For advertising, Firefox now collects user data by default

> The fact that no one with decision power at Mozilla saw it coming is worrying: either they have zero understanding of people’s concerns for privacy or they don’t care.

Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end. Criticism of Mozilla in general is very warranted right now, but the way(s) in which everyone is doing so just feels very out of touch with the actual situation. ;P

They're - by their own words - trying to do something in a privacy preserving way because the ad industry is not going away. They might fuck it up at first, and that's why it's an experiment. It's also possible to disable it, it's not like you're trapped in it.

This thread in general feels like it leaves Mozilla no room to experiment or find any form of growth. People want them to be "just a browser" but then also expect them to be stewards of the web - and then cry foul when they actually try to find a setup that fits into the current model of the web.

What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson.

They are trying to find a funding model that makes them independent from Google.

- Building a fast, privacy-oriented browser that keeps up with web standards and fixes security bugs takes people, organisation and therefore money. Yes, much more than that CEO salary.

- No one wants to buy for a browser.

- No one wants to pay a subscription fee for a browser.

So you are left with ads. Mozilla is trying to find a balance there between privacy and ads with a clearing house approach. People who hate ads out of principle scream. How should browser development be funded?

Who's to say this "my bad, we'll do better next time" isn't part of the playbook?

Lets be honest, the number of HNish folks running Firefox is insignificant, compared to number of people using Firefox because their friends recommended it. So even if lets say 1% of the users(HN and similar folks) perform an outcry and go ahead disabling it, the other 99% of the people will still be a huge moat of data. These strategies(though I am willing to give Mozilla the benefit of doubt), had been played out many times, "ops we did this ... emergency update to fix it ... we are releasing this now officially, agree to our terms if you want to continue ... you can always opt-out ... slow boiling frog metaphore ... this is now permanent with the option to disable is gone and forgotten about".

it's a classic abuse tactic: if you ask first, people will cry out and if you then do it, it'll be considered escalation on your part. so instead you do it first, and if possible, do something worse to begin with, and then when there's outcry, you take a small step back, claim to be the reasonable one, and then later on push the rest of the way.

Honestly, having worked at companies that made unpopular product decisions (nothing like this, but still every company puts its foot in its mouth sometimes), it can be surprisingly non-obvious what gets people bothered and what doesn't.

We always see the decisions that blow up, but we dont notice the thousands of decisions nobody cares about. Sometimes it really does look like just another minor feature request at coding time.

They don't care. It is not the first time, always the same excuse and blame the user to not be intelligent enough to understand (this is what communicated more means in their broken by profit minds).

What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson.

Please. This is never about learning and better communication. This is universal corporate English for: "you got us, but we really don't give a flying ef and we will fulfill our goals step by step - no matter what you say".

Acting stupid and being uninformed, clueless, incompetent CTO/CEO/CXX is less prone to lawsuits than admitting intent of harm.

Especially since this is very similar to what happened with Cliqz and that there likely are many at Mozilla who were around when that happened too. And the Cliqz scandal hurt Mozilla's market share a lot in Germany.

Companies know this but they don't care because there are rarely any consequences that cannot easily be mitigated with cheap PR tactics. Even now you are responding to a PR statement that is trying to reframe the issue as users simply not understanding what Mozilla is doing when in reality Mozilla knows full well that this goes agains the explicit wishes of a large part of their userbase but have chosen to enable this anyway. This isn't a communitcation issue. This is a fundamental "who does Mozilla serve" issue.

It’s clear in retrospect that we should have communicated more on this one

Oh maaaaaaaaaaaan do I despise hearing variations on this "non-pology."

It's never "Wow, we fucked up by doing something harmful to you." It's always, "My bad, I failed to explain exactly why you're wrong to think this is harming you. I take total responsibility for not explaining why this is actually good for you. I'll try again."

DRM on a website = no search engine can scan the website = no users = the DRM website dies.

leading to a perpetual arms race that we may not win

So we're not even going to try.

I will begrudgingly admit he has a point here. In a few years I imagine almost all sites will refuse to serve anything without WEI, and the "open" web will be the preserve of a few hobbyists. Annoyingly you'll still need to use a compromised browser (or worse, app) to do anything with your bank, etc.

This move does not stop the arms race. Non-anonymous data is still better for the ad industry. Why give that up?

