I get the concerns about conflict of interest, but I can get behind the CEO's point that their expertise in the space helps them to build better defenses.
I think Mozilla's heart was in the right place here, but pretty disappointing that they didn't vet their partner more thoroughly than what some GMU grad students were able to uncover.
Also makes me wonder what other shady connections fellow services might have, waiting to be uncovered. Looking at you, popular podcast sponsor, DeleteMe!
... pretty disappointing that they didn't vet their partner more thoroughly
Kinda like partnering with Google while promoting Firefox as the "privacy browser".
I assume you're referring to the default search engine deal? What influence does that have on Firefox's privacy features? How does it make Firefox not a "privacy browser"?
Kinda skews their incentives heavily when that deal represents a large chunk of their revenue
Why would it? Harvesting data is not even Google's entire revenue, and Google would be phenomenally stupid to mess with Firefox, because if that got out, it would be major anti-trust headaches waiting to happen.
What specifically did this influence, or is likely to be influenced? What specifically is made worse by this?
There's always these vague accusations, but never any specifics.
By default, Firefox makes it real easy to uniquely identify and track you, refuses to block ads and, apparently, doesn't care much about market share. Wonder why?
Details are readily available if you know how to search.
Any browser makes it easy to track you because that's how the web works and it's hard to fully prevent without significantly affecting compatibility and/or feature set. Firefox does have some "Enhanced Tracking Protection" features for this though. And (extensively) changing the content of webpages by default would be inappropriate for a mainstream browser; it's not their job to curate what you see, and this includes ads (for starters, it's not so easy to even classify what an "ad" is).
These are just more vague accusations, and just as unencumbered by any evidence as your previous vague accusations were.
Go here and see for yourself: https://coveryourtracks.eff.org
And that is because of Google's influence on Firefox, how?
You are not engaging with anything I said. I asked for evidence of Google's control over Firefox beyond "they have a search engine deal", and you seem unwilling or unable to provide it. Therefore I can only assume it does not exist and that you are simply making spurious claims for which no evidence exists.
Almost all their revenue comes from Google and you demand evidence that this influences them? How could it do otherwise?
The lack of default privacy and ad blocking in Firefox is the evidence.
The fact that Google continues to pay even as Firefox marketshare shrinks to irrelevance is evidence.
The more pertinent question for potential users is evidence that it does not influence them. By any reasonable measure, default Firefox is not "the privacy browser".
it's not their job to curate what you see
In this case why does the browser have a pop-up blocker? Or why does it warn about potentially malicious websites (via SafeBrowsing)?
If it's not their job to curate what you see then it should show you the raw unfiltered badness of the web and let you deal with it yourself.
What a boring "gotcha". By that measure a browser should also allow any HTTPS certificate, self-signed or expired, and any other invalid certificate, and allow unrestricted unlimited access to all storage and all features. Oh no, that would be idiotic... Just as silly as conflating not implementing a technical feature or basic safety protections with "curation".
Hey your email provider also shouldn't do curation either, then why does it have a spam filter?!?! Checkmate atheists!
I'm curious about where you draw the line between basic safety features/spam filtering and "curation" and the reasons behind that.
Ad blockers just use a list of known malicious URLs/domains/CSS selectors and use that to block/hide elements.
This is identical to Safe Browsing (preventing loading of known malicious domains) which you seem to be fine with and don't see as "curation".
What influence does that have on Firefox's privacy?
Don't you mean on your, the user's, privacy?
Well, more like "Firefox's privacy features". I'll edit to clarify.
Puzzling they chose to partner with Onerep when Kanary was part of Mozilla's incubator and is just a fundamentally stellar service.
Can you share more?
In terms of the incubator, looks like it was replaced with Mozilla Ventures:
https://builders.mozilla.community/
https://builders.mozilla.community/old/alumni.html
With respect to Kanary, I have my entire family on the platform and it's drastically reduced the amount of garbage (figurative) that comes through our door. When I needed help with something non-standard, the CEO personally took care of things while learning more about our specific use case.
Second the recommendation for Kanary. Formerly had a lot of inbound spam, has seriously cut it.
"Puzzling" is a good description of just about every business decision Mozilla has made over at least the last decade.
