
Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser - shak77
https://support.mozilla.org/en-US/questions/1194583
======
blauditore
Many people seem to be shocked because Mozilla installed an add-on
automatically. In my opinion, it doesn't really matter since the code is
coming from Mozilla - they're building the whole browser, so they could
introduce functionality anywhere. If someone distrusts their add-ons, why
trust their browser at all?

The main question is what behavior is being introduced. I haven't researched
deeply, but apparently the add-on does nothing until the user opts in to
studies.

~~~
kryptiskt
The major problem is that they installed an add-on without properly
communicating what it was. A somewhat smaller problem but still a big problem
is that it was an utterly frivolous add-on that shouldn't have been pushed to
people who didn't explicitly want it. But the biggest problem is that Mozilla
seems to have trouble understanding why any of those two would be a problem, I
want my browser vendor to be serious and not play silly games that can so
easily backfire.

Yeah, add-ons from Mozilla merit the same trust as the browser. But this cuts
both ways, this stuff undermines my and probably more people's trust in the
browser.

~~~
kryptiskt
So this is the first response from Mozilla in the Gizmodo article:

“Firefox worked with the Mr. Robot team to create a custom experience that
would surprise and delight fans of the show and our users. It’s especially
important to call out that this collaboration does not compromise our
principles or values regarding privacy. The experience does not collect or
share any data,” Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said
in a statement to Gizmodo. “The experience was kept under wraps to be
introduced at the conclusion of the season of Mr. Robot. We gave Mr. Robot
fans a unique mystery to solve to deepen their connection and engagement with
the show and is only available in Firefox.”

This is horrible. They pushed out this crap under false pretenses as a study
and obfuscated it. Don't talk the ethics talk if you're not prepared to do the
ethics walk.

~~~
avtar
I've been using Firefox for 90% of my browsing for a few years now and really
want to continue to do so but I really wish Mozilla would stop shooting
themselves in the foot already. This once again gives the impression that they
have some teams that aren't in touch with the reality on the ground, that
these types of initiatives hurt their chances of gaining more users.

~~~
bigbugbag
Let me suggest a browser aptly named Waterfox, that could be described as
Firefox without Mozilla nonsense.

[1]: [https://www.waterfoxproject.org/](https://www.waterfoxproject.org/)

~~~
scrollaway
Waterfox _is_ nonsense, no offense to the people behind it. Removing some
stuff from Firefox and calling it a day does not make a better Firefox, it
just makes for a preconfigured one. You might as well just run Chromium.

The problem is that Mozilla is a good company, that has had a true net
positive effect on the world, especially in tech, and continues to do so
_today_ with wonderful projects like Rust etc.

If Mozilla were a shitty company, we could all simply dismiss Firefox and get
on with our day. But Mozilla is not a shitty company and the fact they keep
shooting themselves in the foot like GP said, the fact they are completely out
of touch with their userbase, that they cannot see the OBVIOUS problems with
this addon even after the Pocket debacle, is ridiculous.

~~~
bkdbkd
Heaven forbid the decisions about what features an application gives and takes
away are decided by lowly users. The free in free software means libre still,
right? So if someone forks over 1 change or 10 they are still libre to do it,
or is that passe? It's free as in liberty, as in freedom of thought, or is that
also passe?

Forking a project, and adding features and removing pulls that you don't want
and/or need is kinda the idea behind the whole 'open source' thing.. cause
what else would you do with the source code, but compile it.

Speaking of Firefox, a build or two ago, without warning, Firefox deprecated
(broke) every add-on. Because [insert-old-architecture-security-
justification]. It's not like anybody was doing anything real with a browser
anyway.

~~~
scrollaway
The new extension system was announced years in advance, including the warning
that XUL addons would eventually be deprecated.

This design decision is behind a large part of the performance improvement in
57.

Yes I'm sad, I lost some of my favourite addons as well. But this move was
announced well in advance and it _had a serious technical reason behind it_.

In a difficult situation, Mozilla made a tough decision that is good in the
long run and that benefits all its users. Crying "fork!" over it is so blind
it leaves a bad taste in my mouth.

> _So if someone forks over 1 change or 10 they are still libre to do it, or
> is that passe?_

It's nonsense. Doesn't mean they can't do it, doesn't mean it's not nonsense.
Furthermore, in some situations, forks can be harmful to the overall health of
an already fragile ecosystem. They're not free of externalities.

------
pgl
Previously:

* [https://news.ycombinator.com/item?id=15921134](https://news.ycombinator.com/item?id=15921134)

This is a link to the GitHub issue:

* [https://github.com/gregglind/addon-wr/issues/36](https://github.com/gregglind/addon-wr/issues/36)

There are several scary things about this:

- Unknown Mozilla developers can distribute addons to users without their
permission

- Mozilla developers can distribute addons to users _without their knowledge_

- Mozilla developers themselves _don't realise the consequences of doing
this_

- Experiments are not explicitly enabled by users

- Opening the addons window _reverts configuration changes which disable
experiments_

- The only way to properly disable this requires fairly arcane knowledge of
Firefox preferences (lockpref(), which I'd never heard of until today)

~~~
kbenson
> Unknown Mozilla developers can distribute addons to users without their
> permission

"In related news, unknown website developers can distribute programs and run
them in your browser. Additionally, it's been determined that browsers
sometimes download changed versions of themselves without your permission.
Worst of all, we've determined that sometimes the program you download and run
yourself on your computer does stuff it didn't say it would do!"

In all seriousness, I understand this is an important issue, and needs to be
addressed, but we've obviously gotten to the point as a society recently where
no news can't be played up for hype by pundits and commentators for their own
benefit (and probably without realizing they are doing it in a lot of cases).

The whole way this is being presented (by many here, not to pick on the
parent) as a new chunk of the sky falling is what _I_ find really troublesome.
No, chicken littles, the sky isn't falling, but there _is_ some interesting
shit going on up there that deserves a look.

I fail to see how getting half the people frothing at the mouth and the other
half downplaying it just to try to keep some sanity in the discussion helps
for a good outcome.

~~~
bigbugbag
> "In related news, unknown website developers can distribute programs and run
> them in your browser. Additionally, it's been determined that browsers
> sometimes download changed versions of themselves without your permission.
> Worst of all, we've determined that sometimes the program you download and
> run yourself on your computer does stuff it didn't say it would do!"

No they can't, despite Mozilla removing the option to prevent this, I have an
extension preventing websites from running code in my browser without my
permission. It happens to be one of the most popular Firefox extensions:
NoScript. (Also uMatrix and RequestPolicy.)

No the browsers do not download changed versions of themselves, they do not
have the administrative permissions required to install programs on my box. I
get my update from the official distro repository on my terms.

I do not download and run programs, they come from the distro repository. This
is a matter of trusting the package maintainers but up until now this has
served many people well.

It seems you guessed wrong and it does not work the same for everybody, some
of us have chosen to take the extra step required for this kind of
misadventure to be unlikely.

~~~
kbenson
> No they can't, despite Mozilla removing the option to prevent this, I have
> an extension preventing websites from running code in my browser without my
> permission. It happens to be one of the most popular Firefox extensions:
> NoScript. (Also uMatrix and RequestPolicy.)

You've conflated third party javascript with javascript in general. You _can_
turn off javascript entirely, but unless you do so, that website is generally
able to ship javascript to you as included scripts from the same domain or in
a script section or inline with attribute handlers.

> No the browsers do not download changed versions of themselves, they do not
> have the administrative permissions required to install programs on my box.
> I get my update from the official distro repository on my terms.

Yes, they very often do. Currently, they generally ask if you want to restart
using the new version and give you that choice, but they are often downloading
newer versions of themselves ahead of time to speed up this process.

Whether they have permissions depends entirely how you installed the
application. If it wasn't installed globally, user permissions are all that is
needed.

> I do not download and run programs, they come from the distro repository.
> This is a matter of trusting the package maintainers but up until now this
> has served many people well.

Good! I hope you've also never _ever_ piped wget output to a shell for some
application's quick installer. I also hope you've never installed any
programming language module through that language's package manager and not
your distro's package system, because those are notoriously bad at making sure
there are no holes through which bad stuff can happen either.

Regardless, it's possible that the package you downloaded, no matter the
source, _can_ do something other than stated.

> It seems you guessed wrong and it does not work the same for everybody, some
> of us have chosen to take the extra step required for this kind of
> misadventure to be unlikely.

Actually, I don't think I guessed wrong because I wasn't _guessing_ anything,
and I never said it works the same for everybody. I believe, since I was
careful to qualify my statements, that each is easily proven correct, and I've
done so.

------
proaralyst
Looks like it's a promo for Mr Robot, which is really not ok.

> What's happening? Are you a fan of Mr Robot? Are you trying to solve one of
> the many puzzles that the Mr Robot team has built? You’re on the right
> track. Firefox and Mr Robot have collaborated on a shared experience to
> further your immersion into the Mr Robot universe, also known as an
> Alternate Reality Game (ARG). The effects you’re seeing are a part of this
> shared experience.[0]

EDIT: looking at this[1] comment, perhaps it's not a promo?

[0]: [https://support.mozilla.org/en-US/kb/lookingglass](https://support.mozilla.org/en-US/kb/lookingglass)

[1]: [https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...](https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_looking_glass/dr6fiaz/)

~~~
exelius
Seems kind of like it is part of an ARG. I can't say I'm totally against
something like that; Mozilla's gotta make money somehow, and as long as it's
not selling out user privacy it's a better tradeoff than Chrome.

~~~
tamriel
> Mozilla's gotta make money somehow

They're a nonprofit; they're not allowed to just "make money". And, they
already take donations.

~~~
hbosch
I think the term “non-profit” is more about how an organization spends the
money, rather than how they make it. Non profits and charities definitely
bring in money through channels other than donations...

~~~
tamriel
I agree.

I merely challenge the notion that a nonprofit -- which proudly trumpets its
benevolence and non-profitness -- should get a free pass for covertly
installing advertising arrangements, just because they need to "make money".

Their charter and marketing is all about defending the internet from the
companies doing shady things to make money, so they can't have their cake and
eat it.

~~~
djsumdog
There is a difference between a non-profit and a non-for-profit (most health
insurance companies are the latter; go try and figure that out).

Firefox gets most of its donations from corporate sponsors. That's why the
default search has switched back and forth between Yahoo and Google; it's all
about the amount of money they contribute for that. I'm not sure, but Pocket
might be another example.

User contributions are actually pretty low. They don't go out and request them
though like NPR or Wikipedia.

~~~
bigbugbag
You're confusing Mozilla Foundation and Mozilla Corporation here. The default
search with Google and Yahoo is not donations for the foundation but a
commercial contract with the corporation.

I'm not sure Mozilla even gets a significant amount of donations compared to
their commercial contracts.

------
y0ghur7_xxx
This happened to me yesterday, so I looked for it.

The Extension actually does nothing, but invert (make them upside down) a few
words on specific sites.

It's an experiment called "PUG ARG" to check whether page contents sniffing
works. Its page doesn't reference any Bugzilla issue or Wiki page, while
[https://wiki.mozilla.org/Firefox/Shield/Shield_Studies/Queue](https://wiki.mozilla.org/Firefox/Shield/Shield_Studies/Queue)
doesn't list it.

The source code references
[https://support.mozilla.org/kb/lookingglass](https://support.mozilla.org/kb/lookingglass),
which (as of now) only says "test - 12817".

The add-on tests whether specific words can be detected on sites; the current
list has nice picks like "revolution" and "privacy". Of course, this is only a
test, but in the future Firefox might look for specific terms in the pages you
load and do specific things based on them.

The other thing it's doing is to send an extra header to three specific sites:
[https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b0894...](https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b089405ca96fc68b999d2b624ef4/addon/webextension/background.js#L52).
I suppose the words and the domain are a reference to the Mr. Robot series.

The add-on describes itself as an "Augmented Reality Game Experience" and was
made by a certain "PUG Experience Group":
[https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b0894...](https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b089405ca96fc68b999d2b624ef4/package.json).

Of course, Shield Studies are supposed to be a way of making "more informed
product decisions based on actual user needs".

[https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...](https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_looking_glass/)

~~~
_Codemonkeyism
Wow, FF is sniffing the content and changing words.

Could not think of anything worse a web browser could do.

Do they change political arguments on pages in the future to see how I react
in a user study?

Signed Mr. Guinea Pig

~~~
bad_user
That's ridiculous, since FF is literally fetching and rendering that content,
being its raison d'être.

You can't "sniff" what is already yours to begin with.

~~~
brador
Sniff implies sending. It's the scanned content transportation and destination
that's the issue.

~~~
bad_user
There's no sending involved with this add-on.

------
hitekker
1) Mozilla uses weird, spooky language in an add-on.

2) Users are justifiably concerned.

3) Mozilla explains that the add-on is actually anodyne; the developers
responsible were having fun with an opt-in research service.

4) Some users try to justify their initial overreaction by painting Firefox as
a mysterious, dangerous entity, fabulating conspiracy theories about one of the
most forthright and open OSS companies in the world.

Really, guys. If Mozilla was hellbent on invading your privacy, do you really
think they would proudly entitle their tracker "Looking Glass"? Or would they
call it debugservice_1223?

~~~
Karunamon
3.5) Most users insist that this isn't okay, that addon installations should
be approved by the owner of the computer.

This isn't about what the addon itself does or does not do, it's the principle
of force-pushing unwanted content without prior affirmative consent.

This would apply even if the addon was just a stub that didn't have any
executable code in it. In this case, it's worse: an ad.

~~~
hitekker
I would agree with you, if the add-on in question was not developed, shipped,
and offered by the people who made the browser, of which the add-on sandbox is
a part.

In my view, that sandbox is a trusted area between the browser and the user.

Mozilla has the privilege accorded to it as the developer of the browser, to
modify the addon sandbox so long as they don't infringe on my interests, e.g.,
security, stability, privacy, speed.

For example, Chrome automatically disables extensions that ask for too many new
permissions upon update. Chrome will also make it difficult to add extensions
that are not listed on the chrome store.

If we remove the right for browser developers to install, uninstall and alter
add-ons, then we're essentially forcing them to modify the browser instead,
which is overkill for the add-on in question.

At the end of the day, if you can't trust the developers of your browser, then
you should install another one and disable add-ons entirely.

3.5 falls into 4.

------
majewsky
In the Preferences, scroll down to "Data Collection and Use", and disable
_everything_.

I know that you only need to turn off "install and run studies", but
this has now cost Mozilla all telemetry data from me, and I encourage everyone
to do the same.

~~~
sundarurfriend
I've switched to Waterfox, because of things like this (including the Cliqz
issues). I'm all for Mozilla making money and trying things, the problem is
the way in which they do it. They fail to respect the users enough to
communicate things, and have not been behaving like a user-friendly
transparent company for some time now. I was a big enough fan to regularly
donate and urge friends to do the same, but something has gone wrong inside
the company.

~~~
majewsky
I heard about Waterfox, but support for legacy extensions is a huge warning
sign. I don't want to be stuck on FF56 technology forever.

------
Sir_Cmpwn
What the fuck Mozilla? You can't just sideload extensions that are _literally
ads_. There is no universe in which this is even a little bit okay.

[http://qutebrowser.org/](http://qutebrowser.org/)

~~~
pecg
And this is exactly what I'm going to do, switch to a simple browser, in my
personal computers. If they programmed Firefox to be capable of doing things
like this, then definitely I cannot trust them anymore.

------
kotrunga
Go to settings, look in Firefox Data Collection and Use.

Why are these turned on automatically? Plus, I turned mine off, and now
they're back on again, with this looking junk installed.

What the heck Mozilla? What happened to caring about the users? We definitely
can't trust Mozilla anymore.

~~~
nikanj
Firefox has a tendency of resetting its settings. I think the UI calls it
"Refresh", but it's basically yet-another-nagbar that we all know and hate.

------
positivecomment
Out of _literally_ all the software vendors I know, including the one I'm
working for, Mozilla is the one I'd have least expected to allow such a thing.
I'm very surprised (negatively, needless to say).

~~~
Simon_says
I would have said the same thing until they integrated the W3C Encrypted Media
Extensions. It's clear they lost their way some time ago.

~~~
icebraining
Why? They allowed proprietary extensions (e.g. Flash) from the start. I don't
like it, but I don't see how it represents a loss of their way. Mozilla was
never GNU.

~~~
Simon_says
Big difference between an extension and being integrated into the browser.
It's directly analogous to the difference between your OS being closed source
and your OS being able to run closed source programs. The former is a
liability; the latter is an ability that you grant to users to use the system
the way they want.

~~~
icebraining
The CDM modules are not integrated with the browser. The browser only has an
(open source) sandbox to run them.

------
garganzol
Mozilla Firefox installer is signed by a code-signing certificate. But at the
very end it means nearly nothing: if the developer cannot be trusted, no
amounts of certificates, green bars, smart screens, stores and walled gardens
can fix that.

That's a very important point to grasp, as I hear a lot of voices nowadays
claiming that the modern security model (read walled gardens of all kinds) is
the universal panacea.

Just the opposite, it brings a false sense of security making you more
vulnerable. It also tends to inhibit a healthy and free market competition
when a lot of potentially good software suppliers are gated off from the
walled gardens from the start.

~~~
fixermark
In general though, what is the alternative to trusting the source and
distributor of a piece of content? As you've noted, if you can't trust the
developer, the walled garden is irrelevant... But if you can't trust the data
source, isn't basically everything about the medium irrelevant?

In contrast, if you do trust the data source, why is a walled garden model of
security worse than alternatives?

------
edibleEnergy
Somewhat tangential to this particular issue, but this is a good lesson for
developers in why you should be dry and explicit in your writing.

Sure `alert("FFFUUU WHY U NO WORK");` keeps you entertained for 5 minutes
while you debug a problem but when that accidentally gets to prod...

~~~
napsterbr
I see you, but your example outlines a problem with the process/workflow, not
with the developer.

~~~
scott_karana
GP meant the style of _writing English_, not code. Funny messages almost
always end up causing problems at the end of the day.

------
exikyut
HOLD THE PHONE

The support thread links to
[https://support.mozilla.org/en-US/kb/lookingglass](https://support.mozilla.org/en-US/kb/lookingglass).

That page says, in a clearly delineated box,

> _No changes will be made to Firefox unless you have opted in to this
> Alternate Reality Game._

PLEASE EXPLAIN THIS INCONSISTENCY.

~~~
LyndsySimon
Hopefully, it's a bug, and that addon wasn't intended to be installed (much
less active) universally like it is.

That doesn't make it OK, but it would make me look at them with suspicion
instead of hostility.

------
cJ0th
Ffs .. I've just checked my addons b/c of the headline and sure enough it has
been installed against my will.

I've been very loyal to Mozilla over all these years but this really is not
ok. If they keep doing shit like this I'll switch to a fork.

------
ksec
I just wanted to add a few things.

1. I noticed it yesterday, only because Avast was showing I have a low trust
level Add-On installed in Firefox.

2. I googled it, and the first result was from Mozilla, showing it was part
of their studies and experiment.

3. That was OK, because I trust Mozilla, although somewhere in the back of my
mind I thought all studies were supposed to be opt-in, since I have a few
Add-Ons installed in the week and I don't restart my browser, I thought I might
have clicked it by mistake.

4. Now that I am reading this through, I am more than worried. If I am reading
the online comment correctly, Mozilla installed an Add-On without user
permission, enabled, collected data, and not for their own UX studies but a
third party.

And to make the matter worse, that Add-On is now gone. It disappeared in my
Add-On screen now I just check. Call me old-fashioned but that is not how I view
privacy.

Like I said before, Mozilla's management and culture has a tendency of self
destruction and messing things up right after they start being good. Still
this is turning around much quicker than I thought.

~~~
franga2000
I can't find any indication that Mozilla was collecting any data from this
addon, either for themselves or for anyone else. The only way anyone would
even be affected by it is by going to one of 3 hard-coded websites owned by
the network behind Mr. Robot (a show known for putting easter eggs all over
the web) and hovering over some text. It's definitely a dick move, but it
isn't spyware as some people are saying, just a very poorly executed
promotion.

------
alkonaut
If they state as an explicit principle that no addons/studies are actually
enabled unless the user opted in, then I’m going to give them the benefit of
the doubt that _if_ that happened to users that did not opt in, it was a
terrible mistake (i.e. a bug).

I can tolerate bugs, much more than I can tolerate sneaky app behavior. But I
hope the statement about explicit opt-in will be repeated, and this will be
explained.

At first I thought it must have been users that explicitly had opted in, but
with so many users claiming they haven’t, it seems unlikely.

The next possibility is that preview versions have things opt-out instead of
opt in (because in preview versions you need more data from users - typical
for closed alphas etc) - _but_ then this should be very clearly explained on
download/install.

~~~
alkonaut
I haven’t understood whether this thing is completely inert or actually does
anything without opt in.

If it is downloaded and listed without opt-in, but only actually invoked after
opt-in, then I’ll call it acceptable (not great, but not terrible either)

~~~
callahad
The source is at [https://github.com/gregglind/addon-wr/](https://github.com/gregglind/addon-wr/)

Its startup is controlled by the addon/bootstrap.js file. Per line 22, it's
completely inert unless the user manually toggles
`extensions.pug.lookingglass` in about:config:
[https://github.com/gregglind/addon-wr/blob/59659431fd2a75c33...](https://github.com/gregglind/addon-wr/blob/59659431fd2a75c33ac70a0e6e3e193a01ff8f66/addon/bootstrap.js#L22-L24)
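
The gating pref named in the comment above, and the settings other commenters report flipping back on, can be checked from a profile's `prefs.js`. The sketch below is an added example, not code from the thread or from the add-on: it parses `user_pref(...)` lines and reports watched prefs that were off in one snapshot and are no longer off in a later one. The pref names `app.shield.optoutstudies.enabled` and `datareporting.healthreport.uploadEnabled` are not quoted in the thread and are assumed to be the ones behind the "Data Collection and Use" checkboxes; the sample file contents are constructed.

```javascript
// Added example: audit Firefox prefs.js snapshots for the prefs discussed above.
// No file I/O is done here: pass the file contents in as strings.

// "extensions.pug.lookingglass" and "toolkit.telemetry.enabled" are quoted in
// the thread. The other two are assumed to back the "install and run studies"
// and "technical and interaction data" checkboxes.
const WATCHED_PREFS = [
  "extensions.pug.lookingglass",
  "toolkit.telemetry.enabled",
  "app.shield.optoutstudies.enabled",
  "datareporting.healthreport.uploadEnabled",
];

// Parse user_pref("name", value); lines into a Map of name -> value.
// Comments, blank lines and malformed lines are skipped; a later line wins.
function parsePrefs(text) {
  const prefs = new Map();
  const lineRe = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = lineRe.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") {
      value = raw === "true";
    } else if (/^-?\d+$/.test(raw)) {
      value = Number(raw);
    } else {
      // Quoted string value; reject anything that is not a valid string literal.
      try { value = JSON.parse(raw); } catch (e) { continue; }
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Classify each watched pref as "on", "off" or "unset".
// "unset" means the pref is absent from prefs.js, so the build's default
// applies; this script cannot see what that default is.
function auditPrefs(prefs) {
  return WATCHED_PREFS.map((name) => {
    if (!prefs.has(name)) return { name, state: "unset" };
    return { name, state: prefs.get(name) === true ? "on" : "off" };
  });
}

// Report watched prefs that were explicitly off before and are not off now.
function revertedPrefs(beforeText, afterText) {
  const before = auditPrefs(parsePrefs(beforeText));
  const after = new Map(
    auditPrefs(parsePrefs(afterText)).map((r) => [r.name, r.state])
  );
  return before
    .filter((r) => r.state === "off" && after.get(r.name) !== "off")
    .map((r) => `${r.name}: off -> ${after.get(r.name)}`);
}

// Constructed sample snapshots (not taken from a real profile).
const SAMPLE_BEFORE = [
  "// Mozilla User Preferences",
  'user_pref("app.shield.optoutstudies.enabled", false);',
  'user_pref("datareporting.healthreport.uploadEnabled", false);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

const SAMPLE_AFTER = [
  "// Mozilla User Preferences",
  'user_pref("datareporting.healthreport.uploadEnabled", false);',
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("extensions.pug.lookingglass", true);',
].join("\n");

console.log(auditPrefs(parsePrefs(SAMPLE_AFTER)));
console.log(revertedPrefs(SAMPLE_BEFORE, SAMPLE_AFTER));
```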

------
simlevesque
Mozilla can't stop doing crap like this. I love the engineering behind it and
the tech but I don't want any of your shenanigans. This makes me afraid to
update.

------
Tomte
I like Mozilla a lot. And this extension doesn't really bother me, since it's
benign.

But oh boy, do they have a talent for always doing benign and harmless things
that look bad at first glance. It's almost like they want to turn away typical
messaging board users.

------
mcintyre1994
Menu > Options > Privacy & Security > untick Allow Firefox to install and run
studies

I deliberately kept that enabled initially but if they're going to use it for
Adware..

~~~
pythonaut_16
If you're still using Firefox after this it's probably safest and best just to
disable everything under Firefox Data Collection and Use

------
confounded
While I agree that releasing this as an undocumented extension was a poor PR
move, in practical terms, I don’t see how this is any more insidious than the
‘no internet’ dinosaur jumping game built in to chrome.

Both are first-party. The difference seems to be that the dinosaur game keeps
you entertained, whereas this hopes to promote awareness of privacy/security.

~~~
mynewtb
The dinosaur was not placed there by a movie studio to promote a random movie.

~~~
confounded
Neither was the Looking Glass extension.

~~~
trendia
It is related to Mr Robot

------
pmlnr
FF 57 installed from Debian unstable repository has "Data reporting is
disabled for this build configuration" - which disabled, in theory, the
shield "studies" as well. I don't know who made this decision at Debian, but
thank you.

~~~
chippy
I wonder if the Ubuntu stable ones have this too?

~~~
trendia
Ubuntu once sent everything typed in the search bar to Amazon, so...

------
Sytten
And this is one of the reasons I stopped my yearly donation to the Mozilla
foundation even if I love the new FF. If they need money so badly they should
push their donation campaign and keep their products clean instead of pushing
some shady alliances with big corporations.

------
MikkoFinell
Canceled my monthly donation because of this.

~~~
dymk
I deleted my Facebook because of this and I'm much happier as a result.

------
jordigh
So, a lot of people in this thread are saying that Mozilla is a non-profit.
There are in fact two Mozillas. One is the Mozilla Foundation, which is the
non-profit. They are not involved with Firefox development, as I understand
it. The Mozilla Corporation, which I think is owned by the non-profit, does
the development. I think the foundation just does cute videos and outreach and
other things not directly related to writing software. I also understand that
if you donate money to the Mozilla foundation, the money would not make it to
Mozilla corp and thus would not pay for the salary of any Firefox hacker.

I've never quite understood how exactly does this financial arrangement work
and I would be grateful to anyone who could explain this to me.

~~~
CommieBobDole
It's the other way around - the foundation owns the corporation.

[https://en.wikipedia.org/wiki/Mozilla_Corporation](https://en.wikipedia.org/wiki/Mozilla_Corporation)

------
heroprotagonist
I don't remember if this is opt-in or not, but I do not have it in my Firefox.
Maybe I just removed it myself immediately after first install, when I went
through to update all of the privacy and other browser settings.

I agree that it seems like a crappy extension, and people should be upset
about things being preloaded to their browser.

But there's a point here to be made, that if you're concerned about privacy at
all today, you need to look at the settings of any software after you install
it. It doesn't matter how much previous trust you have for the developers.
This should just be default behavior so that any surprise is met immediately,
and not after any damage it could perform has been done.

------
linkmotif
Didn’t I see something on here recently about Mozilla increasing its revenue
significantly? [0] ;)

[0]
[https://news.ycombinator.com/item?id=15880565](https://news.ycombinator.com/item?id=15880565)

------
_Codemonkeyism
Anyone know how I can turn off Firefox sending technical details and
interactions?

Every time I turn this off, and restart FF it's on again.

58.0b11

~~~
kuschku
If you are on a Nightly or Developer build, you can not turn it off, I asked
on Mozilla’s IRC.

Downloading these builds is considered opt-in into telemetry, and
toolkit.telemetry.enabled is hardcoded to enabled, the opt-out checkbox
literally does nothing, I was told. And about:config confirmed this.

~~~
detaro
Okay, having a checkbox that does nothing is _really bad_. The fact that the
privacy policy only just says something like "this policy might not apply to
non-release builds", without actually having a policy for those also is more
than questionable.

------
_Codemonkeyism
One step ahead (Quantum), two steps back.

------
r1b
Doesn't bother me at all - I am fully acclimated to the idea that the browser
and other applications _do_ run arbitrary A/B test and other code all the
time.

------
FrozenVoid
I switched to Waterfox for quite awhile. I've lost trust in Mozilla when they
bundled "Pocket" and people then didn't think much of it. When you lose
ability to control the browser it's no longer a fair game. Bundling addons,
changing settings, ads and "enhancements" no one asked for, all eroded trust.
Not to mention it's aping Chrome more and more each version. We need more
Firefox forks, not less. Chrome has dozens, because the privacy threat from
Google is obvious: Firefox doesn't have that many forks, because it's trusted
by distro makers to be safe (but it's not, as Mozilla just proved). People are
upset when this implicit assumption that Firefox is the only browser (among
modern graphical browsers) you can trust is actually false.

------
Santosh83
There is more information on this Reddit post:

[https://www.reddit.com/r/firefox/comments/7jvm2t/this_lookin...](https://www.reddit.com/r/firefox/comments/7jvm2t/this_looking_glassmr_robot_sht_really_psses_me_off/)

~~~
Ajedi32
The original thread from 2 days ago:
[https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...](https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_looking_glass/)

------
Karunamon
Better yet, it appears that these "studies" (read: Mozilla pushing addons to
your browser without notification or permission) are default opt-out.

Will they stop doing it? Of course not. I can't recall any time that this
company has changed course in response to outcry.

~~~
mjw1007
I can: when they renamed firebird to firefox.

~~~
throwanem
Was that outcry? I thought it was that or get sued. Been a while, though, so
maybe I misrecollect.

------
rrdharan
TechCrunch and Gizmodo just picked up the story:

[https://techcrunch.com/2017/12/15/mozillas-mr-robot-promo-ba...](https://techcrunch.com/2017/12/15/mozillas-mr-robot-promo-backfires-after-it-installs-firefox-extension-without-permission/)

[https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-...](https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-into-firefox-1821332254)

Also AFAIK the second link has the first official response of any kind? "A
representative told Gizmodo the company is looking into the issue."

------
sharno
It's a PR disaster from Mozilla. I was once a Mozilla rep and I'm ashamed of
this. Studies like these should always be turned off by default and the user
can opt in voluntarily. But launching Firefox and digging into the preferences
to find that I'm enrolled into some studies by default is unethical for me.
Sadly, I'll have to switch to Brave or some other privacy concerned browser
until I see an official statement and action from Mozilla. I'm sure the
management there have something to do with all of this.

------
bitmapbrother
Big Browser is watching. Browse freely with Firefox.

[https://pbs.twimg.com/media/DDsLeqvV0AE1k-2.jpg](https://pbs.twimg.com/media/DDsLeqvV0AE1k-2.jpg)

The hypocrisy is amazing.

------
kamranjon
I actually discovered this because my browser would not stop running at 100%
cpu utilization about 3 days ago, not doing anything, just sitting at
Google.com with one tab open. It freaked me out because I couldn't find any
documentation on the extension. Once removed Firefox was running fine again. I
guess I'm relieved to know it wasn't some malware or something more sketchy,
but I am wondering what it was doing pegging my cpu at 100% whenever my
browser was open...

~~~
callahad
Whatever you experienced is very unlikely to be caused by this add-on. The
add-on only initializes if you manually dig into about:config and enable
`extensions.pug.lookingglass`. Otherwise, it just starts up once at browser
launch, checks that preference, and shuts itself down.
([https://github.com/gregglind/addon-wr/blob/59659431fd2a75c33...](https://github.com/gregglind/addon-wr/blob/59659431fd2a75c33ac70a0e6e3e193a01ff8f66/addon/bootstrap.js#L22-L24))

If you're able to consistently reproduce the issue, please let me know.

------
zb3
The best way to disable these things is to go to about:config, search and
delete/replace all mozilla urls. For this particular case, the api url is
probably in "extensions.shield-recipe-client.api_url" [0]

[0] - [https://dxr.mozilla.org/mozilla-central/source/browser/exten...](https://dxr.mozilla.org/mozilla-central/source/browser/extensions/shield-recipe-client/bootstrap.js)

------
ChrisSD
I'm using FF57 and did not get this addon. Was I just lucky?

~~~
esseti
same. is it just US stuff?

~~~
majewsky
I'm in Germany and it was installed here.

------
randomString1
Once again saved by
[https://github.com/pyllyukko/user.js](https://github.com/pyllyukko/user.js)

------
sjroot
I just checked my installation of Firefox and this addon was present as well.
The developers involved (Greg Lind et al) should acknowledge this and
apologize.

~~~
Danihan
Same, why is this in my addons..?

I really don't understand what they were thinking.

------
linkmotif
I checked out FF for the zillionth time the other week after the Quantum
release hoping to love it, but the deep Pocket integration was just too
offputting. Turning it off requires some Googling. There were other irritating
commercial things too. It’s a shame. FF is probably the most important open
source project in the world and it’s a shame they do stuff like this. I’m
still on Chrome :(

~~~
calcifer
> but the deep Pocket integration was just too offputting

You mean the single button that does _literally nothing_ until and unless you
click on it?

~~~
lozenge
Add a couple more buttons and hey, you've got a toolbar going.

Why can't they just make a web browser that's... just a web browser? Chrome
has never had buttons to email pages with gmail, record videos onto YouTube,
share pages on G+ etc.

~~~
kej
The default new tab in Chrome contains links to all of those things and more.

~~~
nyrikki
Not exactly a great example if Mozilla is trying to claim the high ground.

------
mshenfield
From the wikipedia article linked in the ticket:

> Shield Studies are available on all channels. Individual studies can be
> opt-out or opt-in and any and all data being collected will be declared
> openly. After confirming willingness to participation, a self expiring
> add-on will be installed on the user's machine.

Mozilla is only installing an experimental feature as an add-on if they opt
in.

------
seanalltogether
As of about 5:30 GMT it looks like the addon was automatically removed from my
browser. I know I saw it a couple hours ago.

------
herogreen
What I really do not understand is why this game thing was installed
automatically given that websites can ask the user to install an extension
when they land on a webpage. A popup that is part of Firefox shows up and asks
the user if he really wants to install it.

------
fishywang
Is the "Unknown" part in the title really unknown, or just Mozilla trying to
protect its developer(s) from pitchforks? If it's really "unknown", then
that's the really concerning part.

------
gaius_baltar
I haven't noticed this extension sending data to outside services. Did
somebody find if/where it does that? If it is sending personal or browsing-
related data out, we can flood the servers with garbage.

------
jstewartmobile
Posted here a few days ago about how Mozilla being for-profit joined at the
hip with a non-profit seems kind of shady, and got dogpiled for it. Then they
do this as a tie-in for Mr. Robot.

Vindication!

------
zeep
I use Firefox 58 beta developer edition in the USA and this extension didn't
install automatically...

Maybe the government needs to start sponsoring Mozilla so that they stop doing
things like this.

------
arunc
This is disappointing rather. When Mozilla spent $$ in advertising Firefox
Quantum in the internet media articles, they could have mentioned this at
least somewhere in them.

------
UmmNope
Mozilla takes in about half a billion dollars per year, has anyone considered
the consideration for which this money is being paid?

~~~
callahad
That's FUD. Mozilla is a 501(c)3 non-profit, and our audited financial
statements and IRS Form 990 can be found at
[https://www.mozilla.org/en-US/foundation/annualreport/](https://www.mozilla.org/en-US/foundation/annualreport/)

~~~
jordigh
Mozilla is... both. There's the Mozilla Foundation which is a nonprofit and
the Mozilla Corporation which is very much not.

I've never quite understood what each Mozilla does, but AIUI, the Firefox
development is all done by Mozilla Corp and the nonprofit does stuff like make
those cute videos about how Firefox is going to save the world and make us all
smiley and multiethnic.

I've talked to a number of Mozilla employees, and they also seem confused
about the relationship between the corp and the foundation.

~~~
Sylos
The Mozilla Corporation is 100% owned by the non-profit Mozilla Foundation, so
any earnings that the Corporation makes, they either have to reinvest, put it
to the side to reinvest it later or pay it out to the Foundation, where it's
again in non-profit hands (i.e. forced to invest into their specified
mission).

The only way that the Corporation could do shenanigans, is by paying their
employees higher wages than would be necessary to hold them or is considered
reasonable for the job that they do.

It was set up, because there's limits to how much money a non-profit is
allowed to put to the side, which would have limited Mozilla's strategic
flexibility.

------
CoolGuySteve
This is the second spyware extension in recent memory.

How hard is it to fork Firefox with all this stuff hardcoded off?

~~~
wila
waterfox? or perhaps pale moon are what you are after?

------
603security
Developers have a million other ways to be cute and clever.

------
sumanthvepa
I've been seeing the YouTube logo inverted recently. I wonder if this has
something to do with it. If so, I'm done with Firefox. I've used it since it
was Netscape in 1996. Enough is enough.

~~~
nicolaslem
This has nothing to do with Firefox, it was Youtube promoting its Youtube
Rewind:
[https://en.wikipedia.org/wiki/YouTube_Rewind](https://en.wikipedia.org/wiki/YouTube_Rewind)

------
AdmiralAsshat
[https://support.mozilla.org/en-US/kb/lookingglass](https://support.mozilla.org/en-US/kb/lookingglass)

_The Mr. Robot series centers around the theme of online privacy and
security. One of the 10 guiding principles of Mozilla's mission is that
individuals' security and privacy on the internet are fundamental and must not
be treated as optional. The more people know about what information they are
sharing online, the more they can protect their privacy._

...which you've done by installing a fishy-looking addon without our
permission and making us less likely to trust you?

Well-done, Mozilla.

~~~
theossuary
If you clicked on the link about shield studies you'd see it says they're opt
in, did you not get prompted about it?

~~~
yborg
Apparently it's getting loaded anyway for some people that say they had
"Studies" disabled and/or "Studies" itself became re-enabled.

The whole idea of slipping paid advertorial content into what are billed as
"research" kind of gives the lie to this whole thing and is why I never turn
these on in any product. Which is also why it's now "opt-out" by default, and
why it will eventually not be an option at all. It's all for our own good, you
see.

~~~
Ajedi32
You don't just need "Studies" enabled, you also need to explicitly opt-in to
each specific study on an individual basis:

> Participation in an individual study is opt-in

Source:
[https://wiki.mozilla.org/Firefox/Shield/Shield_Studies](https://wiki.mozilla.org/Firefox/Shield/Shield_Studies)

If that didn't happen in this case, then I suspect it's probably a bug.

~~~
acqq
> you also need to explicitly opt-in

Wrong, as far as I see: Looking in my about:config, I see

    
    
        app.shield.optoutstudies.enabled=true
        browser.onboarding.shieldstudy.enabled=true
    

_enabled by default_. The settings that I've changed from the default are
shown in bold. These aren't bold. Those are the defaults. Everybody can check.

That means that the user must actively take steps to disable them, if he knows
that they exist and where he can disable them.

Every time the user creates a new profile, and most probably also when he
"refreshes" an old one, he has _by default_ the studies _allowed._

It's even worse in other aspects: through the UI the "Allow Firefox to install
and run studies" can be unchecked but it doesn't change the value of
"experiments.enabled" to false in about:config.

Apparently the "experiments" allow Mozilla to install the "experimental"
extensions to any user, without him knowing. And these extensions are
invisible in the GUI! Even if the user goes to the about:config and sets
extensions.ui.experiment.hidden to false, it will be automatically set to true
again.

~~~
Ajedi32
Are you sure that's what those config options do? I tried looking them up, but
they don't seem to be listed in Mozilla's config documentation:
[http://kb.mozillazine.org/About:config_entries](http://kb.mozillazine.org/About:config_entries)

According to the Wiki page I linked in my previous comment, global settings
shouldn't even matter in this case; since each SHIELD study must be opted into
on an individual basis. (Or at least, that's how it's _supposed_ to work.)

Edit: Looks like the wiki was updated to state that some studies can be
opt-out rather than opt-in. This also seems in-line with the documentation for
SHIELD, which has a section on opt-out studies:
[https://normandy.readthedocs.io/en/latest/user/actions/opt-o...](https://normandy.readthedocs.io/en/latest/user/actions/opt-out-study.html)

~~~
acqq
Your link in edit part is the answer to your question before the edit:

[https://normandy.readthedocs.io/en/latest/user/actions/opt-o...](https://normandy.readthedocs.io/en/latest/user/actions/opt-out-study.html)

"opt-out-study: Install a Study Add-on Without Prompting

The opt-out-study action installs an add-on, typically one that implements a
feature experiment by changing Firefox and measuring how it affects the user."

They are obviously the topic of:

app.shield.optoutstudies.enabled=true

That I mentioned.

I see a lot of commenters trying to excuse them. The problem is, people
allowed the "studies" because Mozilla claimed that they are "measuring"
whatever "to make Firefox better." They never told anybody that they are
selling the "studies" functionality which silently installs ("opt-out" not opt
in!) to the advertisers.

I don't know how anybody can defend such an approach.
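
Added example, not part of the thread and not Mozilla's code: a small audit of a profile's `prefs.js` for the study and telemetry preferences named in the comments above. `prefs.js` stores only values changed from the build default, so "unset" means the default applies, which the commenters report as enabled for the studies prefs; the sample file contents and the `WATCHED` list are constructed for illustration.

```python
import json
import re

# Preference names quoted in the thread; none are verified against Firefox source.
WATCHED = [
    "app.shield.optoutstudies.enabled",
    "browser.onboarding.shieldstudy.enabled",
    "experiments.enabled",
    "toolkit.telemetry.enabled",   # per the thread, locked on in Nightly/Developer builds
    "extensions.pug.lookingglass",
]

# One user_pref("name", value); per line, the layout prefs.js and user.js use.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank line, or malformed entry
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, quoted strings
        except ValueError:
            prefs[name] = raw              # keep unparsed text rather than guess
    return prefs

def audit(prefs_js, user_js=""):
    """Map each watched pref to 'on', 'off', 'other' or 'unset' (build default applies)."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))  # user.js is applied over prefs.js at startup
    report = {}
    for name in WATCHED:
        if name not in effective:
            report[name] = "unset"
        elif effective[name] is True:
            report[name] = "on"
        elif effective[name] is False:
            report[name] = "off"
        else:
            report[name] = "other"
    return report

# Constructed sample profile contents.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("experiments.enabled", true);
// user_pref("toolkit.telemetry.enabled", false);
'''
SAMPLE_USER_JS = 'user_pref("experiments.enabled", false);\n'

if __name__ == "__main__":
    for name, state in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{state:6} {name}")
```

An "unset" result is the case to look at: the profile has never overridden that preference, so whatever the installed build ships as its default is in effect.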

------
igravious
Between broken font handling and this Looking Glass thing, whatever it is,
Firefox 57 (Quantum) has been less than stellar.

------
megamindbrian2
They should rename Firefox to Fiasco.

------
shak77
This is what it looks like:
[https://imgur.com/a/mriUw](https://imgur.com/a/mriUw)

It scared the hell out of me! Are these guys losing their minds?

It was reported as a bug and the response thus far is indeed underwhelming for
such a severe issue:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1424977](https://bugzilla.mozilla.org/show_bug.cgi?id=1424977)

~~~
bwat49
It wasn't supposed to be visible on the addons page

~~~
mark-r
I don't think that makes it better. Knowing that there's a way to get an addon
installed invisibly is going to be more justification for paranoia.

~~~
bwat49
You can disable these studies under Options | Privacy and Security

~~~
_red
I hate the fact that Firefox increasingly makes me jump through all sorts of
hoops to find all the hidden options to turn off their various spyware
attempts. It's the Win10 of browsers...

~~~
teddyfrozevelt
Going through your browser settings really is quite the hoop.

~~~
_red
Yeah, it's so intuitive for the average person to type: about:config in address
bar and scroll through hundreds of oddly named parameters to turn off spyware.

Comments like yours are illustrative of a certain mindset. When you encounter
the complexity of domains you are not intimately familiar with (court system,
law, finance, etc), and those complexities are designed specifically to make
it hard for you to protect yourself, I'm sure you are just as understanding as
you are now.

~~~
bwat49
You're being hyperbolic, you don't need to go into about:config.

It's right in the main browser settings, under the Privacy and Security
section where one would expect settings like this to be

~~~
bigbugbag
If what you say is true, please point me to where I can find the following
privacy settings in the main preferences:

    
    
      network.websocket.enabled
      network.IDN_show_punycode
      dom.event.clipboardevents.enabled
      dom.storage.enabled
      dom.indexedDB.enabled
      dom.battery.enabled
      dom.enable_user_timing
      dom.enable_resource_timing
      dom.netinfo.enabled
      layout.css.visited_links_enabled
      browser.safebrowsing.phishing.enabled
      browser.safebrowsing.downloads.remote.enabled
      browser.safebrowsing.malware.enabled
      browser.send_pings
      beacon.enabled
      privacy.donottrackheader.enabled
      privacy.trackingprotection.enabled
      dom.enable_performance
      datareporting.healthreport.service.enabled
      datareporting.healthreport.uploadEnabled
      toolkit.telemetry.enabled
      toolkit.telemetry.unified
      media.peerconnection.enabled
      media.peerconnection.ice.default_address_only
      media.peerconnection.ice.no_host
      media.eme.enabled
      media.gmp-eme-adobe.enabled
      webgl.disabled
      geo.enabled
      camera.control.face_detection.enabled
      device.sensors.enabled
      security.tls.unrestricted_rc4_fallback
      security.tls.insecure_fallback_hosts.use_static_list
      security.ssl.require_safe_negotiation
      security.ssl.treat_unsafe_negotiation_as_broken

~~~
justinclift
Errr... is "dom.enable_performance" really a privacy setting?

Doing some online searching now, not seeing an explanation for it. There is
one other HN post though, also mentioning it in a privacy context, but no
further info either. :/

------
jerianasmith
Having issues with your extra? Beginning with Firefox 57 (in discharge), just
additional items manufactured utilizing WebExtensions APIs, the new innovation
for Firefox expansions will work.

------
natch
The cringe-worthy construction "different than" which should be "different
from" makes this episode even worse.

------
pythonaut_16
Just checked and saw the Looking Glass add-on installed on my work laptop.

I've uninstalled Firefox and will be removing it from all of my computers. I
had just started slowly migrating back to it with the performance enhancements
in the latest update, but honestly I don't think I can get past a breach of
trust at this level.

~~~
djsumdog
I switched to Vivaldi a few months back and tried out FF57 recently. I really
wanted to move back to FF again, but two weeks in, the performance
enhancements just seem really overrated. The UI is still draggy, load times
are not great.

I ended up going back to Vivaldi.

