The "Get Add-ons" view in Firefox is an iframe to a page hosted by addons.mozilla.org. AMO, as all Mozilla sites, use GA to collect aggregate visitor statistics. We negotiated a special contract with Google  to only collect a subset of data and that that data is only used for statistical purposes.
Mozilla tries to walk a very thin wire to ensure that we have the data we need to make sure our products are working properly without being intrusive, and to let concerned users opt-out of even that baseline data collection.
The "Get Add-ons" view in Firefox is an iframe
Honestly, you hugely fucked up with this one. You lost a massive amount of trust with me that took years to grow.
If you care about privacy, blind trust is never something you should have.
The TOR devs are fixing this part in their browser, and their comment was:
> Disallow `about:addons` unless the extensions directory is volatile, because regardless of what Mozilla PR says about respecting privacy, loading Google Analytics in a page that gets loaded as an IFRAME as part of an `about:` internal page, is anything but.
No, this is something that by law I have to be informed about. And Mozilla has a reputation of working for their users, so I actually trusted them.
I do agree with you after this, the trust was misplaced, Mozilla is not any better than Google, NSA, MfS/Stasi or GeStaPo, just not giving a single fuck about privacy, but I did trust them before this, and so did many others.
In fact, people only used Mozilla products because of this trust.
Choose to walk the thick line and even if you stumble, you will not fall.
It’s obvious this violates both the so-called "Cookie Law" and the Google Analytics ToS, as both require any page with tracking to specifically tell the user that they will track the user. And the so-called "Cookie Law" goes even further, and requires it to be directly done in a modal.
How did Mozilla, a company saying they fight for privacy, approve something that does not even meet the absolute minimum bar for privacy, the actual privacy laws?
The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites. And that's assuming a standard GA snippet, not the smaller subset of data Mozilla is collecting here.
Do you have a good reference for this? Especially the "don't follow you across sites" seems weird as Google will end up collecting hits from the same IP/browser/etc combo across sites, which trivially allows following.
TLDR: If you use the following code. You are fine to use GA without a notice under Dutch law.
ga('set', 'forceSSL', true);
ga('set', 'anonymizeIp', true);
Edit: what do we think?
I don't know about following you across sites, but "PII" is a US legal term, so I highly doubt it's a determiner in applying EU law. GA may not collect PII under US law, but it does fall into EU data protection compliance.
The problem in the EU is the system of enforcement. EU directives require member states to legislate individually, and to enforce their own legislation individually. If that enforcement is deficient, the case can be taken to the ECJ on an individual basis (at possibly significant cost). This doesn't work. Which has motivated the creation of GDPR, but unfortunately this doesn't come into play until 2018
This is what tofumatt was referring to when closing this Github thread.
However, given Mozilla's recent advertizing attempts slinging mud at Google/Chrome, it seems like they're asking for their credibility to be shredded publicly, in the media. This is an important enough matter that it deserves immediate escalation, to get a clear and coherent response at the organizational level that is communicated convincingly to users. Anything short of that (especially a simple local bug fix) risks winning the battle but losing the war, as Firefox's fundamental selling point now seems duplicitous and disingenuous.
I sincerely hope that Mozilla/Firefox developers have the vision to recognize that, and consider this matter of utmost importance. All the features and technical improvements they might hope to ship in the next several months are irrelevant compared to this single issue.
To me, this debate is a great example of a situation where an organization must be guided by its core principles -- not by what seems convenient in each specific instance.
Which "single issue" is that then? That AMO is using GA (and has been for years)? Or that TP doesn't work correctly for the in-browser UI?
I'm going to have to disagree with you there.
1. Mozilla casts aspersions on Google/Chrome for not respecting users' privacy. (eg: recent billboard advertizements)
2. Mozilla doesn't respect users privacy because it uses tracking, that too third-party, that too from Google.
Pot -> kettle -> etc...
Mozilla risks losing credibility. What fundamental principles do they claim to stand for, if they're willing to compromise those for convenience?
