions that are in principle unlawful without their consent. The GDPR places upon controllers the obligation to develop ways to tackle this issue

I get a different banner - it's a huge square with a wall of German text that I can't understand. There are three buttons, also in German, and I have no idea which button to press. Guess I won't be reading the article.
My current process for "modal asking any consent when I just jumped in the page and don’t have any certainty there is something there I am looking for" is

- does reader view toggle works? if yes, consult, end here

- am I really looking for some information that might be there? if "no I just clicked a link from somewhere on the internet", then end here

- still here? Hey, what about looking at the DOM, if the information looked for is not a simple small segment of text, there are good chances a few CSS/HTML tweak will reveal this. Got it? end here, though you might consider to automate this process with Greasemonkey if this domain often fall in your research.

- no luck so far? It’s ok, you know Internet is vast, there are plenty of other page to visit. WTF are you doing here anyway, don’t you have a job, hobbies and people to cherish? And what about a small walk, you look like you need some fresh air, you know?

So how do we turn it off?

Found it. Go to settings, type privacy into the search box. The last item under "Firefox Data Collection and Use" is a check box labelled "Allow websites to perform privacy-preserving ad measurement".

It was already unchecked on mine when I looked just now.

Yeah on desktop. On mobile it's a lot harder. It's still turned on and you have to use a workaround to enable about: config because they don't bother to make this option visible in settings.
> and you have to use a workaround to enable about: config

I know of no workaround short of installing from the Beta or Nightly channel.

chrome://geckoview/content/config.xhtml

source: https://connect.mozilla.org/t5/ideas/firefox-for-android-abo...

Yeah apparently you can use that to set: general.aboutConfig.enable to true

And then you can go to the normal about:config and set dom.private-attribution.submission.enabled to false

Only then is PPA actually off (apparently, I did not manage to test this yet but someone did confirm the default setting is true). Not cool. Especially because Mozilla provides instructions for the desktop version on their site but doesn't even mention the mobile version at all.

I can access the about:config page on mobile, but I can't seem to find a relevant option. Maybe it's already disabled for the Fennec app from F-Droid?
On mobile you probably want to try Fennec and/or Mull, both Firefox forks, compatible with FF addons and available on F-Droid.
Do we know why they blocked about:config on mobile? It doesn't make any sense at all...
It worked for me, no issues. I am on version 128.0 (Build #2016030615)
I had to go through some Gecko thing first like others mentioned, quite odd. Supposedly the setting to adjust is in there too, but I have no idea what applies here
Doesn't work for me

128.0 (Build #2016030615)

Wonder why this is even an issue.

I recently started using Firefox again, because of all the madness around Chrome and the change of how add-ons (mainly uBlock and similar) would work.

And it felt kinda good, i actually thought that Firefox was different and a part of "the good guys", now it doesn't feel that way anymore. Sigh.

I don't know of any "good guys" whatsoever that ever managed to build and maintain a browser. Anyone?

Maybe one day we'll have a usable FOSS browser but I doubt it (the companies will fight tooth and nail against it including legal means, buying out companies, blocking content for them, etc.).

I think the guys that built WebKit originally (Konqueror) are kinda good guys. I still sponsor KDE with a monthly donation <3 But the browser wasn't really kept up, I don't think they had the money for it. It lives on in Safari though.
on firefox mobile:

open chrome://geckoview/content/config.xhtml, set general.aboutConfig.enable to true

open about:config, set dom.private-attribution.submission.enabled to false

Wow, thanks for this and the parent post.
What's the difference with setting

    dom.private-attribution.submission.enabled 
to false in the gekoview?
Probably none, I didn't know it was also there. I just compiled what worked for me after scrolling through a few other posts.
Thanks a lot for this tip. I don't know how one is supposed to find this setting.
On MacOS that checkbox is in a separate section called "Website Advertising Preferences".
Interestingly the option has a link to an explanation on how it works. Which was handy as I couldn't get past the German cookie dialogue on the original article.

I guess the question is whether the aggregation services can be persuaded by clever attribute manipulation to give the ad site a near unique report for a user across many sites.

<https://support.mozilla.org/en-US/kb/privacy-preserving-attr...>

<https://datatracker.ietf.org/doc/html/draft-ietf-ppm-dap>

<https://github.com/mozilla/explainers/tree/main/ppa-experime...>

[flagged]
> when instead jail time for spying like the perverts they are is what should have happened.

Can you elaborate? Please?

Spyware is illegal. Jail all CEOs, managers, engineers that worked on spying features at google, ms, etc

They are repleaceble and next gen will not dare to spy on users.

Fines are stupid and don't work anyway.

This is in full compliance with the democratic process, judicial tradition, etc so I'm not ranting, instead it is that we have been so removed by the idea of punishing the actual people that do actual crimes just because they work in megacorps that any suggestion to do so sounds like a commie rant.

The CTO of Mozilla just posted on /r/firefox about this:

https://old.reddit.com/r/firefox/comments/1e43w7v/a_word_abo...

I think this line is very important:

> First, in the absence of alternatives, there are enormous economic incentives for advertisers to try to bypass these countermeasures, leading to a perpetual arms race that we may not win.

It's very likely that this arms race will lead to DRM in web publications and video feeds (which Google is already experimenting with).

I will begrudgingly admit he has a point here. In a few years I imagine almost all sites will refuse to serve anything without WEI, and the "open" web will be the preserve of a few hobbyists. Annoyingly you'll still need to use a compromised browser (or worse, app) to do anything with your bank, etc.
It will be something like WEI or sites will just be a giant blob served via WebASM.
(comment deleted)
> the "open" web will be the preserve of a few hobbyists.

And maybe that will be the Web healing. If all the value extraction moves elsewhere, we might finally have a sane web of hypertext documents again.

Unless that is labeled the new darkweb and blocked by the firewalls of ISPs and govs.

I hope enough mainstream things remain on the open web for it to be unrealistic to fully block.

Maybe, but I suspect it will be more like trying to access Usenet now.

I dunno. Considering the balkanization of the web maybe I should get in to ham radio or something.

Yes, the kneejerk reaction against FF here isn't really thinking things through. Mozilla has to walk this tight rope since ad companies own the web already.

Realistically, the best outcome at this point is that enough users are willing to send enough data to advertisers so they allow the open web to continue.

The alternative is that sites will eventually only work in Chrome or Safari on limited, locked down platforms (read: no Linux support at all).

DRM on a website = no search engine can scan the website = no users = the DRM website dies.
Which is why it hasn't rolled out yet. Once this is solved, you bet your ass they will start rolling it out.
google is the owner of the DRM verification system, they add exception for google robots, website only appears on google, kills other search engines in the process
If the DRM is coming from Google, I'm sure they'll take that into consideration when designing it. Feels ripe for an anti-trust lawsuit, but IANAL so who knows.
With that logic, wouldn't Widevine DRM already be ripe for an antitrust lawsuit? Genuine question.
When I wrote the comment I was imagining Google using the tech as a moat to stop other search engines from indexing DRM protected content. I guess if they shared it and "all" search engines could index the content, it would probably be fine? I'm guessing that's why Widevine is "fine".

But like I said, I'm not a lawyer and have no idea what I'm talking about.

It would be if antitrust regulators were not asleep.
Which is one of the main reasons why it’s such a problem that the search engine with an overwhelming market share also owns the browser with overwhelming market share and is also the largest online ad company. Not to mention they pay billions each year to the other browsers. Google has a huge amount of control over every part of this.
You’ll notice that Google search now shows excerpts from things you can’t actually see visiting the site (paywalled news, paywalled scientific articles). The age of “show us exactly what users see or get downranked into oblivion” is long gone, sadly.
> leading to a perpetual arms race that we may not win

So we're not even going to try.

This is an attempt to try. You don't win my being an immovable wall going against the biggest corporations. If the W3C manages to create a system that satisfies advertisers while preserving our privacy, that's how you win. There isn't a future where advertising will just disappear. I'm just being pragmatic here, as a user of ad blockers for 15 years.
Most advertisers will not be satisfied with that. The real question is if regulators will be and therefore can use this as a reason to clamp down on advertisers. If so this might work, but I am skeptical. And either way it was wrong of Mozilla to sneak this in as opt-out.
(comment deleted)
I can see the economic argument, but I am not sure that I buy it. W3C could push this as a standard, but surely anything that is privacy preserving will by its very definition provide less data for advertisement targeting, no? With less data, the targeting is likely to be worse in terms of advertisement efficiency. Thus, the economic incentive even in an ideal situation as with a W3C standard will be pushing any advertiser to "betray" the system and fall back on the very arms race that Mozilla is arguing that they are trying to avoid, no?

At best, politicians could jump on the "solution", but then why are Mozilla not already lobbying in that case? Why is the first party they are reaching out to the wolf in this drama?

Regardless, Mozilla has lost me at this point as a user. This being opt-out is inexcusable and I will find ways to gravitate away from them as I should not need my poor package maintainers to be paranoid with their upstream code in the same way they have to be with Chrome in order to protect us from developer abuse like this. Will try Mull on mobile now, hopefully it is viable, and see how I solve the desktop situation when I can find the time.

It's not an attempt to try, it's reputation management. There is no 'anonymization' of data, because the advertising companies Mozilla is selling your data to now have almost 20 years of profiling that can effectively identify people through "anonymous" results. This has been known for years. Mozilla knows. They don't care.
An immovable wall is exactly what is needed to confront big corporations when they behave abusively (and intrusive profiling is an example of this). 'Pragmatism' here is just acquiescence in creeping surrender. Look what advertising has already done to the web and privacy.
What's already happening is that websites are Si ply dropping support for Firefox.
Except being uncompromising is exactly how free software won. And compromising on EME DRM did not make websites using that DRM any less restricted to popular platforms. Compromise is not a winning move when what you are fighting against is fundamentally unacceptable.
Which will lead to counter moves by alterative browsers and websites and Google risking the loss of browser market share. If you think this is unthinkable, just look back at Microsoft's dominance of the browser market twenty years ago. Exactly like Google is doing they were pushing through all sorts of user hostile stuff via internet explorer. Before Chrome came along, Firefox was one of the few holdouts against them. Internet explorer users were dealing with all sorts of crap. Popups, popunders, all sorts of viruses, cross site scripting attacks, etc. Mostly that was just a mix of poorly designed features but there was also MS trying to get into search and advertising and they were trying to abuse their defacto monopoly to do that.
I don’t disagree with you in principle, but this history is not quite right. IIRC the IE6 team was shut down. Basically only Mozilla and Apple were building browsers at scale until Chrome came along.