People complain about the Google search deal and I get why, but I've been using the browser since back when it was called Phoenix, and at this point I'm pretty sure the Google deal is the only reason it's still alive. The engineering is still solid; its stewardship seems anything but.
pretty disappointing that they didn't vet their partner more thoroughly than what some GMU grad students were able to uncover
What did it take for them to uncover it?
Generally speaking, GMU grad students may have more time and plenty of expertise. When those grad students leave school and get jobs at Mozilla, they may be too busy to go down rabbit holes looking for long shots.
Co-founder of DeleteMe here. Been building and delivering privacy tools and chatting on HN for 15 years. Happy to answer questions, but please go easy on unfounded accusations :)
Also makes me wonder what other shady connections fellow services might have, waiting to be uncovered.
This is why it's so important to require disclosure of beneficial owners for all companies. The world is filled with people that will poison you just so they can sell you an antidote, or, better yet, life long treatment.
All the existing databroker remover tools are flawed because they make use of manual labor to remove you from sites, primarily done by people in third world countries.
We @ https://redact.dev are working on a pure software mechanism for doing these opt-outs directly from your own device. We already have full mass deletions for over 40 social media and utilities.
I really dislike the trend of making everything a subscription service. I can imagine a niche market that wants to continuously delete content older than an arbitrary window, but isn't this the sort of service that most users would only need sporadically?
The pricing seems to implicitly acknowledge this: $35/m billed monthly vs $8/m billed annually! Would you really expect anyone to intentionally renew monthly? I can't argue that people forgetting to unsubscribe pays the bills, but as a business model it leaves a bad taste.
Data brokers are like the hydra, one goes down and another 2 new ones pop up. It's a lot of work to keep on top of deletions if you want privacy.
Not really. There's a fairly small and stable number of companies that actually collect and resell information about you. There is also about a zillion ephemeral web front ends that republish this data, however. I suspect this is done for a reason, but a bit of sleuthing quickly reveals who the big players are.
These "data removal" services spend a lot of effort going after the frontends, which is pretty self-serving: they can show the customer that there's something new to remove every single month or quarter, so you have to keep paying forever.
What else could they do? They're working within a system that the government designed, and the government always designs things to keep people running on the hamster wheel.
Request deletion from backend brokers? Many have some mechanisms for opt-out, either in general or for people in specific states (e.g., California).
OK so if Optery reports 330 removals, how many removals did they actually have to do on their end? A hundred? Thirty? Ten? Why should we care? If you pay a man to remove the snow from your driveway, would you be upset if he used a plow rather than a shovel?
Wouldn't you be upset if you paid him hourly so he used a spoon and went slowly enough that snow accumulates faster than he'll ever clear your driveway?
Parent's argument is that the current approach leads to an endless cat-and-mouse game that the user ends up paying for, when there would be ways to end it faster and cheaper.
Yes but how is that the fault of removal services? They can't do anything to stop the usual suspects from filing for a fresh corporation from Delaware each week.
That makes it a weirder proposition to me.
Does that mean the user keeps paying just to have someone somewhere do "something"?
And that, even if fundamentally it can't solve the situation, it can't prove it's even improving in any specific ways (telling you it removes hundreds of instances doesn't tell you how many have been added in the meantime), and they also have no incentive to be too zealous, as the numbers in the reports would go down and the motivation to subscribe would also diminish.
PS: perhaps the way out of this is to make it a non-profit that provides jobs to people in need, and have the subscription be a recurring donation?
I don’t necessarily doubt you, but do you have any source for this, or in general any information on the landscape of data brokers?
It’s hard to imagine what the situation actually looks like behind the scenes.
This explains some trends where posts are being edited on Reddit with nonsense then deleted. Personally, I think this kind of behavior makes the web poorer as a knowledge base. Yes you have a right to do it with your own content, but doing it at scale makes the internet a less useful tool and it makes me a bit sad since the scrapers will already have the data anyway.
Hopefully it just makes sites remove the ability to edit or delete things once they've been published. Especially forums where things have been referenced by other things.
As much as I routinely fine-tune and fix up a comment after initially writing it, I will happily go back to the old days before such ability became common, in trade for the sanity of references that don't disappear or change meaning after the fact. The typos don't hurt as much as the Swiss cheese and schizo conversations.
Personally I think we need the ability to delete more, not less.
