
Firefox installs add-ons into your browser without consent, again - foxrider
https://medium.com/@neothefox/firefox-installs-add-ons-into-your-browser-without-consent-again-d3e2c8e08587
======
rgbrenner
The Firefox Monitor is not a telemetry study. It's this:

[https://blog.mozilla.org/futurereleases/2018/06/25/testing-f...](https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/)

This extension is listed under about:debugging.. the same place where you'll
see other features like Pocket, Form Autofill, and Firefox Screenshots.

It's a new Firefox feature. It's not alarming, and it's not Firefox installing
things without your permission.

Complaining about this is literally complaining that the new version you just
installed has a new feature. If a new version didn't change anything, they
wouldn't need a new version.

~~~
mgurlitz
That post isn't explicitly about a Firefox Monitor extension, and I could only
find this rollout to US users mentioned on 3rd party websites. Those posts
include BugZilla links, but they're restricted.

I can easily disable Pocket, Autofill, and Screenshots in about:config, and
Firefox support explains that. With this extension, I'm missing a
"extensions.fxmonitor.enabled" option.

I understand it's good to build in optional security features like this, but I
don't see how it's acceptable to not notify users or provide an opt-out.

~~~
rgbrenner
Here's an article about the add-on:
[https://www.ghacks.net/2018/08/25/firefox-62-firefox-monitor...](https://www.ghacks.net/2018/08/25/firefox-62-firefox-monitor-system-add-on-integration/)

They are missing the about:config setting.. but it's early. Might be a bug, or
maybe it's not being used(?)

Eventually it'll display a popup in the UI that will notify you if the website
you're on has been breached. I think we can all agree that would be useful.

Edit: Here's the code for the add-on:
[https://github.com/mozilla/blurts-addon](https://github.com/mozilla/blurts-addon)

~~~
maxden
So reading that ghacks article, it goes live to all EN-US users on the 25th
Sept (my browser already has it), but we can't switch it off yet via:
about:config?filter=extensions.fxmonitor.enabled

Pretty poor to roll it out without the option of disabling it, especially as I
also ticked no tracking.

------
abdullahkhalids
Not taking sides on this, but this is what Mozilla has to say about this.
About "hidden addons" [1]:

> It is true that we're now releasing some features internally as something we
> call "System Extension", which technically is the same as an addon you could
> install on addons.mozilla.org, with the difference that these come
> pre-installed with Firefox and there is no way to disable them. We mainly do
> this to be able to ship updates faster, but it's also nice that we have some
> features totally separated, which makes the development process easier for
> us!

And about these particular addons [2]:

> we will measure Telemetry Coverage, which is the percentage of all Firefox
> users who report telemetry. The Telemetry Coverage measurement will sample a
> portion of all Firefox clients and report whether telemetry is enabled. This
> measurement will not include a client identifier and will not be associated
> with our standard telemetry.

[1] [https://superuser.com/questions/1117062/what-is-the-web-comp...](https://superuser.com/questions/1117062/what-is-the-web-compat-firefox-addon-avast-suggest-removing)

[2] [https://medium.com/@neothefox/firefox-installs-add-ons-into-...](https://medium.com/@neothefox/firefox-installs-add-ons-into-your-browser-without-consent-again-d3e2c8e08587)

~~~
jake_the_third
> we will measure Telemetry Coverage, which is the percentage of all Firefox
> users who report telemetry. The Telemetry Coverage measurement will sample a
> portion of all Firefox clients and report whether telemetry is enabled. This
> measurement will not include a client identifier and will not be associated
> with our standard telemetry.