I might be misremembering?

Yes, you are definitely missing a decade here. The internet explorer/edge team was shut down long after Google grabbed most of the market share.

Chrome was launched 2008; Safari had its first release in 2003. And I was using the early Phoenix builds (later the name change to Firefox happened) in 2001. The version of internet explorer around the time Chrome launched was v7. IE 6 was already old news by then. And IE 8 launched soon after the Chrome launch. 9, 10, and 11 followed. And then the switch to Edge happened; which was a complete rewrite of their browser engine. Only in 2020, MS announced switching to Chromium. So, that's about 12 years of MS trying to hold on before they finally gave up.

How will an alternative browser get people to use it when major sites all make it impossible to use a non-Chromium browser?
Yes, that line is important.

This has happened before. Remember the critique against Encrypted Media Extensions (https://en.wikipedia.org/wiki/Encrypted_Media_Extensions): Oh no, DRM in the browser! But remember that web video used to require Adobe Flash for the longest time, and even after a decade of HTML5 video, sites were still clinging onto Adobe Flash (and later also Microsoft Silverlight) for what turned out to be DRM purposes. At the time, these plagued proprietary blobs were not going anywhere. Except, after EME had widely supplanted this last holdout usecase, they were quietly allowed to die. The result is that we have much smaller-scoped proprietary blobs in the form of content delivery modules with a lot fewer bugs and portability issues.

The situation with Flash and Silverlight was better than the situation currently is with EME. Before, you could implement a standard-compliant open source web browser, you just may not be able to view certain non-web embeds. Now, web browsers need permission from Google to view certain kinds of web content, and they can't be open source.
I agree with the other commenter.

The current situation is worse.

EME requires that the browser ship with a DRM library like Widevine.

Flash used an industry standard plugin model and could work in any browser.

This move does not stop the arms race. Non-anonymous data is still better for the ad industry. Why give that up?
Because browsers can clamp down on The non-anon data streams when there’s a working alternative.
(comment deleted)
Wait aren't browsers already trying to implement anti-tracking measures? Are you saying Mozilla has been holding back improving anti-tracking for the benefit of advertisers until now? Now that is evil
> Wait aren't browsers already trying to implement anti-tracking measures?

Yes, and trackers are investing large sums of money into breaking those measures.

If you give advertisers a lawful non-user-threatening way to measure their ads performance, a lot of that money may disappear.

(Or it may not, or it may disappear either way. That one market is crazy and I know almost nothing about it. But the claim that the money may disappear is valid, and you have to provide a valid counter-claim if you want to contest it. Calling it evil doesn't cut it.)

But this is exactly what I wrote that I don't believe in my initial comment. There'll always be more money in more intrusive tracking. Why would they give that up? Surely Mozilla is selling out to advertisers based on something more substantive than "we hope that advertisers won't keep taking a mile if we give an inch"?
And that DRM will likely come anyway and restric users of niche browsers like Firefox and operatings systems no matter what Mozilla does - just look how EME implementations and Websites using it treat Linux users not to mention non-x86/ARM architectures. So best is to push back now while we still can instead of giving them an inch.
> doing something about [the massive web of surveillance] is a primary reason many of us are at Mozilla

> we consider modal consent dialogs to be a user-hostile distraction from better defaults, and do not believe such an experience would have been an improvement here.

You know what's user-hostile? Doing things without the user's knowledge or consent. The new tab page of Firefox after an update often advertises features of the release Mozilla sees important (their VPN offering, Firefox on mobile, etc.). This time the new tab page told me nothing about this change. Communicating it to me was "free" and they still actively refused to do it.

"Doing something" about surveillance starts with transparency but if Mozilla's leadership doesn't see this as important they have no place leading such a company. Mozilla doesn't seem to wrap its head around the fact that their users use Firefox because they don't want the same kind of shady tactics Google or Microsoft keep pulling, they don't want their browser control to be handed over to some guy in a board room who needs a PR team to give a lengthy non-answer to the problem.

I see a lot of words spent on why they came up with this technology but barely a mention about the biggest issue here especially from a company that presents itself as a champion of user rights: they pushed the change in the dead of night and took an actively hostile decision in the users' names by enabling a clearly controversial setting without any warning or communication.

> we should have communicated more on this one

This kind of PR speak for "we actively kept it hidden" is the best way to alienate the users who investigated and chose this browser for a reason.

Thats just it, that they are doing this in a somewhat quiet manner is a sign that they know how this would go down.
(comment deleted)
Interesting comment here: https://old.reddit.com/r/firefox/comments/1e43w7v/a_word_abo...

If you have telemetry disabled, this feature is also disabled, even though that isn't represented in the UI and looks like it's turned on.

It's not good that it exists and is on by default, but if you have already opted out of telemetry previously, you're opted out of this too.

Oh my... not exactly reassuring.
This phrase in particular:

> I’ll do my best to address [your questions], though I’ve got a busy week so it might take me a bit.

That means: I'll answer the easy ones, and ignore the hard ones, or ask the legal team to come up with some weasel words.

"The devil is in the details, and not everything that claims to be privacy-preserving actually is"

Yeah, like Mozilla.

This is not the first time they silently added tracking and avertisement. The toggle with "firefox shares basic telemetry with the adcompany Adjust" has been there activated by default since a while (among other stuff). This is just more tracking from them, while claiming to defend privacy. Another day, another scandal.

> It’s clear in retrospect that we should have communicated more on this one

What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson. The user outcry was utterly predictable from even before the first web article was out. The fact that no one with decision power at Mozilla saw it coming is worrying: either they have zero understanding of people’s concerns for privacy or they don’t care. Neither is good.

Especially since this is very similar to what happened with Cliqz and that there likely are many at Mozilla who were around when that happened too. And the Cliqz scandal hurt Mozilla's market share a lot in Germany.
> The fact that no one with decision power at Mozilla saw it coming is worrying: either they have zero understanding of people’s concerns for privacy or they don’t care.

Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end. Criticism of Mozilla in general is very warranted right now, but the way(s) in which everyone is doing so just feels very out of touch with the actual situation. ;P

They're - by their own words - trying to do something in a privacy preserving way because the ad industry is not going away. They might fuck it up at first, and that's why it's an experiment. It's also possible to disable it, it's not like you're trapped in it.

This thread in general feels like it leaves Mozilla no room to experiment or find any form of growth. People want them to be "just a browser" but then also expect them to be stewards of the web - and then cry foul when they actually try to find a setup that fits into the current model of the web.

> It's also possible to disable it, it's not like you're trapped in it.

Or so they say, in order to make people be OK with it. They might play the waiting game and in a year or two will make the setting not do anything and still collect / send data, hoping that by that time people have forgotten.

There is so much hypothetical-borderline-conspiracy-theory packed in to this single comment that I cannot find a charitable response.

I'd be fine to continue the discussion if you can find a way to engage without assuming that the people who build one of the last checks on the open internet are somehow trying to maliciously invade your privacy.

The days of Mozilla having earned the benefit of the doubt are long gone for most people.

The person you replied to made a reasonable point and your response reads as defensive and dismissive. Do you have an interest in Mozilla we should know about?

Eh, I don’t think my comment is defensive. I also could’ve just ignored the comment.

I explained to them that I’m open to discussing but there’s nothing to be gained when the comment starts off in conspiracy theory. It’s an open source project, people will 100% notice if they tried to do what the parent comment is suggesting.

It certainly reads defensively.

> It’s an open source project, people will 100% notice if they tried to do what the parent comment is suggesting.

No-one thinks they'll lie about it. They'd announce it quietly just like this change, letting the fuss blow over. The average user would never even realise and Firefox would continue on its journey towards user hostility.

You’re certainly welcome to read it however you’d like.

OP specifically said “make the setting do nothing while still collecting the data”. I don’t know about you, but a setting that acts like that would be akin to lying.

The comment chain is pretty clear here IMO.

> OP specifically said “make the setting do nothing while still collecting the data”. I don’t know about you, but a setting that acts like that would be akin to lying.

Well, that is what Firefox did here. They created a new feature, defaulted it to on, in direct contradiction to user choices. We know this because this Web Site Advertising feature defaults to on even where the user has the strictest level of tracking protection enabled and even when the DNT option is selected. Even so, Mozilla has decided that this form of tracking is not covered by those clear signals of user intent.

So why not believe that Mozilla will do this again. Deprecate existing tracking choices and enable Web Site Advertising tracking for everyone. Like this change, it would be announced and decried and ultimately used by the majority of users who don't follow browser changelogs.

What will happen is that privacy advocates like me will recommend not to use Firefox, as it's functionally equivalant to Chrome is this respect and far less supported, and Firefox will continue to die.

This pains me as a former contributor and advocate, but it's almost inevitable now unless a privacy-focused non-profit can fork Firefox and leave Mozilla to it's decline. I would even pay for a Firefox fork, but I will never donate to or purchase again from Mozilla.

> Well, that is what Firefox did here.

No, let's be very clear here: what Mozilla/Firefox did here was default users in to a setting without good notice on how to opt out.

This is different from what was said in this thread, which is making the setting do nothing while still collecting the data. If you disable the setting/opt out, then the data isn't being collected.

> No, let's be very clear here: what Mozilla/Firefox did here was default users in to a setting without good notice on how to opt out.

That's a framing so charitable to Mozilla that it is untrue. Again, do you have an interest you should be declaring in this conversation?

> This is different from what was said in this thread, which is making the setting do nothing while still collecting the data.

No, it's not. It ignores the Strict Tracking Protection and DNT settings and opts in users to tracking. It's absolutely identical to possibility posited by the other commenter.

For all your pontificating above about other people's comments, it seems the only person commenting in bad faith is you.

