"Mozilla updates Firefox's Terms again after backlash" has been merged into this story.
-
Firefox adds terms of use 4 blog.mozilla.org
An update on our Terms of Use | The Mozilla Blog blog.mozilla.org via
SoapDog
11 days ago
Mozilla reverses course on its terms of use lwn.net via
thang
9 days ago
Mozilla updates Firefox's Terms again after backlash thehackernews.com via
ine
8 days ago
https://www.mozilla.org/en-US/about/legal/terms/firefox/
:)
That’s… wow. Thank you for highlighting that. I am seriously considering using something other than Firefox for the first time in… ever. Regardless of how one might choose to interpret that statement, it’s frightening that they would even write it. This is not the Mozilla I knew or want. I’d love to know what alternatives people might suggest that are more community focused and completely FOSS, ideally still non-Chromium.
Thankfully, the lawful base for data use is spelled out in their privacy policy:
https://www.mozilla.org/en-US/privacy/firefox/#lawful-bases
e.g. Browsing, Interaction and Search data are “Legitimate interest” and “Consent”-based.
Consent being the kind that I haven’t given, but I’m supposed to actively revoke? Until the next update?
That unfortunately seems to be the current usage of the term “consent” in the tech industry.
Fortunately, that’s not consent as the GDPR defines it
Isn’t it? Most GDPR consent screens have an easy “accept to everything” button and requires going through multiple steps to “not accept”, and many many more steps to “object” to their “legitimate interest” in tracking for the purposes of advertising. As long as these screens remain allowed and aren’t cracked down on (which I don’t foresee happening, ever), that’s the de facto meaning of “consent” in GDPR as far as I’m concerned: something that’s assumed given unless you actively go out of your way to revoke it.
It’s not what the text of the GDPR defines it as, but the text isn’t relevant; only its effect on the real world is.
Yes, definitely. Consent in GDPR is opt-in not opt-out. If it’s opt-out, that’s not consensual. And the law is the law.
Furthermore, for interstitials, to reject everything should be at least as easy as it is to accept everything, without dark patterns. Interstitials (e.g., from IAB and co.) first tried to make it hard to reject everything, but now you usually get a clear button for rejecting everything on most websites.
As I mentioned in another comment, the DPAs are understaffed and overworked. But they do move. A real-world example of a company affected by the GDPR, and that tries testing its limits, is Meta with Facebook. For user profiling, first they tried the Terms of Service, then they tried claiming a legitimate interest, then they introduced expensive subscriptions for those that tried to decline, now they introduced a UI degradation, delaying the user scrolling, which is illegal as well.
Many complain, on one hand, that the EU is too regulated, suffocating inovation, and with US’s tech oligarhs now sucking up to Trump to force the EU into allowing US companies to break the law. On the other hand, there are people who believe that the GDPR isn’t enforced enough. I wish people would make up their mind.
Those are different people, all who have made up their mind.
I thought I made it reasonably clear that I don’t care that much about what the text of the law is, I care about what material impact it has on the world.
I corrected you with facts, and you’re replying with your feelings. Fair enough.
To be fair, @mort’s feeling may come from non-actually-GDPR-compliant cookie consent forms. I have certainly seen where I couldn’t find the “reject all” button, and felt obligated to manually click up to 15 “legitimate interest” boxes. (And dammit could they please stop with their sliding buttons and use actual square check boxes instead?)
I think the worse case is you click “reject all”, but you don’t actually reject all, and the legitimate interests are still checked.
The facts you provided aren’t relevant. I’m talking about the de facto situation as it applies to 99% of companies, you’re talking about the text of the law and enforcement against one particular company. These are different things which don’t have much to do with each other.
You even acknowledge that DPAs are understaffed and overworked, which results in the lacking enforcement which is exactly what I’m complaining about. For what I can tell, we don’t disagree about any facts here.
Well, other people in this sub-thread are talking about GDPR. You might have switched the topic, but that isn’t alexelcu’s fault.
I’m talking about GDPR as well, focusing about what impact it has in practice. I have been 100% consistent on that, since my first message in this sub-thread (https://lobste.rs/s/de2ab1/firefox_adds_terms_use#c_3sxqe1) which explicitly talks about what it means de facto. I don’t know where you got the impression that I’m talking about something else.
But there is enforcement, it’s just slower than we’d like. For example, screens making it harder to not opt in rather than opt in have gotten much rarer than they used to be. IME now they mostly come from American companies that don’t have much of a presence in the EU. So enforcement is causing things to move in the right direction, even if it is at a slow pace.
There is a website tracking fines against companies for GDPR violations [1] and as you can see, there are lots of fines against companies big and small every single month. “Insufficient legal basis for data processing” isn’t close to being the most common violation, but it’s pretty common, and has also been lobbed against companies big and small. It is not the case that there is only enforcement against a few high profile companies.
[1] https://www.enforcementtracker.com/
Why do you lay this at the feet of GDPR?
it’s the other way around - most of the time you have to actively revoke “legitimate interest”, consent should be off by default. Unfortunately, oftentimes “legitimate interest” is just “consent, but on by default” and they take exactly the same data for the same purpose (IIRC there are NGOs (such as NOYB, Panoptykon) fighting against IAB and other companies in those terms)
“Legitimate interest” is the GDPR loophole that ad tech companies use to spy on us without an easy opt-out option, right? I don’t know what this means in this context but I don’t trust it.
It is not, ad tech has been considered not a legitimate interest for… Ever… By the Europeans DPAs. Report to your DPA the one that abuse this. There have been enforcement.
Every website with a consent screen has a ton of ad stuff under “legitimate interest”, most ask you to “object” to each individually. The continued existence of this patterns means it’s de facto legal under the GDPR in my book. “Legitimate interest” is a tool to continue forced ad tracking.
Yes, all of that is illegal under GDPR.
The problem has been that DPAs are understaffed and overworked.