But this may be a case where even though Mozilla is technically doing the right thing, perceptions will tend the opposite way. Without that statement in that old bug, most people would never know the Mozilla GA data is siloed.
Note that old-style extensions do work and currently still block this.
3. that a part of the browser chrome (which is technically iframing a website, but should still meet user expectation of being a part of the browser) is tracking users who have explicitly opted out of browser telemetry.
4. that in-browser telemetry includes sending user data to 3rd-parties without that being explicitly consented to.
Tbh, AMO using GA is something I don't really find acceptable, and would much rather was phased out, but having been aware of it for so long, it'll hardly drive me away. Most importantly, I can block it with an addon (unlike this issue).
Really though, the crux of the issue here from a PR perspective is not any individual technical failing, but the really disappointingly dismissive attitude of the Mozilla devs replying to comments on Github and here. If an employee of Mozilla can't see the significance of this, I worry about Mozilla's adherence to it's own stated mission.
They should stop that now after this PR disaster.
Telemetry actively benefits development of Firefox, and a pro-privacy user will want to strategically share their data with entities they trust in order to row back against the tide of entities that they do not trust.
Frankly, Mozilla are shooting themselves in the foot by sending any data from any of their products or web properties to their primary competitor.
This ship sailed a long time ago. Mozilla negotiated stricter privacy in their contracts with Google, and Mozilla Legal clearly believes Google will uphold those agreements despite it being a competitor.
You may be right, but I hope not. The fact Mozilla negotiated stricter privacy in their contracts is a step in the right direction, so this shows some desire to improve. It needn't be the final step.
Beyond that, there are other areas where there's been similar change. The Mozilla Stumbler project, for example, is explicitly designed to improve user choice in a privacy-sensitive area dominated by a Google service; a service that was embedded in Safari, Firefox and Opera 12 (Presto) for a long time without users being aware their browser was phoning home to Google.
I would hope this GA fiasco could someday be similarly resolved with enough user pressure.
I know many people ignore it just like with all the other "I agree" check-boxes that pollute websites, but it is a breach of the Terms to sneak it onto your site or service.
It's actually a good podcast episode and I recommend checking it out.
https://irlpodcast.org/ , https://twitter.com/tombrossman/status/883972350387134464
Additionally, this still violates the Cookie Law.
> The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with “clear and comprehensive information”, in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given his or her consent. The regime so set-up can be described as opt-in, effectively meaning that the consumer must give his or her consent before cookies or any other form of data is stored in their browser.
>> I thought web extensions couldn't block that content.
> I just ran a couple of tests, and I believe you are correct.
> Legacy uBlock Origin can block the network request to GA.
> However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.
> What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.
> This is what I have observed, hopefully this can be confirmed by others.
uBlock WebExt does not block GA.
I added a specific filter for the GA domain, but still uBlock failed to block again.
Unrelated, I noticed Firefox also made a connection to aus5.mozilla.org which sets cookies named _ga and _gid.
The latter is expected. The former isn't. In any case you should report this to the author, not here.
As I mentioned in #1107: we will not be
removing analytics support entirely. It
is extremely useful to us and we have
already weighed the cost/benefit of
Ew. Firefox, I am ashamed to know you.
"Which browser should I use"
The optional NoScript add-on does stop this script from running, even on that page. You'd have to configure NoScript to block Google Analytics. I, for one, globally block Google Analytics scripts.
Incidentally, I also block third-party-site Google.com scripts, but that is harder on websites like Hacker News, which will sometimes send for a Captcha check that only completes successfully with Google.com enabled in NoScript.
[edit: I am using the legacy add-on, which Mozilla I guess will disable in November 2017]
All sites using Google Analytics are supposed to inform the user according to Section 7 of the GA ToS: https://www.google.com/analytics/terms/us.html
Just because "no one else does it" and Google turning a blind eye towards violators doesn't mean they're not violating the ToS.