I don't see how it's conspiracy theory. Firefox has done exactly this over and over again. (The latest example that annoyed me: browser.proton.enabled =false)

As a user of Firefox, I feel like I'm in a constant battle with Mozilla/FF to disable every new bad idea they have. Every time I'm forced into a surprise update I didn't ask for/try_to_install, something gets worse. This isn't an unusual state for commercial software, but Firefox is supposed to try to not be commercial.

Firefox is dependent on Google for ages, that should tell you all you need to know about "conspiracies".

I am not interested in a discussion with a person who gives the benefit of the doubt of a company who has clearly not only made a Faustian deal but is now looking to expand partnership with the people that nobody wants tracking their machines and activities.

Because as we both know, in the entire history of humanity there were NEVER any conspiracies when there is money to be made, right? Wink wink.

Well, no, that doesn’t tell us anything about conspiracies. That’s just Mozilla getting money from Google. You can argue that it’s problematic from the stance of Google using Firefox to argue they don’t hold a monopoly - and I’d agree with you there.

That deal with Google isn’t enough to leap to the conspiracy theory here though. The ad industry isn’t going away, Mozilla seems to want to try to make it work for all parties.

If you want to let perfect be the enemy of good, though, go for it. shrug

> That’s just Mozilla getting money from Google.

“That’s just politicians getting money from financial criminals.”

“That’s just police getting money from organized violence.”

“This is fine.”

You're new to the internet and bigtech, huh? If not, what rock have you been living under?
If Firefox was the last check on the open internet, Librewolf wouldn't have to exist.
They don't need to. Defaults are retained by the majority of users, who will never know about this change.
> This thread in general feels like it leaves Mozilla no room to experiment or find any form of growth.

Mozilla is welcome to experiment. The issue here is:

- The default opts the client in instead of the client making that choice to be a Guinea pig in the experiment

- I get emails almost weekly that amount to Mozilla playing the role of internet privacy police. They *are* well aware of the rights and wrongs. Are they going to call out themselves?

- As for growth? How about paid pro-privacy email hosting? And a suite of applications (a la Google docs)? Advertising might not be going away but there are still opportunities that align with Mozilla's ideals and brand... And they're too busy being hypocritical internet police???

> The default opts the client in instead of the client making that choice to be a Guinea pig in the experiment

I think this is a reasonable critique, even if I personally don't find it a big deal. If it's privacy preserving, I don't necessarily give a shit if it's defaulted on - especially if there's a way to disable it.

(IMO, defaulting it on and then widely announcing how to disable it is what they should have done, and their bungled communications on this is biting them)

> I get emails almost weekly that amount to Mozilla playing the role of internet privacy police. They are* well aware of the rights and wrongs. Are they going to call out themselves?*

Why would they call themselves out here...? They have stated, very bluntly, that they are trying to do something in a privacy preserving way. They are acting in line with their stated intentions/role/etc.

> As for growth? How about paid pro-privacy email hosting? And a suite of applications (a la Google docs)? Advertising might not be going away but there are still opportunities that align with Mozilla's ideals and brand... And they're too busy being hypocritical internet police???

Those are wholly separate business ventures, whereas dealing with the advertising behemoth is an unfortunate part of the browser ecosystem today. Someone, somewhere, is going to have to contend with this - and Mozilla is somewhat uniquely positioned to explore here.

If you think Apple or Google are going to do it without perverse incentives, then I don't know what to tell you.

We all lost our minds when Google tried to pull their privacy-preserving Federated Learning of Cohorts thing. I expect an even bigger outcry when Firefox, whose entire brand and reason for existence is privacy, quietly tries to do the same thing.
I think the worst part of the funding equation is that had Mozilla stayed on mission and invested it's Google fees wisely, Firefox development could have been indefinitely funded.

Instead, we have had Mozilla sprawling in numerous directions secondary to the browser and failing in nearly all of them.

That is the problem, people want to run a modern corporation with its tentacles always reaching and growing instead of focusing on a core business proposition that they can win at.

If you dont grow at double digit percentages year of year, are you even trying?

Mozilla Corporation was a mistake.
[flagged]
That is incredibly reductive and entirely misses the scope of the issue. It isn’t just HN. In case you’ve missed it, the article is not an HN page but a separate website. The comment I replied to linked to Reddit. It’s all over Mastodon. I’ve seen other blogs and publications commenting on it too.

Yes, of course a large number of people won’t talk about this in six weeks, let alone six months. On the other hand you’ll have ex-hardcore fans complaining about it for over six years. I still see people talking about the Mr Robot debacle and the other crap Mozilla has pulled to this day. If anything, Mozilla is more susceptible to this backlash than the average tech company. Regular computer users don’t give a rat’s ass about Firefox. The people Mozilla needs to convince are exactly the ones they keep alienating.

This bunch of nerds creates software, including for the web, and sometimes there's an option to test it on Firefox or not. Nerds also recommend browsers to friends and family.

HN is also not the only bunch of nerds like that.

If this were, say, Adobe, I’d agree with you. HN as a community doesn’t have much clout in the design or video space.

This is Mozilla we’re talking about, though. HN is exactly the sort of audience they need on their side. That bunch of nerds is the same group they relied upon to evangelise for them during the IE era.

Mozilla might just have decided that that's no longer the case: that their funding from Google does not depend on nerds advocating for the browser. That is either they came to the conclusion that Google will continue to fund them even if the market share continues to fall or they have decided that the end is inevitable and are just trying to milk the cow for all that she's got.
This comment shows such a lack of context of the history of Firefox that I wonder if it's trolling?

Firefox exists and reached its peak because of the people that idealogically cared about the Web and interoperable,security, privacy, etc who contributed to and advocated for Firefox.

Firefox market share is going down.

One reason is that the people who would be promoting Firefox aren't.

Personally I feel mostly ashamed to admit I'm using Firefox. In theory Firefox is great. In practice they coming up with new ways to treat their core user base badly.

> One reason is that the people who would be promoting Firefox aren't.

Individual promotion of Firefox worked very well when the browser(s) it was trying to displace were effectively frozen in time.

Chrome (et al) and Safari are not those browsers. The average user isn't going to get a markedly different experience by switching to Firefox.

That is because Mozilla has consistently moved Firefox in the direction of a Chrome clone.

When Firefox started is was not a copy of existing browsers. There is no reason it would have to be now. But they have rejected their core users. So now the only option left is a Chrome clone because that is what people are used to.

Even if it was a credible idea, how exactly do you think that Firefox - the browser that the minute anything changes, the internet blows up over - would significantly alter their product in a way to differentiate themselves from Chrome?

This isn’t even getting into base level stuff like available engineering resources, or the scenarios where the other vendors often control or have deals to give them favorable distribution on platforms.

This isn’t the IE6 era. It’s a significantly different and harder problem.

For one, not throwing out their only differentiated advantage versus Chrome. For two, not taking the option that removes user control and customization whenever there is an option to do so. They could have been the privacy-focused browser, but it is still full of crap like this and various bits of undisclosed telemetry.

There would be value in being the only browser to actually stop when users tell them no. But they seem incapable of listening.

> They could have been the privacy-focused browser

I don't see how trying to find a privacy-preserving way of dealing with the ad conundrum makes them not a privacy-focused browser/company.

You'd need to otherwise cite something re: undisclosed telemetry, considering the project is open source... so I'm not sure how exactly it'd be undisclosed.

> Even if it was a credible idea, how exactly do you think that Firefox - the browser that the minute anything changes, the internet blows up over - would significantly alter their product in a way to differentiate themselves from Chrome?

You're presenting it as though any change would be met with hostility, but the alternative is that they're only met with hostility because they keep making changes that hurt the users. A little while ago they announced that they were working on properly supporting vertical tabs and tab groups; that wasn't met with any hostility. Of course, in the same announcement they said they were planning to dumb down the rest of the interface even more, which was. But the point stands; they can get a positive reaction by making changes their users actually like, they just don't do that as often as they do the other thing.

People used to have a dozen different instances of IE6 open. It was a pain to switch between them and it made your computer run slow. Firefox had tabs. And it had AdBlock. Those were things people wanted.

But these days, Chrome is plenty good enough for most people. Even if Firefox had a perfect privacy story and focused on their core users’ every whim, I don’t think their market share would grow.

Well then they need to close up shop or think of something else, because adding more ad tracking isn't a feature to anyone but predatory advertisers, and they will only keep paying you if users keep showing up.
For what it’s worth, I agree. Adding more tracking definitely isn’t going to help. But I don’t think there are any easy solutions. I definitely don’t envy the people in charge of Firefox’s product strategy.
> When Firefox started is was not a copy of existing browsers.

IIRC, when Firefox started, it was very similar to the full Mozilla Suite with some features removed (which is not surprising, since it started as a Mozilla Suite derivative and they shared a lot of code). It has a long lineage going back to the old-school Netscape Navigator.

> Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end.

That’s the second option: they don’t care.

> This thread in general feels like it leaves Mozilla no room to experiment

If you you’re going to experiment with something that’s going to cause this amount of backlash (and my criticism is that they didn’t take the obvious reaction into account), you show a dialog on first run that tells you what the feature is, perhaps include a “Learn More” link, and have an option to accept or deny. You can even have the former as the default. And do it in your betas first.

Would that still cause some backlash? Possibly. But it would’ve been significantly milder and you would have seen a lot more defence of Mozilla for not doing without asking.

Mozilla in particular is frequently pulling crap like this and getting flak for it. They have to constantly apologise and back track. After a while you’d expect they learned something.

> Mozilla in particular is frequently pulling crap like this and getting flak for it. They have to constantly apologise and back track. After a while you’d expect they learned something.

Well, they learned: they fuck up, backtrack & apologize (it is free, no real impact, so no worries), and life goes on.

> no real impact

Apart from a market share that is continuously tending towards zero.

That hasn't impacted their salaries so far though, especially that of the leadership.
Which is all that matters, in Google's schema of things.
Learning implies a future where you don't keep doing the same thing.
> the ad industry is not going away

That's the start of full blown stockholm syndrome.

No data is ever fully anonymous, don't pretend otherwise. So no data should be send at all.

What you call Stockholm syndrome, I call reality. ;P

This is an area that we are stuck contending with. Legal solutions are needed here but that path is mired by complex and powerful lobbying. If Mozilla can push for a more private or more protective - even if not fully private or fully protective - then I’d like to see where it goes.