I don’t think you’re disagreeing with me. It’s de jure illegal but de facto legal. I don’t care much what the text of the GDPR says, I care about its material effect on the real world; and the material effect is one where websites put up consent screens where the user has to “object” individually to every ad tech company’s “legitimate interest” in tracking the user for ad targeting purposes.
I used to be optimistic about the GDPR because there’s a lot of good stuff in the text of the law, but it has been long enough that we can clearly see that most of its actual effect is pretty underwhelming. Good law without enforcement is worthless.
No, it’s de facto illegal a well, law enforcement is just slower that we’d like. Ask, for example, Facebook.
De facto illegal for entities at Facebook’s scale? Maybe. But it’s certainly de facto legal for everyone else. It has been 7 years since it was implemented; if it was going to have a positive effect we’d have seen it by now. My patience has run out. GDPR failed.
I just gave you a concrete example of a powerful Big Tech company, with infinite resources for political lobbying, that was blasted for their practices. They first tried hiding behind their Terms of Use, then they tried claiming a legitimate interest, then they offered the choice of a paid subscription, and now they’ve introduced delays in scrolling for people that don’t consent to being profiled, which will be deemed illegal as well.
Your patience isn’t important. This is the legal system in action. Just because, for example, tax evasion happens, that doesn’t mean that anti tax evasion laws don’t work. Similarly with data protection laws. I used to work in the adtech industry. I know for a fact that there have been companies leaving the EU because of GDPR. I also know some of the legwork that IAB tried pulling off, but it won’t last.
Just the fact that you’re getting those interstitials is a win. Microsoft’s Edge browser, for example, gives EU citizens that IAB dialog on the first run, thus informing them that they are going to share their data with the entire advertising industry. That is in itself valuable for me, because it informs me that Edge is spyware.
I agree that the “we’re spying on you” pop-ups is a win in itself. I’m just complaining that it’s so toothless as to in practice allow websites to put up modals where each ad tech company’s “legitimate interest” in tracking me has to be individually disabled. If the goal of the GDPR was to in any way make it reasonably easy for users to opt out of tracking, it failed.
I’m not so sure. I’ve even seen this used as an argument against the GDPR: The spin they give it is “this is the law that forces us to put up annoying cookie popups”. See for example this article on the Dutch public broadcasting agency (which is typically more left-leaning and not prone to give a platform to liberals).
Roughly translated “all innovations in AI don’t work as well here as in the US. And why do you have to click on cookies (sic) on every single website?”
I have seen that as well, and I think it’s bullshit. The GDPR doesn’t force anyone to make any form of pop-up, nobody is forced to track users in a way which requires consent. The GDPR only requires disclosure and an opt-out mechanism if you do decide to spy on your users, which I consider good..
I agree, but at the same time I think the average user just sees it as a nuisance, especially because in most cases there’s no other place to go where they don’t have a cookie popup. The web development/advertising industry knowingly and willfully “complied” in the most malicious and obnoxious way possible, resulting in this shitty situation. That’s 1 for the industry, 0 for the lawgivers.
I agree that it didn’t have the desired effect (which, incidentally, I have spent a lot of this thread complaining about, hehe). I think everyone was surprised about just how far everyone is willing to go in destroying their website’s user experience in order to keep tracking people.
I’m not sure if you’re deep in grumpy posting or didn’t understand the idea here, but for legitimate interest you don’t need to agree and companies normally don’t give you the option. If you’re talking about the extra options you unset manually, they’re a different thing. The “legitimate interest” part is for example validating your identity through a third party before paying out money. Things you typically can’t opt out of without also refusing to use the service.
If you get a switch for “tracking” or “ads” that you can turn off, that’s not a part of the “legitimate interest” group of data.
I’m sorry but this isn’t true. I have encountered plenty consent screens with two tabs, “consent” and “legitimate interest”, and where the stuff under “consent” are default off while the stuff under “legitimate interest” is on by default and must be “objected to” individually. Some have an “object to all” button to “object” to all ad tracking in the “legitimate interest” category.
Here’s one example: https://i.imgur.com/J4dnptX.png, the Financial Times is clearly of the opinion that tracking for the purpose of advertising counts as “legitimate interest”.
I’m not saying that there’s any relationship between this pattern and what’s actually required by the GDPR, my understanding of the actual text of the law reflects yours. I’m saying that this is how it works in practice.
So when I login to lobste.rs (or any other important website) do I grant them the permission to use my credentials? ;-)
Pretty much
this comment remains property of the Mozilla Foundation and is presented here with their kind permission
Mozilla updated the article with a clarifying statement:
the problem is it doesn’t clarify anything. “basic functionality” is not defined. my guess is they want to be able to feed anything we type or upload to a site, to also be able to feed that into an LLM. “anything other than what is described” doesnt help because what is described is so vague as to mean anything “help you experience and interact with online content”
That is… not clarifying. And not comforting. “What is described” in the ToS is “to help you navigate, experience, and interact with online content.” That’s absurdly vague. And what is described in the Privacy Notice is absurdly broad:
Yes. That’s the fucking point.
I’m glad we have this contextless legalese to clarify things. I wonder if there’s some kind of opt-in data collection in Firefox that Mozilla might have legal obligations to clarify their rights to? Couldn’t be that… No, let’s put a pause on critical thinking and post stupid TOS excerpts as if Mozilla are going to steal our Deviantart uploads and sell them as AI training data.
If they need a ToS for a particular feature, then that “contextless legalese” should be scoped to that feature, not to Firefox as a whole.
This is precisely why the same organization should not do all of these things. If they want to do non-tool stuff to continue funding their mission they should start up independently managed companies that can establish these consents for a narrow band of services. They can give the existing organization control as a majority shareholder, with dividends flowing back to the main organization. That is the way to ensure that incentives don’t become misaligned with the mission.
They’re future-proofing their terms of service. That’s even worse than future-proofing one’s code, Though for different reasons.
That language comes off a bit … onerous
But what does it mean? To “navigate”.