As a European this is annoying, but one has to ask itself the question if Mozilla should willfully disadvantage itself here.
I was going to say Google does the same, but an actual clean profile shows that Google.com shows a banner "A privacy reminder from Google" on first use.
Some parts of Firefox populate the content of some “about:” pages (like about:addons) from web-based sources. Thanks to your comments, we better appreciate how users may not know that content in those pages can come from a web service, and can use third-party analytics. We don’t like to surprise our community, and are disappointed that we did.
It's always been important for us to use Google Analytics and other analytic services in a way that meets the expectations of Firefox users. We have taken great care to ensure that our partnership with Google is structured so that they are prohibited from creating user profiles from our website data, or from tracking users across other websites. We also need to help ensure that we are clear where Mozilla products and services make use of those services.
We want to make sure we follow our “no surprises” rule (https://www.mozilla.org/privacy/principles/) , so we are exploring solutions that inform our users about how these pages in Firefox use web content and analytics tools - and provide our users with tools to better control the data that may be sent. We’ll be making changes in the near term, and will publish updates as we make progress.
Pot meet kettle
You're comment hasn't added any value to the conversation, it's just a rant.
Just look at any Mozilla bugzilla issue addressing Linux video acceleration, as an example.
Can you provide a link?
Need to thank you though, for adding value.
I disagree, his meta-analysis of how these conversations tends to go adds to the conversation by making us all aware of trends bigger than this one story.
Your post criticizing him, however, seems to add nothing to this conversation.
I, on the other hand, am contributing by rejecting your baseless assertion and supporting the meta-analysis of the on-topic topic, that comment threads about public bugs tend to be low quality.
I'm also supporting the topic materially, if you catch my drift.
It was a mistake, and not as huge of one as people are making it out to be. As they have repeatedly pointed out, their GA contract makes it essentially a non-issue, unless you believe Google is so obsessed with tracking that they will violate their contract with Mozilla.
 Which is, incorrectly, not being respected. This is a bug which they will fix.
These are things which are greatly helped by having good analytics (Telemetry for the browser, analytics on your sites). You have to realize that to some extent these goals aren't mutually compatible. Developer resources don't appear out of thin air, even for open source software. Note how in the threads Mozilla explicitly acknowledges alternatives to GA.
Your comparison is a false equivalence, because it's not about telemetry vs privacy, it's about consent. If Mozilla devs adhered to the ethos of the company they took a job at they simply would not have implemented this feature.
If Mozilla devs adhered to the ethos of the company they took a job at they simply would not have implemented this feature.
It looks as when the problem was reported, this was in fact the reaction: make it respect DNT. Using GA by itself rose no red flags because Mozilla has a privacy-enforcing deal with Google about it.
> Using GA by itself rose no red flags because Mozilla has a privacy-enforcing deal with Google about it.
I saw that, and I guess that legal contract may appease some people. Personally, I would rather not have to trust a company with a well-earned reputation for breaking the law when it comes to respecting users' privacy. I would rather they spent the time they invested into negotiating that contract on self-hosting instead.
> a browser which has privacy as a core principle
Sorry, but sad truth is, those two things are mutually exclusive.
The modern web is all about running pieces of code. Websites give you a code and expect you to run it (or they'll break). You can throw in some heuristics (e.g. blacklist known offenders and replace them with do-nothing shims) and try to keep up with the ever-changing world, but here is just no way to have this guesswork as a core principle and expect things to not break.
The term "tracking" has become abstracted to a point where many forget that they usually want to be "tracked" (by hitting "reply" here on HN, YCombinator is "tracking" who I am - user account - and what I've written).
If you'd be happy with a browser exclusively to view public, static content, then it could be done.
For selectively disabling tracking, you need uMatrix, but a component of the Firefox bug being reported here is that the extensions API used by uMatrix is failing to block GA in this particular case.