Which will lead to counter moves by alterative browsers and websites and Google risking the loss of browser market share. If you think this is unthinkable, just look back at Microsoft's dominance of the browser market twenty years ago. Exactly like Google is doing they were pushing through all sorts of user hostile stuff via internet explorer. Before Chrome came along, Firefox was one of the few holdouts against them. Internet explorer users were dealing with all sorts of crap. Popups, popunders, all sorts of viruses, cross site scripting attacks, etc. Mostly that was just a mix of poorly designed features but there was also MS trying to get into search and advertising and they were trying to abuse their defacto monopoly to do that.

Yes, that line is important.

This has happened before. Remember the critique against Encrypted Media Extensions (https://en.wikipedia.org/wiki/Encrypted_Media_Extensions): Oh no, DRM in the browser! But remember that web video used to require Adobe Flash for the longest time, and even after a decade of HTML5 video, sites were still clinging onto Adobe Flash (and later also Microsoft Silverlight) for what turned out to be DRM purposes. At the time, these plagued proprietary blobs were not going anywhere. Except, after EME had widely supplanted this last holdout usecase, they were quietly allowed to die. The result is that we have much smaller-scoped proprietary blobs in the form of content delivery modules with a lot fewer bugs and portability issues.

And that DRM will likely come anyway and restric users of niche browsers like Firefox and operatings systems no matter what Mozilla does - just look how EME implementations and Websites using it treat Linux users not to mention non-x86/ARM architectures. So best is to push back now while we still can instead of giving them an inch.

This was already tried with the Do Not Track header. Websites simply ignore it. They don't want an easy way to get the user's preference. Because they know that most users would set it to decline tracking. Sites would rather annoy every visitor for the chance that they click 'accept'.

What!? What’s the benefit of this from a site’s POV? Your technical solution is completely out of touch with real goals and incentives.

they are doing something wrong but are trying to cover it up

That's what most of folks says in this sub-tree

I imagine Meta like this because most of their tracking is done behind a Facebook login anyway, and it reduces the fidelity of Google ads.

Thats just it, that they are doing this in a somewhat quiet manner is a sign that they know how this would go down.

The Mozilla CEO would be very unlikely to receive a positive reception.

This phrase in particular:

I’ll do my best to address [your questions], though I’ve got a busy week so it might take me a bit.

That means: I'll answer the easy ones, and ignore the hard ones, or ask the legal team to come up with some weasel words.

Legal: “it’s forbidden to target ads at specific users”

Done.

We don't necessarily need the ad industry to work out the practicalities if we simply do away with the whole ad industry. We could quite easily outlaw receiving payments from a third party in exchange for displaying information to your users.

Full liability for secondary harms caused by the leak of data that wasn’t directly required to provide a service to those same end users. Selling of data to third parties doesn’t transfer this liability but expands it to include any leaks or misuse coming from the entities the data is sold to. No statute of limitations.

So if company X sells data to company Y and then Y sells to company Z then company X has full liability for leaks or misuse from all entities in the chain.

No more free credit monitoring. Banks, credit card companies, and end users get to directly sue these companies. May not completely solve it but you can try to make it so expensive to mine data you don’t truly need that it ends the whole industry.

I am sure there are holes in this but we can at least try to kill the data brokers and bad actors.

I think legal protections can effectively safeguard user data

If I walk outside I'm bombarded by ads. Almost all websites have been tailored to include ads and hide information. You're tracked on all devices you touch.

Vaguely referencing more laws or larger government doesn't mean anything. We're not talking about all problems but a specific one. There is an obvious imbalance between the power and information an individual consumer can use to shield themselves from activities by companies that are detrimental to them. We are also not expected to test our own food for toxins.

More platitudes and soundbites doesn't have to be the answer to all problems.

We can, but, as OP noted, the change is only temporary, while political change is harder, but also tends to last longer. I still remember when pihole worked on most things. These days it is just a part of adblocking approach for me.

tldr: Some of us are tired of fiddling with things where were we shouldn't have to.

<< More laws and larger governments doesn't have to be the answer to all problems.

If market participants can't behave ( and they clearly can't help themselves ), it is the only real answer.

<< If consumers care enough they'll change their usage, if they don't change their usage they likely don't care enough.