That’s it I guess. Thanks for the find! Firefox is dead to me now. What’s the non-evil browser to go to nowadays?
librewolf seems to be the rage now: https://librewolf.net/
On MacOS/iOS there is the Kagi browser Orion: https://kagi.com/orion/
Once again I am baffled by how many people dismiss this with the usual “this is just legal boilerplate” or “the distro will patch it out”, just because it is Mozilla. I dislike Google as much as the next guy, but if this was Google, people would not have given the benefit of the doubt as much as they are doing now.
Even before this terms-of-use change, Mozilla has reportedly been acting evil for a long time and privacy-based Firefox forks have been necessary for just as long as Chromium has been deemed the monopoly.
I am tired of companies like Mozilla, Duckduckgo et al. getting a free pass in the FOSS community, even when the last few years clearly have shown that they use privacy as a publicity stunt.
It is legal boilerplate. I would make the same comment if EvilCorp had the same clause in their terms.
And I am sick and tired of people trying to find pointless things to be outraged about. There are enough actual bad things in the world. You don’t need to go inventing fake ones.
It is a legal boilerplate, but it is also (another) signal of the direction in which the Mozilla Foundation is moving.
I do agree that people should worry more about more impactful bad things, but this is also impactful and “actual”. Just maybe not for all.
The Python Package Index announced updated TOS yesterday. It has a very similar clause stating you grant them a license to things you send to them.
https://blog.pypi.org/posts/2025-02-25-terms-of-service/
Do you think this is a “signal” of a “direction” the Python Package Index and/or the Python Software Foundation is moving?
It seems to me that, contrary to the claim above, Mozilla isn’t getting a “free pass” — Mozilla is getting far more scrutiny and far less benefit of the doubt than other entities doing the same thing. And for no rational reason I can discern.
Well there are differences and similarities. Compare:
vs
The PyPI text is clearly about presenting the content in a way that could be construed as copyright infringement. The Firefox text has the much broader notion of use, which could mean anything including using the data to build a profile and selling it to partners.
Another comparison:
vs
These have more in common. Both agreements grant the service the right to quietly update the agreement on their website without notification or obtaining any further consent. PyPI didn’t have this provision in their previous terms either, and should not be given the benefit of the doubt for it IMO.
I’m not the person you asked, but I think it’s a signal that the organization is considering diversifying their revenue streams at the expense of user rights. It’s also an indication that they’re spending money on lawyers that could be spent on the service. Does that help?
But this new Firefox TOS isn’t about data I might send to Mozilla, it covers “input information through Firefox”. And the supposedly lawful bases of data gathering they have in their privacy notice are both vague and broad.
You underestimate my capacity for outrage! ;-)
Is the outrage you are outraged about not something pointless to be outraged about?
If my comment about patching it out came across as dismissive, I assure you it was not intentional. (In fact, I’m concerned that Debian will fail to do so.) I count myself lucky to be insulated from the worst of this shit by my distro, but the fact is that most people aren’t, and even if it doesn’t affect me personally I see it as a serious problem (but not a surprise, given Mozilla’s recent track record).
Thanks for clearing that up - your comment was indeed a bad example to pick. Clearly it would have been better to pick the one sarcastically leaning towards “It’s not like Mozilla will feed your input to an AI”, completely oblivious to the fact that five of the articles on the frontpage of the Mozilla blog are about AI.
Of course they didn’t really answer the question “why now?” What is it about the “much different technology landscape” that makes the rights that users have by default under the law untenable?
Why now? I suppose Google, after overbuilding AI capacity, has them at financial gunpoint about feeding user data to their slop machines.
There is nothing stopping Mozilla Corporation, or even the employees themselves, from moving away from a for-profit model and towards a non-profit model like the Wikimedia Foundation. The only people holding a financial gun to Mozilla’s head are Mozillans.
Is that economically viable for Mozilla? Has anyone done the projections?
I would not be surprised at all if Mozilla couldn’t support Firefox development solely with donations.
Mozilla Foundation’s Dec 31 2023 expenses (page five):
Alas, these numbers reflect the Mozilla Foundation as a whole, and not Mozilla Corp specifically, but it’s likely that the lion’s share of “software development” expenses in the Foundation fall under the Mozilla Corp bucket (if that isn’t the case, then the situation would look a bit rosier, I suppose). Administration expenses come out to 192 million. Administration percentage of expenses is 38.7%.
Wikimedia Foundation’s 2023-2024 revenue shows total revenue of 177 million, with 145.5 million coming from:
Their expenses bucket 137.8 million for Programmatic (100 million of which is personnel), 17.9 million for Fundraising, and 21.3 million for General and Admin. Administration percentage of expenses is 12%.
Being pessimistic, and assuming Firefox could only ever match Wikimedia Foundation’s 145 million in revenue from individual users (which excludes large grants or other enterprise contracts), that leaves a large gap no matter how you slice it. Mozilla Foundation’s admin expenses are absurd, but even excluding them entirely and only focusing exclusively on software development Program expenses (260 million) leaves a 115 million dollar gap. Mozillans would need to cut their annual compensation in half to even come close to closing that gap in such a scenario (they’d still be about 15 million in the hole, and that’s still optimistic as it excludes any admin or other expense).
So, can it be done? That depends. If Mozillans didn’t want to take any pay cuts at all, then they’d need to get serious about monthly recurring revenue to make that happen. Firefox averages 150 million MAU (monthly active users). Taking the Wikimedia Foundation’s “if every user donated X this year” approach, that comes out to at least two dollars per user each year to get revenue of 300 million, which would cover Program expenses at least. Aiming for three dollars would give them 450 million annual revenue. A few different ways to hit that 450M target:
I suspect 25 USD/month is on the upper end of what significant numbers of folks would be willing to pay for. And I’m not convinced they could find 1.5 million monthly customers to do it. Meaning that whatever the shortfall was, they’d have to find elsewhere. I think they could find that shortfall in grant funding from governments, especially if said governments were genuinely interested in breaking up Alphabet’s monopoly.
