1. 26

Surprised to see this extension installed and visible in the Add-ons window in Firefox this morning. This GitHub issue has a screenshot of what it looks like. There is no link to any documentation or anything like that - the linked Reddit thread appears to be the only source of information on what it does and they figured it out by reverse engineering the addon.

  1. 11

    The Reddit thread linked in the GitHub issue is interesting:

    There are several scary things about this:

    • Unknown Mozilla developers can distribute addons to users without their permission
    • Mozilla developers can distribute addons to users without their knowledge
    • Mozilla developers themselves don’t realise the consequences of doing this
    • Experiments are not explicitly enabled by users
    • Opening the addons window reverts configuration changes which disable experiments
    • The only way to properly disable this requires fairly arcane knowledge of Firefox preferences (lockpref(), which I’d never heard of until today)

    This all gives me a huge lack of confidence in the privacy and security of Firefox.

    1. 10

      I’m among those who got a shock when looking at my extensions, and found the same Reddit thread outside of Lobste.rs. This is pretty bad, and I hope it gathers steam in Mozilla and they release an official statement soon. I’ve completely disabled shield for the time being, and likely will not re-enable.

      1. 5

        We shouldn’t have to manually disable anything to not have random information sent elsewhere.

        I expect better from the Mozilla Foundation, and consider this a violation of trust.

        1. 4

          I love what Mozilla has done with Firefox in general, but the past couple of years have been a good reminder that they are still a corporation that has bills to pay.

          This feels pretty similar to my disenchantment with Google growing up. It was always the “company that does good things for everyone” stuff but then I realised that it also… well it also is a corporation with its own business requirements.

          I guess a lot of this is more knock-on effects from societies basically run by market capitalism.

          1. 1

            I was just talking about this to someone the other day. Remember in 2000 when Microsoft was evil and Google was the golden boy giving away services and generally just being awesome. Nowadays Google, Facebook, Uber and Amazon are evil, while Microsoft ports parts of bash to Windows, adds an SSL client and server to Windows, and gives everyone a free major version OS update, even pirates (For a limited time, and admittedly to a version with more telemetry). Has the world gone topsy turvy!?!

          2. 4

            There’s a Mozilla Support Thread on this as well.

            1. 4

              Hey all, some context on this. Shield studies are studies run by Mozilla to try new features in a random population (https://wiki.mozilla.org/Firefox/Shield/Shield_Studies). Here you can get some context on why and how, and it’s possible to see which ones are being executed and which ones are in the queue to be executed in the future (https://wiki.mozilla.org/Firefox/Shield/Shield_Studies/Queue). It’s also important to point out that, even if you have the study installed, it doesn’t mean you’re sending data. Those studies usually only send data from 1%-2% of the population.

              Moreover, running these kinds of studies is always optional. They can be disabled in about:preferences#privacy, unchecking the “Allow Firefox to install and run studies” checkbox. And it’s also possible to see more information about the studies in about:studies#shieldStudies.

              If you really, really, want to see what data is sent by Firefox (Telemetry data, health data, Shield studies data…), it’s possible to go to about:telemetry and filter by type, see archived pings, and the raw JSON that is sent.

              1. 10

                There are several main problems with this.

                1. Optional does not mean opt-out, it means opt-in. You want to collect data from loyal Mozilla fans, then by all means give them the ability to turn it ON.

                2. If #1 is unavoidable, don’t be unprofessional and don’t do mysterious things with the power that you grabbed from the opt-out default. “MY REALITY IS DIFFERENT THAN YOURS” is like one of the worst things you can put in the description that loyal unexpecting users will see.

                3. If #2 happens by accident, write an apology and clean up your act. The replies from Mozilla thus far have been “it’s shield studies”. This is so cold and tone-deaf. Tell us what you’re going to do to make it better and make sure we can still trust Firefox!

                1. 2

                  I agree with you, but tbh, I don’t understand the problem with sharing anonymous data that can help to improve a product you use every day. If users have to give explicit consent to share even the most basic data, Mozilla would never be able to understand how people use Firefox. Don’t misunderstand me, I really care about my privacy and I don’t want my data to be sold or used to show me ads, as other big companies do, but Mozilla’s policy on data privacy (https://www.mozilla.org/en-US/privacy/principles/) is very strict with that.

                2. 1

                  Also, about:studies shows which studies are ongoing, and a link to prefs to change this.
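
The thread mentions both the “Allow Firefox to install and run studies” checkbox and a report that the setting can be reverted. As an added example (not code from Mozilla or from any commenter), this script audits the text of a profile's `prefs.js` for the studies opt-out. The two preference names and their assumed defaults are not given in the thread and may differ between Firefox versions; the sample input is constructed.

```python
import re

# Assumed preference names and shipped defaults (not stated in the thread).
STUDY_PREFS = {
    "app.shield.optoutstudies.enabled": True,          # the studies checkbox
    "datareporting.healthreport.uploadEnabled": True,  # telemetry upload
}

# One prefs.js entry looks like: user_pref("name", value);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        raw = m.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        prefs[m.group("name")] = value
    return prefs

def audit_studies(text):
    """Report the effective value of each studies pref and whether it is
    set explicitly in the profile or only inherited from the default."""
    prefs = parse_prefs(text)
    return {
        name: {"enabled": prefs.get(name, default), "explicit": name in prefs}
        for name, default in STUDY_PREFS.items()
    }

def studies_can_run(text):
    """Studies are treated as possible only if every listed pref is on."""
    return all(entry["enabled"] for entry in audit_studies(text).values())

# Constructed sample: a profile where the studies checkbox was unchecked.
SAMPLE_PREFS = '''// constructed sample, not a real profile
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.page", 3);
user_pref("browser.startup.homepage", "about:blank");
'''
```

Running the audit before and after a browser restart shows whether an opt-out set in the profile has persisted or has been reset to the default.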