We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication. While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this.
The developer has been in communication with us and says that they destroy all user-identifiable information from their logs, and that their privacy policy and add-on description will be updated to reflect that. They'll also show a notice about this on their first-run website.
Additionally, the AntRank feature that uses this tracking can be disabled.
Add-ons publicly available in our gallery have been reviewed for security problems, and add-ons that aren't marked as experimental have been fully reviewed for a range of other issues as described in our hosting policies. Because developers set their own privacy policies and can update them any time, it is more difficult for us to review them for compliance with their own rules. We encourage users to always read an add-on's privacy policy if one is provided and to use the Report Abuse link if anything suspicious is noticed.
Private Browsing Mode is for browsing without storing information on your computer. It has nothing to do with websites tracking you; that's what the Do Not Track feature is. We do require that add-ons respect Private Browsing Mode, and our privacy team is working on a recommendation (not a requirement) that add-ons also honor the user's Do Not Track preferences.
As the person who implemented Private Browsing describes:
Private Browsing aims to help you make sure that your web browsing activities don't leave any trace on your own computer. It is very important to note that Private Browsing is not a tool to keep you anonymous from websites or your ISP, or for example protect you from all kinds of spyware applications which use sophisticated techniques to intercept your online traffic. Private Browsing is only about making sure that Firefox doesn't store any data which can be used to trace your online activities, no more, no less.
Not everyone has the same values as you. There's nothing inherently wrong with not caring if somebody knows where you surf, and being interested in the recommendations that their tool can provide.
Disclosure is good. Homogeneity and coercion are bad.
Exactly. From what I can tell, there's not much difference between the information ant is collecting and that that's regularly sent back to Google from Chrome, except that the latter is likely even more invasive.
The very last thing we need is for the government to put more regulation on the Internet. The only thing that's kept their heavy hands from destroying things so far, is that they're also incompetent with technical issues.
I'm fine with reasonable regulation. When you have an oligopoly controlling the infrastructure, having regulations that say they can't sell preferential access to that infrastructure to other oligopolies is a good thing. The key metric of what's good for the consumer is competition, not regulation. Regulation that stifles competition is bad. Regulation that protects it is good. Regulation itself is simply a tool, and it's moral worth lies in how it's used.
Not necessarily. There's no point in using regulation to preserve competition between buggy whip manufacturers. Creative destruction puts an end to many industries. And in some cases, its death throes can easily look like a market failure rather than market success.
In the end, who decides if it's a buggy whip industry? And who decides if a corporation is an oligopoly? Remember, it's likely that in any mature, regulated industry, the regulators are probably industry insiders themselves (see "Regulatory Capture", https://secure.wikimedia.org/wikipedia/en/wiki/Regulatory_ca... ).
Your original post struck a very anti-net neutrality tone. My point was that government regulation in that area, as well as others, can protect both consumers and innovation. If we let any company merge with any other, we would soon have monopolies that stifle competition and gouge consumers.
Not all regulation is bad, just like not all effects of slavish adherence to free market ideals are good. The free market is good in aggregate, but there are many cases where government intervention is beneficial.
Very well, I suppose some people might want to be tracked like a bunch of cattle. In the event that someone does want to do this, then they should have to opt-in. The default should not be opt-out for something as invasive as this.
If Apple were caught doing this, there would be a hearing in front of congress.
"This add-on has been preliminarily reviewed by Mozilla."
What that entails:
"When performing a preliminary review, editors will review the source code for security issues and major policy violations, but will not install the add-on to test functionality in most cases. Preliminary review will be granted unless a security vulnerability or major policy violation is discovered."
Extensions marked 'experimental' are not fully reviewed. Which is why they probably left this plugin marked as 'experimental'.
You can't blame the users since they are installing from a Mozilla page and trusting the brand. I hope this triggers a review of those procedures at Mozilla, since I would consider sending back every site you visit a 'major policy violation'. Very scary.
Edit: they may also want to change the 'experimental' policy and set a time limit to how long an extension can remain experimental, and not list them in the default directory unless users (more advanced users) specifically seek out experimental extensions
I'm not sure if this is still the case, but you used to have to make an account and log in to actually install an experimental add on. There was also a clear warning as well.
I definitely agree with setting a time limit, if feasible.
Edit: Further code browsing points to the "rank" feature. They rank all URLs that are http/https and the host isn't "localhost". I'm guessing, but if you turn of ranking in the preferences, it will stop logging your page views.
The files I've looked at have been authored by many different people. (Seed, Zak, RigoNet, Camille, Dmitriy, Dima Sidorchenko, etc.) I don't think Dima is solely responsible for this. The company that had this written should be responsible.
