
Update: Looking Glass Add-On - runesoerensen
https://blog.mozilla.org/firefox/update-looking-glass-add/
======
cddotdotslash
The amount of negative press this received nearly cancels out all the positive
news from Quantum's release barely a month ago. It's such a shame that the
years of hard work and effort on the dev teams are being overshadowed by such
a ridiculous marketing mistake. For a browser that is one of the last big
proponents of a privacy-centered, user-first web, these kinds of mistakes
can't happen... period. Now it's nearly back to the starting line on
re-gaining user trust again.

~~~
GunlogAlm
> The amount of negative press this received nearly cancels out all the
> positive news from Quantum's release barely a month ago.

Which is silly, IMO. What did this addon actually _do_, besides be installed
without user consent? If this article is correct, the addon was installed
automatically but was not 'activated'. Seems like a fuss over nothing, to me,
but somebody correct me if I have the details wrong.

~~~
whalesalad
It's not what the extension did or did not do, it's the fact that Mozilla was
originally a champion of privacy, open-source, and free software. The entire
purpose of this browser was to escape the corporate bullshit of Netscape/AOL.

I switched from Chrome to the latest Firefox browser due to the awesome work
the team has done on bringing it into the future. Then I find out that it
comes pre-loaded with Pocket and this dumb ass game extension for a TV show
promotion? Are you joking?! Fool me once...at least you can expect the level
of integration you get within Google/Chrome.

This was _completely_ incongruent with the ethos of Mozilla and Firefox. That
is why this is a big deal. It's a huge slap in the face to those of us who
choose to use this software because we know it WON'T do things like this.

~~~
endisukaj
What's wrong with Pocket?

~~~
yarrel
What's right with it? If I want to install it I will. I don't, but Mozilla
feel that is their choice to make, not mine.

You can't remove it (and disabling it is hard enough), so you cannot reduce
the attack surface of your browser if you don't use it.

It's also really badly integrated into the new mobile version.

~~~
r3bl
> and disabling it is hard enough

There's no need to disable it since nothing happens _until_ you click the
button. Removing the button itself is as simple as right-clicking it and
clicking on the (only) available option: Remove from Address Bar.

~~~
Hello71
but... why do I have to?

"there's no need to remove the crapware bundled with [pick one: Android,
Windows, Ubuntu] since nothing happens _until_ you click the button. Removing
the button itself is as simple as [opening the Settings, opening Control
Panel, apt-get remove]." mozilla is in a seriously bad spot if it's lowering
itself to the level of Acer, HP & co bundling crapware to the brim.

------
gfodor
I fully understand and empathize with the reaction that has happened and now
that Mozilla (my employer) has a statement apologizing and committing to a
public post-mortem (which I fully support) to the folks who are raising issues
with the timing and sequence of events leading up to the response itself since
Friday (I won't comment on the incident itself, since that's the job of the
post-mortem) I wanted to mention one thing that may help add some human
perspective:

Mozilla is a distributed organization and was on the last day of its
in-person, week-long, bi-yearly all-hands meeting in Austin on Friday when this
started. At the time, and through large parts of Saturday, _many_ Mozillians
were in last-minute meetings, airports, in the air, or on the road, and were
all concluding a week's worth of meetings where everyone was getting face time
with collaborators and hashing out in person what we're doing for the next 6
months.

I was not involved, but you can imagine that when trying to decide what to do
in response to something like this that many people need to coordinate. So it
was a bit of a perfect storm of having tired humans, many of whom were in and
out of internet access, etc.

edit: I fully understand the frustrated replies -- as I mentioned I personally
feel that the reaction by the community to what happened was justified -- I
wrote this not to comment on what happened (as noted in the post, Mozilla has
publicly committed to a post-mortem) but wanted to provide this info about
this unfolding when a lot of people were traveling, etc. I was happy and
thankful to see this posted today and our rollback of the add-on over the
weekend and hope that the follow-ups planned help us learn and move forward in
a way that the community supports.

~~~
simias
I think this is a big fuck-up by Mozilla but I agree that some of the
reactions are a bit over-emphatic. Actually I hope that this big backlash
means that Mozilla is _less_ likely than others to try something like that in
the future. I personally don't plan on changing web browser and I hope Moz
won't suffer too much for this mistake (if only because I love Rust).

That being said your reply and others before make me a tad uneasy because you
seem to say that it's possible for a small team of, I guess, mostly marketing
people to sneak an extension into a Firefox release "under the radar". Are
you telling me that if I have some access to the Mozilla repos I can wait for
one of these "bi-yearly" meetings and get questionable changes into the next
release? A web browser is a critical piece of software, you shouldn't be able
to push a novelty extension (regardless of intent) willy-nilly.

I think adding a new default extension in Firefox should go through _tons_ of
scrutiny and code review. And if that was the case I can't imagine that nobody
would've raised a big red flag along the way saying "wait guys, are we sure we
_really_ want to do this?"

~~~
gfodor
No I wasn't saying that at all, and wasn't commenting on anything having to do
with the roll out of the change, etc.

Also the stated goal from here by the folks working on remediations for the
post mortem is this can't happen again so hopefully what is shared at that
time will help alleviate concerns.

------
chrisseaton
> Over the course of the year Firefox has enjoyed a growing relationship with
> the Mr. Robot television show

This line is just absolutely crazy by itself when you think about it.

Why does a browser team have any kind of relationship at all with some TV
show? What is going on?

~~~
gkoberger
Mr Robot is a very activist show. It's entertainment, sure, but it's also
attempting to send a message to its viewers. Mozilla is attempting to push
the same message. Aside from this misstep, what's wrong with that?

~~~
subjectsigma
(Somewhat off-topic, but Mr. Robot as an "activist" show is heavily steeped
in irony. Not only is the show a huge cash cow for a massive corporation, but
much of the second season is focused around the main characters realizing this
whole cyber-socialist revolution thing isn't what it was cracked up to be.
There's also insanity, violence, and heavy drug use, and things become more
abstract and more insane as the show progresses. It's very dark and somewhat
disturbing. Good television, but not sure that's a message Mozilla really
wants to align with?)

~~~
mplewis
Yes, in a capitalist system, money comes from somewhere, and there's no
ethical consumption. It's possible for that to happen and Mr. Robot to still
carry strong anti-capitalist, anti-1%, pro-digital freedom messaging.

~~~
golergka
> It's possible for that to happen and Mr. Robot to still carry strong
> anti-capitalist, anti-1%, pro-digital freedom messaging.

What? I must admit that I haven't watched the third season yet, but the
aftermath of the "revolution" shown in the second is a perfect rebuttal to the
idiotic anti-capitalist ideals of the main heroes. When I started watching, I
was afraid that it would turn into a typical "occupy something" propaganda,
but it turned out much more intelligent and thoroughly implemented jab at its
own characters.

------
2g67vupsoknn
> Even when turned on no user data was collected or shared.

This is disingenuous at best.

The extension (when enabled) injects an extra HTTP header into your browser's
requests to 3 specific sites[1], (at least) one of which appears to be
operated by NBC Universal.

Are we really supposed to believe that _all_ of the servers handling these
"special" requests were set up without any kind of logging enabled? That NBC
Universal wasn't tracking how many times each page was loaded? And from which
IP addresses? And when?

Mozilla needs to clarify what they meant by "user data" and "collected" here.
Seems like they're trying to hide the fact that your data WAS collected -- by
a 3rd party, which is perhaps worse.

[1] [https://github.com/mozilla/addon-wr](https://github.com/mozilla/addon-wr)

~~~
rpns
It required turning on via an about:config preference, the code on GitHub
seems to have changed since then for the separately installed version.

If you look into the repo history you can see what it was doing before:

[https://github.com/mozilla/addon-wr/blob/21ff53d2d5baab591d2...](https://github.com/mozilla/addon-wr/blob/21ff53d2d5baab591d29b4ea5847d74cb6901b2c/addon/bootstrap.js#L15-L39)

~~~
2g67vupsoknn
Thanks for the additional information.

In any case, the claim that "no user data was collected or shared" is suspect.

Users who enabled the extension and visited NBC Universal's site (and others)
were sending extra HTTP header data to the server, data that identified them
as a Firefox user, of a specific version, who had a particular extension
installed -- that's how the "engagement" worked.

Do you think the server(s) that handled these types of "special" requests were
configured to specifically _not_ log the incoming traffic or extra headers?

Do you think that NBC Universal would spend the resources to build an
elaborate[1] ARG focused on digital "engagement" with fans, form a
relationship with Mozilla to promote the show and ARG to Firefox users, but
also specifically _not_ collect data about those users?

It seems unlikely.

[1]
[https://wiki.gamedetectives.net/index.php?title=Mr._Robot_AR...](https://wiki.gamedetectives.net/index.php?title=Mr._Robot_ARG)

------
hysan
I hope this post mortem includes insight into how the bug tracker is being
handled. We've now seen with Cliqz and Looking Glass that there are certain
members of the Mozilla team that have no qualms with making controversial
tickets private and locking/deleting comments in public tickets. That's not a
behavior that fosters trust in a community that is in dire need of it.

~~~
Crespyl
There's something to be said for firm moderation in public forums, but there's
a point at which it starts to look like evasion and shutting down discourse
rather than making forward progress and winning hearts and minds.

I hold Mozilla to a very high standard of openness, transparency, user rights,
and technical competence; something they've invited (and indeed earned) in the
past, and they need (and, I hope, still _want_) to be called to account when
they fall short of that standard.

------
pablo-massa
It's hard to forgive. I believe that ethical branding exists, and Mozilla was
able to create an emotional relationship with many people, that's why this
issue hurts deep for many.

When I can't uninstall the Google Plus app from my Nexus 5 I get mad, when
Apple put that U2 album on every iPhone I laughed, but this was different, it
was disappointing, I feel the same vibes when I do an Ubuntu fresh install and
see those Amazon links, but this is even more unexpected, I just can't believe
it when I read it, for me, it can be told as a joke on when Mozilla lost its
principles, I just can't see it as a silly marketing decision, sorry.

For the people who also get emotional, I encourage you to think of all the good
stuff that Mozilla did, and try to forgive this big conceptual mistake, but
don't try to forget about it.

Note: My English isn't the best and I'm from my phone.

~~~
mercer
I had this 'relationship' with Mozilla until the Pocket and Cliqz(?) debacles.
Either one of these I'd have shrugged off as a misstep, but having done both
kind of squandered the goodwill.

And now with this too I think the only way to get me 'back' (and probably many
others) is not just some words and promises, but an explanation as to
_why_ they keep doing this kind of stuff, and some concrete solutions to keep
it from happening (firing one or more higher-ups?).

I'm rather skeptical that they will actually 'change their processes', but I
really hope they do.

While it might seem overblown, I'm even _more_ inclined to stick with Chrome
because at least that's a known 'evil', and do any sensitive stuff in Safari.
I don't want it to be that way, but it do.

~~~
CannisterFlux
Have you been reading the Mozilla Glassdoor reviews?
[https://www.glassdoor.com/Reviews/Mozilla-Reviews-E19129.htm](https://www.glassdoor.com/Reviews/Mozilla-Reviews-E19129.htm)

I'm subscribed to the RSS feed and I think there are clues in the posts over
the last couple of years to explain why Mozilla feels so fake nowadays. Here
are some choice quotes (FWIW I use Firefox on Desktop and Android pretty much
exclusively, I think the product is great but the marketing is terrible):

"I have never worked for a company with so many middle managers."

"Full of corporate middle managers with not much to do. Expect many meetings
with product managers, engineering managers, project managers, strategy
managers, with one developer to solve simple problems."

"Management is rotten to the core. The company is very top heavy with some 30
executives that travel the world first class to have meetings in lavish places
but in the end nothing comes from it."

"Cut the corporate bs at the top and empower the people doing actual work to
drive where the company goes."

"Company vision and mission is feel-good therapy for the upper inner-circle.
The company is bleeding talent and the core business is imploding."

~~~
Crespyl
Those are tragic to read.

There's some really good technical work still coming out of the org, Rust,
Servo, and the various pieces of Quantum have me more excited about software
than I have been in a while; but the increasing number of _non-technical_
missteps are making it hard to support the company as a whole.

------
seanwilson
> Instead of giving users the choice to install this add-on, we initially
> pushed an update to Firefox that installed the “Looking Glass” add-on for
> English speaking users. This add-on was installed and set to ‘OFF’ and made
> no changes in the user experience unless it was explicitly turned on by a
> user, but it was added.

Why was this done over asking the user to install the add-on themselves? Given
relatively few people were going to use this, why push it to every English
speaking user? It's not like enabling an extension or installing one is much
different in terms of UX but allowing the former is much more intrusive for
everyone not interested in "Looking Glass".

~~~
Vinnl
These kinds of things usually happen due to people being so focused on their
project at hand, that they become unable to see how the experience would be
for people not involved in the project. You can see this happening all the
time if you work in a semi-large organisation.

~~~
digi_owl
And the FOSS world seems to have attracted a megaton of this myopia in recent
years it seems. Victim of its own success?

------
devit
Why is the "Chief Marketing Officer" apologizing?

Is he the person in charge of which code gets shipped to Firefox users? If so,
that seems rather bad, and it ought to stop.

If not, maybe the person in charge (probably the CTO) should be the one
apologizing for letting them ship this thing?

~~~
anygregor
Mozilla doesn't have a CTO any more. The SVP of Firefox should have been the
decision maker in this case.

------
bjt2n3904
So this is coming from the Chief Marketing Officer...!? If this was a
marketing/advertising related debacle, then the buck stops with him.

Either he approved this (which shows privacy isn't on his list of concerns),
or he doesn't know what his marketing department is doing (which doesn't speak
volumes about his leadership).

Interesting that no other Chief Officer is writing the letter.

~~~
int_19h
What really surprised me about all this, is that apparently not a single
person involved in shipping the extension had any concerns about that whole
"install it for everyone, oh, and it shouldn't show in list of extensions
either" (it did, but that was a bug - it wasn't supposed to).

It would seem to imply either that there are very few people involved in that
decision - which is strange, because, given the privacy and security
implications of this kind of stuff, this is exactly the sort of thing where
you get formal sign-offs, probably including legal. Or that there were many
people, but none of them cared - which doesn't speak well of Mozilla's
internal priorities...

~~~
rocky1138
> apparently not a single person involved in shipping the extension had any
> concerns

You don't know this for a fact, do you? A lot of discussion goes on at
companies that we don't always know about before a decision is made by someone
holding a more senior position.

~~~
int_19h
I don't know this for a fact. But I'd expect "told you so" public posts by now
if that were the case.

------
cjsuk
_"We didn't think hard enough"_ is the 2017 version of _"we thought we could
get away with it"_

~~~
reustle
You're right, but it started a few years ago. At least.

------
jarym
"We took immediate actions to correct this" - no you didn't, you immediately
tried to justify it!

You made an indefensible mistake and then tried to defend it. Totally
inadequate for anyone in a CxO position and the only reasonable response is to
step down imo.

~~~
r3bl
How did Mozilla try to defend it?

~~~
cjbprime
The initial response published by Gizmodo neither apologizes nor says the
plugin will be removed:

> “Firefox worked with the Mr. Robot team to create a custom experience that
> would surprise and delight fans of the show and our users. It’s especially
> important to call out that this collaboration does not compromise our
> principles or values regarding privacy. The experience does not collect or
> share any data,” Jascha Kaykas-Wolff, chief marketing officer of Mozilla,
> said in a statement to Gizmodo. “The experience was kept under wraps to be
> introduced at the conclusion of the season of Mr. Robot. We gave Mr. Robot
> fans a unique mystery to solve to deepen their connection and engagement
> with the show and is only available in Firefox.”

This new apology -- from the same person! -- now claims that their values
_were_ compromised, but it doesn't say so in a way that acknowledges that they
previously felt differently, or explains what caused them to change their
mind, which leaves it feeling dishonest.

------
suby
I'm happy to see an apology, but there are further steps they could take. I
just did a clean install of Firefox and unless I somehow messed that up, it
looks like user studies are enabled by default. Someone correct me if I'm
wrong here, as I didn't expect that to be the case.

They should absolutely not be running any sort of user studies on people who
may not be aware it is being done, which is going to be the case with the
current setup. The only way it sits right in my mind is if user studies are
opt-in instead of opt out.

This is especially ridiculous as their marketing is focused on respecting
privacy. An apology is nice, but changing this setting would go a long way
towards proving that.

~~~
detaro
I believe that is a strong part of the current outrage: people did not realize
that this existed and was turned on. Since actual studies would collect actual
user data (unlike this now), the fact that it surprises people suggests that
they did not obtain meaningful consent for their data collection.

At least from a quick search, I could not find good documentation what studies
do exactly to avoid or properly handle personal data, it's possible that they
do a very good job of that. (Suggestion to Mozilla: talk about these details
at least after the study is done, show what you found. Hopefully: More
tech-content to publish, less questions, less ugly surprises)

------
burnte
"We didn’t think hard enough about how our actions would affect the community,
and we’re sorry for letting you down."

Yes, I know, Mozilla. I've been telling you this for 18 years now, and you
still don't listen. I've been called annoying, an unfair critic, and an asshole,
and yet I've been RIGHT every time. And I've taken the time to tell you this
for years because I CARE. That's why I spent years as a bug triager, a teacher
to new triagers, a community member, a community news site publisher, and
potential employee. And it's why I gave up on you about 3 years ago.

Mozilla has always had a tone-deafness about criticism pertaining to its
public perception, and I have absolutely no reason to believe it will change.
An idea takes hold, and people who suggest that maybe it might be perceived in
a different light are ignored and shut out. Mozilla can't learn from its
mistakes, and it's very sad, because they're not mistakes that are costly to
avoid.

------
1024core
This "apology" is written by the CMO. Why is the CMO writing this apology? Why
didn't it come from the CEO or the COO, the people actually responsible for
shipping the product?

~~~
Meph504
Because this whole mess was very likely pushed by the marketing dept. and when
things went wrong, and it rolled down hill it landed in their lap.

~~~
blub
Why does the marketing department have the power to force install things on my
computer? What the hell is the technical leadership doing at this company?

What the hell is the data protection officer doing? I hope they have one at
least.

~~~
dcminter
For me, Mozilla needed to answer three questions:

* Do you know you fucked up?

* How did this happen?

* What will you do to ensure this doesn't happen again?

They've only answered the first one (admittedly with the "right" answer) so I
have to assume marketing have the reins and won't be relinquishing them.

------
whois
What's really the big deal? It was sent out disabled. They didn't get paid
for it. It's like if devs snuck in an Easter egg for their favorite show in a
video game.

Everyone keeps calling this the "end of Mozilla" and all that, I think people
are overreacting juuussstttt a bunch.

Chill out, put down your pitchforks, and keep the flag disabled.

~~~
cevn
I'm as big a Firefox fanboy as the next guy. But they didn't send it out
disabled. I never opted into studies but the plugin was enabled on my browser.
If mozilla wants to retain users who value privacy, they need to put their
money where their mouth is and not sell them out for ARG $$.

I'm not the only one, and this apology doesn't admit to that. Therefore it's
as good as, if not worse than, no apology. Definitely considering switching
back to chrome.

~~~
cpeterso
The installed Looking Glass add-on was enabled, but it didn't do anything
unless the user manually set an about:config flag to enable the add-on's
functionality.

~~~
a_imho
Maybe it was harmless, but the browser betrayed user trust.

~~~
enord
Maybe they did something silly that had no real consequences, but the browser
should face consequences.

~~~
Crespyl
Loss of trust is a very real consequence.

------
ben_jones
To regain my confidence mozilla would have to release a real audit log about
how this happened. Because to me it looks like some Hollywood executive is
close to someone high up at mozilla, and that individual at Mozilla shoved an
update straight past QA, something which is unacceptable in such a security
critical piece of software.

Look I get it, companies make mistakes. Quantum was amazing. A lot of Mozilla
work is amazing. But now I know this is something I can expect from Mozilla,
and not from Google chrome.

------
Gatsky
The outrage to significance ratio is off the charts on this one.

~~~
jacquesm
The fuck it is. Mozilla, champion of the free web goes corporate, the first
action after their force-fed update ('for your own good') is to start pushing
this sort of thing? Significance of trial balloons should not be
underestimated.

~~~
Gatsky
I see your point. But large tech organisations commit these faux
pas/atrocities (depending on your point of view) all the time, regardless of
their relationship with profit. I think the reason they happen at all and the
shrill tenor of the associated backlash come from the same place though - a
kind of echo chamber insularity.

~~~
blub
Well, if the US had privacy laws with teeth, said organisations would learn
quite fast not to commit such "mistakes".

As such, all it takes apparently is a corporate drone to push hard enough and
_poof_ go the customer rights.

Food for thought regarding your outrage comment: one does not protect their
rights by bending over every time they are taken advantage of.

------
chris_wot
And what about the non-transparent bug?

[https://bugzilla.mozilla.org/show_bug.cgi?id=1423003](https://bugzilla.mozilla.org/show_bug.cgi?id=1423003)

And no updates on the public bug, _and_ it was summarily closed:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1424977](https://bugzilla.mozilla.org/show_bug.cgi?id=1424977)

That hardly inspires confidence on transparency.

~~~
zbraniecki
I don't have access to the private bug myself, but I can try to reason about
it.

I believe that at this point, opening up this bug would do exclusively harm
and no good to anyone. There's nothing I can imagine in the bug to be of value
to our understanding of the situation. If the people working on it were
oblivious to what they are doing, then it would just look plain stupid from
hindsight 20/20. If the people working on it were aware and hoped that no one
will raise a fuss, then it'll look even worse for them.

The important fact is that Mozilla reacted, and that the leadership does have
access to this bug. Whoever was involved is probably currently involved in
debriefing what has happened there and that bug is part of it.

I hope it'll be open at some point, but I'd hate if access to the bug resulted
in a witch hunt and public shaming of that person/people which, as we all
know, the Internet is great at.

We know that our leadership reacted and we know that they recognize what has
happened. I'm not asking you to trust them, obviously that has to be regained
and the process is painfully slow, but I do ask you to give them time. The
emotional reaction is short-termed. I hope that this incident will have
long-term positive consequences to our project.

~~~
chris_wot
Of course, a witch hunt does no good to anyone and to my mind, it's a mistake
(albeit a bad one).

My issue is that the public bug was closed off early. In future, perhaps the
Mozilla team might take it into account that communication might be smoother
if they keep things more transparent.

I'm a massive fan of Mozilla. In fact, I'm trying to get more folks in my org
to use it instead of Chrome (it's a hell of a lot more stable, and the Chrome
team tends to break our web apps frequently). I largely trust Mozilla far more
than the Google team, and this unfortunate episode, for me at least, just made
me mad because it was such a major cock-up that it was entirely unexpected.

~~~
zbraniecki
I feel you. I really do. It's been a rough week for a lot of us :(

------
dilawar
Well, even though their marketing team did break the user trust, I am not
moving to other browsers. For simple reason that I owe more to Firefox than to
other browsers.

I am sticking with Firefox unless they stoop lower than the other competitors.

Though I liked the backlash over this. Good to keep Mozilla on toes. I'd
rather show tough love to Mozilla than accept 'grim' and move to other
browsers.

------
danso
As a huge Mr. Robot fan, but one who realizes how niche the show is (the
ratings have substantially dropped year after year), I’m embarrassed that
Mozilla sullied its reputation for such a small promo — at least U2 was a huge
band most people have heard of when Apple pushed their music onto users. The
controversy makes Mr. Robot look pretty bad too, even though AFAIK, Firefox
(unlike Amazon’s Echo) never was prominently mentioned on the show.

------
Sir_Cmpwn
This article is not visible from the main page of the blog, or via search:

[https://blog.mozilla.org/](https://blog.mozilla.org/)

Probably a mistake? Probably...

~~~
dumindunuwan
nice catch :D

~~~
Sir_Cmpwn
Credit for noticing this goes to an IRC friend.

------
djanogo
Why does Mozilla have a relationship with a television show? Does the show
promote Firefox?

"..Firefox has enjoyed a growing relationship with the Mr. Robot television
show.."

~~~
detaro
> _does the show promote Firefox?_

That seems to have been the point of running an ARG tying Firefox to the show.
Get viewers to use Firefox to "play".

------
j_koreth
Still heavily disappointed with Mozilla in this case, especially due to the
previous outrage with Pocket.

~~~
justinclift
> due to the previous outrage with Pocket.

Which they _still_ haven't fixed. That's still forced on _everyone_
regardless. :(

~~~
fabrice_d
Mozilla bought Pocket. It would be extremely surprising if they turned their
back on shipping it by default. However it's so easy to disable that this is a
non issue.

~~~
justinclift
Maybe a non-issue for you. Less so for others it seems. :)

------
Veedrac
Imagine you download an update for a video game. In the settings is a new
oddly-labeled toggle that, when enabled, changes a few sprites as an homage to
a popular celebrity.

This button was meant to be hidden by default, but was accidentally shown to
5% of their userbase. The developers later apologised that the wording spooked
their customers, some of whom were aware that certain malicious game mods also
gave opaque additions to the settings page, and removed the change thereafter.

Q: Do you boycott this company?

~~~
CptMauli
The difference is, it is not a video game.

~~~
zolthrowaway
Exactly. GP is not using an apt comparison. For many people, the primary
reason to use Firefox is privacy. They made a massive faux pas against their
primary selling point and people are upset.

Would you consider switching a product if the main reason you liked a product
came into question? I think any rational person would.

~~~
Paianni
Not really, because there aren't any thoroughly supported, mainstream browsers
as clean of spyware features as Firefox.

~~~
zolthrowaway
It would be easier for me to use Chrome. All of my coworkers use Chrome.
Before Quantum, Chrome had better performance [1]. Chrome is everywhere. I
have to test my web apps on Chrome regardless of whether it is my primary
browser or not.

I'm not saying I'm leaving Firefox, but I am going to reevaluate which browser
I choose. Mozilla lost a lot of trust from me and I am going to reevaluate how
I interact with their products.

If supported, mainstream, and clean of spyware are the three boxes you are
trying to check and you still feel Firefox checks them, great. But, now is as
good of a time as any to reevaluate why you are using a browser and if the
browser really meets what you are looking for.

[1] [https://www.digitaltrends.com/computing/best-browser-interne...](https://www.digitaltrends.com/computing/best-browser-internet-explorer-vs-chrome-vs-firefox-vs-safari-vs-edge/2/)

------
chrismartin
We really need a fork of Firefox with all the garbage removed, including the
ability for Mozilla's marketroids to push things at us remotely. (Also
"telemetry", DRM, Pocket, spam on the new tab page, etc.)

A browser should just be a tool which answers to the user. I want my browser
to be like a pair of pliers or a bicycle, neither of which have relationships
with television shows. I think Iceweasel was essentially this, until the
Debian project abandoned the effort.

~~~
TheDong
> removed .. telemetry

We want our browsers to work. Without telemetry, they simply won't be able to
find and solve bugs and crashes effectively.

Without crash reporting and other basic telemetry, it's basically impossible
to know how prevalent certain bugs and configurations... which is of the
utmost importance for making a browser which actually works.

~~~
chrismartin
> Without telemetry, they simply won't be able to find and solve bugs and
> crashes effectively.

Users can be prompted to report bugs with some facility to provide telemetry
(e.g. after a crash), but the browser must ask permission first.

On-by-default telemetry is tantamount to malware exfiltrating information
about your computing activity to a third party.

~~~
pcwalton
> e.g. after a crash

Not "e.g. after a crash", "only after a crash". That's about the only kind of
telemetry you can get on a "prompt on each occurrence" basis like that. Just
monitoring crashes is not nearly enough to create a competitive browser.
Performance bugs, many of which are specific to older systems mostly used by
people who can't be expected to file bugs in Bugzilla, cannot be reliably
caught without some kind of telemetry.

------
jacquesm
What really bugs me is that I had a perfectly good Firefox until a few scant
weeks ago when Mozilla decided to force-feed me an upgrade to new browser tech
that I didn't ask for, screwed me six different ways at once in the middle of
a project where I fairly critically depended on an extension that suddenly
stopped working that had just about half the notes of a project in it and
then, to add insult to injury push their own add-ons down my throat that I
didn't ask for.

For someone who has stood by Mozilla over the last decade or so and who never
switched to Chrome you can't begin to imagine how pissed off I am. User trust
is earned bit-by-bit, you can lose it all in a day. Ask Lenovo how that sort
of thing works.

~~~
zbraniecki
Hi,

I'm sorry you had this experience.

> (...) where I fairly critically depended on an extension that suddenly
> stopped working (...)

We communicated about the old addons deprecation for over a year. I'm sorry
the news didn't reach you, but we tried. If it didn't reach you in time for
a year, I doubt we could have done anything more to not make it sudden for
you.

> User trust is earned bit-by-bit, you can lose it all in a day.

I know. You can imagine how I feel I hope.

~~~
jacquesm
I know the add-ons would stop working, that's why I had a perfectly good FF 52
running which was supposed _not to upgrade_. The fact that it did (on all
three of my machines, no less) caused me no end of annoyance. Fortunately I've
managed to fix it, at the cost of lots of lost time in the middle of a time
critical job.

~~~
zbraniecki
Oh! I didn't see that in your previous message.

Did you file a bug? I don't understand how your ESR channel could update you
to 57 as it's still on 52!

~~~
zbraniecki
Is there a chance you're not on esr channel on Ubuntu?

This is the channel that stays on ESR -
[https://launchpad.net/~jonathonf/+archive/ubuntu/firefox-esr](https://launchpad.net/~jonathonf/+archive/ubuntu/firefox-esr)

Hope it'll work for you and I apologize for the incident!

~~~
jacquesm
Thank you I will look into this. The way my machines were installed is stock
Ubuntu and then Firefox ESR from this link:

[https://download.mozilla.org/?product=firefox-esr-latest-ssl&os=linux64&lang=en-US](https://download.mozilla.org/?product=firefox-esr-latest-ssl&os=linux64&lang=en-US)

That went into a separate directory (~/ff/) with a symlink from
/usr/bin/firefox to /myhome/ff/firefox/firefox

After that I locked down all access to mozilla domains to make sure it would
not do anything funny again.

I'm not sure where that 'channel' link you put there lives, I assume that's
one of the about:config settings?

Possibly it somehow managed to use the settings from the original browser
installed with Ubuntu rather than the ones that it came with. That would at
least explain the weird upgrade behavior.

edit: located the 'channel' setting it's app.update.channel and it is set to
simply 'esr'. But I have no idea what it was in the past, this is a completely
fresh installation in my homedir.

Thank you for all your time, I have to go to sleep now.

~~~
ac29
At the risk of sounding like a Linux snob, there is a right way and a wrong
way to do package management in Linux. Installing binaries into your home
directory then linking them to a system directory isn't the right way, unless
it absolutely can't be avoided. Not surprised this happened -- use the package
management system that comes with your distribution, especially if you have
special requirements on maintaining certain versions.

~~~
justinclift
While you're technically right :), it's pretty common for people to discover
this the hard way.

It sounds like jacquesm's hit that point, unfortunately at a time critical
spot. Probably won't happen twice though. :)

Thinking about this a bit more, it almost sounds like the Ubuntu supplied
Firefox (in the base system) was updated to v57, and likely overwrote the
/usr/bin/firefox link.

If that's the case, then the manually downloaded v52 ESR is probably still in
/myhome/ff/firefox/firefox.

jacquesm, when you have time to check... see if you can launch the version in
/myhome/ff/firefox/firefox directly (instead of using the /usr/bin/firefox
link). It'd be interesting to see which version is in there. :)
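
The check suggested above, written out as an added example (not part of the original comments): it resolves where a launcher path really leads and reads the version and update channel of the build found there. The directory layout and version strings are constructed to mirror the thread, and it assumes the build records them in `application.ini` and `defaults/pref/channel-prefs.js`, as Firefox builds of that era did.

```shell
#!/bin/sh
# Added example: audit which Firefox build a launcher path actually starts.

# Print the directory holding the binary that LAUNCHER finally resolves to.
install_dir_of() {
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] || return 1
    dirname "$target"
}

# Print Version= from the [App] section of application.ini in an install dir.
ff_version() {
    awk -F= '
        /^\[/ { in_app = ($0 ~ /^\[App\]/); next }
        in_app && $1 == "Version" { sub(/\r$/, "", $2); print $2; exit }
    ' "$1/application.ini"
}

# Print the update channel shipped with the build.
ff_channel() {
    sed -n 's/^[[:space:]]*pref("app\.update\.channel",[[:space:]]*"\([^"]*\)").*/\1/p' \
        "$1/defaults/pref/channel-prefs.js" | head -n 1
}

# audit_launcher LAUNCHER WANT_MAJOR WANT_CHANNEL
# Prints one status line. Returns 0 if the launcher leads to the wanted build,
# 1 if it leads to a different build, 2 if it does not resolve to a file.
audit_launcher() {
    dir=$(install_dir_of "$1") || { echo "UNRESOLVED $1"; return 2; }
    ver=$(ff_version "$dir" 2>/dev/null) || ver=
    chan=$(ff_channel "$dir" 2>/dev/null) || chan=
    if [ "${ver%%.*}" = "$2" ] && [ "$chan" = "$3" ]; then
        echo "OK $dir version=$ver channel=$chan"
    else
        echo "MISMATCH $dir version=${ver:-unknown} channel=${chan:-unknown}"
        return 1
    fi
}

# Constructed stand-in for the layout described in the thread, under ROOT:
#   ROOT/home/ff/firefox  manually unpacked ESR (52.0, channel esr)
#   ROOT/usr/lib/firefox  distro package        (57.0, channel release)
make_fixture() {
    root=$1
    for spec in "home/ff/firefox 52.0 esr" "usr/lib/firefox 57.0 release"; do
        set -- $spec
        d=$root/$1
        mkdir -p "$d/defaults/pref"
        printf '[App]\nVendor=Mozilla\nName=Firefox\nVersion=%s\n[Gecko]\nMinVersion=%s\n' \
            "$2" "$2" > "$d/application.ini"
        printf 'pref("app.update.channel", "%s");\n' "$3" \
            > "$d/defaults/pref/channel-prefs.js"
        : > "$d/firefox"
    done
    mkdir -p "$root/usr/bin"
}

demo=$(mktemp -d)
make_fixture "$demo"
# Launcher as set up by hand: symlink into the home-directory ESR.
ln -sfn "$demo/home/ff/firefox/firefox" "$demo/usr/bin/firefox"
audit_launcher "$demo/usr/bin/firefox" 52 esr
# The suspected failure: a package update re-created the link.
ln -sfn "$demo/usr/lib/firefox/firefox" "$demo/usr/bin/firefox"
audit_launcher "$demo/usr/bin/firefox" 52 esr || echo "launcher no longer points at the pinned ESR"
rm -rf "$demo"
```

On a real machine the call would be `audit_launcher /usr/bin/firefox 52 esr`, run after each package upgrade.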

~~~
jacquesm
I realise the timeline is a bit confusing by now but here is the complete
sequence:

- install Ubuntu
- remove OS supplied Firefox package
- install Firefox ESR
- have a 'surprise upgrade'
- re-install Firefox ESR
- have another 'surprise upgrade'
- install Firefox ESR in my homedir
- symlink it from /usr/bin

So now if it pulls any other tricks I can restore the symlink and call it a
day, but for now it looks as if that last move did the trick because since I
did that (and dropped all FF domains in through /etc/hosts) it has not done
any more upgrades, though there is a chance that it attempted to do that.

The one saving grace in the whole story is that at least the plug-ins that got
forcibly removed/disabled had their data survive the whole ordeal.

~~~
justinclift
No worries. :)

------
rebelwebmaster
I wonder if "process changes" include actually enforcing the already-existing
rules around Shield deployments that were outlined on their wiki.

~~~
SethKinast
I don't really plan on giving them a chance; I went to
about:preferences#privacy and removed the permission.

------
SamReidHughes
This was an inactive extension that didn't do anything unless you activated
it, right?

~~~
nkkollaw
Maybe.

What about enterprise installs, where IT must have control over what gets
installed on the company's computers..?

~~~
angus-g
I'd hope they opt out of participating in the shield program?

------
wangii
What I am not happy with about Mozilla is the 'internal review'. Firefox is
open source, Mozilla is a non-profit. Although there must be some things that
need to be kept private, I don't think the review process falls into that
category. In fact, Mozilla, why not take the opportunity to make yourself more
transparent?

~~~
FireBeyond
Well, that was a complaint about the issue from the start. As soon as the red
flags started to get attention on Bugzilla, the "bug" about this was marked
"private/internal only".

------
pasbesoin
Screw all your "legacy" extensions, but here's a crap marketing extension for
you. You're welcome.

~~~
pasbesoin
I actually want Mozilla to succeed -- to be clear.

But there are reasons I use Firefox -- the extensions, as is also the case
with many others.

And I find a bit of irony in a "worthless" extension being force-fed to us,
the month after stable kills off its, well... "stable" of now "legacy"
extensions.

And as for Mr. Robot, since that's the topic of the extension in question, I
imagine he wants, for his browser, to "have it his way."

Security, yeah. But not loss of his ability to filter, "firewall", or even --
gasp -- spoof, what gets sent up and down. Or what _his_ user agent chooses to
do with it.

So, less "cross-branding", and more API updates and enhancements, please.

------
privacywall
I've been following the conversation for the last couple days and I think I
may have a solution.

I have been working on a program to block telemetry tracking at the OS level.
It's called PrivacyWall, and it was originally meant to stop unwanted data
collection by Windows 10. I built this to be a solution to block unwanted data
collection by companies that sell out their customers to advertisers instead of
putting their users first. It is more powerful than an Adblocker because it
operates at the OS system and is able to block tracking by Windows programs
and the Windows 10 operating system. I just added support to block Firefox
tracking with the telemetry urls that Looking Glass is sending data to.

I haven't been able to work on it for the last 3 months because I was trapped
by the hurricane in Puerto Rico without power, internet, water.

It's not ready for prime time, so this is a beta. You can try it here:
[https://www.privacywall.org](https://www.privacywall.org)

I'm making it available for free for non-commercial use. PrivacyWall blocks a
list of known Firefox, Chrome, and Edge telemetry urls and Windows 10
telemetry urls when you turn it on. You can also turn it off easily through
the task tray. After you install PrivacyWall, no program on your computer will
be able to send data to those urls anymore behind your back.

If you try it out and like it or hate it, please send me your feedback. Let me
know if there are more urls I should add to the block list.

I have limited time to continue supporting this project. If anyone is
interested in helping out, let me know.

------
tomc1985
They should have given the same treatment to Pocket and Hello: optional,
manifests as an add-on, and possibly off-by-default for certain kinds of
users. Instead we get value-adds baked directly into the browser itself. I
HATE this new age of corporate-oriented thinking, especially from a company
that claims to reject those values.

I suppose Looking Glass is progress....

------
zakk
I don't think this is the full story. They claim the add-on was disabled by
default, and needed to be manually activated.

Note that the description of the Looking Glass addon was "MY REALITY IS JUST
DIFFERENT THAN YOURS."

Note also that I have never activated such an add-on.

Now, if I go to about:studies (for those not familiar with SHIELD studies
[https://support.mozilla.org/en-US/kb/shield](https://support.mozilla.org/en-US/kb/shield)) I see the following 'study':

pug-experience Complete • My reality is different than yours

So, there was a Mozilla study, with almost the same shady description, which
DID run by default, at least for some users.

Are the Looking Glass add-on and this SHIELD study completely unrelated? Why
do they share the same description? Why is Mozilla using these shady
descriptions in the first place?

Probably I am just being paranoid, but Mozilla has done nothing to gain my
trust, lately.

~~~
Manishearth
> Are the Looking Glass add-on and this SHIELD study completely unrelated?

The addon is the shield study. Shield is the mechanism for deploying addons
(usually A/B tests) to release populations.

What was enabled was a small piece of code[1] that would enable the _full_
addon when a pref was flipped.

[1]: [https://github.com/mozilla/addon-wr/blob/master/addon/bootstrap.js#L20-L41](https://github.com/mozilla/addon-wr/blob/master/addon/bootstrap.js#L20-L41)

------
Sohcahtoa82
I just wanna know what kind of idiot thought this was a good idea from the
beginning.

I mean, I'm just a cybersecurity guy and a software engineer. I'm no PR
person. But it doesn't take a PR expert to know that the world would
eventually find out about an addon getting installed without permission and it
would be a disaster.

~~~
itronitron
If they rename 'addon' to 'ad-on' that might help Mozilla manage user
expectations.

~~~
scrollaway
What are you talking about?

~~~
itronitron
I'm talking about Mozilla using the Firefox 'addon' extensions mechanism to
support an ad campaign, hence renaming the extension mechanism to 'ad-on'
might make it more clear to users what Mozilla is using it for.

~~~
scrollaway
Ads usually have a financial exchange to them. And this didn't use the add-on
system, it inappropriately used the studies system.

~~~
itronitron
it is referred to as an 'add-on' 12 times in the blog post by the Mozilla
executive

~~~
scrollaway
Because it was turned into an addon following the debacle, which was the
correct move. If you're going to make jokes you could at least research the
material?

------
detaro
A bit clearer than the initial empty press statements, but I guess we'll have
to wait for the detailed post-mortems and changes to see how far their
understanding for the various concerns goes. Not much detail here.

------
Traubenfuchs
Mozilla continues its history of adding crap to Firefox that most people don't
want, without asking. Anyone remember pocket?

~~~
Paianni
It's their browser, they can do whatever they want.

~~~
scott_karana
That attitude sure turned out well for Opera.

------
binaryapparatus
While unfortunate it is good that this happened. It will help some 'more
creative' individuals in marketing feel the boundaries they didn't understand.

Comparing FF and Chrome security/privacy wise is ridiculous, I really don't
understand that anybody tries to compare those two.

~~~
pmlnr
People were comparing it to Chromium. Chrome and Chromium are not the same.

~~~
Paianni
Chromium still has more pervasive spyware features than Firefox with all the
data collection options enabled.

------
paulie_a
I would honestly like to know who thought this was a good idea. Screw the
press release of "we"

------
rootlocus
> We didn’t think hard enough about how our actions would affect the community

Which can be interpreted as "we didn't expect you to be such whiny bitches". I
was hoping for something along the lines of "this breaks our principle
<<Transparent community-based processes promote participation, accountability
and trust.>> [1]". But PR seems to be more important than respecting
principles.

This time it was a disabled marketing addon. Next time it might be something
worse. Betraying your core principles is a serious red flag.

> Over the course of the year Firefox has enjoyed a growing relationship with
> the Mr. Robot television show

And this is the first time I hear of it.

[1] [https://www.mozilla.org/en-US/about/manifesto/#principle-08](https://www.mozilla.org/en-US/about/manifesto/#principle-08)

------
weerd
Funny thing about this whole situation... I've never heard of Mr. Robot until
now and after reading about it I want to watch it.

------
lovelearning
Why would anybody do something like this that installs unwanted software on
millions of devices worldwide just to provide entertainment to a handful of
fans of some television show most users, I suspect, haven't even heard about?
I have difficulty believing that there was no payment; if there wasn't any
payment, what exactly was Mozilla gaining from this?

~~~
elaus
They got screen time on the TV series and apparently some "sponsored by
Firefox" mentioning in the credits (?). So the whole "unpaid" thing is a bit
misleading as they did get something in return (which has direct cash value).

------
zaro
> We didn’t think hard enough about how our actions would affect the
> community, and we’re sorry for letting you down.

It's OK Mozilla. Don't be too harsh on yourself. Everybody makes mistakes. We
still love you :)

------
a_imho
It is pretty frustrating that moz://a is better at entrenching Chrome than
Google.

------
martin_andrino
I just hope this makes the outraged people quiet for a while. This is a clear
apology and Mozilla seems to have learned the lesson. Let’s now show some love
and support for this powerful open-source organization.

~~~
jacquesm
For a clear apology there are some mighty funny sentences in there, I suggest
you read the thing again.

~~~
tiltdil
It seemed like a fair apology written by a non-tech person who may not
understand the situation 100% and was given some bullets to write about.

We must forgive them and stop being so negative. They've made their apology.
If _this specific_ thing happens again then I'll join you with some pitch
forks.

To be so negative and full of hate isn't healthy for anyone.

~~~
btschaegg
> It seemed like a fair apology written by a non-tech person who may not
> understand the situation 100% and was given some bullets to write about.

In the context of the last big "good guys" entity in a sector where technical
understanding is key, this might make it even worse. User trust is the single
thing the browser ecosystem boils down to.

I don't think you're accurate in identifying hate as the catalyst for this
issue -- I'd go with _concern_. And seeing one's concerns handled with such
thoughtlessness does foster negativity.

We care because we know FF is the best mainstream pick when it comes to
privacy and user rights, and seeing Mozilla go down that route reminds us that
we're very easily screwed.

------
guelo
Jascha Kaykas-Wolff should be fired. Marketing shouldn't be allowed to modify
the shipping bits at all, even if the Chief Marketing Officer tells them to.
Any and all product changes should go through engineering and be tracked in
bugzilla. The CMO can file a ticket in the open just like anybody else can.

~~~
dang
This counts as a personal attack. Those aren't ok on HN and we ban accounts
that do it, so please don't do it again. You may not owe better to whoever
installed an extension in your browser but you do owe better to this
community, if you want to comment here.

I'd appreciate it if you'd (re-)read
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)
and take the spirit of this site more to heart. Also
[https://news.ycombinator.com/newswelcome.html](https://news.ycombinator.com/newswelcome.html).

p.s. Your comment without the first sentence would be fine.

------
DonHopkins
Fixed Firefox spelling and URL master (#43) @gregglind gregglind committed 4
days ago:

\+ "description": "MY REALITY IS JUST DIFFERENT THAN YOURS.\n\nLooking Glass
is a collaboration between Mozilla and the makers of Mr. Robot to provide a
shared world experience. Are you a fan of Mr. Robot? If so, join the hunt for
answers!\n\nParticipating in this shared world experience requires explicit
user opt in. If you are not actively participating in the ARG (Augmented
Reality Game) no modifications will be made to
Firefox.\n\n[https://support.mozilla.org/kb/lookingglass"](https://support.mozilla.org/kb/lookingglass"),

 _Sigh_. Again [2], it's definitely not an "Augmented Reality Game". And it
hardly qualifies as an "Alternate Reality Game", which is defined as "intense
player involvement with a story that takes place in real time and evolves
according to players' responses". [3] How does this extension affect the
evolution of the TV show's plot? If there's not interactivity and feedback,
it's Alternative Reality Static Content (aka Alternative Facts), not a game.

For what it's worth, we developed a TV show with Current TV called "Bar Karma"
[4..7] along with a web site and mobile app, enabling viewers to
collaboratively write, discuss and vote on the scripts of each episode. But as
far as I can tell, that's not the point of this extension.

[1] Fixed Firefox spelling and URL master: [https://github.com/mozilla/addon-wr/commit/fdd61682e5b8ef778a5c3e8dd688d1cd28b2a4a6](https://github.com/mozilla/addon-wr/commit/fdd61682e5b8ef778a5c3e8dd688d1cd28b2a4a6)

[2] Not AR:
[https://news.ycombinator.com/item?id=15936727](https://news.ycombinator.com/item?id=15936727)

[3] Alternate reality game:
[https://en.wikipedia.org/wiki/Alternate_reality_game](https://en.wikipedia.org/wiki/Alternate_reality_game)

[4] Will Wright's Current TV show shooting pilot this week:
[https://www.engadget.com/2010/08/20/will-wright-current-tv-show-shooting-pilot-this-week/](https://www.engadget.com/2010/08/20/will-wright-current-tv-show-shooting-pilot-this-week/)

[5]
[https://en.wikipedia.org/wiki/Bar_Karma](https://en.wikipedia.org/wiki/Bar_Karma)

[6] Bar Karma | Trailer:
[https://www.youtube.com/watch?v=JIlTVoedDXY](https://www.youtube.com/watch?v=JIlTVoedDXY)

[7] Will Wright Talks Bar Karma:
[https://www.youtube.com/watch?v=5tsWTb9RHSQ](https://www.youtube.com/watch?v=5tsWTb9RHSQ)

------
pkamb
> unpaid collaboration

Even _worse_ if this wasn't a google-like revenue deal.

~~~
ufo
Mr Robot advertises Firefox in the TV show.

It is unclear if Mozilla is paying them or if this is an unpaid thing in both
directions.

------
biocomputation
I totally understand that this was not okay, but at least Mozilla apologized
and is in the process of making things right. To the best of my knowledge,
Mozilla is not a greedy, power-hungry org that serves its own interests first.

Every company makes mistakes. Mozilla are really, really, really trying to
actually make the web/society a better place, and they deserve support from
anyone who actually cares about these things. I get that stuff like this isn't
cool, but at least they are responsive.

We are as close as we have ever been to a complete corporate takeover of the
web, and now is not the time for those of us who support Mozilla to turn against
them or each other.

------
haZard_OS
I'm glad that Mozilla has responded in this way. My disappointment remains,
however.

I am one of those not affected at all by the Looking Glass extension but
still, my trust in Mozilla (which has been eroding as of late) has suffered
greatly.

I am giving Mozilla exactly one more chance before uninstalling FF on every
device I have. In the meantime, I will no longer volunteer for ANY data
collection.

Last chance, Mozilla.

~~~
orf
But.... why? And what browser on god's earth are you going to switch to that
has the same respect for privacy as Firefox (excluding poorly maintained FF
forks).

It's a blip, one you were not affected by at all and in the scheme of things
not major compared to other vendors. But hey, boo mozilla uninstall everything
and use lynx/curl!

~~~
cuckcuckspruce
Mozilla as an organization and Firefox displayed their reckless disregard for
my privacy. It would be foolish to dismiss it as just a blip.

If Mozilla cared about people trusting them with their privacy then they
shouldn't have eviscerated that trust by installing an extension (even switched
off) behind their back.

They did this with Looking Glass, they did this with Pocket, and they did this
with non-free WebRTC support. Three strikes and you're out!

~~~
orf
Ok, so are you going to be using Edge or Chrome, and which of those respects
your privacy more than Firefox.

No organisation is perfect and you have a right to be angry, but you're being
a bit extreme IMO. It's much more nuanced than three strikes and you're out,
and it's a shame to reduce it to that level.

------
j_s
I read some other news story on this today. Is there an actual apology yet?
And if not, does it matter?

In my mind, no apology is better than a 'sorry you were upset' non-apology,
but there are apologies that manage to seem genuine as well. As I write this I
am reminded of the show 'The Orville's "apology tour"... I don't necessarily
think an apology is needed or helpful.

Always interested in examples of corporate PR, whether negative, neutral-ish,
or positive.

Edit: obviously I don't care enough(?) about the specifics of this instance...
Hopefully it's also obvious that I appreciate the chance to evaluate the
community's response to a favored company. Mozilla seems to be allowed quite a
bit of leeway.

~~~
r3bl
If you actually read the article, I'm pretty sure you'll find the words "we're
sorry" in there.

~~~
j_s
Thanks. Do you have time to expand on why this counts as a genuine apology to
you (or not?).

Interesting to me that all it takes to count as an apology to some is the
words 'we're sorry'.

I hope to find similar discussion(s) where an HN user practiced his hobby of
rewriting corporate apologies. Also nice to have another example where initial
response can be completely tone deaf with little consequence.

~~~
2g67vupsoknn
You might find this thread[1] of interest.

All you have to do is drop the word "sorry", it doesn't matter if the apology
actually addressed any of the concerns that were raised.

FB was sorry for being "unclear". Mozilla is sorry for "the confusion" and for
"letting down members of [the] community".

The headlines will read "[Company] apologizes for [event that triggered
criticism]" and everyone will carry on as if the apology directly addressed
that event. The lawyers and shareholders will breathe a sigh of relief, and
the matter will soon be forgotten.

[1]
[https://news.ycombinator.com/item?id=15449954](https://news.ycombinator.com/item?id=15449954)

~~~
j_s
Thanks for another example, and the specifics of this one.

From what you've said it doesn't sound like anyone at Mozilla (specifically
the Chief Marketing Officer representing the company) apologized for doing
anything wrong. "letting down" comes closest for sure and may be enough for
most.