Or.. options for consumers are limited, which affects what they do. In all seriousness, streaming execs seemed to admit the ads simply bring more money for them so they don't care if non-ad version is profitable. It is not enough.

My household dropped Netflix and Prime over their silliness. We currently still have Disney until they get too greedy. And that is just streaming. Regular net is soooo much worse without a way to scrub the ads away.

More laws and larger governments doesn't have to be the answer to all problems

More laws and larger governments are generally undesirable (for obvious reasons) but saying that we shouldn't make any laws at all is throwing the baby out of the bathwater.

If you're thoughtful and deliberate about how you write your legislation, you can have a disproportionately positive impact with a very small amount of additional weight.

For instance, instead of trying to enumerate every single way that data could be leaked and forbid that (see: HIPAA), you should just make the end state (PII in the hands of someone the user didn't explicitly authorize it to be in) illegal and mandate a fine per unit of information (e.g. 1% of the median US salary for SSN) to every entity in the leak chain (because a chain of custody for personal information is just about mandatory at this point).

Details will vary, but this general approach is vastly better than the crazy laws we have in other areas that attempt to "enumerate badness" in the intermediate rather than the end state.

> Anyone bothered enough by advertising

I don't particularly have an issue with advertising itself. If adverts get on my nerves on a product or page I just leave, as you suggest: problem solved.

The actual issue is the stalky tracking of me throughout my life that is currently inseparable from the advertising. I can't just walk away from that: it happens behind my back, it has happened before I get the chance to walk away.

> can stop using whatever product has been ruined by ads

Which will not stop the stalky behaviour of the ad industry. They'll still track me if I happen to click the wrong thing, or track me through my connections to other people. I suppose I could walk away from life and become a hermit, but that would be just a little extreme.

> or find ways to remove the advertising.

Which is, while I do take part, an ultimately fruitless task. Every block we make for the stalky behaviour, be it technical or legislative (other than outright banning the tracking of personal data except with explicit opt-in without exceptions, and properly enforcing punishments for breaking the ban), they'll find a way around. Removing it is not a long term solution, it is a war or attrition where we have to have our guard up all the time and they only have to get lucky, or just be particularly sneaky, every now and again.

> More laws and larger governments doesn't have to be the answer to all problems.

This has often been said by companies and their shills. Oddly, they are all in favour of extra laws and government reach when it is, for example, to protect what they consider to be their intellectual property.

One of the things which the FSF did right was the GPL

And the GPL is dying. Every year fewer projects are maintained under the GPL standard. Violations abound anyway. The MIT License and other permissive licenses; or commercially restrictive licenses like the SSPL, are the new go-to; because the GPL didn’t think about SaaS or “Tivoization” until it was too late.

I was with you until secureboot.

At least on my Debian I retain full control using the shim and my own enrolled keys. So seems less an issue with the technology but perhaps with how some vendors (that are already locking you in anyway) use secureboot?

from https://wiki.debian.org/SecureBoot

> Shim then becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for as a trust root for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.

I have a feeling that is most people out there.

I observed a friend of mine click on a malicious ad link recently in front of me when driving a presentation for a community meeting. It was shown as an overlay for a seemingly harmless site I found. In my home with a pihole I didn't see any of the ads.

I felt terrible that I was partially responsible for her clicking it. This knowledge and habit of ad-blocking and secure computer usage takes factors of time, effort, and money to learn, and not everyone is going to, or is capable of, devoting what's needed.

You may not see the ads in that content, but your data will still be collected and sold. This is where we lack fundamental protections.

People forget that the reason we have all of these "free" services is because of ads and that's coming from someone who hates ads.

People forget that before ad-supported "free" services took over we had community-run actually free services.

The internet does not need ads.

It's just weird that ladybird is picking ideological hills to die on, such as "no gender neutral pronouns"[1]

[1] https://github.com/SerenityOS/serenity/pull/6814

How so?

Absolutely true, but how do you expect that to happen or come about?

In the same manner through which legal protection for various other matters have come about. By raising awareness, sharing thoughts and solutions, and organizing.

Maybe it's time to move away from whole html/css/js, http and browsers?

Let's build something that is Ad resistant from the start. Something that uses native technologies.

Edit: We need something that does not need backing of large corporations or huge funding to access the web.

Internet was always simple. We have become over dependent on browsers and http stack.

