
Mozilla's page talking about privacy has Google analytics enabled - hippo8
https://shapeoftheweb.mozilla.org/trust/governmentSurveillance
======
taspeotis
Mozilla have a Google Analytics Premium account and they try to minimize the
information they share [1].

    
    
        Our Google Analytics premium account is set to opt-out on all of 3rd party
        uses of the data and the only people who have access to the anonymous
        aggregated data is Mozilla Employees. This is not the normal Google
        Analytics setup that most people use on other websites.
    
        Also, to increase privacy we flipped the anonymize flag in the Google
        Analytics request...
    

[1]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1122305#c8](https://bugzilla.mozilla.org/show_bug.cgi?id=1122305#c8)

~~~
vog
Why don't they simply analyze the log files on their own, without sharing that
data with other companies?

For example, running some log files offline through AWstats is not that hard,
and the AWstats output is quite good for most purposes.

~~~
vdaniuk
>AWstats is not that hard, and the AWstats output is quite good for most
purposes.

You haven't done any serious web analytics at scale, have you?

~~~
cbd1984
You're missing the point so comprehensively I have to conclude it's
deliberate.

~~~
vdaniuk
Huh, am I? Has anyone offended by this "transgression" of privacy by Mozilla
thought this through to its logical conclusion? Let's see.

1. Mozilla is one of the good, independent orgs that don't have profit as
their main goal. They do fight for the interests of the community at large.

2. If they remove third-party analytics from their web properties, Mozilla
instantly loses valuable actionable insights that significantly increase their
efficiency as an organization. Creating a viable alternative to Google
Analytics is practically impossible for Mozilla due to lack of resources.

3. If Mozilla loses operational efficiency, Google/Microsoft become more
powerful and are able to obtain more users for Chrome/IE. They use all
analytics they need. Fewer users for Mozilla means less income from search
engine deals and less influence.

4. No meaningful privacy increase for users is achieved, Google Analytics is
now installed on (billions - 1) websites.

So. You want a non-profit with proven track record of shipping great software
and protecting the interests of individuals to take a significant hit in the
name of hard-line ideological principle that won't really benefit the users.

I guess I am missing the point.

~~~
mattmanser
I mean this in an honest way, but what actionable insights?

Mozilla aren't selling anything on that page. They won't be making key
engineering decisions off of the page.

Could you detail the gains that they could make that makes the world a better
place? That justify _any_ sort of tracking over '300,000 people viewed this
page today' that you can get from your own logs?

There is some data that might be _occasionally_ useful, like screen sizes, but
only _occasionally_.

~~~
Osmose
Off the top of my head, based off things we normally look for in our
analytics:

- See how people get to the privacy page from where they enter the site.
Useful to see if some categories are getting more traffic than others, so that
we can re-balance if, for example, we think that Privacy is not getting the
attention we want it to.

- See how long people are staying on this page. What if the writing or
infographic don't make sense to users? We can try and improve them so that
users come away with a better understanding of privacy.

- How are users interacting with those circles? If they're not hovering over
any of the circles, maybe we should make it auto-switch between them to draw
the user's eye over. Or maybe if they're only hovering over the first three,
we should make those first three the most important aspects of privacy to make
sure they're seen.

The goal of Shape of the Web is (in my eyes) to educate users about the issues
that the open internet faces today, and to help give them a framework for
thinking about what the web is (it's hard to think about a thing if you don't
know how it's "shaped"). All of these metrics help us improve the page's
ability to convey information so we can better educate users.

~~~
pdkl95
> - See how people get to the privacy page from where they enter the site.

You don't need a 3rd party to learn the order of pages you served to any given
client. That one is so simple you only need 'grep' and the server log.
(aggregation into whatever statistics you want to learn is a trivial exercise
left for the reader)

> - See how long people are staying on this page.

The entire point is that you _do not_ have a right to that information, other
than what you can infer from the client later loading another page. Applying
technical methods to gain access to private information like this simply makes
you the spy invading people's privacy. Worse, as most people do _not_
understand these technical details, you are an eavesdropper who is preying on
ignorance.

> so that users come away with a better understanding of privacy.

...while you simultaneously violate the same user's privacy. Do you seriously
not understand that you're making the "We had to destroy the village in order
to save it" style of ends-justify-the-means argument that ignores how you've
started to act like that which you are supposedly fighting against.

> hovering over

Again, the _entire point_ is that you don't get to know that information. That
is a perfect example of the type of data the privacy-focused people are trying
to protect. We really don't give a _damn_ if that information is _useful_; if
you're recording anything beyond the HTTP requests you receive (the explicit
request from the client), then you are the spy and therefore the enemy. If you
want to understand how effective your pages are, _find another way_ to deduce
that information. This is why traditional businesses pay people to participate
in focus groups, to name one example.
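
The first-party approach argued for in the comment above, sketched as an added example (not code from the thread or from Mozilla): it derives the routes visitors took to a page using only the server's own access log. The combined log format, the constructed sample lines, the function names and the salted IP/user-agent visitor key are assumptions made for this illustration.

```python
import hashlib
import os
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [18/May/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "UA-A"
192.0.2.10 - - [18/May/2015:10:00:09 +0000] "GET /trust HTTP/1.1" 200 4096 "-" "UA-A"
198.51.100.7 - - [18/May/2015:10:00:12 +0000] "GET /access HTTP/1.1" 200 4096 "-" "UA-B"
192.0.2.10 - - [18/May/2015:10:00:30 +0000] "GET /trust/governmentSurveillance HTTP/1.1" 200 7000 "-" "UA-A"
198.51.100.7 - - [18/May/2015:10:01:02 +0000] "GET /trust/governmentSurveillance HTTP/1.1" 200 7000 "-" "UA-B"
203.0.113.5 - - [18/May/2015:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 900 "-" "UA-C"
203.0.113.5 - - [18/May/2015:10:02:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "UA-C"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
ASSET_RE = re.compile(r"\.(?:js|css|png|jpg|gif|ico|svg|woff2?)$")

def paths_to(target, log_text, salt=None):
    """Count the page sequences that led each client to `target`."""
    salt = salt or os.urandom(16)  # per-run salt: visitor keys cannot be linked across runs
    visits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]
        if ASSET_RE.search(path):
            continue  # keep page views only
        # Pseudonymous visitor key (assumption: IP + user agent); the raw IP is never stored.
        key = hashlib.sha256(salt + f'{m["ip"]}|{m["ua"]}'.encode()).hexdigest()
        visits[key].append(path)
    routes = Counter()
    for pages in visits.values():
        if target in pages:
            routes[tuple(pages[: pages.index(target) + 1])] += 1
    return routes

def entry_pages(routes):
    """Aggregate routes down to the first page of each visit."""
    entries = Counter()
    for route, n in routes.items():
        entries[route[0]] += n
    return entries
```

Only aggregate counts leave the function. Clients behind a shared address with the same user agent are merged into one visitor, so the counts are approximate.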

------
bshimmin
And they also include JavaScript from [https://ethn.io/](https://ethn.io/),
the relative privacy value of which you can judge for yourself, and whose
parent company, I note in the footer, was bought by Facebook...

~~~
yebyen
These people have a Del tha Funkee Homosapien reference right on their landing
page. I therefore can't muster any hate onto them.

------
UserRights
When you open a freshly installed Firefox on Ubuntu or Windows (that is where
I checked) you will have a google cookie set right before the first usage,
without any chance of opting out or being asked before.

Yes, anybody can change the startpage, delete all cookies and restart the
browser. How many users will do this? And does forcing every user into google
surveillance comply with this privacy marketing of mozilla, or is it just a
cynical fake campaign?

There should be a startpage explaining what cookies are, describing the
difference between temporary and permanent cookies and how these help to track
your web usage, and provide one single, visible button to delete all cookies.

After this I should be asked if I would like to help mozilla funding by
redirecting me to a google web search which will set a permanent cookie.

~~~
robin_reala
Is this due to the Safe Browsing database?
[http://blogs.wsj.com/digits/2012/02/28/the-google-cookie-tha...](http://blogs.wsj.com/digits/2012/02/28/the-google-cookie-that-seems-to-come-out-of-nowhere/)

If so then it shouldn’t be present in current versions. Did you accidentally
import cookies from another browser? Probably worth filing a bug if not.

~~~
gorhill
> it shouldn’t be present in current versions

This is what I see at launch[1]:

    
    
        http://clients1.google.com/ocsp
        https://safebrowsing.google.com/safebrowsing/download?...
    

[1]
[https://cloud.githubusercontent.com/assets/585534/7666597/5f...](https://cloud.githubusercontent.com/assets/585534/7666597/5f287288-fbb9-11e4-877d-83d0fbc1c777.png)

~~~
kbrosnan
The safe browsing cookie is in its own networking sandbox.

[https://dxr.mozilla.org/mozilla-central/source/netwerk/base/...](https://dxr.mozilla.org/mozilla-central/source/netwerk/base/nsNetUtil.h#1730)

[https://dxr.mozilla.org/mozilla-central/source/toolkit/compo...](https://dxr.mozilla.org/mozilla-central/source/toolkit/components/downloads/ApplicationReputation.cpp#958)

[https://dxr.mozilla.org/mozilla-central/source/toolkit/compo...](https://dxr.mozilla.org/mozilla-central/source/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#130)

------
userbinator
I've had GA's domains redirected to 0.0.0.0 in HOSTS ever since I knew of
them.

It's also another one of these single-page-apps that require JavaScript to
display any content at all.

I think with such a design they're clearly not targeting the sort of privacy
levels that more users on HN than the Internet in general expect.

~~~
Programmatic
Check out RequestPolicy sometime if you're concerned about GA and other
tracking and went through the trouble to bit bucket it in hosts; it's really
nice to be able to set which other sites any given site can contact, and I
trust it more than the other curated options like Ghostery etc. since I can
see for myself where each site is allowed to go.

~~~
Silhouette
Unfortunately the Firefox 38 update broke RequestPolicy.

There are other extensions that do a similar job, including a volunteer effort
to continue the original extension, but right now none of them seems quite as
neat and reliable as the original.

~~~
SSLy
uMatrix has been recently released for FF. Basically, it's a better RP

[https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

~~~
Silhouette
That looks similar to existing plug-ins like Policeman. These are great for
technically-minded power users who understand the implications, but IMHO they
are far too complicated for "normal" users who just want a bit of added privacy
and security without spending half their lives tweaking configurations.

~~~
gorhill
If you stick to clicking only the hostnames, it's no different than
RequestPolicy. Otherwise there is uBlock's dynamic filtering which does
essentially the same thing as RequestPolicy:

[https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...](https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-default-deny)

------
ChrisAntaki
Mozilla tried to launch a site to help educate people while tracking
engagement?

This seems like a much bigger issue than the NSA copying entire datastreams
from American internet hubs.

~~~
sp332
I don't get your comment (even sarcastically). It's not that big, but it's
still a problem. People who are trying to avoid being tracked would probably
prefer not being tracked. The page is self-defeating.

~~~
hobs
Well I do! Complaining about a moz site having google analytics is 100% bike
shedding, everyone has an opinion because they have no idea how to fix or
address the bigger issues, so let's complain about a website, we all know how
to do that!

If we cannot pick our battles, then we will just lose because of the
dissipation of all of our efforts across everything "that is still a problem".

When I weigh out the benefits vs the costs, I don't see why moz would pick any
other option, everything else is more work, and google already tracks you
across most of the internet.

Whether or not you showed up on a mozilla page is not going to change their
understanding of your habits by much.

~~~
sp332
Mozilla isn't some bystander, they're a major player in the fight against mass
surveillance. That's why it gets such a big reaction when they seem to be
enabling it. People start doubting their whole commitment to the cause.

------
aw3c2
The website is totally broken for me:
[http://i.imgur.com/y01g1NG.png](http://i.imgur.com/y01g1NG.png)

~~~
0xff00
You should mention which platform/browser/version you're running so they can
fix it.

------
kuschku
This is completely unacceptable.

Preaching water and drinking wine, eh?

If they’d really want some kind of tracking, they could have used a locally
installed system like piwik, as the largest issue with tracking comes when the
data from many sites is combined.

~~~
threeseed
Sure. They could've done that. But that would cost how much to install, manage
and configure remembering that (a) Mozilla gets quite a bit of traffic and (b)
that is money that could be better spent on their products.

------
tombrossman
Not only enabled, but in breach of the Google Analytics' Terms which state
very clearly: _"You must post a Privacy Policy and that Privacy Policy must
provide notice of Your use of cookies that are used to collect data. You must
disclose the use of Google Analytics, and how it collects and processes data."_

See section 7 "Privacy" here for the full text.
[http://www.google.com/analytics/terms/us.html](http://www.google.com/analytics/terms/us.html)

~~~
userbinator
They do mention it here, so I don't think they violate GA ToS:

[https://www.mozilla.org/en-US/privacy/websites/](https://www.mozilla.org/en-US/privacy/websites/)

 _Third party Services We use third party services such as Google Analytics
and Optimizely. They use cookies, IP addresses, and online data tools._

~~~
tombrossman
I see no privacy policy on the shapeoftheweb.mozilla.org site though you are
correct that they do post that privacy policy on the completely different
website www.mozilla.org.

I suppose they would argue that's the same but I don't think it is good enough
(especially for a site preaching privacy values). It should be down in the
footer, or even better they should be using Piwik and skipping GA completely.

To me, this feels like a website built by a pro-privacy team who had some
marketing or PR person slap the GA code in there with no comprehension of
irony at all.

EDIT: Also to note that mozilla.org uses UA-36116321-1 tracking and
shapeoftheweb.mozilla.org uses UA-49796218-22, which indicates to me that they
are aware that these are two distinctly different sites.

~~~
nikolak
>I see no privacy policy on the shapeoftheweb.mozilla.org site though you are
correct that they do post that privacy policy on the completely different
website www.mozilla.org.

It's on the same subdomain, and it includes link to mozilla.org which has link
to privacy policy which also applies to shapeoftheweb.mozilla.org:

>This privacy notice applies to Mozilla operated websites, which include the
domains mozillians.org, mozilla.org, firefox.com, openbadges.org and
webmaker.org. This includes, for example, bugzilla.mozilla.org,
reps.mozilla.org, careers.mozilla.org, developers.mozilla.org,
support.mozilla.org, addons.mozilla.org, and wiki.mozilla.org.

------
miji
One of the prime reasons GNU forked Firefox for IceCat was Google Safe
Browsing. Besides that, I don't think Firefox really doesn't give a shit about
your privacy and shit like that. Their primary concern is to ship software, not
code quality or issues of relevance to users. If the illusion can be
maintained that it does care about your privacy then it works fine for them,
it works fine for their major "donors".

------
KraigWalker
Next time you go to a movie theatre and there's someone standing there keeping
count of how many people are going in - because it's their job or something -
make sure to complain they're infringing on your right to privacy.

~~~
MisterWebz
That same person is also standing at the entrance of almost every other
building. To make his job easier he's also given you a unique identifier, so
that he can notice when you enter a building he watches. I'm sure you've never
noticed him, most people don't.

~~~
Drakim
And at the end of the day, he goes over his list of what buildings you went
into, to analyze what sort of things you like so he can show up at your door
as a door salesman to sell you some product he believes you will be interested
in.

