
Things to know about the GDPR, Mozilla and Firefox - Garbage
https://blog.mozilla.org/internetcitizen/2018/05/23/gdpr-mozilla/
======
throwaway974
I have a profitable, bootstrapped SaaS business. It's not based on ads or
selling data. I don't even have a freemium plan. Only a limited free trial
after which you have to start paying. It's a trivial application that stores
mostly already public data. Only email is required to login so that I can send
password reset and other such communication.

I've been talking to a very well known giant corporation for months. The VP
and director love my product and want to start using it right away for their
department. But their legal team is scared shitless with 4% fines in GDPR.
They are putting some draconian clauses (various ISO certifications and such)
in the contract that I, as a small company, cannot comply with. That's their
interpretation of GDPR. It doesn't matter whether it's right or wrong.

The VP and Director are really nice people and I've developed very good
rapport with them. But I'm afraid their patience will run out soon and they'll
go back to using spreadsheets. A lose-lose situation.

This is the side-effect of GDPR.

I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc.
But don't assume that GDPR doesn't affect normal business transactions. Anyone
who says, "Oh, how hard could it be?" has no idea what they are talking about.

------
dekrg
That's interesting as what its website privacy policy actually says looks the
exact opposite of GDPR compliant. From
[https://www.mozilla.org/privacy/websites/](https://www.mozilla.org/privacy/websites/)
which is linked as the Privacy link from
[https://addons.mozilla.org](https://addons.mozilla.org).

> We may use cookies, clear GIFs, third party web analytics, device
> information, and IP addresses for functionality and to better understand user
> interaction with our products, services, and communications. Learn More

> You can control individual cookie preferences, indicate your cookie
> preferences to others, and opt-out of web analytics and optimization tools.
> Learn More

~~~
gcthomas
If the data collected is not personally identifying data, then GDPR is not
interested in it. Maybe it _is_ PII, but the quoted policies don't say that.

> We may also use cookies, device information and IP addresses, along with
> clear GIFs, cookies and third party services to help us understand _in the
> aggregate_ how users engage with our products, …

~~~
athenot
This brings up an interesting point: cookies are not just for user/session
identification. Yes that's how the majority of the apps work but instead, it's
totally possible to use cookies to customize a site's experience, feature by
feature. A cookie for the theme, a cookie for the font prefs, etc. Yet most
sites still insist on logging the user in to customize the experience, and
rely on some central storage to determine user preferences.

~~~
tbranyen
This is a terrible use case for cookies. Any browser reset or change, new
computer, your phone, etc, and you need to redo the whole experience every
time. I'd rather login and customize once.

Cookies get sent with most requests as headers so you're unnecessarily bogging
down requests with data unrelated to the session.

~~~
pixellab
100% exactly. Cookies are device and moment specific. Whereas a user account
can easily save and transport the saved experience/setting anywhere the user
wants to access them.

~~~
gkya
Firefox (and Chrom{e,ium} AFAIK) can sync up your cookies, among other things.

~~~
trumped
But if you go this route, you have to share them with a third party (Mozilla
or Google)?

~~~
gkya
Yes, but Firefox's Sync is open source [1], so you should be able to set up a
private instance. IDK how easy or hard it is though.

[1]
[https://wiki.mozilla.org/CloudServices/Sync](https://wiki.mozilla.org/CloudServices/Sync)

~~~
Anthony-G
Thanks for the suggestion. That wiki page brought me to
[https://mozilla-services.readthedocs.io/en/latest/howtos/run...](https://mozilla-services.readthedocs.io/en/latest/howtos/run-sync.html)
which I intend to try out. I want to migrate my Firefox profile from Windows
to Linux and synching seems to be the easiest way to transfer bookmarks and
saved passwords.

------
xd1936
That's a powerful headline, but unless I'm being A/B tested, it has little to
do with the article. Did you mean to link to "13 things to know about the
GDPR"?

~~~
exikyut
It seems to have been modeled off of
[https://www.reddit.com/r/firefox/comments/8m0f03/mozilla_wil...](https://www.reddit.com/r/firefox/comments/8m0f03/mozilla_will_not_update_its_privacy_policy_it/)

~~~
LandR
I got the email from Mozilla too, where they say it's not another privacy
policy update and link to that same blog post.

I guess from the email it was implied that they are already compliant, but
then the linked blog post in the email in no way confirms that...

Weird.

The email said:

> Does it seem like every service, app or subscription you've signed up for
> is sending you a privacy policy update? It's all because of the General Data
> Protection Regulation, aka the "GDPR," a sweeping new European regulation
> taking effect this Friday.

GDPR has implications for many organizations, and that includes Mozilla. But
unlike other organizations, Mozilla has always stood for and practiced data
privacy principles that are at the heart of privacy laws like the GDPR. It
feels like the rest of the world is catching up to where we've been all along.

------
billysielu
OK great, can we have First Party Isolation enabled by default now? Y'know,
for privacy. Browsers should be protecting users by default.

~~~
JohnTHaller
Just have the browser present the user with the choice on install.

( ) Enable third party cookies. This may allow third party websites to track
you across the internet.

( ) Disable third party cookies. This may break some functionality on some
websites.

It's no more confusing to end users than the endless sets of checkboxes
websites have to use for GDPR or the pointless click OK to accept cookies
notices.

~~~
zerostar07
Yup, that's how it should be. Technical solutions are always superior to
regulations.

~~~
coffeeiscold
It seems like the regulations help to create an environment conducive to
innovation. There is now a strong incentive to solve the problem "a better
way". Let's hope it happens!