> but a component of the Firefox bug being reported here is that the extensions API used by uMatrix is failing to block GA in this particular case.
uMatrix and uBlock Origin fail to block GA only when using their web extension versions.
What's the status of blocking third-party cookies again? (cries)
It's probably realistically possible to disable those with the existing browsers. Problem is, that will also break sites that expect you to have all those available. And it's said that there are too many of those (I never saw a proper analysis, though)
Just consider: there are sites (one of my favorite pizza delivery sites does that) that break if you just block Google Analytics ga.js (or their newer versions, whatever they're called) scripts. Just because they have stuff like `_gaq.push` hardcoded into click handlers and if those raise exceptions, they fail.
There is absolutely no need for font enumeration. A browser can decide do download fonts it does not have from the site (what will indeed open it to some tracking), or use another cache (with other, different tracking possibilities). But any way it chooses, it just needs to cache the fonts locally to avoid most of the tracking.
There's no reason for local storage to permit 3rd party tracking. WebRTC was a mistake, and WebGL although well meant is so complex that will never work well.
Caching is one of the ways of tracking you. If site A says it needs some custom font, the browser will have to download it. If then site B (affiliated with A) asks for the same font, and the browser loads it from cache instead of asking site B, then it knows that you've been to site A.
As for local storage, I only needed it for some greasemonkey extensions. Do legit sites actually use it?
> font enumeration, canvas, WebGL, WebRTC
I have all of these disabled for the last 2 years or so actually and I don't feel like I miss anything. Only a few non-important sites need these.
> Just consider: there are sites (one of my favorite pizza delivery sites does that) that break if you just block Google Analytics ga.js (or their newer versions, whatever they're called) scripts. Just because they have stuff like `_gaq.push` hardcoded into click handlers and if those raise exceptions, they fail.
I think that uBlock Origin avoids that if you have the experimental filter enabled.
It's a little less clear here because we're embedding a website into an interface that appears to be part of the browser, which is why there was a suggestion by a maintainer in the first response that we should use both Do Not Track and a Firefox data collection flag. But the Do Not Track preference is just as well-exposed as other flags, so I doubt that would have an effect on many users who would object to this tracking (who are very likely to have turned on Do Not Track).
Currently, no matter what privacy settings you set, you are being tracked, without being informed about it, without opt-out. This is likely even illegal in the EU.
Block ads / tracking outside the browser, eg using a hosts blacklist: https://github.com/StevenBlack/hosts
This allows you to use any browser. I've found Firefox to be buggy and slow on OS X so I use Chrome. It's great on Windows though.
Pale Moon (not too cross-platform), qutebrowser (if you're fine with Webkit and keybindings).
There is also netsurf and dillo but they are not as compatible due to the lack of js and incomplete css support.
I suggest to have a look at Iron browser (open source Chromium with phone-home stuff patched out) or Chromium build in general (with curated settings or stuff patched out yourself). And Vivaldi (reminds one to older Opera UI) is quite good, though closed source.
I put up with Firefox's single threaded nonsense for years, with their outright refusal to properly implement hardware acceleration for Linux, and with their clearly inferior performance. And now I find out they've got Google Analytics on a page where uBlock Origin can't even block it (at least not post FF 56), and that doesn't even respect my telemetry settings (which I've obviously disabled). Every decision they've made lately seems to be targeted at gaining the attention of people who clearly couldn't be arsed to get off Chrome if they proved it gives you cancer, instead of making it better for people who are keeping it afloat.
Congratulations, Mozilla. You've put a whole bunch of us out on the lookout for a replacement. Enjoy your descent into obscurity.
Any other recommendations for privacy-respecting, open source browsers? This seems like a good time for a competitor to earn some market-share.
Mozilla Developer also mentioned:
Actually, @muffinresearch pointed out we could probably just observe Do Not Track here,
because this pane is actually a web page loaded in an iFrame inside the browser page.
That might be faster to ship. Just thinking aloud :smile:
I'm definitely for giving users the option to disable this.