Or they could just not do this shit. Completely refuse to help your enemies. Actually support their users.
Firefox has 3% market share. Completely refusing to engage with your enemies only works when you have the actual guns to back that attitude up.

If you refuse to engage with the ad industry they just ignore you. Oh and the company that owns a large part of the world's ad industry and owns the browser that has 65% market share also pays like 90% of your bills.

I mean, what's step two of your glorious plan to charge fists raised into battle?

Maybe they would have a better market share if they weren't constantly pulling this shit every two or three years...
I know it feels right to say that. But really, do you think the majority of people who switched from Firefox to Chrome did it because FF did not address their privacy concerns? Seems ridiculous. However bad FF is, Chrome is much worse.

It seems far more likely that the remaining 3% are the few people who care, and therefore, "pulling this shit" did not cause the current market share.

Which means the people who care about privacy are their CORE market. You do not offend your core market. I’m not a business expert but c’mon.

I’m willing to put up with slowness and incompatability when I feel like firefox is on my side. Now? I’m going back to Safari.

As if… Firefox’s popularity and then decline stems from consumer perceptions of functionality and general availability (i.e. marketing)
Firefox playing their game makes Firefox completely redundant. The advertisers get your data either way, so why not use Chrome?

Firefox compromising heralds its own irrelevance.

> The advertisers get your data either way, so why not use Chrome?

You might believe that the advertisers get less of your data if you use Firefox.

Similarly: you might be less likely to have your house burgled if there are locks on the doors and a burglar alarm, even though people with those things still get burgled sometimes. You might be less cold outdoors in winter if you wear a parka, even though it's still cold. You might be less bored if you buy/rent/stream some interesting books, music and movies, even though having those doesn't guarantee never being bored. You might be less likely to lose your next chess game if you practice tactics and learn openings, even though you'll still lose if you play Magnus Carlsen. You might be less likely to have a heart attack or stroke if you take those antihypertensives the doctor prescribed you, even though those are still tragically things that can happen to anyone. Etc., etc., etc.

Very few things are absolute and perfect. It's usually a matter of "less" versus "more".

This latest thing gives advertisers more information about me than they would have if Firefox didn't do it. (Unless I turn it off, which in fact I have done.) It doesn't give them very much information about me. I'm pretty sure they would get much more information about me if I switched to using Chrome (e.g., because Firefox supports better adblockers).

For the avoidance of doubt, I do think Mozilla should have made more noise about what they were doing, I do think there's a repeated pattern of them putting things into Firefox that their users don't really want and hoping no one will notice[1], I do think that says something bad about how Mozilla is run, and I would be happier if the Firefox project were run by people less inclined to do such things. But none of that means that you might as well use Chrome instead of Firefox, if you happen to value the things that Firefox still does better than Chrome.

[1] Actually, I think they know perfectly well that some users will notice, and they've decided it's overall better PR to do the thing quietly, wait for people to complain, and then say "oh, whoops, we should have been more open about this, we're so sorry and will totally not do the same thing again in six months".

> You might believe that the advertisers get less of your data if you use Firefox.

Shortly as Chrome implements Privacy Sandbox, both Chrome and Firefox will support the same levels of advertising tracking. For Chrome, this is a privacy upgrade of sorts, but for Firefox, this is a definite downgrade.

As Firefox converges on Chrome in this area, the privacy advantage evaporates.

Does Chrome do anything equivalent to Firefox's "Enhanced Tracking Protection"?

Chrome forces extensions to use "Manifest v3" rather than "v2", which cripples some ad-blockers; in particular, the full version of uBlock Origin will run on Firefox but not on Chrome. (I'm not sure of the details about the v2->v3 migration; maybe that isn't universally true yet. If not, it will be soon.)

"Reduces" and "evaporates" are not the same thing. I see the case for the former, not for the latter.

I dont believe that, and have no reason to believe that at this point. Any browser that makes me monitor their changes for privacy destruction is basically just chrome with more steps.
Actually it's the other way around. As long as Firefox only has a negligible market share, advertisers are not going to care about it enough to work around Firefox-exclusive tracking protection forever. Regulators are also not going to be concerned that Firefox makes certain business models harder because it is insignificant.
> Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end.

Well, right now, with their dwindling market cap, I feel like their only userbase is HN & co's type of user.

They repeatedly failed to increase their user base with non privacy conscious adjacent communities. So antagonizing the ONLY folks that go through the trouble of installing a non default browser to have a worse user experience seems like a big brain moment.

I wonder what the market share in that segment is? From my experience, startup types almost exclusively use Chrome or Safari. Firefox doesn't even register with most devs.
It seems somewhat questionable whether or not it is possible to sustain something as complex as Firefox based on users like us. There might not be enough, or enough people willing to pay.

They’d be really screwed if Google didn’t give them a good deal. Somewhat wondering if Google just keeps them around to stave off the appearance of being a monopoly.

The web seems to have gotten pretty unsustainable in general. Might consider upgrading to Lynx or something like that.

> It seems somewhat questionable whether or not it is possible to sustain something as complex as Firefox based on users like us.

I have this crazy theory that Firefox could be completely sustained by users willing to pay for it.

I mean... Mozilla Co definitely couldn't be sustained by users money only, but Firefox could.

The only path I can see for a healthy web (if this is even possible right now) is to completely liberate Firefox from Mozilla's shackles and mismanagement. A free and open-source browser should be treated more like a public good, such as a Linux distribution, than a money-making machine.

>Somewhat wondering if Google just keeps them around to stave off the appearance of being a monopoly.

No shit.

> trying to do something in a privacy preserving way because the ad industry is not going away

they're bending for the ad industry because they want their money. they could also just keep blocking their tracking and call it a day.

They introduced quite a bit of privacy aware of measures, quite effective ones, so pretending they are stupid is not really beleivable.

> the ad industry is not going away

But users do. Let them have a great faking love affair with the ad industry.

> People ... expect them to be stewards of the web

Do people really expect that? I'm glad they're part of whatwg etc., but I'd much prefer they just made a good browser instead of tooting their own horns about how much good they're doing for society. In the end I think society would have been better off if they'd just focus on good tech like Gecko/Servo and Rust and not bothered with all their side stuff.

or y'know make it _opt in_ instead of making basically hiding it so if you don't know, you're just gonna be part of the experiment
Who's to say this "my bad, we'll do better next time" isn't part of the playbook?
This.

I've seen enough of:

Step 1 - outrageous move Step 2 - apologize, progressively pull back Step 3 - people spread word they made it better Step 4 - stick to still outrageous but comparatively better "middle" move

To really give it any excuse anymore. And so have you. If "Unity" tells you nothing... I'd like that rock, please, I'll need it to survive the incoming 4 years of social media.

Now you've learned how parliamentary politics function.
That would be the “or they don’t care” part.
Once you start assuming that every apology is fake and in bad faith, the world quickly goes to shit.

I'm not saying its impossible for apologies to be in bad faith, just that if it becomes impossible to apologize and move on after making a mistake, it becomes impossible to do anything productive.

Not real apologies, like from people — just corporate apologies, like from paid-for stooges.

Society will not collapse if we start holding these monsters to account; the opposite.

Holding corporations (or anyone) to account requires having some way for them to rectify their past sins.

Otherwise this is just vengence. If you never forgive there is no rational reason for corporations (or anyone) to stop doing whatever objectionable things they are doing, since it would already be a sunk cost.

it's a classic abuse tactic: if you ask first, people will cry out and if you then do it, it'll be considered escalation on your part. so instead you do it first, and if possible, do something worse to begin with, and then when there's outcry, you take a small step back, claim to be the reasonable one, and then later on push the rest of the way.
> What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson.

They are trying to find a funding model that makes them independent from Google.

- Building a fast, privacy-oriented browser that keeps up with web standards and fixes security bugs takes people, organisation and therefore money. Yes, much more than that CEO salary.

- No one wants to buy for a browser.

- No one wants to pay a subscription fee for a browser.

So you are left with ads. Mozilla is trying to find a balance there between privacy and ads with a clearing house approach. People who hate ads out of principle scream. How should browser development be funded?

> How should browser development be funded?

One of the most common Mozilla complaints I see on the web is that you cannot fund Firefox development directly. People want to give money to it, but cannot.

Which makes sense, I guess. Anecdotally, Mozilla is by far the company I know with the most vocal users that get completely ignored.

Come now, let us be realistic, no one and nothing funds browser development other than advertisement:

https://ladybird.org/#sponsors

That is provably false. Safari isn’t funded by advertising, neither is Orion, or LibreWolf, or any number of other smaller open-source browsers.
According to news stories, Apple received $20 billion dollars in 2022 from Google to make Google the default search in Safari.

https://www.theverge.com/2024/5/2/24147007/google-paid-apple...

Which is easy money that Apple uses for the company as a whole. They don’t make Safari because of Google’s money nor is it likely they would stop developing it if that money was no longer paid.
None of those appear to be advertising companies.
If there is one single piece of software I will post a recurring fee for, it's a web browser. Look at Kagi and Orion for example (I pay for both).

It's like email. You need to get people over the mental hump. But then if you offer a good product, buyers will be happy they got over it.

https://foundation.mozilla.org/en/donate/

Here you go! Insert credit card here.

Except that it's well-known fact that none of your donations for the foundation ever go anywhere near Firefox itself, since Firefox is spun off as their commercial sector to accept Google's money
that doesn't pay for Firefox...
I donate to them as well, but donating broadly to the Mozilla foundation isn't the same as selling the web browser in exchange for money.
Mozilla has tried experiment after experiment to try to earn money. Let's try forcing Pocket down people's throats. Let's automatically install Mr Robot. You know what people will love? Full-page ads for a VPN! No one has seen enough VPN ads!

The one funding model they haven't experimented with at all is actually asking people to pay for Firefox. Donations or subscription, they haven't even tried it once.

And yet people will over and over again insist that that would never work. Doesn't that strike you as odd? They're willing to flail about trying thing after thing after thing that their users hate and yell about and they end up having to pull back, they're willing to burn credibility over and over again, but the one funding model that their users keep telling them they want they refuse to even try on the grounds it would never work.