~~~
JohnTHaller
Except they don't. If they'd simply legislated that all web browsers have to
ask that question, awesome. Instead, they legislated that every business on
earth has to explain it to end users and separately ask for consent. So, even
if all web browsers were updated to correctly ask for third party cookie
permission, every business on earth still needs to do all the expensive hoop
jumping.

------
deaps
I've gotten emails from sites I signed up for at least a decade ago. I find it
troubling that _that many_ sites I've signed up for had to actually change
their privacy policies because of this. But I guess in the end, it's a good
thing that they're all changing.

~~~
OldSchoolJohnny
Pretty much every site you ever had to sign up for has had to change things,
it's part and parcel of the process.

------
kuschku
Great, so about:addons doesn’t use tracking Google Analytics cookies anymore?
Or has a visible way to disable it (you need to enable DNT to get rid of
this).

And Firefox Nightly does not track personally identifiable telemetry anymore?

No. Mozilla still tracks every step I take.

What the fuck, Mozilla?

EDIT: Example. If you go to
view-source:[https://addons.mozilla.org/en-US/firefox/](https://addons.mozilla.org/en-US/firefox/)
— In the code you’ll find Google Analytics, and if you open the page, it’ll
set tracking cookies. No cookie notice, no opt-in, at all.

How the FUCK is this supposed to be GDPR-compliant? Cambridge Analytica is
more GDPR-compliant than this.

EDIT 2: See also
[https://github.com/mozilla/addons-frontend/issues/2785](https://github.com/mozilla/addons-frontend/issues/2785)
to show that about:addons loads addons.mozilla.org, including the Google
Analytics trackers without opt-in.

EDIT 3: See also
[https://www.mozilla.org/en-US/firefox/channel/desktop/](https://www.mozilla.org/en-US/firefox/channel/desktop/)
which explains that Nightly and Beta always send telemetry, which can not be
turned off in any way, and your only way to avoid it is to stop using the
product, which again violates the GDPR section on "free consent".

~~~
GlitchMr
> Great, so about:addons doesn’t use tracking Google Analytics cookies
> anymore? Or has a visible way to disable it (you need to enable DNT to get
> rid of this).

I can imagine this being legitimate interest, can be disabled with DNT flag,
and it's not personal data. Mozilla signed a legal contract with Google which
prevents Google from using this information.

> EDIT 3: See also
> [https://www.mozilla.org/en-US/firefox/channel/desktop/](https://www.mozilla.org/en-US/firefox/channel/desktop/)
> which explains that Nightly and Beta always send telemetry, which can not be
> turned off in any way, and your only way to avoid it is to stop using the
> product, which again violates the GDPR section on "free consent".

Options -> "Privacy & Security" > "Nightly Data Collection and Use"

Also, it uses the word "automatically", not "always", and the "Learn more"
link on this page tells you how to disable that. Additionally, telemetry
information is NOT personal data - it stores information like how many times
you have opened web browsers, how many tabs you use, but it doesn't send
personal data.

Crash reports may contain personal data, but even on nightly, they aren't
automatically submitted.

~~~
kuschku
> I can imagine this being legitimate interest, can be disabled with DNT flag,
> and it's not personal data. Mozilla signed a legal contract with Google
> which prevents Google from using this information.

Still it would require at least a cookie notice.

> Options -> "Privacy & Security" > "Nightly Data Collection and Use"

That does not disable all telemetry; there were a few discussions about this
on the bugtracker. In Nightly, some kinds of telemetry cannot even be disabled
through about:config as they are set to "locked: true".

~~~
hartator
> I can imagine this being legitimate interest, can be disabled with DNT flag,
> and it's not personal data. Mozilla signed a legal contract with Google
> which prevents Google from using this information.

Actually the do not track and telemetry preferences do not work on the addon
page.

~~~
GlitchMr
Do Not Track should work on the addons page; if it doesn't, it's a bug.

Telemetry settings however don't work unfortunately :(.

------
dvfjsdhgfv
Moreover, many EU companies don't need to update it either.

~~~
jhall1468
And a ton of non-EU companies don't, but are doing so for future purposes.
Despite territorial scope, a company without any form of business in the EU,
they can't enforce this against non-EU businesses.

~~~
krageon
You are wrong. This is a misconception that has thankfully died down a bit
over the past week or so, but apparently it is still a bit alive. There are
accords in place between (for example) the US and the EU, which allow the EU
to hand out fines overseas. The reverse is also true (the US can and does
litigate in the EU).

~~~
jhall1468
Show me case law where an EU government fined a US company and how they
enforced payment of that fine.

~~~
krageon
When did I mention case law? Shouldn't you be asking me for proof of the
accords I mentioned, which is what I'm actually talking about?

~~~
mbesto
So where is the evidence of the accords? How will they enforce it?

~~~
jhall1468
You won't get a response. There aren't any accords and there's no way to
enforce it. It's empty threats.

------
AznHisoka
Good. Now make sure you don't email me to tell me your privacy policy has not
changed, please :)

------
kadenshep
GDPR is the best thing to have happened to the internet in a long while.

~~~
diego_moita
I downvoted because your comment doesn't add anything to the discussion and,
in the context of this post, looks a bit like trolling.

There are people that like and do not like the GDPR. Telling that you belong
to one group is not even information.

~~~
kadenshep
I'm stating an affirmative position. You wrote two paragraphs explaining why
you clicked a button because you don't think my post adds anything to the
discussion, or is somehow trolling.

