
Studying how Firefox can collect additional data in a privacy-preserving way - GrayShade
https://groups.google.com/forum/#!topic/mozilla.governance/81gMQeMEL0w
======
kannanvijayan
I can do a quick summary of what's being proposed and why. I work in the JS
team at Mozilla and deal directly with the problems caused by insufficient
data. Please note that I'm speaking for myself here, and not on behalf of
Mozilla as a whole.

Tracking down regressions, crashes, and perf issues without good telemetry
about how often it's happening and in what context. Issues that might have
otherwise taken a few days to resolve with good info, become multi-week
efforts at reproduction-of-the-issue with little information.

It simply boils down to the fact that we can't build a better browser without
good information on how it's behaving in the wild.

That's the pain point anyway. Mozilla's general mission, however, makes it
very difficult to collect detailed data - user privacy is paramount. So we
have two major issues that conflict: the need to get better information about
how the product is serving users, and the need for users to be secure in their
browsing habits.

We also know from history that benevolent intent is not that significant.
Organizations change, and intents change, and data that's collected now with
good intent can be used with bad intent in the future. So we need to be
careful about whatever compromise we choose, to ensure that a change of intent
in the future doesn't compromise our original guarantees to the user.

This is a proposed compromise that is being floated. Don't collect URLs, but
only top-level+1 domains (e.g. images.google.com), and associate information
with that. That lets us know broadly what sites we are seeing problems on,
hopefully without compromising the user's privacy too much. Also, the
information associated with the site is performance data: the time spent by
the longest garbage-collection, paint janks.

This is a difficult compromise to make, which is why I assume it took so long
for Mozilla to come around to proposing this. These public outreaches are
almost always the last stage of a lengthy internal discussion on whether
proposals fit within our mission or not.

I'm not directly involved in this proposal, but I personally think it's
necessary, and strikes a reasonable balance between the privacy-for-users and
actionable-information-for-developers requirements.

~~~
stewbrew
> Tracking down regressions, crashes, and perf issues without good telemetry
> about how often it's happening and in what context.

If that's what you're aiming at. Collect the data but keep it local. Install
some sort of responsiveness/"problem" monitoring. Ask the user to send data
relevant to the problem if a problem occurs. IMHO there is no need to
systematically collect user data for that.

Or get the data from a random sample of users. You don't need data from
everyone.

~~~
Vinnl
> Or get the data from a random sample of users. You don't need data from
> everyone.

To my amateur ear, that actually sounds like a good compromise to lessen the
blow somewhat more. You should suggest it to Mozilla :)

~~~
mintplant
That's what's proposed here. I guess no one actually read the post...?

~~~
dsp1234
There is no mention that once validated, that the RAPPOR-based metrics when
fully deployed would be taken from a random population. Only that the initial
study of the system will be done to a random population.

FTA:

 _"What we plan to do now is run an opt-out SHIELD study [6] to validate our
implementation of RAPPOR. This study will collect the value for users’ home
page (eTLD+1) for a randomly selected group of our release population. We are
hoping to launch this in mid-September."_

Notably:

"this study will collect ... for a randomly selected group"

[6] -
[https://wiki.mozilla.org/Firefox/Shield/Shield_Studies](https://wiki.mozilla.org/Firefox/Shield/Shield_Studies)

------
Vinnl
Note: "planning" means "reaching out for feedback about".

Also interesting: the method they plan on using for anonymising this:
[https://en.wikipedia.org/wiki/Differential_privacy#Principle...](https://en.wikipedia.org/wiki/Differential_privacy#Principle_and_illustration)

If that is not sufficiently anonymous, then please submit the reasoning why to
Mozilla.

~~~
clarkevans
I think the burden here is backwards? URLs may contain Protected Health and
other Identifying Information. If this data leaks SSL and could be sent to a
3rd party, then it makes Firefox an unsuitable client for a great many
applications.

EDIT: OK. It's boolean flags (like use of flash) plus an eTLD+1 (example.org;
not myname.example.org?). Even so, I believe this tracking should be opt-in
with a disclosure screen that explains exactly what Mozilla is recording.
Informed consent is a practice we should be promoting, even if it seems
unnecessary.

~~~
chimeracoder
> URLs may contain Protected Health and other Identifying Information

A URL must not contain PHI. If it does, a breach has already occurred.

And Firefox is only collecting the domain names, it looks like.

~~~
p49k
What do you mean, a URL must not contain PHI? You can't prevent a non-tech
minded person from submitting questions about their health to any text field
linked to a form with a GET method.

I'd argue that domains are the same- there are tons of domains that clearly
indicate what they're about (e.g. stop-drinking.example)

~~~
chimeracoder
> What do you mean, a URL must not contain PHI? You can't prevent a non-tech
> minded person from submitting questions about their health to any text field
> linked to a form with a GET method.

You can't, but that can't be part of Mozilla's threat model, and it's not
relevant here anyway because _Mozilla isn't collecting it_.

And even if they were, that's not considered PHI legally. You are free to type
any information about your own health that you want anywhere; that doesn't
make it legally PHI, unless you are providing it to a Covered Entity.

> I'd argue that domains are the same- there are tons of domains that clearly
> indicate what they're about (e.g. stop-drinking.example)

This information is not legally considered PHI. As for privacy, SNI means that
all domains you visit are already visible in transit, even if you are using
SSL. Domain names are not considered private.

~~~
Flammy
> This information is not legally considered PHI.

Do you have any sources that go into more detail?

When I've worked on PII in analytics, even TLDs were treated carefully.
(obviously not the same from a legal perspective...)

~~~
chimeracoder
> Do you have any sources that go into more detail? When I've worked on PII in
> analytics...

PHI is an incredibly well-defined term legally and is not equivalent to PII.
Some things that constitute PHI actually _wouldn't_ qualify as PII.

There are a lot of resources that explain HIPAA in great detail; if you want
to know the specifics like here, you have to read the bill and the case law
itself.

------
frankmcsherry
As someone familiar with differential privacy, and (somewhat less) with
privacy generally, here are some suggestions for Mozilla:

1\. Run an opt-out SHIELD study to answer the question: "how many people can
find an 'opt-out' button?". That's all. You launch this at people with as much
notice as you would plan on doing for RAPPOR, and see if you get a 100%
response rate. If you do not, then 100% - whatever you get are going to be
collateral damage should you launch DP as opt-out, and you need to own up to
saying "well !@#$ them".

2\. Implement RAPPOR and then do it OPT-IN. Run three levels of telemetry: (i)
default: none, (ii) opt-in: RAPPOR, (iii) opt-in: full reports. Make people
want to contribute, rather than trying to yank what they (quite clearly) feel
is theirs to keep. Explain how their contribution helps, and that opting-in
could be a great non-financial way to contribute. If you give a shit about
privacy, work the carrot rather than the stick.

3\. Name some technical experts you have consulted. Like, on anything about
DP. The tweet stream your intern sent out had several historical and technical
errors, and it would scare the shit out of me if they were the one doing this.

4\. Name the lifetime epsilon you are considering. If it is 0.1, put in plain
language that failing to opt out could disadvantage anyone by 10% on any
future transaction in their life.

I think the better experiment that is going on here is the trial run of "we
would like to take advantage of privacy tech, but we don't know how". I think
there are a lot of people who might like to help you on that (not me), and I
hope you have learned about how to do it better.

------
embik
This is ridiculous. I use and recommend Firefox for pure ideological reasons,
because frankly, Chrome/Chromium is miles ahead of them.

If they start opt-out tracking using the same approach as Google I do not see
any reason to use it nor install it for my friends and family. _That's_ some
data for you, Mozilla.

~~~
binarymax
Your stance is paradoxical, because Chrome has been improved based on data
mined from users, and not in as nearly a considerate way as Mozilla is
proposing.

You want Firefox to succeed as a browser, but to be able to better compete it
needs better usage data.

Wouldn't you prefer for Firefox to be the best browser available, AND also be
considerate towards your privacy rights?

~~~
dagenleg
Company A does bad thing which benefits them massively, allowing them to have
a better product. Some people dislike that approach and flock to company B
which promises not to do the bad thing. Now company B starts doing the same
thing 'for better good' but promises to 'keep it moderate'.

At this point why would anyone stay with the company B which broke its promise
once, just in the hope that it won't break the promise again? It has already
lost the trustworthiness and it also has the worse product. Might as well use
products from company A.

~~~
eridius
This is specious reasoning. Company B is not doing "the same thing" at all.
Company B is collecting data, but not only is it far more limited (e.g.
collecting domains instead of URLs), it's done in a way that protects privacy.
You can't just throw up your hands and say "well, they're collecting some
data, therefore we may as well just throw away all privacy protections and use
the browser by the company whose business model is based on collecting all the
personal information they possibly can".

Privacy is not a boolean.

~~~
kuschku
Opt-Out vs Opt-In is a question of consent. Do you value your own benefits
more than my own right to determine my own life?

If yes (and that’s what you get when you choose opt-out), then we’re done.
There is no gradual change there, it’s a binary question if you value the user
or your own benefit more.

~~~
eridius
The world is not black & white. If Firefox starts collecting a small amount of
data in a privacy-sensitive manner and makes it opt-out, that does not at all
make it equivalent to e.g. Google collecting all the user data it can.

~~~
kuschku
But it means they have an equal value system: Convenience being always more
important than Privacy.

And that’s strictly incompatible with mine.

~~~
eridius
Except that's not true. Firefox collecting a small amount of data in a
privacy-aware manner does not mean "convenience being always more important
than privacy", not by a long shot. I don't understand why you're insisting on
such an absolute black & white viewpoint.

~~~
kuschku
Firefox being so arrogant to presume I want to collect the data by default is
a very rude thing. You don’t just assume someone wants it, and do it for them,
especially if it might hurt them.

First ask, then fuck up. Is that concept so hard to understand?

If you’d do that IRL to someone they’d never talk to you again, it’s the same
with Firefox if they do this.

~~~
eridius
Firefox collecting data in and of itself isn't at all rude, or problematic. Nobody
cares if Mozilla has "data". What they care about is if they collect data that
violates the user's privacy. The whole point of RAPPOR and differential
privacy is it's an approach to collecting data that is supposed to preserve
user privacy. So the real question is, does it preserve user privacy
sufficiently that it's ok to make something opt-out instead of opt-in? But
that's not what you're complaining about, you're just ranting because they're
collecting data, period, without actually understanding the extent to which
your privacy is being violated (if at all).

And of course this all started with you saying that you may as well switch to
another company's products, a company which you know violates your privacy
quite significantly. You still haven't explained why Firefox collecting a
small amount of data in a way that tries to minimize any privacy violations
means you should just give up any semblance of privacy and use a product that
tries to collect as much personal information as possible.

~~~
kuschku
First off, I’m a developer myself. A developer in the EU. In Germany. Working
on open source. In fact, on open source with goals to preserve privacy.

I’ve dealt with these issues before myself.

And I understand well what they collect, how, and why. I understand how
painful it is when you have no data on what is used, and how, or not even
crashreports.

But there also is a limit to how far you can go, and where consent is
required.

And when transmitting _anything_ , or collecting _anything_ , consent is
required.

You could make it dependent on situation. If a performance issue occurs, show
a bar: "Is this website slow? Click [Here] to submit a report so it can be
improved. [Details] [X] Always submit".

This gives the user a far better understanding of what is submitted, why it is
needed, it is contextual, and it is still opt-in (but with far better
conversion)

------
huhtenberg
The single largest advantage of Firefox over other browsers is that despite
all odds and occasional missteps they managed to respect users' desire for
complete privacy.

      For Firefox we want to better understand how people use our 
      product to improve their experience. 

Sure thing. But the fact that they are unhappy that some (many?) people are
opting-out from the data collection is merely a sign that they don't want to
understand why people are using Firefox in the first place. By opting out from
the data collection people effectively tell them over and over again that they
don't want for Mozilla "to understand how they use Firefox" or "to improve
their experience", not at the expense of their privacy.

No phoning home. No telemetry, no data collection. No "light" version of the
same, no "privacy-respecting" what-have-you. No means No. Nada. Zilch. Try and
shovel any of that down people's throats and the _idea_ of Firefox as a user's
browser will die.

~~~
Ajedi32
I'm not really sure what your concern is here. Let's assume for a moment that
Firefox's implementation of differential privacy in this scenario is
completely correct, and that as a result it's completely impossible (even in
an information-theoretic sense) to learn anything about any individual user
using this data; only about many users in aggregate.

In this scenario, how exactly would Firefox's actions here compromise anyone's
privacy?

~~~
joosters
Why are they not letting people decide? If it is not harming anyone's privacy,
and they make it clear that it isn't, then what is the problem with letting
people opt-in to it?

Instead, it's telling that they are choosing to force people to opt-out. They
know that their users don't want this, but don't care.

~~~
Ajedi32
Opt-in inevitably results in data being heavily biased in favor of the small
minority of users who go out of their way to opt-in. For some stuff that's
fine, but for certain types of data you really do need a broad, unbiased
sample of users in order for the data to be at all meaningful. (Usually to
answer questions like "What percentage of users use x feature?" Or "What level
of jank does the average user experience on facebook.com?")

They still _are_ planning to let people decide for themselves whether to
participate (via opt-out), they're just using a default that's more likely to
result in unbiased sample data.

Again though, what's your actual concern? Provided this feature doesn't
compromise anyone's privacy even _if_ it's enabled, what's wrong with having it
be opt-out?

~~~
joosters
I have no way of knowing how this may or may not compromise my privacy without
a deep understanding of the techniques being used. I am meant to trust Mozilla
and hope that they haven't overlooked some weakness in the algorithms used.
The obvious security choice is to not add this feature in. The 'Provided this
feature doesn't compromise anyone's privacy' is a fantasy, because no-one can
be sure of that.

~~~
Ajedi32
But that's true of _any_ new feature that gets added to Firefox. Anytime you
change code, there's a chance you could be creating a new vulnerability that
compromises users' privacy or security in some way.

If, as some commenters here [have suggested][1], this telemetry would help
improve Firefox by significantly reducing the amount of time it takes Mozilla
to fix bugs and performance issues in the browser, what makes you think that's
not worth the risk when other features (such as the performance fixes
themselves) are?

[1]:
[https://news.ycombinator.com/item?id=15072157](https://news.ycombinator.com/item?id=15072157)

~~~
joosters
It's obviously far, far more likely in code that is designed to send my
browsing habits to a 3rd party (in whatever encoding). Do you not see this, or
are you just trying to extend out these arguments to some ridiculous extreme
for the sake of it?

~~~
Ajedi32
I don't know what level of risk this implementation carries with it. Probably
more than a performance fix to the JavaScript interpreter, yes, but is it
really a significant enough risk to make this feature not worth implementing?
Maybe it is, maybe it isn't; I honestly don't know.

You just seemed to be arguing that _any_ amount of risk would be too much,
which in my view is ridiculous since, as I said, all new features carry with
them some amount of risk.

~~~
joosters
_You just seemed to be arguing that _any_ amount of risk would be too much_

Unfortunately that's exactly the kind of thing I was talking about, extending
arguments to ridiculous extremes.

I have never said _any_ amount of risk would be too much. In this particular
instance, I think the risk and the unknowns are clearly too much.

~~~
Ajedi32
> In this particular instance, I think the risk and the unknowns are clearly
> too much.

But why? I don't claim to know enough about RAPPOR to say for sure that the
risk _is_ worth it, but it seems a little presumptuous to claim it isn't
without knowing _anything_ about the project or Mozilla's proposed use of it.

That's why I assumed you were arguing that _any_ amount of risk would be too
much; you didn't include any sort of analysis of the risk/reward in your
previous comments, and without knowing the risk the only way to conclude this
feature is definitely _not_ worth it would be if you already considered the
acceptable level of risk to be zero.

------
kogepathic
_> What we plan to do now is run an opt-out SHIELD study [6] to validate our
implementation of RAPPOR._

IMHO, this is a bad idea. Many people I know already use Firefox because
they're wary of giving Google (Chrome) all their data.

Firefox should make this feature opt-in only.

~~~
yjftsjthsd-h
> Firefox should make this feature opt-in only.

I agree, but note that they are explicitly trying to get more info than they
can from the small, biased sample that is users opting in.

~~~
Fuxy
They claim it is biased but is it really biased? How do they know? I think this
is just making up excuses so they can collect more data.

They get good enough data from the people that have volunteered it. I don't
know what makes them think it's biased but I seriously doubt that is true.

~~~
Operyl
Because, usually the kind of people that’d opt in are techies/power users or
work (volunteer, or paid) for Mozilla themselves. Let’s say only 1% of your
userbase opts in to this, how is that not biased? (As it currently stands, I
believe this is a further optin in a tucked away menu).

~~~
yorwba
Then they should make the possibility to opt-in more prominent, instead of
switching to opt-out with the option tucked away in some menu where only
techies/power users will disable it.

------
cJ0th
While I do understand the allure of collecting this kind of data I find it
highly disturbing to see this from Mozilla.

I think not having perfect information about the users is a trade off that
should be made in order to stay an alternative to most other browsers. There are
still ways to get more data by other means, though. When it comes to most
visited websites, for instance, the alexa ranking should give a good, if not
perfect, idea.

------
stutonk
Just want to add a little volume to the general opinion here that collecting
user data, no matter how anonymous, is a terrible idea for a product whose
only appealing quality is that it respects its users' privacy.

Data is both highly alluring and addictive as evinced here by Mozilla
potentially willing to shoot itself in the foot to get some. What's to keep
this from becoming a frog in a boiling water kind of situation? How can I
trust that Mozilla is going to adhere to their own stated standards? The
easiest answer is that I won't have to because I can just use something else.
Personally, the only reason I use Firefox is because it's slightly less
convenient to set up a security-patched version of Chromium.

Other people in this thread have made the excellent points of the fact that
not enough people opting in to data collection is in itself a critical piece
of data. Moreover, things such as "Which top sites are users visiting?" can be
answered by looking at data from page ranking services and then they can go to
those sites on their own testing equipment to answer their other questions. A
little investment in acquiring this data by not spying and maybe getting a
wider array of testing equipment is probably less costly than the potential
for loss in market share that they're already struggling to hold.

------
dagenleg
In the end Mozilla is simply going to go through with it and there's nothing
we can do about it. Just like with the killing of the XUL plugins - the
company simply didn't care about the outcry. I mean why would they? The amount
of people that cares about stuff like 'customization' or 'privacy' is slim.

So we will toothlessly complain but then the changes will be shoved in our
throats, because obviously why would one care what the non-targeted
demographics whines about. And of course it will be framed as being 'for our
own good' and half of the people complaining will just deal with it, just like
the majority already does.

~~~
yborg
The good news is that the project remains open source. The upcoming
XULpocalypse already was set to make the existing Firefox forks permanent, so
those of us that care will be moving to one of these anyway. Presumably these
will not contain telemetry code.

------
dhimes
I generally trust Mozilla, but I really don't understand what they are going
to get out of the data. Their explanation leaves me scratching my head.
Perhaps it's simply because I don't work on browsers?

How does seeing which sites users use that need Flash drive their
decision-making? Either they support Flash, or they don't.

And- ditto for "Jank" (not sure I understand that term, frankly- why is it
capitalized?). Some developers don't optimize well- how is Mozilla going to
use this? I think they do a good job over on MDN.

I guess I'd like to be sure I understand what problem they are trying to
solve. Maybe they feel like without understanding their users they can't keep
up with Chrome. I see people talking about how good Chrome is. And I must
admit- it is sweet for me too. But that may be because (1) I don't have it
loaded up with add-ons like I do Mozilla and (2) they have optimized for
certain sites like youtube and gmail and I just can't get Firefox to work all
that well on those sites.

But I'm not convinced that they need my data to fix that.

EDIT: On the other hand, Chrome seems to lose my passwords on every upgrade so
it won't be my main browser until it fixes that little issue, which is going
on, what, 5 years now?

~~~
froydnj
(Disclaimer: I work for Mozilla.)

"Jank" is our internal term for slow, non-responsive interaction with the
browser (the capitalization of it in the original message is a little
peculiar). If you click your mouse button, and then a second or more later,
the item that you were clicking on the screen responds? That's jank. That
input form that's not keeping up with your typing? That's jank. And so on.

We can (and do) collect statistics on how much jank people are experiencing,
and we can look for ways to improve those statistics, but knowing what
particular sites (not complete URLs, just eTLD+1 sites) jank occurs on is much
more actionable. Browser developers can go visit particular sites to
experience and analyze the jank for themselves, or we can see what janky sites
are particularly popular in a given region and focus our efforts on improving
those sites--either by doing things more efficiently in the browser, or
reaching out to the site developers and asking them to consider changing
things to make their site work better in Firefox. (Complete URLs would be even
more actionable, but we don't want to collect your complete browser history.)

The argument for Flash is similar: we can get aggregate usage numbers for
Flash, and perhaps see how that correlates to jankiness (or crashiness, or
what have you), but having some information on what sites are using Flash
makes the data even more actionable, for similar reasons as those given above.

~~~
SubiculumCode
Spending resources optimizing Firefox for how sites implement their JS seems
over the top. The heaviest sites tend to be the most mainstream anyway, imo,
and those are easy to pick out.

I am a Mozilla supporter for more than a decade, but this is the wrong move.

------
damnfine
I say it over and over. You can not completely anonymize data with any
reliability. Please note the qualifier, many systems work for many vectors,
but any sufficiently large dataset can be used to graph habits and correlate
them. Maybe there is a safe way, but I put the onus of proving it on the
person implementing it.

~~~
digitalzombie
> You can not completely anonymize data with any reliability.

Well... there's actually a field for that. I forgot what they call that field
because of how niche it is but my friend at google is doing just that.

He said there are math theorems to prove that it's sufficiently anonymized.

He gave an example of how Netflix competition with the data they gave
researchers were able to deanonymize it. And his job was to prevent that at
google.

I can see why if you're trying to sell users data while maintaining privacy.

~~~
kuschku
Mozilla currently uses Google Analytics for tracking, with "IP Anonymization"
enabled.

Which, according to Google’s FAQ,
[https://support.google.com/analytics/answer/2763052?hl=en](https://support.google.com/analytics/answer/2763052?hl=en),
just blanks out the last byte of the IP.

Which is useless, because it still includes enough personalized data as to be
completely and utterly reversible.

~~~
veeti
Google Analytics has nothing to do with this. As clearly linked in the mailing
list, you can read the paper and source code for the client-side differential
privacy tech used.

~~~
kuschku
Then check out
[https://github.com/mozilla/addons-frontend/issues/2785](https://github.com/mozilla/addons-frontend/issues/2785)

------
js8
I liked Firefox for years. I have lived through years of shenanigans such as
broken extensions, forgetting what tabs I had open because Firefox
accidentally closed without restoring them, moving icons and menus around for
no reason, and recently, an update on my Ubuntu that broke scrolling of pages
(with PgUp/PgDown). And now this..

I am starting to think that they just don't want people to use Firefox.

Yeah, I know it's free software, so I have no right to complain. I just wonder
why?

~~~
tunap
Where governments and corporations are concerned, the "why" condenses down to
two simple answers: commercialization(profit) or weaponization(control)... it
is easily conceivable that both will result over time. I hope Tor & EFF start
giving more love to Pale Moon & its ilk, but that may just be mitigating the
inevitable death by 1000 cuts to privacy.

------
bugmen0t
The linked paper to RAPPOR is really, really noteworthy here.

In essence, Firefox will ask itself whether it visited website X and flip a
coin and if it's heads, it will _lie to the server_ and send a random boolean.
If it's tails, it will not. This way there is no way for anyone (including
Mozilla) to know whether you actually visited the website. But the statistics
will work out such that the collective data from everyone will give a good
representation of all users. I find this a neat technology to collect data in
a privacy-preserving way. And there's an opt-out (opt-in won't work because it
creates bias and provides messy results).

I really, honestly don't understand why people are so upset.
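
The coin-flip scheme described in the comment above, as an added example that is not part of the original comment and is not Mozilla's or RAPPOR's code. It models one yes/no answer per user (full RAPPOR layers Bloom filters and a memoized first randomization stage on top of this), and all function names and sample parameters are made up for illustration.

```python
import math
import random

LIE_PROB = 0.5  # chance the coin lands heads and the client sends a random bit


def report(truth, rng, f=LIE_PROB):
    """Client side: with probability f send a random boolean, otherwise the truth."""
    if rng.random() < f:
        return rng.random() < 0.5
    return truth


def estimate_rate(reports, f=LIE_PROB):
    """Server side: invert E[observed] = (1 - f) * p + f / 2 to recover p."""
    observed = sum(reports) / len(reports)
    return min(1.0, max(0.0, (observed - f / 2) / (1 - f)))


def epsilon(f=LIE_PROB):
    """Per-report privacy loss: log ratio of P(yes | visited) to P(yes | not visited)."""
    return math.log((1 - f / 2) / (f / 2))


def posterior_visited(prior, reported, f=LIE_PROB):
    """What an observer of ONE report can infer about one user (Bayes' rule)."""
    like_visited = (1 - f / 2) if reported else f / 2
    like_not = f / 2 if reported else (1 - f / 2)
    return prior * like_visited / (prior * like_visited + (1 - prior) * like_not)


def posterior_after_repeats(prior, k, f=LIE_PROB):
    """Belief after k independently re-randomized 'yes' reports of the same fact.

    Each fresh report multiplies the odds again, so privacy loss accumulates.
    """
    belief = prior
    for _ in range(k):
        belief = posterior_visited(belief, True, f)
    return belief


def simulate(n_users, true_rate, seed=1):
    """Constructed population: returns (actual fraction, server-side estimate)."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n_users)]
    reports = [report(t, rng) for t in truths]
    return sum(truths) / n_users, estimate_rate(reports)


if __name__ == "__main__":
    actual, estimated = simulate(200_000, 0.10)
    print(f"actual rate {actual:.4f}, estimated from noisy reports {estimated:.4f}")
    print(f"per-report epsilon = {epsilon():.3f} (ln 3)")
    print(f"belief after one 'yes', prior 10%: {posterior_visited(0.10, True):.3f}")
    print(f"belief after five fresh 'yes' reports: {posterior_after_repeats(0.10, 5):.3f}")
```

A single report moves an observer's belief by a bounded factor, while repeated fresh randomizations of the same answer compound, which is the cumulative ("lifetime") epsilon question raised elsewhere in the thread.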

------
norea-armozel
I'm not sure why Mozilla needs to track what sites I'm going to but if they
add tracking into their browser then I'm just going to have to find another
browser or at least put together a build of Firefox without the tracking. It's
not so much that I have anything to hide but the fact that I'm not interested
in being their product. If they can't remember that they're a nonprofit that's
supposed to make a FOSS-based browser which doesn't spy on people and works
well with web standards then they just need to shut down. I know that's extreme
but I'm just frustrated with the further corporatization of the Internet even
on the margins like Firefox. Everything just has to be a product or a way to
commodify the use thereof.

------
unethical_ban
I am ashamed of the general "sky is falling" tone in this thread. I'm a
privacy advocate. I know I'm not a fan of submitting my browser history (even
domain-only) to another organization. Mozilla has always been the most
privacy- and user-focused browser, and I think that history should be taken
into consideration before the sky falls.

People are insulting the developers, saying Chinese owned, VPN-operating Opera
would be better for privacy... there is a lot of nonsense here.

IMO this is not the most needed feature, and I would be happy for Firefox to
keep in mind its reputation as a product focused on user privacy.

------
yjftsjthsd-h
This might not be so bad as I expected from the title, but implementation
details will really matter. If, for instance, they collect exact homepage
URLs, they cannot make it anonymous (some sites include usernames as URL
components).

~~~
DangerousPie
They are only considering collecting "eTLD+1, e.g. facebook.com or
google.co.uk" so this should almost certainly not be an issue.

~~~
icebraining
My homepage is my self-hosted reader, at rss.<myname>.com :)

~~~
DiThi
They should ensure statistics are submitted per domain, in a way nobody can
know the users of <my_name>.com are also using <kinky_site>.com

------
yakult
1\. Any data collection at all deanonymizes the user, cf panopticlick.

2\. Frankly even opt-out is not acceptable. I can't recommend any software
that periodically asks users for data access, since there exist non-technical
users who have a nonzero chance of clicking yes to everything. If they are
related to me in some way this compromises my privacy also.

~~~
sp332
_1\. Any data collection at all deanonymizes the user, cf panopticlick._

This isn't true. Panopticlick collects a ton of data about your browser that
this proposal will not. There has been a lot of research done in this area and
we know how to collect anonymous datasets.
[https://arxiv.org/abs/1407.6981](https://arxiv.org/abs/1407.6981)

~~~
yakult
Look at it from a security-conscious user's perspective: I would have to
verify that:

1. The concept is sound.
2. It is implemented as described.
3. It is implemented with no bugs.
4. Mozilla is trustworthy
5. Any third-parties Mozilla involves in this process are also trustworthy.
6. All of the above will remain true.

Doing this would take a tremendous amount of both time and expertise, if even
possible. If every piece of software I use makes me do this every year or so,
I would get nothing else done.

In practical terms, your argument is no better than just saying, 'trust us,
we're good for it', regardless of the merits of your tech. And we know Mozilla
baked Google Analytics into FF's addon page, so trust is in short supply.

~~~
NabenHarb
Except if you actually read and understood the link, points #1, 4, 5 aren't a
concern. Moreover, points #2, 3, and 6 apply to just about every piece of
software used.

~~~
yakult
What percentage of FF users on the planet do you expect could read a paper on
differential privacy and actually verify those points, while understanding all
the ifs and gotchas, and be able to tell if any of the arguments are wrong?
What percentage of that elite group would actually be willing to devote the
time and energy, for free, for every one of the thousands of softwares they
use?

~~~
NabenHarb
Not many, certainly. Which is perhaps why it's better for this to be
implemented (since differential privacy is a known, rigorous definition for
privacy), rather than to leave it up to the larger majority of users who (by
your implication) don't understand it and won't be bothered to understand it.

------
darrmit
I still use Firefox specifically because of Chrome's privacy concerns and was
under the impression after dropping FirefoxOS Mozilla was headed in the right
direction.

It seems they've convinced themselves that the only way to improve the product
is to collect data on their users, rather than continuing to push the idea of
privacy - which, in my opinion, if marketed correctly, could win over a lot of
users. The browser is still fundamentally awesome.

This seems like the kind of thing they could push through their TestPilot
program and just market it, rather than pushing it to everyone by default. But
I imagine they want to push it to everyone specifically so they can take
advantage of those who are ignorant to the ability to opt-out.

~~~
sp332
It seems your premise is wrong since Firefox's market share has been steadily
declining for years. Privacy apparently doesn't matter to that many people.

~~~
izacus
I'm sure losing the only advantage over technically superior Chrome is going
to help their market share!

~~~
sp332
Losing a major technical disadvantage will probably help.

------
Multicomp
Yeah, if you could keep your hands off from collecting my data without my
consent, that would be great.

Otherwise I might as well just use Chrome. Hopefully some PR guy will pour
some water on this before it turns into a dumpster fire.

------
codedokode
I don't really understand why it is necessary? Cannot they just take top 100
sites from a rating like Alexa? And if they want to evaluate the performance,
they could buy a cheap Celeron or Atom-based laptop with Windows and browse
those top 100 sites. I am sure that this will give more information than any
statistics.

------
chinathrow
"One recurring ask from the Firefox product teams is the ability to collect
more sensitive data, like top sites users visit and how features perform on
specific sites."

I would say that is none of the browser vendor's business.

Please stay away with your opt-out stuff - it bothers me. Make it opt-in,
always and forever.

~~~
jasonkostempski
Even opt-in is a problem. There's no way to be 100% sure the checkbox in the
UI is and always will be respected. It may be something as innocent as a logic
whoopsie or something as nefarious as intentionally and quietly changing it to
opt-out during an update. A better option, keep the data sharing code out of
Firefox; opt-in to log locally; if the user decides they want to share
something with Mozilla, give them instructions on how to email or upload the
files.

------
suby
I've been using Firefox as my only browser for at least 12 years. If they go
through with this, I'll switch to something else. I don't know how they could
think that this is acceptable.

~~~
drtillberg
I think Mozilla's boldness in stating the plan to systematically leak user
information, is a tipping point. Will increase usage of Opera, Midori,
Chromium. As for Tor integration with Firefox, that really is a shame, I hope
Tor integrates with something else.

~~~
Yoric
It's not "stating the plan", it's calling for feedback. If you disagree,
provide feedback :)

~~~
GhotiFish
People universally stated their feedback about pocket and it's still there.

Why participate in a no-op?

~~~
sp332
Because the Pocket feedback I remember was about privacy concerns, and those
were addressed.

~~~
CaptSpify
> those were addressed.

source? I never saw anything addressed other than "don't worry about it, it's
for your own good"

~~~
sp332
The code in the browser is a stub. No data gets collected let alone sent
anywhere until the user adds a Pocket account. Pocket updated their privacy
policy, and they open-sourced the browser integration code.
[https://venturebeat.com/2015/06/09/mozilla-responds-to-firefox-user-backlash-over-pocket-integration/](https://venturebeat.com/2015/06/09/mozilla-responds-to-firefox-user-backlash-over-pocket-integration/)

~~~
CaptSpify
But based on the article, it wasn't addressed until users raised a stink about
it. And it wasn't just privacy, it was also closed-source, unnecessary
features that should be an addon, etc.

~~~
sp332
Why would it be addressed before anyone complained? And it was planned as part
of the Readability feature, which is very popular and not considered
"unnecessary". But FF devs were having a hard time making a good read-it-later
UI and decided to use Pocket instead of reinventing the wheel.

Edit: To be clear, I think the browser code was always a stub, and the privacy
policy was modified before the feature launched as part of Firefox.

~~~
CaptSpify
My concern is that Mozilla has been on a "Sure, you can provide feedback, but
we're gonna do it anyway" streak. Pocket is quite unnecessary, and would be a
great candidate for an add-on. I don't know their reasons for bringing it in,
but it seems pretty cut and dry that there were a lot of users who didn't want
it even after it was cleaned up, and Mozilla ignored them.

~~~
sp332
I think you're probably just underestimating how popular it is. Tagging
activity tripled from 2012 to 2017. They had 10 million monthly active users
in February when Firefox bought them.

~~~
CaptSpify
Does Mozilla look at any of the other top add-ons and implement them natively
in the browser? Why was Pocket so special?

~~~
sp332
[http://www.planet-libre.org/?post_id=18514](http://www.planet-libre.org/?post_id=18514)

[https://groups.google.com/d/msg/firefox-dev/B3jJq_kUuIQ/32zvEupOGGMJ](https://groups.google.com/d/msg/firefox-dev/B3jJq_kUuIQ/32zvEupOGGMJ)

[https://www.reddit.com/r/firefox/comments/388ryl/pocket_and_...](https://www.reddit.com/r/firefox/comments/388ryl/pocket_and_hello_look_like_ways_to_get_sponsors/crtlabs/)

This is the best I can do not being involved and two years after the fact.

------
syshum
And the trend towards being a Google Chrome Clone continues...

First it was killing customization.

Now they are killing Privacy.

Why should I use this browser again?

------
yuhong
Worth mentioning is that they are using
[https://github.com/google/rappor](https://github.com/google/rappor)

------
throw2016
Why is Firefox hellbent in reducing any advantage it has over Chrome and
becoming an unnecessary clone.

Who runs Mozilla, do they understand why anyone would choose Firefox over
Chrome?

Maybe it's time to put a spotlight on the management and decision making
structures of increasingly important open source projects like Firefox to
ensure they are being run in the public interest.

~~~
Mystrl
Because firefox as it is now is slowly dying. It looks like data collection is
such a huge advantage that anyone not doing it is doomed in the long term.

------
reacweb
Do not do that. Privacy respect is the most important differentiating point of
firefox.

~~~
criddell
I wonder how valuable the data is going to be for the Firefox team? The cost
in reputation may be large, so I'm guessing this must be pretty important for
them.

------
Raphmedia
> "Which top sites are users visiting?"

Could someone explain to me how this information is useful to a browser
vendor? It's not as if they are optimizing on a site by site basis.

~~~
jasonkostempski
They want to sell user data, plain and simple. "Improve user experience" is
the standard excuse. Basically they're saying we want to collect a bunch of
information we already know people don't want us collecting, so we want to
make it opt-out and we'll pinky-swear it will be kept anonymous. There's no
way for them to send data to their servers truly anonymously; there's no way
for them to guarantee everyone who has access to the data before it's
anonymized will not do something they're not supposed to. They're asking us to
move away from not having to trust anyone to trusting them by default.

I'm sure you already know all this and I'm sure people are getting sick of
hearing rants about it every time it comes up. This is the second time in a
week for a Mozilla product. I suspect they're trying to exhaust the ranters so
they're just left with the users who don't care, "have nothing to hide", or
think it's their duty to help the browser vendor squash bugs. No software or
service should be trusted until it's absolutely necessary to get the job the
user wants done, not the job the browser vendor wants done. It will never be
necessary for a browser to send browsing data back to the browser vendor to
get to a website.

------
eli
I think it's worth approaching this with an open mind and giving Firefox at
least a little bit of the benefit of the doubt. It's pretty plain to see how
such aggregate usage data would lead to a better product for everyone.

How many people here use website/app analytics to improve products they work
on?

~~~
tjoff
_It's pretty plain to see how such aggregate usage data would lead to a
better product for everyone._

No, it is not. Especially not for something such as a browser which is mostly
transparent to the content.

~~~
eli
Browser performance is very closely tied to specifics of the content. That's
why optimizing for e.g. JS benchmarks doesn't always result in a browser that
feels any faster.

~~~
tjoff
I can't think of a statement more vague than that.

Or why any external data would be needed at all, let alone why the opt-in data
would not be sufficient?

------
jordache
Is Mozilla planning on circumventing all of the methods outlined here for
identifying unique users?
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

------
godelski
Wouldn't an easy solution be to just give a right click function that says
"bug on this page"? You get a nice and easy way to the user to report a page
and you are non-intrusive. If you're concerned with what pages users visit the
most, why not just check Alexa ratings?

------
t49261
Why is this proposal hosted on Mozilla's main competitor's discussion
platform? That seems unprofessional at best, an irrational blind spot of the
corporation that is decimating their market share with dubious marketing and
monopolistic practices. Isn't an organization the size of Mozilla able to host
policy discussions on one of their own domains? What are people who do not use
Google products supposed to do?

By now people should be aware that it is not just the content that is
important, but also the metadata. A browser that phones home with information
on users' browsing habits is not acceptable to many of us, who will move to
forks or a different browser altogether. This from one of the people who
"doesn't complain, but just never goes back."

------
zb3
I've removed all URLs from about:config and replaced them with localhost
(search for "http"). This should help with privacy-related issues as long as
no API endpoint is hardcoded.

~~~
kuschku
I did the same, but used [https://error.invalid/](https://error.invalid/), as
that URL is guaranteed to never resolve.

~~~
jwilk
Unfortunately, it is not.

[https://tools.ietf.org/html/rfc6761#section-6.4](https://tools.ietf.org/html/rfc6761#section-6.4)

> _Name resolution APIs and libraries SHOULD recognize "invalid" names as
> special and SHOULD always return immediate negative responses. Name
> resolution APIs SHOULD NOT send queries for "invalid" names to their
> configured caching DNS server(s)._

It's only SHOULD, not MUST. And in fact, the glibc resolver (and I bet also
other major implementations) does send such queries to the DNS server.

~~~
kuschku
> And in fact, the glibc resolver (and I bet also other major implementations)
> does send such queries to the DNS server.

Using the glibc resolver as baseline is a bad idea, it’s broken beyond hope.

Try resolving
[http://-emmawatson.tumblr.com/](http://-emmawatson.tumblr.com/), which is a
valid URL under newer standards, and works on all other systems. The Glibc
authors refuse to merge patches fixing this, because they disagree with the
standard.

------
alexrs95
I work at Mozilla, but I'm speaking for myself here, and not on behalf of
Mozilla as a whole.

For those interested in understanding more about this project and why we're doing
it, here you can find an introduction of Differential Privacy and what we're
trying to do.
[https://twitter.com/Alexrs95/status/896366072240144385](https://twitter.com/Alexrs95/status/896366072240144385)

~~~
tjoff
What you guys just won't grasp is that:

1. You will absolutely obliterate any trust you have with actions like this.
This is important. Because if you continue to ignore this, you will have
tons of data but you will be absolutely clueless as to why your product and
brand are completely abandoned.

2. This data isn't worth that much to begin with. Here is a crazy idea, try
to make a better browser instead.

~~~
moosingin3space
This data will be used in the pursuit of #2. As it turns out, a lack of
understanding of what users are doing with their browsers is an obstacle to
making a better browser. Performance issues in complex systems often only show
up in production, and that's what Mozilla is trying to collect this data to
fix.

~~~
joosters
Why is opt-in data not sufficient? Why can't Mozilla take the top-N sites and
test them out for themselves?

~~~
Yoric
We're already doing that. Experience shows that this is not sufficient to
accurately catch regressions.

Also, just because a site is part of the top-N doesn't mean that it's part of
the top-N for Firefox users.

~~~
joosters
Can you give any examples of sites and URLs that you've missed with opt-in
data?

------
FlyingLawnmower
I am surprised that there is such a fundamental misunderstanding of
differential privacy on the Hacker News crowd.

Meeting the standard of true differential privacy is one of the strongest
known unconditional privacy guarantees. It will prevent Mozilla from being
able to answer _any_ user specific questions. For example, they might have an
accurate count of how many people visit Google.com (say 60% of their user
base), but they will be mathematically unable to point to exactly which 60%
visited the site.

Differential privacy in the RAPPOR implementation is peer reviewed and well
understood. We can also review the actual code that ships in Firefox, which is
a big plus over the Chrome implementation. There are some caveats -- what
epsilon are they setting, are they adding an appropriate amount of noise, how
do they protect against repeated queries, etc. but all of these can and will
be reviewed by the differential privacy community.

I am not affiliated with Mozilla or Google, though I do work in the field of
differential privacy. On mobile now, but I am happy to provide links or answer
questions to people who might have any when I am back at a laptop.
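
The aggregate-versus-individual property FlyingLawnmower describes, as an added example that is not part of the thread and is not Firefox's or Google's code: a simplified randomized response with one bit per candidate domain, in the style of the RAPPOR paper's basic one-time variant (no Bloom filter, no second randomization stage). The candidate list, the 60% share, the user count and `f = 0.5` are constructed assumptions.

```python
import math
import random

# Constructed sample data: the candidate home-page domains (eTLD+1) the
# collector decodes against, and the true share of users for each.
CANDIDATES = ["google.com", "facebook.com", "youtube.com", "example.org"]
TRUE_SHARES = [0.60, 0.25, 0.10, 0.05]


def encode(value):
    """One bit per candidate, exactly one bit set (no Bloom filter)."""
    return [1 if c == value else 0 for c in CANDIDATES]


def randomize(bits, f, rng):
    """Client side. Each bit independently becomes 1 with probability f/2,
    0 with probability f/2, and keeps its true value with probability 1 - f."""
    noisy = []
    for bit in bits:
        r = rng.random()
        if r < f / 2:
            noisy.append(1)
        elif r < f:
            noisy.append(0)
        else:
            noisy.append(bit)
    return noisy


def epsilon(f, h=1):
    """Privacy bound for this randomization as given in the RAPPOR paper:
    eps = 2h * ln((1 - f/2) / (f/2)), with h bits set per value (h = 1 here)."""
    return 2 * h * math.log((1 - f / 2) / (f / 2))


def estimate_counts(reports, f):
    """Server side. E[observed_i] = true_i * (1 - f) + n * f/2, so invert it."""
    n = len(reports)
    observed = [sum(column) for column in zip(*reports)]
    return [(c - n * f / 2) / (1 - f) for c in observed]


def simulate(n_users=20000, f=0.5, seed=1):
    """Run a constructed population through the client and server steps."""
    rng = random.Random(seed)
    truth = rng.choices(CANDIDATES, weights=TRUE_SHARES, k=n_users)
    reports = [randomize(encode(v), f, rng) for v in truth]

    estimates = estimate_counts(reports, f)
    true_counts = [truth.count(c) for c in CANDIDATES]

    # What a single report reveals: how often the google.com bit is set for
    # users who do, and who do not, have google.com as their home page.
    g = CANDIDATES.index("google.com")
    set_if_true = [r[g] for v, r in zip(truth, reports) if v == "google.com"]
    set_if_false = [r[g] for v, r in zip(truth, reports) if v != "google.com"]
    return {
        "true_counts": true_counts,
        "estimates": estimates,
        "p_bit_set_if_google": sum(set_if_true) / len(set_if_true),
        "p_bit_set_if_other": sum(set_if_false) / len(set_if_false),
    }


if __name__ == "__main__":
    result = simulate()
    for name, t, e in zip(CANDIDATES, result["true_counts"], result["estimates"]):
        print(f"{name:14s} true={t:6d} estimated={e:9.1f}")
    print("P(google bit set | home page is google.com):",
          round(result["p_bit_set_if_google"], 3))
    print("P(google bit set | home page is something else):",
          round(result["p_bit_set_if_other"], 3))
    print("epsilon for f=0.5:", round(epsilon(0.5), 3))
```

Lowering `f` tightens the estimates but raises epsilon, which is the "what epsilon are they setting" caveat from the comment.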

~~~
GrayShade
I only skimmed the RAPPOR paper, but can you discuss the worst-case scenario
where an NSA-like adversary is able to each data point when it arrives?
Assuming this happens from the start, how much information would she be
able to obtain?

> We can also review the actual code that ships in Firefox, which is a big
> plus over the Chrome implementation.

Sure, but note that it's been implemented already and will be pushed to the
users as an add-on, without going through the full release process. Even this
HN post seems to have been prematurely buried.

It would have been possible for this to be deployed without anyone knowing.
Post-hoc reviewing of functionality as sensitive as this is not the ideal
solution.

------
kxyvr
I'll also contend this is a disturbing, terrible idea.

I design optimization algorithms and software professionally and the majority
of that software is released open source. Now, does my software likely run
terribly on some problems that my users give it? Absolutely. That probably
costs me business because they get frustrated, give up, and go somewhere else.
And, to combat that, I could absolutely engineer my libraries to send
anonymized information about their problem structure back to my company.
Certainly, it would help me improve my software and algorithms. I also view it
as horribly unethical, a breach of my customers' trust, and an unacceptable
course of action. Look, I want my software to work well for everyone, but it's
part of my job to figure out when things don't work well and fix that beyond
scraping information about my customers' uses automatically.

I contend this is a terrible idea and very much would like Mozilla to abandon
it.

------
JoshMnem
Normally, I would vote for opt-in only, but I think that it could be opt-out
for Firefox as long as there are no dark patterns that make it difficult to
opt-out. The survival of Firefox is extremely important for the future of the
Web.

If it is opt-out, then Mozilla would have to be extremely open about how to
opt-out and exactly what is tracked.

------
nerdponx
What I have not seen here is a discussion of how, exactly, collecting browsing
behavior will help Mozilla improve Firefox.

~~~
veeti
Start by actually bothering to read the link:

> One recurring ask from the Firefox product teams is the ability to collect
> more sensitive data, like how features perform on specific sites.

> [for example]: "Which sites does a user see heavy Jank on?"

~~~
madez
Ask for it. Don't just collect the data. Ffs, what has the team behind FireFox
become? I need a new browser.

~~~
Ygg2
They did and too few people said yes.

On the other hand, everyone complains Firefox is slow.

So, few pay, few opt in, and everyone complains.

~~~
tunap
"They did and too few people said yes."

There's the answer. And the response? "Tough shit", we'll take away that
choice granularly. For our own good, apparently.

Moz has been giving tough shit with caveats for more than a few years now.
Perhaps that is why market share is falling?

~~~
Ygg2
There is a story about people getting driver's license having a check box to
opt-in into being organ donors, and very few said yes. Once the box was
changed to opt-out, very few said no :)

The question is are people saying no because they are privacy conscious, or
because they don't care. My money is on the latter. In general more people care
about Firefox being fast than security.

What's a bigger issue for Firefox is deprecating its add-ons. That's going to
hurt its marketshare way more than telemetry data.

------
lucideer
From a technical perspective, I'm not quite so bothered by what data Mozilla
collects about me, how often, &c. I'm happy to opt-in to Telemetry and don't
mind if it's extremely "comprehensive" in what it measures.

The real issue here is with ethos and perspective. I use Firefox because the
ethos of the company and its employees, and their general "take" on issues
like this allows (or has allowed) me a general sense of trust in them.

Even the very existence of this discussion erodes that trust. This says to me
"the people making this browser don't understand the importance of consent,
and have a vastly different perspective on the value of privacy to mine".

If your developers need more data from Telemetry, _get consent_ and collect
more data. Establish trust in users in what you do with that data.

------
thinkMOAR
"If Firefox is dedicated to preserving privacy, then no Opt-in data feature
should be added. "

I really don't understand this of the user, while previous sentence he writes:

"but I will say that I believe Opt-in is pro-privacy, while Opt-out is anti-
privacy."

~~~
ajc-sorin
I think he's saying that not having an opt-in/out feature would show FF's
dedication towards privacy, but if they are going to have an Opt-feature, Opt-
in is better than opt-out.

------
a3_nm
If you do not like the idea that by default Firefox will send data to Mozilla
about your Firefox usage (no matter the privacy protection techniques being
used), you should probably be aware that Firefox is already sending this kind
of data to Mozilla. This is called Firefox Health Report and is pointed out in
their privacy policy:
[https://www.mozilla.org/en-US/privacy/firefox/#health-report](https://www.mozilla.org/en-US/privacy/firefox/#health-report)

FHR is also opt-out, i.e., enabled by default. If you do not like this, you
may want to disable this as well.

------
lasermike026
Idea, pay people for their anonymized data. It's opt-in with an incentive.

------
staticelf
If they do this, I will uninstall Firefox and start recommending some other
browser. Mozilla has really sunk in my eyes the last couple of years but this
is the final spike in the coffin for me.

~~~
morganvachon
What else is there, though, at least for mainstream users? There's Chrome
which has been doing this since the beginning for Google, there's Safari but
only if you're on a Mac, and there's a smattering of smaller browser projects
on Linux that are good in their own right but not mainstream enough to have
the features of the big four.

On Windows, Microsoft Edge is of course a lean and capable browser, but the OS
itself is also collecting telemetry on you at all times, including browsing
habits.

Hopefully someone will fork Firefox for Windows/Mac/'nix and strip out all the
telemetry and data gathering bits, otherwise there's not much choice left for
a privacy focused, full featured, fully supported browser on all platforms.

~~~
staticelf
Most likely Brave, Edge, Opera or Vivaldi. I haven't really dug into if they
do telemetry but some quick google searches tell me that at least Vivaldi
does not. Brave is also a browser all about privacy so it would be weird if
they do spy on their users.

But you are correct, if Firefox falls as the last bastion in the web browser
world to protect users privacy there is little choice left of really nice
browsers.

If / when Firefox does this however there is really no real reason to even
pick Firefox to begin with since all the other major players do the same.

~~~
morganvachon
Brave sounded interesting until I saw this at the bottom of the landing page:

"Brave makes money by taking 5% of any donations and -- _after it is fully
implemented -- a small cut of advertising that is placed._ Brave even shares
some revenue with you -- at least as much as we receive."

Then there's this:

[https://brave.com/about-ad-replacement/](https://brave.com/about-ad-replacement/)

If they are planning to inject ads into the browser and somehow pay their
users a kickback, how do they expect to maintain a reputation as a privacy
focused project? Even if they offer to pay in cryptocurrency, they are still
tying browsing habits and targeted advertisements to a trackable user. No
thanks.

I had switched from Chromium back to Firefox after Google was caught injecting
binary blobs into Chromium at build time[1], and so last year when I decided
to drop all Google products from my life, I already had a great (if slow)
browser making it less of a hurdle. Now, though, I think I'll stick with
Safari on my phone and Mac, and find a way to sync bookmarks from Safari to
Midori on my other systems.

[1] [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909)

~~~
staticelf
Yeah that makes me also not want to run it. But still, there are a few options
even if neither is very good. I will probably just start running Edge or
something since I already use Windows.

But I much rather just continue to use Firefox.

------
have_faith
Can someone more knowledgeable than me explain the benefits to this data
collection exactly? The link mentioned finding urls with jank and the like, is
it not easy to find such sites?

The real problem seems to just be marketing though. Regular people either
don't see any reason to consider looking for an alternative browser or don't
understand the differences. Years ago Firefox had a larger market share
because the internet as a whole had a larger share of tech-savvy people and
they had IE as a competitor.

------
lngnmn
That would be a public relations suicide!

Greed and monetization of user's data - this is the only real business model
which brings profit. There is, probably, already a long queue of customers
willing to pay for the data.

And, of course, "anonymity" is nonsense. The whole point of collecting data is
to classify users into target groups and model user's behavior. In other words
- to collect the data for machine learning algorithms and sell access to the
datasets and other services.

------
occamrazor
Why opt-out? I understand that if the users have to make an effort to submit
telemetry data, most won't. But it could be a dialog at update/installation
time, which requires the user to choose between yes and no. If a user says no,
they clearly value their privacy more than additional features or stability of
their browser, and Mozilla's values include respect of the users' choices
about their own data.

------
fenwick67
It's my computer, my data, and my bandwidth. If they do not provide an opt-
in/out I'm going to start using a Chromium fork instead.

------
tunap
Hey Dang, HN mods!

With the 300+ upvotes and active discussion still occurring at hour 7 since
posting, care to explain how the algorithm has relegated this discussion to
the fourth page and is still dropping? Is the much less active, day old
posting of a SF author's death more heavily weighted than an inconvenient
topic that is important to several more factors of readers?

~~~
grzm
You can search HN for other comments from the mods regarding the algorithm,
but the short answer is that ranking is not a simple, transparent algorithm,
nor is it independent of mod input. Ranking is dependent on time, commenting
rate, user upvotes _and_ flags (which don't result in a '[flagged]' tag until
a threshold is reached), as well as mod input. Too much commenting activity
can trigger the "overheated discussion detector", which can push a post down.
Given that this has 213 upvotes and 319 comments (at the time of this
posting), I'd say the latter is likely, though it's hard to say.

In my experience, the quickest, most reliable way to contact the mods is via
the Contact link in the footer. You might want to try that as well if you're
looking for an expedient response.

~~~
tunap
Thanks for response, grzm. Considering neither of Mozilla's recent gaffe
postings appear in the 400+ 'recent' list today, I will forgo contributions to
the site. Open info != cloistered nor censored. YC has interests to protect
after all the market speak and spurious posturing is washed away. I will miss
the less controversial content, but my clicks & data history seem to be my
only vote that matters anymore.

------
nonbel
Let's be honest here. In many people's opinion (including my own) firefox has
gotten _worse_ since they started all this telemetry stuff. Supporting this,
marketshare has also been dropping. So, I don't think they know how to
properly interpret the data they are getting. Either that or the data is so
messy as to be worse than useless.

------
sillyrat
I'm amazed that no one in this thread has yet mentioned Waterfox as an
alternative - it uses Firefox as a base and then strips out telemetry,
"pocket", and more:
[https://www.waterfoxproject.org/](https://www.waterfoxproject.org/)

------
binaryapparatus
Thanks firefox. Not.

One of the last truly shiny examples of open source is losing the plot. Not
only that it requires pulseaudio (alsa?), it is getting harder and harder to
use it normally with FreeBSD. Now this.

I've had enough, testing links -g and it works well for most of my browsing
needs.

~~~
debdrup
May I suggest w3m-img, tmux and uxrvt compiled with mouse support?

------
zaro
On one hand Mozilla doing something like that is anti privacy. On the other
hand how is Mozilla supposed to improve FF w/o detailed usage data.

In theory can be done, but in practice they are competing with Chrome and
their team has waaay more data to use. And this data gives them an edge at
least on the decision which parts are worth improving.

So they can either start collecting some data and really piss off their most
vocal privacy minded users and try to use this data to improve FF and steer it
away from the death spiral it's on. Or they can keep the vocal privacy minded
people happy continue to work in the dark and pretty much ensure that FF will
become one of the insignificant .3% market share browsers.

Because somehow I kind of feel that multimillion fundraisers to make FF popular
again aren't gonna happen second time.

~~~
madez
Why would FireFox be on a dead spiral for not tracking its users? If they
want browsing data, they can use their own.

~~~
froydnj
(Disclaimer: I work for Mozilla)

The problem with our own browsing data--by which I'm assuming you mean the
browsing habits of our ~1000 employees--is that it's wildly non-representative
of the broader population. For instance, people here routinely have browser
sessions with 10, 100, or even 1000+ tabs. These numbers also indicate that
the browser is an application you start, and then you just leave up for a
while, perhaps until you restart your computer or you have to update for
whatever reason.

The latest statistics we collected on a broader sample of users indicates that
the _average_ number of tabs is...2. The _average_ session length is on the
order of minutes, not days. Such knowledge leads to very different choices
when deciding what browser features to prioritize.

And it's not just browsing usage, either: most employees probably have a top-
of-the line (or close to it) Mac laptop, Windows desktop, or Linux desktop;
developers have a machine with four, eight, or even more cores. These machines
are hardly representative of the wider Firefox user base: a significant
majority of our users (~70%) has a machine with two cores, and users with a
_single_ core in their machines outnumber users with 8+ cores. We'll not even
cover graphics hardware or screen resolution here; see
[https://hardware.metrics.mozilla.com/](https://hardware.metrics.mozilla.com/)
for more examples.

Using our own browsing habits and our own machine specs for making decisions
is not feasible.

~~~
madez
Then I realize Firefox is not a browser made for me. I don't care about the
marketshare of my browser. I want it to make my browsing easier and faster,
while never compromising on security and privacy. _Any_ outgoing connection
without my action is not OK. Not even Google's Safe Browsing. If I have to decide
between having both Javascript and Google Safe Browsing, or neither, I would
take the latter.

I value the expertise at Mozilla. Could you point to a browser that might fit
me?

------
mattdeboard
Man, Mozilla has been planning to do this for a long time! One of my first
open-source contributions was helping a team work on this exact issue, and
that was in early 2010.

------
z3t4
In the latest version of Firefox on Windows it calls home when exiting and
visiting certain web sites (flash maybe?). I did not opt in for anything.

------
liminal
This is great. A principled well-considered approach to collecting useful
information in a way that respects people's privacy. Go Mozilla!

------
hellbanner
What's your favorite open-source browser?

------
AznHisoka
This doesn't matter. SimilarWeb, Jumpshot and other clickstream companies are
already doing this, in an even more non-transparent manner by using browser
extensions that track every URL you visit, and searches you do, let alone the
domain. I say let Mozilla give them some competition!

------
lepouet
Well, if it's really needed, why not.

------
Paul-ish
What impact will this have on bandwidth?

------
hellbanner
How does Mozilla earn $?

------
Animats
Mozilla: you do not have a need to know for that information.

------
GrayShade
I tried to be unbiased in the submission title and it's probably late enough
that this will be buried, but here are some of my thoughts:

> They don't plan on collecting URLs, just (eTLD+1).

This is true as of right now, but can change at any time in the future. From
the post:

> What we plan to do now is run an opt-out SHIELD study [6] to validate our
> implementation of RAPPOR. This study will collect the value for users’ home
> page (eTLD+1) for a randomly selected group of our release population

This test consists of collecting domains, indeed, but that doesn't say
anything about what will happen in the future.

> Note: "planning" means "reaching out for feedback about".

Planning means planning. Today they're reaching for feedback, and the plans
might change or not.

> Hello, Redditors...

This is my fault, I suppose, for posting the link here :). Many of the angry
comments are uninformed, but the users, educated or not, are stakeholders here
and Mozilla should be prepared for the fallout. There have been situations in
the past (Pocket, Google Analytics) where well-formulated feedback from users
was readily dismissed.

> One recurring ask from the Firefox product teams is the ability to collect
> more sensitive data, like top sites users visit and how features perform on
> specific sites. Currently we can collect this data when the user opts in
> [...].

Does anyone know what this is about? Telemetry? Because I _will_ disable it if
so.

> Allow Firefox to install and run studies

This is from the Nightly settings page but is pointing to
[https://support.mozilla.org/en-US/kb/shield](https://support.mozilla.org/en-US/kb/shield),
which doesn't exist (yet?). For anyone interested, there's a
wiki page about them
[https://wiki.mozilla.org/Firefox/Shield/Shield_Studies](https://wiki.mozilla.org/Firefox/Shield/Shield_Studies).

> What we plan to do now is run an opt-out SHIELD study [6] to validate our
> implementation of RAPPOR.

This still sounds bad enough to forever poison "SHIELD" for me. It's also
terribly named because it doesn't "protect" anyone.

> No telemetry, no data collection.

Without telemetry it would be almost impossible for the developers to figure
out what works or not, and what's fast or not in Firefox. There's a whole
spectrum here from "no telemetry" to "creepy". Please don't ignore this.

> Now they are killing Privacy.

Please try to get informed. A Mozilla employee in this thread (alexrs95)
posted a series of tweets about what's being proposed:
[https://twitter.com/Alexrs95/status/896366072240144385](https://twitter.com/Alexrs95/status/896366072240144385).
It's short enough, so please read at least that before complaining.

> What's your favorite open-source browser?

Firefox :).

> I've removed all URLs from about:config and replaced them with localhost
> (search for "http"). This should help with privacy-related issues as long as
> no API endpoint is hardcoded.

Beware of SHIELD, as Mozilla may still have the ability to push extensions to
the browser.

> He said there are math theorem to prove that it's sufficiently anonymize.

I've not dug deep enough into the RAPPOR paper, but they do consider in
passing the possibility of an attacker that has access to _all_ of the
collected data (think
[https://en.wikipedia.org/wiki/National_security_letter](https://en.wikipedia.org/wiki/National_security_letter)).

> Everyone else

Please be kind.

EDIT: Looks like this post might have been pushed back from the front page by
a moderator. I'm not sure I'm fine with that.
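
The comment above cites RAPPOR and the case of an attacker who holds all of the collected reports. As an added example (not part of the original post, and not Mozilla's implementation), the Python below implements the RAPPOR paper's simplified "basic one-time" variant for a home-page eTLD+1 and shows both the aggregate estimate and the bound on what a single report reveals. The candidate domains, f = 0.5 and every function name are assumptions made for illustration.

```python
import math
import random

# Constructed candidate home pages (eTLD+1). Assumption: one bit per candidate,
# the paper's "basic" mapping, instead of hashing into a Bloom filter.
CANDIDATES = ["example.com", "example.org", "example.net", "example.edu"]

def encode(domain):
    return [1 if domain == c else 0 for c in CANDIDATES]

def randomize(bits, f, rng):
    """Permanent randomized response: with probability f a bit becomes a fair coin flip."""
    out = []
    for b in bits:
        r = rng.random()
        out.append(1 if r < f / 2 else 0 if r < f else b)
    return out

def estimate(reports, f):
    """Unbiased per-candidate counts recovered from the noisy reports."""
    n = len(reports)
    sums = [sum(col) for col in zip(*reports)]
    return {c: (s - f / 2 * n) / (1 - f) for c, s in zip(CANDIDATES, sums)}

def likelihood(report, domain, f):
    """P(report | true home page == domain), which a holder of all reports can compute."""
    p = 1.0
    for bit, true in zip(report, encode(domain)):
        p_one = 1 - f / 2 if true else f / 2
        p *= p_one if bit else 1 - p_one
    return p

def epsilon(f):
    """Differential-privacy bound for one report (each value sets exactly one bit)."""
    return 2 * math.log((1 - f / 2) / (f / 2))

def simulate(true_counts, f=0.5, seed=1):
    rng = random.Random(seed)
    reports = [randomize(encode(d), f, rng)
               for d, k in true_counts.items() for _ in range(k)]
    return reports, estimate(reports, f)

if __name__ == "__main__":
    truth = {"example.com": 6000, "example.org": 3000, "example.net": 1000}
    reports, est = simulate(truth)
    print({c: round(v) for c, v in est.items()})
    r = reports[0]
    ratio = likelihood(r, "example.com", 0.5) / likelihood(r, "example.org", 0.5)
    print(ratio, "<=", math.exp(epsilon(0.5)))
```

The population counts come back close to the truth, while for any single report the likelihood ratio between two candidate home pages never exceeds e^ε (9 at f = 0.5), which is the guarantee that still holds against someone with access to every report.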

~~~
kasabali
Comment threads are a useful way of organizing the discussion, why did you
choose to not use it?

~~~
GrayShade
Indeed, that might have been better. The thing was that many arguments and ideas I
took issue with were repeated by different people and I didn't want to spam
all those comment threads.

My reasoning is that people might search for my comment (I sometimes do when
others post), but by the time I wrote it the first comment page was full
and it ended up on the second one.

------
jancsika
This is really slick.

It's like describing to a spouse a system of sex with strangers that includes
blindfolds and a hazmat suit. Such a system could be a great way for a person
to learn more about their sexual tastes and improve coitus overall. If the
spouse is anxious about the system, then all they have to do is find a problem
with the hazmat suit that would endanger the...

Wait, spouse, you haven't even studied the system that I so carefully designed
to protect you from the possibility of...

Spouse?

Has anyone seen my spouse?

------
calcifer
Can we at least stop with the FUD please?

> DRM

EME is not DRM, it's a fully open source spec to support third-party DRM
modules. If you don't actively choose to install a DRM module, there is no DRM
in your Firefox.

> 3-rd party apps

Like what? Pocket is fully owned by Mozilla.

> analytics, tracking

So far this has been 100% opt-in. It _might_ change with this new thing, but
even that's not for certain.

~~~
gbuk2013
> Can we at least stop with the FUD please?

Can we please stop with using the word FUD for things that are not? The very
idea of accepting DRM as a possibility in the browser was a slap in the face
to those who believe in internet freedom.

> Like what? Pocket is fully owned by Mozilla.

Check your facts: it was added to FF 1.5 years before Mozilla bought it. It
was an example of them just not giving a shit and adding it anyway.

> So far this has been 100% opt-in.

Check your facts: the Google Analytics in the extensions page that I linked is
explicitly "opt-out" and even that happened only because people found out
about it and (rightly) raised a stink.

[https://news.ycombinator.com/item?id=14753546](https://news.ycombinator.com/item?id=14753546)
and
[https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14](https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14)

(And really, of all the analytics choices, they fucking picked Google
Analytics?!)

~~~
SubiculumCode
So freedom is not having the choice to use DRM?

~~~
gbuk2013
I don't buy that argument, sorry. Because it requires something as anti-
freedom as DRM to exist in the first place.

~~~
SubiculumCode
You would outlaw locks for the front doors of houses too?

~~~
gbuk2013
No, because physical goods and 0's and 1's are not the same.

~~~
SubiculumCode
All 0's and 1's occupy real electrons in real space. They are not part of the
ether. You are making a distinction between electronic information and the
physical that is artificially derived.

I think perhaps you are saying that a pattern of information should not be
locked up, but instantiations of a pattern can be.

------
lazarus101
Please don't turn Firefox into a botnet!

------
throwaway725494
Does anyone know why Firefox always phones home to:

    firefox.exe	3588	TCP	pc-name	49172	ec2-35-167-184-4.us-west-2.compute.amazonaws.com	https	ESTABLISHED	3	667	5	3,334

I have a tool called TCPView (a Microsoft sysinternals tool) that inspects my
traffic. I disabled all the Mozilla telemetry and it still phones home to this
server. The connection is encrypted going through port 443. It even appears in
different forks of Firefox like Waterfox. Is this unique to me, or does anyone
else notice this? My best guess is that it's some sort of telemetry they're
collecting. Keep in mind I disabled updates so it's not pinging update servers
either. Also: It happens only when I visit a website, and doesn't appear when
I start up the browser for the first time. I also have no plugins installed.
Since I see some Mozillians in this thread I figured it's the best place to
ask!