At one point Mozilla was literally selling a VPN subscription. That point is now - you can go buy one today. https://support.mozilla.org/en-US/kb/what-mozilla-vpn-and-ho...

You can even donate money today: https://foundation.mozilla.org/en/donate/ From memory, Mozilla's spent years trying to get donations through asking people nicely and in relatively unobtrusive ways in-browser for years. You can even give monthly - a subscription, if you will.

Not only have they tried both donations and subscriptions, but their efforts have been resoundingly ignored. To the point where you are far from the first person to fault them for supposedly choosing to not do what they demonstrably do.

Perhaps people suggest that donations and subscriptions don't work well or reliably because there's history showing that.

> At one point Mozilla was literally selling a VPN subscription. That point is now - you can go buy one today.

I don't want a VPN. And I don't want to pay money to a Mozilla VPN of which some unspecified percentage will actually get used to pay for Firefox development (with the rest actually paying for the VPN). I honestly feel my money does more harm than good paying for the VPN because it creates a false impression of where the demand is.

I don't want a subscription to an unrelated service, I want a subscription to Firefox. I want my money to go into a stream that unambiguously shows my support for the single Mozilla project that I care about.

> You can even donate money today

That money will not (and I believe cannot) go to Firefox. As presently structured the corporation does all Firefox development, and the corporation cannot receive money from the foundation, so donations to Mozilla do nothing for Firefox.

> Not only have they tried both donations and subscriptions, but their efforts have been resoundingly ignored.

Not ignored, for the reasons stated above they haven't actually done what you say they've done.

> asking people to pay for Firefox

I do expect that's the next step at Mozilla - locking features behind paywall with some premium plan. Cloud sync probably will fall into that basket. And if that eventually won't work - they'll surely announce it's time to "sunset".

Personally, I think that's what they should've been doing all along. If it doesn't work at this point, it's because it's too late, and they've already burned enough of their credibility that people don't want to give them money anymore.
>And yet people will over and over again insist that that would never work.

Because it won't. And there is mountains of data to back it up. People will not pay if they don't have to.

Some people will, for sure, but to get those some people to carry the weight of "all the people" is totally untenable.

Besides, Chrome is "free".

It doesn't have to pay for the entire Mozilla organization, it just has to bring in more money than the random other stuff they've tried. That's not a very high bar to cross.
At the same time, even a tiny bit of friction is enough to get people over the mental hump of paying for something.

They could easily gate off certain features behind a paid build, so either you pay or compile it yourself from source. Downstream packagers could of course do whatever they want (eg Debian). However, it creates a minor amount of friction for a relatively large fraction of the user base, and moreover sets the baseline expectation that this is not really "free as in beer", even though it remains "free as in freedom".

See also: Sublime Text, which, despite being closed-source, is 100% free-as-in-beer to use in perpetuity, and yet somehow they make enough money To not only continue development, but even start developing other products (Sublime Merge), even as their brand recognition wanes and their competitive advantage shrinks.

> And yet people will over and over again insist that that would never work. Doesn't that strike you as odd?

Not really. Perhaps they know enough about this that they believe it wouldn't work. How much would you pay for Firefox per year? How many people would pay that figure?

If they wanted independence from google they'd cut overhead instead of raising the CEO salary year after year.
Lets be honest, the number of HNish folks running Firefox is insignificant, compared to number of people using Firefox because their friends recommended it. So even if lets say 1% of the users(HN and similar folks) perform an outcry and go ahead disabling it, the other 99% of the people will still be a huge moat of data. These strategies(though I am willing to give Mozilla the benefit of doubt), had been played out many times, "ops we did this ... emergency update to fix it ... we are releasing this now officially, agree to our terms if you want to continue ... you can always opt-out ... slow boiling frog metaphore ... this is now permanent with the option to disable is gone and forgotten about".
Y tho? I run firefox and chromium side by side all day to isolate personal from work and chromium crashes constantly on a 64GB machine. Chrome uses so much more memory.
Honestly, having worked at companies that made unpopular product decisions (nothing like this, but still every company puts its foot in its mouth sometimes), it can be surprisingly non-obvious what gets people bothered and what doesn't.

We always see the decisions that blow up, but we dont notice the thousands of decisions nobody cares about. Sometimes it really does look like just another minor feature request at coding time.

> it can be surprisingly non-obvious what gets people bothered and what doesn't.

Agreed in general, disagreed in the specific Mozilla case. They’re an internet-related company where “privacy” is one of the stated core goals, yet they’ve stuck their foot in their mouth so often they could open a shoe shop. Failing to see this one is at best incompetence.

Acting stupid and being uninformed, clueless, incompetent CTO/CEO/CXX is less prone to lawsuits than admitting intent of harm.
They don't care. It is not the first time, always the same excuse and blame the user to not be intelligent enough to understand (this is what communicated more means in their broken by profit minds).
> this is what communicated more means in their broken by profit minds

"We should have communicated more" seems like a passive-aggressive way of saying "Oh, you poor simpletons... We should have talked slower, used more, simple words, and been more persuasive. We failed to properly explain why you're wrong. If only we did that, you'd more readily accept what we're giving you."

> What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson.

Please. This is never about learning and better communication. This is universal corporate English for: "you got us, but we really don't give a flying ef and we will fulfill our goals step by step - no matter what you say".

Companies know this but they don't care because there are rarely any consequences that cannot easily be mitigated with cheap PR tactics. Even now you are responding to a PR statement that is trying to reframe the issue as users simply not understanding what Mozilla is doing when in reality Mozilla knows full well that this goes agains the explicit wishes of a large part of their userbase but have chosen to enable this anyway. This isn't a communitcation issue. This is a fundamental "who does Mozilla serve" issue.
> It’s clear in retrospect that we should have communicated more on this one

Oh maaaaaaaaaaaan do I despise hearing variations on this "non-pology."

It's never "Wow, we fucked up by doing something harmful to you." It's always, "My bad, I failed to explain exactly why you're wrong to think this is harming you. I take total responsibility for not explaining why this is actually good for you. I'll try again."

> What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson. The user outcry was utterly predictable from even before the first web article was out.

One possibility is they knew there would be an outcry but estimated that the loss in user support because of it would be limited enough that the upside of having the majority of users with the setting left on wins.

> Most users just accept the defaults they’re given, and framing the issue as one of individual responsibility is a great way to mollify savvy users while ensuring that most peoples’ privacy remains compromised. Cookie banners are a good example of where this thinking ends up.

The problem we currently have with cookie banners is thanks to the browser vendors not caring about it.

An API could exist which a page can query, where the user has already pre-selected how they want to deal with cookies. For example reject all but the essential ones, reject none at all, reject some, according to certain criteria.

Even more, the browser could check if the page is adhering to the user's expectations, and if it doesn't, block it for a period of time, like a week or a month, and publish the fact that they ignored the user's wishes.

Possibly also give the user a signed document which claims that this page did not respect the user's privacy expectations, so that the user can use it in court.

These should be solvable problems.

What!? What’s the benefit of this from a site’s POV? Your technical solution is completely out of touch with real goals and incentives.
He's talking about cookie banners. The issue with cookie banners are the dark patterns, but the end-goal is to obtain permission from the user to set cookies.

This requirement to constantly ask the user while using these dark patterns is what makes normal people just give up and "accept".

If the page is expected to ask the browser which preferences the user has set regarding the cookies, then this problem is gone, because the page no longer is expected to ask a person via a popup.

This was already tried with the Do Not Track header. Websites simply ignore it. They don't want an easy way to get the user's preference. Because they know that most users would set it to decline tracking. Sites would rather annoy every visitor for the chance that they click 'accept'.
Users also don't want to pay to access content.

So I guess that both the user and the site can't get what they want and we should scrap the internet.

This is unrelated. Paywalling != tracking.

If it wouldn't work, then I'd see no ads in my paper-based iX subscription, yet it is full of ads even though I'm paying for that paper.

But the paper has the benefit that the ads I see there don't collect information on me. This is what I want the internet to be.

Ads OK, but no tracking of me if I don't want it (which I express via cookies when in a browser).

Also, you should note how greedy these companies are that they show you the paywall after you have consented to the cookies in order to read the article. No hint on that accepting the cookies is only useful if you also have a subscription. When you can't read the article, they don't revert the setting of the cookies, but just pretend that they gave you access to the article and keep the cookies around for days or years.

> This is unrelated

It's not. Tracking leads to better targeting which leads to higher conversion ratios and overall higher "Cost Per 1000 Impressions" (CPM).

If you simply do "contextual" targeting, so targeting based on the page content, your CPM will go down and and the publisher will lose money.

> Also, you should note how greedy these companies are that they show you the paywall after you have consented to the cookies in order to read the article

Depends on the company. News media publishers use the same system but are usually barely profitable if at all.

> Also, you should note how greedy these companies are that they show you the paywall after you have consented to the cookies in order to read the article. No hint on that accepting the cookies is only useful if you also have a subscription. When you can't read the article, they don't revert the setting of the cookies, but just pretend that they gave you access to the article and keep the cookies around for days or years.

The EU Court of Law decided that offering a subscription or mandate for cookies to be enabled is not legal as an offer. So the transactional nature you propose is currently not allowed. What is allowed is a grey area which has yet to be explored.

Older folks might remember that there were a lot of people willing to make content free, just out of personal enthusiasm, and that this content was actually a lot higher quality than that pumped out by capitalist motivation.

So, actually, users and sites both had what they wanted, just not corporations.

I agree and these people still exist.

However not all content can be produced this way, news or sports coverage would be an example.

You get faster and better news coverage from random people on social media than news corporations these days.
Although I agree that news media quality is not always great (really depends from one publisher to another), I would not really qualify random people on Twitter as "news coverage".
Especially given how likely it is that bots are or will soon be rampant.
There are unpaid sites without ads.
This could easily be enforced now. I don't get how it isn't.
It is enforced, courts just work very slowly. Courts have already started interpreting the DNT header as GDPR-compliant opt-out that websites must follow.
DNT was before the GDPR. The landscape has changed considerably since then and a standardized opt out signal being enforced is not out of the question.
Wow, that really was a wall of text.

