21 votes

Firefox just installed two addons into my browser without consent... again

Here is what just happened to me:
Firefox installed two addons - fxmonitor@mozilla.org.xpi and telemetry-coverage-bug1487578@mozilla.org into my browser silently, even though I've explicitly turned all the telemetry off.
This has happened before, and Mozilla apologized for it; however, it seems that they learned nothing and are willing to do so again.
There goes the last scrap of my trust in Firefox. I suggest you check your browsers too.

39 comments

  1. [12]
    Comment deleted by author
    1. [6]
      cfabbro

      Yep. It appears you're correct. Sources:

      Firefox Monitor:
      https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/

      Visitors to the Firefox Monitor website will be able to check (by entering an email address) to see if their accounts were included in known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach. The site will offer recommendations on what to do in the case of a data breach, and how to help secure all accounts. We are also considering a service to notify people when new breaches include their personal data.

      Have I Been Pwned API integration:
      https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/

      To mitigate these risks, Mozilla is working with Troy Hunt – creator and maintainer of HIBP – to use new hash range query API endpoints for breached account data in the Firefox Monitor project.

      Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data.

      When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first 6 characters to the HIBP API

      Telemetry on/off check:
      https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/

      However, an unknown portion of our users do not report telemetry for a variety of reasons. This means we may not have data that is representative of our entire population. For example, some enterprise builds are preconfigured to not send telemetry and some users manually opt-out of telemetry collection. We believe the large majority of clients do send telemetry but currently have no way of measuring this.

      To address this, we will measure Telemetry Coverage, which is the percentage of all Firefox users who report telemetry. The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry.

      20 votes
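The hash range query quoted above, as an added example that is not part of the post or of Mozilla's or HIBP's code. It assumes SHA-1 over the lower-cased, trimmed address and a server that answers a 6-character prefix with the hash suffixes of every record in that bucket; neither detail is stated in the quote.

```python
"""Client/server simulation of the k-anonymity hash range query.

Added example. Assumptions (not in the quoted post): the hash is SHA-1 of the
lower-cased, trimmed address, hex-encoded; the server returns the suffixes of
all breached hashes that share the 6-character prefix it received.
"""
import hashlib
from typing import Dict, List

PREFIX_LEN = 6  # hex characters that leave the client (from the quoted post)

# Constructed sample breach corpus for the demo; these are not real records.
SAMPLE_BREACHED_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def email_hash(email: str) -> str:
    """Hash the address the way client and server must both agree on."""
    normalised = email.strip().lower().encode("utf-8")
    return hashlib.sha1(normalised).hexdigest().upper()


class BreachServer:
    """The breach-database side: indexes records by hash prefix and only
    ever receives a prefix from a client, never a full hash or an address."""

    def __init__(self, breached_emails: List[str]) -> None:
        self.index: Dict[str, List[str]] = {}
        for email in breached_emails:
            h = email_hash(email)
            self.index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
        # Everything the server learns about clients is recorded here so the
        # privacy property can be checked after a query.
        self.received_prefixes: List[str] = []

    def range_query(self, prefix: str) -> List[str]:
        """Return the suffixes of every record in the prefix bucket."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.received_prefixes.append(prefix)
        # An empty bucket is a normal answer: the address is simply not breached.
        return sorted(self.index.get(prefix, []))


class MonitorClient:
    """The Firefox Monitor side: hashes locally, sends only the prefix, and
    performs the final match on the client."""

    def __init__(self, server: BreachServer) -> None:
        self.server = server

    def is_breached(self, email: str) -> bool:
        h = email_hash(email)
        prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
        candidates = self.server.range_query(prefix)
        # The match happens here; the server cannot tell which candidate, if
        # any, the client was interested in.
        return suffix in candidates


def anonymity_set_size(server: BreachServer, email: str) -> int:
    """Number of breached records sharing the prefix the server saw for this
    address: the k in k-anonymity. With a corpus of hundreds of millions of
    records every 6-hex-character bucket holds many entries; with this tiny
    sample corpus the value is small."""
    return len(server.index.get(email_hash(email)[:PREFIX_LEN], []))


if __name__ == "__main__":
    server = BreachServer(SAMPLE_BREACHED_EMAILS)
    client = MonitorClient(server)
    for address in ("alice@example.com", "dave@example.com"):
        print(address, "breached:", client.is_breached(address))
    print("server saw only:", server.received_prefixes)
```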
      1. [4]
        Crespyl

        I get where they're coming from, but that really sounds like

        We didn't get telemetry from you, because you disabled telemetry, so we'll just go ahead and add some more telemetry.

        And I can see where that might be taken negatively, even if it's pretty small in the grand scheme of things.

        19 votes
        1. cfabbro

          Yeah, it's effectively backdoor telemetry (just one query and hopefully non-repeating, but even still), so I can see why some people might be upset by it. However, I suspect this is one of those "better to beg forgiveness" situations where, if they had had to ask all their users for permission to query the telemetry status, it wouldn't have netted them a complete or even remotely accurate view of what % of users actually have it disabled.

          14 votes
        2. [2]
          s4b3r6

          True, but as usual, for those users who get concerned, they added a config value.

          Create toolkit.telemetry.coverage.opt-out as a boolean, with a value of true.

          7 votes
          1. 666

            For users who get concerned I recommend this: https://github.com/ghacksuserjs/ghacks-user.js/

            It's a template user.js file for Firefox you can customize to disable all telemetry options, even those hidden from the UI. It also includes other useful settings for security and privacy.

            6 votes
      2. s4b3r6

        More information from the bugzilla entry, on Telemetry Coverage.

        Overall this is a pretty typical system add-on update. It is a legacy extension, and only runs for 1% of users, but you can make yourself be in that 1% using the attached script (which can be run in the Browser Console).

        There should not be any UUID or other identifying info sent along with this payload, and note that it goes to a different endpoint than regular Telemetry.

        The only other thing to test here is that this extension has a special boolean opt-out pref: "toolkit.telemetry.coverage.opt-out". This pref does not exist by default and must be created, if set to true then the extension should not send a payload as above for users in the 1% sample (such as the Telemetry client ID above will be)

        6 votes
    2. [4]
      unknown user

      They don't handle these things well. I don't think anybody in their right mind thinks that Mozilla is after their users' private data, but the way they do these things gives out an image of sloppiness.

      Also, I want my browser like my Emacs: it should not communicate with anybody unless I openly ask it to do so. That need not be malicious behaviour, but still that's rather insecure, IMHO. But admittedly I don't know much about security.

      13 votes
      1. [2]
        spctrvl

        You could always go straight to the source and use emacs as your browser!

        4 votes
        1. unknown user

          I do :) Well, kind of. When I click a link in Emacs, it asks me "Browse with EWW? (y or n)". If I answer n, it opens it in Firefox. If y, it opens it in EWW. But before all this, when I follow a link, my browse-url function matches the URL against a set of regexps and may do something else instead of asking the above question: if it's a github link which has a diff, it downloads it as a tmp folder and opens it in diff mode. If it's from the Github raw url, it's downloaded to /tmp and opened in the appropriate mode. If it's a youtube link, it opens it with mpv. If it's a PDF, an Elisp file, or an image, or some other file I've added a function for (I have a macro for this) it's again downloaded in the /tmp folder and opened with the appropriate emacs mode. This may seem like overkill, but it's quite useful, as I read my feeds and emails in Emacs, I click lots of links within it, and this sort of setup skips many middle steps. These days I don't use EWW all that much. But when programming I try to use it as much as I practically can for looking up online documentation and divine intervention (i.e. StackExchange stuff). You can check out how that works here.

          I guess this comment (mine, not the one I'm responding to) should be tagged off-topic.

          10 votes
      2. NeoTheFox

        I agree, I don't think that Mozilla did what they've done in bad faith, but I also don't want this kind of stuff to happen to my browser.

        4 votes
    3. NeoTheFox

      I don't think that it's an overreaction, especially with a drastic change of attitude that Mozilla seemingly made after the Looking Glass fiasco. They've made the exact same thing again, but this time this wasn't even an opt-in, and it wasn't even mentioned by the browser - data collection, silent, without consent, purposely hidden. I think it should tell something when first a corporation feels like it has to apologize for having a silently installed addon that asks if it could start working, and then pushes another two addons that are hidden and ready to send data the moment they are installed. I don't think that this qualifies as transparent, and I also don't think that any company that tells us that it cares about privacy should pull stuff like this on its users. The fact that they can push any addon to your browser at any time is bad enough, but it could only be made worse if it's used twice for data collection already.

      5 votes
  2. [5]
    dblohm7

    For those of you who don't know, I'm a Mozilla employee.

    Disclaimer: I have opinions on the "telemetry coverage" topic. No, I am not going to share them. No, I do not have the authority, nor the influence, to change how this is being done, so please save your breath.

    Having said that, I do see some misinformation being spread in this thread that I'd like to clear up. To do so, I'm going to have to give a bit of background on the architecture of Firefox, as well as how updates work:

    Firefox Architecture

    (This is not 100% correct, but is "correct enough" for the purposes of this discussion.)

    What we refer to as "Firefox" consists of two layers: the lower layer is binary machine code, while the upper layer is interpreted code (HTML, CSS, JavaScript, and some other non-standard stuff). The lower level is only updated when we bump version numbers. The upper layer can be updated dynamically, however.

    Now that you know this, here are two types of dynamic updates that Mozilla pushes out to Firefox:

    System (aka "Go Faster") add-ons

    It takes a lot of work to cut a new set of Firefox binaries from a particular revision in our source tree, for the purposes of deploying to release. Dot-releases (aka "Chemspills" in Mozilla parlance) for serious issues often take place at shitty times, and our release managers and QA people get roped into pulling all-nighters or working weekends to get those builds ready to push out ASAP. Because of the amount of work involved, we don't like to push out dot releases unless there is a serious issue that needs to be fixed.

    We eventually concluded that there are some parts of the Firefox product that can be updated incrementally and out of band (namely, the upper layer of interpreted code that I mentioned previously) from the normal six week cadence of browser releases. This allows us to push out new features, enable/disable features, and in general do any kind of maintenance or update that falls outside the scope of requiring new binaries.

    These updates are called "system add-ons," but they really should be thought of as mid-release-cycle updates to the browser. Perhaps use of the term "add-ons" was poor naming, because they really are components that provide dynamic updates to that upper layer of Firefox code. They really should be considered to be part of the browser.

    Hypothetical scenario: Let's say that a feature that we rolled out on release day is interacting badly with antivirus software and nobody saw it coming during beta (yes, this happens ALL THE TIME). Back in the day, we would have had to cut a chemspill release to disable that feature. Now, we can simply push out a system addon that flips the pref to disable that problematic feature. We can deliver that fix faster (and thus affect fewer users) and with less effort by using a system addon than if we had to go through the whole rigamarole of a chemspill release.

    SHIELD studies.

    Shield studies are essentially a subset of system addons that are specifically devoted to A/B tests. Like most other modern, data-driven, large-scale software, small percentages of the release population are selected to test prototypes of new features. These studies can be disabled in the "Privacy & Security" section of preferences via the "Allow Nightly to install and run studies" checkbox.

    The Mr. Robot / Looking Glass debacle and the aforementioned apology

    The TL;DR of this was that Mozilla had been doing cross-promotion with the Mr. Robot TV show. Our marketing team decided to pull a stunt where, during the season 3 finale, they deployed a Mr. Robot game into Firefox (that remained inert unless explicitly enabled by the user) called "Looking Glass." Looking Glass was deployed using SHIELD, which was obviously above and beyond the intended use case for SHIELD. Many users were upset, and frankly most Mozillians were too. There was not enough process in place to prevent our update technologies from being abused.

    The apology was about misusing the SHIELD platform to deliver content that had nothing to do with A/B tests. It is not correct to interpret that apology as, "we will never push out dynamic updates to Firefox ever again."

    41 votes
    1. [2]
      cfabbro

      I was hoping you would pop in here and clear things up for everyone... I was even tempted to @ mention you earlier but didn't want to pressure you into responding, especially if you didn't want to get involved in the issue at all. Thanks for the detailed synopsis. :)

      12 votes
      1. dblohm7

        Thanks for not pressuring me, I really appreciate it. I was originally going to stay out of this but I changed my mind when I saw that the record needed correcting.

        10 votes
    2. [2]
      cos

      Wow, thanks for the incredibly detailed write-up! The solution to this problem seems simple: why not rename "system add-ons" to "rolling updates" or something similar? I realize you have little power to change these things, but has there been any discussion around this?

      Also, a tad off-topic, but what kind of work do you do at Mozilla? What do you enjoy most?

      3 votes
      1. dblohm7

        The solution to this problem seems simple: why not rename "system add-ons" to "rolling updates" or something similar? I realize you have little power to change these things, but has there been any discussion around this?

        I agree. We actually had a discussion on our internal Slack about this on Friday evening, but whether anybody will actually do anything about that, I don't know.

        Also, a tad off-topic, but what kind of work do you do at Mozilla?

        I am a lead software engineer working on the "Content Isolation and Platform Integration" team: Mozilla-speak for sandboxing and other stuff that deals with code specific to our supported desktop platforms.

        For better or worse, I am considered to be the "Windows guy," so I deal with a lot of esoteric low-level Windows stuff that nobody else knows how to do. Right now I'm working on stopping third parties from injecting their DLLs into our processes.

        5 votes
  3. [13]
    NeoTheFox

    So apparently it's their push to collect data on how many people are using Firefox with telemetry off. I just want to stress their apology after the LookingGlass incident:

    We’re sorry for the confusion and for letting down members of our community. While there was no intention or mechanism to collect or share your data or private information and The Looking Glass was an opt-in and user activated promotion, we should have given users the choice to install this add-on.

    8 votes
    1. [9]
      hungariantoast

      This has happened before, and Mozilla apologized for it; however, it seems that they learned nothing and are willing to do so again.

      This is an entirely different issue than the "Looking Glass" incident.

      There goes the last scrap of my trust in Firefox. I suggest you check your browsers too.

      This seems like an overreaction to be honest. It's obvious that nothing identifiable is transmitted and they were open about the implementation of this feature.

      The title of this post makes it sound like Mozilla has repeated the past incident, when really they've just added a new feature to the browser.

      16 votes
      1. [6]
        NeoTheFox

        This is an entirely different issue than the "Looking Glass" incident.

        Yes, I agree that it is different - the Looking Glass addon had to ask for your permission before working. These ones don't.

        This seems like an overreaction to be honest. It's obvious that nothing identifiable is transmitted and they were open about the implementation of this feature.

        No, they were not open about that, since I've only stumbled across these by accident. I suggest you think this over - two data-collection addons were installed silently in the background on a privacy-oriented browser. And they do the exact thing that the browser had been told not to do - send telemetry to Mozilla about your telemetry status. And, of course, along with this data the user agent, IP address and other stuff is leaked as soon as the request is made to Mozilla servers.

        2 votes
        1. [2]
          hungariantoast

          No they were not open about that, since I've only stumbled across these by accident.

          I could be a smart ass and say they're open about everything that happens in the browser, because the source code is available to review, but they actually published an article talking about this feature implementation and what it does, plus, you're more than capable of turning off telemetry coverage as a user.

          I suggest you think this over

          I thought this over plenty before I wrote my comment. I do not endorse these kinds of features light-heartedly in the programs I use, I would prefer that they were not implemented, but I am not going to overreact to the implementation of these features by proclaiming my loss of trust towards Mozilla publicly, for something that adds no more privacy violation than the auto-update feature. Have you disabled the auto-update feature in your build of Firefox on your machine? If not, the only extra info they are receiving by the "telemetry coverage" feature is whether or not you have turned telemetry off in the other settings of the options page.

          If this is a striking issue for you, then I would encourage you to turn off the telemetry coverage feature, which as I read, only affects 1% of users.

          Also, had this feature been implemented as yet another item you had to manually disable in the options menu, rather than as a hidden addon, would you still be this upset over it?

          9 votes
          1. NeoTheFox

            Have you disabled the auto-update feature in your build of Firefox on your machine? If not, the only extra info they are receiving by the "telemetry coverage" feature is whether or not you have turned telemetry off in the other settings of the options page.

            Yes I have, all Linux installations that are installed via package manager have update checking disabled, and they are updated via the package manager and built on my distro servers.

            If this is a striking issue for you, then I would encourage you to turn off the telemetry coverage feature, which as I read, only affects 1% of users.

            Welp, I am the 1% now

            Also, had this feature been implemented as yet another item you had to manually disable in the options menu, rather than as a hidden addon, would you still be this upset over it?

            I wouldn't - that would be honest and transparent, exactly as Mozilla wants to appear and I trusted it to be.

            3 votes
        2. [3]
          s4b3r6

          And, of course along with this data useragent, ip address and other stuff is leaked as soon as the request is made to Mozilla servers.

          This is content of the ping that Telemetry Coverage fires off:

            const payload = {
              "appVersion": Services.appinfo.version,
              "appUpdateChannel": UpdateUtils.getUpdateChannel(false),
              "osName": Services.appinfo.OS,
              "osVersion": Services.sysinfo.getProperty("version"),
              "telemetryEnabled": enabled | 0
            };
          

          (As well as a generated UUID, as ingesting data requires that).

          Now, this is admittedly more than just telemetryEnabled, and there has been some concern raised about that by the developer lead, though they did sign off for now.

          Slight concern that osVersion at least on Linux gives more information than we really need, but I've now signed off on the change for 61.* and 62.*, so this is live.


          The addon is also over at Mozilla's one-off repository, which is the reason it hasn't asked for an install.

          A one-off, is a backported update. That is, the addon disappears at your next update, but the featureset remains as a part of the browser.

          If you don't want to use it, then create the key:

          toolkit.telemetry.coverage.opt-out as a boolean, with a value of true, and the ping will never happen.

          8 votes
          1. [2]
            NeoTheFox

            If you don't want to use it, then create the key

            Too late for that, the data had already been collected.

            1 vote
            1. s4b3r6

              Had it? It installed for everyone, but only runs for 1% of users.

              6 votes
      2. Soptik

        Looking Glass incident

        Found on looking glass extension reviews page, 9 months ago:

        Oh great, and to think I was using firefox to avoid adware. At least chrome asks for permission.

        Mozilla stealth installing unwantedware... What's the next step? Installing the extensions without user knowledge (and without agreement) and omitting it from the list? Or maybe bundling blobs in the binaries itself?

        Well, looks like it is time for a browser upgrade.

        Emphasis mine

        2 votes
      3. Crespyl

        I agree that this is a much smaller issue than the Looking Glass debacle, but it still leaves a pretty sour taste in my mouth when I think of people who have explicitly opted out of any telemetry, by whatever means they choose, being quietly fed yet another piece of tracking software via a browser and organization that we all really, really want to be able to trust completely.

        It's not a big deal by itself, but it feels ill-considered and in poor taste, particularly coming after the different but not entirely un-related Looking Glass.

        For myself, I opt in to using Nightly and all the various studies and telemetry, because I'm a developer myself and am interested in supporting the project and keeping an eye on how things are going, so this doesn't affect me directly. However, I do care deeply about privacy and control, and when someone tells Mozilla that they don't wish to participate in any telemetry, I expect Mozilla to take that pretty seriously, and not just deploy more telemetry to follow up.

        It's just kind of disappointing.

        2 votes
    2. [3]
      tvfj

      How does it even relate? Looking Glass was scary (i.e. looked like malware), immediately user visible, and served no purpose. These don't look like malware, require you to view them in about:debugging, and have obvious purposes.

      Them being visible in about:debugging is an intentional choice to keep things transparent. They could have easily hidden them, like everything else with an auto-updater does.

      9 votes
      1. [2]
        NeoTheFox

        Looking Glass was scary (looked like malware), immediately user visible, and served no purpose. These don't look like malware, require you to view them in about:debugging, and have obvious purposes.

        Exactly! It was scary and looked like malware because it had been installed through a backdoor in your browser without your consent, but at least you could see what is happening. Hiding this activity is not transparency, it's secrecy.

        Them being visible in about:debugging is an intentional choice to keep things transparent.

        It's exactly the opposite, only developers that are making addons at that moment ever visit that page, there is no reasonable expectation for a regular user to check that page regularly. And at this time when I'm writing this comment the addon in question is gone. So effectively Mozilla just installed an addon, snatched the data and then removed it to hide its tracks. Transparency would be at least a popup telling me that they are about to collect my data, or better yet, don't install anything into my browser behind my back without ever asking me about it.

        3 votes
        1. tvfj

          I meant Looking Glass itself looked like malware, not its delivery. It was titled "Looking Glass", with the description of "MY REALITY IS DIFFERENT THAN YOURS". It didn't describe what it was or what it was doing there, instead it used a tagline literally out of a hacker drama.

          Auto-installing looking glass was a mistake because it was a part of an ad campaign, and the targeted userbase would have installed it themselves. It served no purpose to Mozilla or Firefox's users, and it looked scary. Were it named "Firefox Looking Glass" with the description "Enable in about:config to take part in the Mr. Robot ARG" the headlines would have been very different.

          To clarify. Firefox performs studies, which collect non-user-identifiable data that is used to direct how Firefox is developed. They do not hide the fact that this happens, which would be trivial for them to do. They announce in great detail what they are doing. They publicly comment on what they are doing to clarify misconceptions. If that isn't something you are happy with, I'm sorry to say Firefox does not have the kind of privacy policy you're looking for.

          9 votes
  4. [2]
    hungariantoast

    Here's what OP is talking about (spoiler: it's nothing bad), since OP didn't post a source for their claim:

    Telemetry Coverage

    Finally, we need better insight into our opt-out rates for telemetry. We use telemetry to ensure new features improve your user experience and to guide Mozilla’s business decisions. However, an unknown portion of our users do not report telemetry for a variety of reasons. This means we may not have data that is representative of our entire population. For example, some enterprise builds are preconfigured to not send telemetry and some users manually opt-out of telemetry collection. We believe the large majority of clients do send telemetry but currently have no way of measuring this.

    To address this, we will measure Telemetry Coverage, which is the percentage of all Firefox users who report telemetry. The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry.

    As always, you’ll be able to find the full details about these measurements in public documentation for all telemetry collected within Firefox. And this data collection will go through our data review process to ensure these approaches are appropriately vetted by our Data Stewards.

    We want to deliver a product that meets the needs and expectations of our users. We also want to make sure we can compete in a market where other companies treat data as a commodity. We don’t want or need all of the data that others collect, but data can help us deliver a better, faster product for our users while respecting their privacy, security, and choices.

    Marshall Erwin, Director of Trust & Security

    https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/

    8 votes
    1. NeoTheFox

      Yeah, I knew nothing about what it was when I made the original post, but later I've found out and made a comment with their apology.

  5. [5]
    MacDolanFarms

    I think the point that is lost on a lot of people is that the problem is not what these do (which is fine and boring), but that they can install arbitrary code that runs without your permission.

    3 votes
    1. [3]
      tvfj

      Every piece of software you use that has an auto-updater can install and run arbitrary code on your computer. So long as the maintainers have good security and you maintain trust in them, this isn't an issue. Given that browsers are literally built to download and execute arbitrary code from the internet, it's important to have a well-maintained and up-to-date browser to keep that all secure.

      Mozilla is open source, transparent, and has operated on good faith for decades, with the worst controversies paling in comparison to what their competition does and gets away with on a daily basis. So I choose to trust Mozilla by installing and running their browser and allowing it to auto-update.

      It says a lot that Mozilla is held to such a standard that a story about Mozilla running basic telemetry in their browser is controversial when their biggest competitor by far, Google, is also the biggest violator of user privacy by far, and is taking steps to allow them to track nearly everyone on the internet by forcibly taking over web hosting with AMP.

      10 votes
      1. [2]
        MacDolanFarms

        Every piece of software you use that has an auto-updater can install and run arbitrary code on your computer. So long as the maintainers have good security and you maintain trust in them, this isn't an issue.

        I don't use any software that auto-updates and installs arbitrary software (aside from Firefox).

        Any software with an auto-updater asks me if I want to enable it, and doesn't make me change some obscure about:config flag to disable it. Forcing me to do that breaks my security model, where all of my software flows through my distro's repository maintainers, who I do trust. I install software from there, and update it from there; the software does not get to download and run arbitrary code.

        Given that browsers are literally built to download and execute arbitrary code from the internet, it's important to have a well-maintained and up-to-date browser to to keep that all secure.

        Which I think is a bad thing. I disable JS for all but a few sites who I trust.

        It comes down to this: Trust should be opt-in, not opt-out. I don't automatically trust you, you build up trust over time by demonstrating you are trustworthy. In general, you're right; Mozilla is a decently trustworthy organization. Like I said in my original comment, the key word here is that they do these things "without your permission". If they asked me and I said yes, then that's all well and good. But don't assume I am okay with it.

        All it takes is a simple yes/no dialog. And here's the thing, most of the time when a program asks if it can connect telemetry, I say yes. My issue is not with the action, but simply that they do not ask my permission for the action.

        3 votes
        1. cfabbro

          Opt-in for updates absolutely does not work for web browsers. That was the model they all essentially operated on for decades and it was not only a giant PITA for webdevs because of the insanely slow version adoption rates that resulted in, requiring a ridiculous amount of custom workarounds in order to support out of date browsers, but it was also incredibly detrimental to the ecosystem of the net as a whole, both in terms of security and web standards progress. And those are precisely the reasons every major browser now features automatic update enabled by default and will likely never go back... nor should they IMO.

          7 votes
    2. SleepyGary

      I feel like if this level of obfuscation was being employed by Microsoft or Google the outrage would be more significant.

      The fact that they are doing it like this, a hidden extension with a hidden opt-out config value in the already less accessible advanced settings, is shady stuff, and I would expect better from Mozilla.

      2 votes
  6. [3]
    zptc

    Do these show up in about:addons?

    2 votes
    1. [2]
      NeoTheFox

      You have to click on the gear icon on the top and then click "debug addons". They are hidden.

      3 votes
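      The "debug addons" page above is one way to see add-ons that about:addons hides. A second check, added here as an example and not something any commenter in this thread posted, is to read the profile's own add-on registry from disk, which is useful when you want to audit many profiles or a machine you cannot click through. It assumes the profile directory contains an extensions.json whose "addons" array carries "id", "location", "hidden" and "active" fields; that layout is an assumption about Firefox internals, not something this thread states. The sample JSON is constructed so the script runs offline.

```python
import json
from pathlib import Path

# Constructed sample in the shape of a Firefox profile's extensions.json.
# The field names ("addons", "id", "location", "hidden", "active") are an
# assumption about the file layout, not something stated in the thread.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 31,
    "addons": [
        {"id": "fxmonitor@mozilla.org",
         "location": "app-system-addons", "hidden": True,
         "active": True, "type": "extension"},
        {"id": "telemetry-coverage-bug1487578@mozilla.org",
         "location": "app-system-addons", "hidden": True,
         "active": True, "type": "extension"},
        {"id": "uBlock0@raymondhill.net",
         "location": "app-profile", "hidden": False,
         "active": True, "type": "extension"},
        {"id": "old-disabled@example.test",
         "location": "app-system-addons", "hidden": True,
         "active": False, "type": "extension"},
    ],
})


def hidden_addons(extensions_json_text):
    """Return (id, location) pairs for add-ons flagged hidden and active.

    Hidden add-ons do not appear in the normal about:addons list, which is
    why a user looking there would not notice them.
    """
    data = json.loads(extensions_json_text)
    found = [
        (addon["id"], addon.get("location", "?"))
        for addon in data.get("addons", [])
        if addon.get("hidden") and addon.get("active", True)
    ]
    return sorted(found)


def hidden_addons_in_profile(profile_dir):
    """Audit a real profile directory (path is supplied by the caller)."""
    registry = Path(profile_dir) / "extensions.json"
    return hidden_addons(registry.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for addon_id, location in hidden_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"{addon_id}\t{location}")
```

      Run it against a live profile with hidden_addons_in_profile(path_to_profile); anything reported with an "app-system-addons" location was delivered by Firefox's own update channel rather than installed from the profile by the user.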
      1. zptc

        Thanks. I don't have those two addons.

        1 vote