Telemetry for telemetry. Nice.

~~~
trendia
> Telemetry for telemetry. Nice.

It's just a matter of time until some developer poses the question:

"Are people who opt out of telemetry more likely to use Linux? Or live in
Europe? Or have NVidia GPUs? Or... "

and gosh darn everyone else at Mozilla begins to wonder the same thing, and
the best way to answer that question is to include it in your "totally not
telemetry" telemetry reports, and then we're back to Square One.

------
gergles
Yeah, this is absurd. If I am opted out of telemetry, that means _don't send
any fucking telemetry_. That includes the fact that I opted out of telemetry.

If you aren't going to let me opt out of telemetry, don't give me the option.
It's clear Mozilla is absolutely desperate to get 'telemetry' data to justify
the continued Mickey Mousing of Firefox and I will happily cast aspersions
from here about how I'm sure they'll say "well only 2% of users don't send
telemetry, so whatever data we get from it lets us drive all our development".

Edited to add: From the bug, you can go into about:config and add a
New>Boolean pref "toolkit.telemetry.coverage.opt-out" and set it to true to
opt out of this totally-not-telemetry telemetry.

~~~
eli
It seems wrong to assume malice

~~~
gergles
Eh, they snuck in a hidden extension to specifically send telemetry for people
who don't want to send telemetry, and expressed publicly that that was the
intent behind the extension.

I'm not really assuming much malice there. I am assuming malice in how they'll
use the data, but given their past track record of removing features based on
telemetry data, I don't think I'm making too big a leap.

~~~
sjwright
But if they embedded the feature into the core rather than into an extension,
that would have been okay? Seriously, you're complaining about an
implementation detail.

~~~
bigbugbag
You're mistaken, the issue is not about extension or core, the issue is that they
specifically added code to track and monitor people who expressly choose not
to be tracked or monitored by mozilla.

telemetry used to be opt in, it's been changed to opt out. And now those who
have opted out have their own special telemetry that cannot be disabled.

~~~
sjwright
Unless you never use your web browser to visit any website ever, I just don't
see what the issue is here. The information they're gathering is outrageously
trivial and thoroughly anonymised.

This whole discussion shows an absurd lack of perspective by some people,
particularly in the light of what Chrome does... or what Android does... or
what LITERALLY EVERY SINGLE TCP CONNECTION TO LITERALLY ANYTHING ELSE ON THE
INTERNET does...

------
51lver
GNU icecat is a firefox fork with many privacy violating issues removed. It's
pretty nice.

~~~
ewzimm
This is one reason why GNU is so important. Some people might think they're
zealots about free software, but if you have to trust someone with your
software, wouldn't you rather trust someone who has built their reputation on
respecting privacy and freedom? It goes beyond the debate about software
licensing.

------
Insanity
I have also opted out of data collection for firefox, but the mentioned
extensions in the article can not be found for me.

I can, however, find one under the telemetry heading called "follow on
search".

EDIT: I'm using Firefox quantum 60.2.0esr. Just because the add-on is
installed does not make it active though, I can't see it as being active (or I
can not find an option to enable / disable it anyway)

~~~
rhelmer
This is only being served to Release channel users currently (per the bug in
the extension ID,
[https://bugzilla.mozilla.org/show_bug.cgi?id=1487578](https://bugzilla.mozilla.org/show_bug.cgi?id=1487578))

ESR users are on a separate channel.

------
mishurov
Makes inappropriate advances.

------
remarkEon
This is annoying, yes.

Changing the default search engine to yahoo every time there's an update is
equally annoying.

~~~
asadotzler
Firefox doesn't do this. Third party software on your system (look at
downloaders, anti-virus apps, etc.) is doing this to Firefox. Firefox's search
default is Google and if it's changed by you you'll know it and if it's
changed by an extension you installed it'll say so in the Search preferences.
I may be able to tell you which piece of malware on your system did this to
Firefox if you'll do a search for something and paste the address here so I
can look at the search address parameters.

~~~
bigbugbag
Firefox did change default search engine to yahoo at some point, IIRC it was
around the time yahoo was trying to sell itself at the best possible price.

I remember having to go through a dozen clients to fix their custom settings
for search engines that had been switched to yahoo and eventually migrating
some of them from firefox to waterfox.

------
jstewartmobile
Web is already an exploitative platform. Mozilla's just trying to keep their
end up.

Most of the good stuff is libre anyway. Self-host a Wikipedia mirror and some
python docs, use lynx, and let Google/Mozilla/Yahoo/et al. put that in their
pipes and smoke it.