Is it just me that sometimes get the feeling that when companies have to explain them selves with this amoubt of text, they actually know that they are doing something wrong but are trying to cover it up by these long and unnecessary explanations?

> they are doing something wrong but are trying to cover it up

That's what most of folks says in this sub-tree

First there's a justification based on current anti-tracking system being bypassed:

> "there are enormous economic incentives for advertisers to try to bypass these countermeasures"

Then:

> We’ve been collaborating with Meta on this

Given Meta's track record with scooping up just about any personal data they can find, it's pretty obvious that this is just going to be yet another datapoint in Meta's collection.

I imagine Meta like this because most of their tracking is done behind a Facebook login anyway, and it reduces the fidelity of Google ads.
TL;DR: sorry, we're not sorry. we will go ahead with it and explain it to you better why it's a good thing in your interest.
What is really concerning (and enlightening) is that it is the CTO that's posting, and not the CEO.

It shows that the topic is merely now considered as a technical point, rather than a principal-based one.

The Mozilla CEO would be very unlikely to receive a positive reception.
That's just the most brain dead rot I've read in a while.

Mozilla is a joke nowadays.

Wow. This represents a profound misunderstanding of the advertising industry.

Data is their edge. It's how they compete with each other.

The privacy "arms race" isn't just between the browser vendors and the trackers, it's also between tracker a and tracker b.

Giving them a new data point (no matter how """privacy preserving""" it is) is just that, another data point. It's not going to make them give up on the others.

To be honest, I would have used a different approach and browsers would very well be capable to give erroneous data and contaminate data from tracking users. This would be going on the offensive, and I don't believe there are any legal barriers that prevent users from "ad fraud".

I don't believe in cooperation with an industry that has shown no remorse with tracking users at all. That will not be successful. Advertisers will employ this and still track. And it is possible to not get tracked and deliver false data, even today.

Maybe I'm cynical, but the rationale given seems extremely naive. There's nothing stopping advertisers from using this new attribution mechanism and tracking users as much as possible. In fact that's probably exactly what they'll do since it's likely that not every browser will support this kind of attribution.

The arms race will continue as it does today, but advertisers will have yet another avenue to exploit in the form of the attribution API.

It shows that their interest is in a "sustainable ad-driven economy model with privacy deemed acceptable by Mozilla", and an "agent of the user".

I suppose it shows who's paying Mozilla.

>But how does the PPA actually work? There is an aggregation server between the advertising provider and the users or their data, which anonymizes the information from the individual app browsers. Only then does it make the data available to the participating advertising customers.
Question is, how do we know that? What proof do we have of that?
The article links to Mozilla’s press release / blog entry about the acquisition of Anonym [0]. It’s pretty dystopian reading. The last three paragraphs and the summary of Anonym are more worrying than anything else I’ve read on this so far:

> This acquisition marks a significant step in addressing the urgent need for privacy-preserving advertising solutions. By combining Mozilla’s scale and trusted reputation with Anonym’s cutting-edge technology, we can enhance user privacy and advertising effectiveness, leveling the playing field for all stakeholders.

I can only interpret this as the urgent need is money, and wants to sell its "scale and trusted reputation". Mozilla has been down this road before. It was not good for them.

> Anonym was founded with two core beliefs: First, that people have a fundamental right to privacy in online interactions and second, that digital advertising is critical for the sustainability of free content, services and experiences. Mozilla and Anonym share the belief that advanced technologies can enable relevant and measurable advertising while still preserving user privacy.

This is some pretty weak wording for a press release. The economics of the situation are that advertising will always trump privacy. Researchers have successfully de-anonymized anonymised data sets, including medical records. Why would these data be any different?

> As we integrate Anonym into the Mozilla family, we are excited about the possibilities this partnership brings. While Anonym will continue to serve its customer base, together, we are poised to lead the industry toward a future where privacy and effective advertising go hand in hand, supporting a free and open internet.

Anonym’s customers are advertisers, right? The same people who for decades poured money into eroding that free and open internet that we had…

> About Anonym: Anonym was founded in 2022 by former Meta executives Brad Smallwood and Graham Mudd. The company was backed by Griffin Gaming Partners, Norwest Venture Partners, Heracles Capital as well as a number of strategic individual investors.

Well, it seems Anonym, Smallwood and Mudd had a nice piece about them written in the Wall Street Journal [1]. From the second paragraph:

> Graham Mudd and Brad Smallwood each spent more than a decade building Meta’s advertising system, which allowed the company to offer granular data about how ad campaigns worked with individual users, often by tracking their web and mobile activity.

[0] https://blog.mozilla.org/en/mozilla/mozilla-anonym-raising-t...

[1] https://archive.is/17c0f#selection-5751.0-5751.246

> Mozilla has been down this road before. It was not good for them.

Yes, this is Cliqz all over again and that scandal cost them most of their German userbase.

And which browser are using the German now ?
Chrome, which meant Mozilla managed to scare people away from their own browser into a using a browser which respects user privacy even less. Great job there Mozilla!
> Chrome, which meant Mozilla managed to scare people away from their own browser into a using a browser which puts less PR focus on claiming to respect user privacy. Great job there Mozilla!

FTFY. Both browsers have been pretty bad for privacy for a long time and are more than happy to exfiltrate your data to the respective operators without your consent.

I would say, average user is using Microsoft Edge(whatever that comes default with their OS) on their desktops and a combo of Chrome/Samsung/Safari on the mobile.

While Chrome adverts and fearmongering campaigns are now everywhere and people seem to be taking interest in Chrome, but Edge is probably the most common, as I see it literally everywhere(including public service office facilities).

The whole acquiring Anonym thing is almost guaranteed to go wrong. Either Mozilla just wasted a lot of money buying the company as it fails to be profitable or privacy will be eroded as Mozilla starts profiting from ad sales.

The companies buying ads aren't keen on privacy, at least not if it comes at the cost of optimizing sales, so I don't see anyone but small "do good" niche companies would buy into what Anonym is selling. Alternatively Mozilla will make money and start relaxing privacy restriction in order to extract even greater profits. I don't see them stopping half-way. The Mozilla leadership has again and again shown that they do not understand their user base.

Firefox is a great browser, but so it all Chromium based browsers. Mozilla apparently never considered why someone might stick with or switch to Firefox, when Chrome, Edge, Safari and other browsers do the exact same thing, sometimes perhaps better. I really want to ask the Mozilla CTO and upper management what they think their product is, because I got a in increasing hunch that Firefox isn't the first thing that would come across their lips.

Personally, right now the only reason I'm not switching to something like Vivaldi is my desire to ensure that rendering engines beyond Blink is represented in statistics.

So where can I donate to Ladybird browser development?

Before anyone tries to respond with it. It is https://donorbox.org/ladybird

They really need to start adding windows as a build target at some near point in the future. As a webdev, that’s the only way I can convince the public to switch.
I mean for a long while even the GNU project provided Windows builds for Icecat browser. Probably to much Stallman grumbling.

EDIT : Actually they still update it. Last version is 115.

First time I hear about Icecat browser. It seems like something that should be much more known!
Because of the whole culture of GNU/FSF/Stallman, it can be a little funky at times. It has been a while but I think it still comes bundled with LibreJS, an addon that checks every Java script for Libre licensing. And yes it can be disabled.

I get it and I like the idea but it does make for a difficult up front experience.

"that’s the only way I can convince the public to switch."

It is not ready, to be a public browser.

Maybe Ladybird can be a good reason to convince the "public" to switch away from Windows in the near future
That would be a great day. Unfortunately the culture of Linux is still too much walled garden, not in the Apple-like commercial sense, but in the tech culture kind of way. We need a way to embrace the public without losing what makes Linux great (to hack it to your own specifications)
It's already too hard to convince public to switch from chrome to another chromium browser or firefox and you're talking about switching to browser that is at least several years away from feature parity
(comment deleted)
They want to be able to run more websites well before they invite the unwashed masses from windows XD
I don’t disagree :)
it would be very silly for them to add windows support
Why Ladybird? Why not Servo?
I appreciate Ladybird's initiative. But if they work with Servo, Ladybird can build the browser and Servo can focus on the engine. Also we can avoid C++ nightmare. Everybody wins.
Ladybird seems to have more momentum and be further along in development in my testing of visiting random websites. This may or may not have something to do with developer velocity of each language, genuinely I don't know but I think it's worth considering.

Regardless, from what I've gathered, Ladybird is going to ship of theseus their way into memory safety. It's not announced what the C++ replacement language will be, but they are working towards that.

Ladybird is all about the engine. It's progressing faster than servo
In what way? Rendering pages CSS compatibility? I tried servo on Windows and it worked, not so much for Ladybird - granted, I wasn't feeling up to task of compiling it for Windows.
Ladybird doesn't support Windows yet because most developers use Linux or macOS. Ladybird has been progressing faster when it comes to CSS rendering and JavaScript support.
For the user, C++ won't be a nightmare.
Isn't Servo a new rendering engine for Firefox? How does it fix all of Firefox's problems, that are not engine limitations?

You can make a free web browser from Firefox's current engine just as easily as from Servo, I would fund the person who does that.

Don't hold your breath. It takes ages to develop a browser that's as fast as Firefox. CSS and JS are no joke.
Slow is the price we'll have to pay. Just like how VPNs slow down your connection

Or, if one dreams for a moment, if slower becomes the norm, web apps will have to become less complicated. Fast seems to just enable more and more ad tech

Maybe it's time to move away from whole html/css/js, http and browsers?

Let's build something that is Ad resistant from the start. Something that uses native technologies.

Edit: We need something that does not need backing of large corporations or huge funding to access the web.

Internet was always simple. We have become over dependent on browsers and http stack.

have you got any suggestions?
HTML only (with forms). Client side css only. No JavaScript. No cookies.
That's not acceptable for 99.9% of the people, so they'll stay on their current browsers. An alternative must be attractive to succeed.
I don't feel the need to fix the whole world. Just my corner of it.

I would use it to read my rss feeds. I'm sure we could make Hacker News discussions work. My mastodon feed could probably work too. That's 90% of my browser usage right there.

Just imagine how pleasant it would be to browse and navigate. Would be so fast, so responsive.