Basically, I don’t think it’d be impossible. I don’t think it’d be easy either. But I definitely think it is necessary for the future of the web.
At that point, I would seriously root for open democratic governments to bank-roll that non-profit model. It would be a win-win, protecting those democracies and the common-goods internet that democracy needs to function.
There is an occasional comment or article suggesting that the EU should just fork Firefox and take over financing completely. I guess they could fine there Mozilla Foundation for gdpr breaches (e.g. with MDN) to bootstrap the first year.
Forking without their devs instead of steering its development community sounds to me like a sure disaster.
That’s what the idea essentially conveys. Take over Firefox and the devs and run it via some actual non-profit, fully funded by the EU and not by the businesses. Not saying it’s a good idea necessarily, but I often remember it.
It could also have something to do with the chaos being wrought by the new administration, causing many other worse things for people to pay attention to and creating opportunities to ratchet up unpopular things like the erosion of user rights with less blowback.
I’m not aware of ways in which my “personal information” could possibly “change hands with another party in exchange for monetary or other benefits” that I personally wouldn’t consider selling my data. I would appreciate it if Mozilla would either bring back the promise that they don’t sell my data (and then keep that promise), or explain exactly how my data “changes hands with another party in exchange for monetary or other benefits” so that I can be the judge of whether or not I consider that acceptable.
Collecting and sharing data with partners to show ads is something which I would consider to be “selling data”, FWIW.
To me, it sounds like Mozilla has realized that it’s breaking their promise to never “sell data” (in ways that its users would consider to be “selling data”) and is trying to weasel their way out of admitting that.
They also have a very low view of the intelligence of their users if they think we’ll actually believe their excuses.
Additionally, somehow Mozilla has managed to go 20-25 years without needing to update this wording, so why now?
💯 well put.
I’m not dogmatic to a fault. I will walk back my criticism if Mozilla can point to one example where “we do X and you wouldn’t describe that as selling your data but it MIGHT possibly run afoul of the CCPA’s definition of selling your data.”
I don’t think X exists. And why should I when the CCPAs definition sounds extremely clear cut to me. The onus is on Mozilla to explain to me how this is more nuanced than I realize. Just give us ONE example.
Flicking through the Firefox Privacy Notice it’s all reasonably clear… however doing ctrl-f “sponsored” “ads” “marketing” it does seem like an exercise in “how much can we monetise our users who stick with defaults while placating our power user cohort with opt-outs?”
If you use a distro-packaged build of Firefox that comes from competent packagers, this will certainly be stripped out. Unfortunately it’s not clear to me that said competent packagers exist. Debian in most cases is very good at this kind of thing, but the Debian packager for Firefox is employed by Mozilla and has a terrible track record for removing even the most egregiously unpopular shit from Firefox.
I’m curious to see what Fedora will do.
I would suspect that “having a terrible track record for removing even the most egregiously unpopular shit” is likely a direct prerequisite of Debian’s permission to use the Firefox branding.
IOWs, if stripping-out ever happens, in any distro, the result will have to be called Iceweasel.
That or LibreWolf. Either one would be a big improvement IMO.
From the new Terms of Service:
It sounds like this wouldn’t apply to distro packages, depending on what the undefined “authorized sources” are.
I think you’re parsing it the wrong way around.
It’s the terms of service. You don’t have to agree to terms of service to use (read, modify, etc.) the source code, because the source code in itself does not offer any services.
You only have to agree to the terms of service to use a binary that presumably has the API keys (that would enable the binary to communicate with the provider of the service) compiled in. Whether you need to agree to these terms to use a given binary probably depends on whether it has Mozilla’s API keys compiled in.
Yes, and the would-be benevolent packager would take these there sources, which provide no services, and build his own executable code.
The question though is, did they need to accept the terms to download the sources? If the packager never needed to see the terms and didn’t agree to them, do the terms apply to this other binary?
What you’re describing would be a flagrant DFSG violation, so any packager would hopefully not package it in the first place if so.
I’d expect that the packager would have to agree to the terms of service (and, transitively, agree to bind their users to those terms) in order to get the Mozilla API keys, or something like that.
Does this new EULA conflict with the DFSG?
Edit: this doesnt apply to the source code anyway
Can you elaborate and/or provide a reference? The only identifier I could find for the packager was “Maintainers of Mozilla-related packages”:
https://qa.debian.org/developer.php?login=team%2Bpkg-mozilla%40tracker.debian.org
It would also be good to get some clarity on the channels that could be used to ensure Debian is following its principles. I know they pride themselves on some form of internal democracy.
I wish I had a better reference but all I have is https://hachyderm.io/@joeyh/113082688008129977 and recollections of other discussions I’ve had with him.
If you know of git-annex or any of his other work, you’ll know Joey Hess has been deeply involved in Debian in the past, but admittedly it’s not a super thorough source.
They also changed their FAQ.
Previous version (Feb 6):
According to https://news.ycombinator.com/item?id=43195081, that text was probably still there a couple of hours ago. Now, however, https://www.mozilla.org/en-US/privacy/faq/ (snapshot) says:
I’m guessing it’ll change again soon, the current version
does not seem to be written by a lawyer.raises the question of “how do I determine whether I’m one of the ‘most people’ who wouldn’t think of you as selling my data”, and I doubt they’ll want to answer that.On the positive side, the current version does shed some light on how people at Mozilla are thinking about it.
To editorialize a bit more, it seems to me they think that Google is likely stop funding them soon, either because they decide to or because the government forbids Google from paying for being the default search engine. This would put them between a rock and a hard place.
If this is Firefox’s best idea for how to survive such a shift, I have doubts that that “make money with ads, but try to be less bad about it than the other guys” is a viable business model, since it makes both users and advertisers unhappy. They’ll be constantly pressured to switch to a purer “make money with ads, and do anything to make advertisers who are unhappy with Google happier with Firefox” model, that also seems suspect in how viable that is.