Ant.com collects non-personally-identifying information when you are visiting our site or using our software applications, this infomation made available typically from web browsers and servers. Some of the infomation type is: the Uniform Resource Locator (URL) of the web page from wich you came, the date and the time for each page you view, settings such as browser languages, etc.
Ant.com also collects infomation made public to us that can be considered personally identifyable, such as your internet protocol (IP) address. Ant.com does not use such information to identify its visitors and does not disclose such information.
"The web page from wich you came" is just the HTTP "Referer" field; almost every web site in existence collects that as a matter of course. To claim that it covers universal monitoring of all users' web traffic is obscene.
I'm also fairly sure that one can find personally "identifyable" information from URLs that go far beyond mere IP addresses.
Why is ant.com domain info privacy protected anyhow? Seems pretty fishy to me.
Are add-ons safe to install?
Unless clearly marked otherwise, add-ons available from this gallery have been checked and approved by Mozilla's team of editors and are safe to install. We recommend that you only install approved add-ons. If you wish to install unapproved add-ons or add-ons from third-party websites, use caution as these add-ons may harm your computer or violate your privacy. Learn more about our approval process
And thanks to Simon, I am having a hard enough time with my work and personal to do lists, testing all of my tools for their extranet behaviors is not something I look forward to adding to them...
Privacy policy or not - if it's purpose is to be a video downloader, but it tracks stuff when you are doing something other than video downloading - it's sneaky at best, however it's presented.
I have Little Snitch on my machine too, but I've set up a rule that allows my browser to make calls to port 80.
Are you saying you don't have a generic rule in place, and are instead using Little Snitch to approve calls to port 80 for every new domain you visit? If so, that'd certainly work, but it seems more than a little impractical.
> Are you saying you don't have a generic rule in place, and are instead using Little Snitch to approve calls to port 80 for every new domain you visit?
Yes. And I do the same with cookies.
I do allow connections (and cookies) permanently to "trusted sites", but that's the exception rather than the rule.
I've seen this before in an other smaller extension (I can't remember which) while I was studying how it worked, but fortunatly the code was commented.
Firefox extensions are just plain zip files, I wonder why he hasn't checked the code.
I'm not familiar with Mozilla's add-on policies. Is this an issue due to the user tracking? Or is it because the privacy policy didn't make it clear this was happening?
For individuals, e.g. blogs and the like; sure. Something which seems awfully like a company (it looks like they're trying to build a search engine); that's much dodgier to my mind.
Seems like an overreaction, imho. This is likely a case of poor Privacy Policy writing and general ineptitude, rather than deliberate evil.
From their feature list:
"Easy to use : when a video is detected, the download button becomes clickable." - i.e. our plugin sends all URLs to us for analysis, we respond telling the plugin whether to activate the button
"Integrated Traffic Rank indicator for all the sites you visit." - i.e. we need a way of measuring unique visits to everything
Still, interesting, and good on this guy for bringing it into the public eye.
While I usually follow "do not ascribe to malice that which is adequately explained by stupidity", I don't think this case is adequately explained by stupidity.
Chrome sends every keypress in the URL bar back too Google. http://www.google.com/chrome/intl/en/privacy.htmlWhen you type URLs or queries in the address bar, the letters you type are sent to your default search engine so the Suggest feature can automatically recommend terms or URLs you may be looking for.
"“Beware of spyware. If you can, use the Firefox browser.” - USA Today"
"Privacy and Security
Built with your security in mind, Firefox keeps your computer safe from malicious spyware by not loading harmful ActiveX controls. A comprehensive set of privacy tools keep your online activity your business."
---
While that's technically correct - Firefox couldn't (can't?) load ActiveX controls, therefore it could't load harmful ActiveX controls - the Firefox extensions system has permitted installation of executable code for a long time, if not since its inception. Since that's what ActiveX is, more or less, Firefox has never been any more secure in that respect than e.g. Internet Explorer.
Like Apple products, as Firefox becomes more popular (and therefore a jucier attack target) there will be more malware that targets it.
ActiveX hasn't worked that way for a long time. At least since XP SP2, released 2004. Possibly even before then - I'm not sure exactly what XP SP2 changed.
We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication. While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this.
The developer has been in communication with us and says that they destroy all user-identifiable information from their logs, and that their privacy policy and add-on description will be updated to reflect that. They'll also show a notice about this on their first-run website.
Additionally, the AntRank feature that uses this tracking can be disabled.
Add-ons publicly available in our gallery have been reviewed for security problems, and add-ons that aren't marked as experimental have been fully reviewed for a range of other issues as described in our hosting policies. Because developers set their own privacy policies and can update them any time, it is more difficult for us to review them for compliance with their own rules. We encourage users to always read an add-on's privacy policy if one is provided and to use the Report Abuse link if anything suspicious is noticed.