I really like https://geminiprotocol.net/ but I think they went too far removing images, sounds, video, and forms.

This is where ideals meet ugly reality. Most people cherish convenience over everything else up until the externalities cannot be ignored.

Still a long way to go if that is to happen on the web.

Or just don't access any content that is funded by advertising. The nonprofit web still exists. But for all content that's not someone's spare time passion project, someone's gotta foot the bill.
Yes. However, different protocols can be used for different purposes, but will need to be FOSS as well as not overly complicated specifications.

Some older protocols such as IRC, NNTP, Gopher, and email (especially plain text email and not HTML email), is one thing to be usable.

There are also some newer protocols and file formats for some uses, e.g.: Gemini protocol/file-format, Scorpion protocol/file-format, Spartan protocol (which uses the same file format as Gemini, although with an extra link type), Nightfall Express (probably the simplest one, although this means that virtual hosting will not be avavilable), and perhaps some others.

(One thing I have read somewhere (I cannot find it now) is three rules for making such a "small web" protocol: (1) Don't make it a subset; (2) Don't make it compatible; (3) Make it better for everyone (authors, readers, programmers, etc). They also discussed separation of "document web" from "application web"; I agree with that too, although of course there is the consideration of how such a separation should be working. I have ideas about this, and I believe my own designs do follow these three rules better than Gemini and Spartan do.)

I had written my own list of what "small web" protocols/file-formats that I am aware of: scorpion://zzo38computer.org/smallweb.txt (which was originally posted to Usenet, although it has been updated since then) One way to access this file would be a command such as:

  echo 'R scorpion://zzo38computer.org/smallweb.txt' | nc zzo38computer.org 1517 | less
(If you have other mirrors of this document, perhaps with your own changes, you could tell me and I could add it to the list of mirrors.)

Another proposal is the following suggestion to make a "small web browser": gemini://xavi.privatedns.org/small-web-browser.gmi (the document I linked above describes how to access this file in case you don't know) I agree with some of the points made but disagree with others; I will comment about some of these points later. (However, you could use some of these ideas for the HTTP/HTML part of a multi-protocol browser.)

Comments about gemini://xavi.privatedns.org/small-web-browser.gmi :

I do not believe that just using this existing HTTP/HTML is the way to do it (and other people also agree with me about this), although it is one way to do it, and can be combined with others.

Such a "small web" browser could be designed to support multiple protocols and file formats. So, in addition to HTTP(S), also Gopher, Gemini, Spartan, Scorpion, Nex, local files, and possibly NNTP (although this would not be as good as a dedicated news reader software, it would at least allow to read articles from a NNTP server without needing to set up your dedicated NNTP client software; Lynx also supports NNTP).

> While I do think HTTP/1.1 is good enough for most tasks [...] there are several aspects that I do not particularly like: Cookies, User agent, Referer, Etag, Cross-origin requests

I do not like these features much either. HTTP/1.1 still is good enough for many tasks, although it is still messy in some ways and more complicated than it could be, although for the purpose of accessing services that use HTTP, it will be good enough for this purpose (which is what the article describes doing). (One feature of HTTP that I think is useful that Gemini, Spartan, and Gopher lack (but Scorpion does not lack) is Range requests, although that isn't that useful for a browser and is more useful for a download manager (including command-line programs such as curl). Multiple ranges in a single request seems an unnecessarily complexity to me, though.)

> Support a small subset of HTTP/1.1, supporting GET/POST, while effectively removing support for most HTTP headers.

Agree. (You could also suppport adding arbitrary extra headers by user configuration; e.g. the user could specify that they want to add a "Accept-Language" header or a "DNT" header or whatever other arbitrary headers they might want.)

> Support a subset of HTML5, so that embedded images, audio and video are possible.

Mostly agree. Embedded images would be useful to be able to switch on/off by the user; if off then they appear as links. Embedded audio/video is probably not useful at all; I would have <audio> and <video> commands to be displayed as a list of links (the audio/video can be viewed if you follow the links).

> Support modern CSS, possibly leaving deprecated or complex features out.

I would probably leave out most of the features, although you do not necessarily have to do so. However, important would be to allow disabling CSS (and ensure that "complying with the requirements above" (see below) means that it is guaranteed to work correctly if the user chooses to disable CSS).

> Support NO JavaScript at all, as JavaScript is one of the main sources of complexity behind a modern web browser, and is typically abused for user fingerprinting.

Agree.

> Mandate the use of TLS-encrypted connections.

Disagree. Encrypted and unencrypted connections are both useful (and the URI scheme would distinguish them; this allows end users to easily filter out any sites that do not support encryption from their local index).

> Allow integration with SOCKS5 proxies e.g.: Tor.

Agree, although in addition to this, it is also sometimes useful to be able to use local programs as proxies and to have the proxy to handle TLS (although there is some complication in handling client certificates when doing so).

> Provide passwordless authentication via client certificates, and always ask for user authorization beforehand.

Agree, with both parts. (Passwords might still be implemented too (although if you don't want to, then you don't have to); HTTP has a "Authorization" header for this purpose, and Scorpion also supports something similar (in addition to supporting client certificates if the connection is encrypted).) It will be necessary to ensure that the user can command the browser to log out at any time (both with passwords and with cli...

Ladybird more than doubled their js performane in five months between january and may and are now about 2x as slow as Safari: https://x.com/awesomekling/status/1790098727081836697

Things are progressing faster than you'd think.

First, that's uncompiled/jitted. Second: the 80/20 rule.
There are surely to be diminishing returns for sure. Ladybird is clearly improving this fast right now because the devs are picking the low hanging fruit. But we also don't need 100% parity before Ladybird usable. And when users pick it up then it begets more donations and more devs resources, which mean more improvement. So there is reason to be optimistic.
That plus a few of the team have been deeply involved in other browsers. This is nothing new for them.

Doesn't make it certain, but it is a good foundation to be working from.

Thanks. I just donated to Ladybird and Servo.

Here's the Servo link: https://servo.org/sponsorship/

Is there any reason to believe that the Servo project will produce a full independent browser, rather than a browser engine as their website states? The only likely outcome is that it be used in Firefox...
That would be wild to see. Mozilla drops servo to save costs, only to then later pick it up.
How would that solve the problem? Years down the road, if they actually finish their browser, what guarantee do you have against it being enshittified in some way? The only option I see is a project that exists to deshittify an open source browser.
So far the core idea is a sort of constitutional foundation to try and ensure it doesn't get absorbed into that think. Mind you, that was Mozilla 20 years ago.

Short term, deshittify Firefox. Mid term move to some like Lady bird. Long term, if Lady bird is corrupted, start on browser replacement number 2.

Alternatively, the hardest step of just walking away for heavy internet usage I guess.

What do you expect from a company indirectly owned and controlled by Google money?

I can't wait for Ladybird to get good, in a decade realistically, swimming against a massive current of Google pushing its unstandardised nonsense on Chrome, and web developers jumping on the bandwagon, making web standards more and more complex by the day so no one ever is able to catch up.

You can add to the dead internet theory the fact that the Web is now maliciously impossible to recreate and access from scratch if you are unable to compete with the billions Google spend to maintain their hegemony. Heck, even Microsoft found it was more efficient to join Google rather than to try and direct what they laughably call "an open standard." There is more competition to build reusable space rockets than in web browsers.

A sad day, and sadder days await us. Shame of Mozilla, and on the CTO trying to sell this feature as a good thing.

They aren't owned nor controlled by Google. And certainly not directly.

I presume you refer to the fact that most income of Mozilla comes from Google paying a fee to have their search be the default. While that is worrysome, it's not control nor ownership. Let alone direct control. At most it gives Google leverage.

The previous post said "indirectly" controls; maybe a misread?
> I can't wait for Ladybird to get good

I don't see that happening in a decade. What makes you so optimistic?

Firefox mobile also won't let me into about:config. So I guess that's the end.

Opera? Other recommendations?

Which OS are you using?
Firefox mobile is only on Android. The iOS version is a reskin, so it's not affected.
Elinks via Termux? /jk

For those that don't know, Elinks is a text only terminal browser.

Lol, nobody wants that.

Recommend Mull or something else sensible.

Edit: Whoopsy, oversaw your /jk

All good! That said I do like the genuine recommendation. Will look at that.
While the jokes is appreciated, I'm also half-serious in considering just using Links/Elinks or w3m and just use whatever is the default browser on my OS for those cases where I need to book ticket or do banking.

I'm sadly falling out of love with the web. So much fun and enjoyment have left the web in the past 20 years and I don't enjoy or to some extend even benefit from the modern hellscape of modern commercial web.

I already do this a lot on my desktop. Running on of the FSF approved distros, I have three layers of browsers.

1. Links/Elinks for most stuff.

2. If that doesn't work, Trisquel Abrowser which is a privacy focused fork of Firefox.

3. If that doesn't work, Vivaldi browser in a sabdvox to get that Chromium conpatatibility.

As mentioned elsewhere in this thread:

Go to: chrome://geckoview/content/config.xhtml then enable about:config after that dom.private-attribution.submission.enabled can be set to false.

If you need to do that much hacking around to plug a deliberate privacy hole, you might as well use another browser.
https://librewolf.net/

And fallback to Firefox when things don't work. Which is usually on sketchy websites, websites that have heavy bot protection and fingerprinting or ones that use gpu APIs.

A few criticisms of LibreWolf:

* There is no legal entity behind the project. Should anything ever happen with the project (it can happen, even if unlikely), there are no legal ramifications.

* The binaries aren't signed. Yes, code signing is a bit of a racket, but there is some merit in it.

* There is no auto-update mechanism. Might not seem like a big deal, but IMO it is, especially on Windows where you're recommended to rely on 3rd party client to update the browser for you. You've now added a middle man, and since the binaries are not signed... well there's no guarantee you aren't downloading a malicious binary.

>There is no auto-update mechanism. Might not seem like a big deal, but IMO it is, especially on Windows where you're recommended to rely on 3rd party client to update the browser for you. You've now added a middle man, and since the binaries are not signed... well there's no guarantee you aren't downloading a malicious binary.

To me, this seems like a plus. If you want users to update, provide them with something worth updating to. This tracking suddenly being enabled for a ton of users is the very result of automatic updates.