I worry that Firefox won’t survive, the browser market becomes a Chrome-Safari duopoly, and we’ll all be poorer for it. I’m not sure what the alternative is; for example whether there’s any hope of Firefox persisting while being maintained by unpaid volunteers.
I read this more as Google expecting quid pro quo for their money.
From the snippet above:
So data is shared (maybe not new).
And it’s shared with partners that make it all viable. Since Google funds the party (afaik), it’s Google.
And the data is our data, otherwise it wouldn’t need to go through “privacy preservation”.
I don’t understand why Mozilla needs a license to do anything with my content. What is Mozilla’s role in this relationship? My computer is running a piece of software, I input some data into the software, I ask the software to send the data to servers of my choice (for example the lobste.rs servers, when I hit “Post” after typing this comment). What part of this process requires Mozilla to have a “nonexclusive, royalty-free, worldwide license” to that content? And why did they not need to have that “nonexclusive, royalty-free, worldwide license” to that content a week ago? I would get it if it only applied while using their VPN, but it’s for Firefox too?
Why do I not need to accept a similar ToS to use e.g Curl? My relationship with Curl is exactly the same as my relationship with Firefox: I enter some data into it (via a GUI in Firefox’s case, via command-line arguments in Curl’s case), Curl/Firefox makes a request towards the servers I asked it to with the data I entered, Curl/Firefox shows me whatever the server returned. Is it Mozilla’s view that Curl is somehow infringing on my intellectual property by not obtaining a license to the data I provide?
Basically, they are trying to have some service to sell. Go to
about:preferences#privacyand scroll down to “Firefox Data Collection and Use” and every section below there is about data that Firefox collects and sends to Mozilla so they can do something nominally-useful with it. In my version there’s also “Sync” and “More From Mozilla” tabs, which are even more of the same.Someone at Mozilla has decided that the fact you don’t want to buy the services is irrelevant, they’ll just sell all that juicy data produced as a side-effect to whoever wants it. More than they already were, anyway.
Maybe they only mean inputs into Firefox itself and not the sites that you visit with Firefox. Things like Pocket, the add-on store, the password manager, and the “report broken site” form. I’m sure they could make this clearer if it’s the case, but I’m personally willing to lean towards this.
If that’s the case, it’s seriously impressive to be 2 “clarifications” in after the original announcement and still not have made that part clear. Anything that’s left unclear at this point is surely being left unclear intentionally.
Ha. I wish I’d thought of that question.
Arguably you do have to agree to something to use curl, but it’s very minimal and certainly supports your point. Here is curl’s licence (which is not one of the standard ones), from https://curl.se/docs/copyright.html :
I found the Privacy Notice rather clear. It lists several distinct uses of data, and clarifies which usage uses which sorts of data. (In particular, the data I’m most worried about is “Content”, the stuff I type into Firefox; but most usages discussed in the Privacy Notice restrict their data and do not include my Content.)
They also seem to be careful about which data remains on the device and which is shared with their servers, for example being explicit about some (opt-in) AI features being implemented with a small language model that runs locally is a nice touch.
This privacy notice gives me the impression that the Firefox people still mean well – these terms of use do not look like a secret plot to siphon all my content away, store them in their servers, for vague model-training purposes that they haven’t completely thought about yet.
For me, the problem is this statement
So unless I have a diff bot watching this notice for changes, at any moment Mozilla can gain additional privileges relative to my data, and I’ll be none the wiser. It’s a rather large escape hatch for them.
Typical companies offering online services write to their users when terms of service change, and I would expect Mozilla to do the same if it changes its privacy notice. You may be assuming that Firefox is acting in bad faith, or is likely to act in bad faith in the future. I’m personally still willing to believe that Mozilla would not outright lie or try to trick us with this – the fact that this Privacy Notice is generally reasonable and displays a care for details that I think are important (such as whether the data is processed locally or on their serves) tends to support my assessment that they are trying to do things right.
It is of course entirely possible that Mozilla becomes adversarial at some later point in the future (I have disagreed with some of their decisions in the past), but I have the impression that the amount of risk that I am tolerating is okay, by still using their product until I learn in the news that they sneakily changed their Privacy Notice to do something bad .
Your position is very reasonable.
I’m not of the opinion that Mozilla is acting in bad faith. My concern is that their terms and privacy notice now give them considerable latitude to do so at any time in the future. In other words, I have no faith in institutions remaining “good” or neutral. Google once believed in “don’t be evil”, and Mozilla once believed in user autonomy and privacy. I believe in the fact that buyouts happen, leadership changes, and values shift over time. And these changes are perhaps an indication of the latter.
In short, my feeling is that these terms open the door to malicious action made legal by their breadth and malleability. And I think where you and I differ is our estimation of that risk.
Time will tell :)
[edit]
I wasn’t aware of this leadership change when I wrote the above comment: https://blog.mozilla.org/en/mozilla/mozilla-leadership-growth-planning-updates/
Why would they give themselves the right to transgress your expectations, if they didn’t want to maintain the possibility of doing just that?
I went back to the Privacy Notice and it says, in the Changes section:
This sounds reasonable to me.
We probably differ in opinion here too.
I can’t recall a notification of terms/policy change that has enumerated actual changes. I just had a look through my mail archive at messages matching “updated our” (there were a lot of matches).
None of them list what the material changes are, and simply link to the new policy document. The ones that make a feeble attempt at enumerating the changes make vague statements like “made more readable”, “explanations of data we collect”. Which, to be fair to your argument, is what you want to know – that a change has been made.
If these notices came with a diff, I’d be satisfied.
Credit to winkelmann on HN for calling this out first.
The acceptable use policy, bullet points replaced with a numbered list for discussion purposes
Since the only thing the acceptable use policy does is restrict services, and it explicitly applies to your use of Firefox, I conclude that Firefox must be contained in the word “service”. I also note that the terms include
Which would tend to reject any interpretation of the above callout of the acceptable use policy which has it only apply to certain services you use within it.
