Hacker News
Studying how Firefox can collect additional data in a privacy-preserving way (groups.google.com)
278 points by GrayShade 112 days ago | 428 comments



I can do a quick summary of what's being proposed and why. I work in the JS team at Mozilla and deal directly with the problems caused by insufficient data. Please note that I'm speaking for myself here, and not on behalf of Mozilla as a whole.

Tracking down regressions, crashes, and perf issues is hard without good telemetry about how often they're happening and in what context. Issues that might otherwise have taken a few days to resolve with good info become multi-week efforts to reproduce the issue with little information.

It simply boils down to the fact that we can't build a better browser without good information on how it's behaving in the wild.

That's the pain point anyway. Mozilla's general mission, however, makes it very difficult to collect detailed data - user privacy is paramount. So we have two major issues that conflict: the need to get better information about how the product is serving users, and the need for users to be secure in their browsing habits.

We also know from history that benevolent intent is not that significant. Organizations change, and intents change, and data that's collected now with good intent can be used with bad intent in the future. So we need to be careful about whatever compromise we choose, to ensure that a change of intent in the future doesn't compromise our original guarantees to the user.

This is the proposed compromise being floated: don't collect URLs, only top-level+1 domains (e.g. images.google.com), and associate information with that. That lets us know broadly what sites we are seeing problems on, hopefully without compromising the user's privacy too much. Also, the information associated with the site is performance data: the time spent in the longest garbage-collection pause, paint janks, and so on.

This is a difficult compromise to make, which is why I assume it took so long for Mozilla to come around to proposing this. These public outreaches are almost always the last stage of a lengthy internal discussion on whether proposals fit within our mission or not.

I'm not directly involved in this proposal, but I personally think it's necessary, and strikes a reasonable balance between the privacy-for-users and actionable-information-for-developers requirements.


> Tracking down regressions, crashes, and perf issues without good telemetry about how often it's happening and in what context.

If that's what you're aiming at, collect the data but keep it local. Install some sort of responsiveness/"problem" monitoring, and ask the user to send data relevant to the problem if one occurs. IMHO there is no need to systematically collect user data for that.

Or get the data from a random sample of users. You don't need data from everyone.


This. Firefox prompts for feedback semi-regularly. I seem to recall it even bends over backwards to make it end-user friendly by having "Firefox made me happy / Firefox made me sad" options. It seems like it would not be difficult to tie that screen to a secondary prompt that says, "Can you briefly turn on some additional telemetry for us so that we can try to fix the problem?" Let the users make that choice to temporarily lower their shields so that you can get some useful data out of their machines, in exchange for the implicit pledge that you will use this data for troubleshooting this one explicit issue (i.e. whatever prompted them to click "Firefox made me sad").

That seems like a reasonable compromise to me. I'm happy to send logs if my browser crashes whenever I visit a certain page, and if I know I'm gonna be monitored for that period, I'll isolate my browsing habits to only that page. I do not consent, however, to sending everything--even anonymized--on the off chance that Mozilla will see the crash events and use them to flag that domain and maybe fix the issue on that particular page.


Awesome idea... why not introduce a "reproduce bug" mode which basically monitors all things in detail. If people are annoyed enough to send bug reports there is a good chance they will use it if properly presented. If people are not filing bug reports you don't really have a business there... If you generally need more of this telemetry advertise it and use it yourself...

That sounds way more reasonable to me.


> Or get the data from a random sample of users. You don't need data from everyone.

To my amateur ear, that actually sounds like a good compromise to lessen the blow somewhat more. You should suggest it to Mozilla :)


I'm not sure how that would help. If I opt-out of data collection, I don't think I'd be particularly pleased if I get randomly selected to be one of the users in this "random sample" and the stats get sent anyway.

And if I opt-in to data collection, why would it matter to me whether the stats I'm sending are a result of me being selected as part of a random sample or not? Might as well just _always_ send those stats; it doesn't matter to me.


That's what's proposed here. I guess no one actually read the post...?


There is no mention that, once validated, the RAPPOR-based metrics would be taken from a random population when fully deployed. Only that the initial study of the system will be run on a random population.

FTA:

"What we plan to do now is run an opt-out SHIELD study [6] to validate our implementation of RAPPOR. This study will collect the value for users' home page (eTLD+1) for a randomly selected group of our release population. We are hoping to launch this in mid-September."

Notably:

"this study will collect ... for a randomly selected group"

[6] - https://wiki.mozilla.org/Firefox/Shield/Shield_Studies


I added the second part about the random sample to the comment later, after I had already moved the proposal out of my short-term memory. I hope they use the data from their initial study to test whether the opt-out group actually differs from the group they already get data from.


"This is a difficult compromise to make"

Then don't make the compromise.

As others have expressed here the reason few people opt in to data collection may be because they have chosen to use a Web browser that does not mandate the collection of data.

I'm assuming there will always be an opt out which I shall add to my list of things I have to do when installing Firefox.


> I'm assuming there will always be an opt out which I shall add to my list of things I have to do when installing Firefox.

There will be. Sorry for the hassle :(


How can I recommend that my friends use Firefox when I know they won't remember to opt out?


On Linux it may be that the various distributions decide to repackage Firefox with the default setting flipped. Not sure about the various policies on that one.

The ESR track will presumably have the default flipped, because corporations get funny about data transfers to remote servers - mind you, Microsoft seem to be getting away with it for businesses that don't have a full-on Enterprise setup.


The way I see it is that if Firefox's userbase dwindles because of this, either we get our Firefox with opt-out telemetry or... Firefox dies. And now we have a Chrome monopoly.

I'm not sure I like that gamble.


> I'm not directly involved in this proposal, but I personally think it's necessary, and strikes a reasonable balance between the privacy-for-users and actionable-information-for-developers requirements.

I use Firefox and always opt into any telemetry that sends data back to Mozilla. You could say I am a fanboy. I think it is a HORRIBLE idea and Mozilla should scrap it yesterday and never bring it up again. If people bring it up again, send them to the roof team (if it doesn't exist, create one). If they come downstairs, fire them. You already have people like me who are willing to opt-in to every single thing you can try. For example, Firefox nightly on Android has consistently crashed for me about every five minutes or so since the last weekend and yet I keep using it. Don't throw away this goodwill.


The problem here is that, for certain types of data, statistics obtained exclusively from users who opt-in to data collection aren't very useful because they're heavily biased in favor of the type of user likely to opt-in (which often isn't very well representative of the average user).


Bias can be corrected statistically.


Statistics are not a substitute for the long-tail effect.

Lack of reporting from non-technical people who aren't aware they can opt-in cannot be corrected statistically, as the two categories of people (technical, non-technical) use the browser very differently.

For a made-up example: if you type "Yahoo" into the search bar, then type "Search" into the field, and then type your search into the third page, you'll be acting as many normal users do, and you may uncover crashes on page #2 at Yahoo that a technical user would never encounter - simply because they wouldn't type the word "Search" into the search field at Yahoo and trigger a JS bug where "Search" or "Yahoo" gets used one too many places and ends up crashing the CSS parser because it race-conditions with repaint.

If that problem affects 0.01% of the Firefox population, that's a lot of people who don't think technically, and do feel regret when we crash and can't help them because we can't see where it crashed.

(Yes, employed. No, I didn't talk to anyone else before I posted here. My own thoughts, I am not a number^Wcorporation, etc.)


This is a horrible development. If Mozilla starts collecting this sort of data on an opt-out basis, it will put many users at risk. Seriously, WTF?

> This is a proposed compromise that is being floated. Don't collect URLs, but only top-level+1 domains (e.g. images.google.com), and associate information with that. That lets us know broadly what sites we are seeing problems on, hopefully without compromising the user's privacy too much.

Sure, there's no problem with images.google.com because it's generically innocuous. But what about pornhub.com for users in Saudi Arabia? Or some Japanese site that's essentially child porn for users in the US? The top-level+1 domain in many cases is totally incriminating.

> Also, the information associated with the site is performance data: the time spent by the longest garbage-collection, paint janks.

Maybe so. But it's collection of the top-level+1 domain that's the problem.

> I'm not directly involved in this proposal, but I personally think it's necessary, and strikes a reasonable balance between the privacy-for-users and actionable-information-for-developers requirements.

Fine. But then, make it opt-in, to protect users.


If it's so harmless, let users opt-in. Adding data collection via an opt-out is shameful, it shows that you know people would not want this and yet you'd prefer to get more data anyway.


Many problems here:

1. You're proposing a mechanism for collecting data, and a strategy for extracting more data than you currently do. You have not figured out the type of data that you will finally need, only a set of things that you currently envision. Naturally, the data that you will collect in the future will be more than what you currently envision. There is built-in mission creep that is dangerous.

2. What you currently envision is not fleshed out as especially useful. You only believe it is useful. The pain point of biased data is a red herring; your concern is more about not having enough data.

3. You have found a technology which you believe will allow you to collect a lot of data anonymously. But none of you seem to understand the technology very well. It seems like a shiny toy that you are eager to go to town with. I am not sure this is the right attitude.

4. You're proposing to use your users in lieu of proper testers, or to save time. There are many ways to properly test software and to save time. Have they been explored? There used to be a time when beta software was a thing. Prompt the users to become testers for your beta software. If users don't want to be testers then don't collect data from them. How much data do you actually need anyway? Have you fully utilized your existing data?

Over all, I see this as a nice-to-have luxury, not some life-and-death situation, and subverting the goodwill of users is not worth it, IMHO.


> There used to be a time when beta software was a thing. Prompt the users to become testers for your beta software.

Firefox already has opt-in telemetry, and Firefox already has a beta channel. It's unclear to me how it would help to tie telemetry to the beta channel; that would just make the existing problems (not enough data, and biased data) even worse, since there are probably far more users willing to share telemetry data than to use beta software.


In context, that might mean that if there has to be some opt-out situation, then opt-out for the beta channel might be slightly more acceptable.


Differential privacy is relatively battle-tested. I wouldn't be too worried about it standing up to scrutiny.


The problem with differential privacy is I have to trust the person aggregating the data to actually do it.


This is incorrect, at least in theory. RAPPOR is designed to protect the user's data even if an attacker can see all of their individual responses over time. Of course, there could be implementation issues...


Do you? Excuse my ignorance, but I thought there was a way to locally mangle the data before submitting. Is that not what apple is doing?


For the case of RAPPOR (and for what Apple is doing), you do not need to trust the aggregator with your data. These algorithms operate in the "local" model of differential privacy, where all privatization occurs on the users' local machines before being sent to the aggregator.
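A simplified sketch of that local model is classic randomized response - far simpler than RAPPOR's actual Bloom-filter encoding, but the same idea: noise is added on the client before anything is sent, and only the aggregate is recoverable. All parameters below are illustrative, not RAPPOR's real ones:

```python
import random

def randomized_response(value: bool, p_flip: float = 0.25) -> bool:
    """Report the true bit, but flip it with probability p_flip,
    so no single report proves anything about one user."""
    return (not value) if random.random() < p_flip else value

def estimate_true_rate(reports: list[bool], p_flip: float = 0.25) -> float:
    """Invert the known noise: observed rate r = t*(1-p) + (1-t)*p,
    so the unbiased estimate is t = (r - p) / (1 - 2p)."""
    r = sum(reports) / len(reports)
    return (r - p_flip) / (1 - 2 * p_flip)

# Aggregate-level accuracy despite per-user noise:
random.seed(0)
truth = [i < 300 for i in range(1000)]            # true rate: 30%
reports = [randomized_response(v) for v in truth]
print(round(estimate_true_rate(reports), 2))      # close to 0.30
```

The aggregator only ever sees the noisy reports; no trust in its storage or honesty is required for the privacy guarantee.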


>Is that not what apple is doing?

I don't know, is it? How would I check, if I consider apple an untrusted actor?


Thanks for your input. Glad to hear someone from the Mozilla team on this thread.

It's an interesting compromise... because without improved performance and features, we'll lose Firefox entirely, and all of the relative privacy/security gains that entails. This is a good example where "perfect" privacy that reaches only a few is the enemy of "good" privacy that reaches more people.


Firefox must continue to exist if we are to have any browser without an economic incentive to be user-hostile. If they need performance traces from websites, and they have an open, clear discussion of how to preserve as much user privacy as possible, they should collect them.


The data collection MAKES it user-hostile. If they start collecting data, then there's no point for Firefox to exist - they're just a crappier version of Chrome.


If user privacy is paramount, then there are multiple ways to lower the privacy incursion that is caused by the data collection.

Only collect top-level domains within the Alexa top 1k. That users are using a highway is less sensitive than a specific street where only 5 homes exist, and it reassures users that private domain names won't be leaked.

Send the data through Tor. That way you only get the data about the browser <-> site interaction, not user<->browser<->site interaction.

And make it opt-in and notify users of the purpose of the data collection. A good model to follow here is Debian installer and popcon. Follow the good practices of data collection in the free software world and do not use dark patterns.


This is a reasonable compromise, but it does bias the sample towards popular sites. Granted, many of these sites are the sites that Firefox struggles with, but browsing habits are a heavy-tailed distribution. That said, smaller sites do open the door for problems, so it's probably a workable compromise.

EDIT: It should also be completely disabled in Private Browsing mode -- otherwise the optics are even worse than they are now.


> there are multiple ways to lower the privacy incursion that is caused by the data collection

The OP actually discusses a very interesting method for doing exactly that using differential privacy techniques. I personally think that's a very good compromise for this use-case.


From the OP, one suggestion is to collect "top-level+1 domains". This doesn't solve the issue of a person going to "starting_a_union_inside_company_x.com", which would be a top-level domain. Niche domains don't have a large number of users, so their users can be trivially deanonymized. It is also rather common that domain name servers have a private and a public side. Firefox could easily become a vector for leaking from the private side, possibly revealing sensitive information such as unannounced products.

From the OP we can also see that they don't intend to store IP addresses, but it will always be possible. By using an anonymity network they can reassure the user and at the same time eliminate the risk that a malicious actor in the future silently starts tracking which websites users go to. An additional benefit is that Mozilla won't become a target for governments - a risk that no organization gathering information about users can ever be safe from.

It is not enough to strike a reasonable balance between the privacy-for-users and actionable-information-for-developers. You also need to find a balance between risk management and time spent on reducing risks. What I propose primarily is that they spend a bit more time on reducing risks, as that would benefit everyone.


Even Alexa 1k could be quite sensitive, for example there are many porn sites in that list.


As an organization, we are very aware that some of the sites people visit using our browser would humiliate them if someone could draw a link between who they are and where they visited. This isn't restricted to porn, but that's certainly the most widely known category of site that falls under this heading. We consider this carefully every time we do anything with any user data ever, whether a crash report or the TLD+1 proposal described above.

EDIT: Don't forget that the DNS resolution for porn sites can be deanonymized and resold by your internet provider - there's nothing we can do to protect you from DNS being a cleartext, sniffable, mitm'able protocol.


Mozilla's crash reporter already has the option of submitting the URL.


There are a couple different reasons crash reports aren't sufficient:

1. Crash reports only report crashes. We also want to see perf issues like GC and paint jank, etc.

2. Crash reports don't sample the general population, so statistically the information is less useful. If we get a perf issue, it's very important to know whether that issue is suffered by 10% of the users in general pop, or 0.5% of users in general pop. You want to prioritize the stuff that has the greatest impact on the general user population.

Lastly, crash reports are sort of a boolean filter - you only get the people that crash. The things I'd like to know to help in my development are things like "what is the histogram of max GC pause times on docs.google.com". Getting that info requires a good random sampling of the population, not just those who exhibit problems.
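As a sketch of why a uniform random sample suffices here: a histogram estimated from a small sample tracks the full-population histogram closely. All numbers below are made up for illustration - they are not real GC pause data:

```python
import random

# Hypothetical population of per-user max GC pause times, in ms.
random.seed(1)
population = [random.lognormvariate(3, 1) for _ in range(100_000)]

# Only a 1% uniform random sample actually reports telemetry.
sample = random.sample(population, 1_000)

def histogram(values, edges):
    """Count values into [edges[i], edges[i+1]) buckets."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        for i in range(len(counts)):
            if edges[i] <= v < edges[i + 1]:
                counts[i] += 1
                break
    return counts

edges = [0, 10, 50, 100, 500, float("inf")]
print(histogram(sample, edges))     # bucket shape mirrors the population's
```

Because the sample is uniform, each bucket's proportion is an unbiased estimate of the population's, which is exactly what crash-only reporting cannot provide.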


1. Then why not add a "perf reporter" and a "paint jank" reporter?

"Hi! It seems that this page is loading unusually slowly, would you mind submitting more details to help Mozilla diagnose the issue?

Click `More Details` to see exactly what information is being reported."

You even already have a good entry point for one of these - the "unresponsive script" dialog.

Personally, I'm far more likely to send you this data (after having looked it over) than in even the opt-out case. If I have to opt out of all data collection to be sure I don't accidentally report www.really-illegal-pornography.com to Mozilla, I'll opt out and you'll never see any information from me at all. If I can avoid sending reports for www.really-illegal-pornography.com but still report lots-of-annoying-javascript.google.com, then you'd get more out of me.

2. If the issue is reported 10x more often on docs.google.com than on obscure.yahoo.com only because docs.google.com is far more common (even though the problem happens only on 0.00001% of visits to docs.google.com but on 10% of visits to obscure.yahoo.com) it does indicate that the issue in docs.google.com is more important. Sure it is rarer per visit, but a user is still 10x more likely to encounter it.


>You even already have a good entry point for one of these - the "unresponsive script" dialog.

Thanks for bringing that up.


> Lastly, crash reports are sort of a boolean filter - you only get the people that crash. The things I'd like to know to help in my development are things like "what is the histogram of max GC pause times on docs.google.com". Getting that info requires a good random sampling of the population, not just those who exhibit problems.

PLEASE do not go down this road. Look where "optimizing" video card drivers has led the video game industry. Game engine developers and game developers are lazier than ever. It is not up to you to make sure docs.google.com runs well on your browser. It is up to you to provide browser that adheres to (and defines if it must) standards. It is up to the web developers at docs dot google dot com to make their application work on Mozilla Firefox.


This is getting off-topic, but it's interesting. I think I have the exact opposite take on things from you :)

A program written by a developer and used by a user is a relationship between that developer and the user. I just work on the platform that allows that relationship to exist. I feel it's overstepping our boundaries as platform providers to say "we're not going to make this platform faster for you because we think developers are writing bad code using that performance as a crutch".

It feels like I'd be setting myself up as a self-appointed clergy over moral matters in software development. It's not a hat I'm comfortable with.


Why not think about the program you are working on as one built to support the open standards that enable people to communicate, and concentrate on performance within those standards? If someone wrote badly performing, non-standard-compliant code, the program should throw an error.

Making bad code run faster is overstepping the boundaries.


But we're not making "bad code" run faster. We're making code run faster. The original counterpoint was that we shouldn't be, because improving the performance just gives leeway for bad programmers to use it as a crutch.

We don't prioritize bad code for optimization. See usage of 'with' in Javascript. We don't actively try to make it worse, but whenever a decision is presented which regresses 'with' performance for gains somewhere else, it'll probably be taken because we don't care about 'with' running fast.

But consider the example I mentioned: histograms of max GC pause times on a particular website. Or particularly bad janks, or long amounts of time spent in JS, which might be the result of poor JS execution.

None of these optimize "bad code". They're just standard platform performance optimizations that help all programs. That will include "bad" programs as well.


THAT is your use case? And this just CAN NOT be done from opt-in? Makes no sense.

If mozilla can't see how utterly insane this is then there is no hope left.


>A program written by a developer and used by a user is a relationship between that developer and the user.

What about the relationship between you/Mozilla and the firefox users? This thread is evidence that at least some of the users are not happy that you are (in their eyes) sacrificing their privacy for future performance gains.


Making optimizations based on telemetry from real-world sites doesn't mean you're optimizing for that one site only, like a video driver including hacks for a specific game. For example, shifting an array in Firefox used to be O(n) vs. O(1) in the competition [1]. Improving these sorts of code paths benefits the entire web, even if the performance issue is discovered and profiled on docs.google.com.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1348772
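The linked bug concerns SpiderMonkey internals, but the O(n)-vs-O(1) gap for a front-of-array shift is easy to demonstrate in any language. A sketch in Python, where list.pop(0) moves every remaining element while deque.popleft() just advances a head pointer:

```python
import time
from collections import deque

n = 20_000

lst = list(range(n))
t0 = time.perf_counter()
while lst:
    lst.pop(0)        # O(n): shifts every remaining element left
t_list = time.perf_counter() - t0

dq = deque(range(n))
t0 = time.perf_counter()
while dq:
    dq.popleft()      # O(1): just advances the head
t_deque = time.perf_counter() - t0

print(f"list: {t_list:.3f}s  deque: {t_deque:.3f}s")
```

The same workload is quadratic in one representation and linear in the other, which is the kind of engine-level fix that helps every site, not just the one where it was profiled.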


> Making optimizations based on telemetry from real-world sites doesn't mean you're optimizing for that one site only, like a video driver including hacks for a specific game. For example, shifting an array in Firefox used to be O(n) vs. O(1) in the competition [1]. Improving these sorts of code paths benefits the entire web, even if the performance issue is discovered and profiled on docs.google.com.

Again, the question should be if something "benefits the entire web", how can we discover it without an opt-out anti-feature? If the answer is we can't, then we don't want it. It is as simple as that.


>You only get the people who crash

Uh - these are the most important people. The. Most. Important. The people you just pissed off by taking a header in the middle of whatever it was they are doing. Your performance noodling is irrelevant if you aren't addressing those issues.

I'm sorry, but you make the team sound incredibly out of touch with statements like this. To offset the other platforms advantages in marketing visibility, Mozilla has to be better across the board to survive, so unless you guys aren't crashing at all now, I'd say that this should be job #1.


Right, because Firefox developers can only work on addressing crashes or on performance issues, never both.


Sounds good. I'll just work on making things crash faster then.


Top-level domains are still betraying the user's privacy. Does it bug me that PornoTube is significantly laggier on Firefox than YouTube? Sure. Do I want Mozilla to know that I'm visiting it? Hell no.


They wouldn't know that you are visiting it, just that someone is visiting it.


How can they not know that I'm visiting it? I mean, the data is coming from my IP address. Sure, they may be dropping that data before storage. But what if it's intercepted?


Connections to the Mozilla Telemetry server are done over HTTPS, so all an interceptor would know is that you are sending Telemetry and not what that Telemetry is.


OK, fair enough. Then an adversary inside Mozilla that can intercept the data. I mean, the NSA is inside Mozilla, right? It'd be foolish, in my opinion, to assume that they're not. Such a juicy target, and all.


No compromise, I switched to FF on Android to avoid this crap from Chrome and now you'll do it as well.

I look forwards to the fork.


Palemoon on android works wonderfully.


They already said that anything they would do would have an opt-out available.


Regardless, being opted in should not be the default.

They say they have to opt users in by default because otherwise users will not enable this type of data collection. That, in my opinion, should be the #1 indicator that users DO NOT want this collection happening in the first place. They make it opt-out because they know most people won't opt out, either because they forget, aren't aware that it is happening, or for various other reasons.

I'm okay with them collecting any data they want, so long as it is opt-in (because I never will opt in). Mozilla is slowly eroding their original, core values.


Take a list of sites, for example the Alexa top 10,000, and make an automated script that browses these sites and collects whatever information you need. Have a bunch of devices - phones, laptops, PCs from different brands - doing this. It will not cost much, and you don't have to spy on your users.


".. we can't build a better browser without good information on how it's behaving in the wild."

Who decides what is a "better" browser?

1. Is it the authors? Do they write the software for themselves and agree to share it for free with anyone who may want to use it?

2. Is it the users? Do the authors solicit feedback from users to determine what users want? If users demanded a browser with no default telemetry, would the authors comply?

3. Is it third parties who have an interest in the behavior of users? For example, domain name industry, ad-supported businesses, their employees or advertisers themselves. Are the authors on salary, compensated indirectly from advertising revenue? Or does it come from somewhere else?

4. Is it all of the above? If we follow the money where does it lead? Whose decision of what is "better" is the most important?

Mozilla is descended from a defunct 1990's company that aimed to license a web browser to corporations for a fee. It would have been very clear in that case who the browser was being written for. But today, it is not so clear who Mozilla is serving. It resembles some sort of "multi-stakeholder" project.

It would be nice to have a browser that fits description 1 or 2. I believe there are plenty of folks, including some developers, who would appreciate a browser with no default telemetry. By virtue of the total absence of data collection, they might consider it "better" than alternative browsers that "need telemetry" for whatever reason.


> Don't collect URLs, but only top-level+1 domains (e.g. images.google.com), and associate information with that.

Using "images.google.com" as an example is too convenient.

That would be great if you could also add whatever TLD+1 most people would rather keep private as another example right after "images.google.com".


>This is a proposed compromise that is being floated. Don't collect URLs, but only top-level+1 domains (e.g. images.google.com), and associate information with that.

Until sites start programmatically generating a unique subdomain for each [Firefox] user.


> Don't collect URLs, but only top-level+1 domains (e.g. images.google.com)

Do you consider images.google.com to be eTLD+1? The eTLD would be .com; so, eTLD+1 would be google.com; and hence, images.google.com would be eTLD+2?

eTLD: https://en.wikipedia.org/wiki/Public_Suffix_List
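For concreteness, here is a toy sketch of eTLD+1 extraction. It hard-codes a few suffixes for illustration; real implementations must consult the full Public Suffix List, which contains thousands of entries plus wildcard and exception rules:

```python
# Tiny stand-in for the Public Suffix List; note multi-label suffixes.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def etld_plus_one(host: str) -> str:
    """Return the registrable domain: the longest matching public
    suffix plus one more label to its left."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        # Checking from the left finds the longest suffix first.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            start = max(i - 1, 0)
            return ".".join(labels[start:])
    return host  # no known suffix; return unchanged

print(etld_plus_one("images.google.com"))   # google.com
print(etld_plus_one("foo.example.co.uk"))   # example.co.uk
```

This is why images.google.com would never be reported under the proposal as stated: only google.com survives the truncation.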


Yeah, you're right. Thanks for the correction. It's eTLD+1, I just erroneously used images.google.com as an example.


This is clearly an example of the infamous off-by-one error.


>>This is a difficult compromise to make,

Sorry, I do not accept this compromise. Mozilla seems to have lost its way of late. It's sad to see a company that was at the forefront of privacy and security abandon that in the name of market share and performance.

I would rather sacrifice performance for privacy, not the other way around.

From EME, to the adoption of browser extensions as the only customization option, and now this... Mozilla and FF are changing in ways that are harmful to the open, secure, and private web. Following the trends and policies of MS and Google is not the correct path.


I think the core disagreement here is not ideological per se, but on premises. I agree with the motivation of not collecting any data.

That said, I don't feel that we have a choice but to compromise. If we don't build a better browser, then the other browsers will win by default, which means you lose all those privacy and security motivations anyway.

This is not some gleeful romp down the yellow brick road of data collection. It's a hard-searched, difficult compromise to a question that there are no good answers to, and LOTS of disagreement about.


What are we attempting to "win"? Again I go back to my statement about compromising principles in the name of market share.

I have used FF since version 1.0 for a few reasons, the top ones being that it is open source, that it has always been the most privacy- and security-focused browser, and that it was a strong advocate of open standards that were interoperable on ALL platforms without vendor lock-in.

FF is still open source... the rest seems to be in flux now.


> What are we attempting to "win"? Again I go back to my statement about compromising principles in the name of market share

I don't see it as an either-or, but rather a balance to strike. A perfectly private browser with no marketshare doesn't help users. A completely compromised browser with 100% marketshare doesn't help users either.


It would not be no marketshare. It would be the market share you have today: people who respect the principles FF once stood for.

Mozilla is not happy with us current users, though; they would much rather trade us for Edge and Chrome users.

Mozilla has made it clear it does not value the users that desire privacy, customization, and power in the hands of the user. Mozilla has dreams of "beating Chrome", a pursuit I have no interest in and place no value in.


But the marketshare "today" is tanking. It's at 10% and falling. There's no reason it won't get so small that it can't support development any longer.


Then it might be more appropriate to say "has attempted to trade us for Edge and Chrome users." I think it's inevitable that, if they continue on the path they've been on since they started losing marketshare, they will disappear, and sadly, with so many years of audience-alienating development behind them, no one will pick it up.

The only hope is that one of the forks of earlier versions manages to get enough developers and an institution behind it that they can bring it back to popularity, but before that happens we might be calling the internet "Chromenet" and google won't allow you to visit their sites unless they have been signed with a valid Chrome developer key.


Nah, we'll just switch. If you are trying to become Chrome, we'll just use Chrome. (Firefox+data collection < Chrome not logged in).

Edit: I've been with you guys since the beginning, but the line is drawn here.


Why is the choice between opt-in vs opt-out of automatic behavior?

If Mozilla wants perf data, collect it and then prompt the user "crash reporting" style.

I would totally opt-in to prompts. Give it a threshold and ask, "This page seems to frequently perform less well on your computer, would you like to send us a report?"


Random sampling, basically. The value of random sampling is hard to overstate - it gives you a real picture of what's going on. A non-random sampling gives you a picture, but you have no way of confirming that the picture is a reflection of reality.

Random sampling and privacy run into conflicts not just in the browser space, but everywhere else. For example, the Canadian government recently went through a period where it allowed census respondents to optionally answer some questions that were previously mandatory (citing privacy arguments). The result was several years of poor census information. The current government reinstated the mandatory census questions.

The browser is just one arena where this everpresent conflict between knowledge and privacy plays out.


I've used Netscape then switched to Firefox when Netscape became way too bloated, then enjoyed years and years of Firefox getting better, supporting new JS and HTML5 features all WITHOUT telemetry and with the Crash Reporting window where I can see the data that is being submitted and submit it if I want to submit it.

What has changed so much in the last 5 years or so that now you have to get all this data? What is wrong with just building a standards-compliant browser that runs JS fast and has easy-to-understand settings (where I don't have to go to about:config to disable WebRTC/telemetry/Pocket etc.)?


> What has changed so much in the last 5 years or so that now you have to get all this data?

To be honest, a lot. Once again, this is my personal take on the matter, not Mozilla's view.

First off, browsers were a LOT simpler back then. The sophistication and complexity in a browser has grown significantly in the last decade or so.

Secondly, browsers have matured. Remember that this software category has only been around for 20 years or so. Compared to the code quality in browsers today, browsers of 10 years ago were crude and simple. As a software category matures, the low-hanging fruit dry up, so it's harder and harder to improve your product.

Lastly, competition. Firefox had the luxury of being released when the biggest competitor (Microsoft) wasn't putting real effort into its browser product. Google will not make that same mistake with Chrome.

Basically, we needed less information back then, because the problems were much more obvious and the whole industry was still pretty young. Now browsers are much more mature, the ecosystem is much more complex and has a much wider user base, and the problems are becoming harder and harder to pin down.


I think it's good to annotate this with your other comment as to why Firefox has to join this competition, rather than just do its thing and disregard its marketshare:

> A perfectly private browser with no marketshare doesn't help users. A completely compromised browser with 100% marketshare doesn't help users either.


That make sense for top sites and Flash.

But for things like perf and regression? Really?

You might miss out on issues if users don't submit, but each submission is an indication of a problem (because it's Firefox that decides a problem is bad enough). And you can still prioritize based on how common that problem is.


Under the "collect and prompt" scheme, you are still sampling randomly.

A random sample of users experiences perf issues, a random sample of users opts-in to the collection, you get a random-sample of data. (If you suggest they opt-in to continued collection, you might even get a continuous stream of samples from the same user.)

Yes, that data won't cover the people who don't have issues, but do you need to optimize for them? It also won't cover people who have issues but still don't opt-in, but do you think that is somehow correlated to the severity of the issue? Otherwise the data will be mostly unbiased. The variance will be higher than if you made it opt-out, but if you are doing sound statistics, you will have to handle that anyway.
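The unbiasedness claim above can be checked with a quick simulation: if opting in is independent of having the issue, the opt-in sample's estimate is centered on the true rate, just computed from far fewer reports (hence the higher variance). All rates below are made-up for illustration.

```python
import random

random.seed(1)  # fixed seed so the sketch is reproducible

def optin_estimate(n_users=100_000, p_issue=0.10, p_optin=0.05):
    # Each user independently has the perf issue and independently opts in;
    # we only ever observe reports from the opted-in users.
    sample = [random.random() < p_issue
              for _ in range(n_users)
              if random.random() < p_optin]
    return sum(sample) / len(sample)

print(optin_estimate())  # close to the true rate 0.10, from only ~5,000 reports
```

If opting in were instead correlated with issue severity, the same estimator would be biased, which is exactly the question raised above.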


The thing is, I think, that the users that opt-in to the collection aren't "a random sample", but rather "a sample of users biased towards certain profiles".


And how did they find that out?


In part, AFAIA (though I've only limited statistical training), this is a well-known feature of voluntary datasets. But IIRC they've also done user studies and compared those.


If you become everything people dislike about the other browser, nobody is going to care what happens to you.


Here's what's going to happen.

You people are going ahead with this idiotic plan - because that is what Mozilla does, asks for feedback and then proceeds to ignore feedback - and you will lose another 2% market share.

The reason is painfully obvious: You betrayed one of the core principles of Firefox, which is privacy. You pissed off a lot of people which will NEVER come back because you stabbed them in the face and spat in the wound.

You also gave Microsoft and Google a freebie. Now they have something else to throw back at you: your supposed "more private" Firefox phones home with your users' browsing history (not strictly true, but people don't dig that deep into the minutiae).

How's that stopping them from winning by default? You basically just disqualified yourself...

Make this thing optional, otherwise you are dead meat. If you can't "win" without betraying your principles, it's time to either throw in the towel and give up, or just be upfront and admit that you are going to go all in, users be damned.

That last option would actually probably gain you a few users.

Edit: spelling...


I guess this is offtopic, but what do browser extensions have to do with openness, security, or privacy?


It is a factor in openness: the Browser Extension API being developed by FF, MS, and the W3C is very limiting, far more limiting than the old XUL-based model.

It can be a factor in security, both positive and negative. XUL was very powerful and could be abused, but it was also used by some projects to enhance the security of FF or provide other security-related functionality that is now no longer possible unless FF allows it or builds it into the browser directly. Same for privacy.


It's limiting at the moment because it's not finished yet. And Firefox in particular has far outpaced any third-party or industry-wide standards in adding new APIs. They've been proactive and responsive in getting feedback from addon developers while designing the APIs. I would say security addons are one of the top priorities. For example here's a blog post by the NoScript developer: https://blog.mozilla.org/addons/2017/08/01/noscripts-migrati... "I feel that Mozilla has the most flexible and dynamically growing browser extensions platform"


I will openly admit that I am skeptical of any initiative that has the backing of the W3C, Microsoft, or Google, all of which have proven they are more than willing to sacrifice user privacy and security.

So, since Web Extensions / Browser Extensions was started by all three of those entities, with FF adopting them, I am very, very cautious of them.


In the Google Analytics issue last month, "legacy" uBlock could block the connection while the WebExtension version couldn't. It can't because it is not allowed to (openness); as a result, your privacy is compromised.


There are many very, very political people inside Mozilla. Some of them may even want to commit political violence. Political violence seems to be a problem that just grows and grows, so how can we be sure that it's not supported in Mozilla? These would be a very small minority of Mozilla, of course, but the problem is that you don't know who it is. And it only takes a single extremist to betray your users, to get your users injured or even killed.

The same concern will of course apply to any other data harvesters, but that's for another thread


Ok, I get your point. You need the extra debugging information.

Now, here's my concern. I DO NOT want compromises. I DO NOT want to balance anything. I DO NOT want this telemetry crud on my browser spewing out my browsing history to anyone, no matter how anonymous you people claim it will be.

I just want a decent web browser.

What are my options? "Mozilla's way or the highway"? Redirect evil.telemetry.things.mozilla.org to /dev/null? Go back to elinks?

Or will there be a "disable this piece of crap utterly and completely" button somewhere not hidden under an URL? Or even better, a compile flag?

Edit: spelling...


There'll be an opt-out, just as there always has been. That's not what's being discussed here. The question is whether these stats should be collected on an opt-out or an opt-in basis.


Before you send any telemetry, get informed consent by presenting the user a dialog enumerating everything that you are sending. I'd be fine with opt-out then; otherwise this is a dark pattern and you are getting on my shit list.


If you present the user a dialog, that is effectively opt-in, which is what already exists.


You wouldn't say anything else, so your statements don't change anything: any company that wants to collect more data would justify it in the same way.

The main reason to collect data is monetization. People don't like to think they're being sold, so it's justified on other grounds. That's a universal. Since the way data is monetized is to track and segregate users, claims that it can be done in a privacy-respecting fashion are, therefore, specious.

There is one conclusion to be drawn here, and it isn't that Mozilla is going to respect my privacy.


Are you honestly suggesting that the only possible use for aggregate user statistics is for ads? Not for A/B testing or tracking performance regressions?


I'm saying that the behavior of someone who was collecting aggregate statistics for ads and the behavior of someone who was collecting aggregate statistics for another reason would be identical in this forum, so we must assume the worst.


Note: "planning" means "reaching out for feedback about".

Also interesting: the method they plan on using for anonymising this: https://en.wikipedia.org/wiki/Differential_privacy#Principle...

If that is not sufficiently anonymous, then please submit the reasoning why to Mozilla.


I think the burden here is backwards? URLs may contain Protected Health Information and other identifying information. If this data can leak despite SSL and be sent to a third party, then it makes Firefox an unsuitable client for a great many applications.

EDIT: OK. It's boolean flags (like use of Flash) plus an eTLD+1 (example.org, not myname.example.org?). Even so, I believe this tracking should be opt-in, with a disclosure screen that explains exactly what Mozilla is recording. Informed consent is a practice we should be promoting, even if it seems unnecessary.


They don't plan on collecting URLs, just (eTLD+1). The only real issue I can see here are users who have registered their own domain under an eTLD, and have it set to their home page.

eTLD: https://en.wikipedia.org/wiki/Public_Suffix_List
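For illustration, eTLD+1 extraction amounts to finding the longest matching public suffix in a hostname and keeping one extra label to its left. A toy sketch with a tiny hand-picked suffix set (a real implementation would consult the full Public Suffix List, e.g. via a library such as tldextract):

```python
# Toy illustration only: a real implementation consults the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def etld_plus_one(hostname: str) -> str:
    labels = hostname.lower().split(".")
    # Scan from the longest candidate suffix down: the first match wins,
    # then keep exactly one label to the left of it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return hostname

print(etld_plus_one("images.google.com"))     # google.com
print(etld_plus_one("myname.example.co.uk"))  # example.co.uk
```

This is why "co.uk" has to be treated as a suffix rather than a domain: naively taking the last two labels would collapse every .co.uk site into one bucket.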


> The only real issue I can see here are users who have registered their own domain under an eTLD

Doesn't the differential privacy system described above prevent even that from being an issue?


I'm not sure if they're planning on collecting every homepage domain here, or just asking something like "Is your homepage domain in the list of top 1000 domains?". In the former case, just having the domain listed could leak information. In the latter case, I can't see any issues.


It's more like: "Is your homepage google.com? Flip a coin, if it's heads tell me the truth, otherwise flip another coin and answer yes if it's heads or no if it's tails." (A bit simplified, but that's the general idea behind differential privacy.)
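That two-coin scheme is classic randomized response, and it can be sketched in a few lines. The 0.5 probabilities are the simplified version from the comment above; the population rate is still recoverable because E[yes] = 0.5·p + 0.25:

```python
import random

def randomized_response(truth: bool) -> bool:
    """One respondent's answer under the simplified two-coin scheme."""
    if random.random() < 0.5:       # first coin heads: answer truthfully
        return truth
    return random.random() < 0.5    # tails: second coin gives a random answer

def estimate_true_rate(answers) -> float:
    # E[yes] = 0.5 * p + 0.25, so p = 2 * (yes_rate - 0.25)
    yes_rate = sum(answers) / len(answers)
    return 2 * (yes_rate - 0.25)
```

Any single "yes" is deniable (it may just be the second coin talking), yet the aggregate rate across many users is still recoverable.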


They're not planning to send full URLs, only domains. Also, the system described is resistant to attacks even if the data is captured (SSL leaks). I don't have enough statistical knowledge to understand how that works, though.


My concern is that it relies on differential privacy, or privacy through deniability. Which seems like a poor fit when it comes down to submitting URLs visited, unless they plan on submitting fake URLs when the "coin flip" comes up as tails twice in a row?

Not to mention, people will tend to visit the same websites repeatedly. The entire premise of DP is that the real data will stand out from the noise, creating a compelling picture of what an individual visits on the web. How will that aggregate data be anonymized, when it is reported with (a minimum of) an IP?

In short, this still requires a lot of trust in Mozilla, even with the DP algorithm, to not do the wrong thing with the dataset. And, in my eyes, making this opt-out and not opt-in already compromises that trust.


That’s still personalized data.

Mozilla has been violating even the minimal legal standards in the EU for years, and no one cares.

It’s insanity that an organization promoting its products with privacy doesn’t even meet the minimal legal standards. We’re seeing Google Analytics tracking in parts of the browser ("Get new Addons" page, for example), without even the legally required cookie warning.

EU law is clear on this: as soon as you store any data, do any tracking, connect to any third party, or transmit anything for analytics, you have to get opt-in.


do_I_have_very_bad_medical_condition.com

Wouldn't that still leak health information? Less overall, but if any is bad, this still isn't acceptable.


Sure, except that with differential privacy, say 5% of telemetry reports would be marked as visiting do_I_have_very_bad_medical_condition.com anyway – regardless of whether they actually did.


What if a person visits 10 domains all indicating the same thing?

5%^10. Very very unlikely. Sounds very similar to "guilty beyond all reasonable doubt".
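The arithmetic behind that intuition, assuming an illustrative 5% per-domain noise rate and independence between domains:

```python
noise_rate = 0.05   # illustrative chance that a single domain flag is pure DP noise
n_domains = 10

# Probability that all 10 correlated flags are simultaneously noise
p_all_noise = noise_rate ** n_domains
print(p_all_noise)  # about 9.8e-14
```

In other words, under these assumed parameters, 10 correlated flags being entirely noise is about a one-in-ten-trillion event, which is the commenter's point about the deniability eroding.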


> URLs may contain Protected Health and other Identifying Information

A URL must not contain PHI. If it does, a breach has already occurred.

And Firefox is only collecting the domain names, it looks like.


What do you mean, a URL must not contain PHI? You can't prevent a non-tech minded person from submitting questions about their health to any text field linked to a form with a GET method.

I'd argue that domains are the same- there are tons of domains that clearly indicate what they're about (e.g. stop-drinking.example)


You can argue it all you want. Whoever is storing that is criminally responsible under Canadian law. It's probably the same if not worse in other countries (Germany, etc.).


@clarkevans But submitting search input via the GET method (e.g. https://www.google.com/search?q=how+to+stop+drinking ) is a common practice in leading search engines.


> What do you mean, a URL must not contain PHI? You can't prevent a non-tech minded person from submitting questions about their health to any text field linked to a form with a GET method.

You can't, but that can't be part of Mozilla's threat model, and it's not relevant here anyway because Mozilla isn't collecting it.

And even if they were, that's not considered PHI legally. You are free to type any information about your own health that you want anywhere; that doesn't make it legally PHI, unless you are providing it to a Covered Entity.

> I'd argue that domains are the same- there are tons of domains that clearly indicate what they're about (e.g. stop-drinking.example)

This information is not legally considered PHI. As for privacy, SNI means that all domains you visit are already visible in transit, even if you are using SSL. Domain names are not considered private.


> This information is not legally considered PHI.

Do you have any sources that go into more detail?

When I've worked on PII in analytics, even TLDs were treated carefully. (obviously not the same from a legal perspective...)


> Do you have any sources that go into more detail? When I've worked on PII in analytics...

PHI is an incredibly well-defined term legally and is not equivalent to PII. Some things that constitute PHI actually wouldn't qualify as PII.

There are a lot of resources that explain HIPAA in great detail; if you want to know the specifics like here, you have to read the bill and the case law itself.


>>You can't, but that can't be part of Mozilla's threat model,

How normal everyday people actually use their product can't be a part of the threat model... Really?

That is scary...


I don't care what the legal definition of PHI is. I am concerned that Mozilla is collecting actual personal health information (if not through URLs, the domain name concern is still valid). And I know that DNS resolution is not necessarily secure from snooping, but having one extra organization explicitly collecting this data is more dangerous than not having one extra org collecting it.


As a practical matter, there are lots of applications that use GET for user-submitted search data. Since GET requests encode user-entered information into the URL, and since the URL is typically found in web server logs and other tracking/history mechanisms, it is unwise to use GET for user-submitted data in applications that are concerned with privacy. However, it was not always considered unwise: REST advocates recommend GET when the underlying information representation doesn't change as a side effect of the request. Therefore, one might just as well say that the logging of URL query parameters is the technical problem.

That said, when a "breach" has occurred is a legal distinction involving the control of information: it is when protected data moves beyond those who have a duty to protect it. Saying that a particular technical approach creates a breach is inaccurate.


I think logging is irrelevant here, because a server can be set up to log POST data too, or not to log the query string. But the problem of leaking data via the referrer exists. Google encrypts (or obfuscates) the search query in the referrer, for example.


A group of URLs tied with the IP accessing them may leak such data. Maybe not in exact violation of the law, but it would allow for a reasonable estimate of the chance of someone at that IP address having some given condition.


Any submission of data requires the transmission of an IP address, which is personal data and necessitates appropriate protection.

I very much hope that the Debian maintainers (and hopefully also the guys preparing Fennec in F-Droid) will disable such data collection mechanisms, either completely or hidden behind an explicit opt-in instead of the opt-out suggested in the e-mail.


> Any submission of data requires the transmission of an IP address, which is personal data and necessitates appropriate protection.

Do you have a citation for that broad assertion? My understanding is that this is highly variable across legal jurisdictions and even in Europe, which typically leads the way in privacy, it's not that simple. See e.g. https://www.whitecase.com/publications/alert/court-confirms-... discussing an EU Court of Justice ruling that had two requirements: the ISP can link that IP address to an individual AND the website operator can get that information from the ISP.


Within the new European GDPR framework, IP addresses are to be considered personally identifiable information, so the concern is warranted. What's decisive when characterizing information as identifiable or not is not the fact of actually being able to perform the de-anonymization (e.g. via the ISP in the case of an IP address), but the mere possibility of it.

Legally, though, Firefox would be allowed to collect this anonymous data by having the user send it (e.g. to an API endpoint they provide) via IP-based communication; they would just not be allowed to associate the data with the IP address of the user submitting it. In the end, it comes down to trusting the party that collects the data, at least if they don't anonymize the IP address via other means, e.g. by passing the information through a third-party proxy server.

BTW, GDPR does forbid turning on such data collection by default (privacy by default), so they would be required to get an explicit opt-in from the user for that.


>Within the new European GDPR framework, IP addresses are to be considered as personally identifiable information,...

My understanding is that many of these details are yet to be settled under GDPR. The case referenced above was not interpreted under GDPR, which has yet to take effect. The definitions of personally identifiable data are rather vague, and precedent has not been set. A quick search showed conflicting opinions, but one perspective to consider is quoted below:

> In addition, businesses should note that Recital 26 to the recently adopted EU General Data Protection Regulation ("GDPR") states that the test for whether a person is "identifiable" (considered in detail above) depends upon "all the means reasonably likely to be used" to identify that person. The CJEU in Breyer did not directly consider the issue of likelihood of identification. If the BRD was not reasonably likely attempt to identify Mr Breyer from his IP address, this could potentially give rise to a different analysis under the GDPR. Consequently, it may be necessary for the CJEU to revisit this issue after enforcement of the GDPR begins on 25 May 2018.

This is a few years old, so if you know of some new decision or regulation that clarifies it would be great to know!

https://www.whitecase.com/publications/alert/court-confirms-...


The GDPR does not provide a list of data types that are considered personal or not personal, instead it uses a definition which states what criteria need to be met for data to be personal and gives a list of relevant categories, which explicitly includes "online identifiers":

https://gdpr-info.eu/art-4-gdpr/

Now, you could of course argue that often it's not possible to infer the identity of a person from a given IP address (e.g. because it is an IP address dynamically allocated by an ISP, or the address of a proxy server through which many users connect to the Internet) and therefore store it. It would be very hard to impossible, though (IMHO), to ascertain that none of the IP addresses you store could be used to identify a specific person (what if, e.g., 5% of the IPs in your data are static?). This in turn would make treating all of your IPs as non-personal data a risky business, to say the least, as there will almost certainly be a way to identify at least some of your users from their IP addresses. The fact that you don't know about a particular way of doing this identification is not relevant here.

My advice: if you do not use a very robust method for making sure that all the IPs you store are non-identifiable, I would recommend not storing them at all (or at least truncating them to their first 24 bits, which does not always eliminate the deanonymization risk either).
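For IPv4, keeping only the first 24 bits means zeroing the final octet, i.e. reducing each address to its /24 network. A minimal sketch using Python's standard ipaddress module:

```python
import ipaddress

def truncate_ipv4(addr: str, prefix: int = 24) -> str:
    # Keep only the first `prefix` bits; zero out the host portion
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

print(truncate_ipv4("203.0.113.77"))  # 203.0.113.0
```

Up to 256 hosts then share each stored value, which reduces (but, as noted above, does not eliminate) the re-identification risk.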


GDPR was approved on the 25th of May 2016, with the IP address defined as the poster above you specified, is my understanding.


It might not be legally protected, but that doesn't change how sensitive it is.


What's up with calling obvious stuff by "broad assertion"?

Are you saying that people can not be identified by their IP address?


Because it's neither obvious nor globally true. Legal status varies around the world, and from a technical perspective an IP address on its own doesn't usually identify a person unless you have other information (account data, correlated data from other sites, etc.), and things like NAT and public Wi-Fi make that extra information necessary to reliably link activity.

I think it's important to talk about this issue, especially the importance of not storing IPs long-term, but from my perspective the real concern is the industry dedicated to linking and sharing your online activity. Without that, an IP has little value; with it, they can deanonymize most people without using IPs.


> Any submission of data requires the transmission of an IP address, which is personal data and necessitates appropriate protection.

And requires an opt-in under EU law, which makes this entire thing even more ridiculous.


Then don't send the correct source IP address; with simple statistics gathering like this, I hardly expect they require a response. That would mean there would be no personal data whatsoever.


Most ISPs filter spoofed IP addresses nowadays[1]. Even if your ISP doesn't prevent it, NAT might. You wouldn't get a whole lot of responses this way, and there'd be a strong bias because of regional differences w.r.t. filtering.

[1]: https://spoofer.caida.org/summary.php


How would you do that, though? The browser has to open a socket to something to do this, after all. And that already is a violation.


You'd just send a UDP packet with a spoofed source address and forget about it. There's no need to open any sort of 2-way connection for data that's only being transmitted in one direction (from browser to metrics server).


You could transmit the telemetry through Tor.


Tor is blocked in some places and viewed as very suspicious in others. If you're already in a place where you're trying not to draw attention to yourself, using Tor might not be a good option.


This isn't how TCP/IP works.


With UDP/IP it would work, provided none of the routers on the way to the destination filter spoofed IPs.


Wouldn't spoofing IP addresses risk the data packets being filtered out by ISPs or other upstream network providers? IMO, if keeping IP addresses hidden is a concern, it'd be better to use something like Tor.


Does an IP address actually require an opt-in? And if it does, does it only apply if it is being stored?


Yes[1], no[2]. An IP address is "personal relationships" data and collecting, processing or using such data is prohibited unless allowed by law or the concerned person gives consent.

[1]: https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz#Types_...

[2]: https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz#Overvi...


The way I interpret this, if you don't collect, process or use the IP address beyond it being incidentally involved in the transmission of anonymized data, it shouldn't require explicit consent.

Otherwise literally everything that connects to the internet in some way would have to be treated that way, and that's not how the law is currently enforced.


> Any submission of data requires the transmission of an IP address

Not true. Tor has demonstrated that it's entirely possible to transmit data over the internet without revealing your IP address to the party you're transmitting to.


At a heavy latency cost, and under the dubious assumption that regular people control all exit nodes.


Actually no, it doesn't matter who controls the exit nodes as long as your only concern is keeping your IP private. (Exit nodes can indeed do bad things to unencrypted traffic, but that's irrelevant for this use case.)

Latency also doesn't matter here; this telemetry could take 5 minutes to reach its destination and it wouldn't matter, so long as the data is eventually received.


Hmm, I've never thought of that. I like your idea.


The point is not whether this method is "sufficiently anonymous", the point is:

I don't want my browser to collect any kind of data.


Why?

No, seriously; why? I don't get this mentality at all.

Let's ignore the exact implementation here for a moment, and assume that Firefox is somehow magically doing this data collection in such a way that it is guaranteed the data collected cannot be traced back to you as an individual. (E.g. "sufficiently anonymous".)

What problem do you have with that, specifically? How does this harm you in any way?


If it's done through "secure" code, you can't guarantee it stays that way in the future, nor what Mozilla does with this data in the future. It also doesn't set a good precedent to proceed in this direction of opt-out behavior in Firefox.


In this case, it's not through secure code though, it's through the nature of the data being sent itself. Differential privacy is meant to ensure you _can't_ use the data to make any sort of inferences about individual users; only about users as a whole.

That's kinda beside the point here though, as the GP seemed to be against collecting this data _regardless_ of whether or not it's anonymized. I'm interested in hearing why.


And I don't get the mentality where I should justify why I don't want my tools to report what I am doing.

I'm ok with testing things and sending feedback, but when I switch to a production environment, I just want my tools to behave like my tools, not the testing farm for somebody else.

Why should I prove to you that it would harm me? I just do not want it, it should be enough.


I don't know, to me that's a bit like running a torrent client and expecting the default setting to be "no seeding, download only". After all, the torrent client is _your_ tool, right? Why should it do anything except the bare minimum required to download the files you want? Why waste upload bandwidth on something that doesn't benefit the user?

Obviously that's ridiculous, right? If the default setting was to not seed, torrent clients would be much less useful for everyone involved. Browsers sending usage stats are much the same way. While no individual user benefits from _their machine_ sending those statistics, it's better for the user population as a whole if the default setting is to send them, since those stats help the browser vendor build a better browser. (And before you cry "privacy", remember that in this context we're talking about a situation where the statistics are being sent in a way that is "sufficiently anonymous" such that privacy isn't an issue. See the GP.)

So while I agree you certainly should have the right to disable sending usage statistics if you wish (just as many Torrent clients let you disable seeding), expecting that to be the default setting is a bit strange.


It’s a question of consent.

Imagine I came to your house, and photocopied all your documents.

Don’t worry, I blanked out the name, so it’s completely anonymous, and everything is where it used to be.

Would you be okay with that?

I certainly wouldn’t.

Making this opt-in or opt-out is a question of consent, and choosing opt-out shows that you don’t give a flying fuck about me, and only want your own benefit.


If you continue to post uncivil comments to HN we are going to ban you. You've had many more warnings than usual.

https://news.ycombinator.com/newsguidelines.html


What is uncivil in this comment? I’m sorry, but I don’t see anything problematic in there, and I’d say the same to anyone’s face IRL, given the same circumstances.

There is a swear word used, but in context it is not in any way uncivil, as the plural "you" that it is referring to is an abstract person, a hypothetical entity – not any actually involved person. (In this case, the potential future group of people at Mozilla who might decide to override an explicit choice I made for their own convenience.)


Profanity isn't an issue on HN but "you don’t give a flying fuck about me, and only want your own benefit" is not, to my ear, the sort of thing one says to an abstract entity.


Have you also read the "and choosing opt-out" before that?

The topic is a choice that Mozilla plans to make, and is currently asking users about.

The decision has not been made.

My argument is that, if Mozilla (and whatever users Mozilla asks to give an opinion) chooses to override the current decisions of users who do not want telemetry, and requires a new hidden opt-out, then that would be proof that they (as a group) don’t really care about the users’ choices.

The user I was talking to has no power in making that choice, nor do I. Nor is all of Mozilla making that choice.

I was using "you" with the meaning of the German word "man", (I’m natively German): one; you; they; people (indefinite pronoun; construed as a third-person singular).


Ok, probably a linguistic misunderstanding in this case. But you've straddled the civility/incivility line so often in your comments here that I still wish you would take a few more steps in the right (for HN) direction. I bet translation issues would cease to be a problem if you did.


Then why promote the browser as such?

Remove all "we respect privacy" from the advertisement.

It's misleading.


Because data collection that is "sufficiently anonymous" _does_ respect privacy. If it's completely impossible to tie the data collected to any one particular user, how does the existence of that data compromise privacy in any way?


We can go into an amazing yet pointless semantic argument about what "privacy" means. But let's look at this from a different perspective:

I like your faith. However, if this change goes in and the capability is there, it will get misused. Because, statistically, that's how these things go on this planet under capitalism.


Actually, the way they're implementing this, even if Mozilla decided to try to misuse the data in the future, they still wouldn't be able to, since the data itself is "sufficiently anonymous" (unless of course you want to argue otherwise, like the root comment was suggesting you do).

Or are you saying you're worried that they could _start_ collecting non-anonymized data in the future? If so, I don't really get that argument either. People always have the ability to change what they're going to do in the future, Mozilla deciding now not to collect this data wouldn't change that.


Ok, we changed the title from "Firefox planning to anonymously collect browsing data" to (hopefully more representative) language from the first paragraph of the article.


Can you tell me the URL of the page containing the form where I can submit my feedback?


See the OP.


This is like saying "Diffie-Hellman key exchange has no flaws, therefore HTTPS implementations are perfectly secure".


I'm not saying anything has no flaws, just that if it has, it would be nice if you would inform Mozilla about them.


As someone familiar with differential privacy, and (somewhat less) with privacy generally, here are some suggestions for Mozilla:

1. Run an opt-out SHIELD study to answer the question: "how many people can find an 'opt-out' button?". That's all. You launch this at people with as much notice as you plan to give for RAPPOR, and see if you get a 100% response rate. If you do not, then 100% minus whatever you get is the fraction who will be collateral damage should you launch DP as opt-out, and you need to own up to saying "well !@#$ them".

2. Implement RAPPOR and then do it OPT-IN. Run three levels of telemetry: (i) default: none, (ii) opt-in: RAPPOR, (iii) opt-in: full reports. Make people want to contribute, rather than trying to yank what they (quite clearly) feel is theirs to keep. Explain how their contribution helps, and that opting-in could be a great non-financial way to contribute. If you give a shit about privacy, work the carrot rather than the stick.

3. Name some technical experts you have consulted. Like, on anything about DP. The tweet stream your intern sent out had several historical and technical errors, and it would scare the shit out of me if they were the one doing this.

4. Name the lifetime epsilon you are considering. If it is 0.1, put in plain language that failing to opt out could disadvantage anyone by 10% on any future transaction in their life.
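As a back-of-the-envelope check on that framing (the 0.1 figure here is the hypothetical lifetime budget from point 4, not anything Mozilla has announced):

```python
import math

# Under epsilon-differential privacy, any single person's data can change
# the probability of any outcome by at most a factor of e**epsilon.
epsilon = 0.1  # hypothetical lifetime budget
worst_case_odds_shift = math.exp(epsilon)
print(worst_case_odds_shift)  # ~1.105, i.e. roughly the "10%" disadvantage
```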

I think the bigger experiment going on here is the trial run of "we would like to take advantage of privacy tech, but we don't know how". I think there are a lot of people who might like to help you with that (not me), and I hope you have learned how to do it better.


This is ridiculous. I use and recommend Firefox for pure ideological reasons, because frankly, Chrome/Chromium is miles ahead of them.

If they start opt-out tracking using the same approach as Google I do not see any reason to use it nor install it for my friends and family. That's some data for you, Mozilla.


Your stance is paradoxical, because Chrome has been improved based on data mined from users, and not in as nearly a considerate way as Mozilla is proposing.

You want Firefox to succeed as a browser, but to be able to better compete it needs better usage data.

Wouldn't you prefer for Firefox to be the best browser available, AND also be considerate towards your privacy rights?


Company A does a bad thing which benefits them massively, allowing them to have a better product. Some people dislike that approach and flock to company B, which promises not to do the bad thing. Now company B starts doing the same thing 'for the greater good' but promises to 'keep it moderate'.

At this point why would anyone stay with the company B which broke its promise once, just in the hope that it won't break the promise again? It has already lost the trustworthiness and it also has the worse product. Might as well use products from company A.


This is specious reasoning. Company B is not doing "the same thing" at all. Company B is collecting data, but not only is it far more limited (e.g. collecting domains instead of URLs), it's done in a way that protects privacy. You can't just throw up your hands and say "well, they're collecting some data, therefore we may as well just throw away all privacy protections and use the browser by the company whose business model is based on collecting all the personal information they possibly can".

Privacy is not a boolean.


Opt-Out vs Opt-In is a question of consent. Do you value your own benefits more than my own right to determine my own life?

If yes (and that’s what you get when you choose opt-out), then we’re done. There is no gradual change there; it’s a binary question of whether you value the user or your own benefit more.


The world is not black & white. If Firefox starts collecting a small amount of data in a privacy-sensitive manner and makes it opt-out, that does not at all make it equivalent to e.g. Google collecting all the user data it can.


But it means they have an equal value system: Convenience being always more important than Privacy.

And that’s strictly incompatible with mine.


Except that's not true. Firefox collecting a small amount of data in a privacy-aware manner does not mean "convenience being always more important than privacy", not by a long shot. I don't understand why you're insisting on such an absolute black & white viewpoint.


Firefox being so arrogant as to presume I want it to collect data by default is very rude. You don’t just assume someone wants something and do it for them, especially if it might hurt them.

First ask, then fuck up. Is that concept so hard to understand?

If you’d do that IRL to someone they’d never talk to you again, it’s the same with Firefox if they do this.


Firefox collecting data in and of itself isn't at all rude, or problematic. Nobody cares if Mozilla has "data". What they care about is whether they collect data that violates the user's privacy. The whole point of RAPPOR and differential privacy is that it's an approach to collecting data that is supposed to preserve user privacy. So the real question is: does it preserve user privacy sufficiently that it's ok to make it opt-out instead of opt-in? But that's not what you're complaining about; you're just ranting because they're collecting data, period, without actually understanding the extent to which your privacy is being violated (if at all).

And of course this all started with you saying that you may as well switch to another company's products, a company which you know violates your privacy quite significantly. You still haven't explained why Firefox collecting a small amount of data in a way that tries to minimize any privacy violations means you should just give up any semblance of privacy and use a product that tries to collect as much personal information as possible.


First off, I’m a developer myself. A developer in the EU. In Germany. Working on open source. In fact, on open source with goals to preserve privacy.

I’ve dealt with these issues before myself.

And I understand well what they collect, how, and why. I understand how painful it is when you have no data on what is used and how, or not even crash reports.

But there also is a limit to how far you can go, and where consent is required.

And when transmitting anything, or collecting anything, consent is required.

You could make it dependent on situation. If a performance issue occurs, show a bar: "Is this website slow? Click [Here] to submit a report so it can be improved. [Details] [X] Always submit".

This gives the user a far better understanding of what is submitted and why it is needed; it is contextual, and it is still opt-in (but with far better conversion).


If Google does not respect my privacy, why is the proposed way to gather information based on Google's approach?

And if the way Mozilla gathers data is much more considerate, what results can I expect from it? Better parallel requests and data fetching, hardware acceleration, etc. are all features that are missing for me as a Linux user. They don't need my dataset for that; it's probably all in their bug tracker.


> Wouldn't you prefer for Firefox to be the best browser available, AND also be considerate towards your privacy rights?

I prefer absolute privacy over some minor advantages on irrelevant webpages.

How do you even think this system would work in restricted environments such as governments where even the presence of code that could collect data is an absolute no-go?


Your stance is paradoxical, because you already stated Chrome is willing to go farther to improve their browser.


How is Chrome miles ahead? Both seem to work just fine for me, neither being noticeably faster or better. I like a couple of minor Firefox features, so that's what I stick with.


Firefox -> Chrome is a sidegrade at best. Literally the only reason I use it is that I got fed up with weird little CSS quirks I couldn't replicate in IE or FF but that were very present in Chrome.


As you may have read in the feedback request, Mozilla is proposing to use differential privacy – differential privacy is very different from tracking.

For more information, see https://en.wikipedia.org/wiki/Differential_privacy for instance.


My point is not the way you label gathering information from your users but rather that it is about implementing something Google proposed.

If the mechanism works, fine, but why should I use Firefox over Chromium then? Opt-out data collection is in violation of my core beliefs and of what I believed to be Mozilla's principles.

Collecting data without asking the user about it is - to me - in violation of the very definition of privacy, and calling some way to anonymise data (who guarantees that the cryptographic approach to this won't be obsolete in a few years?) "differential privacy" is at the very least dishonest.


Existing telemetry in Firefox already works on an opt-out basis. This changes nothing.


Existing telemetry doesn't collect browsing data.


So, I read that, and already see two problems. One - DP provides privacy by deniability. How does that apply to URLs (or even just domains)? For a domain to show up, I have to have visited it (unless Firefox will report back random domains).

Two - DP is only really private over a small data set per individual. If DP were enabled for even two days, you could get a very accurate picture of the sites I visit, since a majority of the domains reported would necessarily be accurate values.


One: I'm pretty sure that the idea is to report back random (existing) domains, yes.

Two: That's an interesting question. You'd need to ask someone with more domain knowledge than me.


> I'm pretty sure that the idea is to report back random (existing) domains, yes.

Here's a concern that comes up from that implementation option: any outliers from the set of existing domains (which would likely simply be implemented as a list of strings) could immediately be called out as "True" values, while a single report of a domain could reliably be called out as a "False" value. Unless, of course, you choose a randomization algorithm which exhibits a very strong clustering trait.

You could also limit reports to those domains which are in the whitelist, but that would voluntarily neuter the reporting; something they seem less-than-eager to do.

Ultimately, it will all come down to the implementation details, which are unlikely to be available until after the opt-in release, and auditable by a remarkably small number of people in the open source community.


RAPPOR uses a Bloom filter. It doesn't report the domain itself; it reports (a corrupted version of) a handful of bits of a hash of the domain.
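For the curious, here's a toy Python sketch of that idea (the filter size, hash count, and noise level are made up for illustration, and the real RAPPOR encoder has additional stages, such as an instantaneous randomization layer on top of the permanent one):

```python
import hashlib
import random

BLOOM_BITS = 128   # filter size (illustrative; real deployments tune this)
NUM_HASHES = 2     # hash functions per value
F = 0.5            # probability of randomizing each bit (the privacy knob)

def bloom_bits(domain: str) -> set:
    """Map a domain to a few Bloom-filter bit positions via salted hashes."""
    return {
        int(hashlib.sha256(f"{i}:{domain}".encode()).hexdigest(), 16) % BLOOM_BITS
        for i in range(NUM_HASHES)
    }

def rappor_report(domain: str) -> list:
    """Permanent randomized response: each bit of the Bloom filter is kept
    with probability 1 - F, otherwise replaced by an independent coin flip.
    The server only ever sees these noisy bits, never the domain itself."""
    true_bits = bloom_bits(domain)
    report = []
    for pos in range(BLOOM_BITS):
        real_bit = 1 if pos in true_bits else 0
        if random.random() < F:
            report.append(random.randint(0, 1))  # noise: deniability for this bit
        else:
            report.append(real_bit)
    return report
```

Aggregated over many users, the server can statistically estimate how often each candidate domain's bit positions light up, while any single noisy report remains deniable.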


Good info, thanks!



The single largest advantage of Firefox over other browsers is that despite all odds and occasional missteps they managed to respect users' desire for complete privacy.

  For Firefox we want to better understand how people use our 
  product to improve their experience. 
Sure thing. But the fact that they are unhappy that some (many?) people are opting-out from the data collection is merely a sign that they don't want to understand why people are using Firefox in the first place. By opting out from the data collection people effectively tell them over and over again that they don't want for Mozilla "to understand how they use Firefox" or "to improve their experience", not at the expense of their privacy.

No phoning home. No telemetry, no data collection. No "light" version of the same, no "privacy-respecting" what-have-you. No means No. Nada. Zilch. Try and shovel any of that down people's throats and the idea of Firefox as a user's browser will die.


> No phoning home. No telemetry, no data collection. No "light" version of the same, no "privacy-respecting" what-have-you. No means No. Nada. Zilch. Try and shovel any of that down people's throats and the idea of Firefox as a user's browser will die.

https://github.com/mozilla/addons-frontend/issues/2785

And now this :-(

I have been using Firefox since before it was called that. I develop my apps in it, even though most of my colleagues switched to Chrome years ago. Even though it is (or was for a while) slower than Chrome for things like Canvas.

But I use it because I believe in Free Software. But Mozilla keeps disappointing. DRM, bundled 3rd-party apps, analytics, tracking... It is just so very sad. :-(

Also, I have 17 add-ons installed (11 active). At present, of these 17, only 2 will continue working after November when the switch to WebExtensions is enforced.

Where to go from here?


> DRM

Mozilla fought DRM until the very end and lost. If Firefox is to have any chance at remaining a mainstream browser it needs to support Netflix and the likes. You can't seriously blame them for this, because they are damned if they do and damned if they don't.

EME is implemented as unintrusively, securely and privately in Firefox as possible. No DRM is downloaded or run on your computer until you specifically consent to it, and the DRM components run in a sandbox.


> Mozilla fought DRM until the very end and lost. If Firefox is to have any chance at remaining a mainstream browser it needs to support Netflix and the likes. You can't seriously blame them for this, because they are damned if they do and damned if they don't.

Yes I can, and I will, because they sold out. They sold out their principles for the sake of market share. (And looking at their marked share, fat lot of good that did for them anyway.)


I'd suggest you research the topic of negative and positive liberty. I'm all for a free and open source experience, but what about the liberties of content creators? What about my right as a user to be offered content with the knowledge that I won't and don't want to know its inner workings, as long as it's passive, non-malicious code?


I will be happy to do so, once consumers and content creators (and specifically the companies they sell rights to) are on a level playing field in terms of legal protections and lobbying powers.


This isn't about the money or power you or I have. This is about the freedom to distribute content and the agreement between the user and the creator, while you're asking the browser to be the ideological arbiter of this transaction. If you're all for freedom, you should logically see that not including the DRM option inhibits both the user's and the creator's freedoms. A browser should be ideologically agnostic to my downloading of an executable or zip file that goes against freedom, privacy and all that we hold dear, and it should still be my right and freedom to download and view as I legally please. The Richard Stallman approach does have its limits.


I don't buy that argument, sorry. Because it requires something as anti-freedom as DRM to exist in the first place.


> Yes I can, and I will, because they sold out

Excuse me, but did you support Mozilla with time/money?

> They sold out their principles for the sake of market share.

12% is still better than 1%, and the thing that mostly changed the landscape was the fact that mobile Internet heavily disfavors Mozilla (e.g. Android ships with Chrome, iPhone with Safari), and Google has a heavy advantage when it comes to advertising and engineering.


> Excuse me, but did you support Mozilla with time/money?

Yes, I have done. Thank you for the snark.


That's different. Netflix is optional. The AdSense and the telemetry discussed aren't.


Also, Firefox has been adding things like Pocket while removing simple options that have been part of Firefox since the beginning (like the option to disable JavaScript), claiming they should be part of an add-on, and they are also adding privacy-invasive options like "Block dangerous and deceptive content"... Firefox is still my favorite, but that can always change...


Even worse, in that discussion, it appears that there's a backdoor built into Firefox so that WebExtension-based ad blockers can't block Google Analytics. Only old-style add-ons can block it.

"It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally."[1]

[1] https://github.com/mozilla/addons-frontend/issues/2785


This is a specific issue with that preference page. You can easily observe that the WebExtension version of uBlock does block Google Analytics, just not on the about:add-ons page.

There are probably security reasons why add-ons can't modify about:add-ons. Imagine an add-on that could hide itself by modifying that page.

Please don't spread FUD.


I'm not really sure what your concern is here. Let's assume for a moment that Firefox's implementation of differential privacy in this scenario is completely correct, and that as a result it's completely impossible (even in an information-theoretic sense) to learn anything about any individual user using this data; only about many users in aggregate.

In this scenario, how exactly would Firefox's actions here compromise anyone's privacy?


Why are they not letting people decide? If it is not harming anyone's privacy, and they make it clear that it isn't, then what is the problem with letting people opt-in to it?

Instead, it's telling that they are choosing to force people to opt-out. They know that their users don't want this, but don't care.


Opt-in inevitably results in data being heavily biased in favor of the small minority of users who go out of their way to opt-in. For some stuff that's fine, but for certain types of data you really do need a broad, unbiased sample of users in order for the data to be at all meaningful. (Usually to answer questions like "What percentage of users use x feature?" Or "What level of jank does the average user experience on facebook.com?")

They still _are_ planning to let people decide for themselves whether to participate (via opt-out), they're just using a default that's more likely to result in unbiased sample data.

Again though, what's your actual concern? Provided this feature doesn't compromise anyone's privacy even _if_ it's enabled, what's wrong with having it be opt-out?


I have no way of knowing how this may or may not compromise my privacy without a deep understanding of the techniques being used. I am meant to trust Mozilla and hope that they haven't overlooked some weakness in the algorithms used. The obvious security choice is to not add this feature at all. The premise "provided this feature doesn't compromise anyone's privacy" is a fantasy, because no one can be sure of that.


But that's true of _any_ new feature that gets added to Firefox. Anytime you change code, there's a chance you could be creating a new vulnerability that compromises users' privacy or security in some way.

If, as some commenters here [have suggested][1], this telemetry would help improve Firefox by significantly reducing the amount of time it takes Mozilla to fix bugs and performance issues in the browser, what makes you think that's not worth the risk when other features (such as the performance fixes themselves) are?

[1]: https://news.ycombinator.com/item?id=15072157


It's obviously far, far more likely in code that is designed to send my browsing habits to a third party (in whatever encoding). Do you not see this, or are you just trying to extend these arguments to some ridiculous extreme for the sake of it?


I don't know what level of risk this implementation carries with it. Probably more than a performance fix to the JavaScript interpreter, yes, but is it really a significant enough risk to make this feature not worth implementing? Maybe it is, maybe it isn't; I honestly don't know.

You just seemed to be arguing that _any_ amount of risk would be too much, which in my view is ridiculous since, as I said, all new features carry with them some amount of risk.


> You just seemed to be arguing that _any_ amount of risk would be too much

Unfortunately that's exactly the kind of thing I was talking about, extending arguments to ridiculous extremes.

I have never said any amount of risk would be too much. In this particular instance, I think the risk and the unknowns are clearly too much.


> In this particular instance, I think the risk and the unknowns are clearly too much.

But why? I don't claim to know enough about RAPPOR to say for sure that the risk _is_ worth it, but it seems a little presumptuous to claim it isn't without knowing _anything_ about the project or Mozilla's proposed use of it.

That's why I assumed you were arguing that _any_ amount of risk would be too much; you didn't include any sort of analysis of the risk/reward in your previous comments, and without knowing the risk the only way to conclude this feature is definitely _not_ worth it would be if you already considered the acceptable level of risk to be zero.


Well, the alternative is not a Firefox without telemetry, it's Chrome. If Firefox can't do what it needs to do to stay relevant it's going to die. Developers are already treating Firefox as a second class browser, so this is not an abstract threat.


If I want a browser with telemetry, I can just as well use Chrome.

It’s Firefox without telemetry, or no Firefox at all.


Software was built for decades without this data and can continue to be built without this data for decades to come.


> Provided this feature doesn't compromise anyone's privacy even _if_ it's enabled, what's wrong with having it be opt-out?

The only anonymous data is data that is never collected. If they collect data, it is a violation of privacy.


Why?


Because opt-in data is inherently biased and is a terrible indicator for common user behaviour.


It would, however, be useful data for the common user behaviour of people who opt in to tracking.

This doesn't really seem unreasonable to me. Obviously part of the inherent cost of not wanting to be tracked is going to be not having your raw user data included in evaluations of what people want.


Differential privacy does not ensure complete information theoretic security as you say. There is a parameter ε that determines the amount of privacy, and in this case you do not get to set it, somebody else does.


Interesting point. Admittedly, my understanding of differential privacy is very rudimentary, but isn't that only a risk under the assumption that you can ask the same user the same question multiple times, and get a new, independently chosen answer every time? If you can only ask each question once and every subsequent time you ask you just get the same answer, is that not secure in the information theoretic sense? Perhaps there's some other factor I'm missing?

> in this case you do not get to set it

Nothing's been decided yet. If this is something you want to advocate for, maybe consider suggesting that in the thread linked in the OP?


You are perhaps speaking of Google's RAPPOR protocol specifically, in which answers are sent through a series of BSC-like channels. These channels introduce noise, meaning the input signal is degraded, but by no means is it gone -- otherwise no statistics could be collected. Multiple independent reads would be an obvious attack (actually a form of repetition coding), but there are many other coding strategies against noisy channels -- there is an entire field dedicated to that task alone. To contrast, encrypting with a one-time pad is information-theoretically secure.
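The repetition attack is easy to demonstrate with a toy randomized-response scheme (this is not the real RAPPOR encoding; RAPPOR's "permanent" randomized response memoizes one noisy answer per value precisely so that repeated reads cannot be averaged out like this):

```python
import random

def noisy_report(true_bit: int, f: float = 0.5) -> int:
    """Randomized response: with probability f, answer with a fair coin flip."""
    return random.randint(0, 1) if random.random() < f else true_bit

random.seed(0)  # for reproducibility
true_bit = 1

# A single report is plausibly deniable: a 1 might just be noise.
single = noisy_report(true_bit)

# But if the client re-randomizes on every request, averaging many reports
# recovers the true bit: for f = 0.5 the mean tends to 0.75 when the bit
# is 1, and to 0.25 when it is 0.
reports = [noisy_report(true_bit) for _ in range(10_000)]
recovered = 1 if sum(reports) / len(reports) > 0.5 else 0
print(recovered)  # 1 -- the noise averages out
```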

Attacks aside, the point is really that in this age of statistical machine learning we should be vigilant against even this sort of data collection. A leak is a leak. Ideally people can opt into providing just enough information for the statistics they want to participate in and no more; realistically, more is always collected.


Ah, fair point. I guess it's incorrect to say it's impossible to learn _anything_ about a user as an individual using data generated using differential privacy. Just that what you do learn is more of a small statistical possibility than a sure thing. (E.g. "The user visited this site." vs "There is a 5% higher than average chance the user visited this site.") And that's even assuming you already know who "the user" is (which certainly isn't a given).


That is a massively unwarranted assumption, and the burden to show things are otherwise is on the party that wishes to push these changes.


Fair point. What would you accept as sufficient proof that their implementation is correct?

If your answer is "nothing" then I think you're being unreasonable. Firefox risks compromising security/privacy with _every_ new feature they implement, not just this one, and it's clear from [other comments][1] in this thread that this feature is just as important for the overall functionality of Firefox as any other feature would be.

[1]: https://news.ycombinator.com/item?id=15072157


> I'm not really sure what your concern is here.

You must be kidding me.


> Currently we can collect this data when the user opts in, but we don't have a way to collect unbiased data, without explicit consent (opt-out).

That to me suggests the problem isn't that too many people are opting-out, it's that not enough people are opting-in.


It's not even that not enough people are opting in, it's that the people opting in are "people that would opt-in", i.e. they match a certain profile that makes them not representative of the average user, and thus less good sources to draw conclusions from. Because presumably, the users who opt-in are tech-savvy users who actually read dialog windows presented to them, and thus behave very differently from the average user.


Clearly those users that don't choose to opt in are wrong, and Mozilla needs to make this choice for them...

This trend towards paternalism in software, especially software that is supposed to be user driven, is frankly a steaming pile of garbage.

If you have any shred of a pretense of being pro-privacy and pro-user, don't do this, Mozilla.


It's more that a lot of people really don't care one way or another, and will neither go out of their way to opt-in or opt-out.

Additionally, it's not that Mozilla just disregards user privacy here: differential privacy being used would mean that no user has to reveal their private information, but looking at all the data in aggregate would still allow Mozilla to gain useful information on how to make Firefox better.


So, let me see if I can follow your argument.

Because most people don't care, it was decided to implement a feature that is flat out contrary to people caring.

Management decisions like this don't exactly inspire confidence about the future of the browser.


The people that don't care one way or another are mostly using Chrome.


> What we plan to do now is run an opt-out SHIELD study [6] to validate our implementation of RAPPOR.

IMHO, this is a bad idea. Many people I know already use Firefox because they're wary of giving Google (Chrome) all their data.

Firefox should make this feature opt-in only.


This might finally prompt me to start compiling Firefox for all my devices, or at least evaluate some of the high profile forks.

It's not just about the data, it's about the lack of consent. If you just ask people for permission on the initial startup, I'm sure most people will be fine with enabling it. Last time I installed Firefox, it just showed a tiny bar at the bottom of the window, which is pretty easy to miss. I'd expect fewer dark patterns from Mozilla, that's the kind of shady behavior you see coming from Microsoft. I always try my best to disable or block anything which phones home without explicitly asking for consent.

Tunnelblick [0] is a good example of this being done well. On the initial run they ask if you want to enable automatic updates. It includes the option to disable sending anonymous system information, as well as including a disclosure widget with a brief explanation and a table showing the information that would be sent. [1]

[0] https://www.tunnelblick.net

[1] http://i.imgur.com/tWQX5aB.png


> Firefox should make this feature opt-in only.

I agree, but note that they are explicitly trying to get more info than they can from the small, biased sample that is users opting in.


Then they should fix that by politely asking in the GUI whether you are willing to share, and also explain how to disable it easily.

Just starting to collect your browsing data is a bad idea (tm) especially if your main claim is "more privacy".


> they are explicitly trying to get more info than they can from the small, biased sample that is users opting in.

Maybe because most people using Firefox use it precisely because they don't want the browser vendor to track their behaviour?

I wonder how the Torbrowser folks will deal with this.


They claim it's biased, but is it really? How do they know? I think this is just making up excuses so they can collect more data.

They get good enough data from the people who have volunteered it. I don't know what makes them think it's biased, but I seriously doubt that it is.


Because, usually, the kind of people who'd opt in are techies/power users, or work (volunteer or paid) for Mozilla themselves. Let's say only 1% of your userbase opts in to this; how is that not biased? (As it currently stands, I believe this is a further opt-in in a tucked-away menu.)


Then they should make the possibility to opt-in more prominent, instead of switching to opt-out with the option tucked away in some menu where only techies/power users will disable it.


The Mozilla user base is already biased. Plus, they can run experimental test fixtures to canvass sites. This sounds like a solution looking for a problem.


>They claim it's biased, but is it really? How do they know? I think this is just making up excuses so they can collect more data.

Informed, constructive opinion there.

One clear sign of the bias is that the crash rate of the browser goes up massively every time a new version transforms from beta to release. Clearly, it's not renaming that string that makes the browser crash. The populations are just fundamentally different.

To give an obvious example, beta users are overwhelmingly more likely to have up-to-date video drivers. (Which can be seen in crash reports, but is also very logical.)


Absolutely. If this is helping users, it should be easy to convince them to turn it on.


That's not how it works. Most users don't care and will simply use whatever the default is; and when it comes to anonymous usage statistics, "most users" is _exactly_ the group of people you want to be collecting them from; otherwise your results will be skewed heavily in favor of a small minority of power users.


I always have a problem with this argument.

Most users do not care because they do not understand the true ramifications of their not caring. It is not like they looked at all the data and then made an informed choice to share everything.

FF should be at the heart of caring for users' privacy EVEN IF THEY THEMSELVES DO NOT.

The average person does not understand technology, how much data they are leaking about themselves, or how this data can be used against their interests.

Taking advantage of that ignorance for any type of gain is unethical, IMO. Most companies willfully exploit this collective ignorance; Mozilla should be better than most companies.


Why would optimising for the power users be wrong, though? In most cases, if it's good enough for the power users, who tend to break things more often than regular people, it is perfect for the regular users.

Quite the opposite: if they focus too much on regular users, they might get too much noise and never notice issues in the more complex features that only power users tend to use.

You want the heavy users of your product sending in reports, not the average Joe, because he is less likely to even notice an issue.

Higher-level features are less likely to be covered by tests and more likely to break just because of their complexity, but you won't have many average people using them.


Because there are far fewer power users than normal users, and browsers that only cater to power users are useless because they end up not working on any websites. That's webcompat for you.

Former Opera people can tell a few stories there.


Precisely. Most people don't have an explicit preference. And collecting data on every possible human would give better results -- useful even if they don't plan on justifying running any specific test. We should probably use our expertise in computer networks to create universal, unjustified surveillance. As long as there is an opt-out option (hopefully we can use a complex tracking method so people don't understand the implications of not opting out -- oh, wait, RAPPOR already does that! Mozilla really stepped up their game here).

[EDIT: Firefox branding used to use the word privacy a lot. I can't find it on their website much at all anymore.]


When I browse to firefox.com I get [1] which has this text:

  More privacy
   
  Firefox doesn’t sell access to your personal information  
  like other companies. From privacy tools to tracking 
  protection, you’re in charge of who sees what.
  Here’s how Firefox protects your privacy
So yes they still advertise with that as one of the major features.

[1] https://www.mozilla.org/en-US/firefox/?utm_medium=referral&u...


Indeed, I didn't find the subpage until later. I also like how it isn't that you _have privacy_, but _more privacy_, because access isn't being sold like other companies sell it. Someone must have noticed that they should only make promises they'll keep and toned down the language.

For instance, from the same page 8 years ago: "we have experts around the globe working around the clock to keep you (and your personal information) safe."

https://web.archive.org/web/20090827204813/http://www.mozill...

Or this quote from the equivalent site 6 years ago:

"And, as a non-profit organization, protecting your privacy by keeping you in control over your personal information is a key part of our mission."

https://web.archive.org/web/20110902025003/http://www.mozill...


> Most users don't care and will simply use whatever the default is

These users will be installing Chrome, not Firefox.


I hope not. If that's true, then Firefox is in serious trouble. There aren't nearly enough power users and privacy enthusiasts around to make Firefox a significant player in the browser market all on their own.


Why not?

The switch barrier is nonexistent. Most of the replies in this thread are ideological. Nobody is arguing CSS rendering speed comparisons and such.

People use Firefox because they like it.

People are irrational but like is huge. Toyota over Hyundai. Vacations at the sea instead of skiing. Firefox over Chrome.

The like is a habit, but if all things are equal and free, a very flexible one.


That’s exactly why Firefox is at around 5% global market share. Only the power users are left.

And this move will also drive them away.