Yes, I do see the irony of writing that here. :'(
The problem with the wholesale deletion of comments is that it also affects other people. For example if we have a back-and-forth constructive conversation here and one of us deletes all comments, then the value of the other person's comments are diminished, and sometimes even incomprehensible.
It's pretty clear you're putting something in the public when you're commenting on HN; this isn't a surprise and nothing is done surreptitiously. If you contribute to a debate in some TV discussion programme then you can't have that deleted later either.
And there are options without wholesale deletion: specific comments can be deleted or edited for specific reasons, and your account can be "soft-deleted" by changing your username to something random.
If you want to have more ephemeral temporary conversations then that's fair! But HN is not the right platform for that, IMHO.
A good compromise in the meantime would be the Internet Archive. A lot of useful data is preserved there.
This made me curious about archivist ethics: https://www2.archivists.org/statements/saa-core-values-state...
Privacy: Archivists recognize that privacy is an inherent fundamental right and sanctioned by law. They establish procedures and policies to protect the interests of the donors, individuals, groups, and organizations whose public and private lives and activities are documented in archival holdings. As appropriate and mandated by law, archivists place access restrictions on collections to ensure that privacy and confidentiality are maintained, particularly for individuals and groups who have had no voice or role in collections’ creation, retention, or public use. Archivists should maintain transparency when placing these restrictions, documenting why and for how long they will be enacted. Archivists promote the respectful use of culturally sensitive materials in their care by encouraging researchers to consult with those represented by records, recognizing that privacy has both legal and cultural dimensions. Archivists respect all users’ rights to privacy by maintaining the confidentiality of their research and protecting any personal information collected about the users in accordance with their institutions’ policies.
Those are mostly in response to reddit's API changes. By editing the comments before deletion, the archives also get wiped and it takes a bit more effort for reddit to restore deleted comments behind users' backs.
Yes, it makes the web poorer as a knowledge base, but it's in response to companies like reddit ruining the internet by baiting in users, changing the agreement and then trying to keep the content that was written under the previous agreements.
that's not actually a flaw
a real flaw is that companies in this niche are actually centralizing data to re-sell while adding a new line in the dataset that says "wanted to remove their data footprints"
In other words, would you describe your site as the Gillette razor attachment mechanism of online data deletion?
Many databrokers make it very difficult to remove your info, on purpose, of course. That is why the legit removal providers have to rely on manual labor for some. I'd love to see it fully automated, but I'll believe it when I see it. Last I checked, Optery was removing 325+. Best of luck-- you have a long way to go.
Edit: this looks like a totally different service. Mass deletion of old posts is one thing, removing PII from data brokers is another.
I suspect that vetting this kind of partnership needs someone who is ferociously knowledgeable, principled, and skeptical. Not someone who's mainly looking at it from a business development or career angle.
Now the aftermath could use a fighter, looking for how they could legally disassemble the entire racket. Not only because it's arguably on-mission, but more importantly because Mozilla has a reputation to redeem on this now.
(For example, no matter how that party has squeaked by wrt consumers, maybe there's a new angle in their dealings with Mozilla, such as a different kind of fraud. And Mozilla is much more able to pursue the matter than most individuals would be.)
Pursue what? God knows they should pursue building a browser. It’s a simple concept, it doesn’t need ChatGPT-set-to-dramatic words.
Building a browser is harder than posting puff pieces about privacy. Mozilla has sadly strayed away from being a browser company into being some PR company that happens to make minor changes to a browser once in a blue moon.
Agreed, a lot of the behavior looks like that. But if we ask why we want them to build a browser, would you agree that privacy+security+freedom+democracy online are the main reasons we have?
If so, then would you say much of their current messaging has the right idea?
Would you also say that we've seen genuine progress (and also regression resistance) in that direction with the browser?
Personally, I'd say yes to all those. Two things that I don't understand are what one executive was getting paid, and some of their decisions during that executive's tenure, for a long time.
One guess is that some people were letting it be run like a tech company, and furthermore a tech company coasting along in some ways without being very effective. And that would have to be multiple people, since everyone answers to someone. If that guess were accurate, then not only do you have to ask the watchers why that was allowed to happen, and figure out how to fix that, but you also have to look for cascading effects within the organization from that having gone on.