That is messed up. I feel strongly about ‘freedom zero’ of free software – that is The freedom to run the program as you wish, for any purpose. It seems we’re backsliding on the very fundamentals.
In that same vein, I’m absolutely baffled and exasperated by software licenses feeling the need to try and make me agree to not use their software to break the law.
First of all, I’m with you: software freedom zero is that I can use the program however I wish. Fuck off with telling me how I may or may not use the program.
Second: Breaking the law is already… against the law. Who thinks that someone would fire up a piece of software with the intent of breaking the law, but then decide against it because of a license agreement? I’m willing to break the law and have actual consequences, but I’m not willing to break a license agreement where the worst case is that the vendor might somehow disable access to their stupid program? I’m so tired of living in a world that is so unserious.
Third: I know this is a “cover your ass” thing, but that’s not good enough for me. Here in the U.S., people shoot and kill each other, yet gun manufacturers aren’t on the hook for the crimes. And I’m pretty sure you don’t have to sign a license agreement to purchase a gun or ammunition wherein you promise not to break the law with it. Alcohol companies aren’t liable for someone getting drunk and killing someone with their car. Neither is the car manufacturer. The idea that a fucking web browser feels the need to “protect itself” from being liable when a user breaks the law is a joke.
I feel like I’m taking crazy pills.
Separating out discussion of the exact terms into a self reply since it feels like a comment that should be voted on separately.
This is a shockingly restrictive policy. For some examples:
Bullet point 8 prohibits using firefox to sell, purchase, or advertise controlled products or services. You cannot use firefox to legally acquire life saving medication. Entirely law abiding drug manufacturers cannot use firefox to sell or advertise their products.
Bullet point 9 forbids graphic depictions of violence in all manners - uploading, downloading, transmiting, displaying, or granting access. You can’t use firefox for making, publishing, or even just consuming journalism on police brutality, war, etc.
Bullet point’s 9 restriction on graphic violence and sexuality also forbids using firefox to watch most PG or higher movies, browse many social media sites, etc.
Bullet point 2 forbids sending unsolicited communications, you can’t do cold outreach to people using firefox.
Bullet point 2 forbids intercepting or monitoring communications not intended for you, you can’t do security research using firefox, something as simple as investigating how your bed is spying on you would require intercepting communications not intended for you.
Bullet point 4 prohibits deception. You can’t play many common games using firefox.
Bullet point 10 is a super-charged version of the GDPR. If you collect personal information without consent, even if you have a legitimate use for it that would satisfy every privacy law in the world, you may not use firefox to do that.
Every bullet point here except 1, 5, 12, and 13 is basically Mozilla trying to step in and define their own version of what is acceptable to say, do, and promote that is highly restrictive, offensive to the principles of free speech, and contains none of the nuance that even the most authoritarian dictatorships would recognize is necessary in regulating conduct.
I take no significant issue with bullet point 1 because it seems unlikely that breaking this contract is in any way worse than breaking the actual law, and bullet points 5, 12, and 13 because they appear to be strict subsets of what is already forbidden under number 1.
It does contain some jurisdiction smuggling, even if it is unlikely to be a practical issue: if «applicable law» is on the books, but is either in the process of being inevitably struck down in court, or is explicitly condemned by your current place of residence, are you still violating the contract?
Update: They’ve removed the portion of the terms that incorporated this acceptable use policy :)
Though it’s frustrating to see them pretend this is because people misunderstood the terms and not admit it’s because they messed up the drafting of them.
https://github.com/mozilla/bedrock/commit/d459addab846d8144b61939b7f4310eb80c5470e#diff-a24e74e4595fa85440a2f4e7e5dcfe68aba6e1e593aef05a2d35581a91423847L65
Feels like this should be higher up.
For those that didn’t click, it’s the commit removing the answer to the question “Does Firefox sell your personal data?”
Damn. You found the receipt.
Did they just accidentally make it against ToS to look at porn in firefox?
From the ToS:
From the Acceptable use Policy:
“You may not use any of Mozilla’s services to [..] download [or] display [..] graphic depictions of sexuality”
The question hinges on if the firefox browser is a service. They just published a terms of service, and the framework of “continued usage is passive consent for future ToS updates” definitely comes from the services world.
(From the ToS)
Obviously IANAL and those are not legal arguments 🤷
What if there were a browser that you have to pay $20/month to use. For that expenditure, the browser legally guarantees to
It could still be open-source. But I trust a product more when I know up front how it’s monetized and what the incentive structure is for the developer(s).
Then millions of people around the world would not be able to afford it.
Yes, but that could still be a profitable business model. Hey.com isn’t free, but it’s thriving.
Yeah but the people left on the outside of the profitable business model still matter, and deserve to have options that don’t exploit them. It’s part of the solution, but it can’t be the whole solution
I wonder if or how this impacts derivatives like Zen?
Last I checked, Zen was mostly patches applied on top of Firefox — presumably these “features” could also be patched out. And since it is being built from source it should not be violation of their ToS.
And this is one of the many reasons why it’s important to have a diverse set of viable and capable implementations for any standard. And standards that are not so convoluted as to make that nigh-impossible.
Another clarifying statement from Mozilla
https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/
The new language is: “You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content.”
I understand the need for such a license for eg. operating a web service that I upload data to, but not for a browser running on my machine when it’s interacting with things that have nothing to do with Mozilla.
Is it a coincidence that this stuff happens exactly at the same time as Chrome disabling ad blockers?
Can you share a reference for this?
Good question. My personal experience is that I just opened Chrome earlier today and it told me that uBlock Origin isn’t supported anymore so it got disabled. As I was thinking to myself that the time has come to jump ship to Firefox finally, I’ve run into this post. Here are some news articles all from today, mentioning this.
Oh, it’s this again.
So, look. Every single internet-connected thing that involves anything that could even be considered user-generated content, and has lawyers, sooner or later inserts a clause into its terms saying you grant them a royalty-free, non-exclusive, non-revocable (etc. etc.) license to copy and distribute things you, the user, input into it.
