  2. 28

    This article isn’t quite at the level of “zomg dihydrogen monoxide is LETHAL” alarmism, but it’s getting close. On one hand, it’s good to have a third-party review of Firefox’s privacy tradeoffs, but jumping up and down yelling “SPYWARE” doesn’t help educate anyone, it just feeds people’s sense of entitlement and injury.

    For example, the very first example of “spyware” on the list is that Firefox requests http://detectportal.firefox.com/success.txt at startup. If you’ve ever visited an airport, a coffee shop, or a mall with “free wifi” that automatically redirects you to a sign-in page where you can provide your email address in exchange for an hour of Internet access, you know what this is about: if you turn off this protection, then the next time you open your browser in such an environment, all your open tabs will be redirected to the sign-in page, and your browser state is ruined. Alternatively, if most of the websites you use are HTTPS, the situation’s worse: when you open your browser, websites will mysteriously fail to load with no indication why. And so, at startup Firefox makes an unencrypted request for a file with known, specific content, and if the response contains anything else, Firefox knows it’s behind a portal and needs to present the login page before it tries to restore any other state.

    So yeah, there’s a bunch of tradeoffs here:

    • do nothing
      • pro: privacy friendly!
      • con: terrible experience in a common environment
    • always make a portal-baiting request
      • pro: excellent experience, comparable to competing products
      • con: very slight privacy leak
    • make request by default, allow it to be disabled
      • pro: excellent experience by default, super-privacy-conscious people can still get what they want
      • con: very slight privacy leak by default

    I think Firefox has definitely made the right choice here, but I appreciate opinions may differ. On the other hand, just putting this behaviour under the heading “Phoning home” (as the OP article does) without any context doesn’t help anyone make an informed decision about this tradeoff.
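The probe-and-compare mechanism described above, as an added example of my own (not Firefox's code): the probe URL is the one from the comment; the expected body content, the hypothetical gateway host and the three-way classification are my assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

PROBE_URL = "http://detectportal.firefox.com/success.txt"  # from the comment above
EXPECTED_BODY = b"success\n"  # assumption: the file's known, fixed content


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]
    body: bytes


def parse_http_response(raw: bytes) -> HttpResponse:
    """Parse a raw HTTP/1.x response into status, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return HttpResponse(status, headers, body)


def classify_probe(resp: Optional[HttpResponse]) -> str:
    """Classify the reply to the deliberately unencrypted probe.

    'online'  - the known body came back untouched, so restoring tabs is safe
    'portal'  - a redirect or an altered body: something on the path rewrote it
    'unknown' - no reply at all (timeout, DNS failure): assume nothing either way
    """
    if resp is None:
        return "unknown"
    if 300 <= resp.status < 400 and "location" in resp.headers:
        return "portal"
    if resp.status == 200 and resp.body == EXPECTED_BODY:
        return "online"
    # Any other content means the reply was substituted, which is what a
    # captive portal does to every plaintext request until you sign in.
    return "portal"


# Constructed sample replies (not real captures); the gateway host is a placeholder.
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         b"Content-Length: 8\r\n\r\nsuccess\n")
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://gateway.invalid/login\r\n\r\n")
REWRITTEN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>Welcome, please sign in</body></html>")


def probe_results() -> Dict[str, str]:
    """Run the three sample replies plus the no-answer case through the classifier."""
    return {
        "clean": classify_probe(parse_http_response(CLEAN)),
        "redirect": classify_probe(parse_http_response(REDIRECT)),
        "rewritten": classify_probe(parse_http_response(REWRITTEN)),
        "no_reply": classify_probe(None),
    }


if __name__ == "__main__":
    for name, verdict in probe_results().items():
        print(f"{name:10s} -> {verdict}")
```

The probe has to be plain HTTP precisely so that a portal can answer it; over HTTPS the interception would surface only as the certificate errors the comment mentions.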

    1. 6

      A fourth option might be to only make that request whenever a HTTPS certificate is failing. That way in the normal case where the user is logged into the portal or not using a portal-enabled Internet they won’t be calling out to Mozilla as often.

      But yeah, it’s difficult to be privacy-sensitive. It’s more work. Asking Firefox to be better than Chrome while doing more work and flying blind by not collecting any stats… doesn’t seem to be the best option here.

      1. 1

        Perhaps, but ensuring that the certificate used doesn’t expire and ruin everything sounds hard…

      2. 2

        if you turn off this protection, then the next time you open your browser in such an environment, all your open tabs will be redirected to the sign-in page, and your browser state is ruined.

        is this really what happens? i would expect only the active tab to load, which would be subject to the redirect. i wouldn’t call this a “terrible experience.”

        firefox could also ask users whether they want telemetry enabled the first time firefox starts up, like what VLC does. how would you feel about this option?

        1. 1

          firefox could also ask users whether they want telemetry enabled the first time firefox starts up, like what VLC does.

          nitpick: from my memory, this option is just for fetching media metadata from the internet, not for telemetry.

          1. 2

            what do you mean by telemetry and how do you know VLC’s use doesn’t constitute telemetry?

            to me, telemetry means automatic requests to Internet servers. am i using the term wrong?

            1. 1

              Good point. I’ve mainly heard the term telemetry used in conjunction with analytics and tracking, but I guess it’s not limited to those.

              1. 1

                it’s also fair to expect that any requests will be tracked and analyzed, even if their primary purpose is to fetch media metadata

          2. 1

            i would expect only the active tab to load, which would be subject to the redirect. i wouldn’t call this a “terrible experience.”

            These days browsers are smarter about lazily restoring tabs at startup, but they’ll still load the active tab in each window, plus however many pinned tabs the user has.

            Besides, data loss is data loss. Even if it’s just one tab of hundreds, it can still be a terrible experience for someone.

            firefox could also ask users whether they want telemetry enabled the first time firefox starts up, like what VLC does.

            I just booted up Firefox 66.0.1 (the latest stable version) with a fresh profile, and the two default tabs it opens are an advertisement for Firefox Sync, and the Firefox Privacy Notice, which is a huge list of all the various kinds of information Firefox may (deliberately or otherwise) collect, and why. Under the very first heading, “Improve performance and stability for users everywhere”, there’s an “opt-out” link which takes you to a support article about opting in or out, and a big “Choose how you want to share this data in Firefox” button which takes you directly to the “Firefox Data Collection and Use” section of the preferences where you can turn things off (including “Studies”).

            So Firefox does provide detailed information about telemetry, including how to turn it off, on first startup. It doesn’t provide a simple “telemetry yes/no” banner, because people have learned to click those away subconsciously, and if there’s one thing people like even less than things happening without their consent, it’s when they feel tricked into giving consent.

            1. 1

              Besides, data loss is data loss. Even if it’s just one tab of hundreds, it can still be a terrible experience for someone.

              i must confess i don’t know exactly what properties people expect out of tab restoration. what data is lost? the URL of the tab that gets redirected? would this be available in the history?

              So Firefox does provide detailed information about telemetry, including how to turn it off, on first startup. It doesn’t provide a simple “telemetry yes/no” banner, because people have learned to click those away subconsciously, and if there’s one thing people like even less than things happening without their consent, it’s when they feel tricked into giving consent.

              how is what firefox currently does better? haven’t people learned to subconsciously close the ads and privacy notice tabs which are open by default? aren’t they already being tricked into giving consent? you think people would be more mad if they were given a telemetry yes/no banner at first startup?

              1. 1

                what data is lost?

                The URL, the page scroll position, form field content… imagine getting five paragraphs into a comment on a site like Lobsters, letting your browser restart to apply a security update, and suddenly your comment is lost to the ether. Sure, maybe people shouldn’t expect that to work 100% reliably, but it does work 95% reliably, which makes the last 5% all the more frustrating.

                you think people would be more mad if they were given a telemetry yes/no banner at first startup?

                Yes, I do.

                If somebody says to me “here’s what I’m going to do”, and then I ignore what they say, and then later I decide I didn’t want them doing that, that’s fundamentally my fault.

If somebody says to me “to-let-me-do-the-thing-say-what” and I blink and say “what?” and they say “thanks!” and run off, I’m going to be annoyed, regardless of what they wanted to do. If it turns out to be something I didn’t want, I’m going to be doubly annoyed if they use my “opt-in” as an excuse, since the fact that they tricked me is already evidence that they knew I wouldn’t have said yes if I knew what was going on.

                People hate twenty-page small-print “terms and conditions” documents because they obscure what they’re asking you to agree to, and a “telemetry yes/no” banner would similarly obscure what it wants you to agree to. The Firefox Privacy Notice page really is a great example for how to present a complex set of ideas to a non-expert audience, and really I think that’s as much as anyone could expect Mozilla to do. You can’t force people to form an educated opinion, you can only make education as accessible as possible, and treat the people who blindly trust you anyway with dignity and respect.

                1. 1

                  The URL, the page scroll position, form field content… imagine getting five paragraphs into a comment on a site like Lobsters, letting your browser restart to apply a security update, and suddenly your comment is lost to the ether. Sure, maybe people shouldn’t expect that to work 100% reliably, but it does work 95% reliably, which makes the last 5% all the more frustrating.

                  i wouldn’t want to rely on it if it only works 95% of the time even with the telemetry preventing data loss due to captive portals. but i think this point is exhausted.

                  you think people would be more mad if they were given a telemetry yes/no banner at first startup?

                  Yes, I do.

                  If somebody says to me “here’s what I’m going to do”, and then I ignore what they say, and then later I decide I didn’t want them doing that, that’s fundamentally my fault.

If somebody says to me “to-let-me-do-the-thing-say-what” and I blink and say “what?” and they say “thanks!” and run off, I’m going to be annoyed, regardless of what they wanted to do. If it turns out to be something I didn’t want, I’m going to be doubly annoyed if they use my “opt-in” as an excuse, since the fact that they tricked me is already evidence that they knew I wouldn’t have said yes if I knew what was going on.

                  i don’t follow your analogy. VLC asks users “do you want to allow telemetry,” they select yes or no, then the program runs based on their preference. are either of your scenarios analogous to that?

                  People hate twenty-page small-print “terms and conditions” documents because they obscure what they’re asking you to agree to, and a “telemetry yes/no” banner would similarly obscure what it wants you to agree to.

                  a sentence takes less time to read and understand than twenty small-print pages. what exactly is obscure about “do you want to allow telemetry for these purposes?” followed by a bulleted list and a yes/no button?

                  The Firefox Privacy Notice page really is a great example for how to present a complex set of ideas to a non-expert audience, and really I think that’s as much as anyone could expect Mozilla to do. You can’t force people to form an educated opinion, you can only make education as accessible as possible, and treat the people who blindly trust you anyway with dignity and respect.

                  the privacy notice page is longer than the VLC notice and you have to read it and dig through documentation in order to disable telemetry. this is not obscure?

                  why can’t we expect mozilla to show us a telemetry yes/no button whenever they implement new telemetry?

                  1. 1

                    I guess my basic argument is:

                    • if Alice wants to do something on Bob’s behalf, and she can obtain Bob’s informed consent first, she should do so
                    • if Alice can’t obtain Bob’s informed consent (because Bob can’t be contacted, because Bob is too busy to listen to a properly detailed explanation, or for some other reason) and Alice is say 90% sure that it’s in Bob’s interest, it’s OK to go ahead as long as she describes what she’s doing somewhere Bob can find it, and she’s willing to stop if Bob does express an opinion later
                    • if Alice can’t obtain Bob’s informed consent, it’s not OK to ask an oversimplified version of the question and treat the answer as consent, since the consent would not be fully informed
                    • it’s also not OK to ask a super-detailed over-complexified version of the question, since we know most people won’t read it, and the consent would still not be fully informed

                    VLC’s startup notice falls into the first category - VLC is not too complex, the privacy risks are easy to explain, and so it’s reasonable to present the question directly at first startup.

                    Firefox falls into the second category. Firefox is very complex, and its privacy risks are intricate and involve multiple parties. They can’t be easily summarised in a sentence or two, so Firefox just makes the information as accessible as possible without actively getting in people’s way, and does its best.

                    The third category is your hypothetical version of Firefox that asks for telemetry consent at first startup. I claim it’s not possible to describe Firefox’s privacy risks more clearly and concisely than the Privacy Notice page already does, so any shorter summary would be misleading and the answer would not ethically count as permission.

                    The fourth category is every “I have read and understood the terms and conditions” checkbox, or a hypothetical version of Firefox that pointed people to the Privacy Notice and demanded people read it before giving consent. You can’t force people to read and understand things, so that would still not ethically count as permission.

                    As for asking permission about each new kind of telemetry individually, that might be OK, if each kind can be described concisely enough. You couldn’t ask too many questions in a row without fatiguing people, though, and there might be features whose risks are wildly different depending on what other features they’ve consented to. Overall, I suspect it might be problematic for engineering reasons even if it was ethically fine.

                    1. 1

                      if Alice can’t obtain Bob’s informed consent (because Bob can’t be contacted, because Bob is too busy to listen to a properly detailed explanation, or for some other reason) and Alice is say 90% sure that it’s in Bob’s interest, it’s OK to go ahead as long as she describes what she’s doing somewhere Bob can find it, and she’s willing to stop if Bob does express an opinion later

                      how can i express to firefox that i want no automatic requests to remote servers?

                      is firefox willing to stop?

                      i can go to the privacy notice page, click the “Improve performance and stability for users everywhere,” follow the links to the privacy preferences page, and uncheck the boxes under “firefox data collection and use.”

but that’s not enough, as explained in the original post. there are many other ways firefox sends automatic requests which can tell a remote server about your browsing. they can’t be disabled through the GUI. even if i set things in about:config or a custom user.js file, firefox will add more telemetry features which are buried in a privacy notice page and require digging to figure out how to disable. you really think this is the best we can ask for?

                      1. 1

Firefox is a user agent, a tool for automatically turning a high-level user goal (“show me the front page of https://lobste.rs”) into a collection of requests to remote servers. If somebody really wants absolutely zero automatic requests to remote servers (no images, no css, no following HTTP redirects), then their expectations are so far from the normal definition of “web browser” that they’d probably be happier with a completely different product.

                        Specifically for telemetry, my understanding is that occasionally Mozilla will add some new measurement that they’re interested in (for example, some statistic about a newly-added feature) but the existing “disable telemetry” option in the GUI is a master switch - if it’s disabled, it disables newly-added measurements too.

                        If by “telemetry” you include the various other miscellaneous connections described/slandered in the original article, then yes, sometimes Mozilla does add enabled-by-default features that involve automating requests to remote servers. However, historically Mozilla have worked very hard on minimising the privacy risk of such features (the Safe Browsing feature in particular I think is quite elegant), and I personally trust them to make responsible decisions in future. If they ever mess up, I’m sure it’ll be all over Lobsters and HN.

                        No software is infinitely configurable, if you really need to prevent a piece of software from doing something, don’t run it.

                        1. 1

Firefox is a user agent, a tool for automatically turning a high-level user goal (“show me the front page of https://lobste.rs”) into a collection of requests to remote servers. If somebody really wants absolutely zero automatic requests to remote servers (no images, no css, no following HTTP redirects), then their expectations are so far from the normal definition of “web browser” that they’d probably be happier with a completely different product.

                          i think you understand the distinction between requests made in order to display a web page requested by the user, and requests made without any action or without being necessary to display a page.

                          If by “telemetry” you include the various other miscellaneous connections described/slandered in the original article, then yes, sometimes Mozilla does add enabled-by-default features that involve automating requests to remote servers.

                          presumably you don’t include these in your definition of “telemetry.” what substantive difference is there?

                          1. 1

                            The distinction between requests necessary to display a page and requests unnecessary to display a page may be blurry. For example, portal detection is sometimes necessary to display a requested page, and the only way for Firefox to know for sure is to send the request. So is it necessary or not?

                            Strictly speaking, “telemetry” means “measurement at a distance”. A feature designed to automatically send local measurements to a remote system is telemetry; a feature that’s not automatic or only accidentally sends local measurements isn’t really telemetry. It might possibly be abused, but these non-telemetry signals should be designed to minimise their usefulness as telemetry.

                            For example, your ISP could use portal-detection pings to infer that you use Firefox; but they could also read your user-agent from any unencrypted HTTP request you make, so that’s not a big deal. Mozilla could use it to infer that one of your ISP’s customers uses Firefox, but it’s a much less reliable signal than things like update checks or actual telemetry. Mozilla could use the timing of the ping to infer when your ISP’s customers commonly use Firefox, but they could nearly as reliably determine that by looking at the timezone your ISP’s head office is in.

                            1. 1

                              The distinction between requests necessary to display a page and requests unnecessary to display a page may be blurry. For example, portal detection is sometimes necessary to display a requested page, and the only way for Firefox to know for sure is to send the request. So is it necessary or not?

                              it’s never necessary. it may give clues that a page cannot be reached, but it doesn’t help you reach the page.

                              Strictly speaking, “telemetry” means “measurement at a distance”. A feature designed to automatically send local measurements to a remote system is telemetry; a feature that’s not automatic or only accidentally sends local measurements isn’t really telemetry. It might possibly be abused, but these non-telemetry signals should be designed to minimise their usefulness as telemetry.

                              so firefox’s “disable telemetry” option disables features which are explicitly designed for measurement, but does not disable other features where telemetry is a side effect.

                              should users have control over the telemetry that happens as a side effect?

                              1. 1

                                Literally any network traffic at all, explicitly requested or otherwise, can be tracked and collated to provide information about the participants. Even the absence of network traffic can be a privacy leak - if there’s only one person on a given subnet that has disabled Firefox’s portal detection, a request that’s not preceded by a portal-detection request almost certainly comes from that person.

                                Given that a web-browser has to make some number of network requests to perform its function, I think it’s reasonable for the browser to make any number of extra requests, as long as the extra requests take negligible total extra time, use negligible total extra battery, and add negligible total extra privacy risk. Adding a new request might increase privacy risk (if it’s related to some identifying information) or reduce it (if it makes my network traffic look more like everybody else’s).

                                I think it’s reasonable for Mozilla to offer users control over what Mozilla does with their data (and they do, which is good); I think it’s unreasonable for Mozilla to offer users control over what third parties (ISPs, governments, engineers with Wireshark) do with users’ data, since Mozilla can’t enforce or even reliably influence that.

                                1. 1

                                  I think it’s reasonable for the browser to make any number of extra requests, as long as the extra requests take negligible total extra time, use negligible total extra battery, and add negligible total extra privacy risk.

                                  so to clarify, you think mozilla should decide on behalf of users what is a negligible privacy risk? they shouldn’t have control over the telemetry that happens as a side effect of other features?

                                  1. 1

                                    Not screwtape, but yes.

                                    If I wanted to spend my limited time and energy making those decisions, I could do so fairly easily, since the source and build scripts are all available for free.

Mozilla provides me with the option of making my own decisions, and also supplies a prebuilt binary that frees me from having to make them myself.

                                    I choose the prebuilt binary that makes those decisions for me.

                                    1. 1

                                      it’s easy for you to understand and modify firefox code?

                                      1. 1

                                        In the scheme of things, sure. The codebase is large and unfamiliar, but grep will get you pretty far.

                                    2. 1

                                      I’m not saying users shouldn’t have control, I’m saying they don’t have control. I, as a user, have no idea who might be passively observing my network connection, or what patterns of traffic they might be looking for or ignoring. There is no combination of Firefox configuration options I could enable or disable that would guarantee a lower privacy risk than I currently have, even if there were options for every byte of every header of every possible request.

                                      If there was a master “absolutely no non-essential network requests” toggle, it would have to carry the label “this may increase or decrease your privacy risk, or increase the risk from some sources while decreasing it from others, or have no practical effect”. That’s not giving users control over their privacy, it’s a dice-roll.

                                      The answer to “which changes in this new version of Firefox have possible privacy implications” is always “all of them”. The answer to “which changes are relevant to my privacy” is always “that depends on your individual needs”. If a user doesn’t trust Mozilla’s general-purpose defaults, and doesn’t want the responsibility of figuring out which available options are relevant to their personal concerns, what can Mozilla possibly do for that user?

                                      1. 1

                                        If a user doesn’t trust Mozilla’s general-purpose defaults, and doesn’t want the responsibility of figuring out which available options are relevant to their personal concerns, what can Mozilla possibly do for that user?

                                        a non-essential network requests yes/no button would do

3. 5

            Phoning Home

            See @Screwtape’s answer.

            Google Analytics

            The Google Analytics thing seems to be misrepresented. The article states

            Firefox has been integrated with the spyware platform called “Google Analytics”[1]. Firefox has been confirmed to now send analytics to Google. According to a Firefox developer the spyware in Firefox is “extremely useful to us and we have already weighed the cost/benefit of using tracking.” and that Firefox will not remove Google Analytics support entirely.

            This implies that Google Analytics is built in to Firefox (the browser). That would be somewhat surprising. However, the direct quote from Mozilla that the article uses as a source is as follows:

            “Wanted to address your position though: We don’t give the “data directly to Google”. See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=858839. The short version is: tl;dr: We now have an option to opt-out of Google doing anything with the data that Google Analytics collections on Mozilla websites. GA tracking is anonymous and at the aggregate level and we use it to improve the experience of our websites.

            So, according to Mozilla, yes Google Analytics is being used. But it’s not built into the browser, rather, it’s built into the websites that Mozilla runs (*.mozilla.org). That’s a very different thing.

            Safe Browsing

            The safe browsing stuff basically checks your websites against known malicious domains. I think I read that at least Google Chrome (Chromium) uses a bloom filter, which Firefox might also do. This means that it doesn’t need to look up every single domain (which would be too slow). Instead it can check locally, and when it thinks the domain is malicious (the bloom filter doesn’t give it an exact confirmation, just a probabilistic one) it verifies with the server. This can be turned off easily, just go to Preferences > Privacy and Security > Untick Block dangerous and deceptive content.

Yes, this is a slight privacy issue. Although I think the checks use hash sums so that Google doesn’t actually know which domain you’re checking. On the other hand, this protects a lot of users that are less tech-savvy. Also, anyone can find out which domains you’re browsing on because DNS traffic is not encrypted (although Mozilla is working on that) and even when you use HTTPS, the domain name is still sent over in clear text, this is called SNI and is necessary for the server to present the right certificate.

            Anti-privacy search engines by default

Google is the default search engine. Which makes sense, because Google is probably the best search engine (unless you’re looking for porn, apparently?), it is the most widely used one, and Google is paying Mozilla to have it as default. However, you can change it easily by going to Preferences -> Search -> Default Search Engine and selecting something else, like DuckDuckGo, which comes preconfigured.
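The local-check-then-verify flow and the “hash sums” point from the Safe Browsing paragraph, as an added example using a simplified model of my own (not Mozilla’s or Google’s code). It goes a little beyond the comment by showing which host and parent-domain expressions get looked up and recording exactly what the remote side learns per query; PREFIX_LEN, the blocklist entries and the example.com/example.net hosts are constructed assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: short hash prefixes are held locally, full hashes on the server


def lookup_expressions(url: str) -> List[str]:
    """Host/path combinations to test for one URL: the exact host with its path,
    the host root, and the same pair for each parent domain down to two labels."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    exprs: List[str] = []
    for h in hosts:
        exprs.append(h + path)
        if path != "/":
            exprs.append(h + "/")
    return exprs


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


def prefix(expr: str) -> bytes:
    return full_hash(expr)[:PREFIX_LEN]


class BlocklistServer:
    """The remote side: holds full hashes and records what each query reveals."""

    def __init__(self, bad_expressions: Iterable[str]):
        self.full_hashes: Set[bytes] = {full_hash(e) for e in bad_expressions}
        self.prefixes_seen: List[Set[bytes]] = []  # one entry per round trip

    def local_list(self) -> Set[bytes]:
        """The prefix list a client downloads in bulk, unrelated to any browsing."""
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def find_full_hashes(self, prefixes: Set[bytes]) -> Set[bytes]:
        self.prefixes_seen.append(set(prefixes))
        return {h for h in self.full_hashes if h[:PREFIX_LEN] in prefixes}


def is_unsafe(url: str, local_prefixes: Set[bytes], server: BlocklistServer) -> bool:
    """Probabilistic local check first; only a prefix hit causes a round trip,
    and only prefixes (never the URL or a full hash of it) leave the machine."""
    hits = [e for e in lookup_expressions(url) if prefix(e) in local_prefixes]
    if not hits:
        return False  # the common case: decided locally, nothing sent
    fulls = server.find_full_hashes({prefix(e) for e in hits})
    return any(full_hash(e) in fulls for e in hits)


# Constructed blocklist; these hosts are placeholders, not real indicators.
BAD_EXPRESSIONS = ["evil.example.com/", "example.net/"]
URLS = [
    "http://evil.example.com/bad/page",  # blocked host, deeper path
    "http://good.example.com/",          # sibling of a blocked host
    "https://lobste.rs/",                # unrelated site
    "http://sub.example.net/x",          # child of a blocked parent domain
]


def demo() -> Tuple[Dict[str, bool], List[Set[bytes]]]:
    """Verdict per URL, plus the prefix sets the server saw along the way."""
    server = BlocklistServer(BAD_EXPRESSIONS)
    local = server.local_list()
    verdicts = {u: is_unsafe(u, local, server) for u in URLS}
    return verdicts, server.prefixes_seen


if __name__ == "__main__":
    verdicts, seen = demo()
    for u, v in verdicts.items():
        print(f"{'UNSAFE' if v else 'ok    '} {u}")
    print("server saw:", [[p.hex() for p in q] for q in seen])
```

Whether a 4-byte prefix identifies one site or many is exactly the question the replies below argue about; the model only shows that the URL itself is never transmitted.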

            1. 1

              Although I think the checks use hash sums so that Google doesn’t actually know which domain you’re checking.

              presumably those hash sums are unique for a given domain.

              1. 1

                It’s documented here. Kinda hard to look this stuff up without having unique hash sums.

                1. 1

                  so google would know which domain you’re checking

            2. 3

              Uh, oh, didn’t know :/ and Google Analytics? :(

              1. 3

                I think these efforts are valuable, because I believe users should be able to disable these features if they want to.

                1. 3

                  Most of these are already documented by Mozilla themselves: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

                2. 2

                  As most of the reported things have “mitigations”, as the author stated, he is right about one thing. Using the default new tab page does randomly make requests to sites previously visited. This is wrong in many ways. My uneducated guess is that it caches the images/content/title of the most visited pages.

                  I’ve managed to disable that by unchecking everything under the Firefox Home Content section of the Options page. I also make sure that my new tab page is always a blank page. This fixes the “random requests”.

                  For ultra-paranoid mode, I go in about:config and search for mozilla.org and delete all values which match a URL like the following https://input.mozilla.org/%LOCALE%/feedback/%APP%/%VERSION%/. I don’t do this under normal circumstances, but have played with it in the past, just to make sure that the browser doesn’t “phone home” in any circumstances.