Mozilla has gone all-in on talk (or "messaging") but very little action. In some cases I would say they are actually giving people a false sense of security, because despite all the claims, Firefox in its default configuration isn't actually great privacy-wise (for starters, default-on telemetry is in direct breach of the GDPR).
Mozilla could massively help non-technical people regain privacy by shipping Firefox with actually private defaults and uBlock Origin built-in (they've got the infrastructure to download Pocket on first run, so they can do the same for uBlock), but doing so would actually mean "doing something" and put them at risk (I'd expect the Google money to stop the second this is released, meaning they'd need to actually start operating a real business with a real business model), whereas merely writing puff pieces is safe as it doesn't really hurt anyone.
I like this comment, and I'll pitch in my two cents on it.
Suppose Joe Salesman sells your friend Al a used car and it turns out they got a bad deal, the car was a lemon. What lesson should be learned from this?
a) This was an honest mistake. We expect this kind of variance in used vehicles, and the market works out kinks. I should feel comfortable buying a used car from Joe, should the need arise.
b) The information that this car was a lemon was available to Joe, who did not share it with Al because Joe thought Al was a sucker. I am better at diagnosing cars than Al, (or better at reading people), and I should feel wary about buying cars from Joe.
c) Joe only sells lemons, his business model is to rip people off, and there's no way to get a good deal on a used car from Joe. I should look elsewhere to buy a car.
d) This describes the business model of all used car salesmen, I should not buy a used car from a business that sells used cars.
e) This describes all business models when there is information symmetry between buyer and seller. I should not buy anything whose utility I cannot bound from below. (I need a warranty or similar arrangement from the seller).
There are obviously other options here; this is just to illustrate the spectrum of assumed adversariality. There was an article on HN recently declaring that salesmen were more likely to get ripped off. I think this is because salesmen tend to think the answer to this question is (b), because salesmen exclusively interact with people who think that the answer is either (a), (b), or (c).
It's not just salesmen, actually. I think the phenomenon is equally well represented in people with business degrees. The core belief of an MBA is that you can subvert the regulatory structure, and people's psychology, to get them to give you more money for the thing than it costs you to make the thing. That's, after all, where MBA income comes from. I think this comes much more naturally to people who think that the answer to the question above is (b).
I think by and large, whenever you hear that their company decided to purchase anything at all (but particularly some sort of service), your instinct is that the purchaser was a gullible idiot, and that things would obviously work much better if no one was allowed to buy anything.
Personally, I do not think that ferocious skepticism is necessary to solve this problem. I think that it is much more cheaply and easily solved by having a moratorium on buying shit. Mozilla does not, EVER, need to be a customer.
Mozilla does not, EVER, need to be a customer.
Does Mozilla still need to be the seller or partner in deals with commercial entities (e.g., Mozilla getting paid to be the default search engine or LLM within the browser UI)?
If so, would ferocious skepticism within Mozilla be appropriate in vetting and monitoring those deals?
No
This. If they can go after the guy for fraudulent misrepresentation or something, I'd be on the sidelines cheering every jab, maybe contributing if there's a legal "attack the stalker companies" fund.
If company A creates a problem that company B is paid to solve, then company B benefits when company A is able to make the problem bigger. Therefore Company A and company B both have a vested interest in the problem continuing to be problematic. Both are in a symbiotic relationship that allows them to both extract a profit while providing no net benefit to society.
This is rent-seeking (https://en.wikipedia.org/wiki/Rent-seeking). Rent-seeking is an economic drag and ethically indefensible.
Regulation is how this problem gets solved and it's the only way it gets solved.
There was an article on HN recently about government agencies (but also applied to private companies) that are setup to solve problem X and often evolve to, not necessarily causing it, but making it harder to solve.
If it's the one I'm thinking of: the title was about government, but all of the examples in the article were private firms with profit motives. The author implied that government must work the same way as industry, but that's a huge assumption.
The article had no examples of public agencies perpetuating the problems they set out to solve.
It's because the article and website is stupid, and is trying to make you believe public agencies are ineffective on principle.
Public agencies don't exist because of profit. They exists because of government mandate.
Also the website states it's just a single PHD that claims "I created Effectiviology to provide people with research-based information about psychology and philosophy they can use.", but it's in reality owned by 'Super Privacy Service LTD' according to https://www.whois.com/whois/effectiviology.com.