- 1984, George Orwell.
2) The indicated cookie (from bug 1026538) is a cookie sandboxed for privacy reasons and NOT your real Google cookie. It broke the cookie manager exactly because it was sandboxed.
So tell me, what do you mean by using quotes around "bug"?
Even on a Mozilla webpage I wouldn’t expect to see Google Analytics, but instead something like Piwik.
Oh, not arguing that. Even with Google out of the picture entirely, Telemetry is a nice example. But I'd argue it is needed to stay relevant as a browser. So it's not a good counterargument to Mozilla's decision here.
You can see from the relevant bugs that GA vs Piwik and such were certainly considered, so people are definitely thinking about "maybe we shouldn't do that". In the case of GA, it ended up with required data silo-ing on Google's side.
For some people that won't be enough.
The only reason people use Firefox nowadays is because they don’t trust Google. The intersection between "Trusts Google not to abuse data they get access to" and "uses Firefox" is the empty set.
It's a false equivalence. There is a difference between trusting Google not to abuse data they legally guaranteed not to abuse (Firefox), versus, well, pretty much plainly saying your data will be used, and knowing that the product has many features which make the tracking more pervasive and invasive (Chrome, Google Accounts, etc).
I'd love for Mozilla to not use any Google stuff at all, but I'd also love a pony.
I fully expect Google to abuse any data they think they can get away with. But I also expect Google Legal to make sure that Google adheres to the contracts they sign, and in this case they have a contract with Mozilla that requires the GA data to be silo'd. While I'd feel better if Mozilla didn't use GA at all, I also understand why they do use it, and I'm not going to pillory them over it.
There's a page on the wiki aboit various forms of data collections . It os pretty descriptive of the information they send.
The page you linked to starts with "Firefox sends various data back to Mozilla".
Nowhere does it say "Firefox sends various data back to Google Analytics" on that page.
Though it also doesn't mention GA.
Telemetry not associated with GA is generally considered to be different from telemetry collected via GA.
No. That’s the big issue.
You have to actively search out if Firefox tracks you to find out that this happens. That’s pretty secret.
As an aside it suprises me that this is so blown up today (while tracking shipped a long time ago). Many complaining users will even comment or share this via their Chrome browser, which is far worse than Firefox (still not saying that Firefox is doing everything right here :) )
Hi Mozilla, Piwik team here. Would you mind explaining what you found worse in Piwik VS Google and reporting your feedback to us, so we have a chance to improve and in the future to see Mozilla use Piwik to track users, rather than Google?
Additionally, that page has special access to allow installing addons, or removing them, and the Google Analytics script might be able to abuse that to install an addon that leaks your data.
Fore sure, this will leak info you'd rather not, but I see no evidence it allows de-anonymization. If it did, any custom tracking NoScript doesn't know about would defeat Tor.
And that's not the case.
After I learned that Firefox sends data to3rd party servers pretty much like Chrome, and that I was able to turn it off in Chrome, I've been staying with Chrome, as it is at least usable, performance-wise.
I would argue for this on the GitHub issue but they would rather silence all opinions than work around the ill informed ones.
uBlock Origin is no legacy, but probably one of the best options. Glad to see so much contempt from Moz leadership.
I am really wondering why they want to replace xul addons with the web extension ones when they are so weak compared to the xul ones?
To many, I suspect that is the prime intent.
The single biggest loss for me personally has been the ones that would save unsubmitted form content in case of crashes, accidental window/tab closure, etc. When I checked recently, there no longer appeared to be any add-on available that provided this valuable functionality.
I even contributed to one this morning that is quite attractive, called Tab Center Redux.
If you do this add-on tracking despite this option is turned off, this is a clear breach of trust. If I have this option off, then I expect that exactly such a tracking of usage and customization like described above is NOT happening.
Which reads a lot like "they are giving us a pile of money to breach your privacy, so to hell with you."
I didn't expect that I'd have to do that on an about: page.