Also, for some software vendors, frequent/automatic upgrades are a great place to hide silent reconfiguration.

Mozilla has been repeatedly resetting "Always check if Firefox is your default browser" option to "yes" with upgrades. I don't see why "private-attribution submission enabled" wouldn't be reset in future in the same way.

As mentioned above, we aren't talking about Firefox's update mechanism here, but rather Librewolf's.

> Mozilla has been repeatedly resetting "Always check if Firefox is your default browser" option to "yes" with upgrades.

I'm sorry to say this, but this just seems to be misinformation.

I don't see that anywhere in the source code[1]? Anything I can find regarding prompting the user regarding the default browser is hidden behind an if guard to make sure the pref is `true` and not `false`.

The only scenarios I am aware of that will change the pref if the user has toggled one manually is the `_migrationUI`[2] function (as you can see, no changes relating to `browser.shell.checkDefaultBrowser`). Otherwise, untoggled prefs will be changed if the value in `firefox.js`[3] or `all.js`[4] is changed. As you can see, the last time the pref was modified was 2004.

[1] https://searchfox.org/mozilla-central/search?q=browser.shell...

[2] https://searchfox.org/mozilla-central/source/browser/compone...

[3] https://searchfox.org/mozilla-central/diff/94ff451885bb94679...

[4] https://searchfox.org/mozilla-central/source/modules/libpref...

But we're not talking about Firefox's update mechanism here, we're talking about Librewolf's. They are already the custodians of custom settings and making the choice for you, so it doesn't seem like a valid comparison here.

I would also say a web browser should be the one piece of software constantly updated due to the sheer volume of security patches issued every few weeks.

>But we're not talking about Firefox's update mechanism here, we're talking about Librewolf's.

Doesn't matter. I don't inherently trust any organization.

>They are already the custodians of custom settings and making the choice for you, so it doesn't seem like a valid comparison here.

I can make the choice to install software. I should be able to make the choice to upgrade it as I choose as well.

If I buy a chair from Crate+Barrel, I have given them the choice of designing and manufacturing that chair and all the decisions that went into it. But I do not give Crate+Barrel the choice of sneaking into my house and swapping it with some newer version of the chair that 51% of the population liked slightly better after 5 minutes of testing or that they think will make them more money somehow.

> I can make the choice to install software. I should be able to make the choice to upgrade it as I choose as well.

I think that's completely valid.

I was just assuming (maybe incorrectly?) we're talking about what should be happening in general (so what the experience for the layman should be). Now whether that applies to Librewolf is another story, but arguably it becoming fairly known, it should.

Side-note: In Waterfox, I've re-added the ability to disable auto-updating completely. I completely understand the want to manually update software.

Have you spent time with Waterfox as an alternative or have some thoughts when comparing against Librefox?

In app update prompts work for me, they have a TOS / Legal Entity it seems. They broke away from Startpage in recentish years.

Plenty of feature trade offs to compare though with Librefox.

Yes, I'm the developer of Waterfox :-)

> Plenty of feature trade offs to compare though with Librefox.

Yes, for sure. Definitively different goal alignments.

You know perfectly well that point 1 is completely irrelevant in the world of open-source.

A UK Ltd. is less transparent than Librewolf, an open-source project run by many volunteers without the incentive to make any money.

Point 3 is no longer true, the installer comes with the option to enable auto-update and on Linux, it also auto-updates, depending on distro, etc.

The risks you are talking about are not inherent to Librewolf, but to Linux and open-source, and thus are not legitimate criticisms of Librewolf.

> You know perfectly well that point 1 is completely irrelevant in the world of open-source.

Genuinely, why not? Open source projects go through ownership changes (as unlikely as they may be), social engineering, etc. In the unlikely chance something were to happen and anything malicious were to occur, what recourse is a user to have? And we are talking about a web browser here, which will be accessing peoples most sensitive data. I don't think this is an unreasonable stance.

> A UK Ltd. is less transparent than Librewolf, an open-source project run by many volunteers without the incentive to make any money.

Well this UK Ltd is still beholden to English law and UK GDPR. You could argue the merits and teeth that GDPR has, but I don't see why it's not a valid comparison? I can't just start processing personal data without complying with GDPR, for example.

> The risks you are talking about are not inherent to Librewolf, but to Linux and open-source, and thus are not legitimate criticisms of Librewolf.

Linux has the Linux foundation, which AFAIK is going to be beholden to California law? I don't see how that can't also be a criticism of Librewolf (and any OSS in a similar spot?).

> Point 3 is no longer true, the installer comes with the option to enable auto-update and on Linux, it also auto-updates, depending on distro, etc.

It seems to me to still true, because the installer is installing WinUpdater. Which, as it seems, is maintained by an individual developer?

> If you want LibreWolf to be automatically updated (recommended), you can choose to install the LibreWolf WinUpdater[1], which is included in the installer.

[1]: https://codeberg.org/ltguillaume/librewolf-winupdater

Installed it a couple days ago and it works great, haven’t had any problems yet. Nice to have it through Brew.
While the Wikimedia Foundation is often quoted as having cancer[1], I guess the Mozilla Foundation has Alzheimer's, constantly forgetting who they are and why they are here in the first place.

[1] https://en.wikipedia.org/wiki/User:Guy_Macon/Wikipedia_has_C...

And the scandals they have been involved in the past. Cliqz was another attempt by Mozilla to invest in privacy preserving technology (that time search, this time ads) where they did a stealth launch without user consent.
Just installed Chrome again. I loved everything about the idea behind Mozilla but the browser is quite not useable these days. Really sad.
How is your personal story related to the story? I don’t believe Chrome is better than Firefox on terms of ad tracking.
Out of the frying pan and into the fire. With regards to privacy and tracking Chrome/Chromium is so much worse than Firefox. Whether it be terrible defaults, exceptions which allow Google to see your system info, or an incognito mode which is a misnomer, Chrome just doesn't do privacy at all.

I can sympathise about general usability concerns but they don't really relate to the OP.

I personally run Ungoogled Chromium for anything that doesn't work in LibreWolf, which is fortunately not too much.

Do you guys like or trust Vivaldi?
I've been looking at it and they are fortunately very open about how they are funded (search engines and bookmarks). Opera was my browser of choice, back in the days of Presto, so I trust the Vivaldi CEO/CTO who also ran Opera. My main annoyance with Vivaldi is that it's Chromium based, I really don't like the idea of a monoculture of rendering engines.
vivaldi is not open source, they’re almost certainly more invasive than Mozilla.
> By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.

The value of words is leaving the web.

Firefox should integrate a tracker-blocker which blocks all ads which rely on executing Javascript as well as profiling-related 3rd-party code snippets, but leaves ad images which are integrated into the page, served exclusively by the owner of the page, and are based on the content offered by the page. Like magazine ads.

Everything else is just agreeing with the advertising industry on their idea that profile-building is fine.

These advertisers nowadays think they have they are entitled to everything, and Firefox just helped them.

By this logic wikipedia wouldn't be able to load any image
They could offer a deal to Toyota and tell them they're offering image-only ad space on all car-related pages. For example images with deals. Toyota would know from the referrer that the click came from Wikipedia.

All the other images are hosted by Wikipedia themselves and are not ad-related, so I don't see where's the issue here.

I'm just saying that the domain that hosts the page and the domain that hosts the image are often not the same. Wikipedia hosts the articles, wikimedia hosts the images.

If a browser wants to be strict about what it loads, most of the web would appear broken. Maybe google could have the weight to force such change, but no way could mozilla impose such a strict rule.

(comment deleted)
And there goes my trust in Firefox out the window...

Safari seems to be the only decent, privacy-focused browser left on the market.

Until the Ladybird arrives.

The fact that Apple killed any real third party extensions ended my use of Safari.
> Safari seems to be the only decent, privacy-focused browser left on the market.

Safari has Private Click Measurement: https://webkit.org/blog/11529/introducing-private-click-meas...

And AFAICT, Mozilla's implementation is technically superior?

This works by adding noise. Can't an attacker bypass it by boosting the signal? Assuming the attacker can create sybil advertisers/browsers, this should be totally doable:

1. Define some baseline set of M impressions with various ad identifiers and from various sybil advertisers.

2. For each target user, define some set of M marker impressions, also with various ad identifiers and from various and sybil advertisers.

3. Save all impressions (marker + baseline) on a bunch of sybil browsers to get above the reporting baseline with some probability.

4. If/when a target user visits a target website, request a conversion report for each ad/advertiser.

You now have a baseline signal (from the baseline ads/advertisers) and a marker signal (from the marker ads/advertisers). If this is one of your target users, you'd expect their "marker" signal signal to be stronger than the baseline.

Technical docs are here: https://github.com/patcg-individual-drafts/ipa/blob/main/IPA...

Might be worth opening an issue if you believe there's merit to the attack?

I can try. But I'm pretty sure what they're trying to do is fundamentally impossible without some kind of sybil protection.
Those docs look out of date and appear to be designed for "app" ecosystems. The latest proposal from Mozilla is https://docs.google.com/document/d/1QMHkAQ4JiuJkNcyGjAkOikPK...

And I'm now quite sure this system is insecure. Fundamentally, either:

1. There is some magical sybil protection: An attacker can only spend their own privacy budget without affecting the rest of the system.

2. The system can be saturated: An attacker can spend everyone's privacy budget.

3. The system is not private: An attacker can exceed the "safe" privacy budget by combining information from multiple sybils.

I assume it’s the MPC part that would need the Sybil protection?

Also, another assumption, but it’s that doc still builds upon the W3C proposal - would it not be worth raising as an issue in the repo? Seems to still be active.

If 1% of regular Firefox users just donated the equivalent of 10USD per year to mozilla, they would not have the need to find ...eyebrow-raising... ways to earn money.
On the other hand, people would be more inclined to donate money if they could trust Mozilla to value the privacy of their users, which is one of the biggest reasons people choose FF in the first place.
(comment deleted)
Only if they'd also spin off the browser from all the political activism and NGO cash grabbing, and let people choose themselves to which of the two their money goes.
0% of donations go towards financing the Firefox project. Donations to Mozilla are explicitly not used for Firefox, they say so in the donation page.