Don't trust this source.
Were these private firms funded by the government?
Finally found it:
Article: https://effectiviology.com/shirky-principle/
HN discussion: https://news.ycombinator.com/item?id=39491863
I also apply the Shirky principle at larger scale when solutions have become an industry, e.g pharmaceutical industry.
But that blog post was wrong an ill informed.
Protection racket...
I used OneRep for a few years and it did what it advertised, but that's certainly shady as hell and I'm glad I stopped using their service.
Are there any more trustworthy alternatives? data brokers are scum.
For an alternative, take a look at Optery (YC W22). We've been flagging the situation at OneRep for years and put a statement out following the Krebs article (link below). We launched to the public as a Show HN in 2021 and as a Launch HN in 2022. Full disclosure, I'm one of the Optery founders.
https://www.optery.com/optery-statement-following-investigat...
What do you think about Kanary?
Obviously I'm biased so I think Optery is better, but here are two un-biased reviews written by the lead analyst for security at PCMag.com:
https://www.pcmag.com/reviews/optery
https://www.pcmag.com/reviews/the-kanary
Here's another well-researched and unbiased review:
https://blog.infostruction.com/2023/08/12/privacy-powerhouse...
Why don't you ask Google to remove pages, while you wait for the perpetrators to honor your page removal requests? I believe Google recently added tools to make this possible.
Optery hasn't addressed that yet, but right now it starts at the source (the data brokers), and then submits removal requests to Google directly via their Outdated Content Removal Tool. Here's how it works: https://www.optery.com/optery-and-googles-content-removal-to...
I would only trust a tool for sending mass opt-out requests to every company that I've interacted with if it was free and open source. Even with good intentions, commerce becomes yet another tracking instrument.
Not possible. Open source code doesn't have limited power of attorney. Data brokers would also read its code and thwart whatever logic it uses to fill out forms.
You have power of attorney for yourself. Open source tools can run on your own systems and represent you.
If the open source software interacts with the data brokers as you, then how would it do that without giving up even more of your personal information? Services like Optery also lose the ability to remove your information from a data broker if you have a direct account with them. So you better hope that open source maintainer doesn't lose interest after a while, since if they do, you'll be permanently doomed to logging into hundreds of broker sites each year to refresh your opt-out.
Exactly. What we really need is a public, open list of all tracker companies that anyone can contribute to (like adblock lists). What we do with that list is up to us and our governments.
I thought people were being ridiculous when they were angry at mozilla for bundling with Pocket. After this, maybe the slope was more slippery than I thought.
How would this situation indicate a slippery slope of decision-making? Mozilla didn't know about OneRep's CEO's history; nobody did until Krebs uncovered it.
Their earlier statement said they were aware of the CEO's history but were assured that part of his life was behind him. From that statement on March 15: “We were aware of the past affiliations with the entities named in the article and were assured they had ended prior to our work together,” the statement reads. “We’re now looking into this further. We will always put the privacy and security of our customers first and will provide updates as needed.”
https://krebsonsecurity.com/2024/03/ceo-of-data-privacy-comp...
It goes back many years before Krebs wrote about it. Optery has a nice write-up of the situation here:
https://www.optery.com/optery-statement-following-investigat...
Wow, these kinds of companies should be nuked. I cannot wait for the EU to notice this problem.
At least as scary are the companies (company?) who allow you to do a facial recognition search over the entire crawlable web.
Yep.
I definitely wouldn't want Mozilla to support people-search organizations, but I also wonder if that's really happening here.
I have to believe the expertise gained in people-search would be exactly the expertise one needs to remove people from the rolls used by those organizations.
The real question is whether or not there is data brokerage out of Onerep.
This seems like a triumph of optics over substance...
It's not just experience, the guy is still invested in a company that does the Bad Stuff. He's playing both angles.
I've had to make the hard acceptance that privacy is absolutely, irrevocably dead. Anyone with power or money can now find out not only anything about you but likely even more than you know or realize about yourself. Who has time to do a thorough, documented introspection of every aspect of their own life and actions regularly, along with every possible connection that this also leads to? No one.
Unless there is massive senate/house/pres unification on absolutely crushing the endless disgusting behavior of spying on people to diminish them and enrich yourself, and it is made illegal WITH CONSEQUENCES, nothing will change. This will never happen because the US gov is both the biggest customer and purveyor of these services.