This is like the most standard boilerplate-y clause there is for user-generated content. It’s a basic cover-your-ass to prevent someone suing you for copyright violation because, say, they just found out that when you type something in the built-in search box it makes a copy (Illegal! I’ll sue!) and transmits the copy (Illegal! I’ll sue!) to a third party.
But about every six months someone notices once of these clauses, misinterprets it, and runs around panicking and screaming OH MY GOD THEY CLAIM COPYRIGHT OVER EVERYTHING EVERYONE DOES WHY WOULD THEY NEED THAT PANIC PANIC PANIC PANIC PANIC OUTRAGE OUTRAGE PANIC.
And then it sweeps through the internet with huge highly-upvoted threads full of angry comments from people who have absolutely no clue what the terms actually mean but who know from the tone of discussion that they’re supposed to be outraged about it.
After a few days it blows over, but then about six months later someone notices once of these clauses, misinterprets it, and runs around panicking and screaming OH MY GOD THEY CLAIM COPYRIGHT OVER EVERYTHING EVERYONE DOES WHY WOULD THEY NEED THAT PANIC PANIC PANIC PANIC PANIC OUTRAGE OUTRAGE PANIC.
And then…
@pushcx this should not be allowed on lobste.rs. It’s 100% outrage-mob baiting.
Saying that everyone else does it does not make it okay. Are there court cases or articles describing the limits you say are implicit?
If you are as right as you think you are, then you could be educating instead of complaining to moderators.
That’s the point. GDPR has not been that well tested in court. As long as it hasn’t, people will stick to legal boilerplate to make it as broad as possible. This is why all terms of services look like copypasta.
Putting words in my mouth doesn’t make a counterargument.
What do you think is not OK about this boilerplate CYA clause? Computers by their nature promiscuously copy data. Online systems copy and transmit it. The legal world has settled on clauses like this as an alternative to popping up a request for license every time you type into an online form or upload a file, because even if nobody ever actually would sue they don’t want to trust to that and want an assurance that if someone sues that person will lose, quickly. They’ve settled on this because copy/pasting a standard clause to minimize risk is a win from their perspective.
Why is this evil and bad and wrong from your perspective? Provide evidence.
The system we currently have may be structured in a way which makes clauses like this necessary or expedient in order to do business, but the validity of such a clause for that reason doesn’t excuse the system that created it.
But Firefox isn’t a web service. It’s a program that runs on my computer and sends data to websites I choose to visit. Those websites may need such legal language for user generated content, but why does Mozilla need a license to copy anything I type into Firefox?
This. I’ve chatted with a few lawyers in the space and this is literally the first time we’re seeing that interpretation to apply to a local program you choose to run that is your agent.
Firefox integrates with things that are not purely your “local agent”, including online services and things not owned by Mozilla. And before you decide this means some sort of sinister data-stealing data-selling privacy violation, go back and look at my original example.
So clearly rejecting their TOS should just toggle off all of those services, right?
None of these are activities falling under copyright, so a license is meaningless.
The list of data subprocessors is short and well documented: https://support.mozilla.org/en-US/kb/firefox-subprocessor-list
So it also can’t be an issue of “let’s be blanket because we can’t give you the list”.
The Python Package Index has almost exactly the same clause in its terms of service for things you voluntarily choose to send to them.
I guess their legal advisers are just bad or something. Maybe you could go see about getting hired to replace them.
When you upload something to the python package index you do so because you intend for the python package index to create copies of it and distribute it, which needs a license.
When you make a comment on pull request for work you don’t intend for Mozilla to have anything to do with that. You don’t intend for Mozilla to receive your post. Nor to have any special rights to view it, distribute it, make copies of it, etc. They do not need a license because they shouldn’t be seeing it. Moreover you don’t even necessarily have the right to grant them said rights - someone else might own the copyright to the material you are legitimately working with.
These scenarios are not even remotely similar.
If you use their integrated search which might send things you type to a third party, Mozilla needs your permission to do that.
If you use their Pocket service which can offer recommendations of articles you might like, Mozilla needs your permission to analyze things you’ve done, which may require things like making copies of data.
If you use their VPN service you’re passing a lot of stuff through their servers to be transmitted onward.
There’s a ton of stuff Mozilla does that could potentially be affected by copyright issues with user-generated/user-submitted content. So they have the standard boilerplate “you let us do the things with that content that are necessary to support the features you’re using” CYA clause.
More specifically, their recommendations are at odds with the interests of users.
The question for random people reading these clauses is what does that mean? Legalese can be hard for lawyers to understand. It’s much harder for mere mortals.
I think everyone is OK with Firefox (the browser) processing text which you enter it into. This processing includes uploading the text to web sites (which you ask it to, when you ask it to), etc.
What is much more concerning for the average user is believing that the “ royalty-free, non-exclusive, non-revocable (etc. etc.) license” is unrestricted.
Let’s say I write the worlds most beautiful poem, and then submit it to an online poem contest via FireFox. Will Mozilla then go “ha ha! Firefox made a copy, and uploaded it to the Mozilla servers. We’re publishing our own book of your work, without paying you royalties. And oh, by the way, you also used Firefox to upload intimate pictures of you and your spouse to a web site, so we’re going to publish those, too!”
The average person doesn’t know. Reading the legalese doesn’t help them, because legalese is written in legalese (an English-adjacent language which isn’t colloquial English). Legalese exists because lawsuits live and die based on minutiae such as the Oxford Comma. So for Mozillas protection, they need it, but these needs are in conflict with the users need to understand the notices.
The Mozilla blog doesn’t help, because the italicized text at the top says: It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice
OK, what does the Privacy Notice say?
(your) …data stays on your device and is not sent to Mozilla’s servers unless it says otherwise in this Notice
Which doesn’t help. So now the average person has to read pages of legal gobbledygook. And buried in it is the helpful
Identifying, investigating and addressing potential fraudulent activities,
Which is a huge loophole. “We don’t know what’s potentially fraudulent, so we just take all of the data you give to FireFox, upload to our US-based servers, and give the DoJ / FBI access to it all without a warrant”. A lawyer could make a convincing and possibly winning argument that such use-cases are covered.