Ladybird more than doubled their js performane in five months between january and may and are now about 2x as slow as Safari: https://x.com/awesomekling/status/1790098727081836697

Things are progressing faster than you'd think.

Slow is the price we'll have to pay. Just like how VPNs slow down your connection

Or, if one dreams for a moment, if slower becomes the norm, web apps will have to become less complicated. Fast seems to just enable more and more ad tech

Maybe Ladybird can be a good reason to convince the "public" to switch away from Windows in the near future

They want to be able to run more websites well before they invite the unwashed masses from windows XD

I mean for a long while even the GNU project provided Windows builds for Icecat browser. Probably to much Stallman grumbling.

EDIT : Actually they still update it. Last version is 115.

"that’s the only way I can convince the public to switch."

It is not ready, to be a public browser.

It's already too hard to convince public to switch from chrome to another chromium browser or firefox and you're talking about switching to browser that is at least several years away from feature parity

I appreciate Ladybird's initiative. But if they work with Servo, Ladybird can build the browser and Servo can focus on the engine. Also we can avoid C++ nightmare. Everybody wins.

Isn't Servo a new rendering engine for Firefox? How does it fix all of Firefox's problems, that are not engine limitations?

You can make a free web browser from Firefox's current engine just as easily as from Servo, I would fund the person who does that.

Is there any reason to believe that the Servo project will produce a full independent browser, rather than a browser engine as their website states? The only likely outcome is that it be used in Firefox...

Do we know why they blocked about:config on mobile? It doesn't make any sense at all...

I recently started using Firefox again, because of all the madness around Chrome and the change of how add-ons (mainly uBlock and similar) would work.

And it felt kinda good, i actually thought that Firefox was different and a part of "the good guys", now it doesn't feel that way anymore. Sigh.

On mobile you probably want to try Fennec and/or Mull, both Firefox forks, compatible with FF addons and available on F-Droid.

chrome://geckoview/content/config.xhtml

source: https://connect.mozilla.org/t5/ideas/firefox-for-android-abo...

I can access the about:config page on mobile, but I can't seem to find a relevant option. Maybe it's already disabled for the Fennec app from F-Droid?

and you have to use a workaround to enable about: config

I know of no workaround short of installing from the Beta or Nightly channel.

What's the difference with setting

    dom.private-attribution.submission.enabled 

Wow, thanks for this and the parent post.

Thanks a lot for this tip. I don't know how one is supposed to find this setting.

they will not prevail, unless we collectively let them do so. they are already probably in breach of GDPR, and I don't see the EU backing down on this stuff.

i stopped reading golem because of this. what a shit

Also, I think you can accept it for free when you click "Einstellungen"

No, this part is mandatory:

Datenverarbeitungen von Werbeanbietern einschl. personalisierter Werbung mit Profilbildung [Zustimmung erforderlich für kostenfreie Nutzung]

what data protection agencies?

But even then, it's a bit hypocritical writing an article slamming firefox for this at least allegedly privacy-sensitive adtracking. While requiring readers to consent to tracking from your however many ad partners :P

Whether you agree or disagree with what the Mozilla foundation does, it seems fairly matter of fact to say that they are pursuing liberal policies and that posts from the leadership, like the couple below, employ a good bit of leftist rhetoric.

https://blog.mozilla.org/en/mozilla/first-steps-toward-lasti... https://blog.mozilla.org/en/mozilla/leadership/mozilla-racia...

Personally i'd rather judge people by the things they do (or fail to do), not who they are associated with.

Maybe they mean this statement, however I don't see why their proposed changes are radical.

[1] https://blog.mozilla.org/en/mozilla/we-need-more-than-deplat...

There is no auto-update mechanism. Might not seem like a big deal, but IMO it is, especially on Windows where you're recommended to rely on 3rd party client to update the browser for you. You've now added a middle man, and since the binaries are not signed... well there's no guarantee you aren't downloading a malicious binary.

To me, this seems like a plus. If you want users to update, provide them with something worth updating to. This tracking suddenly being enabled for a ton of users is the very result of automatic updates.

You know perfectly well that point 1 is completely irrelevant in the world of open-source.

A UK Ltd. is less transparent than Librewolf, an open-source project run by many volunteers without the incentive to make any money.