Mozilla is basically the last place that even gives lip service to privacy and they are in bed with this guy. That is how hopeless the situation is.
Anyone with power or money
Data brokers post a lot of your PII on the clear web for free. It doesn't cost anything to find out someone's names, the address of every place they've lived, the names of their family members, etc.
Yeah but you provided no evidence, no reasoning, or anything else that might have elevated your comment above a mere guess. If you throw enough spaghetti at the wall, some will stick.
What a win for internet journalism.
@dang, why did this get delisted?
Talk about hedging your bets!
In the spirit of ad-block lists, I suggest we create an open list of all known companies that people can easily add to. Information about these shady-ass orgs should be divorced from enforcement against them.
Sure, let’s put the fox in charge of defending the hen house. He’s an expert on chickens and I’m sure he’s changed his ways!
We hire black hat hackers to help with computer security.
Why would you do that?
Because it's effective.
It sounds like you're hiring penetration testers. Why do you call them "black hat"?
How do you know the penetration testers you hired are not black hat hackers?
Is the implication that all pentesters are black hats until axiomatically proven otherwise? High bar.
A lot of the better pentesters/security consultants have “colourful” backgrounds.
Frank Abagnale is a good example https://youtu.be/vsMydMDi3rI
A fraudster who by all accounts continued fraud by making up a life story filled with largely fictional details (including that he worked with the FBI)? Some people are like George Santos and exaggerate constantly in addition to constructing wholesale false stories about themselves.
It’s fascinating how easy it is to fall prey to a fraudster when they claim they’ve gone legit. You’re probably better off believing they’re still a fraudster.
https://louisianavoice.com/2021/04/26/new-book-further-debun...
https://en.wikipedia.org/wiki/Frank_Abagnale#Relationship_wi...
That Wikipedia section makes it sound like his whole life story is just an elaborate work of fiction. I don't think that counts as fraud. It's more like santa claus and the deception fits in with his story. Is he doing any actual damage other than annoying the FBI?
"An old poacher makes the best gamekeeper."
Quick note, after I almost did: Please don't feed the trolls: they're replying to every. single. reply. with more bait.
Good catch - I have noticed that Mozilla gets a lot of unjustified hate and criticism. Does Mozilla make mistakes? Yes. Does it do a lot of good? Yes. Does it deserve the abuse it gets online? Absolutely not.
Not Mozilla; the silly "hmm, isn't it actually good he ran it? What's the difference between that and black hat hackers?", except it's a slow drip of one-at-a-time, one-sentence comments that don't acknowledge his interlocutor at all.
I really believe it's because deep down, people love the big shiny brand Google Chrome, yet they know it's kinda fucked. So when they see things like this, they are able to justify it in their minds that they made the right decision. Confirmation Bias?
Problem is, Mozilla is running in all directions at once like a headless chicken.
So we worry Firefox will die.
Just to be clear, I wasn't criticizing Mozilla. I think they did what they had to do, but it's unfortunate the skills can't be harnessed.
Fair advice.
Except the CEO still operates Nuwber. It's hard to believe he's learned from his mistake if he's still actively helming said mistake.
Yeah, I'm 100% for forgiving and giving people a second chance. It's no different than a black hat hacker becoming a security researcher.
But there is a clear conflict of interest if he is still actively engaging in the dubious behavior.
I think there's a distinction between criminal activity and the usual conflict of interest.
I wasn't saying he has learned from his mistake. I'm just saying he no doubt has expertise.
Couldn’t you make a similar argument about protection rackets? Their experience shaking down places for money helps them build better defenses against it, right?
You could, particularly since protection rackets actually do compete with each other. I wouldn't want to hire a criminal, but if someone did, they'd likely be effective.
Per TFA, the guy is literally running ads for Onerep on his people-search platforms. His "business" is pure unadulterated blackmail.
Or, his expertise from Onerep helps him build a better Nuwber.
I kind of agree, but there does need to be a baseline of trust, and that's rather difficult to give when they're operating both types of services at the same time.
If it had been "I have worked on identity-selling services for 15 years, saw it wasn't a good thing, and now I'm trying to fix the problem" then okay, fair enough. This is something we can at least start with. But this doesn't seem to be that.