The psychological reason for being upset is that they are confused by complicated things which affect them personally, which they don’t understand, and which they have no control over. You can’t address that panic by telling them “don’t panic”.
Could you explain why the concern is necessarily born of confusion rather than accurate understanding?
I didn’t say the concern is necessarily born of confusion. I said that the concern was because they didn’t understand the issues.
you said the reason for being upset is that they are confused. sorry if I was changing your meaning by adding “necessarily.” why do you say the concern is because of confusion or lack of understanding? what understanding would alleviate the concerns?
I don’t see a lot of difference between confusion and lack of understanding. Their upset is because the subject affects them, and they’re confused about it / don’t understand it, and they have no control over it.
This is entirely normal and expected. Simply being confused isn’t enough.
What would alleviate the concerns is to address all three issues, either singly, or jointly. If people don’t use Firefox, then it doesn’t affect them, and they’re not upset. If they understand what’s going on and make informed decisions, then they’re not upset. And then if they can make informed decisions, they have control over the situation, and they’re not upset.
The solution is a clear message from Mozilla. However, for reasons I noted above, Mozilla has to write their policies in legalese, when then makes it extremely difficult for anyone to understand them.
but who does “they” refer to? are you saying this describes people in general who are concerned about the policy, or are you just supposing that there must be someone somewhere for whom it is true?
what about people who have an accurate layman’s understanding of what the policy means, and are nonetheless concerned?
The actual reason for them being upset is that someone told them to be afraid of the supposedly scary thing and told them a pack of lies about what the supposedly scary thing meant.
I propose to deal with that at the source: cut off the outrage-baiting posts that start the whole sordid cycle. Having a thread full of panicked lies at the top of the front page is bad and can be prevented.
And if you really want to comfort the frightened people and resolve their confusion, you should be talking to them, shouldn’t you? The fact that your pushback is against the person debunking the fearmongering says a lot.
i.e. you completely ignored my long and reasoned explanation as to why people are upset.
Alternatively, you could look at the comment above in https://lobste.rs/s/de2ab1/firefox_adds_terms_use#c_yws3nv, which explains clearly just how nefarious and far-reaching the new policy is.
I haven’t seen you debunk anything. In order to “debunk” my argument, you would have to address it. Instead, you simply re-stated your position.
I explained why your position wasn’t convincing. If you’re not going to address those arguments, I don’t need to respond to your “debunking”.
At best that comment points out that a consolidated TOS for Mozilla “services” is confusingly being linked for the browser itself. Nothing has been proven in the slightest about it being “nefarious”, and the fact that you just assert malicious intent as the default assumption is deeply problematic.
So your position is completely unconvincing and I feel no need to address it any further.
But you’re not debunking the fear mongering. You’re conspicuously ignoring any comment that explains why the concern is valid. Don’t hapless readers deserve your protection from such disinformation?
You’re largely describing boilerplate for web services, where the expectation is that users input content, and a service uses that content to provide service.
Firefox is a user agent, where the expectation is that users input content and the agent passes that content through to the intended service or resource.
You can call this boilerplate if you like, but it certainly gives Mozilla unambiguous rights relative to what you put into it.
This really does beg the question: Firefox is 20 years old. Why did they only feel the need to add this extremely standard boilerplate-y clause now?
Their lawyers won the debate this time.
why though?
what exactly does that mean? Were they already actively doing this, and the lawyers “won” by updating the TOS to cover that behavior? Or did the lawyers “win” because they were pushing for a business decision to change Firefox’s data gathering activities?
Please, If you could reflect for a moment on your own comment that you have written could you determine if comes off as outraged?
I am incredibly tired of this sort of thing sparking ignorant outrage on a regular basis. It should not be permitted on this site.
There’s a “hide” button just for you. You can be the ninth lobster to click it!
This post is
Many much more mild examples have been removed on this site without hesitation. This one has to be, too, if the site rules mean anything.
I disagree. I think this is actionable, relevant, and very on-topic. I’d even argue about that with you here, except that you in particular have a very solid history of bad-faith arguing, and I have better things to do.
Anyway, so far 84 of us have upvoted it, vs 7 “off-topic” flags and 8 hides, for a ratio of about 5:1, if we care about user opinions. Your paternalism isn’t a good look. Just hide it, flag it, and move on!
I will note that we have both a
privacytag andlawtag, which are explicit carveouts for this sort of content.Now, whether or not we should retire those or not is a bigger question.
We already know the site rules don’t mean anything. The same rules are regularly violated for Apple marketing presentations.
What would a post that is not meant to whip up outrage look like? Presumably the blog author did their best to write such a post.
I wouldn’t say that the site rules don’t mean anything–I would say that many users and even admins have disregarded them for political expediency.
The long-term effects of this, of course, are deleterious…but that doesn’t matter when gosh darnit, the outgroup is wrong right now.
In the case of Apple, there’s a weird sort of thing where a
releasetag covers what is technically marketing. They also are both a large software and hardware vendor and, like it or not, have a large userbase. I’m not saying we should see a constant dripfeed of Apple propaganda, but it isn’t entirely without precedent.Of course. I adopted the parent comment’s hyperbole to avoid getting bogged down in minutia. But there’s nothing wrong with more clarity and precision.
then don’t express the ignorant outrage?
I’m really surprised to see anyone pay even the slightest of attention to this on Lobsters. It’s something my granddad would post to Facebook (example)
Such an ad-hominem argument is something my grandma would post on Instagram.
It’s not an ad hominem. I’m not attacking anyone instead of their argument.
took me half an hour to remove the stupid logo in new tabs. Thanks https://connect.mozilla.org/t5/discussions/disable-permanently-new-tab-layout/m-p/85943
horrible.
This is so outrageous! But kinda expected:)