Point 3 is no longer true, the installer comes with the option to enable auto-update and on Linux, it also auto-updates, depending on distro, etc.

The risks you are talking about are not inherent to Librewolf, but to Linux and open-source, and thus are not legitimate criticisms of Librewolf.

Have you spent time with Waterfox as an alternative or have some thoughts when comparing against Librefox?

In app update prompts work for me, they have a TOS / Legal Entity it seems. They broke away from Startpage in recentish years.

Plenty of feature trade offs to compare though with Librefox.

That is because "Allow web sites to perform privacy-preserving ad measurement" doesn't have the word "advertising" in it. Granted the current phrasing a bit awkward and may have a certain degree of deliberateness behind it.

It seems the search matches on the text of the option, not the section text. The text of the option is "Allow websites to perform privacy-preserving ad measurement" and the search for me brings up the option (and of course anything else that matches) when I search for any of that.

How do you sync these settings across devices? I need such a thing, too.

While the jokes is appreciated, I'm also half-serious in considering just using Links/Elinks or w3m and just use whatever is the default browser on my OS for those cases where I need to book ticket or do banking.

I'm sadly falling out of love with the web. So much fun and enjoyment have left the web in the past 20 years and I don't enjoy or to some extend even benefit from the modern hellscape of modern commercial web.

Lol, nobody wants that.

Recommend Mull or something else sensible.

Edit: Whoopsy, oversaw your /jk

If you need to do that much hacking around to plug a deliberate privacy hole, you might as well use another browser.

Firefox mobile is only on Android. The iOS version is a reskin, so it's not affected.

Sorry folks but though i'm just speaking from personal experience, it's what I noticed time and time again. I've given Firefox multiple chances as my default browser over several years right up until maybe a year ago and the same problem presented itself across different laptops and FF versions (many after in those cases someone told me that FF was FINALLY fixed, oops). Were these laptops heavy duty models with serious CPU, GPU, RAM and etc power? Nope, but they shouldn't have to be for just running a browser.

Chrome on the other hand (and believe me I despise Google in so many different ways) has consistently been okay. Not great, but okay, and certainly better than Firefox. This while having the same browsing, tab and extension habits in both browsers.

With comments like my original above I've always seen a bunch of people come out with all sorts of caveats defending or justifying FF, but personal experience has consistently shown me differently.

There are a lot of people who still think of Firefox from 5 years ago. Whatever else you can say about Mozilla (and I have a lot to say about Mozilla) they have actually really improved performance to where I'm not convinced it's any worse than Chrome. Browsers are just doing more than they used to.

Firefox’s reputation got hit a decade or so ago by performance problems in popular extensions like AdBlock Plus, and it was common to see people mistake switching to a new browser as the reason for the speed up because the initial performance would be notably better before they loaded the new one up with extensions, too.

huh. Maybe I should try Brave again.

Those docs look out of date and appear to be designed for "app" ecosystems. The latest proposal from Mozilla is https://docs.google.com/document/d/1QMHkAQ4JiuJkNcyGjAkOikPK...

And I'm now quite sure this system is insecure. Fundamentally, either:

1. There is some magical sybil protection: An attacker can only spend their own privacy budget without affecting the rest of the system.

2. The system can be saturated: An attacker can spend everyone's privacy budget.

3. The system is not private: An attacker can exceed the "safe" privacy budget by combining information from multiple sybils.

I can try. But I'm pretty sure what they're trying to do is fundamentally impossible without some kind of sybil protection.

And which browser are using the German now ?

Mozilla CEO Salary was US$7 million in 2022. It's beyond taking the piss:

https://en.wikipedia.org/wiki/Mitchell_Baker#Negative_salary...

No idea how much the new CEO is being paid. Probably just as bad.

Safari also has attestation, as far as I know without user consent.

The previous post said "indirectly" controls; maybe a misread?

They could offer a deal to Toyota and tell them they're offering image-only ad space on all car-related pages. For example images with deals. Toyota would know from the referrer that the click came from Wikipedia.

All the other images are hosted by Wikipedia themselves and are not ad-related, so I don't see where's the issue here.

While it has had funding from some sources we don’t necessarily trust, it’s still entirely open source and the code has been combed through repeatedly.

When it comes to privacy apps, I’d place significantly more trust in something like that than literally anything closed source or unscrutinized to that degree.