Update: Looking Glass Add-On (blog.mozilla.org)
393 points by runesoerensen on Dec 18, 2017 | 383 comments


The amount of negative press this received nearly cancels out all the positive news from Quantum's release barely a month ago. It's such a shame that the years of hard work and effort on the dev teams are being overshadowed by such a ridiculous marketing mistake. For a browser that is one of the last big proponents of a privacy-centered, user-first web, these kinds of mistakes can't happen... period. Now it's nearly back to the starting line on re-gaining user trust again.


>The amount of negative press this received nearly cancels out all the positive news from Quantum's release barely a month ago.

I call complete and total BS on this. I may not be on the EFF echo-chamber, and I agree they handled this poorly, but this absolutely does not concern me after hearing the way the add-on behaved. They made a mistake in communications and behavior that should have been expected, but as they said, it did zero data collection and performance impact. It was a screw-up they have fixed via process.

If people are so upset at Firefox for a mostly innocuous mess-up that was quickly called out and clarified/fixed in the future, that they would dump Firefox for the hero of privacy Chrome, they are very foolish in my opinion.


I agree completely. I'm not leaving Firefox over this. They made a silly mistake, with no sinister motivations (can't confidently say the same about any other major browser)


It's a good example of the outrage culture we live in, and have incentivized on social media, being taken very seriously when in reality the issues have very little real effect on people's lives...

Firefox handled a mess up very well. The extension was always opt-in and never extracted any data. It came from a trusted source regardless via another layer of opt-in experiment beta testing.

Yes it wasn't cool they chose poor language and didn't fully consider the implications of installing a 'fun' experiment. But let's keep our shirts on.

Quantum has been more than rewarding and this minor PR issue is hardly deterring me from using Firefox... especially compared with Chrome being built by the biggest ad company in the world.


I think my issue is that everything about this plugin — from the marketing tie-in, to the rollout, to the effects of the plugin itself once activated — all indicate a complete breakdown of core values.

Creating a plugin that modifies content on your screen and injects HTTP headers is egregious enough (just look at the response Comcast got for doing it), but doing it for a TV show tie-in? How did that idea even make it through one round of approvals, much less land on every Firefox user’s machine?

Users trust web browsers to deliver the exact content that was requested — that’s why we have gpg signatures, hashsums, and HTTPS. It’s arguably a core tenet of the web. IMO the reaction of the tech community can only be expected in response to such a deep violation of trust.


There are plenty of people who don't care about the sanctity of delivered web content, as can be seen by the popularity of things such as the cloud-to-butt extension. And I am sure that the die hard Mr robot fans that are the target audience for this ARG wouldn't have seen anything wrong with that extension.

As you said, the real issue here is the terrible decision to push this to everyone.


It is pretty outrageous to have one's computer and information be at the mercy of every software developer out there who thinks it's their divine right to collect information about you and how you use their product, to force install software on your computer and generally treat you - the customer - with contempt.

So yes, people will be outraged.

We're sick of being taken advantage of by dishonest companies and individuals because the US privacy laws are a complete joke.


One caveat, you are the consumer, not the customer. Subtle, but important difference.


Yes, one silly mistake would not be so bad. But they also ramped up their telemetry and also installed cliqz.

Three strikes... and I'm using Safari, because this seems to be the least bad right now. Pretty lame from Mozilla.

Edit: forgot about Pocket.


Here's another perspective - I am not coming to Firefox over this.

After literally years of struggle with Chrome and Firefox I finally switched to Safari (recently I switched to iPhone so on mobile too) and yes for personal browsing, on a Mac, this is really better than any other browser out there and Quantum felt as good. No, I don't have benchmarking scores, but I am speaking from an end user point of view.

I was a lifetime Firefox user - started browsing on it when I bought my first laptop in 2007 and never touched anything else until Pocket happened and after testing Quantum for a few days I was so happy that the Firefox is back. I don't think so. I guess I will sit this one out. It's not an isolated incident. They have been doing it constantly since Pocket.


Are you using uBlock[1]? It seems like an awkward process to go through, compared to FF (or Chrome/ium)...

1: https://github.com/el1t/uBlock-Safari


Yes, I use this extension. Update etc aren't as smooth in Chrome/FF but I haven't faced any major issue. GitHub issues section is quite active and there are helpful users.


> I'm not leaving Firefox over this.

Of course, I am not leaving. The CMO should be leaving!


Indeed. I get that people are upset about this, and might even switch to Pale Moon/Waterfox/what have you, but those that switched to Chrome? Whatever your reasons for switching are, privacy really cannot be it.


> Whatever your reasons for switching are, privacy really cannot be it.

In a universe where no one is ever wrong about facts, sure.


I switched to Chromium, because I get the performance of Chrome without any surprises.


congratulations


> they would dump Firefox for the hero of privacy Chrome

Wrote this in a previous discussion: https://news.ycombinator.com/item?id=15940491

>> updates have been known to re-enable it if you turn it off ... But it doesn’t matter - you’re going to re-enable it on the next update.

> It's surprising how ... trustworthy Chrome is in this regard. My default search engine is set to DDG and through countless updates Chrome has never once attempted to reset it to Google.

Even though Chrome has every incentive to break privacy settings, even though Chrome has every incentive to revert the default search engine to Google, they don't.


In its default configuration Chrome's sync service uses transport-only encryption, not end-to-end, so that Google can read all your history, cookies, and so on. Their privacy policy [0] allows Google to mine this data for its own purposes. I would wager a very, very small proportion of Chrome's userbase manually enables the end-to-end sync encryption option buried in the settings; even technically-minded friends I've told about this are usually surprised.

So Chrome's privacy settings are already broken by default, in nearly the worst way they could be.

[0] https://www.google.com/chrome/browser/privacy/index.html, "Signed-in Chrome mode"


You completely sidestepped the issue at hand:

>> [Firefox] updates have been known to re-enable it if you turn it off ... But it doesn’t matter - you’re going to re-enable it on the next update.

You can choose to opt out of Chrome's phoning home in the privacy settings and they haven't tried to revert those settings in an update (and given their track record, I have no reason to believe they will try to surreptitiously change the settings in a future release)


They document everything they do. See here: https://www.google.com/chrome/browser/privacy/whitepaper.htm...

According to the policy, they use this data only in anonymized and aggregated form.


> If “Include history from Chrome and other apps in your Web & App Activity” is checked on the Web & App Activity controls page, Google also uses your synchronized browsing data to provide personalized Google products and services to you.

That's the default, isn't it? So no, not only anonymized and in aggregate. And either way, your complete raw browsing data is sitting there on Google's servers and associated with your account.


As far as I know, history isn't included in the web & app activity by default, at least on the desktop.


They do this because I set up end to end for my parents and they lost the password. They never want to use encryption again. the default to user-friendliness which is not a bad thing.


Firefox Sync is end-to-end-encrypted with only one password. That Google requires two is a design choice.


Mozilla changed this somewhere down the line (I don't know when). Firefox Sync, back when it was called Mozilla Weave, used 2 passwords.


I don't remember that too precisely anymore, but are you sure that you're not thinking of the identifier? It used to be pretty cryptic by itself. Now they use the e-mail address as identifier.


Maybe I'm confused with some other services. Various services went from 2 passwords to 1.

I did find this on their wiki: https://wiki.mozilla.org/CloudServices/Sync/FxSync/Archived/... interesting tidbit that you could host it yourself. Not sure if you still can.


You can: https://github.com/mozilla-services/syncserver

I hear, it's not that easy to set up, though, as Mozilla only really needed to set it up for themselves a handful of times, probably.


Because that would be absolutely nuclear for Chrome's PR. There are a handful of places where Chrome needs to shine and then they obviously watch out for those more. The depths of the codebase look much the contrary.

With Firefox, the entire codebase has to shine, because someone will find it and hold Mozilla to a far higher standard. A bug in the update process that resets search engines is then only one of many things that they're supposed to watch out for.


It’s very sad that they reset some privacy preferences on updates. It can be explained by incompetence or bad faith, but coming from Mozilla I'd rather assume incompetence.


It's not sad: it's illegal - as long as the EU is concerned.


This is one more anti-privacy move from Mozilla in a series of such moves.

I am now using Safari and have to keep an eye on the family computer to see what crap Mozilla decides to install next.

The nice thing about ethical organisations is that you can have peace of mind and don't have to worry about how they're going to screw you when their marketing department runs amok. Because of cliqz, the annoying telemetry (aka spyware) and this incident, I don't trust Mozilla any more.

Moving to Chrome would indeed be silly, but it doesn't mean things are rosy.


> This is one more anti-privacy move from Mozilla in a series of such moves.

It definitely sucks, but I don't see how it was anti-privacy at all. The extension didn't transmit data anywhere, it just modified web pages.


It didn't even do that unless you explicitly turned on a flag in about:config.


> It definitely sucks, but I don't see how it was anti-privacy at all.

It definitely increased the attack surface area[1] with no upside for 99.9%[2] of Firefox users.

1. It's a juicy target: an addon that can modify the content of any page a user visits? It doesn't take much of an imagination to think of how this could be subverted.

2. My conservative guess of the fraction of Fx users not interested in Mr Robot easter eggs; I probably ought to add a couple more "9"s


> it just modified web pages

That's Mozilla taking another step down a very slippery slope. "It didn't hurt anyone" doesn't excuse ethical or moral wrongs. Given Mozilla's stated commitments to privacy and integrity, their choice here violated them.


Maybe it's both?

This move is a complete slap-to-the-face for everything that Mozilla and Firefox supposedly stands for, and would be heartbreaking for the developers to hear that this is going on in the wake of all the work around "Quantum" and everything else they've won with recently.

But really, this Mr Robot news went no further than an article on The Verge (I presume it even got there?). More importantly, those that care are able to think critically of the situation and don't really have anywhere better to go.


It isn't just about the recent PR mishap, it's about a long string of events that have gradually tried their users' patience and eroded their trust:

https://www.youtube.com/watch?v=qMALm1VthGY

It's also disingenuous to present a false dichotomy with Chrome, as if there weren't any other privacy-focused alternatives out there:

https://www.waterfoxproject.org/

https://brave.com/

https://iridiumbrowser.de/

https://www.palemoon.org/

https://www.gnu.org/software/icecat/


Do any of them have a decent chance of success? Or are they doomed to struggle to copy Chrome's features. Doomed to break because no one tests against them?


If your goal is utmost privacy like many of these projects are providing, you're already going to expect and experience some breakages regardless.

Any browser is going to struggle against the top two behemoths, so I'm not sure why exactly that would be an argument to just accept it and continue using products by companies that have lost your trust. Are end users supposed to compromise their ethics just because web developers aren't in the habit of testing against their browser of choice yet? That just seems like an awfully 'silicon-valley-centric' view of the world.

What does this "success" thing have to do with ditching a product that had violated your trust anyway? Are businesses in most other industries viewed this way? Am I expected to stop buying food from local producers just because the big-box food suppliers are more ubiquitous?

To me, all that matters is sustainability, and IceCat has been going strong for 12 years, PaleMoon has been consistently developed for 8 years, and Waterfox for 6 years. So that's enough for me to at least give them a shot.


Although not a FF derivative, I've been using Vivaldi for a while and do enjoy it. I hate not supporting an OSS browser though, but found even with the performance improvement in FF57, it still didn't compare to a Chromium based browser like Vivaldi. It's got a decently large userbase and could be a viable alternative.


> Doomed to break because no one tests against them?

Every browser on that list is based on either Chromium or Gecko.


It is very difficult to take Brave seriously given how very shady its fundraising (the entire premise of brave is that they can capitalize on selling your attention) was and how historically dishonest Eich has been about using his money for socio-political, anti-libertarian activism.

It's quite a disservice to Palemoon and Waterfox to include such an anti-user project as Brave.


> historically dishonest Eich has been about using his money

I'm not sure what this means. Can you expand on how Eich has been dishonest in how he used his money?


> https://www.theguardian.com/commentisfree/2014/apr/07/brenda...

Eich did everything he could to conceal that his libertarian image was a facade and in fact he was a social authoritarian.

Once it came out he was actively using his money on political campaigns designed to try and further empower and justify the state to decide what relationships between consenting adults was forbidden, he had a rather hard time being taken seriously in this area.

I'm not sure why someone who's actively and monetarily supported politicians saying homosexuals should have to register in a special registry parallel to the sex offender registry is being taken seriously in the privacy arena. Privacy is not something that can be decomposed as an asset to purchase. Every person who doesn't have it leaks information about the people they interact with, and that undermines privacy for everyone.


Hey, Dave. I’m not sure why you thought I was a libertarian. I haven’t identified as such since the ‘80s. As for Buchanan in the ‘90s, I don’t support everything he said - I was most supportive of his economic nationalism.

Did you ever support a politician (say, Obama) only to find they said something you disavowed? Sam Yagan of okcupid did. I disavow Buchanan’s unconstitutional AIDS registry, and probably other proposals he has made.

As for “social authoritarian”, California regulates and licenses marriage via family law, as do all states. I come from an older generation of allies who supported Mark Leno et al. when they labored over, passed, and amended to full positive-rights equivalence with marriage, CA’s Domestic Partner Law (https://en.m.wikipedia.org/wiki/Domestic_partnership_in_Cali...). This was considered just and sufficient, until it was not — and then anyone who questioned the revolutionary tactics used to cast former allies as haters and bigots became a hater too.

I dissent from all such revolutionary tactics and agendas. I agree with dissenting LGBTQ scholars of note on this point re marriage equality, e.g., Camille Paglia. (I don’t agree with those scholars on everything, of course. Same as with most people, including politicians I’ve supported in the past.)

Now the shoe is on the other foot. Marriage equality is law and I’m an officer of a corporation with a genuinely diverse roster of employees. I am committed to the fullest definition of inclusivity, which covers right wingers as well as left, libertarians and non-libertarians. For you to gin up a case that I pretended to be a libertarian is silly (I never pretended that).

But worse, if you judge Brave by a past and too-narrow slice of my opinions, you are doing what haters who boycott Apple because of Tim Cook do. It is your right, of course, but it looks like consequentialism (end justifies means) or really just Who/Whom ax-grinding. I hope you will use Brave in view of what we are trying to do, as a group of people who share a cause and set of beliefs, whatever our other or past causes and beliefs.


I actually supported Brave in spite of your history. We've talked on Mastodon.social about it. I am always a fan of humans being complex and redemption being contextual.

Then I read about BAT. Your business plan soured me.

I'm very sorry that I missed ended your politics Brendan. Sincerely. I obviously misinterpreted what you said. But that changes very little, and I've already spoken at length about what it doesn't change elsewhere in this thread.


You say more about BAT sourness? Here, twitter DM, whatever works. Thanks.


> I come from an older generation of allies who supported Mark Leno et al. when they labored over, passed, and amended to full positive-rights equivalence with marriage, CA’s Domestic Partner Law [...] This was considered just and sufficient, until it was not

Oh, please, no, it wasn't by, well, almost anyone. Most LGBTQ advocates and allies never considered it “just and sufficient”, they (at best) considered it at best a distasteful compromise that was better than the pre-existing state and at worst a capitulation to those who wanted to give religious groups a veto over the definition of civil marriage which ignored the enduring lesson of the struggle for civil rights that separate institutions are inherently unequal and entrenched in law the othering of LGBTQ people and their families and relationships.

The idea that there was ever a consensus, either in society or among LGBTQ advocates and allies, that the separate institution of domestic partnership was “just and sufficient” is rewriting history.


> Oh, please, no, it wasn't by, well, almost anyone.

False. Mark Leno said so. http://www.sfgate.com/news/article/Gay-marriage-up-to-govern...

You may not be familiar, but in previous decades, Mark Simpson, Michel Foucault, and many other gay writers were against "gay marriage", often explicitly arguing it was an embourgeoisement to be rejected.

Andrew Sullivan and others (with lots of documentary and eyewitness evidence) have written about how they had to move the consensus even among gay people toward marriage equality when it was far away. http://www.slate.com/articles/news_and_politics/politics/201...


> Mark Leno said so.

I can believe Leno said that, but I am also quite aware that it was a very small minority opinion even among supporters of the legislation.

I'll also note that Leno isn't quoted as saying anything like that in the article you cite to support that Leno said it, though.

> You may not be familiar, but in previous decades, Mark Simpson, Michel Foucault, and many other gay writers were against "gay marriage", often explicitly arguing it was an embourgeoisement to be rejected.

You are misrepresenting Foucault, who did not argue against (or for, it just simply wasn't a controversy he addressed) equality in marriage but that the limitations (irrespective of sexual preference of the partners) of socially acceptable and institutionalized relationships to only marriage and family-by-descent ought to be lifted and additional forms of relationship recognized and valorized.

Neither did Simpson come from the radical, anti-embourgeoisement, angle you suggest, instead simply buying into the (historically inaccurate) religious right story about the origin of civil marriage and the pro-state-establishment-of-religion argument of the religious right that would give the religious right veto power over the civil definition of religion. That's certainly a viewpoint that exists—and which AFAICT Simpson still holds—but it wasn't a dominant one among LGBTQ activists and allies anytime in the 1999-2011 history of the establishment and expansion of California's Domestic Partnership system. Not even when aggregated with people who did take the radical position you identify, even though neither Simpson nor Foucault are among them.

> Andrew Sullivan and others (with lots of documentary and eyewitness evidence) have written about how they had to move the consensus even among gay people toward marriage equality when it was far away.

I'm not sure why you are pointing to a Slate article that is simply a reprint of one of Sullivan's 1989 articles laying out a conservative case for gay marriage to support your contention that Sullivan and others still had to move the consensus of LGBTQ advocates and allies to support marriage sometime after the time in 2011 when California harmonized domestic partnership with marriage so that the two arguably differed in name only.

Sullivan was certainly important in moving the needle in terms of what people thought was reasonable to set as a near term goal and how they sought to sell it (whether he really shifted the ground on the long-term goal, or just made it seem less quixotic and pie-in-the-sky might be a debate), but he did that well before the time you are referencing.

You spin a fine tale, but it seems to be entirely historical revisionism backed with red herring links and name dropping.


I'm not spinning, I saw Leno on the news. I'll try to find a decent link.

As for Simpson, others should read him and decide for themselves: https://www.theguardian.com/commentisfree/2008/dec/02/propos... (among other pieces)

Pretending marriage equality was always on deck when Leno et al. were working on domestic partnership is the spin here. Either the advocates of the previous decade's reform were not telling the truth (and Obama was strategically lying when he too endorsed civil unions but rejected marriage equality), or they meant what they said at the time. You can't have it both ways.

Again the revolutionary (full Alinsky) playbook is evident: down the memory hole with the past; lie (to self and others, doesn't matter) about goals, promising no further; then go further the minute you get it and isolate and demonize anyone who objects. No thanks.


> Pretending marriage equality was always on deck when Leno et al. were working on domestic partnership is the spin here

I'm not sure what you mean by “on deck”. If you mean tactically attainable, yes, there was a wide view even among advocates and allies that it was not. DP was a tactical advance, on that there was broad consensus (though, ironically, the anti-embourgeoisement radicals you point to support this weren't part of it, as they generally viewed marriage as an archaic social institution not to be sought or imitated, but to be eliminated.)

But your claim wasn't about what was viewed as politically pragmatic, but about DP status being seen by advocates and allies generally as “just and sufficient”, rather than unjust and insufficient because it was separate, but at least better than the status quo ante because it was—to the extent possible for the state alone—formally equal.

> and Obama was strategically lying when he too endorsed civil unions but rejected marriage equality

Disagreeing with a movement's aspirations isn't a lie. Now, whether Obama was a secret supporter tactically lying to placate opponents, a moderate opponent of the goals of the movement telling the truth, or a stronger opponent telling tactical lies to get support of the movement while not alienating its opponents is...well, completely irrelevant to whether the movement itself saw civil unions as “just and sufficient” rather than merely a lesser injustice than the status quo ante.

> Either the advocates of the previous decade's reform were not telling the truth [...] or they meant what they said at the time.

You are conflating LGBTQ advocates with the politicians who were (or, in Obama's case, were not) involved in reforms. Those may be overlapping groups, but they aren't the same groups.

Now, if all you meant to say was that you identified with the narrow, political establishment group that endorsed civil unions as the end goal rather than the mainstream of LGBTQ advocates and allies at the time who openly called for marriage equality as the goal but accepted formally equal unions as a tactical advance, that's defensible. But it's not at all defensible to claim that the movement saw civil unions as “just and sufficient”, that was overtly never the case, whatever a handful of politicians trying to balance between the movement and conflicting groups might have said (and, who knows, might have even believed it when they said it.)


It's pretty wild how far into this we are given that Eich wants to present himself as somehow pro-LGBT for Prop8 support.

Perhaps it has been lost to the sands of time, but it seems curious that this didn't come up as a publicly stated defense while the Mozilla board was contemplating what to do with their total PR disaster out of a corporate office.


Why might that be? You are smart, I think you will figure it out from public info. I’m bound by non-disclosures so cannot say much.


Your decisions are your own. But trying to suggest that donating for CA's prop-8 was in fact a pro-LGBT act is simply not going to work well here. Please stop insulting our collective intelligence suggesting this.

If you've changed your mind, or have reasons, or whatever? Great. But trying to suggest that in fact you were a better advocate and steward of LGBT rights while (perhaps unintentionally, perhaps deliberately) suggesting everyone else was wrong in what they wanted? No.

You could also just say, "I have changed my mind" or "I have decided this issue is less important to me now" or even maybe, "I thought I was doing the right thing, but in hindsight I chose a bad strategy." A million other phrases that own your actions and don't project onto others.


> trying to suggest that donating for CA's prop-8 was in fact a pro-LGBT act...

I suggested no such thing. I said explicitly I was sticking to a previous bargain. Hate on that if you must, but don’t put words in my mouth.

At this point you have misread so many declarative statements I’ve made here that I am going to let you have the last word, if you like. But no, I never suggested that. It seems to me you are engaging in faulty logic to cast what I wrote in an either/or. Stopping here.


Thanks for explaining!


Your critique of Brave doesn't square with my understanding of the Brave ecosystem since I started seriously following it just before the BAT ICO.

This technical interview with Eich was extremely illuminating and I'd urge you to watch it, particularly the second half: https://www.youtube.com/watch?v=MUtHhYes6-A

The current ad-tech ecosystem is a complete disaster, and Eich's vision for replacing it is, I think, genius.

Leverage properties of cryptography to build a browsing experience which respects privacy but retains opt-in ad relevance and anonymous metrics, and further leverage developments in cryptoeconomics to balance the requirements of user <-> publisher <-> advertiser in a properly-designed content generation and consumption ecosystem.

I find the whole idea elegant, ambitious and pragmatic.

What specifically do you find anti-user about Brave?


> The current ad-tech ecosystem is a complete disaster, and Eich's vision for replacing it is, I think, genius.

Eich's SALE of positioning his company as a gateway to all online advertising while spinning this as "pro-privacy" is indeed genius.

His actual vision of the product and the positioning of Brave as a controlling arbiter over all ads (and thus, as a central collection and monitoring point for data around ad consumption) is quite dystopian.

Nothing about logging our ad views to a publicly inspectable blockchain is in the interests of privacy. All it does is offer Eich's company an opportunity to make yet another skeezy ad platform with a new series of buzzwords. It will not be more difficult to game than any other browser, but it will sound impressive and current and gain ad buys.

And I submit that the inevitability of the ad network is itself a questionable notion when a more direct service economy is not only historically how things were done. That model faded as broadcast technology outpaced other IT, but as other IT caught up we've been seeing a return to direct-to-customer service models and these are outperforming ad models in some media markets.

It is not inherently a "blockchain" idea to sell off your time as ads in order to pay for your browser, and other folks are at least pretending to align their business model with user interests while building an information and attention economy (e.g., Steem)


Please read the white paper at attentiontoken.org. We do not dream of monopolizing the browser market, of course.

Apollo phase of the roadmap will have multiple clients supporting BAT, with as much endpoint (client and site/creator/user, hard KYC issues here due to centralized fiat currencies and governments) logic moved on chain as we can given future Ethereum scaling and anonymity support. Web standards for particular innovations as apps join the platform and gain enough scale.


Maybe you don't have any sensitive info being accessed day in and day out but some of us do. And we trust Firefox with it. I panicked when I saw the add-on because I use the same browser for trading as well.


On the other hand, I was in the process of moving over to using Firefox as my main browser, and this has me reconsidering that decision. Chrome is far from perfect (and chances are I'll move to Firefox or some fork anyway because the main process in Chrome keeps seemingly pegging one core [constant 20-25% CPU usage]), but they haven't made the obvious mistakes Firefox has (adding Pocket to the default browser, the handling of this extension) and I generally feel it stays more out of your way (probably a personal dislike of mine, but I wasn't fond of opening Add-on settings and it presenting a list of suggested stuff to install).


I may seem naïve but I'm kind of constantly surprised that people take this attitude with open source. Nothing is stopping one of these people from building FF from source and having exact total control over how it behaves. Instead they farm that part out and then get upset when this group of people who have alleviated you of that work make a mistake? It's just extreme entitlement.


>Nothing is stopping one of these people from building FF from source and having exact total control over how it behaves.

Yeah, but since it doesn't have an entire dev team committed to it, the fork dies and/or you're using an out of date browser with all sorts of security vulnerabilities and incompatibilities. Some attempts with actual resources behind them:

Cyberfox - dead

PCXFirefox - latest merge was FF 53. Using outdated plugins (e.g. Sumatra PDF from 2014!)

Waterfox - dead

Pale Moon - Still alive. Removes a host of features (e.g. Accessibility and Parental Controls) in the name of performance, yet performs horribly in benchmarks. Slow to adopt new features.

Besides, who's going to use these? A tiny fraction of the population consisting of people reading this thread and threads like it? Who cares?

So yeah, you _could_ "just" fork FF, but it won't get you anywhere. And why the hell am I doing this? I have much better things to do with my time than maintain my own damn web browser. I am constantly amazed at comments like this which are so obtuse as to be comical.


> Waterfox - dead

Since when? Its last commit was 5 days ago:

https://github.com/MrAlex94/Waterfox


I'm amazed by people who act like using someone's software product is like some kind of sacrifice or something.

My point is that, if you (not a dev team) don't like something you (again, not a dev team) can build it from source to do exactly what you want. Firefox is OSS, most of the popular extensions are OSS. That's the whole point of the thing.

Mozilla has done a pretty good job of championing open standards, open source, user freedom, and all the stuff that people complain about on HN as if they weren't squarely first world problems. You outsource the upkeep of this incredibly complicated software to them and for the most part they do a great job. The level of vitriol about all of this just illustrates the whole "from-zero-to-death-threat" thing that has happened with everything in modern life.

I'm saying that they give you something awesome. They mainly do a pretty good job of championing some of the things that you care about. They made a mistake and they seem to understand everyone's displeasure with it. The end...or get off your ass and do something about it rather than just complaining about how the people giving you the awesome free thing hurt your fee-fee's.


> Waterfox - dead

I never would have guessed. Browsing this thread and writing this comment in my sparkling brand new Waterfox 56.

> Pale Moon - Still alive [...] Slow to adopt new features

Slow or reluctant by design. A fork from way back before FF started dismantling its UI. Many new 'features' will never be adopted by Pale Moon.

Snark is fine, but please base it on fact.


> The amount of negative press this received nearly cancels out all the positive news from Quantum's release barely a month ago.

Which is silly, IMO. What did this addon actually do, besides be installed without user consent? If this article is correct, the addon was installed automatically but was not 'activated'. Seems like a fuss over nothing, to me, but somebody correct me if I have the details wrong.


It's not what the extension did or did-not do, it's the fact that Mozilla was originally a champion of privacy, open-source, and free software. The entire purpose of this browser was to escape the corporate bullshit of Netscape/AOL.

I switched from Chrome to the latest Firefox browser due to the awesome work the team has done on bringing it into the future. Then I find out that it comes pre-loaded with Pocket and this dumb ass game extension for a TV show promotion? Are you joking?! Fool me once...at least you can expect the level of integration you get within Google/Chrome.

This was completely incongruent with the ethos of Mozilla and Firefox. That is why this is a big deal. It's a huge slap in the face to those of us who choose to use this software because we know it WON'T do things like this.


The extension is open source and free software, and did not violate your privacy. The bad thing about it was that it was unclear that it was so, which really indeed is bad communication, but let's not pretend that Mozilla is not a champion of privacy, open source and free software. It's just that they're not perfect, which is a shame, but that's it.


Ethical software development needs to be taught in schools, because the level of discourse here is dismaying.

It is NOT ok to force install marketing/advertising content on somebody's computer. Not ok, can you understand that?

It does not matter if the content is open source, who developed it or where or how it was announced.

And in this matter they HAVE to be perfect. It's not hard. Someone should sign off on features and block any silly marketing or advertising stunts. Not rocket science.


"And in this matter they HAVE to be perfect. It's not hard."

How arrogant. It seems that even you struggle with being perfect...


When perfection means not collecting information about one's customers without their permission, that's a very low bar to pass...

One needs to invest significant design & development time in order to be "less than perfect" by adding tracking. Perfection would be easily within reach if corporate greed and lack of morals wouldn't be fighting it every step of the way.


This is correct, and I understand that, but that does not mean that it violates privacy or is somehow not open source or free software.

That said, I find the notion that being perfect is not hard rather ridiculous.


No one is perfect.


Pocket can be disabled by setting extensions.pocket.enabled to false.

Mozilla has admitted the promotion extension was a mistake and is removing it. I cannot remember the last time this sort of episode ever occurred with Firefox, it should be passable as a one-off.


Pocket is still there, enabled by default.


What's wrong with Pocket?


https://news.ycombinator.com/item?id=9667809 was contemporaneous with the introduction of pocket. The top comments are probably representative:

> It is so unlike Mozilla to introduce something like that, I ran a virus scan and checked what programs had been installed recently -- I assumed it had been put there in the same way that IE users used to get the Ask Toolbar installed.

> It says a lot about Mozilla when they decide to bundle fad features like these after spending years stripping existing features out of Firefox. During their effort to dumb-down Firefox, it was common to hear that removing those features didn't matter, as they should be provided by extensions instead. Apparently that cheap excuse is ignored when the feature when it is convenient to do so.

> Worst of all, there has been almost no communication on this. I subscribe to Planet Mozilla and read everything that seems interesting to me, and I still didn't know this was coming.

> They bundle it because they get paid for it. Same story with the new suggested site advertising. The alarming thing is that this way Mozilla is losing its independency.

> I didn't know I ever had to read the fine print with anything from Mozilla, and it turns out I was wrong.

(These are remarkably similar to the criticisms leveled against the current situation)


What's right with it? If I want to install it I will. I don't, but Mozilla feel that is their choice to make, not mine.

You can't remove it (and disabling it is hard enough), so you cannot reduce the attack surface of your browser if you don't use it.

It's also really badly integrated into the new mobile version.


> and disabling it is hard enough

There's no need to disable it since nothing happens until you click the button. Removing the button itself is as simple as right-clicking it and clicking on the (only) available option: Remove from Address Bar.


but... why do I have to?

"there's no need to remove the crapware bundled with [pick one: Android, Windows, Ubuntu] since nothing happens until you click the button. Removing the button itself is as simple as [opening the Settings, opening Control Panel, apt-get remove]." mozilla is in a seriously bad spot if it's lowering itself to the level of Acer, HP & co bundling crapware to the brim.


It's not about what's right or wrong about Pocket.


The point is that Mozilla prides themselves on transparency, but the name of the config option was "extensions.pug.lookingglass" -- meaningless buzz words with no reference to Mr. Robot -- and the description was just "MY REALITY IS DIFFERENT THAN YOURS" -- an enigmatic Alice in Wonderland quote.

It's actively trying to be opaque. That's the opposite of transparency.

Curious adventurous people install the test build because they want to try out new features and extensions. Those are the users who are most likely to know about and use "about:config". The config option and description of the plugin are mysterious and enigmatic, which tempts your curiosity into turning it on to see what it does, because you presumably trust that Mozilla wouldn't distribute just any old extension that didn't have a purpose other than scanning and modifying the content of every web page, inserting dynamic content adjacent to keywords, and advertising a TV show.
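Added example, not part of any comment in this thread and not Mozilla's code: a small auditor that reads the text of a Firefox `prefs.js` or `user.js` file and reports the state of the two preference names quoted in the thread, `extensions.pocket.enabled` and `extensions.pug.lookingglass`. The sample file contents are constructed, and treating the Looking Glass preference as a boolean is an assumption; `prefs.js` only records values that were explicitly set, so a missing entry means the browser default applies.

```python
import json
import re

# Preference names quoted in the thread above. The short descriptions
# paraphrase the commenters; they are not taken from Mozilla documentation.
WATCHED_PREFS = {
    "extensions.pocket.enabled": "Pocket integration",
    "extensions.pug.lookingglass": "Looking Glass add-on switch",
}

# One statement of a Firefox prefs.js / user.js file:
#   user_pref("name", value);
# The value is matched lazily up to the final ");" so that a string value
# containing ")" or ";" is still captured whole.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)

# Constructed sample, not taken from a real profile. The boolean value for
# extensions.pug.lookingglass is an assumption made for this example.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/?a=1); b");
user_pref("extensions.pocket.enabled", false);
user_pref("extensions.pug.lookingglass", true);
user_pref("browser.cache.disk.capacity", 358400);
"""


def parse_value(raw):
    """Convert the textual value of a user_pref() call to bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        try:
            # Common JS string escapes (\" \\ \n \uXXXX) are valid JSON too.
            return json.loads(raw)
        except ValueError:
            return raw[1:-1]
    return raw  # unknown form: keep the raw text rather than guess


def parse_prefs(text):
    """Return {name: value}; comments and malformed lines are skipped.

    A later line for the same name overrides an earlier one.
    """
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit(text):
    """Return {watched_name: value or None}; None means not set in the file."""
    prefs = parse_prefs(text)
    return {name: prefs.get(name) for name in WATCHED_PREFS}


def report(text):
    """Return one human-readable line per watched preference."""
    lines = []
    for name, value in audit(text).items():
        if value is None:
            state = "not set in this file (browser default applies)"
        else:
            state = f"set to {value!r}"
        lines.append(f"{name} [{WATCHED_PREFS[name]}]: {state}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PREFS_JS):
        print(line)
```

To check a real profile, pass the contents of that profile's `prefs.js` to `report()` instead of the sample string.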


To be fair, this was part of a hint in a scavenger hunt, so being opaque is pretty much required in that context.

Did it actually display an ad? I didn't see anything such on my Firefox.


If being opaque is pretty much required, then Firefox is absolutely the wrong context for that extension, whose whole point is transparency.

It's not that it displays an ad, it's that it IS an ad.

Not only that, but it also parasitically hooks in and wastes resources (memory, cpu time, battery life) in each and every tab visiting each and every web page.

That's yet another reason it's totally inappropriate in the context of Firefox, which is trying to dig itself out of the hole of being slow and bloated.


> If being opaque is pretty much required, then Firefox is absolutely the wrong context for that extension, whose whole point is transparency.

Fair point.

> It's not that it displays an ad, it's that it IS an ad.

If it's an ad, it's the most well-hidden ad in history, since you need to find both a hidden preference to turn it on and a specific and non-documented website to let it display anything.

> Not only that, but it also parasitically hooks in and wastes resources (memory, cpu time, battery life) in each and every tab visiting each and every web page.

No, it doesn't.


Advertisement or not, it is software created for the purpose of marketing, increasing brand awareness/engagement.

More importantly, it is software that has nothing to do with improving Firefox, collecting telemetry, error reports, running tests, experimental features, or anything else the Shield Studies program is ostensibly to be used for.


> More importantly, it is software that has nothing to do with improving Firefox, collecting telemetry, error reports, running tests, experimental features, or anything else the Shield Studies program is ostensibly to be used for.

I agree that delivering it through Shield was not a good idea.


>If it's an add, it's the most well-hidden ad in history

So well hidden, it's practically underwater.

http://www.paulgraham.com/submarine.html

Yet in spite of how well hidden it was (or rather, because of), we're now all talking about Mr. Robot, somehow. Funny how that works!

> No, it doesn't [parasitically hook in and waste resources]. [...] since you need [...] a specific and non-documented website to let it display anything

Yes it does hook into and waste resources and potentially display ads on ALL web pages.

Hover text injected into headline on Washington Post #39: https://github.com/mozilla/addon-wr/issues/39

Have you read the source code?

background.js: https://github.com/mozilla/addon-wr/blob/master/addon/backgr...

content-script.js: https://github.com/mozilla/addon-wr/blob/master/addon/conten...

The extension literally injects ads for Mr. Robot in the form of popup tooltips with links on every web page that contains certain keywords. And it also wastes memory, CPU time and battery life for web pages not containing those keywords.

How much more like parasitic adware does it have to be before you can see that it walks and quacks like a duck, because its intended purpose is to advertise a television show?

https://news.ycombinator.com/item?id=15936727

>It injects a blob of CSS and some JavaScript into every tab, then it does a regular expression search of every text node on each page, filtering out everything but paragraphs, then for each occurrence of a keyword in the text, it creates a new text node to split the current text node, then inserts a new span element between them, containing its own text node, then it creates an additional tooltip element containing six text nodes, five br elements, and one anchor element linking to https://support.mozilla.org/kb/lookingglass , and it also configures css class names to associate all those new nodes it created with the blob of css styling and animations that it injected.

If you wanted to develop your own malicious adware like Superfish that injects your own ads into every web page, this code and the browser hijacking techniques it uses would be an excellent starting point.

Browser Hijacking: https://en.wikipedia.org/wiki/Browser_hijacking

Threat Introduced via Browser Extensions: https://blog.sucuri.net/2014/10/threat-introduced-via-browse...

How to find Chrome extensions that inject ads into any webpage I browse? https://superuser.com/questions/893843/how-to-find-chrome-ex...


It being installed without user consent is pretty shitty, but this whole time I was under the impression that it was enabled by default, which is insane.

If it wasn't in fact enabled, it's still dumb, but to me a misstep in respecting the user and not a complete breach of trust.


Its existence is fine, in fact I wouldn't even mind seeing more collaborations of its kind.

The problem is that auto-deploying marketing software (inert or not) over a channel expressly described as being a tool for development, debugging, and testing, is a breach of trust, and/or an indicator of massive process failure within the Mozilla organization.


The point is that they make a browser. I don't want anyone installing random stuff for a TV show into the program I use to access the internet without my consent.

Another example: https://blog.mozilla.org/press-uk/2017/10/06/testing-cliqz-i...

> This experiment also includes the data collection tool Cliqz uses to build its recommendation engine. Users who receive a version of Firefox with Cliqz will have their browsing activity sent to Cliqz servers, including the URLs of pages they visit.


And directly following your quote:

> Cliqz uses several techniques to attempt to remove sensitive information from this browsing data before it is sent from Firefox. Cliqz does not build browsing profiles for individual users and discards the user’s IP address once the data is collected. Cliqz’s code is available for public review and a description of these techniques can be found here.


It's irrelevant whether spyware is open source or it uses anonymisation techniques.

Installed without explicit consent + collecting data = spyware.


Retrofitting something into a definition does not help anyone. We have more precision available than calling it "spyware" can deliver, so argue around that. If you think their anonymisation techniques are faulty or you have reason to believe that Cliqz will violate the law by collecting personal data, then bring that forth.


It's unfortunate, I agree; but it's the principle of the matter.

This was the company who extolls privacy, openness, and attracts (among others) the sort of people who are uneasy at competing browsers shipped by advertising companies, or old-guard software shops pivoting into more profitable ways to leverage their installbase. This was the company who branded, then re-branded themselves as champions of a more people-conscious web. The exact company who should've known better.

Even their apology, though probably sincere, has a tinge of corporate, marketing wishwash. Maybe it's just the title, but a "We Messed Up" would've been punchier without being vulgar, instead of this bury-the-headline-style "Update on..." crap all too familiar from security vulnerabilities.


>Which is silly, IMO. What did this addon actually do, besides be installed without user consent?

1) Demonstrated that Mozilla has the ability to silently push addons without any kind of notification to the user that their browser behavior has been patched.

2) Demonstrated (allegedly) that there are privacy and security related preferences in Firefox that are reverting themselves to less-safe defaults without user interaction, aka Microsoft preferences.

3) Demonstrated Mozilla's marketing department lacks the good sense to respect these capabilities for the loaded gun they are

It's not about what they did, it's about what they could do. Mozilla doesn't need these tools, and these tools are dangerous. Why did they make them? Why shouldn't we ask Mozilla to remove them?


> 3) Demonstrated Mozilla's marketing department lacks the good sense to respect these capabilities for the loaded gun they are

This is the most critical issue, by far. Apparently nobody ran this by any reasonable person or went through any reasonable review process before shipping it.


They may have some naive people running things. When you have millions of people running your software stuff like this tends to blow up. I personally don't see it as a huge issue of a breach of trust but I don't fault people for being mad about it.

This is nowhere near the level of naiveté that Google had when they had a real name policy for some of their services that outed dissidents, LGBTQ people, and other marginalized people. Not even the same ballpark. If Mozilla really wanted to do something nefarious or bad they could have added things into the codebase directly instead of as an adjunct. I still trust Mozilla personally and I believe they are a net benefit to the internet.


>Demonstrated that Mozilla has the ability to silently push addons without any kind of notification to the user that their browser behavior has been patched.

If you allow firefox updates they can silently push any code on to your machine, right?


yes, and most people have grudgingly accepted the semi-weekly FF updates in order to receive the latest security updates... to hijack that update contract to push a marketing agenda is counter productive


Updates are under public view, and users can trust that this process is hard to infiltrate. Silent addon-installations in the background, which apparently can be even pinpointed to specific usergroups, are not. Mozilla can anytime do anything on your system, without anyone watching them, and people just learned the hard way about it.


> 1) Demonstrated that Mozilla has the ability to silently push addons without any kind of notification to the user that their browser behavior has been patched.

Wait, did someone assume that Mozilla didn't have this ability? How did people think that they got security updates?

> 2) Demonstrated (allegedly) that there are privacy and security related preferences in Firefox that are reverting themselves to less-safe defaults without user interaction, aka Microsoft preferences.

If that's the case, it's a bug. Bugs happen. Regardless, doesn't seem happen

> 3) Demonstrated Mozilla's marketing department lacks the good sense to respect these capabilities for the loaded gun they are

Fair enough, to some extent.

> It's not about what they did, it's about what they could do. Mozilla doesn't need these tools, and these tools are dangerous. Why did they make them? Why shouldn't we ask Mozilla to remove them?

Wait, what? Why does Mozilla have tools to distribute code? Because Mozilla uses it regularly to fix issues. This has been the case since Firefox 1.0, I assume.

Why does Mozilla have tools that handles and/or updates and/or forgets preferences? Because preferences can't be handled anywhere else, since they are preferences for Mozilla tools. I haven't heard of preferences being force-changed until now, with the exception of fighting malware and switching stuff from experimental to mainstream. But, yeah, bugs happen.

Why does Mozilla have a marketing department? I assume that's not a real question.


>Wait, did someone assume that Mozilla didn't have this ability? How did people think that they got security updates?

Via an updater that pops up a little window showing you Mozilla is installing stuff, or via an apt-get/yum/whatever command. Point is, it is (and should be) visible when Mozilla is pushing code.


> Wait, did someone assume that Mozilla didn't have this ability? How did people think that they got security updates?

The difference is that in one case the updates are released following a public process, with bugzilla entries, proper review and engineering practices, while in the other case it's pushed with no oversight, secretly, by some guy in marketing. It's like Google Tab Manager in your browser. Browsers are too sensitive, too central in people's lives nowadays to allow such things.


It was activated, but not activated-activated (in that the addon gracefully decided to not do anything). But obviously we can't delegate that decision to the addons, that's why the addons pane exists after all.

Which begs the question: if you had to do something to activate it anyway, why abuse the "studies" sidechannel to install something that is deactivated, when you could just as well prompt to install it when it's meant to be activated?


The "studies" sidechannel is the ideal place to distribute a deactivated plugin if you want curious people to activate because they want to test out new features. People subscribe to the studies sidechannel BECAUSE they want to try out new features, and those people tend to know about and use about:config, so it's likely many people will enable it, to see what it does.

And here's a bug report about something it does:

https://github.com/mozilla/addon-wr/issues/39


> People subscribe to the studies sidechannel BECAUSE they want to try out new features

AFAIK, you are opted-in by default - I recently had to disable it on a clean installation.


You're right that "studies" is designed for distributing/testing experimental features, among other development and debugging uses.

I'd dispute any characterization of LookingGlass as a Firefox feature though, and feel very strongly that using Studies to distribute marketing software (inert or not) was an entirely inappropriate use of the tool.

Mozilla being willing to use Studies (or having a process that allows for it to be used) in this way means that, although I was fine with the extra telemetry, debugging, a/b testing, etc., I cannot trust Studies to be used strictly for development related things.


I kinda agree, I feel like this very important detail is being overlooked or out right ignored for the sake of raising pitchforks.


What it did is that it broke user trust, something that Mozilla used to be quite big on. Very bad mistake imo.


How did it break user trust? I mean, I see that some people are unhappy, and I can't say that this stuff was thoroughly thought out, but this was an add-on whose only effect on user's computer was... nothing, by design, unless you opted-in.


> Which is silly, IMO. What did this addon actually do, besides be installed without user consent?

Should be

> Which is silly, IMO. What did this addon actually do, besides break a trust and confidence that's been hard won over many years?


If Mozilla is willing to ship adware in their browser, how can I continue to trust them? The fact that this advertisement was innocuous is totally irrelevant, the problem is that there's nobody in the chain between marketing and product release that had the sense to say "hey, that's a terrible idea, we shouldn't do that to our users".


Add-on was also closed source.

"Here, let me push closed source partner marketing materials on your bandwidth to you."

Directly contradictory to espoused values they trade on. Shameful.


>Add-on was also closed source.

What made you think it was closed source? The source for the add-on: https://github.com/mozilla/addon-wr


Not very different from Pocket nor Hello?


Neither of which should have been included in the core browser (even though I quite liked hello, and have been using appear.in, its more stable cousin, for years now)


It's almost worse they didn't make any money for it. Shows what price they put on your privacy and autonomy.


How can that possibly be a downside? If they had made money, people would be even more up in arms. If anything, this reinforces the “Easter egg” intent of the extension; it serves no other purpose.


"Even when turned on no user data was collected or shared."


I have switched back to Firefox after years on Chrome due to Quantum, and could not be more pleased with the switch so far. This is disappointing, but doesn't really affect my decision


Firefox still crashes or freezes for me.. (Arch 6gb ram) -- I want to be able to use it, but chrome seems to work better and longer. I do like tree-style tabs, but I can't have my browser crashing or freezing when I'm working. Time is money. I also noticed that some of the dev tools stuff doesn't catch as much as google chrome does... I couldn't solve an issue because some vue errors weren't showing at all.. open it up and chrome and the console lit up.

Albeit I'm more of a backend guy so debugging in chrome/firefox isn't my forte, but I can usually gather enough data from dev tools to fix things.


The record of the last few years is directly contrary to popular belief that they are privacy-centered.

This wasn't a mistake, it was the inevitable outcome in a culture which has lost sight some time ago of its nominal core values.

House should be cleaned before trust is re-earned.


I fully understand and empathize with the reaction that has happened and now that Mozilla (my employer) has a statement apologizing and committing to a public post-mortem (which I fully support) to the folks who are raising issues with the timing and sequence of events leading up to the response itself since Friday (I won't comment on the incident itself, since that's the job of the post-mortem) I wanted to mention one thing that may help add some human perspective:

Mozilla is a distributed organization and was on the last day of its in-person, week-long, bi-yearly all-hands meeting in Austin on Friday when this started. At the time, and through large parts of Saturday, many Mozillians were in last-minute meetings, airports, in the air, or on the road, and were all concluding a week's worth of meetings where everyone was getting face time with collaborators and hashing out in person what we're doing for the next 6 months.

I was not involved, but you can imagine that when trying to decide what to do in response to something like this that many people need to coordinate. So it was a bit of a perfect storm of having tired humans, many of whom were in and out of internet access, etc.

edit: I fully understand the frustrated replies -- as I mentioned I personally feel that the reaction by the community to what happened was justified -- I wrote this not to comment on what happened (as noted in the post, Mozilla has publicly committed to a post-mortem) but wanted to provide this info about this unfolding when a lot of people were traveling, etc. I was happy and thankful to see this posted today and our rollback of the add-on over the weekend and hope that the follow-ups planned help us learn and move forward in a way that the community supports.


Maybe Mozilla needs to part ways with the people that are pushing for marketing and advertising stunts like this or cliqz and put in charge people that care about open source, privacy and the open web and are also willing to fight for them.

Then it wouldn't matter that everyone was in an airplane, because stupid proposals wouldn't be accepted in the first place.

It would also be nice if the CEO or CTO would chime in, having an official reply by marketing makes it look like marketing is calling the shots.


The criticism that is taken seriously the least is the uninformed.

1) this was not an ad 2) Cliqz is not an advertising stunt. If there's ever a way to dismantle search engines monopolies it has to have support from a browser.


> 1) this was not an ad 2) Cliqz is not an advertising stunt

So what is it exactly? It's neither for security nor enhancement purpose.


I think this is a big fuck-up by Mozilla but I agree that some of the reactions are a bit over-emphatic. Actually I hope that this big backlash means that Mozilla is less likely than others to try something like that in the future. I personally don't plan on changing web browser and I hope Moz won't suffer too much for this mistake (if only because I love Rust).

That being said your reply and others before make me a tad uneasy because you seem to say that it's possible for a small team of, I guess, mostly marketing people can sneak an extension into a Firefox release "under the radar". Are you telling me that if I have some access to the Mozilla repos I can wait for one of these "bi-yearly" meetings and get questionable changes into the next release? A web browser is a critical piece of software, you shouldn't be able to push a novelty extension (regardless of intent) willy-nilly.

I think adding a new default extension in Firefox should go through tons of scrutiny and code review. And if that was the case I can't imagine that nobody would've raised a big red flag along the way saying "wait guys, are we sure we really want to do this?"


No I wasn't saying that at all, and wasn't commenting on anything having to do with the roll out of the change, etc.

Also the stated goal from here by the folks working on remediations for the post mortem is this can't happen again so hopefully what is shared at that time will help alleviate concerns.


>you can imagine that when trying to decide what to do in response to something like this that many people need to have their feedback taken into account before any statements are made or actions taken.

If only such care was put into deciding whether or not to ship adware in your browser, maybe you guys wouldn't have this problem.


"perfect storm" is an overused cliché that needs to die. It suggests a confluence of extreme events that when occurring singly wouldn't do (much) damage but when occurring collectively overwhelm you by amplifying the overall severity.

If you have bi-yearly meetups. This is not unforeseen. In fact, it's quite predictable.

Lots of orgs have a no-releases-before-the-weekend policy because stuff that happens Friday doesn't get fixed until Monday.


From Mr. Robot's own Whiterose: There are no coincidences.

Or rather, from my perspective, of course there are coincidences; it's just that I don't trust them.

... and I need to be able to trust my tools.


"and were all concluding a week's worth of meetings where everyone was getting face time with collaborators and hashing out in person what we're doing for the next 6 months."

Yeah, maybe you should concentrate on the week ahead.

Mozilla is 10% share (and going down) on desktop, near 0% on mobile/tablet.

We must have an alternative to Google, Microsoft and Apple.

All the heads who were responsible for this gaffe should be let go and go to Google/Microsoft/Apple, they will do well there with like minded suits.


In this postmortem, will it be shared who has sign-off (at minimum, post incident) on pushing non-core browser code into the deployed browser?


There's no goddamned reason why -anything- 'Mr. Robot' should be in the browser.

None.

And choosing to release this before the weekend is.. well, even worse.. because it shows YET ANOTHER PROBLEM: Terrible QC/User Feedback mechanisms.

But hey, "We're Sorry".


> Over the course of the year Firefox has enjoyed a growing relationship with the Mr. Robot television show

This line is just absolutely crazy by itself when you think about it.

Why does a browser team have any kind of relationship at all with some TV show? What is going on?


Mr Robot is a very activist show. It's entertainment, sure, but it's also attempting to send a message to its viewers. Mozilla is attempting to push the same message. Aside from this misstep, what's wrong with that?


The extension is essentially just an advertisement for Mr. Robot, which has a big budget. Presumably they pay for their other advertising, and pay their employees to develop their own web sites, whose URLs are built into the extension, and which receive special treatment by sending a custom header in each request.

The obvious problems with how the extension was distributed and described aside, I think Mozilla still deserves to be paid for developing and especially distributing such advertisements, because it has cost them time, resources and reputation.

Pre-installing a plug-in in the development build is a service that many people would pay for -- please install my bitcoin mining extension (and don't forget to enable its configuration flag "extensions.pug.lookingglass.super.awesome.download.accelerator"), it needs a lot of testing!

How much does Google (or whoever) pay to be the default search engine, and how much is automatically installing an extension in the test build worth?

If the Mr. Robot show is sincerely activist, they should be happy to pay Mozilla what it's worth for Mr. Robot to benefit from such special treatment. Especially if it was their idea to distribute and describe it the problematic way it was. At least Mr. Robot could barter in kind, by doing an episode all about the virtues of Mozilla, with a flashing download link at the bottom of the screen? ;)


Mr Robot does "product placement" for Firefox when it shows the main characters using it as their web browser. The ARG also markets Firefox because the fans wanting to play the game must use Firefox to do so.

I do agree that pushing this extension to everyone is a horrible idea though.


I just think it's gauche. I don't want to hear about the TV shows that you're a fan of in your software. Keep that stuff at home. I know that's subjective and probably seems miserable.


The number 42, any number of Monty Python jokes in unix utils, references to songs like that Abba joke that showed up in...what was that again?


But I think those are gauche as well.

But actually I realised that I do think there is something wrong with pop culture references. They’re inside jokes. They exclude people who don’t watch the same things as you. They reinforce the tech bubble and frustrate people who don’t understand.

I read a comment by someone whose lecturer was confusing them by talking about the master theorem as the doctor theorem because he liked Doctor Who! The poor guy was embarrassed because he didn’t get it.

They’re also just dull! Wow you watch that same TV show as me? Wow incredible. How wacky are we.


Fair play. Cheers.


All those references are very old, and none of them were made in an attempt to market anything. They aren't ads. They're minor tokens of genuine appreciation people added to the tools they wrote.


Outside of the man thing, and it was promptly fixed when found to interfere with usage, those things are passive things that one has to know the source for to pick up on.

This "extension" would be actively modifying pages based on triggers, behavior more akin to malware.


man, is what you are thinking of.


Cheers, I thought it was actually pretty funny. Thanks!


Well that explains why I found their initial show ad off-putting, and likely why I have found the valley "way" less and less appealing. Activism of that sort rarely brings anything more than hot air and bad blood.


(Somewhat off-topic, but Mr. Robot as an "activist" show is heavily steeped in irony. Not only is the show a huge cash cow for a massive corporation, but much of the second season is focused around the main characters realizing this whole cyber-socialist revolution thing isn't what it was cracked up to be. There's also insanity, violence, and heavy drug use, and things become more abstract and more insane as the show progresses. It's very dark and somewhat disturbing. Good television, but not sure that's a message Mozilla really wants to align with?)


Yes, in a capitalist system, money comes from somewhere, and there's no ethical consumption. It's possible for that to happen and Mr. Robot to still carry strong anti-capitalist, anti-1%, pro-digital freedom messaging.


> It's possible for that to happen and Mr. Robot to still carry strong anti-capitalist, anti-1%, pro-digital freedom messaging.

What? I must admit that I haven't watched the third season yet, but the aftermath of the "revolution" shown in the second is a perfect rebuttal to the idiotic anti-capitalist ideals of the main heroes. When I started watching, I was afraid that it would turn into a typical "occupy something" propaganda, but it turned out much more intelligent and thoroughly implemented jab at its own characters.


Yes, agreed, and hence, ironic.


this season was softer I felt, though still good


> as part of this relationship, we developed an unpaid collaboration to engage our users and viewers of the show in a new way

I'm almost more annoyed it was unpaid, and they integrated a gimmick for a television show into the browser to be 'engaging' to users. That leads me to believe they're really out of touch with their core audience.


UNPAID? After all that? lol


The core audience is not who you aim for.


That's fairly typical corp speak and it's a surefire way to discredit everything else you're about to say. I really don't get why companies keep doing this, it's not as if their audience is entirely dumb.


I mean, Mr Robot probably wouldn't use Microsoft Edge. Probably some hacky shit I never heard of, but Firefox seems like an appropriate choice to drive an anti-billion-dollar-corp-controlled-internet message. I don't have a problem with it, really.

The addon seems harmless, too, but sends the opposite message and I don't understand why their marketing and security teams didn't sit down to discuss this and immediately come to the conclusion that it's a horrible idea.


Nothing says free software like a joint promotion between NBC/Universal/General Electric/Comcast and Mozilla!

I mean, I already don't trust them with my privacy anymore. Clearly I need to re-evaluate their actual actions in Net Neutrality after this action.


Net Neutrality has literally nothing to do with this. Stop with the concept creep already.


Firefox/Mozilla claims to be pro Net Neutrality, yet they pull this stunt running a promotion for a Comcast owned TV show, one of the biggest anti-NN lobbyists.


Did Firefox perhaps get screen time in Mr. Robot?


Firefox ads run a lot during the show. And before the show, they have a mini blurb saying "this week sponsored by firefox"


Ahhh, so there was an exchange of benefits after all.

Their "an unpaid collaboration" phrase is an attempt to spin it as if there wasn't.

Doesn't seem like honest wording in their apology then. :(


I read it as "nobody paid Mozilla". Did you understand something else?


Yeah, it can be interpreted in a few different ways.

Sometimes places say "we weren't paid anything" in an attempt to pretend it was out of the goodness of their hearts (or similar)... when in fact they were receiving benefits of some other kind. Just not directly money.

Note - Corruption often seems to work like this too, as "payment in services" (eg kickbacks, etc) instead of money can be harder to track.

So, when places say they did something and didn't get paid for it... I also (personally) find it's best to double check if they received services/benefits instead which they're not mentioning. Just in case.

It seems like that's what's happening here too.


The way I read the blog entry is that yes, it was an exchange. I don't feel that it is being spun, but YMMV.


It gets a lot of screen time. I believe there was one scene in which Tor was used as a browser. The main characters all use Firefox on a number of occasions, in all three seasons.


Who cares if it did?


It's just bizarre, is all. Especially considering that they claim they did not get paid for Looking Glass.


I assume the idea of the ARG was that it promotes Firefox to viewers of the show as much as the other way around.


it promotes firefox to viewers of the show about online privacy... the viewers are probably more receptive than most to changing over to a more privacy oriented browser.


> Even when turned on no user data was collected or shared.

This is disingenuous at best.

The extension (when enabled) injects an extra HTTP header into your browser's requests to 3 specific sites[1], (at least) one of which appears to be operated by NBC Universal.

Are we really supposed to believe that _all_ of the servers handling these "special" requests were set up without any kind of logging enabled? That NBC Universal wasn't tracking how many times each page was loaded? And from which IP addresses? And when?

Mozilla needs to clarify what they meant by "user data" and "collected" here. Seems like they're trying to hide the fact that your data WAS collected -- by a 3rd party, which is perhaps worse.

[1] https://github.com/mozilla/addon-wr


It required turning on via an about:config preference, the code on GitHub seems to have changed since then for the separately installed version.

If you look into the repo history you can see what it was doing before:

https://github.com/mozilla/addon-wr/blob/21ff53d2d5baab591d2...


Thanks for the additional information.

In any case, the claim that "no user data was collected or shared" is suspect.

Users who enabled the extension and visited NBC Universal's site (and others) were sending extra HTTP header data to the server, data that identified them as a Firefox user, of a specific version, who had a particular extension installed -- that's how the "engagement" worked.

Do you think the server(s) that handled these types of "special" requests were configured to specifically _not_ log the incoming traffic or extra headers?

Do you think that NBC Universal would spend the resources to build an elaborate[1] ARG focused on digital "engagement" with fans, form a relationship with Mozilla to promote the show and ARG to Firefox users, but also specifically _not_ collect data about those users?

It seems unlikely.

[1] https://wiki.gamedetectives.net/index.php?title=Mr._Robot_AR...
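
What the comment above describes, seen from the receiving server's side, as an added example that is not part of the thread and not code from Mozilla or any site operator: ordinary access logging is enough to single out clients that send an add-on-injected header. The header is recorded here under a placeholder field `marker`, and the log format, addresses and log lines are all constructed for illustration; the page does not give the real header name.

```python
import re
from datetime import datetime

# Constructed access-log lines (documentation IP ranges). The last field is
# the logged value of a hypothetical add-on-injected request header; "-"
# means the header was absent. None of this is real captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2017:21:04:11 +0000] "GET /clue HTTP/1.1" 200 512 "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0" marker="true"
198.51.100.23 - - [15/Dec/2017:21:05:40 +0000] "GET /clue HTTP/1.1" 200 498 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" marker="-"
203.0.113.7 - - [16/Dec/2017:08:12:02 +0000] "GET /clue/2 HTTP/1.1" 200 730 "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0" marker="true"
192.0.2.44 - - [16/Dec/2017:09:30:55 +0000] "GET /clue HTTP/1.1" 200 512 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0" marker="-"
192.0.2.90 - - [16/Dec/2017:10:01:19 +0000] "GET /clue HTTP/1.1" 200 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" marker="true"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ua>[^"]*)" marker="(?P<marker>[^"]*)"$'
)
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def parse_line(line):
    """Return one parsed request as a dict, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    fx = FIREFOX_RE.search(m.group("ua"))
    return {
        "ip": m.group("ip"),
        "time": when,
        "path": m.group("path"),
        "marker": m.group("marker"),
        "firefox": fx.group(1) if fx else None,
    }


def profile_marked_clients(log_text):
    """Group requests carrying the marker header by client address.

    The result is what a log reader learns without any code running in the
    browser beyond the header injection: who opted in, when, which pages
    they requested, and which browser version they run.
    """
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["marker"] in ("", "-"):
            continue  # malformed line, or header not sent
        entry = clients.setdefault(rec["ip"], {
            "requests": 0,
            "first_seen": rec["time"],
            "last_seen": rec["time"],
            "paths": set(),
            "firefox_versions": set(),
        })
        entry["requests"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["time"])
        entry["last_seen"] = max(entry["last_seen"], rec["time"])
        entry["paths"].add(rec["path"])
        if rec["firefox"]:
            entry["firefox_versions"].add(rec["firefox"])
    # Sets become sorted lists so the report is stable and easy to print.
    for entry in clients.values():
        entry["paths"] = sorted(entry["paths"])
        entry["firefox_versions"] = sorted(entry["firefox_versions"])
    return clients


if __name__ == "__main__":
    for ip, info in sorted(profile_marked_clients(SAMPLE_LOG).items()):
        print(ip, info["requests"], info["first_seen"].isoformat(),
              info["last_seen"].isoformat(), info["paths"],
              info["firefox_versions"])
```
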


I wonder how many people who were under the same impression can admit they were wrong, and of those, how many are able to tone down their outrage to the level warranted by the communication issue.

Outrage is really hard to dial back, even in the face of new information - I know it is for me. I guess that's an interesting corollary for many of the events we see happening in these polarised times.


I hope this post mortem includes insight into how the bug tracker is being handled. We've now seen with Cliqz and Looking Glass that there are certain members of the Mozilla team that have no qualms with making controversial tickets private and locking/deleting comments in public tickets. That's not a behavior that fosters trust in a community that is in dire need of it.


There's something to be said for firm moderation in public forums, but there's a point at which it starts to look like evasion and shutting down discourse rather than making forward progress and winning hearts and minds.

I hold Mozilla to a very high standard of openness, transparency, user rights, and technical competence; something they've invited (and indeed earned) in the past, and they need (and, I hope, still want) to be called to account when they fall short of that standard.


It's hard to forgive. I believe that ethical branding exists, and Mozilla was able to create an emotional relationship with many people, that's why this issue hurts deep for many.

When I can't uninstall the Google Plus app from my Nexus 5 I get mad; when Apple put that U2 album on every iPhone I laughed; but this was different, it was disappointing. I feel the same vibes when I do an Ubuntu fresh install and see those Amazon links, but this is even more unexpected. I just can't believe it when I read it. For me, it can be told as a joke on when Mozilla lost its principles; I just can't see it as a silly marketing decision, sorry.

For the people who also get emotional, I encourage you to think of all the good stuff that Mozilla did, and try to forgive this big conceptual mistake, but don't try to forget about it.

Note: My English isn't the best and I'm from my phone.


I had this 'relationship' with Mozilla until the Pocket and Cliqz(?) debacles. Either one of these I'd have shrugged off as a misstep, but having done both kind of squandered the goodwill.

And now with this too I think the only way to get me 'back' (and probably many others) is not just some words and promises, but an explanation as to why they keep doing this kind of stuff, and some concrete solutions to keep it from happening (firing one or more higher-ups?).

I'm rather skeptical that they will actually 'change their processes', but I really hope they do.

While it might seem overblown, I'm even more inclined to stick with Chrome because at least that's a known 'evil', and do any sensitive stuff in Safari. I don't want it to be that way, but it do.


Have you been reading the Mozilla Glassdoor reviews? https://www.glassdoor.com/Reviews/Mozilla-Reviews-E19129.htm

I'm subscribed to the RSS feed and I think there are clues in the posts over the last couple of years to explain why Mozilla feels so fake nowadays. Here are some choice quotes (FWIW I use Firefox on Desktop and Android pretty much exclusively, I think the product is great but the marketing is terrible):

"I have never worked for a company with so many middle managers."

"Full of corporate middle managers with not much to do. Expect many meetings with product managers, engineering managers, project managers, strategy managers, with one developer to solve simple problems."

"Management is rotten to the core. The company is very top heavy with some 30 executives that travel the world first class to have meetings in lavish places but in the end nothing comes from it."

"Cut the corporate bs at the top and empower the people doing actual work to drive where the company goes."

"Company vision and mission is feel-good therapy for the upper inner-circle. The company is bleeding talent and the core business is imploding."


Those are tragic to read.

There's some really good technical work still coming out of the org, Rust, Servo, and the various pieces of Quantum have me more excited about software than I have been in a while; but the increasing number of non-technical missteps are making it hard to support the company as a whole.


> Instead of giving users the choice to install this add-on, we initially pushed an update to Firefox that installed the “Looking Glass” add-on for English speaking users. This add-on was installed and set to ‘OFF’ and made no changes in the user experience unless it was explicitly turned on by a user, but it was added.

Why was this done over asking the user to install the add-on themselves? Given relatively few people were going to use this, why push it to every English speaking user? It's not like enabling an extension or installing one is much different in terms of UX but allowing the former is much more intrusive for everyone not interested in "Looking Glass".


From a security perspective asking users to install specific extensions is pretty poor behaviour to encourage. Just yesterday I had to stop my girlfriend from installing a dodgy extension from a 'just install this one extension to view this content' site.

Not to say that Mozilla's decision was the right one but there's a lot of factors to consider.


These kinds of things usually happen due to people being so focused on their project at hand, that they become unable to see how the experience would be for people not involved in the project. You can see this happening all the time if you work in a semi-large organisation.


And the FOSS world seems to have attracted a megaton of this myopia in recent years it seems. Victim of its own success?


[flagged]


Unless you believe they are lying, it specifically states in the blog post:

>we developed an unpaid collaboration to engage our users and viewers of the show in a new way


You are certainly right, that implies money is not directly involved.

Assuming no other non-monetary favours (in which case this apology would be pretty disingenuous), I don't think spending resources on a marketing campaign for a TV show the majority of the users do not care about for free is a good and responsible thing to do as a non profit. Not to mention the circumventing the end user part.


I believe there must be something like a monetary reward, or a reward worth money, or Mozilla was insane to do this. Volunteer advertising seems like a strange position for Mozilla.


I really doubt money had much to do with this. It was meant to feature into a broader cross-promotional, privacy-themed campaign between Mr. Robot and Firefox, that exposed the latter to the former's viewing audience.


Why is the "Chief Marketing Officer" apologizing?

Is he the person in charge of which code gets shipped to Firefox users? If so, that seems rather bad, and it ought to stop.

If not, maybe the person in charge (probably the CTO) should be the one apologizing for letting them ship this thing?


Mozilla doesn't have a CTO any more. The SVP of Firefox should have been the decision maker in this case.


So this is coming from the Chief Marketing Officer...!? If this was a marketing/advertising related debacle, then the buck stops with him.

Either he approved this (which shows privacy isn't on his list of concerns), or he doesn't know what his marketing department is doing (which doesn't speak volumes about his leadership).

Interesting that no other Chief Officer is writing the letter.


What really surprised me about all this, is that apparently not a single person involved in shipping the extension had any concerns about that whole "install it for everyone, oh, and it shouldn't show in list of extensions either" (it did, but that was a bug - it wasn't supposed to).

It would seem to imply either that there are very few people involved in that decision - which is strange, because, given the privacy and security implications of this kind of stuff, this is exactly the sort of thing where you get formal sign-offs, probably including legal. Or that there were many people, but none of them cared - which doesn't speak well of Mozilla's internal priorities...


> apparently not a single person involved in shipping the extension had any concerns

You don't know this for a fact, do you? A lot of discussion goes on at companies that we don't always know about before a decision is made by someone holding a more senior position.


I don't know this for a fact. But I'd expect "told you so" public posts by now if that were the case.


This is also the same person who wrote a defensive non-apology on the evening of the initial publicity, so it seems like they owe us an explanation of why they were wrong then that's missing here.


He's getting pushed in front of the bus, though I wouldn't be surprised if he wasn't the only officer who knew what was going on.


If he was really getting pushed in front of the bus, the apology would be from the CEO (I think it should have been here, for something as serious as a loss of trust) and the CMO wouldn't work there anymore. :)


"We didn't think hard enough" is the 2017 version of "we thought we could get away with it"


You're right, but it started a few years ago. At least.


"We took immediate actions to correct this" - no you didn't, you immediately tried to justify it!

You made an indefensible mistake and then tried to defend it. Totally inadequate for anyone in a CxO position and the only reasonable response is to step down imo.


Aside from the publicity side, what irks me more about this statement is the "we will change some processes because of this" part.

IMO, this is not a process-related problem. The fact that you have a way to install software on my computer without user feedback or the user's consent plus the possibility to hide that installation (read: backdoor) isn't due to a process.

It displays a fundamental misunderstanding of what users expect of you. This neatly ties in with the pocket integration, as it basically is the same issue - only then, we knew about it.

Edit: Yes, I know, backdoor is a harsh word for something non-targeted, but considering what potentially could happen, a process change doesn't fix this.

Also, the moment we have to pick each FF update apart for hidden extensions is the moment FF has lost its reason to exist, as far as I'm concerned.


How did Mozilla try to defend it?


The initial response published by Gizmodo neither apologizes nor says the plugin will be removed:

> “Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users. It’s especially important to call out that this collaboration does not compromise our principles or values regarding privacy. The experience does not collect or share any data,” Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said in a statement to Gizmodo. “The experience was kept under wraps to be introduced at the conclusion of the season of Mr. Robot. We gave Mr. Robot fans a unique mystery to solve to deepen their connection and engagement with the show and is only available in Firefox.”

This new apology -- from the same person! -- now claims that their values were compromised, but it doesn't say so in a way that acknowledges that they previously felt differently, or explains what caused them to change their mind, which leaves it feeling dishonest.


I'm happy to see an apology, but there are further steps they could take. I just did a clean install of Firefox and unless I somehow messed that up, it looks like user studies are enabled by default. Someone correct me if I'm wrong here, as I didn't expect that to be the case.

They should absolutely not be running any sort of user studies on people who may not be aware it is being done, which is going to be the case with the current setup. The only way it sits right in my mind is if user studies are opt-in instead of opt out.

This is especially ridiculous as their marketing is focused on respecting privacy. An apology is nice, but changing this setting would go a long way towards proving that.


I believe that is a strong part of the current outrage: people did not realize that this existed and was turned on. Since actual studies would collect actual user data (unlike this now), the fact that it surprises people suggests that they did not obtain meaningful consent for their data collection.

At least from a quick search, I could not find good documentation what studies do exactly to avoid or properly handle personal data, it's possible that they do a very good job of that. (Suggestion to Mozilla: talk about these details at least after the study is done, show what you found. Hopefully: More tech-content to publish, less questions, less ugly surprises)



"We didn’t think hard enough about how our actions would affect the community, and we’re sorry for letting you down."

Yes, I know, Mozilla. I've been telling you this for 18 years now, and you still don't listen. I've been called annoying, an unfair critic, and an asshole, and yet I've been RIGHT every time. And I've taken the time to tell you this for years because I CARE. That's why I spent years as a bug triager, a teacher to new triagers, a community member, a community news site publisher, and potential employee. And it's why I gave up on you about 3 years ago.

Mozilla has always had a tone-deafness about criticism pertaining to its public perception, and I have absolutely no reason to believe it will change. An idea takes hold, and people who suggest that maybe it might be perceived in a different light are ignored and shut out. Mozilla can't learn from its mistakes, and it's very sad, because they're not mistakes that are costly to avoid.


This "apology" is written by the CMO. Why is the CMO writing this apology? Why didn't it come from the CEO or the COO, the people actually responsible for shipping the product?


Because this whole mess was very likely pushed by the marketing dept. and when things went wrong, and it rolled down hill it landed in their lap.


Why does the marketing department have the power to force install things on my computer? What the hell is the technical leadership doing at this company?

What the hell is the data protection officer doing? I hope they have one at least.


For me, Mozilla needed to answer three questions:

* Do you know you fucked up?

* How did this happen?

* What will you do to ensure this doesn't happen again?

They've only answered the first one (admittedly with the "right" answer) so I have to assume marketing have the reins and won't be relinquishing them.


What's really the big deal? It was sent out disabled. They didn't get paid for it. It's like if devs snuck in an Easter egg for their favorite show in a video game.

Everyone keeps calling this the "end of Mozilla" and all that, I think people are overreacting juuussstttt a bunch.

Chill out, put down your pitchforks, and keep the flag disabled.


I'm as big a Firefox fanboy as the next guy. But they didn't send it out disabled. I never opted into studies but the plugin was enabled on my browser. If Mozilla wants to retain users who value privacy, they need to put their money where their mouth is and not sell them out for ARG $$.

I'm not the only one, and this apology doesn't admit to that. Therefore it's as good as, if not worse than, no apology. Definitely considering switching back to chrome.


The installed Looking Glass add-on was enabled, but it didn't do anything unless the user manually set an about:config flag to enable the add-on's functionality.


Maybe it was harmless, but the browser betrayed user trust.


Maybe they did something silly that had no real consequences, but the browser should face consequences.


Loss of trust is a very real consequence.


>but the plugin was enabled on my browser.

proof?


To regain my confidence mozilla would have to release a real audit log about how this happened. Because to me it looks like some Hollywood executive is close to someone high up at mozilla, and that individual at Mozilla shoved an update straight past QA, something which is unacceptable in such a security critical piece of software.

Look I get it, companies make mistakes. Quantum was amazing. A lot of Mozilla work is amazing. But now I know this is something I can expect from Mozilla, and not from Google chrome.


The outrage to significance ratio is off the charts on this one.


The fuck it is. Mozilla, champion of the free web goes corporate, the first action after their force-fed update ('for your own good') is to start pushing this sort of thing? Significance of trial balloons should not be underestimated.


I see your point. But large tech organisations commit these faux pas/atrocities (depending on your point of view) all the time, regardless of their relationship with profit. I think the reason they happen at all and the shrill tenor of the associated backlash come from the same place though - a kind of echo chamber insularity.


Well, if the US had privacy laws with teeth, said organisations would learn quite fast not to commit such "mistakes".

As such, all it takes apparently is a corporate drone to push hard enough and poof go the customer rights.

Food for thought regarding your outrage comment: one does not protect their rights by bending over every time they are taken advantage of.


For me the motivator is the fact that they cost me a couple of hours in lost time due to their botched upgrade. This last episode is just icing on the cake and illustrates how completely out of touch Mozilla is with the users that make up their core.

It's roughly on par with Apple pissing all over the designers and animators and movie makers that were their lifeblood in the pre-iPod days. Only in Mozilla's case they don't have an iPod.


I hold Mozilla to a much higher standard than other large tech organizations.

This particular incident shows either massive process failure (allowing marketing to auto-deploy code without sufficient review), or that no one in the review process recognized the issues with using development and debugging tools to push marketing software.

Either version is (yet another) blow to the trust I want to have in an organization that I still care very deeply about.


And what about the non-transparent bug?

https://bugzilla.mozilla.org/show_bug.cgi?id=1423003

And no updates on the public bug, and it was summarily closed:

https://bugzilla.mozilla.org/show_bug.cgi?id=1424977

That hardly inspires confidence on transparency.


I don't have access to the private bug myself, but I can try to reason about it.

I believe that at this point, opening up this bug would do exclusively harm and no good to anyone. There's nothing I can imagine in the bug to be of value to our understanding of the situation. If the people working on it were oblivious to what they are doing, then it would just look plain stupid from hindsight 20/20. If the people working on it were aware and hoped that no one will raise a fuss, then it'll look even worse for them.

The important fact is that Mozilla reacted, and that the leadership does have access to this bug. Whoever was involved is probably currently involved in debriefing what has happened there and that bug is part of it.

I hope it'll be open at some point, but I'd hate if access to the bug resulted in a witch hunt and public shaming of that person/people which, as we all know, the Internet is great at.

We know that our leadership reacted and we know that they recognize what has happened. I'm not asking you to trust them, obviously that has to be regained and the process is painfully slow, but I do ask you to give them time. The emotional reaction is short-term. I hope that this incident will have long-term positive consequences for our project.


Of course, a witch hunt does no good to anyone and to my mind, it's a mistake (albeit a bad one).

My issue is that the public bug was closed off early. In future, perhaps the Mozilla team might take it into account that communication might be smoother if they keep things more transparent.

I'm a massive fan of Mozilla. In fact, I'm trying to get more folks in my org to use it instead of Chrome (it's a hell of a lot more stable, and the Chrome team tends to break our web apps frequently). I largely trust Mozilla far more than the Google team, and this unfortunate episode, for me at least, just made me mad because it was such a major cock-up that it was entirely unexpected.


I feel you. I really do. It's been a rough week for a lot of us :(


Well, even though their marketing team did break the user trust, I am not moving to other browsers. For simple reason that I owe more to Firefox than to other browsers.

I am sticking with Firefox unless they stoop lower than the other competitors.

Though I liked the backlash over this. Good to keep Mozilla on toes. I'd rather show tough love to Mozilla than accept 'grim' and move to other browsers.


As a huge Mr. Robot fan, but one who realizes how niche the show is (the ratings have substantially dropped year after year), I’m embarrassed that Mozilla sullied its reputation for such a small promo — at least U2 was a huge band most people have heard of when Apple pushed their music onto users. The controversy makes Mr. Robot look pretty bad too, even though AFAIK, Firefox (unlike Amazon’s Echo) never was prominently mentioned on the show.


This article is not visible from the main page of the blog, or via search:

https://blog.mozilla.org/

Probably a mistake? Probably...


I noticed this as well, but it is on the front page of the Firefox blog https://blog.mozilla.org/firefox/

I don't know how the blogs work, but it doesn't seem like these two share any posts, so you wouldn't expect it on the main blog.


nice catch :D


Credit for noticing this goes to an IRC friend.


Why does Mozilla have a relationship with a television show? Does the show promote Firefox?

"..Firefox has enjoyed a growing relationship with the Mr. Robot television show.."


> does the show promote Firefox?

That seems to have been the point of running an ARG tying Firefox to the show. Get viewers to use Firefox to "play".


Mozilla advertises Firefox in that tv show, both through product placement and actual ads.


One gotsta make them dollars, right? I am not aware of their financial status but I'm fairly certain that Quantum development would have burnt a substantial hole in their Pocket.


Still heavily disappointed with Mozilla in this case, especially due to the previous outrage with Pocket.


> due to the previous outrage with Pocket.

Which they still haven't fixed. That's still forced on everyone regardless. :(


Mozilla bought Pocket. It would be extremely surprising if they turned their back on shipping it by default. However it's so easy to disable that this is a non issue.


Maybe a non-issue for you. Less so for others it seems. :)


Meaning that someone in management didn't think to reconsider but instead doubled down on the established path.

Frankly that ship is out hunting some kind of white whale, and it is best people get out before it is too late.


Imagine you download an update for a video game. In the settings is a new oddly-labeled toggle that, when enabled, changes a few sprites as an homage to a popular celebrity.

This button was meant to be hidden by default, but was accidentally shown to 5% of their userbase. The developers later apologised that the wording spooked their customers, some of whom were aware that certain malicious game mods also gave opaque additions to the settings page, and removed the change thereafter.

Q: Do you boycott this company?


The difference is, it is not a video game.


Exactly. GP is not using an apt comparison. For many people, the primary reason to use Firefox is privacy. They made a massive faux pas against their primary selling point and people are upset.

Would you consider switching a product if the main reason you liked a product came into question? I think any rational person would.


Not really, because there aren't any thoroughly supported, mainstream browsers as clean of spyware features as Firefox.


It would be easier for me to use Chrome. All of my coworkers use Chrome. Before Quantum, Chrome had better performance [1]. Chrome is everywhere. I have to test my web apps on Chrome regardless of whether it is my primary browser or not.

I'm not saying I'm leaving Firefox, but I am going to reevaluate which browser I choose. Mozilla lost a lot of trust from me and I am going to reevaluate how I interact with their products.

If supported, mainstream, and clean of spyware are the three boxes you are trying to check and you still feel Firefox checks them, great. But, now is as good of a time as any to reevaluate why you are using a browser and if the browser really meets what you are looking for.

[1] https://www.digitaltrends.com/computing/best-browser-interne...


This whole fiasco has literally nothing to do with privacy.


I wholeheartedly disagree. It is a security issue, privacy issue, as well as many other types of issues.

Installing an extension without my permission is a privacy issue. It doesn't matter what that extension does. It doesn't matter if that extension is literally just an icon on a tray or if it is literal spyware. It doesn't matter if it was ever enabled. You can't claim to be privacy conscious and then do something like that.


This is outrage for the sake of outrage. What I don't understand is why people are going with it.

There is a clear, palpable difference between an update that adds "literally just an icon" and one that adds spyware. The former has literally zero things to do with privacy. The latter is spyware.


We can agree to disagree then. I think your opinion is reasonable and I can understand where you are coming from.

To me personally, however, this is a very bad smell. They have shown that they will push unrelated code as a Shield Study. This faux pas was signed off by a Firefox Product Manager, Data Steward, Legal, QA, Release Management, AMO review and a member of the core Shield Team [1]. If none of these members realized it was a bad idea, I have lost all faith in their product development. If it wasn't signed off by those members, there is a major red flag about who has the ability to add these types of things and/or their processes.

Either marketing has too much say, they have poor processes, or they are totally out of touch with their user base. These all raise red flags for me. I can't feel confident knowing that there is no spyware in my browser.

Mike Conley, a Mozilla dev, commented on the bug ticket, "I am also curious about this. I have been asking around, and have not yet found a single Firefox peer that was involved with this in either implementation or review." [2] Everything about this was handled incredibly poorly. I will wait for the postmortem, but currently I don't have a lot of faith in Mozilla or their processes.

[1] https://wiki.mozilla.org/Firefox/Shield/Shield_Studies

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1424977


There is no link, implied or otherwise, between allowing a harmless, off-by-default, accidentally visible extension and "spyware in my browser". This extension wasn't just harmless for your privacy, but it was intentionally, specifically harmless.

Yes, it does highlight that Mozilla isn't a perfect, flawless entity that never makes mistakes, but the process protected your interests exactly the way it was designed to do and you already knew that anyway.

If the issue is that Mozilla sometimes pushes imperfect code, why is everyone harping about this absolutely harmless instance and not, say, one of the hundreds of actually meaningful security vulnerabilities? Why are people fixated on this totally arbitrary and counterproductive metric of the fact it showed up under the "extensions" header, rather than a metric of whether it has literally anything to do with the interest you're trying to protect?

If you only want to run code written by perfect entities, fine, go ahead. But you shouldn't have been using Firefox in the first place, and you certainly shouldn't be making unsupported moral claims about them for not hitting impossible standards.


I don't understand how that changes the ethicality of the action.


We really need a fork of Firefox with all the garbage removed, including the ability for Mozilla's marketroids to push things at us remotely. (Also "telemetry", DRM, Pocket, spam on the new tab page, etc.)

A browser should just be a tool which answers to the user. I want my browser to be like a pair of pliers or a bicycle, neither of which have relationships with television shows. I think Iceweasel was essentially this, until the Debian project abandoned the effort.


Optimizing for benchmarks only gets you so far, and often a change that benchmarks well can actually hurt performance in the real world, so telemetry is vitally important for judging real-world performance. Since Google is pretty comfortable with adding telemetry, they have excellent data and deep insights into the performance (and hardware compatibility, and network reliability, etc.) problems that occur in the real world, and can design Chrome to meet those needs. Mozilla is unwilling to telemetrize All The Things, but in order to stay competitive they need to understand the problem-space at least as well as their competition, and so you see them tying themselves in knots trying to walk the line between privacy and useful telemetry.


A fork of Firefox fixes none of the issues at hand. At best it gives a couple hundred users some obscure name to proudly flaunt when they are asked what browser they use.

Mozilla is what's important, not Firefox. And Mozilla needs to be fixed.


> removed .. telemetry

We want our browsers to work. Without telemetry, they simply won't be able to find and solve bugs and crashes effectively.

Without crash reporting and other basic telemetry, it's basically impossible to know how prevalent certain bugs and configurations are... which is of the utmost importance for making a browser which actually works.


> Without telemetry, they simply won't be able to find and solve bugs and crashes effectively.

Users can be prompted to report bugs with some facility to provide telemetry (e.g. after a crash), but the browser must ask permission first.

On-by-default telemetry is tantamount to malware exfiltrating information about your computing activity to a third party.


> e.g. after a crash

Not "e.g. after a crash", "only after a crash". That's about the only kind of telemetry you can get on a "prompt on each occurrence" basis like that. Just monitoring crashes is not nearly enough to create a competitive browser. Performance bugs, many of which are specific to older systems mostly used by people who can't be expected to file bugs in Bugzilla, cannot be reliably caught without some kind of telemetry.


The last thing I want is my browser to 'phone home' when it feels like it. What data leaves my computer is mine to decide.



These discussions with responses from Mozilla employees demonstrate that hasn't always been the case (I'm not 100% sure the add-on settings tracking is opt-in at this point, it appears to have been fixed to follow the 'Do Not Track' setting) and show a bit more of the mindset of the company. They want to have their cake and eat it too.

"Firefox tracks users with Google Analytics in the add-on settings" | https://news.ycombinator.com/item?id=14753546

kannanvijayan: we can't build a better browser without good information on how it's behaving in the wild

"Studying how Firefox can collect additional data in a privacy-preserving way" | https://news.ycombinator.com/item?id=15071492

potch: negotiated a special contract with Google to only collect a subset of data and that that data is only used for statistical purposes


None of that contradicts the fact that telemetry, the feature, is opt-in.


(Original reply, heavily edited)

My intention was to warn that Mozilla's use of the term 'Telemetry' as a feature does not cover all of their data collection, and to point to official examples demonstrating the mindset of the Mozilla developers for a higher-level perspective. As you have repeated, the one (primary) aspect of Firefox's data collection that you mentioned (dubbed Telemetry, which I initially confused in context of OP's comment as intending to include all data collection) is documented on your link as opt-in. Props for that, but there are other aspects. (I am also going to verify it must indeed be enabled manually during a default install.)

Per OP: The last thing I want is my browser to 'phone home' when it feels like it.

I may be wrong, but my understanding is that "Google Analytics in the add-on settings" has been improved only to _opt-out_ rather than being required in the past.

Also, per their website SHIELD Studies seem to have a global opt-in followed by a per-study opt-in/out setting. Unfortunately the wording seems a bit wishy-washy and there are anecdotes on this discussion claiming this specific "study"/marketing opportunity did install and run something (at the very least: to skip enabling itself) without purposeful opt-in. There is a lot of confusion here. https://support.mozilla.org/en-US/kb/shield

https://news.ycombinator.com/item?id=15956568

>Manishearth: What was enabled was a small piece of code[1] that would enable the full addon when a pref was flipped

(Note: the Github link 404's since the add-on has been updated after this story broke.)

https://news.ycombinator.com/item?id=15958466

>tosssh: Shield Studies are opt-out by default


(Reply after actually double-checking, also heavily edited)

I just went to getfirefox.com, ran the download, and this URL was displayed within tab 2 next to the 'Welcome to Firefox' tab (unfortunately I didn't record which tab was given initial focus) when Firefox started for the first time:

https://www.mozilla.org/en-US/privacy/firefox/#firefox-by-de...

Effective September 28, 2017 [...] Firefox by default shares [...] Interaction data [...] Technical data

Since the page you linked was "Last edited 3 years ago" I'm going to specifically contradict what you re-emphasized as fact by stating: telemetry, the feature, has been changed to currently (Sep 2017-present [as of Dec 2017]) be _opt-out_, unless the development of ancient feature capital-T Telemetry somehow still exists separately from contemporary lowercase-t telemetry (per this link also referencing the telemetry documentation).

This conversation/investigation/out-of-date documentation reinforces what I see as a very recent trend where Mozilla/Firefox is heading in the wrong direction, basically spending/burning the political capital/trust they've earned while (perhaps unintentionally) deceiving even their most technically adept defenders. I would love to investigate how this approach took root; how it was finally given the official green light; and how its ongoing escalation has affected rank-and-file Mozilla developers, supporters, and the various categories of users. In my opinion, the "spirit of Mozilla" is changing ever so slightly (eerily similar to Google's pro-marketing turn away from "don't be evil" culminating in merging of all collected data). My biggest beef with this is that Mozilla has pushed its public branding further laying claim to protecting privacy, but this could be tempered somewhat with a comparison to Signal's inclination toward practicality rather than perfection.

I would be interested to hear how you feel after doubling down on this, since it appears to have indeed changed from opt-out to opt-in without your knowledge. Further, if you did not originally opt-in on install long ago I would be curious to hear what the current value of the setting is now. (Was a previous non-opt-in "default" updated to the new non-opt-out "default" at any point? I hope not!) It goes without saying that you should feel no obligation to invest the time to respond, especially to these last unnecessarily detailed and specific interests.


Don't Iceweasel and friends do that?


What really bugs me is that I had a perfectly good Firefox until a few scant weeks ago when Mozilla decided to force-feed me an upgrade to new browser tech that I didn't ask for, screwed me six different ways at once in the middle of a project where I fairly critically depended on an extension that suddenly stopped working that had just about half the notes of a project in it and then, to add insult to injury push their own add-ons down my throat that I didn't ask for.

For someone who has stood by Mozilla over the last decade or so and who never switched to Chrome you can't begin to imagine how pissed off I am. User trust is earned bit-by-bit, you can lose it all in a day. Ask Lenovo how that sort of thing works.


Hi,

I'm sorry you had this experience.

> (...) where I fairly critically depended on an extension that suddenly stopped working (...)

We communicated about the old addons deprecation for over a year. I'm sorry the news didn't reach you, but we tried. If it didn't reach you in time for a year, I doubt we could have done anything more to not make it sudden for you.

> User trust is earned bit-by-bit, you can lose it all in a day.

I know. You can imagine how I feel, I hope.


I know the add-ons would stop working, that's why I had a perfectly good FF 52 running which was supposed not to upgrade. The fact that it did (on all three of my machines, no less) caused me no end of annoyance. Fortunately I've managed to fix it, at the cost of lots of lost time in the middle of a time critical job.


Oh! I didn't see that in your previous message.

Did you file a bug? I don't understand how your ESR channel could update you to 57 as it's still on 52!


As I wrote elsewhere in this thread, neither do I, chances are that Ubuntu did the upgrade but after I downgraded FF to 52.5 again it did it once more.

So there is really something weird going on there. But it's end of the year and I have a ton of work to do not related to debugging browser issues so it will have to wait until I have some spare time.

But thank you for caring, it really means a lot to me.

Oh, btw: backwards compatibility is a thing that most users appreciate.


Is there a chance you're not on esr channel on Ubuntu?

This is the channel that stays on ESR - https://launchpad.net/~jonathonf/+archive/ubuntu/firefox-esr

Hope it'll work for you and I apologize for the incident!


Thank you, I will look into this. The way my machines were installed is stock Ubuntu and then Firefox ESR from this link:

https://download.mozilla.org/?product=firefox-esr-latest-ssl...

That went into a separate directory (~/ff/) with a symlink from /usr/bin/firefox to /myhome/ff/firefox/firefox

After that I locked down all access to mozilla domains to make sure it would not do anything funny again.

I'm not sure where that 'channel' link you put there lives, I assume that's one of the about:config settings?

Possibly it somehow managed to use the settings from the original browser installed with Ubuntu rather than the ones that it came with. That would at least explain the weird upgrade behavior.

edit: located the 'channel' setting it's app.update.channel and it is set to simply 'esr'. But I have no idea what it was in the past, this is a completely fresh installation in my homedir.

Thank you for all your time, I have to go to sleep now.


At the risk of sounding like a Linux snob, there is a right way and a wrong way to do package management in Linux. Installing binaries into your home directory then linking them to a system directory isn't the right way, unless it absolutely can't be avoided. Not surprised this happened -- use the package management system that comes with your distribution, especially if you have special requirements on maintaining certain versions.


While you're technically right :), it's pretty common for people to discover this the hard way.

It sounds like jacquesm's hit that point, unfortunately at a time critical spot. Probably won't happen twice though. :)

Thinking about this a bit more, it almost sounds like the Ubuntu supplied Firefox (in the base system) was updated to v57, and likely overwrote the /usr/bin/firefox link.

If that's the case, then the manually downloaded v52 ESR is probably still in /myhome/ff/firefox/firefox.

jacquesm, when you have time to check... see if you can launch the version in /myhome/ff/firefox/firefox directly (instead of using the /usr/bin/firefox link). It'd be interesting to see which version is in there. :)
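The check suggested in the comment above (find out which build `/usr/bin/firefox` really points at) can be scripted. This is an added example, not part of the thread and not Mozilla's or Ubuntu's tooling; the function names are hypothetical, and it assumes the layout of the Linux tarball builds, where `application.ini` and `defaults/pref/channel-prefs.js` sit beside the `firefox` binary.

```shell
#!/bin/sh
# Added example: report which Firefox build a launcher path really runs.
# Assumed install layout (Linux tarball builds):
#   <dir>/firefox                        the binary
#   <dir>/application.ini                [App] section with Version=...
#   <dir>/defaults/pref/channel-prefs.js pref("app.update.channel", "...");

# Resolve a launcher (possibly a symlink chain) to the real install directory.
ff_install_dir() {
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] || return 1      # dangling link or missing file
    dirname "$target"
}

# Print the Version= value from the [App] section only.
ff_version() {
    awk -F= '
        /^\[/ { in_app = ($0 ~ /^\[App\]/) }
        in_app && $1 == "Version" { sub(/\r$/, "", $2); print $2; exit }
    ' "$1/application.ini" 2>/dev/null
}

# Print the update channel this build was packaged with.
ff_channel() {
    sed -n 's/^[[:space:]]*pref("app\.update\.channel",[[:space:]]*"\([^"]*\)").*/\1/p' \
        "$1/defaults/pref/channel-prefs.js" 2>/dev/null | head -n 1
}

# Compare what the launcher runs against the pinned major version and channel.
# Exit status: 0 = as expected, 1 = mismatch, 2 = launcher does not resolve.
ff_audit() {
    launcher=$1 want_major=$2 want_channel=$3
    dir=$(ff_install_dir "$launcher") || { echo "UNRESOLVED launcher=$launcher"; return 2; }
    ver=$(ff_version "$dir") || ver=
    chan=$(ff_channel "$dir") || chan=
    status=OK
    [ "${ver%%.*}" = "$want_major" ] || status=MISMATCH
    [ "$chan" = "$want_channel" ] || status=MISMATCH
    echo "$status launcher=$launcher dir=$dir version=${ver:-unknown} channel=${chan:-unknown}"
    [ "$status" = OK ]
}

# Constructed sample data: two fake install trees and two launcher symlinks
# under the absolute directory $1 (one pinned ESR, one replaced by a release build).
ff_make_sample() {
    root=$1
    for spec in "esr52:52.5.0:esr" "rel57:57.0.2:release"; do
        name=${spec%%:*}; rest=${spec#*:}
        d="$root/$name/firefox"
        mkdir -p "$d/defaults/pref"
        : > "$d/firefox"
        printf '[App]\nName=Firefox\nVersion=%s\n[Gecko]\nMinVersion=%s\n' \
            "${rest%%:*}" "${rest%%:*}" > "$d/application.ini"
        printf 'pref("app.update.channel", "%s");\n' "${rest#*:}" \
            > "$d/defaults/pref/channel-prefs.js"
    done
    mkdir -p "$root/bin"
    ln -sf "$root/esr52/firefox/firefox" "$root/bin/firefox-pinned"
    ln -sf "$root/rel57/firefox/firefox" "$root/bin/firefox-replaced"
}

# Usage: sh ff_audit.sh /usr/bin/firefox 52 esr
if [ "$#" -eq 3 ]; then
    ff_audit "$1" "$2" "$3"
fi
```

Run from cron or a login script, a `MISMATCH` line shows that the launcher was repointed or the install was replaced before the browser is next opened.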


I realise the timeline is a bit confusing by now but here is the complete sequence:

- install Ubuntu
- remove OS supplied Firefox package
- install Firefox ESR
- have a 'surprise upgrade'
- re-install Firefox ESR
- have another 'surprise upgrade'
- install Firefox ESR in my homedir
- symlink it from /usr/bin

So now if it pulls any other tricks I can restore the symlink and call it a day, but for now it looks as if that last move did the trick because since I did that (and dropped all FF domains in through /etc/hosts) it has not done any more upgrades, though there is a chance that it attempted to do that.

The one saving grace in the whole story is that at least the plug-ins that got forcibly removed/disabled had their data survive the whole ordeal.


No worries. :)


I did that after the whole thing went South in the first place. So yes, obviously that's not the way to do things by default. But it's a useful way to override package management and auto-upgrade trickery. Worst case now if it happens again (which I really hope it will not) I have to restore one symlink.


FWIW my FF 56 was set to "ask before upgrade" but it didn't and I got FF 57 crammed down my throat anyway.

So much for those plugins which can't be ported because the required WebExtensions API doesn't exist.

Not very pleased about that.


> I doubt we could have done anything more to not make it sudden for you.

It should have been a new-window snippet. Depending on users to read blogs is living by hope. They should have put the news in their faces, unavoidably.


Did you really not know the "force-feed" browser upgrade was coming, and that add-ons were going to break? We've been talking about it on HN for like a year before it happened.

They also had to do it at some point, XUL was a dead-end.


Yes, that's why I had the stable version installed. You know, the one that wasn't going to put me on a dead-end.

That's what it's for in the first place.


> Mozilla decided to force-feed me an upgrade to new browser tech that I didn't ask for

https://www.mozilla.org/en-US/firefox/organizations/

That's one thing the Firefox ESR is designed to mitigate. If sequential automatic upgrades weren't quite up your alley, this might have been the right solution for you at the time.


Which I had installed, which happily upgraded to FF 57. (I still don't get how that happened the first time, it could have been Ubuntu doing the upgrade, it could have been FF itself but I don't have time to dig this out and I'm not even sure if it is something I'll be able to prove one way or the other.)

I've gone so far now as to drop any mozilla.org domains through DNS hacks to make sure this never ever happens again, because after I downgraded it the first time it happily immediately updated back to 57 in spite of having all auto-update settings switched to off.

Back to 52.5 it is for me. No more tricks like that. Which is sad because if there is a critical security vulnerability in this browser I'm likely not going to notice immediately.


ESR versions get security updates.


Normally, yes. But in my case only between jobs when I can deal with the possible down time. Lessons learned and all that.


I wonder if "process changes" include actually enforcing the already-existing rules around Shield deployments that were outlined on their wiki.


I don't really plan on giving them a chance; I went to about:preferences#privacy and removed the permission.


This was an inactive extension that didn't do anything unless you activated it, right?


Pushed out silently as part of a mechanism designed to beta-test new browser features. Per their own documentation the extension is supposed to target 1-2% of the install base and pop up asking permission to continue.

This is basically Microsoft using Windows Update to install a desktop icon promoting the latest season of The Voice.

https://wiki.mozilla.org/Firefox/Shield/Shield_Studies


> This is basically Microsoft using Windows Update to install...

Asphalt 8, Candy Crush, Keeper (also, see this[0]).

These are the three[1] apps that I had to remove from a laptop purchased last month. They weren't a part of the OEM install, they came with the updates after the system was up and running. Bad example.

[0] https://betanews.com/2017/12/17/windows-10-keeper-vulnerabil...

[1] I think there was one more, but I can't remember its name.


Time to remove Windows 10.


> This is basically Microsoft using Windows Update to install a desktop icon promoting the latest season of The Voice.

Mozilla have said that this test was meant to be invisible, so whilst this is an accurate analogy of the end result, it's also an accidental one.


Yes. (well, technically it started and checked if it is turned on before not starting the part that would have done everything else)


Correct.


Maybe.

What about enterprise installs, where IT must have control over what gets installed on the company's computers..?


I'd hope they opt out of participating in the shield program?


Enterprises are probably using Firefox ESR (version 52 for the six more months) which still has XUL add-ons, and does not have this problem.


Then IT probably shouldn't enable Shield studies on their machines.


Assuming that they don't have or can't patch in the ability to push extensions hidden and already activated would be naive at this point.


It's documented that Shield studies can be run without prompt for the individual study, no need to assume otherwise. People primarily worried about their privacy should have been worried about the study feature in cases where they'd actually run studies collecting data, not here.


What I am not happy with about Mozilla is the 'internal review'. Firefox is open source, Mozilla is a non-profit. Although there must be some things that need to be kept private, I don't think the review process falls into that category. In fact, Mozilla, why not take the opportunity to make yourself more transparent?


Well, that was a complaint about the issue from the start. As soon as the red flags started to get attention on Bugzilla, the "bug" about this was marked "private/internal only".


Screw all your "legacy" extensions, but here's a crap marketing extension for you. You're welcome.


I actually want Mozilla to succeed -- to be clear.

But there are reasons I use Firefox -- the extensions, as is also the case with many others.

And I find a bit of irony in a "worthless" extension being force-fed to us, the month after stable kills off its, well... "stable" of now "legacy" extensions.

And as for Mr. Robot, since that's the topic of the extension in question, I imagine he wants, for his browser, to "have it his way."

Security, yeah. But not loss of his ability to filter, "firewall", or even -- gasp -- spoof, what gets sent up and down. Or what his user agent chooses to do with it.

So, less "cross-branding", and more API updates and enhancements, please.


I've been following the conversation for the last couple days and I think I may have a solution.

I have been working on a program to block telemetry tracking at the OS level. It's called PrivacyWall, and it was originally meant to stop unwanted data collection by Windows 10. I built this to be a solution to block unwanted data collection by companies that sell out their customers to advertisers instead of putting their users first. It is more powerful than an Adblocker because it operates at the OS system and is able to block tracking by Windows programs and the Windows 10 operating system. I just added support to block Firefox tracking with the telemetry urls that Looking Glass is sending data to.

I haven't been able to work on it for the last 3 months because I was trapped by the hurricane in Puerto Rico without power, internet, water.

It's not ready for prime time, so this is a beta. You can try it here: https://www.privacywall.org

I'm making it available for free for non-commercial use. PrivacyWall blocks a list of known Firefox, Chrome, and Edge telemetry urls and Windows 10 telemetry urls when you turn it on. You can also turn it off easily through the task tray. After you install PrivacyWall, no program on your computer will be able to send data to those urls anymore behind your back.

If you try it out and like it or hate it, please send me your feedback. Let me know if there are more urls I should add to the block list.

I have limited time to continue supporting this project. If anyone is interested in helping out, let me know.


They should have given the same treatment to Pocket and Hello: optional, manifests as an add-on, and possibly off-by-default for certain kinds of users. Instead we get value-adds baked directly into the browser itself. I HATE this new age of corporate-oriented thinking, especially from a company that claims to reject those values.

I suppose Looking Glass is progress....


I don't think this is the full story. They claim the add-on was disabled by default, and needed to be manually activated.

Note that the description of the Looking Glass addon was "MY REALITY IS JUST DIFFERENT THAN YOURS."

Note also that I have never activated such add-on.

Now, If I go to about:studies (for those not familiar with SHIELD studies https://support.mozilla.org/en-US/kb/shield) I see the following 'study':

pug-experience Complete • My reality is different than yours

So, there was a Mozilla study, with almost the same shady description, which DID run by default, at least for some users.

Are the Looking Glass add-on and this SHIELD study completely unrelated? Why do they share the same description? Why is Mozilla using these shady descriptions in the first place?

Probably I am just being paranoid, but Mozilla has done nothing to gain my trust, lately.


> Are the Looking Glass add-on and this SHIELD study completely unrelated?

The addon is the shield study. Shield is the mechanism for deploying addons (usually A/B tests) to release populations.

What was enabled was a small piece of code[1] that would enable the full addon when a pref was flipped.

[1]: https://github.com/mozilla/addon-wr/blob/master/addon/bootst...


From what I understand, the add-on wrapper checks for a preference immediately on startup and only loads the WebExtension doing anything if it is set manually. It's enabled in the sense that the wrapper loads and shuts down again, it's disabled in the sense that none of its functionality actually runs.


I just wanna know what kind of idiot thought this was a good idea from the beginning.

I mean, I'm just a cybersecurity guy and a software engineer. I'm no PR person. But it doesn't take a PR expert to know that the world would eventually find out about an addon getting installed without permission and it would be a disaster.


My guess would be that a PR person did not think about the aspects that went wrong and was more enthusiastic about having a clean way of delivering this. Not much to do, it just appears, no need to tell people how to install an add-on, no issue since it doesn't do anything to people that don't turn it on. Privacy check passes, since it doesn't do anything that impacts privacy. (Which the first press responses focused on pointing out). Since it's supposed to be stealth (it's an ARG), only a small group is involved, hyped about building this cool thing.

Totally could have happened that way, totally missed something crucial at every single step that came back to bite them.


If they rename 'addon' to 'ad-on' that might help Mozilla manage user expectations.


What are you talking about?


I'm talking about Mozilla using the Firefox 'addon' extensions mechanism to support an ad campaign, hence renaming the extension mechanism to 'ad-on' might make it more clear to users what Mozilla is using it for.


Ads usually have a financial exchange to them. And this didn't use the add-on system, it inappropriately used the studies system.


It is referred to as an 'add-on' 12 times in the blog post by the Mozilla executive.


Because it was turned into an addon following the debacle, which was the correct move. If you're going to make jokes you could at least research the material?


A bit clearer than the initial empty press statements, but I guess we'll have to wait for the detailed post-mortems and changes to see how far their understanding for the various concerns goes. Not much detail here.


Mozilla continues its history of adding crap to Firefox that most people don't want, without asking. Anyone remember Pocket?


It's their browser, they can do whatever they want.


That attitude sure turned out well for Opera.


While unfortunate it is good that this happened. It will help some 'more creative' individuals in marketing feel the boundaries they didn't understand.

Comparing FF and Chrome security/privacy wise is ridiculous, I really don't understand that anybody tries to compare those two.


People were comparing it to Chromium. Chrome and Chromium are not the same.


Chromium still has more pervasive spyware features than Firefox with all the data collection options enabled.


I would honestly like to know who thought this was a good idea. Screw the press release of "we"


> We didn’t think hard enough about how our actions would affect the community

Which can be interpreted as "we didn't expect you to be such whiny bitches". I was hoping for something along the lines of "this breaks our principle <<Transparent community-based processes promote participation, accountability and trust.>> [1]". But PR seems to be more important than respecting principles.

This time it was a disabled marketing addon. Next time it might be something worse. Betraying your core principles is a serious red flag.

> Over the course of the year Firefox has enjoyed a growing relationship with the Mr. Robot television show

And this is the first time I hear of it.

[1] https://www.mozilla.org/en-US/about/manifesto/#principle-08


Funny thing about this whole situation... I've never heard of Mr. Robot until now and after reading about it I want to watch it.


Why would anybody do something like this that installs unwanted software on millions of devices worldwide just to provide entertainment to a handful of fans of some television show most users, I suspect, haven't even heard about? I have difficulty believing that there was no payment; if there wasn't any payment, what exactly was Mozilla gaining from this?


They got screen time on the TV series and apparently some "sponsored by Firefox" mentioning in the credits (?). So the whole "unpaid" thing is a bit misleading as they did get something in return (which has direct cash value).


> We didn’t think hard enough about how our actions would affect the community, and we’re sorry for letting you down.

It's OK Mozilla. Don't be too harsh on yourself. Everybody makes mistakes. We still love you :)


It is pretty frustrating that moz://a is better at entrenching Chrome than Google.


I just hope this makes the outraged people quiet for a while. This is a clear apology and Mozilla seems to have learned the lesson. Let’s now show some love and support for this powerful open-source organization.


One apologizes and any consequences are automagically cancelled?

Also, hadn't they already learned the lesson with Pocket?


Yes, clearly this apology written by their chief marketer heralds a true change in corporate priorities and culture, and wasn’t just ass coverage.


For a clear apology there are some mighty funny sentences in there, I suggest you read the thing again.


the apology rings hollow for me as it takes a very patronizing and well worn SV tactic... apologizing for >> _letting down members of our community_


It seemed like a fair apology written by a non-tech person who may not understand the situation 100% and was given some bullets to write about.

We must forgive them and stop being so negative. They've made their apology. If _this specific_ thing happens again then I'll join you with some pitch forks.

To be so negative and full of hate isn't healthy for anyone.


> It seemed like a fair apology written by a non-tech person who may not understand the situation 100% and was given some bullets to write about.

In the context of the last big "good guys" entity in a sector where technical understanding is key, this might make it even worse. User trust is the single thing the browser ecosystem boils down to.

I don't think you're accurate in identifying hate as the catalyst for this issue -- I'd go with concern. And seeing one's concerns handled with such thoughtlessness does foster negativity.

We care because we know FF is the best mainstream pick when it comes to privacy and user rights, and seeing Mozilla go down that route reminds us that we're very easily screwed.


This apology from the CMO is only the start of what I hope to see.

What lesson they learn from this remains to be seen, based on what steps they take to prevent this happening again. The fact that any "lessons learned" from the Pocket debacle weren't enough to prevent this (IMO even more egregious) case doesn't speak very well to Mozilla management's ability to learn from their mistakes.

I hold Mozilla to a very high standard compared to pretty much any other tech organization, I care deeply about Firefox, Rust, Servo and the technical work Mozilla does, but they need to be held to account when they take actions that violate our shared values.


Ok, Mozilla Employee with the fresh account.


This breaks the HN guideline against accusing other users. Please read https://news.ycombinator.com/newsguidelines.html and don't do this again.


Apology does not mean instant forgiveness nor does it mean do-over.

It's a sad day when I now have more trust in Apple and Safari than I do in Mozilla and Firefox.


Not to say you should doubt the Safari team, but I remember the auto-push of U2 albums to users without an opt-in being comically similar.


Pushing unwanted sound files and pushing unwanted executable code are two very different things.


In the end they are both symptoms of a tone deaf management that think that their world view is the majority world view...


But an apology is much better than no apology, right?


Words are just words. Actions though... let's wait and see what their follow through is like. :)


Yes, very much so. I wish more people in this thread could understand this from Mozilla's perspective.


[flagged]


They never tried to hide this - they actually thought they were building some cute easter egg, without thinking about how people would react to a phishy-looking add-on getting installed in their browser without consent or notice.


And they still haven't said "we are sorry, this was 100% wrong. we 100% promise to never again do this"


Yeah, that was a pathetic self-justifying post. "Sorry, won't do it again." would have been better. Losing their next bonus would be better still.


Jascha Kaykas-Wolff should be fired. Marketing shouldn't be allowed to modify the shipping bits at all, even if the Chief Marketing Officer tells them to. Any and all product changes should go through engineering and be tracked in bugzilla. The CMO can file a ticket in the open just like anybody else can.


This counts as a personal attack. Those aren't ok on HN and we ban accounts that do it, so please don't do it again. You may not owe better to whoever installed an extension in your browser but you do owe better to this community, if you want to comment here.

I'd appreciate it if you'd (re-)read https://news.ycombinator.com/newsguidelines.html and take the spirit of this site more to heart. Also https://news.ycombinator.com/newswelcome.html.

p.s. Your comment without the first sentence would be fine.


To me, the sad part is (based on what little you can find in public bugs) the Shield team seemed to be engaged in this, and didn't raise a flag that their platform of experiments was being co-opted to push out a game.

There's all the talk that Mozilla violated people's privacy, and they're not wrong, but the larger loss, I think, is all the technical people who will turn off Shield and never come back to using it.


Fixed Firefox spelling and URL master (#43) @gregglind gregglind committed 4 days ago:

+ "description": "MY REALITY IS JUST DIFFERENT THAN YOURS.\n\nLooking Glass is a collaboration between Mozilla and the makers of Mr. Robot to provide a shared world experience. Are you a fan of Mr. Robot? If so, join the hunt for answers!\n\nParticipating in this shared world experience requires explicit user opt in. If you are not actively participating in the ARG (Augmented Reality Game) no modifications will be made to Firefox.\n\nhttps://support.mozilla.org/kb/lookingglass",
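
Review bot: In the added description string, "requires explicit user opt in" never says how a user opts in, so someone reading the add-on listing cannot tell what action enables it; name the mechanism in that sentence or state that the linked support article explains it. The noun form should also be hyphenated as "opt-in".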

Sigh. Again [2], it's definitely not an "Augmented Reality Game". And it hardly qualifies as an "Alternate Reality Game", which is defined as "intense player involvement with a story that takes place in real time and evolves according to players' responses". [3] How does this extension affect the evolution of the TV show's plot? If there's not interactivity and feedback, it's Alternative Reality Static Content (aka Alternative Facts), not a game.

For what it's worth, we developed a TV show with Current TV called "Bar Karma" [4..7] along with a web site and mobile app, enabling viewers to collaboratively write, discuss and vote on the scripts of each episode. But as far as I can tell, that's not the point of this extension.

[1] Fixed Firefox spelling and URL master: https://github.com/mozilla/addon-wr/commit/fdd61682e5b8ef778...

[2] Not AR: https://news.ycombinator.com/item?id=15936727

[3] Alternate reality game: https://en.wikipedia.org/wiki/Alternate_reality_game

[4] Will Wright's Current TV show shooting pilot this week: https://www.engadget.com/2010/08/20/will-wright-current-tv-s...

[5] https://en.wikipedia.org/wiki/Bar_Karma

[6] Bar Karma | Trailer: https://www.youtube.com/watch?v=JIlTVoedDXY

[7] Will Wright Talks Bar Karma: https://www.youtube.com/watch?v=5tsWTb9RHSQ


> unpaid collaboration

Even worse if this wasn't a google-like revenue deal.


Mr Robot advertises Firefox in the TV show.

It is unclear if Mozilla is paying them or if this is an unpaid thing in both directions.


I totally understand that this was not okay, but at least Mozilla apologized and is in the process of making things right. To the best of my knowledge, Mozilla is not a greedy, power-hungry org that serves its own interests first.

Every company makes mistakes. Mozilla are really, really, really trying to actually make the web/society a better place, and they deserve support from anyone who actually cares about these things. I get that stuff like this isn't cool, but at least they are responsive.

We are as close as we have ever been to a complete corporate takeover of the web, and now is not the time for those of us who support Mozilla to turn against them or each other.


I'm glad that Mozilla has responded in this way. My disappointment remains, however.

I am one of those not affected at all by the Looking Glass extension but still, my trust in Mozilla (which has been eroding as of late) has suffered greatly.

I am giving Mozilla exactly one more chance before uninstalling FF on every device I have. In the meantime, I will no longer volunteer for ANY data collection.

Last chance, Mozilla.


But.... why? And what browser on God's earth are you going to switch to that has the same respect for privacy as Firefox (excluding poorly maintained FF forks)?

It's a blip, one you were not affected by at all and in the scheme of things not major compared to other vendors. But hey, boo mozilla uninstall everything and use lynx/curl!


Mozilla as an organization and Firefox displayed their reckless disregard for my privacy. It would be foolish to dismiss it as just a blip.

If Mozilla cared about people trusting them with their privacy then they shouldn't have eviscerated that trust by installing an extension (even switched off) behind their back.

They did this with Looking Glass, they did this with Pocket, and they did this with non-free WebRTC support. Three strikes and you're out!


Ok, so are you going to be using Edge or Chrome, and which of those respects your privacy more than Firefox?

No organisation is perfect and you have a right to be angry, but you're being a bit extreme IMO. It's much more nuanced than three strikes and you're out, and it's a shame to reduce it to that level.


What's the non-free WebRTC support? I missed that.


None of those violated your privacy by any reasonable definition. Those three things did not provide any additional information about you to any third party (unless you opted in to using pocket).

WebRTC did violate your fundamental freedoms as defined by the FSF, but that's not a privacy violation.

Please explain how your privacy was actually meaningfully violated.


So what are you moving to if they fail your challenge? (I've asked myself this question, and apart from "try something exotic like Qutebrowser, prepared to move back if it doesn't work out" I don't see a better alternative personally)


I read some other news story on this today. Is there an actual apology yet? And if not, does it matter?

In my mind, no apology is better than a 'sorry you were upset' non-apology, but there are apologies that manage to seem genuine as well. As I write this I am reminded of the show 'The Orville's "apology tour"... I don't necessarily think an apology is needed or helpful.

Always interested in examples of corporate PR, whether negative, neutral-ish, or positive.

Edit: obviously I don't care enough(?) about the specifics of this instance... Hopefully it's also obvious that I appreciate the chance to evaluate the community's response to a favored company. Mozilla seems to be allowed quite a bit of leeway.


The first sentence reads: 'We didn’t think hard enough about how our actions would affect the community, and we’re sorry for letting you down.' So yes, they have apologised.


Thanks. Sounds like their apology feels genuine to you; appreciate the feedback.


If you actually read the article, I'm pretty sure you'll find the words "we're sorry" in there.


Thanks. Do you have time to expand on why this counts as a genuine apology to you (or not?).

Interesting to me that all it takes to count as an apology to some is the words 'we're sorry'.

I hope to find similar discussion(s) where an HN user practiced his hobby of rewriting corporate apologies. Also nice to have another example where initial response can be completely tone deaf with little consequence.


You might find this thread[1] of interest.

All you have to do is drop the word "sorry", it doesn't matter if the apology actually addressed any of the concerns that were raised.

FB was sorry for being "unclear". Mozilla is sorry for "the confusion" and for "letting down members of [the] community".

The headlines will read "[Company] apologizes for [event that triggered criticism]" and everyone will carry on as if the apology directly addressed that event. The lawyers and shareholders will breathe a sigh of relief, and the matter will soon be forgotten.

[1] https://news.ycombinator.com/item?id=15449954


Thanks for another example, and the specifics of this one.

From what you've said it doesn't sound like anyone at Mozilla (specifically the Chief Marketing Officer representing the company) apologized for doing anything wrong. "letting down" comes closest for sure and may be enough for most.


Found it: https://news.ycombinator.com/item?id=11379475

swanson: My hobby: role-playing how I would respond as the CEO if my company was getting skewered on HN. Here is my version!

Also, https://news.ycombinator.com/item?id=3523763

abbasmehdi: Proper apologies have three parts: 1) What I did was wrong. 2) I’m sorry that I hurt you. 3) How do I make it better? It’s the third part that people tend to forget…. Apologize when you screw up and focus on other people, not on yourself.

(Couldn't find the exact YouTube timecode; https://teamrich.wordpress.com/2007/10/20/pausch-last-lectur... )

>anon808: The most important part of that apology formula is missing, actually meaning it. Also if the answer to #3 is obvious (i.e. stop doing what you're apologizing for) then one shouldn't have to ask.


Twice!



