Firefox is on a slippery slope (drewdevault.com)
2023 points by Sir_Cmpwn 71 days ago | 874 comments



Most of us are on flights today, hence the slow response, but I want to clarify two things:

1. The study is not "still active and ongoing." It was pulled yesterday after the backlash, though that may take up to 24 hours to propagate: https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...

2. Even when "enabled" in the add-on manager, the add-on was completely inert unless a user also manually dove into about:config and specifically enabled a flag related to the add-on. Without taking that deliberate action, it didn't do anything but watch that flag. No headers, no word inversions, etc.

If you'd like to verify my claims, the source lives at https://github.com/mozilla/addon-wr, and initialization is controlled by addon/bootstrap.js.

This doesn't excuse our actions, but I hope it adds some context.


i have a question: why do any of this?

yahoo and google pay hundreds of millions, is this not sufficient? have any of these gimmicks actually helped gain users? it's likely that only Quantum - a purely technical improvement (plus marketing dollars) - made any dent in your user share. it's almost like mozilla keeps expanding into all the shady corners to use up its budget so it can have a bigger budget next year.

many users use firefox for ideological reasons, even when Chrome is/was technically superior. and these reasons are disintegrating at a ludicrous speed. you are throwing away the very users that helped you grow. we are telling you this here, directly and in plain language. much of the same group uses firefox because they can make it work exactly how they want with exactly 0 surprises. some of this died with the web extension addon transition, but it's at least justifiable from a technical & security perspective.

every time you force-feed what should be a visible and removable extension, i have less and less control over my browser and less incentive to use or recommend it. it's heartbreaking, really. whoever is pushing forward on all this farcical marketing spin and bundling stunts needs to be shown the door, asap. call ads "ads", not "experience enhancements". it is not okay. you guys need to stop this before you lose your most dedicated users that have stuck with you through thick and thin. having been on firefox/nightly for over 10 years, deploying firefox on thousands of PCs, reporting many bugs, and making donations to mozilla, i am this close to saying "fuck it" and taking my friends, relatives and coworkers with me. i'm gonna be one user that costs you 2000 more.

please get this to whoever needs to hear it [and gives enough fucks to actually do something].


The core idea (deploy an easter egg via an add-on) seems pretty reasonable. Looking Glass is a really cool idea for users who want it.

But pushing it out broadly, even in an inert state, was not good.

I can assure you that there's an active internal discussion to that effect. I'm hopeful that we'll learn from this.


>The core idea (deploy an easter egg via an add-on) seems pretty reasonable

I don't understand why you believe that, especially when it's not an "easter egg" but actually an ad.

When's the last time I upgraded my linux kernel and it came bundled with an "easter egg" kmod, loaded by default, which made lightsaber noises if I wrote 1 to /sys/class/ad/starwars/enabled? Would you think that's appropriate?

You're developing a web browser, a critical piece of software. Almost an OS within an OS these days. You got rid of "cookies are delicious delicacies"[1] (an actual easter egg) because you deemed that the joke wasn't worth obfuscating an important piece of information. 15 years later you're adding stealthy extensions that look like backdoors. What changed?

I can assure you, people who want novelty extensions know where to find them.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=213186


My impression (without any internal knowledge on the subject) is that this was intended as a way to promote Firefox to Mr Robot viewers. A lot of people in this thread seem to have this backwards, IIUC - it's not an ad for Mr Robot, it's the onboarding experience of an ad for Firefox that ran in Mr Robot.

The folks behind this presumably wanted this experience to be seamless, and were also trying to keep it under wraps to preserve the surprise factor. This meant that they bypassed the usual processes by which Firefox engineers would have had the opportunity to (a) raise concerns about the deployment approach, and (b) suggest other mechanisms that would have achieved the desired experience while keeping deployment appropriately scoped.

It's really heartbreaking that it ended up this way. The marketing team was trying to think outside the box to bring new users to Firefox, which is crucial if Quantum is to succeed. Surprises and stealth are the bread and butter of marketing, but they didn't think through the dangers of applying those things to engineering. Moreover, the very nature of surprise and stealth meant that they missed the chance for internal feedback before it went live.

A lot of us inside Mozilla are hurting right now. We poured our lives into Quantum for two years for the long-shot dream of giving Firefox a fresh start and saving the web from monopoly. It's frustrating to feel that all our hard-earned goodwill might be squandered by a few people and a botched marketing stunt. But the people behind that stunt were only trying to help, and I'm sure they feel especially terrible right now too.

Mozilla will learn from this. But the mistakes here are probably less sinister than they may appear, and it would be sad if they caused our most closely-aligned users to switch to Chrome.


Thanks for the balanced view of what probably happened here. The question I'm left with is: why can the marketing team deploy SHIELD Studies without engineering oversight? This seems like a policy 101 thing, and has me worried enough to untick the preference until this is (hopefully) addressed by a future statement.


I'd say that this procedural fail makes it impossible to recommend Firefox at present.


So what would you recommend for non-technical users? Does this put Firefox behind Chrome in your opinion?


I guess it has to be chromium. Unsatisfactory situation.


the problem is that this is recurring and the apologies are now mostly meaningless. action, not words, are needed.

i would have been happy to write this one off, but the ship has all but sailed. the ice is so thin that you guys are one PR disaster away from a mass exodus of people who trust you.

if mozilla learned anything from the Pocket disaster, it would have immediately made it a removable addon and genuinely apologized. instead, there it is in my toolbar on nightly. i know you guys bought them, but that's a solution that only addresses the privacy aspect - you went from nonremovable Pocket to nonremovable Mozilla/Pocket.

every misstep that has happened with "enhancing the user experience" is an affront to the brilliant engineering you guys are doing. you're literally shedding user-engineers - not unlike yourselves - over these user choice, bundling/marketing double-speak, viralgrab and privacy fiascos.

i'm reasonable. i understood the DRM situation. the content providers make the rules and the consumers make the choices based on where they can consume the content. many people went apeshit with ideology. but mozilla is in full control of everything that is going on right now.

> This meant that they bypassed the usual processes by which Firefox engineers would have had the opportunity to (a) raise concerns about the deployment approach, and (b) suggest other mechanisms that would have achieved the desired experience while keeping deployment appropriately scoped.

i don't know what's worse, that users don't know what's going on, or that the engineers don't. here's an apt description for this: rgba(0,0,0,1)

rather than being delighted to discover features i didn't know were in there, i'm now horrified to discover them. i'm becoming mozilla's unwitting social testing platform and this is unacceptable. it is not what i signed up for with firefox 1.5. there's a reason that Tor's browser is firefox; i think this reason is ripe for re-evaluation.

mozilla is long overdue for automated regression tests of their core values.

plz don't take this comment personally. i have huge respect for the work you do. it's a shame the engineers are not in control of their destiny; they rarely are.


"Mozilla will learn from this" When, at 0.1% user share? Did you look at the browser usage graph recently? This is a pure CFIT action, and I doubt that the browser still has altitude to recover - especially as Mozilla has repeatedly shown that learning from such incidents does not, in fact, happen. A single incident, back when FF had ~50% of the eyeballs, could have been acceptable^Wexcusable; in current situation, this seems like deliberate sabotage when seen from outside.

https://en.wikipedia.org/wiki/Controlled_flight_into_terrain


I got a sinking feeling reading this comment and realizing how easily I could imagine myself in this situation (especially as a Mr. Robot fan). While I do agree that transparency and user control are Firefox's most vital components as an alternative to non-free browsers and any failures there are very concerning, I'm also extremely impressed with the Moz foundation in general and the quality of the quantum updates in particular. I don't think this incident alone is enough to irreversibly tarnish Mozilla's reputation, but it's good to know the issue is being taken seriously internally.


Same. I've deployed some dumb stuff in my time, and when it hits the fan, that sinking feeling is just the worst.


Thanks for your hard work. I'm onboard since that 0.4 Phoenix version. Left you for Chrome for some time... now back to Firefox thanks to Quantum project. You should learn from these kinds of mistakes, but I won't leave Firefox, nor stop recommending it instead of Chrome or Edge.


Thank you (and pault) for the kind word and understanding!


"But the people behind that stunt were only trying to help, and I'm sure they feel especially terrible right now too."

Are those responsible for this stunt still employed at mozilla? If so, you can say goodbye to trust of most of the technically aware world. I cannot recommend Firefox while idiotic stunts like this are institutionally viable - have you got the message?


It seems like you are saying: If anyone in an organisation does something stupid which makes a bad impact outside the organisation, then they must be punished by losing their job.

I humbly suggest that your message might be a little harsh and unforgiving. Is there anything I can say which will change your mind? Kindness has a place in the world. Please help me preserve it.


Nice explanation. I appreciate that. But it's too late to lock the stable door because the horse had bolted. Sorry guys.


Marketing... Look. Have everyone at job interviews create their own gpg key and send an encrypted and signed email to you. When they manage: welcome to Mozilla. You can't have some coked up marketing maniacs sitting making decisions like that.


The core problem is not Mr Robot but that Firefox contains a function to add and remove addons without even leaving the slightest notification.

This scares me and many others quite a lot.

Thanks for listening.


> ... it's not an ad for Mr Robot, it's the onboarding experience of an ad for Firefox that ran in Mr Robot.

That doesn't make any sense--if it's an ad for Firefox, why is it in Firefox, which is presumably already being used by the target audience? It should be in some other site or software set up by the Mr Robot production company which directed people to Firefox, no?


I'm not privy to the details, nor have I ever seen Mr Robot. That said, I believe there were hints in the show about using Firefox to solve some mystery. The idea was that users would then go open Firefox (which may have been sitting unused on their machine for years), and then discover that Firefox and Mr Robot were in cahoots. The viewers would presumably find this cool and exciting, but everyone else demonstrably found it creepy.

If I understand correctly, at some point when following the breadcrumbs the user is given the opportunity to opt in to the game. I think everyone now agrees that this opt-in step should have triggered the download and installation of the add-on, rather than the activation of a dormant add-on that was deployed to every single Firefox user.


If Firefox had been sitting unused on their machine for even a few months, they would quickly discover that it was outdated and would have to start a cycle of updating and restarting to get to Quantum (I assume this extension won't work on earlier versions). This would presumably quickly put off most users.


> I can assure you, people who want novelty extensions know where to find them.

I think you agree:

> But pushing it out broadly, even in an inert state, was not good.


> The core idea (deploy an easter egg via an add-on) seems pretty reasonable. Looking Glass is a really cool idea for users who want it.

But who actually wants it? Who wants a fundamental part of their daily work suddenly manipulated by somebody else at a whim?

What if Ford decided it would force-push add a cool "Star Wars" tie in to its cars (no pun intended on "force push")? That's a mission-critical part of my life, I drive my kids in it. Don't mess with my car over-the-air without telling me, I don't care if it's all fun and games to you, to me it's my life.

Same for my browser. It's not a toy I use for fun. It's how I see my medical records, pay bills, transport extremely sensitive and confidential information... I don't want anyone to suddenly push "cool fun easter eggs" to it, under any circumstance.


> What if Ford decided it would force-push add a cool "Star Wars" tie in to its cars (no pun intended on "force push")?

FWIW, Tesla includes easter eggs in its cars. You need to go out of your way to use them, and they're pretty much hidden unless you go looking for them, and they keep adding more via OTA updates.

If your question is "Who are easter eggs made for?" then the answer is "the people that care to go looking for them." The difference between a Tesla easter egg (which are almost entirely regarded as delightful) and this easter egg is that this easter egg was poorly executed.

A Tesla easter egg is silly and whimsical. This easter egg parodied something that's potentially threatening. And hell, Firefox has had easter eggs since its first release; go visit `about:mozilla` in your address bar. Saying easter eggs are bad outright is silly, but they should be done in a way that isn't concerning to users.


> The difference between a Tesla easter egg (which are almost entirely regarded as delightful) and this easter egg is that this easter egg was poorly executed.

I don't own a Tesla but I assume a key difference is that the easter eggs exist solely to delight the user whereas this was more of a partnership designed to make Mozilla money.


Per my comment above, there's a misunderstanding here. The goal was to delight Mr Robot viewers and turn them into Firefox users. This was about marketing, not revenue, and I believe no money changed hands.


"delight" viewers?

Hah, good one.


Using the rhetoric of the parent, in case that wasn't clear.


> Tesla includes easter eggs in its cars.

Thanks for that warning. I was considering buying one, but now I'm certain that I won't.


Yeah, old chocolate under the seats is awful, I don't like it either.


Um, the parent addressed your comment's point already, and said "But pushing it out broadly, even in an inert state, was not good.". The comment said that addons are a good way of making this work; but disagrees with the mode of deployment (just flat out installing it everywhere, as opposed to a more conditional approach)

See also: https://news.ycombinator.com/item?id=15942722


Callahad agrees with you that "force pushing" the add-on was a terrible, terrible idea.

In the part you quoted they were just pointing out that an optional extension is the correct place to implement this sort of thing. I am sure that if they had just posted this as a separate extension from day one then the target audience of Mr Robot fans would have had fun with the ARG and everyone else would be totally unaffected.


> Callahad agrees with you that "force pushing" the add-on was a terrible, terrible idea.

Those aren't Callahad's words. Here I quote him exactly:

"Looking Glass is a really cool idea for users who want it. But pushing it out broadly, even in an inert state, was not good."

Note, not even "bad." Just "not good." And far from "terrible, terrible."


This is really... well, I don't know. You're not comedians. You make the reliable, trustable browser. That's why people use Firefox. And you're spending that capital very generously. Firefox's privacy defaults are not that of a privacy-focused browser. Things like Hello or Pocket are not what people expect from you. Get your things together because there's nobody to push FF via default installs like Chrome, Safari or IE. If you alienate people, they have some nice options at present too.


let's not pretend this is some isolated incident. see: rest of this thread and many threads before it.

EDIT:

> The core idea (deploy an easter egg via an add-on) seems pretty reasonable.

no, no it doesn't. especially not when done silently, without confirmation and modifies headers and content on pages i visit.

in what alternate universe is this "reasonable"?

"reasonable" would be to push it to a tile on the new tab page.

EDIT 2: Mr Robot is the exact type of sensationalized shit i want to keep out of my tools.


I won't dispute that history; just trying to add context to this one and agree that it's disappointing.

As to your edit, I absolutely agree. That's what I meant when I said pushing the add-on was not good. I was only suggesting that an add-on is a reasonable place to implement an easter egg, since it's separate from the core browser code. Distributing that add-on is a different matter, and I personally disagree with what happened there.


> I was only suggesting that an add-on is a reasonable place to implement an easter egg, since it's separate from the core browser code.

It was not a common add-on but an ad disguised as a "study." The question is still: why?

Why did that marketing team need that treatment instead of giving to the interested users a link to the normal add on? What was the actually planned scenario? Was it planned that that "study" (the studies are apparently officially "a way of making more informed product decisions based on actual user needs") uses some functionality not available to the normal add-ons? Was it that the normal add-ons wouldn't have access to the API that the "study" would use but that is forbidden to the normal add-ons since v57?


Indeed, that was not a normal extension:

"The addon is actually deployed as an embedded WebExtension, which is subtly different. It has a 40-line legacy XUL/XPCOM bootstrapper controlling whether the WebExtension part of it runs. The legacy code actually could upload your hard drive and isn't bound by any of the WebExtension restrictions. We know it doesn't do anything harmful, but it could have done so.

The WebExtension itself also has <all_urls> and webRequest permissions, granting it the ability to sniff the content and headers of every page."

(Source: https://www.reddit.com/r/talesfromtechsupport/comments/7k7wu... )

The question is still: what was the goal?
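As an added example (not part of the thread and not Mozilla's code): the comment above singles out `<all_urls>` together with `webRequest` as what gives the WebExtension visibility into every page. The JavaScript below audits manifests for that combination; the sample manifests and the function names are constructed for illustration.

```javascript
// Added example: flag WebExtension manifests whose declared permissions
// give them reach over every page. All manifests below are constructed
// samples; none is the Looking Glass manifest.

// Match patterns that cover every site for at least one scheme.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// API permissions that expose request and response headers to the extension.
const REQUEST_APIS = new Set(['webRequest', 'webRequestBlocking']);

// Tolerate malformed manifests: anything that is not an array of strings is ignored.
function strings(value) {
  return Array.isArray(value) ? value.filter((v) => typeof v === 'string') : [];
}

function auditManifest(manifest) {
  // Manifest V2 mixes API and host permissions in "permissions";
  // Manifest V3 moves host patterns to "host_permissions".
  const declared = [...strings(manifest.permissions), ...strings(manifest.host_permissions)];
  const broadHosts = [...new Set(declared.filter((p) => BROAD_HOSTS.has(p)))];
  const requestApis = [...new Set(declared.filter((p) => REQUEST_APIS.has(p)))];

  // Content scripts matched against every site can read page content
  // even without an entry in "permissions".
  const scripts = Array.isArray(manifest.content_scripts) ? manifest.content_scripts : [];
  const injectsEverywhere = scripts.some(
    (cs) => Boolean(cs) && strings(cs.matches).some((m) => BROAD_HOSTS.has(m))
  );

  // high: request interception on all sites; medium: page access on all sites.
  let risk = 'low';
  if (broadHosts.length > 0 && requestApis.length > 0) risk = 'high';
  else if (broadHosts.length > 0 || injectsEverywhere) risk = 'medium';

  return {
    name: typeof manifest.name === 'string' ? manifest.name : '(unnamed)',
    broadHosts,
    requestApis,
    injectsEverywhere,
    risk,
  };
}

// Return only the findings worth a reviewer's attention, most severe first.
function flagged(manifests) {
  const order = { high: 0, medium: 1 };
  return manifests
    .map(auditManifest)
    .filter((r) => r.risk !== 'low')
    .sort((a, b) => order[a.risk] - order[b.risk]);
}

// Constructed sample input.
const SAMPLE_MANIFESTS = [
  {
    name: 'constructed-study-addon',
    permissions: ['<all_urls>', 'webRequest', 'webRequestBlocking', 'storage'],
  },
  {
    name: 'constructed-reader-helper',
    permissions: ['storage'],
    content_scripts: [{ matches: ['*://*/*'], js: ['reader.js'] }],
  },
  {
    // webRequest is present but scoped to a single origin.
    name: 'constructed-single-site-tool',
    permissions: ['webRequest', 'https://example.org/*'],
  },
  {
    // Malformed on purpose: "permissions" is not an array.
    name: 'constructed-malformed',
    permissions: 'all',
  },
];

for (const finding of flagged(SAMPLE_MANIFESTS)) {
  console.log(
    `${finding.risk.toUpperCase()} ${finding.name}: ` +
      `hosts=[${finding.broadHosts.join(', ')}] ` +
      `apis=[${finding.requestApis.join(', ')}] ` +
      `contentScriptsEverywhere=${finding.injectsEverywhere}`
  );
}
```

The audit only covers what the manifest declares; it says nothing about a legacy bootstrapper like the one the quoted comment describes, which is not bound by WebExtension permissions at all.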


I would also take issue with calling it an easter egg. It wasn't an easter egg. It was an advertisement. That they silently installed on people's computers without their notification or knowledge.

That's not okay.


Honest question:

Pretty much every site on the internet does that.

Why are we spending 500 replies and all this developer time on an issue that if done by, say google on their home page, would be considered at best a fun little doodle at worst business as usual?


Firefox isn't a website. This is contrary to user expectation.

There is some degree of deceit present here which bothers me. They pushed out this advertisement through user studies, a feature that ostensibly exists and is designed to improve Firefox. I take issue with it instead serving as a backdoor to silently install an advertisement.

If I personally saw this in my add-on page without any knowledge of what it was, I would be alarmed. My first thought would be that my computer had been somehow compromised.

I'm also slightly sympathetic to the idea that these user studies / telemetry can be used to improve FF. By abusing the feature, they encourage people to disable it, which harms Firefox if you take the position that the data gained by telemetry is useful. I certainly no longer have it turned on.

I've seen people link to anecdotes about the user study feature being reenabled after an update was downloaded. All I'll say here is that this is not cool if true.

And really, at the end of the day, why should I put up with any form of advertisements in my actual browser software? Good alternatives exist that don't have advertisements. Advertisements embedded in the product is a huge part of the reason why I switched away from Windows 10 to Linux.

To me, it's a worrying trend between this, Cliqz, the initial integration of pocket, and the advertisements on the default new tab page.

I'm not particularly sympathetic to the idea that Mozilla needs to pull these kind of anti-user stunts in order to function. We're talking about a foundation that saw revenue of 421 million US Dollars in 2015 and 520 million in 2016.[0]

[0] - https://www.ghacks.net/2017/12/02/mozillas-revenue-increased...


>> My first thought would be that my computer had been somehow compromised.

... your computer was compromised.

I think we should all expect a full accounting from Mozilla on their actions and what data and information was acquired by them or a 3rd party as a result of the 'study' as well as what steps they will take to prevent this from happening again (now that they have a proof of concept (MVP?) surely another 3rd party can plant their own easter eggs in the future).


>I'm also slightly sympathetic to the idea that these user studies / telemetry can be used to improve FF. By abusing the feature, they encourage people to disable it, which harms Firefox if you take the position that the data gained by telemetry is useful. I certainly no longer have it turned on.

Count me in here... I was opposed to this feature and commented about making it Opt-in when it was introduced, however I did leave it enabled on a few of my systems believing it would only be used to improve the technology of the browser.

It is now (or will be soon) disabled on every system I manage...

Good Job Mozilla...


I think it's about domains of control: I expect that Google controls which image appears on their home page; I expect that I control which add-ons are installed in my Firefox.

If this code had been in core-Firefox, we'd never have noticed it. Counter-intuitively, maybe it wouldn't have felt as invasive, because I know that Mozilla controls core-Firefox, not me. (And I choose to defer to their judgement, because my other options are to defer to Google or Apple.)


>If this code had been in core-Firefox, we'd never have noticed it. Counter-intuitively, maybe it wouldn't have felt as invasive, because I know that Mozilla controls core-Firefox, not me. (And I choose to defer to their judgement, because my other options are to defer to Google or Apple.)

The code is available. I'm pretty sure the tor project would have noticed it.


I expect advertisements from a website.

I do not expect advertisements from my web browser - and I don't think that's an unreasonable line to draw.


I feel like this is way overblown but I think the logic here is that Mozilla claims to be an ally of privacy and internet freedom. While Google obviously, does not.


It is not overblown. Many of us powerusers / influencers stood by Firefox because of privacy. Latest failures have damaged my trust considerably.

To add insult to injury I don't see an apology or anything similar from Mozilla (or callahad here on hn) that would show me they understand the extent of this issue - how badly they f* up on how many occasions.

It's ironic, right when browser can finally stand next to Chrome in terms of performance...


[flagged]


Then people need to learn to slow down and back off - my privacy is a major part of my time's value. I will gladly spend a few half-seconds longer to be more private and more secure on an XUL-based browser rather than ever use an insecure WebExtensions-backed multi-process mess that accesses the Web without my consent or control.


apart from the fact that mozilla has standards it (supposedly) holds itself to, firefox is a beloved tool. It's not a piece of content, it's a tool. My content can be messed with, for sure. My tools can not.


Because many people use Firefox precisely because it's not Google?


Because Google is an advertisement company.


> modifies headers and content

No, it doesn't do that until you explicitly activate it.

The "pretty reasonable" core idea is just having that flag available in about:config or on the addons website or similar.


Please note this comment isn't specifically to you, but, I guess more to any mozzarellian that comes across this comment

- - -

for other reasons I wanna comment on the "seems pretty reasonable" bit

"In this day and age" what with fear and stuff being a main chunk of news, perhaps using a webext (which can really only modify a page to do any tricky cool stuff) is a bad thing?

(especially when it plays off of the pre-existing FUD by referencing hacking n' stuff!, but not my point)

same for any unexpected icons appearing in the toolbars! People are being told to be weary when using their browsers: look out for signs the pages might be fake or messed with, look out for unexplained installation of programs and addons, being hammered in from every secure site!

It's worrying that, I know it would fuck with my parents pretty bad WHEN it would be enabled, because there isn't much point in developing something for it to not be enabled! Especially when money is probably on the table, when higher ups probably rammed this through normal steps designed to prevent this sort of stuff (again)

I need something to give my parents, something that is ethical, something that cares about them, and something that works: chrome still works better for them, and mozilla seems really really keen on blurring the lines for the other ones (I know I know, it requires users to opt into shield studies etc, but man, I had a talk with my ma, "do you wanna contribute back to mozilla in this way?", please don't punish us for asking other less-techy people that.)

If you guys need easter eggs, probably keep them off to the side, in the settings or about sections


> People are being told to be weary when using their browsers

Freudian typo.


Yes, after the Dark Ages, Browser Wars, and burying Opera, I am increasingly weary to use a browser, any browser. And I am getting weary of the new "this site best viewed in Chrome", but it's almost as if nobody else gives a damn. Off to Palemoon, I guess? (And just when I thought that the new FF was looking good)


> The core idea (deploy an easter egg via an add-on) seems pretty reasonable

Erm no. I don't use a browser to have fun. I certainly don't want any surprises, and coming from Firefox/Mozilla this is very, very disappointing. How can we trust you guys to do the right thing from now on?


I do use a browser to have fun. I still don't want the browser having fun at my expense, and certainly not for advertising.

(the upsidedownternet is over 10 years old at this point - http://www.ex-parrot.com/pete/upside-down-ternet.html is from at least 2006 - awkward out of touch big company advertising isn't fun)


That's why you'd want it as an add-on, as opposed to core browser code. It's reasonable for all the silly crap that no one wants to be in the add-on directory. It's not reasonable for them to push the add-on to people that didn't choose to install it. That's the part I'm upset about.


Did you read past the first sentence?

He explains that including that addon for everyone by default is NOT OK. What he means by the first sentence is that using an addon for easter eggs is OK (but users need to install it themselves).


To be fair, Mozilla had a long history of easter eggs. So do other things that you'd want to take seriously (Tesla and Google for example). Easter eggs are a part of software culture whether you like it or not.

> How can we trust you guys to do the right thing from now on?

The same way you can continue to trust the GNU/Linux system which contains easter eggs.


Oh the same way I can trust Canonical to include advertisements in Ubuntu? ( https://www.theinquirer.net/inquirer/news/2221490/eff-urges-... )

Easter-eggs, to me, means something like "press a key combination, get a list of developers" or "go through the levels in a fast time, unlock a secret level" or "on march 14th there's a message about Pi day". It doesn't mean "if you change xyz settings, we'll sell some control to your system to a third party for our profit".


This is an advertisement in the form of an easter egg, that’s not common and not OK


>>To be fair, Mozilla had a long history of easter eggs.

This is not an easter Egg, I wish people would stop calling it that.

This is a Paid Advertisement, injected without my permission into my software. AKA Malware or Adware.

Companies pay thousands of dollars a year to prevent that type of software from being loaded on their system.

Firefox DOES NOT have a long history of being a distributor of malware or adware...

Easter Eggs are funny things that Dev put into code that make people chuckle but have no impact on the actual software

To call this an "Easter egg" is naive and ignorant. This is a Paid Promotional Advertisement of a Large Commercial project not an Easter egg


> The same way you can continue to trust the GNU/Linux system which contains easter eggs.

By which you mean, not at all, I assume.


For me it's not about this particular oversight. As parent comment and the link mentions, it's about opening a tab and getting a bunch of distractions, adding pocket, hello, etc. It's about bad decision after bad decision. I get the feeling that the user experience in Firefox gets worse over time.


This.

Whenever a story like this happens, I'm left wondering who came up with those ideas and who okayed them. From my perspective, anyone who thinks those things (as they were implemented) were justified is not suited to make decisions in a project like Firefox, period.

Another comment in this thread asked what will be done to make sure something like this doesn't ever happen again. I am aware that probably, nobody here can answer that question. But in essence, this is the thing Mozilla should be considering and communicating clearly in the near future.


> But pushing it out broadly, even in an inert state, was not good.

I don't see how "push" is even useful here. It's ARG content; teasing players into actively seeking out content is the bread and butter of ARGs. While it's certainly part of the premise that they exist as a sort of overlay on top of reality, well-run ones usually have a clear concept of which media are "in-game" to discourage people getting off into the weeds of fan-made content and unintended red herrings. The game is typically not meant to leak into unrelated media (such as the add-ons tab of Firefox on my company-issued laptop). Good examples of wider distribution for the initial round of hints to advertise the existence of an ARG include the "corruption" in a Halo 2 trailer (I Love Bees) and the heat-sensitive ink on the Nine Inch Nails Year Zero CD.

> I can assure you that there's an active internal discussion to that effect. I'm hopeful that we'll learn from this.

Here's one thing that somebody at Mozilla ought to learn (though I worry that the people who most need to learn this are going to be above the fray of the internal discussion): This was absolutely not a mere PR misstep, as the current non-apologies from official channels suggest. The primary problem now isn't that users misunderstood what Looking Glass is, it's that Mozilla management misunderstands what Looking Glass represents. If the Mozilla brand stands for anything at all, it stands for the mission of building the future of the web on behalf of the full spectrum of end users and developers instead of parochial and shortsighted corporate interests. The fact that Looking Glass was deployed in this way, with any internal alarm over it clearly either absent or overruled until after the fact, sends the opposite message. That message was further reinforced by the "clarifications" issued in response to the backlash.

Right now, I feel like any apology is likely to ring hollow. All indications so far are that upper management badly wants this sort of thing and that there will just be another flavor of it next year, as though it's just a matter of tweaking the recipe until they find a version of the pill that people will swallow.

I really love the work you guys do, but I feel like it's being undermined by exactly the sort of thing Mozilla is supposed to be the antidote to. I imagine many Mozillans feel the same way. So what the heck is going on?


> The core idea (deploy an easter egg via an add-on) seems pretty reasonable

It's fine if you believe this, but it means I'm not using your browser. I switched to Safari today.


I interpret this as you switching from a browser by a relatively small organization that has certainly made some mistakes but is backing down with a relatively small amount of user feedback to one by a much larger organization that has less motivation to acquiesce to users' desires and less motivation to respect users' privacy.

Also, as others pointed out, this sentence you quote (probably) isn't as bad as your interpretation (I think I interpreted as you did, too, on first read). If you want an easter egg in your browser, and you install an add-on to get it, what's bad about that? The interpretation that "add-on" means "installed by default by Mozilla" seems off compared to what was said elsewhere here (though as it happens, this add-on was installed by default, hence the interpretation that this was okay... but read on, and clearly callahad is saying that it wasn't okay to install by default).

I think the statement is poorly worded, but with the larger context, I'll give Mozilla a chance here... or else I'll use a browser that I think is more privacy conscious and that is more likely to listen to its users, not a browser that I think is less privacy conscious and less likely to listen to its users.


The problem is that you guys can't even see how wrong it was. Only when it is starting to gain publicity and blowing in your face, then you are even "starting" to have a discussion about it.

There were very disappointing answers by mozilla employees on r/firefox.


> I'm hopeful that we'll learn from this.

Consider for a moment what you think the lesson is.

Now that you have it...

(have it? great)

... is it different from the lesson when Pocket was made part of the browser?


I call shenanigans. about:mozilla is an Easter egg, this was an ad and it put a big dent on Mozilla's reputation. I hope said "active internal discussion" leads to something beyond a few corporate hollow apologies.


I think we're all sensitive to malware that installs Add-Ons. I just removed one from a friend's computer the other day.

What % of your users did you think you would frighten -- I guess it was acceptably low?


Then why were the tickets private?


> The core idea (deploy an easter egg via an add-on) seems pretty reasonable.

Yes, deploying an easter egg via an add-on is pretty reasonable, hell if it's out of the way enough even in the core browser. But Mozilla didn't deploy an easter egg: they deployed an advertisement.


> The core idea (deploy an easter egg via an add-on) seems pretty reasonable

I am stunned. I need to think about it for a few days, but this, to me is enough of a reason to stop using FF. Force feeding users this way is not even Chrome-style; it is early Internet Explorer like behavior.


What's unreasonable about deploying an easter egg via an add-on?

Dan is saying "Easter egg yay, auto-include in browser nay".


> Dan is saying "Easter egg yay, auto-include in browser nay".

Let me clarify: I do not want Easter eggs in my browser. At all. If you have to insert it, doing it via an add on is better than via core capability (I guess), but either way it is a very bad idea. And I think (correct me if I am wrong) that it is not "auto include nay". It is rather "Easter egg yay, auto-include yay, auto-activate nay".

At best an Easter egg is some useless junk and at worst it is a possible backdoor which can be activated by mistake on the developer side (as happened) or by a user fat fingering some input.

Sadly, I do not trust Mozilla anymore. It is just another evil empire competing to capture any user information it can. Any time there is another non-removable "feature" added I could bet 10:1 that the goal is to try putting yet another hook into the user and "good news: we are enhancing user experience again" is a clumsy PR. My 2c.


> I do not want Easter eggs in my browser

So don't install the addon. Why is everyone missing Dan's point? He's saying the current method (Available on AMO, you can install it if you want it) is what it should have been from the start.

BTW, they didn't get paid for this.


Yet, here we are.


You're missing the point.


> i have a question: why do any of this?

As far as I can tell, to get Mr. Robot viewers to try Firefox Quantum.

The Mr. Robot episode from Wednesday, as aired in the U.S., had a Firefox ad on a commercial break.

(Note that I'm not endorsing or excusing the ad extension or the manner in which it was delivered, or claiming a positive effect on the number of users. Having contributed to Quantum technically, I'm very upset about this.)


you mean the few remaining Mr. Robot users? Egads. Never in my life have I struggled to get through a season. Season 2 was just mind-numbingly slow. I quit for a while.


So sad to read stuff like this, but you're actually right.

This sucks.


> many users use firefox for ideological reasons, even when Chrome is/was technically superior.

I was here since Netscape, AOL, Prodigy, and Mozilla saved me from the hell of IE.

I didn't move to Chrome not because Firefox was inferior. It's because Firefox can handle 100s of tabs and Chrome crashes when I have a fraction of that.

You're right on the ideology but it also can handle 100s of tabs.


Thank you for your response. I wanted to add to what I'm sure is a chorus of commentary that your team is currently dealing with. But I don't know if this specific point has been made.

Your team has just ruined a huge amount of trust by not appropriately reviewing and documenting this feature. This goodwill is the most important capital Mozilla has.

Your team is continuing to make this situation worse by not posting any official response on Mozilla's communication channels, and by arbitrarily censoring incoming comments.

It would be appropriate for all members of your team to question the processes that led to this, and drive structural changes to ensure this never happens again. This includes the continued inaction of Mozilla's communications team.


I'm unsure if this was actually callahad's team doing this.

But regardless, basically the entire company is on flights right now, and it's the weekend after an intensive all-company event, and everyone is tired, and it's the freaking weekend. Wait a bit.

(Also, the Gizmodo article is an official response, as is https://support.mozilla.org/en-US/kb/lookingglass. There will probably be more, idk.)


You may be "unsure", but for an outsider reading Callahad's response, it looks like so. Besides, it's meant to be read as: "one of your teams".

Also, your all-company event may be "intensive", but it doesn't matter one whit. Why? When your corporation's actions are raising a damn ugly stink ruining Mozilla's good will, you're better off paying immediate attention even if it's the "freaking weekend".

It's elementary common sense.


Given the responses to emails folks have sent internally, they are paying immediate attention, they just haven't gotten to the point of making public statements aside from the Gizmodo article.


> The Mr. Robot series centers around the theme of online privacy and security. One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional.

Is this satire?


This incident did not, as far as I can tell, harm anyone's security or privacy. This add-on doesn't appear to track you, send your information to anyone, or grant access to your system to anyone else. People are upset to find the add-on on their systems, but what it actually does is not incompatible with the above paragraph.


Yea, I guess.


I am more and more under the impression that the best satire is written without the intention to do so. There are so many things said and written by public figures nowadays that a sane mind could never come up with, even if they tried.

So, from a certain perspective, yes it is.


Thank you for your comment. I'm sorry I hadn't seen this earlier; I stopped reading the HN thread a while ago. I have added this to my article:

>It has been clarified that an about:config flag must be set for this addon’s behavior to be visible. This improves the situation considerably, but I do not think it exonerates Mozilla and I stand firm behind most of my points. The study has also been rolled back by Mozilla, and Mozilla has issued statements [0] to the media [1] justifying the study (no apology has been issued).

[0] https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-...

[1] https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...


> no apology has been issued

This is my problem, right here. To err is human, but I would expect a level of contriteness, rather than doubling down on the "nothing to see here" attitude.


It doesn't improve the situation at all, which is that Mozilla has the capability to silently install addons in a default setting.


I am not a Firefox user[1], but the thing I am finding it difficult to understand about this brouhaha is:

1. Aside from how it reaches the user's machine, is the extension on or off when it gets installed invisibly?

2. If it's off, why push it at all? If the user is expected to give consent at some point down the line for it to be on, why not just have the user actually install the extension at the time of consent, rather than prefetching?

[1] work gives me a Chrome OS laptop, and I find the lock-in of sync-ing bookmarks and things pretty real.


> Is the extension on or off when it gets installed invisibly?

You could argue technicalities for either, but semantically, it's off by default.

The add-on is implemented as an "embedded webextension" which is wholly contained by an outer "bootstrapped add-on." The bootstrapped add-on controls whether or not the embedded webextension gets initialized, and that's all it does.

The bootstrapped add-on is literally just this one file: https://github.com/mozilla/addon-wr/blob/59659431fd2a75c33ac...

The outer shell is on by default. The embedded webextension is only initialized by the bootstrapped add-on if the user manually flips the "extensions.pug.lookingglass" preference in about:config. That preference is off by default.

> why not just have the user actually install the extension at the time of consent, rather than prefetching?

That's what we're moving to by pulling the add-on from Firefox and posting it on AMO.
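The pref gate described in the comment above can be checked from outside the browser. The following is an added example, not part of the thread and not Mozilla's code: it reads a profile's prefs.js and user.js and reports whether extensions.pug.lookingglass is set to true. The profile names and file contents are constructed, and treating only a boolean true as opt-in is an assumption.

```python
import json
import re
import tempfile
from pathlib import Path

PREF = "extensions.pug.lookingglass"  # preference name quoted in the thread

# Firefox stores one preference per line in prefs.js / user.js:
#   user_pref("some.name", true);
LINE_RE = re.compile(r'^\s*user_pref\(\s*"([^"\\]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, simple strings
        except ValueError:
            prefs[name] = raw  # keep the unparsed text rather than guess
    return prefs


def audit_profile(profile_dir):
    """Classify one profile directory by the effective value of PREF."""
    profile_dir = Path(profile_dir)
    effective, source = None, None
    # user.js is applied on top of prefs.js at startup, so it is read last.
    for filename in ("prefs.js", "user.js"):
        path = profile_dir / filename
        if not path.is_file():
            continue
        prefs = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
        if PREF in prefs:
            effective, source = prefs[PREF], filename
    if effective is True:
        status = "opted-in"  # the outer shell would start the embedded part
    elif effective is None or effective is False:
        status = "inert"  # absent means the off-by-default state
    else:
        status = "unexpected-value"  # e.g. the string "true"; inspect by hand
    return {"profile": profile_dir.name, "status": status,
            "value": effective, "source": source}


def audit_root(root):
    """Audit every profile directory found directly under root."""
    return [audit_profile(p) for p in sorted(Path(root).iterdir()) if p.is_dir()]


def demo():
    """Build four constructed profiles in a temp directory and audit them."""
    samples = {
        "aaa.default": {"prefs.js": '// constructed sample\n'
                                    'user_pref("browser.startup.page", 3);\n'},
        "bbb.work": {"prefs.js": f'user_pref("{PREF}", true);\n'},
        "ccc.test": {"prefs.js": f'user_pref("{PREF}", true);\n',
                     "user.js": f'user_pref("{PREF}", false);\n'},
        "ddd.odd": {"prefs.js": f'user_pref("{PREF}", "true");\n'},
    }
    with tempfile.TemporaryDirectory() as root:
        for name, files in samples.items():
            directory = Path(root) / name
            directory.mkdir()
            for filename, body in files.items():
                (directory / filename).write_text(body, encoding="utf-8")
        return audit_root(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `audit_root` at a directory that holds the profiles to be checked; a result of "inert" says nothing about whether the outer add-on is installed, only that the preference gate is closed.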


I just want to say thank you for engaging here!

Mozilla fucking up like this still feels like a friend fucking up. It's frustrating and disappointing precisely because I expect Mozilla to be better than this.


Err... No. The first time around (Pocket), yes. The second time (changing my explicitly set default search engine) - maybe. But this? Bundling ads with my browser? Not acknowledging it is a problem? No.


Don't forget the Cliqz debacle. And that in privacy oriented Germany. I'm in Berlin right now, and they don't appear to use an NFC card for public transport. In contrast to NL and UK they're still using tickets here.


> That's what we're moving to by pulling the add-on from Firefox and posting it on AMO.

Why was this not done in the first place?


I'm not personally aware of the answer to that question, but I expect it will be covered in a postmortem in the coming days.


I am anxiously waiting for the postmortem. As others have written, this is not the first such incident that goes against (perceived) core values of Mozilla. Either you need to pull your act together and change the process that leads to such decisions or you need to come clean (and admit that you are selling out your users for profit, the way Google does). Well, you can also ignore the situation and public will understand that you chose the latter...

If you do decide to come clean, it would help a lot if you gave assurances about what you have learned and how you will change the process so that this doesn't happen again. Trust is difficult to gain and easy to lose.

I must say I am sorry to see all this happening though. I have always hated Chrome (a bit less than IE, but for other reasons) and am (still) your loyal user. I even enabled telemetrics recently (which means _a lot_ - there is no other piece of software that gets this willingly from me) - needless to say, they are turned off again. We'll see how the postmortem turns out.


Gentle question:

was it a candid easter egg ?

I feel a bit distanced about the whole situation. The issues I've seen are:

- getting money from secret extension
- potential security risk
- bad will from mozilla

the name shield studies feels a bit scary, a CIA paranoia tone but anyway.. I believe that's the era that is tense and what seems to be an easter egg as you say, ends up as a brutally negative thing.


So basically, much ado about nothing. I am glad you engaged, thank you. People are too quick to overreact these days.


People are too quick to overreact these days. - it's as much fun a burst of dopamine and involvement as any gamified mobile game.

And it's not like we have any massive problems to unite against (that we can actually feel like we can help with).


> You could argue technicalities for either, but semantically, it's off by default.

That’s a very dangerous type of justification there, not one I expected someone at Mozilla to get that wrong.


He's being more generous than he needs to be. It is off by default.


> It was pulled yesterday after the backlash

The fact that it took a backlash to pull something that Mozilla engineers built and deployed is the worrisome element that the post and many people discussed.

> This event tells us that “Firefox studies” into a backdoor for advertisements, and I will never trust it again. But it doesn’t matter - you’re going to re-enable it on the next update. You know what that means? I will never trust Firefox again.

That's the real problem. There's already a strong negative taste after incidents like https://twitter.com/dherman76/status/433320156496789504

> Excited to share the launch of @mozilla @firefox Tiles program, the first of our user-enhancing programs

The default assumption that Mozilla is "one of the good guys" may have been there years ago, but in 2017 after many stumbles people are calling Mozilla's actions into question. The impression Mozilla's actions left upon 'sir_cmpwn wasn't based on an overnight reaction -- it was years of questionable actions. Trust is incredibly hard to earn, but very easy to lose.


This looks like an authoritative answer from a Mozilla coworker, and it's totally incompatible with the message and tone of the linked article "Firefox is on a slippery slope" which makes it sound like the extension was on by default.

So who is telling the truth?

The one thing I know is that I am writing from a Firefox right now and don't see headers, inversions etc. at all. The examples given in the article should have all been inverted, right?


This discussion on Reddit[0] would indicate that quite a few people saw this behavior unexpectedly, so even though it was off by default, it came as an unpleasant surprise to people who had opted in. It seems that they thought they were opting into Mozilla-lab-like experiments for improving the browser. Instead, they get an ad/easter egg that makes them think they-- or the site they are visiting-- have been hacked.

[0] https://www.reddit.com/r/programming/comments/7k8pf7/firefox...


It has also already caused economic damage as well as wasting a lot of people's time. https://reddit.com/r/talesfromtechsupport/comments/7k7wum/wh...


This. Apparently, we're still waiting for a Therac-class incident before "don't mess with critical infrastructure for what seems harmless fun to you" will even register on the radar with the "move fast and break other people's things" crowd.


That story, uh. If you cut off the last couple sentences it would be somewhat convincing. In its entirety it just suggests a very broken process. Where an automatic extension invalidates firefox, but renaming chrome.exe to firefox doesn't invalidate firefox!?


Or, they have multiple scripts running in the background which assume there is a `firefox` process. In such a case the smallest (and quickest) change is to rename the binary.


Perhaps Chrome is also supported by the testing infrastructure, but they chose to use only firefox?


Incredible. Mozilla really screwed up on this one.


mozilla has something called "system-extension" (the name changes over the years) that never shows up to the end user, and whose sole purpose is to enable/disable things in the users' browsers.

the use, as far as I know, has always been to disable broken features in older versions of users that do not update. pretty ok and necessary.

but this makes me think they are using it to a/b test or capacity plan for marketing campaigns now :(


I agree it is useful to disable broken features, or other things in software that is not getting updates.

I completely disagree this needs to be hidden from the end user, it should be FULLY and COMPLETELY transparent what is being disabled, added, or changed. There should be an "about/system-extension" page where a person could go and see everything that is doing or has done, and even optionally disable it if they desire.


> pretty ok and necessary.

There is NEVER an ethical reason for a dark update channel to exist. Altering the functionality of installed software without consent or notification is an act of sabotage, even when done by the vendor. If you want to disable broken features you prompt the user to have them disabled. Worst case (say something that allows malware to propagate or puts them or others at active risk) you disable it and display a message telling exactly what has happened.


Can you point to a specific comment where someone saw the behavior unexpectedly?

I've only seen people that saw the addon being installed unexpectedly.

That doesn't lead to thinking any sites have been hacked.


Even if the add-on is "enabled," it doesn't initialize itself unless a specific about:config value is also manually flipped: https://github.com/mozilla/addon-wr/blob/59659431fd2a75c33ac...

And, for good measure, here's an official quote confirming that we're pulling the add-on from Firefox: https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...


It would be easier to forgive if this was the first time Mozilla pulled this sort of thing. Instead, we see Mozilla making this same kind of mistake -- i.e. trying to turn what is otherwise a great browser into some kind of "platform" for things that do not actually serve users -- over and over again.

It's great that it was pulled, but what about removing the ability to silently install add-ons? Give up the power to make this mistake in the future if you want forgiveness.


Absolutely. The whole ordeal reminds me awfully of Ajit Pai's tone as he kills net neutrality, sounding as if everything was fine until net neutrality came along.

Although different, this too brushes off this one instance as a mistake, and entirely disregards the rest of the article, not even trying to address or explain the rest of Mozilla's recent borderline malicious behavior.

A serious fork is long overdue, if only it didn't take a corporation as big as Mozilla to undo their bad deeds.


I'm just one DevRel engineer on a layover; I'm not the right person to answer those broader questions. Not trying to be dismissive, just trying to engage in the areas where I'm most able.


Do you have an insight into whether or not Mozilla will issue an update that removes the ability to push add-ons in this fashion?


Bah. This was something that looked spooky but ran exactly zero payload by itself. It implies failed processes inside mozilla, but nothing malicious.

I still want a justification of the cliqz thing, sure, but I don't demand it in relation to this.


I'm glad it doesn't do anything, but if I saw this in my extensions list, I would think it was malware. That does have an impact. I could have spent hours with my hair on fire trying to figure out how my system was compromised, and I wouldn't be surprised if others have. I'd expect better from an org that has to deal with security issues all the time.


> callahad 4 hours ago [-]

Even if the add-on is "enabled," it doesn't initialize itself unless a specific about:config value is also manually flipped

Attack surface 101 / reason nobody else does this


How is this a particular attack surface? Changing an about:config value requires quite a bit of effort from an attacker and enabling this extension would not actually pose a security risk either. There's plenty of better about:config values to be changing, too.


> The one thing I know is that I am writing from a Firefox right now and don't see headers, inversions etc. at all. The examples given in the article should have all been inverted, right?

"It involved sideloading a sketchy browser extension which will invert text that matches a list of Mr. Robot-related keywords like “fsociety”, “robot”, “undo”, and “fuck”, and does a number of other things like adding an HTTP header to certain sites you visit."

Only if HN is on the list of "certain sites". It's also irrelevant because the extension offers me no value so Mozilla was not acting in my best interest.


OK, so I got that wrong with the "certain sites".

But still, the fact that the extension was not active unless you mess around in about:config is a crucial fact, which should not have been omitted in a highly critical article, especially if they use words like "Mozilla, you fucked up bad, and you still haven’t apologised. The study is still active and ongoing".

I feel misinformed by that article, to say the least.


> Only if HN is on the list of "certain sites".

If that is the case (I'm not saying it's not, just that I don't know)... why did the extension even need to exist? Presumably "certain sites" are partner sites participating in the promotion. If they are participating and (I assume) they control their own content, why didn't they just invert those words or whatever else they wanted to do with the content when they served it?

I'm very confused about why this needed to roll out as a browser extension at all.


The articles on this whole controversy describe it as an ARG - an Alternate Reality Game. I don't know exactly how this ARG works, but ARGs in general are like scavenger hunts - players investigate what's causing the changes, which give them hints as to where to look next.

So presumably it was implemented as a browser extension so game players would be able to find the browser extension, which would give them hints about what to do next.


The add-on doesn't do anything unless you go to about:config and turn it on.


It seems that Mozilla didn't get paid to implement this extension and force it through channels reserved for usability studies:

"We didn't make any money off of this; it was intended as an easter egg in Firefox for fans of the show." https://www.metafilter.com/171227/Your-Reality-Is-Driven-By-...

"Mozilla wasn't paid for the Mr. Robot tie-in, Kaykas-Wolff [Jascha Kaykas-Wolff, Mozilla's chief marketing officer] said. "We've enjoyed a growing partnership with the show and the show's audience," he said." https://www.cnet.com/au/news/mozilla-backpedals-after-mr-rob...

It doesn't matter if the extension was not activated on installation because the check for the extensions.pug.lookingglass on line 22 https://github.com/mozilla/addon-wr/blob/master/addon/bootst... can easily be gone in the next version of the extension.

Not getting paid for this ad is even worse in my opinion. Mr. Robot is produced by Universal Cable Productions, which is part of NBCUniversal, which in turn is owned by Comcast.

Your marketing people are probably laughing behind your back, they got the dork developers to implement this ad for free, be proud of it and even defend it in online forums. As they say: "The intent is to provide players with a sense of pride and accomplishment for unlocking different heroes." https://www.reddit.com/r/StarWarsBattlefront/comments/7cff0b...

Your marketing people got to play with the big boys in mass media and are now owed some favors. Think about that for a minute.


So let me get this straight.

Mozilla did a free advertisement for Comcast owned TV Series Mr. Robot?

What The Proverbial F?


Thank you for your response but I don't trust you. I don't believe your characterization of how this extension works is correct. That is a huge problem, it means I do not trust Mozilla.

What's being done to make sure this never happens again? How could something like this happen after the Pocket fiasco?


You don't have to trust me, that's why I linked to the source. Check out L21-24 in bootstrap.js.

You can verify that this is the same code as your own local copy of the add-on by visiting about:debugging, clicking "enable add-on debugging," and hitting "Debug" under the Looking Glass add-on.

Here's a press release confirming that we're pulling the add-on: https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...

I'm an engineer in Developer Relations. I'm not in management, I wasn't in the decision chain for this. I'm not here to defend that decision. I'm just here to try to explain, factually, the technical aspects of what happened, and to then reflect your sentiments internally.


I appreciate you taking the time and the work you do.

Let me state the obvious for your management: violating user trust is unacceptable. I expect Mozilla to be user-centric but I can no longer take that for granted.

This is a very dangerous action because it's not something that can be taken back. The addon can be removed but it shows very poor judgement on the part of Mozilla leadership and now I have to doubt all future motives.


I can assure you that such a sentiment has been expressed, and that the discussion is still active.


Can you provide more information on what is being discussed and what conclusions are being reached? From an outsider, it seems pretty cut-and-dry that this was a mistake and it should never happen again. If that premise is accepted, there really isn't much room for discussion. In the words of Tom Hanks - "I am not a smart man", so can you provide more insight into what is being discussed?


> If that premise is accepted, there really isn't much room for discussion.

How do you make sure it never happens again?

(That question alone deserves a lot of discussion)


Then I suggest that you open the bugs that are now private that discuss this.


When someone says "I don't trust you", "I don't believe you", spews a series of questions, and then responds by reiterating their statements without reference to your answers, that person is not so much listening to your perspective, as they are fantasizing about stepping on your face.

I actually appreciate your thoughts, but maybe it would be better to let Mozilla, the company, respond in a full blogpost.

One man does not stand well against an internet mob out for blood.


>I actually appreciate your thoughts, but maybe it would be better to let Mozilla, the company, respond in a full blogpost.

I agree, callahad is not responsible for this fiasco but I'm willing to bet Mozilla's response is gonna look something like this: https://m.imgur.com/obGMl8A

They keep pulling the same shit time after time... For me, it's time to abandon ship... (and I'm really sad to say that)


What are you engineering? Mozilla's relationship with other developers?


Regarding the "Pocket fiasco", I would suggest that Mozilla resolved that in the best way possible:

http://www.omgubuntu.co.uk/2017/02/mozilla-acquire-pocket-op...


The best way possible would involve learning a lesson that prevented it from happening again.


Pocket is a useful addition to Firefox. People just got a bee in their bonnet because it was a proprietary service that they didn't ask for. If a similar feature was rolled out that Mozilla developed internally, nobody would've batted an eyelid.

Now that Mozilla owns Pocket, and is open-sourcing the technology behind it, we get the best of all worlds, a useful addition to Firefox that is developed in line with the ethos of Mozilla.

Lastly, the whole Pocket saga was a storm in a teacup. Want to know what most people did when they didn't want to use it? They didn't click on it. If you're offended that a specific logo was present in your browser, I'd suggest you're in a vocal minority.


Thank you for the missing context.

Would you (or someone else in the know) please clarify what additional user data (if any) the default-enabled bootstrap add-on caused to be collected when the extensions.pug.lookingglass preference was disabled? I did some searching, but it's unclear to me whether SHIELD studies automatically cause any additional data to be collected and to whom that might go. I think the support site[1] could do a lot better addressing that topic. For example, it mentions (but does not link to) the default data collection policy.

Does the fact that this study didn't pop an opt-in UI definitively mean that whatever additional user data might be collected was all within Mozilla's privacy policy? The support site says that opt-in step, "will happen when a particular study needs to collect data that is not covered by default data collection policy." Does this apply when the study is just a bootstrap, and the actual extension is pref-enabled?

Lastly, I appreciate that you've being candid in sharing your personal feelings about the inappropriateness of pushing this extension. I'd like Mozilla to go one step further and comment on whether an extension of this nature is even appropriate to consider for a SHIELD study. Based on my reading of the feature's design and history (starting at the wiki[2] and branching out from there), as well as the aforementioned user-facing documentation, I believe SHIELD is intended for user research into features/ideas intended to be shipped to all Firefox users. I didn't find definitive guidelines on what constitutes an appropriate study for this program (if aren't publicly available, that's something Mozilla might want to address in the wake of this controversy), but I would disqualify Looking Glass in at least four different ways:

* Fleeting - whatever appeal it has to its target audience has a short shelf-life
* Frivolous - it has no utility and doesn't substantially improve any aspect of the user experience
* Hyper-targeted - it's only for Mr Robot fans
* Advertising-related - this adds an extra level of privacy concern for users

User research is a delicate matter requiring a lot of care to balance collection with privacy. To enroll (or stay enrolled) in these programs, users must be confident that they aren't trading too much privacy and are getting tangible benefits in return. Looking Glass fails the privacy confidence test for being advertising. It fails the tangible benefit test for being fleeting, frivolous, and hyper-targeted.

SHIELD isn't some convenient way to push features. It's a user research tool. Studies ought to have the gravity that the term implies. Mozilla hasn't just failed to respect users' concern over their privacy, it has also undercut its own user research efforts.

[1] https://support.mozilla.org/en-US/kb/shield

[2] https://wiki.mozilla.org/Firefox/Shield

[3] https://support.mozilla.org/en-US/kb/lookingglass


> Would you (or someone else in the know) please clarify what additional user data (if any) the default-enabled bootstrap add-on caused to be collected when the extensions.pug.lookingglass preference was disabled?

It did not collect anything. It just checked whether that preference was enabled upon startup of the browser and then disabled itself, if it was not.


Respectfully, I don’t think this answers my question.

My question is not about what Looking Glass itself does. I can see that in its source. My question is whether Firefox or SHIELD collected additional data because the addon was enabled, even when the pref (and therefore the extension) wasn’t. That’d require going through the source for the browser, SHIELD, and Normandy, which is quite a bit more challenging.

I’m hoping for a more authoritative answer with some evidence and preferably from a Mozilla representative.


I can see how you wanted to give people something fun, and I think Firefox's heart is in the right place. But browsers are not games. It's a critical piece of software, like the operating system on an airplane. You wouldn't put an easter egg in an airline's operating system, would you?


I don't understand what makes this a "study". What were you studying?


"study" is just an internal term for the method of deploying addons that way; they're called "Shield Studies" and usually are for A/B testing. This wasn't an actual study, he's just using the internal term for that kind of addon.


> Even when "enabled" in the add-on manager, the add-on was completely inert unless a user also manually dove into about:config and specifically enabled a flag related to the add-on. Without taking that deliberate action, it didn't do anything but watch that flag. No headers, no word inversions, etc.

Wow. So is Drew DeVault lying, or confused? Was there a bug that turned it on for him? This is odd.


Embedded WebExtensions are a bit weird, since they're kind of a hybrid of our legacy and modern add-on APIs, so I'd just bet on confusion.

This is the only code that runs when the add-on is enabled: https://github.com/mozilla/addon-wr/blob/59659431fd2a75c33ac...

Lines 22 and 39 determine if the inner WebExtension starts up.


"Confused" is the correct answer. So was I, or I'd have called that out and asked that it be corrected in prepublication review - and it would have been.

As I apologize for the error, I'd also mention that the principle of charity is a thing for a reason. One may very usefully cite errors in published articles and request their correction without also suggesting their presence may be an attempt at deliberate deception. Certainly such things do occur, but we need not assume them, even provisionally, in the absence of any evidence that the error is anything other than an honest mistake. Such behavior when made a norm debases our discourse; such behavior when indulged even occasionally risks its normalization. I think the quality of discourse on Hacker News merits preservation and enhancement, rather than debasement. But perhaps you disagree.


> Certainly such things do occur, but we need not assume them, even provisionally, in the absence of any evidence that the error is anything other than an honest mistake.

Personally, I do not see "lying, confused, or bug? this is odd" as an accusation of lying.


hey just want to chime in to say thanks for adding the context.

do you know where i can read up on the decision being made to deploy this extension thru the shield thing?


"study"


It's just our internal jargon, nothing nefarious intended. Things shipped over Shield are called "studies," A/B tests in the installer are called "funnelcakes," etc.


Are you saying that you're communicating the word "studies" in place of "advertisement" when the Shield option is presented to users during installation of Firefox?


This is the first time that channel has been so misused. I participated for a long while, and stopped some months ago only because the studies I was getting weren't useful to me and tended to impair my experience, rather than because of any issue of trustworthiness. I certainly am less likely to reenable the shield channel now than previously, but I also don't see the sense in making more out of this than the already eminently sufficient debacle that it is.


While I agree, in this case I think he's just using the phrase from the end of the blog post.


[flagged]


Jesus man, have some respect for other humans, and some leniency where it's warranted. It's possible to be critical of Mozilla and still be courteous. (Also see: my own criticism of Mozilla in this thread)


You can treat people with decency, but respect has to be earned

Jordan Peterson to Student: "You can't force me to respect you" https://youtu.be/WDLIR71Pe0A?t=184


Cute video - You do you, I'll keep asking strangers on HN to not be dicks to people they've never met, who have nothing to do with the issue at hand.


Please tell me why anyone should bother being respectful of or lenient towards those who won't show the same decent behavior? They're messing with the tools people use to work. That alone earns them utter and complete disrespect. They've done this in a way that leaves them conspicuously unable to reply - they deserve no leniency for this.


> Please tell me why anyone should bother being respectful of or lenient towards those who won't show the same decent behavior?

First of all, Mozilla isn't being rude, they're being foolish. But to answer that question in general, the goal is to fix things, not make them generally shit, so one side has to show decency at least. Furthermore, even if you believe they're as bad as you say, that does not give everyone carte blanche to be awful.


Because you owe better to this community than to be brutally dismissive of others. If you want to post in a rage, please do so elsewhere; on HN commenters need a minimum level of self-control, quite independently of how wrong anybody else is.

https://news.ycombinator.com/newsguidelines.html


Shouldn't we consider it a giant, massive red flag that you need a corporation backing you to maintain one of the most critical pieces of web software?

That's how we ended up in this mess. You can't compete in the web browser battles unless you have hundreds of full time engineers behind you. That's a failure of the web.

None of this new decentralized technology is going to mean anything if we haven't learned that lesson. If you want free, open systems, competition needs to be easy. We need to be able to respond to abusive platforms by making our own, and that means we need to live in an ecosystem where making our own platforms is easy enough that you can have 10-20 viable options simultaneously supported.

Linux distros are a fantastic example of this. It's easy enough to create a viable linux distro that there are 5+ popular ones, and if you don't like those there are 10+ less popular ones which are perfectly viable and reasonable choices for an OS.

We need to take the web back in that direction.


There are two internets now -- the internet of documents and the internet of applications. For reading documents, including somewhat dynamic documents like HN, all I need is w3m. But for the internet of applications you need a thin client: a javascript VM and layout engine. I regard anything that runs javascript as inherently malicious, out to violate my privacy and drain my battery. Of these, shenanigans notwithstanding, Firefox is still the least bad of the bad actors. Like most of the community, I'm disgusted but not surprised by this stupid stunt.


Actually it would be great - in the best interest of users - to make this distinction more pronounced. The "document web" should be a relatively safe space that you can comfortably browse with JS disabled. The "app web" is a different beast, and the trust of the user to turn on the JS engine should be earned. We could have "web browsers" and "app browsers", with the former being much more safe and less resource-consuming.


I really think there should be a .text TLD.

I don't know how you enforce it exactly, and maybe it's redundant with pastebin.

It still nags at me that sometimes I want to go to the web to just read a thing, measured in the tens of kilobytes, and all this other nonsense just gets in the way.

It's my kooky nostalgia probably. Old man yells at cloud. But other times, for fleeting moments, I think about applying for that TLD and feel just a bit like Ray Kinsella...


> I really think there should be a .text TLD.

That would be great -- I'm imagining a whole TLD full of sites like http://text.npr.org and http://lite.cnn.io/en.


Doesn't have to be that minimalistic - I could see up-to-date CSS being a good member of a document-only web.


gopher://


I do find it interesting that within the last year, two new and viable gopher browsers have been created - one for Windows and one for Android.


There's .page that could work just as well. I'd be keen to see a movement like that too.


Good point. The commingling of the two is probably more the "failure" of the web than anything else.

There's no reason I should be required to go through the "app" web (Flash, JS, Silverlight) to get something off the "document" web.

... and most use cases don't require an "app" web.


The distinction isn't pronounced. Few sites are, distinctly, only "apps" or "documents." So how would one define an "app" in this case, in a way that wouldn't encompass most of the existing web as "apps?"


Anything that uses JavaScript?

Or allows only the minimal subset required to implement AJAX type functionality.

The argument for expanding web standards has always been "if we don't, then they'll just appify it and we won't have any say" (see DRM debate).

An explicit decoupling of information from interactivity would lessen the pressure for that.


"Anything that uses Javascript" would include, as I said, almost the entire web, including sites which primarily serve text and act as documents, including Hacker News. View the source - it even uses AJAX.


I've just replied to you with JS disabled. I also created this account with no JS (this was a year ago). Upvoting also works without JS.

In my experience, of all the websites that don't work without JS, only a minority actually need it. Most of the time it's silly things like articles and blog posts that just show a blank screen without JS, or drop-down menus that rely on JS even though there are perfectly fine non-JS ways to do it, etc.


"Anything that requires JavaScript" might be a better criteria. Hn gracefully falls back without JavaScript enabled because it's not necessary, just some added convenience.


Even then, sites which lack graceful degradation aren't so qualitatively different from the few that do that they need to be moved to an entirely different platform, viewed from a different device and considered "applications" and not "documents." That seems like throwing the baby out with the bathwater.

What does make sense to me is a new platform based on WASM, with related tooling. Photoshop in the browser or something running the Unreal Engine or .Net is not the web enough to maybe deserve its own thing. But a new platform based on what are essentially complaints about complexity or efficiency would be too messy.


Yes.

Right now there's next to zero incentive not to use JavaScript. And only slightly more to engineer a working fallback page.

Bifurcating the web would provide one.


You're arguing for a technical solution to what is essentially a cultural problem.


I'd argue that the cultural problem (sites being VM-tech-heavy) is caused by a technology choice (never saying "this much technology is sufficient for a large part of the web").

Or to put it another way, extrapolated down this path README.txt files on the web in the future will only be accessible with a pair of VR goggles.


A document is static. It's neither necessary nor desirable that we access documents over the internet by contacting their owners. It's better for both privacy and resilience to handle documents over something like IPFS.

The web as we know it is much better suited to applications, where websites have behavior as well as content. Whether the rendering is server-side like HN or client-side like Facebook is irrelevant.


I'd argue that most sites are "documents" that have had "apps" unnecessarily shoehorned into them for cosmetic or financial reasons.


Seems kind of silly to ignore that javascript enables much more robust user interfaces. It can and is used poorly or maliciously, but it's used for far more than cosmetic or financial reasons.


What is "much more robust" even supposed to mean? It sounds like meaningless marketingspeak. The countless number of sites that break the back button, scrolling, general navigation, showering my eyes with distracting animations, or show some stupid popup when I select text make me lean towards the UI being much better without JS, and indeed I keep it off by default.

I once had a site beg me to enable JS "for a better user experience", one which didn't need it to work. I did, and promptly turned it off again when I realised what the "better" actually meant (see above). Not going to fall for that one again...


When I want to read an article in a newspaper, I don't need a "robust" user interface, I need the text and (sometimes) the pictures. Links to other relevant content are a bonus. This could be done with the very first web browser.

Yet for some reason (hint: money) newspaper websites load megabytes worth of scripts to display kilobytes of text.


There isn't really any practical reason for most sites to support users with JS disabled, as they're a pretty small minority. So there isn't really any good reason sites or users would actually care about or bother making the distinction.

Just make a separate "document web", with a standard that isn't utterly lovecraftian and has all the functionality that current ostensibly "document-only" sites (i.e. news, forums, etc.) rely on JS for. Then, disguise it inside some hip web framework where the client end just acts as a viewer, client-side rendering to boot (with a fallback for users with JS disabled). Make sure an independent implementation can access the underlying "document" through the endpoints the clientside rendering uses. Now you're able to essentially fool people into supporting it.

Also, you could choose to represent your document sites as a pile of data and non-Turing-complete "scripts" that do the presentation, with state that can only change upon user interaction. That may seem like a really backwards way of doing it, but if done right, it would give you a really good bang for the buck in terms of functionality/UX vs implementation complexity.


Agree with this, but the problem is user demand in competitive markets.

> I regard anything that runs javascript as inherently malicious, out to violate my privacy and drain my battery.

Tech people like those on HN may understand the centralizing corporate control that's embedded in the current structure of the internet.

Average users a) have zero technical understanding b) mainly use JS-heavy, DRM/surveillance-loaded "big tech" websites c) lack the skills, awareness, and desire to change anything for increased user freedom. There's more reward for positive features than lack of negatives.

Unless a compelling case can be made to the minimally-competent user who sees only speed, usability, and immediate real-world social use (I can watch DRM movies, play DRM music, use FB / YT / Google Apps / other "big tech"), any shift seems unlikely.

The problem is less technical than social. DRM / surveillance tech crapware is now a social norm, and there's rarely a good time to have a discussion. Most non-technical people just don't know or care.


I would in fact be happy if we could just have a simple VM and a low level rendering engine, let's say something like a WASM based VM (or even JS if we really have to), and WebGL or similar for rendering. Define a standard way to provide (or refuse) access to local and remote resources and leave all the rest (HTML, CSS, Web Workers, Audio Playback, Video Playback etc) as software running on the VM. This way you would not need a few GB of memory if you need only to display a wall of text and it would be easier both to share code between implementations and contribute software (as libraries ? plugins?) to the platform.


Because then every site would need to include a CSS + HTML rendering library to be executed in this VM - it would be like every site needing to include their JS framework of choice except much heavier.


No they wouldn't need to. They'd just have to advertise CSS + HTML, and the app browser would just use their internal CSS + HTML engine (possibly written in WASM for better sandboxing). There are probably a whole spectrum between those two extremes (all the code in the server, or all the code in the client).


I was thinking about something more like a "flash plugin": you may have to install once (or it might be bundled with the installer) and then "it just works". The main difference would be that it would be sandboxed and so limited on what it can do.


Thanks for this! For years I've been looking for a unixy command line browser that cuts through all the web related cruft. W3m fits the bill nicely.


>Of these, shenanigans notwithstanding, Firefox is still the least bad of the bad actors.

I would say Brave is better here. By default Brave blocks 3rd party cookies and ads. Brave has browser fingerprint blocking as well, but that is not enabled by default, presumably because that would break a lot of web applications and give the users a bad first impression of Brave.

Brave also comes with built in cryptocurrency micropayments as an optional way to sustain websites without advertisements.

The least bad actor in my view currently, is Brave.


Yep, don't wonder about the downvotes.


From my observations, a brief stint interacting with standards bodies, and a lot of strong opinions about API designs and specs:

The problem starts with regulatory capture of standards and standards bodies. It is in the interests of large organizations to pack a standard with every bit of code they have created internally. It slows down the other members and it keeps small groups and independents out entirely.

You could in many cases have a standard that five people sharing an apartment could implement. Or you could have one that only half a dozen groups could, which is just enough competition to make it sportsmanlike.


Do you have any ideas on how a standards body or its procedures could be structured to fight against this tendency?


For the most part, they can't, because a new standards body will spin up. The history of WHATWG [1] is illuminating; WHATWG being the community -- of largely browser-makers -- behind HTML5 and other specs that moved the web forward from 2004 to now; notwithstanding how you feel about W3C or WHATWG, it's impossible to deny that once a standards-setting group no longer meets the goals of its members, those same members are likely to go start something else.

[1] https://en.wikipedia.org/wiki/WHATWG#History


One problem with standards organizations is that they have a bunch of people whose job is to make new versions of the standard. Look at the evolution of OpenGL, the web, C++, Unicode (love hotel? Poop emoji?) and so on. Even ASCII evolved to 8-bit and then got ANSI escape codes, but it's stable now. C is fairly stable now but that's because all the new stuff is in C++ (much like HTML replaced ASCII).


We’re pretty bad about frog boiling. When we amend a spec we think about how much more we added, not how big it’s gotten.

It’s part of the disconnect between new and old employees. Everyone who has been there for three years learned the system one piece at a time. They don’t understand why the new people look at them like they’re crazy.


The emoji character set originated in Japan. When it was turned to Unicode, they weren't going to just remove characters because some of the world doesn't care for it.


What's wrong with the evolution of OpenGL? Everything from OpenGL 3 and on has simply been focused on fixing the API without completely breaking old code, or exposing new GPU features. All of that was necessary.


Emoji was clearly designed for a date when the Japanese phone and telcoms decided to set union all their icons as font glyphs. Why do you need both left and right magnifying glass, and so many variations of train?


Initially I was going to let the other responses stand on their own but I had a new thought.

Unfortunately it seems the spec by fiat process is the least problematic this way.

Someone standardizes a thing that has been working for them for a while and they want their partners and maybe competitors to work with it.

It has to be a fairly conservative spec as well, something that can be defined concisely.

And let me be clear: this is a necessary but insufficient quality of a good specification. Ramming an opinionated spec down everyone's throat that is clearly tilted to only be achievable with your company's patent portfolio is not playing nice, and people tend to sense the insincerity.


> That's how we ended up in this mess. You can't compete in the web browser battles unless you have hundreds of full time engineers behind you. That's a failure of the web.

I continue to find it ironic that Mozilla (and to a lesser extent, Google) have been pretty much continuously complaining about Microsoft/IE "holding back the Web", with a lot of people in agreement, when MS/IE's lack of support for the latest standards (not authored by them, naturally) is what keeps the former from having too much power over the Web as a whole. Imagine the company with huge browser marketshare rejecting all proposals to add new and more complex things to the standard, or refusing to implement them.

> If you want free, open systems, competition needs to be easy.

By MS/IE "holding back the Web", it's actually making it easier for alternative browsers to compete, and I think that's a good thing. Consider that the non-mainstream alternatives like NetSurf and Dillo are probably at a similar level of Web standards support as IE6/7.

Now that I think about it, I actually miss the Internet when the combination of XP and IE6 ruled --- certainly some sites tried to push the boundaries, but a lot of the rest remained "un-appified" and usable from other simple browsers too, with a bigger emphasis on content...


Except all Linux distros rely on the Linux kernel and repackage a vast number of GNU utilities which are maintained by... hundreds and hundreds of engineers.

If GNU/Linux were to die, so would all the distros, because it’s far too much work for any individual distro to maintain all that codebase. In much the same way, the intensive bit of maintenance work with Firefox is the rendering engine; there exist lots of “distros” (forks) of Firefox but they all rely on the same underlying codebase. It’s just not viable to have more than a small handful of rendering engines, much in the same way that there are only a very small handful of operating systems that can run on modern hardware.


> If GNU/Linux were to die

But there is no such entity as GNU/Linux. It's hundreds and hundreds of independently working engineers who would all have to be hit by buses at the same time.


10 companies are responsible for 57% of the changes to Linux. This is better than the typical 1 company responsible for the majority of changes in a browser, but it's not remotely close to "hundreds and hundreds of independently working engineers". Volunteers only make up ~8% of the changes.

What we don't have is any browser that's a multi-company project, though. WebKit used to almost be that, but then the blink fork happened. The closest currently would I suppose be Chromium as it's also backed by Opera.


I think we're in agreement that Linux is in a better state than the browser. To nit-pick at your argument, Linux development is driven by people who are interested in working on it; many of those are lucky enough to have employers who encourage them to use a company email address to submit changes, and part of their working hours. Nothing indicates they wouldn't still be contributing without the @intel.com attached to their name.

Furthermore in the study you are referencing, the "8% volunteers" is larger than any company's contribution besides Intel and RedHat - even more if you add in the individual "consultants".

https://www.linuxfoundation.org/blog/the-top-10-developers-a...


This is such a lovely idea on paper, but how do you put that into practice? Is the problem the monolithic design of a web browser, which now is basically an operating system all its own? Is the solution to break that into its component parts, so that each part can be maintained by a smaller group, and composed together to produce the browser as a whole?


The problem is the complexity of all the specifications that make up the Web. These specifications are heavily influenced by whatever major browsers already are doing (i.e. influenced by a handful of huge tech companies). These companies have a vested interest in making it hard to make a new, competitive browser.

I think the Web is unredeemable at this point; there is so much entrenched complexity, ugly hacks, centralization, and misuse of various technologies that it can never be undone. The only solution is to refuse to contribute to the Web at all, which is hardly an option for most of us here.


I think we could build a simple standard that does the useful parts of layout / CSS and includes a sane scripting language in a reasonable timeframe. It would need to be accessible both for users and developers.

The hard part would be enforcing behavior so you don't end up with vendors adding their own bits which destroy the entire point of the thing.


> I think the Web is unredeemable at this point; there is so much entrenched complexity, ugly hacks, centralization, and misuse of various technologies that it can never be undone.

Somewhere, an AMP developer coughs indignantly


The solution is to fork, or start over.

I like the latter idea.


Are there any ongoing efforts in that regard? I guess IPFS, but even then, you're serving html.


it's slow going, but that's what i'm trying to do with heropunch[0]. our goal is to create a p2p application platform using a handful of libre technologies: secure scuttlebutt, ipfs, lxc, enlightenment foundation libraries, rust, and elixir.

[0]: https://www.heropunch.io


Great. I support this.

Go build your new web and leave those of us who believe the existing web, despite its faults, has value, be.


Well, I certainly don't want to do it alone, if I want to do it in the first place.

It sounds an awful lot like you are complaining, but about what, I am not sure.

I don't see how I am not letting you be, either. Creating a new system does not involve you at all, until you find a personal interest in that system, or its development.


just about anything people invest time into is going to have some sort of value, 'despite faults'.

that doesn't really speak to the value of progress, reflecting on the status quo, or creating something fresh with lessons learned from the past.

i don't really get the 'leave you be' bit.


>i don't really get the 'leave you be' bit.

Simple. More than a few people here seem to believe, as the grandparent comment suggests, that the web is a lost cause, or irredeemable, and all those people seem to want to do is to constantly complain about it.

I'm simply suggesting that if people feel the web has nothing to offer them, that it would be more productive for them to kindly leave it for a network that better suits their needs. Otherwise, rather than wanting to "fork the web and start over" they could consider working to improve what we have.


> all those people seem to want to do is to constantly complain about it.

Why are you taking those complaints so personally?

You don't need us to be content with the status quo. If all we are doing is complaining, we really aren't doing anything to you.


viewing the web as a lost cause or irredeemable is not the same as saying it has nothing to offer. 'leaving the web' also doesn't seem very pragmatic, at least until something better is available.


>viewing the web as a lost cause or irredeemable is not the same as saying it has nothing to offer

I disagree - if it has something to offer then it's not a lost cause. A lost cause by definition isn't worth saving, or even engaging with.

> 'leaving the web' also doesn't seem very pragmatic, at least until something better is available.

The comment I replied to earlier suggested that the only reasonable solution to the web was to fork it or start over, with starting over being preferable. I'm merely suggesting that someone should actually get started on that.

Or maybe revive Gopher. I hear that's still around.


people can get started on that, and probably are. but the web exists, and the web is pervasive. it doesn't make any sense to abandon it until a replacement arrives... just as it makes no sense to simply abandon gas engines (and what, walk?) before electric ones are ready to replace them.

the real question is whether the New Thing can avoid the problems of its predecessor.


Design and create the equivalent of a web browser in a modular fashion.

Yes, that is a lofty goal. That does not make it unreasonable.

> Is the solution to break that into its component parts, so that each part can be maintained by a smaller group, and composed together to produce the browser as a whole?

Possibly, but currently, a "web" browser depends on its monolithic qualities. A web page is a DOM, defined by HTML, styled by CSS, and manipulated by JavaScript.

I think it may be time to start designing something less inherently monolithic.

One advantage to modularity is that we don't need to finish before we can use it.


That's a very nontrivial task, if feasible at all, considering the current overcomplicated state of affairs in the CSS, HTML, JS, graphical, font-rendering and networking fields of a browser's interest.

> Guys, there is a _reason_ why microkernels suck. This is an example of how things are _not_ "independent". The filesystems depend on the VM, and the VM depends on the filesystem. You can't just split them up as if they were two separate things (or rather: you _can_ split them up, but they still very much need to know about each other in very intimate ways).

http://yarchive.net/comp/linux/user_space_filesystems.html


> That's a very nontrivial task

I imagine so.

And?


we are slowly working towards this goal[0], we try to team up with other projects and develop this stuff cooperatively. our focus is on the user and developer experience side of things. creating good comfy tools for developers and fighting for very high quality UX on the user side.

[0]: https://heropunch.io


James Mickens gave a great talk about how we could build a better browser: https://www.youtube.com/watch?v=1uflg7LDmzI


You're right, this is great. Is the Atlantis source code available?


I've looked for it previously and not found anything. I'm hoping that MS are working on it in secret, but seems unlikely.


Amazing talk, thanks!


I think this idea has some merit to it, but I don't have any experience in building that kind of software.

This is essentially how teams that build huge software systems work. Like for instance, operating systems like windows/linux. The various teams at Microsoft, or trusted committers for Linux, organize their various modules, components, subsystems, etc. independently, and eventually compose them into a coherent functioning whole to ship the whole system.


The biggest difficulty is tying components together.

There are a few methods:

1. Libraries linked by binaries.

This is the usual method, but it generally demands modules share some things, which usually couples them too tightly to their implementation.

2. IPC (Inter-Process Communication)

There are a few ways to accomplish this. Some are OS specific (named pipes), others are fairly generic (sockets). This requires modules to share a language, and has some overhead, but at least they aren't coupled.

3. Microkernel

Essentially the best points of 1 and 2, but generally a design challenge itself.

The biggest advantage to modular design is that you don't need to create all the modules before you get something useful.


Linux distros are a terrible example.

Not only do they all rely on Torvalds and everyone else for the kernel (heavily funded by donations, companies, etc), but most Linux distributions are just cosmetic variations of the largest upstream distros.

If Debian died tomorrow, Ubuntu is on life support.


> most Linux distributions are just cosmetic variations of the largest upstream distros.

Plenty are not. I am impressed by how usable community-based (non-corporate) distros are (e.g. Gentoo, Arch). This is truly indigenous technology.

> they all rely on Torvalds and everyone else for the kernel (heavily funded by donations, companies, etc)

This is an interesting thought. I believe the Linux kernel would continue to be viable on a purely volunteer basis, without corporate subsidies; I can't prove it though.


I suspect you're right, but it would certainly be a tectonic event, and could potentially affect Linux's competitiveness until equilibrium recovered.

And you're right about "most" being wrong. "Many" would have been a better word, particularly if talking about the most popular.

(Another non-upstream-reliant distro that I find fascinating is GoboLinux. Very against the grain/orthodoxy!)


Without corporate subsidies, corporate subsidies would soon reappear. If it's useful enough, corporations will pay to continue having it.


Kernels aren't any more important than compilers, xorg, user space utilities and so on. That Linux managed to get its name on the whole stack doesn't mean much. You might as well be complaining that linux distributions are vulnerable to power outages.

If anything the major distributions are defined by their package managers, of which there is a large and healthy number - aptitude, dnf, pacman, portage, and a heap of weird and wonderful other ones with minuscule usage.


> you need a corporation backing you to maintain one of the most critical pieces of web software

My understanding is that Mozilla is supposed to be a nonprofit first and foremost: the Mozilla Foundation. The for-profit Mozilla Corporation is a subsidiary which is owned by the Foundation. I don't know whether this is still reflected in practice nowadays, but this is how it's supposed to be structured...


> Linux distros are a fantastic example of this. It's easy enough to create a viable linux distro that there are 5+ popular ones, and if you don't like those there are 10+ less popular ones which are perfectly viable and reasonable choices for an OS.

But isn't this the same as all the Chromium/Firefox forks? I mean I understand they aren't as popular as the major players but you could say the same about all the Linux distributions compared to Windows or OS X.


This isn't just a problem with Web standards. Think of how few complete implementations of C, C++, Python, Java there are.

So yeah the web is complex but so are most popular runtimes.


The difference is that the web was originally designed to show documents, not build applications. The failings of the web are entirely a result of turning the browser into a VM for Javascript applications.


I like the idea of having the web just being a static document format with hyperlinks and embeddable objects. No DOM just a tag for some narrowly defined supported formats (eg. .form, .game, .social, .store)


> Think of how few complete implementations of C, C++, Python, Java there are.

C++ is at least an order of magnitude more complex, but there have been plenty of C implementations, some even entirely the work of a single person[1]. "I wrote my own C (subset) compiler" seems to be a reasonably common thing on HN too.[2][3][4][5][6][7]

On the other hand, I haven't seen very many "truly independent" webpage rendering engine implementations (e.g. HTML4 or HTML5-subset, CSS2.x), so if anyone wants to give it a go (or Go, if you like...), they are more than welcome to, if only to increase the diversity of available implementations --- something that could probably handle HTML4/CSS2 might not be all that difficult, and especially so if you don't care for 100% identical results to the mainstream browsers (which often differ slightly too.)

[1] https://en.wikipedia.org/wiki/Tiny_C_Compiler

[2] https://news.ycombinator.com/item?id=13914137

[3] https://news.ycombinator.com/item?id=15463738

[4] https://news.ycombinator.com/item?id=13778353

[5] https://news.ycombinator.com/item?id=8558822

[6] https://news.ycombinator.com/item?id=11903674

[7] https://news.ycombinator.com/item?id=9125912


> something that could probably handle HTML4/CSS2 might not be all that difficult

As someone who did a lot of the work to implement a from-scratch HTML4/CSS2 engine, I struggle to come up with words that would adequately express to you just how much you are underestimating the difficulty of this.


Size is not a requirement of a programming language: look at Lisp, Smalltalk, Lua, etc to see simple systems that can be fully comprehended and are quite powerful.

If anything, the monstrosities produced by committees are less powerful and less beautiful. (That we put up with them says more about us.)


Have you seen the Common Lisp specification?


>Have you seen the Common Lisp specification?

Yes, it is huge and gigantic, but worth its weight in gold. The stuff "just works" and has almost no limits. I'd say that spec is a masterpiece.


Common Lisp is big because it's a bridge between MacLisp and InterLisp communities of the 80s. There are much smaller (and just as powerful) Lisps like Scheme or ISLISP.


Scheme is poorly expressive for daily programming and it's because of its small size. The documentation quantity for a useful Scheme like Racket is much larger.

Also, do we count all the pages expended on SRFI's? Or not?


I think we should stop writing code, and start thinking about the future, and write draft specs for an open web, and build a platform to discuss those specs.

Mozilla is great because they have good management, not just because they have great coders. The rest of us should take an example of this. This means that we should stop scratching our itches, and do some real thinking and have discussions before engaging in our next side project.


> "start thinking about the future, and write draft specs for an open web..."

There have been tons of attempts at this. Maybe we should start examining why these attempts have failed to succeed.


“You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.” - Fuller


One possible reason is that a truly open web would include things advocates for an open web don't want, such as advertising and commercial interests, or javascript.


Excellent point. I fear many attempts at the open web failed because they were a little too anti-capitalist or FOSS-purist and ignored basic economic realities.


> they have good management

In light of recent events, this would seem to be up for debate.


The comparison with linux distros isn't quite fair, as they are not full reimplementations of the same standard. They are better compared with chromium based browsers, which are easy to create and of which there are many.

What do you suggest to do to make competition easy? We could throw out most of the features, but then the resulting standard won't be useful, and almost no one will use it.


> Linux distros are a fantastic example of this.

I'm still looking for a Linux distro that runs on my phone without hassles.


This is because hardware manufacturers don't upstream drivers.


Or, for that matter, one that I can use for gaming.


What are you talking about? I've been gaming exclusively on Linux distros (Ubuntu, Fedora, SteamOS and Solus) for the last few years and it's been great. Site/community gamingonlinux.com is a testament to Linux gaming being a viable platform.


The sad truth is that some great titles only run on Windows.


If no one writes games for any given platform, is it the platform's fault? Network effects don't explain everything, but they do explain a lot.


There are more than 3000 games on Linux on Steam right now. A lot of it is indie, but still that's a lot of games.


i have used at least 4 different distros for gaming so I have no idea what your comment is supposed to be about.


Seems like we should expect that in a competitive market, production values will keep rising until it's no longer easy to compete? So the mystery isn't why browsers are so competitive, it's why other niches don't attract strong competitors.


"Shouldn't we consider it a giant, massive red flag that you need a corporation backing you to maintain one of the most critical pieces of web software?"

Yes.

Interestingly Mozilla Foundation is not asking for donations.

Mozilla Corporation is selling traffic to ad-supported search engines, and profiting handsomely.

Instead they are asking for user cooperation in their experiments.

Why not create a different breed of browser that does not expose users to advertising. Profit motive?

Let users support it with donations.

This should be the mission.


It might interest you that most Linux development is, in fact, done by corporations, and not by broke-ass developers funded by donations.


>Shouldn't we consider it a giant, massive red flag that you need a corporation backing you to maintain one of the most critical pieces of web software?

That's the price of doing business, isn't it? It's why communism doesn't pan out as well as capitalism. What's that a red flag against? The human animal?

I agree--let's replace 'em with super AI instead or something, but, in the interim...

>we need to live in an ecosystem where making our own platforms is easy enough that you can have 10-20 viable options simultaneously supported. Linux distros are a fantastic example of this.

They are not. Pale Moon is about as "viable" against Firefox or Chrome as Ubuntu or Mint are "viable" against Windows or MacOS for the average user. (And one of those [the better, much more popular one] has a corporation backing it!)


> Pale Moon is about as "viable" against Firefox or Chrome as Ubuntu or Mint are "viable" against Windows or MacOS for the average user. (And one of those [the better, much more popular one] has a corporation backing it!)

Funny, I appreciate the Pale Moon community (I'm "officially" part of it since I use the browser) more than I appreciate or support anything to do with Mozilla for years now. I don't see it being non-viable, because there are plenty of people who are actively involved in providing a better browser with specific goals. And, there are plenty more people on top of that who act as concerned watchdogs to make sure the browser doesn't lose sight of those goals. That's what Mozilla lost. When the powerusers turned into an echo chamber, Mozilla lost the way. When the community openly approved of the offloading of plugins (the start of multi-process nonsense), the new interface, the move to WebExtensions... this is the fault of the people who kept saying, 'yes keep changing stop being Mozilla stop being Firefox be Chrome-2'.


Watching the whole thing unfold has been heartbreaking. Most mozillians do not support this. This Twitter thread is one insight into it: https://twitter.com/steveklabnik/status/941709048529014784

Firefox 57 gained a ton of good will from a lot of users, and they pull this crap right after. They absolutely should know better. They should have known better with Pocket; they should have learned from Pocket.

"Fork it" is not an acceptable answer. The problem is not with Firefox, it's with Mozilla. Mozilla is a good company at heart and they're an important pillar of the web. Losing them to stupid stuff like this sucks, we should fight for them. There's tons of Firefox forks, none of them get the point though, you might as well use Chromium. If Firefox disappears and the fork remains, the fork dies because maintaining a web browser is work that needs a corporation's backing behind it (or a government's).

Mozilla's role goes beyond the web browser as well. Its mission was to "keep the web open", "keep the web free". This goal was reflected in projects such as Firefox OS, Hello and Persona (and to some extent, Thunderbird)... but atrocious management made those projects a waste of time and money.

It's not Firefox you need to fork, it's Mozilla.


It's surprising that people are surprised by these things. Mozilla is not on a slippery slope. That was true years ago, but it proceeded unmitigated. By now, though, these things are the natural result of that decay.

There's a lot of power in branding, apparently. People keep saying things like, "Mozilla is a good company at heart", and I'm at a loss. Mozilla 2017 is nothing like the Mozilla that existed when the Foundation was established, or when the Mozilla Manifesto was adopted. Tons of key people left in a few different waves: first when Google pulled them off the project to go build Chrome, and then lots more who trickled out over the years during and after the Kovacs/FirefoxOS era. What remains is (a derivative of) the codebase + the name "Mozilla" + and, like, Mitchell. But that's it. Keep calling it the same thing, though, and somehow folks act like we're talking about the same thing.

Mozilla imploded—or rather, got Netscapified—years ago. To believe that Mozilla or Firefox is your old friend who's still helping you fight the good fight is incredibly naive and can only come from someone who hasn't actually been paying attention and is easily fooled by (trivially contradicted) surface-level details (like a name). I mean, it's not even like some philosophically tricky ship-of-Theseus problem. Mozilla is dead, people, and this isn't news.


Sorry but where's your evidence?

Mozilla is still today doing incredible work. The work on Quantum was extremely forward-thinking in a way that most corporations cannot support; it brought us Rust, which is a fantastic contribution to the ecosystem.

Furthermore, Mozilla has always had troubles with judgement and mismanagement, this is not new. The problems that have been surfacing are old problems, they're just getting more severe.


If the yardstick for Mozilla's mission is how fast they can make a browser, why do we need Mozilla? There are arguably better equipped entities doing that.

Their whole mission is to have better judgement and management, advocating for the user instead of a corporation (or foundation). So it sounds like you're in agreement with the GP that Mozilla's decay is not news.


> If the yardstick for Mozilla's mission is how fast they can make a browser, why do we need Mozilla? There are arguably better equipped entities doing that.

Are there? I see no evidence to support that assertion and a lot of evidence against it.

Market share matters. The last vote at the W3C about DRM video being the most recent example.

I mean, I probably qualify as reasonably savvy, and I have used exactly 4 browsers in the last 10 years: Firefox, Chrome, IE/Edge, and Safari.


> I mean, I probably qualify as reasonably savvy, and I have used exactly 4 browsers in the last 10 years: Firefox, Chrome, IE/Edge, and Safari.

I probably don't count as savvy, but my browser experience over the last 10 years has been a somewhat broader list. Having started with Firefox at V2, I switched (around '06) to my primary browser being Opera, with SeaMonkey as a secondary - especially when I want IRC; Firefox, K-Meleon, and Links are all in the background ready to go. I also used QtWeb for a brief period.

When Opera switched to being a Chrome clone, I jumped ship. SeaMonkey didn't provide the ease-of-use I wanted for an everyday browser, so I went back to Firefox. I'm now more often on Pale Moon.


>>The last vote at the W3C about DRM video being the most recent example.

Which Mozilla enthusiastically and Fully supported Google, MS, and Netflix in support of DRM.

Their fake unwillingness from 2014 was about as transparent as netflix's, whereby netflix claims it is "all the MPAA/Studios" while at the same time closing down all Open Access APIs, and locking down all their own wholly owned content behind DRM

This is not the first time user privacy has been invaded on Firefox or by Mozilla and it will not be the last

The fact that these Data Reporting features, and allowing FF to run "studies" on you is an OPT-OUT setting, not an OPT-IN setting, is all the proof I need that the Mozilla of old is long dead.. A Privacy respecting company would make such things OPT-IN, not OPT-OUT..

That is without even getting into the whole Orwellian Ministry of Truth they are creating, or about 100 other things


Evidence? How about the article link we're all commenting on? How is that not enough for you?


Uh, looking glass was not supported or worked on by the vast majority of the fantastic engineers at mozilla. This was a marketing stunt probably thrown together by a single intern, and greenlighted by an out-of-touch marketing department.

The engineers at mozilla are NOT the problem.


>"This was a marketing stunt probably thrown together by a single intern, and greenlighted by an out-of-touch marketing department."

Doesn't the fact that that's even allowed to happen point to a larger problem?


Ah, a privacy oriented browser where a single intern with an out-of-touch marketing department can push crap to millions of users.


Sorry, I don't care much about engineers. I care about people in charge. People high in the decision making process. If an intern and a marketing department are able to do this it's really bad. No number of good engineers can change that.


> There's a lot of power in branding, apparently. People keep saying things like, "Mozilla is a good company at heart", and I'm at a loss. Mozilla 2017 is nothing like the Mozilla that existed when the Foundation was established, or when the Mozilla Manifesto was adopted.

I don't know, Rust and Servo seem to show that there's still the hacker spirit that was there at the beginning, it's just they accumulated a lot of 'business types' if you will over the years and they need to put that engineering face back at the top, instead of being too focused at running a multi-million dollar enterprise.


What good are Rust and Servo if they just use them to force unwanted extensions on me?

I hope you're not pretending that Servo is somehow the fastest way to browse the web...


Servo? No. Firefox 57+, which is based on it? Yes. But that's completely beside the point here, because yeah, serving unwanted extensions - which aren't even remotely useful - is ... stupid. I allow experiments so Mozilla can test new things which will benefit others later. But I don't see any world where the Mr. Robot extension will benefit anyone.


Have you tried Chrome?

Firefox 57+ is absolutely not the fastest way to browse the web. I'm sorry, I tried.


Yes. It's my second browser (and was my main browser until I switched to FF Nightly in the summer). And no, it isn't faster - at least not for me. And it hogs memory as if there's no other software running on my PC. I'm really happy that I can use FF again instead.


> it hogs my memory if there's no other software running

What exactly is wrong with that? Do you understand how RAM works on a computer?

Maybe your system is different, but for me, FF 57+ uses much more CPU than Chrome, and unlike RAM, that's a statistic that actually affects something in a meaningful way (increased power consumption).

If you're worried about Chrome using RAM when nothing else is, you might be fetishizing the concept of free RAM.


I wrote as if, not if - i.e. I run other programs that could use the RAM if Chrome wouldn't take it.


I think ultimately it's very dependent on which sites you frequent. Like with many things, it's absolutely a case where the only good answer is YMMV.


As far as I can tell, any website that uses a less than negligible amount of JS runs better on Chrome, and that's about 80% of the sites I visit.


FF nightly and now stable have been my default browser for almost a year, and I have to agree with you. FF in all variants (as of today) regularly consumes more RAM than Chrome for my day-to-day usage. FF crashes on me several times per week. Netflix, YouTube, and it seems most React sites consistently seem to just chug in FF, but do fine in Chrome. I'm not sure what's happening here, but the hype about FF's new performance gains has not been fulfilled in my experience.

I've stuck with FF because I'm a web developer-- sadly, the money led me there from other more interesting lines of dev work-- and I don't want to see a single browser dominate the web the way IE used to.


As far as Nightly goes, I'd always imagine a debug/testing build would use more RAM by a fair margin.

elsewise, I'd say, try creating a new FF profile, unfortunately afaik older profiles can still jank up the browser a bit


Chrome keeps asking me to log in to Google.


The ship exists but whether it remains the same ship is a matter of opinion; and yet Theseus sails onward.

I see Mozilla as suffering from a crisis of identity, internally; it's acting as though it is staffed by believers in the manifesto but is now steered by those enamoured with The Bay Area and its ways.

Rust, Firefox 57, and even FirefoxOS are/were noble efforts to succeed in delivering on the manifesto. Pocket and this latest advert update smack of an executive that is thirsty to exploit the Mozilla brand for profit.


The problem is that Theseus jumped the boat too.


Wait, just because the old guard is gone, implies that the people there no longer care at all about the original mission? I get where you're coming from, but throwing up one's hands and saying Mozilla is already fucked is not helpful—Mozilla is our best chance at maintaining an open web. If we just roll over and let Google have the web because things aren't perfect then we are well and truly fucked because there's really no question of the agenda there. No, we should be holding their feet to the fire, not giving up in impotent cynicism.


> There's a lot of power in branding, apparently.

The Iron Law of Bureaucracy applies to do-good missions just as easily as it does to the worst of avaricious corporations or bloated gov't depts.


"Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people:

First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.

Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.

The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization." [0]

[0] https://www.jerrypournelle.com/reports/jerryp/iron.html


More generic form of this would be to state that in any system, those who are willing to go furthest in protecting their position will usually have the upper hand.

E.g. the company owner remains a company owner only as long as they are willing to go sufficiently far to keep the company profitable; those who don't go bankrupt and lose their position.

The bureaucrat is not special in that respect - they are "just" the natural foot soldier of those who want to maintain an organisation for the sake of the organisation.

As such the backbone of any long-lasting organisation will be made up of those who are good at both maintaining their position in an organisation, and in protecting the organisation against inside and outside "threats".

Unfortunately such threats can include those who want to focus resources on the original goal of the organisation, at the risk of diminishing the role of the organisation.

Since Pournelle mentions the Soviets: to me this is one of the most dangerous parts of Leninist party theory: it involves rules meant to strengthen a party organisation against the threat of outside force, but it also made the Bolshevik party ideally suited for party bureaucrats and power mongers, whose prime goal quickly became the perpetuation of the party and the privileges of power.

A lesson should be to make any organization as weak as it can possibly be while retaining its ability to function. Unfortunately to function that needs an even playing field, or "as weak as it can possibly be" in the face of competing with multinational corporations quickly means something much bigger than we might hope.


all things equal, one dedicated to get power in an organization will get power over those that are dedicated to produce for the organization

this works for company, bureaucracies and everything else in life and is part of the entropy an organization accrues with time.

giving bureaucrats a weaker initial position will only extend the time before takeover.


I usually refer to Stross's summary- "The iron law of bureaucracy states that for all organizations, most of their activity will be devoted to the perpetuation of the organization, not to the pursuit of its ostensible objective."

see: https://news.ycombinator.com/item?id=9106983


There is a natural tension between the desire to do good and the need to make money.

If you can't be financially self-sustaining, then no level of desire to do good in the world will result in the long term ability to continue doing good.

It is like the phrase, Justice without power is inefficient and power without justice is tyranny. You need both profit and philosophy to do good.


Exactly. I'm totally fed up with this "Mozilla is a good company at heart" contrary to every evidence (letting FF slip b/c of all the side projects, Pocket, now this).


Indeed. The first indication was perhaps when they freaked out and decided to chase Google on version numbers.

After that they got into all kinds of "social signaling" shenanigans, and the rest is history.


I miss Brendan Eich.


Certainly as CTO. If he had stayed on after suddenly having been declared CEO without so much as a review process, our opinions would probably be very different by now.


So, this is my fault, for leaving in 2014?


I strongly disagree that Mozilla is a good company at heart.

They are horribly mismanaged on every level.

They have burned hundreds of millions of dollars to produce a second rate browser that has seen its market share collapse.

They took hundreds of millions from Google and in exchange unquestioningly supported Google's advertising and surveillance agenda.

They have consistently failed to introduce new features that would actually benefit new users.

They blame the "standards process" for their lack of innovation and features that benefit users when they know that the standards process is a b.s. game. For profit corporations break standards whenever it benefits them. Firefox is the only browser that follows standards written by Google, Microsoft, and Apple, while the other 3 break them, or force through their own changes whenever it benefits them.

Apple blocked 3rd party cookies and Microsoft defaulted to Do Not Track while Firefox kept doing Google's bidding to collect their checks. Just one example of many.

In the place of real innovation, being truly independent, and actually standing up for users Mozilla gives people dumb crusades like Net Neutrality.

Firefox could have used their market share to develop truly innovative features, like what Opera tried. For that matter they could have partnered with Opera to create standards for a true open web, but of course they never did that because the Google bucks were just too sweet for them.

Mozilla has been a failed organization for a long time. This is only the latest reminder.


The trouble is, it costs money (or a lot of time from talented people) to support a project the size of a browser. I would imagine getting some funding helps keep things afloat.

You even say, "maintaining a web browser is work that needs a corporation's backing behind it (or a government's)".

I suppose we should expect the goodwill of corporate sponsorship, but this relationship can quickly turn into the "sponsor" asking for things in exchange for donations.

This situation exposes a weakness and requires the recognition of the fragility of the open source model (at least for larger-scale projects). We've seen weird corporate-backed things in NPM projects before. It happens, but what is the better alternative? How do we prevent it? Most corporations only support open source projects out of self-interest: that is, they have a stake in seeing a particular project succeed because their stack may depend on the software.


There are plenty of open source companies. The company I founded is built on open source principles many of them inspired by Mozilla. It's a bigger challenge, because it restricts your freedoms as a company in favour of the user's freedoms. However Mozilla's mistakes are not due to the open source nature of the company at all, they are due to mismanagement.

They are due to poor understanding of your own userbase. Poor communication with users and employees. Complete lack of judgement.

These are sticks Mozilla puts in its own wheels. It's hard to make money, but it's easy to know what not to do. Simply asking your employees: "Is this a good idea?" would have yielded a clear "Fuck no". That they did not do that (or did, but chose to ignore it) is a terrible sign, open source or not.


https://twitter.com/dherman76/status/433320156496789504 exemplifies the poor misunderstanding of the userbase:

> Excited to share the launch of @mozilla @firefox Tiles program, the first of our user-enhancing programs

To call advertisements "user-enhancing" is an affront and betrays values like privacy that Mozilla claims to espouse


> betrays values like privacy

I do not (now -- at the time that person made that tweet, I did, but not on the browser) work at Mozilla.

However. The "tiles" concept was literally an experiment in whether it's possible to construct an ad system that does respect privacy.

The basic idea was:

* Advertisers submit their ads to Mozilla. Mozilla wraps them up into "bundles", made up of a bunch of different ads along with metadata to use in determining which to show.

* The browser downloads the "bundles" from Mozilla, and caches them locally.

* The browser, based on local data only it has access to, and the metadata in the bundles, decides which ads to show.

In other words, unlike a Google-style model where the ads are stored remotely, loaded on demand, and the decision of what to show is made on the server side, this stored all ad content locally and the decision of what to show was also made entirely locally. So neither the advertiser nor the distributor could know whether a particular person saw an ad or (if they happened to) why the decision was made to show them that ad rather than a different one.

You may not like that, and you're free not to like it. But to argue that it "betrays" privacy is simply factually false. And Mozilla's mission is, in large part, to find ways to advance and sustain the web in ways that respect the users. Trying to develop a privacy-respecting way to deliver ads -- since so much of the web is dependent on ads -- is entirely within that mission.
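The data flow described in the comment above, as an added example that is not part of the original comment or Mozilla's code: the bundle layout, field names, endpoint paths and scoring rule are all hypothetical. It contrasts a server-decided selection with the locally decided one and records what each model sends over the network.

```javascript
// Constructed sample bundle: the same content is served to every browser.
const SAMPLE_BUNDLE = {
  version: 1,
  tiles: [
    { id: "tile-cooking", title: "Recipe box", topics: ["cooking", "food"] },
    { id: "tile-cycling", title: "Bike shop", topics: ["cycling", "outdoors"] },
    { id: "tile-generic", title: "Generic offer", topics: [] },
  ],
};

// Constructed local data: topic weights derived from history kept in the browser.
const LOCAL_PROFILE = { cooking: 5, cycling: 1 };

// Hypothetical scoring rule: sum the local weights of the tile's topics.
function scoreTile(tile, profile) {
  return tile.topics.reduce((sum, t) => sum + (profile[t] || 0), 0);
}

// Highest score wins; ties fall back to bundle order so the result is deterministic.
function pickTile(tiles, profile) {
  let best = tiles[0];
  for (const tile of tiles) {
    if (scoreTile(tile, profile) > scoreTile(best, profile)) best = tile;
  }
  return best;
}

// Stand-in for the distributor's server. It records every request it receives,
// which is exactly what the distributor (or a network observer) gets to see.
class RecordingNetwork {
  constructor(bundle) {
    this.bundle = bundle;
    this.requests = [];
  }
  request(path, body = null) {
    this.requests.push({ path, body });
    if (path === "/bundle") return JSON.parse(JSON.stringify(this.bundle));
    if (path === "/select") return pickTile(this.bundle.tiles, body.profile);
    throw new Error("unknown path " + path);
  }
}

// Server-decided model: the profile is uploaded so the server can choose.
function showAdServerSide(net, profile) {
  return net.request("/select", { profile });
}

// Locally decided model: one profile-independent download, then every
// selection runs against the cached bundle with no further requests.
class LocalTileStore {
  constructor(net) {
    this.net = net;
    this.cached = null;
  }
  refresh() {
    this.cached = this.net.request("/bundle");
  }
  showAd(profile) {
    if (!this.cached) this.refresh();
    return pickTile(this.cached.tiles, profile);
  }
}

// Audit helper: which recorded requests carry any of the profile's topics?
function requestsExposing(requests, profile) {
  const topics = Object.keys(profile);
  return requests.filter((r) => {
    const wire = JSON.stringify(r);
    return topics.some((t) => wire.includes(t));
  });
}

// Run both models on the same inputs and summarise what went over the wire.
// This covers the selection step only; anything the browser sends later
// (for example a click-through to the advertiser) is outside this sketch.
function compareModels() {
  const remoteNet = new RecordingNetwork(SAMPLE_BUNDLE);
  const remoteChoice = showAdServerSide(remoteNet, LOCAL_PROFILE);

  const localNet = new RecordingNetwork(SAMPLE_BUNDLE);
  const localChoice = new LocalTileStore(localNet).showAd(LOCAL_PROFILE);

  return {
    sameChoice: remoteChoice.id === localChoice.id,
    remoteExposed: requestsExposing(remoteNet.requests, LOCAL_PROFILE).length,
    localExposed: requestsExposing(localNet.requests, LOCAL_PROFILE).length,
  };
}

console.log(compareModels());
```
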


Time to do away with whoever led the charge on this one.


>Simply asking your employees: "Is this a good idea?" would have yielded a clear "Fuck no". That they did not do that (or did, but chose to ignore it) is a terrible sign, open source or not.

Running a company by polling random employees is not an established successful management style. It's only you who is suggesting it, and then claiming that because they didn't do it, it's a bad sign.


You inserted the word "random" into the OP's statement in order to support your position. Your employees will ALWAYS have a better understanding of the state of affairs of projects they are developing, simply because they are the ones developing them. You cannot fully understand the complexities without doing the work yourself. Not factoring opinions about a product from the employees who are making it is incredibly irresponsible, and makes those employees much more likely to find an employer who will value them as subject matter experts.


>Not factoring opinions about a product from the employees who are making it is incredibly irresponsible, and makes those employees much more likely to find an employer who will value them as subject matter experts.

A developer is not a subject matter expert on how to market a product. Maybe you can restate your opinion.


Counter to your statement, "A developer is not a subject matter expert on how to market a product":

Most development experience I have had (open source, exclusively) comes with continual interaction with, and feedback from, a subset of users who use the software. This subset is populated mostly by power users, those who rely on the software for work, and those who use it regularly. They are the ones who understand which needs the software is meeting and which it is failing to meet, and who ask for intelligent and sensible features to be added.

The marketing departments don't have this built in compass. They create ideas that they think will be profitable to the company, and they simply don't have the necessary connection with the users and with the software to know which of these ideas will be perceived as awful by the user.

The ones creating the software are the subject matter experts on what that software should do, how it should behave, and what the users will find most useful, in this instance.

The marketers are subject matter experts on... Other stuff? Advertisements and buzzwords and increasing revenues by targeting certain demographics of peoples? I have experience with the marketing side of business that has perhaps reflected poorly on that profession, so I'd love to hear from anyone that can fill my knowledge gap.


> Running a company by polling random employees is not an established successful management style. Its only you who is suggesting it,

He's suggesting that the most simple, stupid check one could think of (polling random employees) would already have shown this to be a terrible idea. They didn't even go that far. That is indeed a bad sign.


>would already have shown this to be a terrible idea.

What are you basing this on?

I'm just a FF user, and I don't think it was a terrible idea, even though I personally wouldn't have gone that route.


Plenty of companies conduct internal betas. Plenty of companies conduct internal usability studies for new features or anything in their product they have the slightest worry could backfire. I mean they could have included this in the developer unpublished version for some time and just asked for general feedback before releasing it. These concepts are far from unheard of.


>These concepts are far from unheard of.

Sure, and not doing any of that isn't a "terrible sign" as the OP claimed. Which is the point I'm countering.


Joel Test step 12 is more or less "grab random people in your hallway and see if they approve of what you're working on".

https://www.joelonsoftware.com/2000/08/09/the-joel-test-12-s...


>Joel Test step 12 is more or less

That's brilliant!

"grab random people in your hallway and see if they approve of the new developer you hired" - HR

"grab random people in your hallway and see if they approve of the fan choice for the new cafeteria's HVAC system " - Building Management

"grab random people in your hallway and see if they approve of the calculations in the spreadsheets that the company CFO produced". - Finance department.

Hey, I think you're on to something here. We could eliminate entire departments here ! :)


Hmm, when you remove the expensive "we should hire a management consultant to tell us to ask employees about the new dev" it almost seems laughable, like people wouldn't trust or want a kind of 'democracy' and would prefer and respect 'dictates handed down from above'.

Maybe it needs to cost $100k for someone in a suit to say "ask your employees, make use of their knowledge" before it sounds respectable?


It's not polling for running the company, it's a disaster check. If most of your employees hate the idea, it should be a sign of something wrong because I would expect Mozillians to be also users of Firefox.


Most open-source software companies that are profitable rely on a consulting model. They develop and open-source the software, then work with clients to implement, customize and support it for them.

This clearly wouldn’t work for a consumer product like a web browser.


Thank you for this reply -- it illustrates why the model that works for other companies doesn't apply here.


> The trouble is, it costs money [..] I would imagine getting some funding helps keep things afloat.

Mozilla has accrued a lot of money over the years. So much money that they could have funded--just on interest--a comfortable loft somewhere filled with hackers on a decent salary who are fanatical about the open web, and maybe a single guy with a tie to "call google", in perpetuity.

That should have been the base case for Mozilla: open web, modern browser, users first.

Unfortunately, brass doesn't vote itself out for the greater good. A modern browser is a delivery platform. The "open web" is a marketing tool. And users are not as important as advertisers.

The rationale is that without clout, they'll be unable to prevent worse things from happening, so they have to allow for these compromises on the open web to maintain that clout, and every setback is relegated to "not our hill to die on," with every next hill becoming "not our hill."

It seems like an unavoidable tragedy, but if we look at similar organisations, can we imagine the FSF or the EFF making compromises on their respective missions, even if they lose popularity or even run out of funding?

I feel they would rather cease to exist than allow for corruption of their stated mission.


I noticed a similar thing with Wikipedia and the ACLU. Too much money seems to in some ways be a curse. Organizations seem unable to just put a bunch of money away for a rainy day and then stop fundraising for a while when there's enough money to carry out the core mission. Instead they find more and more missions to expand into in order to spend whatever level of money is coming in.

The problem with this is that the people working on these peripheral expansion missions don't think of themselves as peripheral. When there's a money crunch or a values conflict they will fight hard for theirs even at the expense of what the organization was always supposed to be about.


What is the ACLU doing that isn't part of its mission?


Everyone keeps coming with the money problem. But... how about they maintain a browser, with browser functions only? No PDF-JS, no Pocket, no Hello, etc. Just core browser functions and features.

Yes, it might mean scaling back, which is one of the swear words in a growth-oriented belief, but that way, the money should be enough - it was enough for a decade, what changed?


With all due respect, rendering PDFs is something I consider core browser functionality.

Pocket, most certainly not, though it's nice I suppose. Hello was... I don't know what it was. Checking if the market is there at all? Not something I expected to be in a browser.


I never understood why anyone wanted their browser to render pdfs. PDF.js is slow, buggy, and can’t edit documents. Every major OS ships with a better PDF reader, and there are still better open source PDF readers available on all major platforms.


> PDF.js is slow, buggy, and can’t edit documents.

That is leagues ahead of native PDF plugins which are slow, buggy, full of vulnerabilities, closed source, require a deprecated plugin infrastructure and usually can't edit documents either.

PDF.js is one of the better things to come out of Mozilla.


Okay. But the solution is to not involve the browser at all. It's there to browse. Once you find and download the file have it open in a real application designed for reading pdf.


Ideally, yeah. But often PDFs are integrated with the web experience as another web page. Or at least that's how I treat them. I have 2-5 research papers open in my tabs at all times, and I browse through them like I would with any other article.

Sure if it piques my interest I would download it, organize it but I wouldn't go through the pains of doing that for every pdf I lay my eyes upon.


>download it, organize it but I wouldn't go through the pains of doing that for every pdf I lay my eyes upon.

You don't have to do that. Just set your browser to open the file in a real application. It'll automagically download to some temp dir (ie, /tmp) and you won't have to care about file paths or organization at all (unless you want to).

I have tens of research papers open in my tabs at all times. But for a good experience reading I open the full text in my pdf reader.


PDF.js has had a huge amount of its own vulnerabilities.


I don't think you've spent any time with regular people. The vast majority of the world finds computers to be confusing. The less buttons they have to click the better. All they want really is another appliance that has fixed functionality.


You're being needlessly down-voted here (I can only guess at what silly HN tripwire you've activated) but you're absolutely right. Tech people like us might think it's completely obvious that a browser shouldn't render pdfs or make your toast. But end users don't care. Browser x lets them read stuff quicker without switching to another app. They want the monolith.

We can dislike it, but we need to reconcile it.


Yeah, and I know this first hand. I work at a biotech startup and we have some super intelligent people who regularly get confused with modern UIs. For e.g. Not everyone understands that the hamburger menu is actually a menu. Or that flat shaded text can actually be a UI button element.


This gets to the heart of the matter: what is the core functionality?

For some saving bookmarks isn't effective while a solution like Pocket fits them better. Hello was an experiment to see if making video communication more accessible would connect people. Consider the saying about how no one uses every part of Microsoft Word, yet everyone uses a different ~10%.

Anyway, I think it's great that Mozilla experiment and try pushing the web forward. If only they were more transparent and consistently made these things opt in.


pdf.js seems to work quite nicely.

Seems that's no different than opening with external program, or using a plugin, or using an extension. After all, those things can be updated, whereas the browser should have more core functionality that enable new document types to be opened.


pdf.js performance is horrible, and now without NPAPI it is impossible to view PDF in firefox tab.


PDF.js performs quite well for me and works fine in tabs. It has always been a better experience for me than PDFium, for example.


Building a secure, fast, usable web browser is a near-impossible task on its own. Anything else they do involves a couple of orders of magnitude less effort. Mozilla would still need the vast majority of funding they currently get to do that.

The problem isn't that they're doing too much - it's that they have nearly no business model, and any attempt to create a business model appears to be selling out to users.


No. It is actually pretty easy. Just fork chromium, strip out the spyware, and add your own layer of features on top.

There are a lot of companies doing this now and Mozilla would be far more successful if they followed this model instead of trying to copy chrome's user experience on top of their inferior browser engine.


Yet we also need variety in our engines. Otherwise it's IE6 all over again. Diversity makes us stronger.


Then we get one company deciding which features should and should not be available to a web page.


ESPECIALLY since there exists a whole "add-ons" infrastructure to handle extras.


Are those things really taking up much employee time? Frankly, they don't seem like it. And some side projects are nice - like Rust and Servo. Persona too, even if it didn't catch on.


This is not interesting to the people involved.

They hijacked Mozilla to have a private playground for fun projects paid for by the search engine integration.


This.

I like my niche obscure anti marketing parasite browsers. But I am well aware there's a lot of Mozilla code in Waterfox and Pale Moon.

And ultimately it's MS, Mozilla and Google who run this show. And out of those Mozilla is still the least bad.


I think the trouble is that the "web" is an overcomplicated BS clusterf___ for exploiting the plebes.

Some guy posted here a week ago in wonderment over how Mozilla can maintain a browser for a mere $400M+ a year. $400M+ a year!!!

If it takes that much engineering to deliver something which is not substantially different than what we were using 17 years ago, I'd count that as an engineering failure.


At a high level the needle hasn't moved much. But even little movements do add up. I'd rather not go back to a web before fuzz testing, fewer accessibility standards, and password managers. Not to mention AOL and its kind dividing the world into disconnected, walled gardens.


I don't know how your year 2000 was, but in my year 2000, I had broadband, no AOL, and a functioning web browser (which was not IE or Netscape), that could:

* Display web pages

* Show images

* Play songs and videos

* Deliver applications (via Java instead of Javascript, granted)

* Download files, and more!

Almost anywhere outside of NYC and SoCal, $400M is still an epic shitload of money.


> "Fork it" is not an acceptable answer. The problem is not with Firefox, it's with Mozilla. Mozilla is a good company at heart and they're an important pillar of the web. Losing them to stupid stuff like this sucks, we should fight for them.

Well, how do you suggest doing this when it appears that the relevant decision-making parts of Mozilla do not answer to anyone "on our side" in any meaningful way?

It seems to me that the only solution is to make an organisation with a fundamentally different system of governance. By virtue of institutional inertia, I figure it would be very hard to do this by actually raising a competing project from the ground up and hoping to capture any of Mozilla's market share or developer base (not to mention the amply made elsewhere in this thread point that Mozilla is big and expensive for a reason).

The far easier, and quite well-tried, solution is to put financial and social pressure on the current leadership to voluntarily open itself to downstream control. The former may be most easily achieved by having an Iceweasel-style "condom organisation" gain traction - that is, someone who tries their best to replicate all of Mozilla's user-facing I/O (releases, sync servers...) in a timely fashion, systematically acts as a QC layer to strip bad decisions like this or Cliqz and otherwise does not waste developer time on niche interests like classic UIs. For the latter, whatever you may think of the person or the tactic, the Brendan Eich story unfortunately shows that pitchfork mob tactics work on Mozilla. Even more cynically, it may be the case that they are the main way anything gets done these days. The (very significant, in my eyes) moral reservations aside, from a result-oriented perspective of what is most useful to reform Mozilla as an organisation, is there any good argument against the "identify a representative set of heads behind this latest measure and call for them" approach?


> the Brendan Eich story unfortunately shows that pitchfork mob tactics work on Mozilla.

Yes. If anyone wants to do a git bisect to find when the Mozilla Corporation lost its integrity, we can say it was definitely "bad" by the time they forced out Eich in April 2014.


How about when they implemented DRM in Firefox just roughly a month after Eich was ousted, which was the actual reason for his departure?

He was the only one higher up keeping that from happening and they didn't even wait until the body was cold to push that agenda.


> Firefox 57 gained a ton of good will from a lot of users

This was the new interface, right? I just saw this the other day and thought it looked pretty good; was actually considering a trial switch back (after moving to chrome years ago, when a single bad tab would take down the entire browser).

That’s now put on hold - a compulsory extension is one thing, but having it be purely for advertising is a massive “No” flag to me.

I’m of the view that getting (most) people to consider switching browsers only comes every few years and requires a very large incentive; “We’ve fixed that one incremental problem” isn’t enough. A complete revamp would do it, but takes time to permeate into consciousness. And in the meantime they do this. “Squandered goodwill” seems to be spot-on.


> "That’s now put on hold - a compulsory extension is one thing, but having it be purely for advertising is a massive “No” flag to me."

so that's why you stick with chrome, a browser designed to send all your browsing habits straight to google, the largest online advertising company and commercial tracker in the world?


Chrome may be what you described, but Chromium is pretty reasonable.


The open source version of android used to be reasonable too. How long will that be true of Chromium without open source alternatives?


AOSP is still reasonable, though.


It's just increasingly more separate from what people usually call "Android".


It's what I call "Android." Google services were never part of AOSP. Bundling all the Google services together and naming the bundle didn't change anything in that respect.


If you care about that you just turn them off though.

https://www.google.com/chrome/browser/privacy/whitepaper.htm...


You actually don't have real control over Chrome. Only Chromium is open source, and then you won't have all the features you surely use. Like videos working.

Edit: (+) Sir_Cmpwn, At least not working for me when I try seeing the pages with H264 encoded ones, and when I search, this is what I find:

https://www.howtogeek.com/202825/what%E2%80%99s-the-differen...

"What Chrome Has That Chromium Doesn’t

AAC, H.264, and MP3 Support.

Adobe Flash (PPAPI)."

Chromium is not equal Chrome.


I use chromium on Linux as my main desktop browser. I assure you it plays videos. The only thing it doesn't do is play DRM'd video, which is a feature.


It plays non-DRM H.264 videos? Or maybe you're depending on sites to have multiple versions?


I just tested it, seems to work fine on Chromium.


Videos work on Chromium.


update your consciousness because a complete revamp is what happened. what mozilla did was stupid but it's nothing compared to being tracked by google.


It was quantum. Firefox got faster than Chrome with it.


> a compulsory extension is one thing, but having it be purely for advertising is a massive “No” flag to me.

Remember, the extension was not there to advertise the show!

I don't know if that affects the way you're using the term "for advertising", but it affects how I care a lot.


Is Mozilla strapped for cash or something? I’m happy to donate a bit if it keeps them independent.

Google’s behavior with Android/AOSP suggests they’re more than willing to make the open source version of Chrome useless in practice the second there is no viable competition.

I don’t see any organization other than Mozilla that can keep them honest.


> Is Mozilla strapped for cash or something?

Nope. According to their financial statement, the Mozilla Foundation had $69M in "cash and cash equivalents" at the end of last year, about $329M in investments, and literally gave away millions of dollars in grant funding. It's not entirely clear to me how the financial interaction works between them, but the privately-held Mozilla Corporation (i.e. the 1000+(!) employee company that actually makes Firefox, and which the Foundation owns as a subsidiary) had over $500M in revenue from their search engine deals...

See "State of Mozilla 2016" https://www.mozilla.org/en-US/foundation/annualreport/2016/ and also check out the Foundation's financial statement and tax form PDFs on the bottom for more details.


For those that want to donate: https://donate.mozilla.org/en-US/


No, otherwise Mozilla C-Levels would not be getting $500000+ salaries (Google it, it is real) and flying on privately chartered business jets


If you can do the job at a lower salary, you should apply !


Well, they can't do that job as we all see.

The original reason behind them establishing Mozilla Corporation over Mozilla Foundation was that they can keep this practice going while being safe from taxmen reprimanding them for pocketing what is a charity income from tax standpoint.

Now, Mozilla Corporation bills Mozilla Foundation for "service offered at a market price" to do its "socially beneficial, free of charge and any expectation of remuneration" activity, which is selling ads.


> needs a corporation's backing behind it (or a government's)

You touch on an interesting point, maybe Firefox should be soliciting donations from governments who are concerned about the US surveillance state instead of relying so heavily on search ad revenue and being forced to turn to things like this to make a buck.


No offense, but "like, China?" I don't see how involving government(s) and therefore politicising the whole thing is going to make the situation any better. Even if it were support from a government you (but others not) would find acceptable.


TOR is funded by the government, among others (others including Mozilla, heh). https://www.torproject.org/about/sponsors.html.en

Although they should probably not be in charge of the actual development, is it really crazy to think that Firefox could be funded by governments? At some point it is a public service.


No one can hate with more fierceness than someone that once loved. If you depend on your users to love you, be careful with their trust.


> Firefox 57 gained a ton of good will from a lot of users

Let's not overstate things. Firefox 57 gained good will from some users. It also seriously annoyed others, both because of the loss of many useful extensions, and because the new version is horribly buggy and crashes all the time.

The one thing Mozilla still had going for them compared to Google or Microsoft was the emphasis on privacy and respecting the user, and yet I've read about several different cases in recent weeks where that trust has been undermined, this being the latest.


>because the new version is horribly buggy and crashes all the time.

Really? I haven't experienced a single crash, and I was on nightlies before 57 was released, so I could try Quantum.


Yes, sadly. I can't remember the last time Firefox crashed on me prior to 57. I've lost count of the number of crashes/hangs since the update, but it's well into double figures by now. Whether it's Firefox itself or the handful of extensions I have installed, I can't tell for sure, but it's much worse here on a Windows box with more extensions installed than a Linux box with just a few. In any case, if the new runtime model is supposed to make things more robust then unfortunately my experience has been quite the opposite.


57 user on OpenBSD here. No extension installed (at least to my knowledge ;)), no crash to report. It has been a pretty smooth experience so far.


> the new version is horribly buggy and crashes all the time

That has not been my experience, so let's not overstate personal anecdotes as facts.


Please don't quote things out of context in a way that changes the meaning. What I actually wrote contrasted some people's good experience with others' bad experience. It wasn't a blanket statement as it appears when selectively quoted.

I happen to be an existence proof for the bad experience group, but a few seconds with your favourite search engine will readily confirm that I am not alone. I don't know what the ratio of lucky to unlucky users is, nor did I claim to.


I've been using Firefox 57 since the release, and had zero crashes.


I've seen firefox running on computers everywhere during meetings and presentations which I haven't seen for a long time.


The business model of the Internet is surveillance and advertising. It's incredibly hard to resist. It seems like there's an infinite amount of money available if you're willing to surveil and sell out your users.


This is indeed comically sad after the nice Quantum boost.

It was a poor taste joke at the wrong time.. Mozilla is gonna regret this.


> https://twitter.com/steveklabnik/status/941709048529014784

This is such a terrible way to make an argument, present a case, or say anything that can't be said in a few dozen words. He has a blog, it's linked right there. I can't understand why people use twitter like this.


So, the first post in the thread was ~11:30am. The last one was about ~5pm. I basically appended to it during the day, as my thoughts and feelings evolved on an issue. It's not like I completely tossed out all these tweets at once.

That said, everyone uses Twitter differently. I tweet a lot. Some people don't. I personally blog when I have a long-form, well thought out thing to say. I tweet whatever is on my brain at a given moment. Twitter is more raw, more personal. This is a raw, personal issue for me.


I really didn't mind the Pocket integration, probably because I'm a Pocket user myself so can't see the problem.

This is pretty bad though, I'd say this is worse than the Pocket thing because it's abusing the trust and good will of their users


I made my warning about Mozilla Corp+Found a week ago, and as I recall, it was not warmly received... by anyone!

What a difference a week makes!


I feel really sorry for Steve and other real developers. Mozilla is not different from any other managers driven corporation. Very sad. I almost wonder if that's an organized action aiming at removing competition. It's too bad to be unintentional.


Firefox 57 was so nice I started using it every day and was actively migrating things to it from Chrome. I could live with the Pocket thing even though I wasn't wild about it. I hadn't gone as far as setting up a Mozilla cloud account because privacy was a high priority and I didn't want to swap one cloud service for another.

Then this thing blew my machine up the other day, I lost days of work, and...hmm. I don't know why a company would ever do something like this, it's incredibly foolish.


> If Firefox disappears and the fork remains, the fork dies because maintaining a web browser is work that needs a corporation's backing behind it (or a government's).

Perhaps the problem is the fact that the Web is so complex that popular web browsers could only possibly be developed by corporations to begin with.


I for one cannot stand the Pocket integration, I prefer Bookmark OS


I like Pocket.


> Mozilla is a good company

Not since the incident.


Firefox 57 has no love from a lot of web developers I know. It broke things that were working just fine before.


Curious what those things are, because all I can think of is workarounds that exploited out-of-spec behaviour (and, of course, web extensions, which has been covered to such a degree it's not just a dead horse but a fresh patch of grass by now).


And the article doesn’t even mention the Cliqz controversy [1]. How can you try to promote your browser as the privacy-oriented, user-first alternative and at the same time run into shitstorms like this all the time? Shouldn’t there be someone who can properly judge the effect of decisions like this?

[1] https://news.ycombinator.com/item?id=15421708


They're ruining their brand image. It's hard to be considered trustworthy when it appears like you compromise your values due to financial hardship. It reminds me of the Ubuntu Amazon integration thing as well. One of the Cardinal rules of free software seems to be don't sell your users by forcing 3rd party integration nobody asked for.


It's always interesting how this happens. Is it new executives who come to power and they never realize what the brand meant to users but see a short term stunt to get some extra profit and go for it.

It happened to Lenovo and other laptops when they started installing spyware (Superfish) on their machines. They basically ruined the brand image that took years to build up.


In the case of Lenovo the brand was sold by IBM to a third party who immediately drove it into the ground.


funny thing is that none of the issues have ever been found on the thinkpad line, only the ideapad line.


True and I'd still look at Thinkpads if I had to buy a new machine, but knowing what they did with the E, Y, G and Edge series would make me always look a bit harder at other brands first from now on.


Yeah I get impatient with the "they need to make money" apologist argument. Oh, I get it, you're saying I should trust them because they're in it for the money like everybody else. Makes sense thanx.


No, they're not in it for money. In the end (the foundation owns the corporation), Mozilla is a non-profit.

They need money to achieve their mission though: maintaining a browser (in a landscape of evolving security challenges, performance & web standards) and research (e.g. projects like Rust, Servo & pdf.js originated that way) is not cheap. And currently it mostly comes from search engine deals. If they cannot get a similar one, it all collapses.

I can see why they try to diversify their income. That said, I don't agree with the way they do it here.


"Non-profit" just means that shareholders don't profit. Nonprofits offer many opportunities for executives to personally profit.


If they want to diversify they can work on other projects making money instead of fucking up their current userbase.

IMO coding missile software to pay for those projects would be a lot more ethical than what they're doing. Yeah I consider the ad industry and its privacy crushing consequences worse than weapons almost never fired.


Especially as a company with over $440M in assets, $330M of which is invested, with less than $60M/year in accounts payable and liabilities, that received $500M in royalties last year.


I think the real issue is mozilla essentially gets an infinite supply of money from parties like Google, no matter how shockingly incompetent they are.


This is MoCo as usual: top notch engineering ruined by Dilbert-worthy high level management / executives.


I'm not certain I buy the argument that the decline of Mozilla is purely a bad management situation. In threads about this, or Pocket or Cliqz or any of the other Mozilla disasters of the last while, you have a huge amount of what appear to be line level engineer employees defending this crap voraciously.

Something has gone very wrong with the culture of Mozilla in general, I think it's a cop-out to suggest that it's merely some evil pointy haired boss.


The accountability is at the top. In this case, I would be very surprised if that was not greenlighted by Mozilla's CMO. Whether others down the chain complained or not doesn't matter much, since not everyone can vote with their feet.

But this is happening way too often lately, and the typical "I stay at Moz because we are still doing good stuff and no one else would step in" you hear from employees is exactly the card that the management plays. It's sad, because the mission from Mozilla's manifesto is more important than ever, but MoCo is not the place where these important things will happen.


The CMO was previously at BitTorrent which is fairly user hostile.


That correlates with the sudden switch from Firefox to Chrome in Germany: http://gs.statcounter.com/browser-market-share/desktop/germa...

If there is causality, Cliqz wasn't just a controversy, it was a loss that the benefit of Quantum will have a hard time counteracting.

We will have to see what drop, if any, the Robot controversy brings.


Switching from Firefox to Chrome is jumping from pan to flame. Google are at least as bad, and in all probability much worse. The Safari saga. In fact, the amount of protestations on here are deeply suspicious.


Their behavior here with regards to handling the bug tracker is exactly the same as with Cliqz. So this isn't a one off thing. It's the start of a pattern and a dark one at that.

And speaking of which, I made a post prior to FF57 asking where the Cliqz situation went and got no responses. Any idea as to what happened with it? I haven't seen any updates on the situation since and feel like it's just been swept under the rug.


I doubt they're going to change anything about Cliqz, as there's no actual privacy concern with it. There's the technological feasibility for Cliqz GmbH to steal user data, but Mozilla owns parts of Cliqz GmbH, so knows what's going on inside the company and they have a contract with Cliqz that prohibits the storing of personal data.

Mozilla has also made an official statement saying that no user data will be stored, so breaking that promise would be misleading of customers, and their Privacy Statement does not constitute the storing of such data, so allowing it anyways would count as violation of contract.

Additionally, they're testing it in Germany, where this sort of hidden collection of data either has to be obvious (for example, if you order something online, it's clear that they have to process your address), which is clearly not the case with Cliqz, or the user has to be prompted for opt-in, also not the case with Cliqz, or it may not be personal data. So, if it were personal data, they'd be violating German law.

And the handful of shitstorms in tech-focused online communities are hardly the end of the world for Mozilla. Making the internet rely less on search engines, which is what they're ultimately trying to achieve with Cliqz, is more important than that.


By it not actually being a privacy-concern and the "shitstorms" frankly being tiny. These are completely isolated to HN, Reddit, Slashdot and the like. No serious journalist is going to report on it, because doing even the tiniest bit of research shows you that there's nothing to report on. As such, the shitstorm is never going to reach roundabout 99% of their users.


I am deeply disappointed in so much software lately, especially by the folks who once championed software freedom, privacy, and quality.

A lot of people thought the Mr. Robot stunt meant that they had been hacked. Well, you know what? They were hacked. Someone installed software on their systems without their knowledge or explicit consent.

(Side note: I also discovered last night that Firefox Quantum does not use or support userContent.css - maybe this is a Stylo thing but it really annoyed me.)

(EDIT: per the below, my experience with userContent.css doesn't seem to be shared. I may have messed it up on my end. Will report back when I get a chance.)


Perhaps Stallman and the FSF are right?

We can fork Firefox, but I agree with many other commenters that a fork isn't sufficient.

It is the underlying concept I am trying to shine a light on: software should serve the user. When Mozilla becomes user-hostile, we can establish new guards for our future security. But if we, the software writers, become user-hostile, then there will be no one left.


Do people actually think Stallman was wrong?


Stallman is right about some things, but not everything.

He's right that proprietary software can be used for malicious purposes or evil intent, but he's incorrect that it must be.


> He's right that proprietary software can be used for malicious purposes or evil intent, but he's incorrect that it must be

Perhaps it must be simply because if it can be misused, it inevitably will be. Therefore, Stallman is correct.


That's an argument that can be just as easily applied to FOSS software, yet I see no one in the FOSS community warning against the slippery slope of evil that is free software.


No it can't. FOSS can't be misused to take away a user's access to the software and data produced by said software. Other types of misuse aren't relevant because FOSS can't do anything about them.


> No it can't. FOSS can't be misused to take away a user's access to the software and data produced by said software. Other types of misuse aren't relevant because FOSS can't do anything about them.

You're moving the goalposts now. You claimed that if proprietary software can be misused, it will be, and therefore Stallman is right about all proprietary software being malicious - yet it's precisely those types of misuse you now want to deem irrelevant which underpin the entire moral argument behind the free software ethos.

The argument has never been that proprietary software is immoral merely because the code isn't free, but that the code not being free is what allows those other abuses to occur.


> You're moving the goalposts now. You claimed that if proprietary software can be misused, it will be, and therefore Stallman is right about all proprietary software being malicious - yet it's precisely those types of misuse you now want to deem irrelevant which underpin the entire moral argument behind the free software ethos.

No, you just didn't understand the goalposts in the proper context. "Harm" and "misuse" in FOSS have never been about any type of harm in which software may take part, simply the types of harm that can be achieved by software and licensing.

In FOSS, harm means restricting a user's freedom and ability to control their information, privacy and the devices they own.


I'm saving you a t-shirt for when you finally see the light.


Stallman's issue is that he comes across as a fundamentalist extremist, and most of his suggestions require making huge sacrifices to one's quality of life.

Take Stallman's own website[1]. It is mostly text. While this makes it fast, it doesn't make it readable at all. And finding specific stuff is nearly impossible. Yeah, there is a search feature, but it is extremely rudimentary and very user-hostile.

If it were up to Stallman, the entire Internet would look and work like this. This was OK in 1990. It no longer is. Sorry.

[1] https://stallman.org/


>It is mostly text [...] doesn't make it readable at all.

that is the weirdest comment ever. On HN no less which is literally just text.


HN has a coherent layout, nice spacing, a sensical grouping of content and functionality per component and view or page. stallman.org is a pile of unstyled textual content which was clearly assembled without actually being designed. Regardless of the validity of his site as an example of what he thinks everybody else on the internet needs to do, the two examples are not in the same ballpark for readability. Between the two, the ratio of structural elements to textual elements isn't even close.


"makes it not readable" would be a weird contradiction.

"doesn't make it readable" is not weird at all.


I think Stallman's website says more about Stallman's design sensibilities than it does about the ability of plain text to be readable or for search to be effective.



Low contrast text is a downgrade. https://bestmotherfucking.website/ is a true upgrade.


Agreed, I knew there were more but didn't want to find the rest.


Wut? That's his website and he makes it however he likes. I haven't ever heard him telling people to make websites with default HTML layouts or not use interactivity or better search tools etc. WRT websites his opinions regard the tracking they force upon the users and the closed-source-ness of them. Maybe you should read things before you link them, eh?


I think the website is a bad example, but the above characterization of Stallman being a fanatic who is blind to others' needs is not incorrect. There have been multiple cases with him recommending people forgo having working software and hardware if it isn't 100% free. That might be the ideologically pure stance, but it's also massively impractical. As a true believer he just does not understand that the vast majority of the users just want to do work with their equipment, and that choosing to forgo working drivers for some abstract right to modify that 99.9999% of users will never exercise is just utter nonsense.

Also, Stallman is a grade A asshole. I've met him, and he is a deeply unpleasant man to be around.


WRT your first point, well, he's an eat-your-own-dogfood philosopher, and he sets an example to what is possible with his own behaviour. And he just does not make trade-offs in his views. What we should collect from them is what's useful to us. It would be kind of hypocritical if he was telling non-free software is evil, but recommended some such software.

WRT your second point, that is subjective and ad hominem. I live in Emacs and without GNU I was stuck with Windows. Without GNU none of the good things we have today would've existed, Linux wouldn't have existed, we were all programming in ASP.NET or C# or what not. So even if he is an asshole, he's a very, very, very important one.


You need extremists like him. If he was a moderate we'd have stayed in the corporate moderate ecosystem we had: everything proprietary.

When you want something to change you can't have only moderates as they're in fact happy with the status quo.


Stallman puts himself forward as an authority on the best way to use the internet, even though he doesn't actually use the internet in any recognizable way.[1] He comes off like an internal combustion engine designer who has never been in a car, declaring himself a traffic flow expert.

[1] "I generally do not connect to web sites from my own machine, aside from a few sites I have some special relationship with. I usually fetch web pages from other sites by sending mail to a program (see https://git.savannah.gnu.org/git/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it (using konqueror, which won't fetch from other sites in such a situation)." (https://stallman.org/stallman-computing.html)


The fundamental problem is that the software that serves the user needs to be paid for. If every FF user would chip in a small sum, that might work, but people would rather switch to chrome.


That's a common misconception: software that is Libre can be bought and sold. It just comes with the source code.

(Libre is not the same as Gratis.)


It’s not a misconception. Firefox could be sold, the problem is that nobody would buy it. Opera tried to sell a browser, people stuck with the cost-free alternatives. People would rather use chrome than pay for FF.


This is nothing new. There have always been "sell offs" in the Open/Free Software sphere. An old-ish example that comes to mind is SourceForge. When it started, it was the place to host and search for Open Source or Free Software. It was amazing. Little by little, the service started to rot, became full of ads and just felt sketchy.

Then GitHub arrived, and a fresh platform for hosting open source software was born.


> Someone installed software on their systems without their knowledge or explicit consent.

this is what was wrong about the whole thing. What Jascha Kaykas-Wolff heard from the community, that "the experience [we] created caused confusion" is NOT the point.


That was my initial reaction too, but I think it misses a subtlety.

Mozilla installs software on our computers without our explicit consent all the time, each time you update Firefox; or when you visit mozilla.org and your browser downloads some JS.

It would be impossible for most people to give genuine informed consent, because they'd have to understand what each part of the software does. Most people have not learned to read source code and don't want to. (And the source is available for people sufficiently motivated.) Practically, there isn't time to personally code-review every software update on your system. We defer this to distributors we trust.

And in this case, Mozilla genuinely didn't run any questionable code. They could have done (and arguably have in the past), but didn't. They installed software that actually does nothing. (about:mozilla at least engages the CSS parser; this doesn't even do that.)

I think the problem is just that they're messing with our stuff. Like if someone rearranged the books on your bookshelf to spell out the name of your least favourite whatever, they haven't actually done you any practical damage, but it's really annoying and rude. On principle, it's my stuff and they should leave it alone. Stop being a bad roommate, Mozilla!


I'd never used userContent.css before, but just tried it and it works fine. 57.0.2 (64-bit) on Win7.

I'd suggest raising a bug.


> Someone installed software on their systems without their knowledge or explicit consent.

Auto-updating software has been the norm for a while. This is nothing new, just because it was put into an extension instead.


Auto-update doesn't carry the implicit moral right to install anything the company behind it wants.

Auto-update is a consensual agreement with the user. If you use auto-update to deploy something that a vast majority of your users do not want and did not expect, and intentionally so (refusing to roll back a 'mistake'), then you have broken that agreement or moral code.

You cannot use the excuse of "oh well if they don't like it they can uninstall it and use another product" to condone this bait-and-switch behavior. Just because the behavior is legal does not make it moral.

This behavior is absolutely immoral and must be condemned.


>refusing to roll back a 'mistake'

Did they refuse to roll it back? It's marked as "complete" on my Firefox installation and is no longer present on the Extensions page.


Except this wasn’t an auto update - it’s a completely different infrastructure pushing stuff into the browser without affirmative consent or even knowledge. And in true malvertising fashion, this system is both opt-out and turns itself back on sometimes.


Also auto-update has a changelog. Users can get an idea of what changed, what the new buttons do, etc. This was unannounced and hidden from users.


Both userChrome and userContent work just fine on ff57(+). I'm using both right now with the nightly build. What are you having issues with?


(After others here said userContent.css was working for them, I fiddled a bit more. Found an earlier rule in the file that I had somehow mangled and it seems that somehow affected the parsing of the file. Removed the earlier lines, everything works great. So yeah, my fault, not Firefox's.)


"I am deeply disappointed in so much software lately, especially by the folks who once championed software freedom, privacy, and quality."

PAY. FOR. IT.

What can you expect from a group of people working for you for free, trying to scratch together their salaries from wherever they can.

The answer is not 'fork it' - because the existential question remains: who will develop the fork?

You?

Me?

A magical person who works without income?

More likely - someone who needs an income, and will have to find creative, weird ways like 'Mr Robot' to make it work.

A simple answer is 'pay for it'. A company / non-profit can still be committed to those things you mentioned.


Maybe that worked in the past, but these days, time and time again we see companies offering paid software and services with an extra layer of advertising on top. Old adages like "you're either a paying customer, or the one being sold" no longer apply, you can be a paying customer and sold for extra profit. Companies, by their nature, will try to maximize profits, and that translates to them using any means they can get away with.


I don't agree. This is entirely the choice of the team.

The idea that 'you are being sold' is not fair either.

You choose what to use, for how much, and the resulting product.

So if you want to pay $ a month AND have ads. Well, then do that. If not - don't.

If Mozilla wants to have an 'ad free non-profit' they can do that.

But they can't because for whatever reasons - people won't pay.

Some people won't pay because they simply don't want to - and are willing to live with the alternative choice of 'having a sideload now and then'.

Other people use insufferable intellectualizations about all of it.

But mostly it's kind of greedy and irrational.

We get immense value out of web browsers. A $1 a month fee would enable Mozilla to forge ahead being the best browser, free for those who can't afford it - and ad free.

But we can't have that because we are not as intelligently organized as we need to be.


I'm still not really sure what would lead you to believe that they would even consider ceasing their advertising schemes if they had this additional income. You seem to be admonishing people for not taking nonexistent steps that would probably never exist to begin with.


"I'm still not really sure what would lead you to believe that they would even consider ceasing their advertising schemes if they had this additional income."

For the same reason Mozilla exists today as 'kind of a non-profit' in the first place without tons of ads.

For the same reason that Wikipedia has no ads.

I'm not 'admonishing' anyone so much as pointing out we can't seem to grasp that nothing is going to happen for free.

The only path to 'ad free' is for someone to pay for it - and that's going to have to be users - or in the very rare case - a 'Big Corp' who sees the strategic value in it.

And yes - I do agree that 'most corps' would try to stick in ads.

Heck - even 'non-profits' like Mozilla - are sticking in ads!

But given what Mozilla is today, if they had the resources necessary, I suggest they would not be pushing ads. It's the last thing they want to do.

Finally - there are tons of services that people pay for that are not full of ads.

I don't get ads when I buy MP3s, and none of my paid apps have ads.

Do you think there are ads for t-shirts in my Salesforce app? Or SAP? Of course not.

Likely because the 'profit maximizing' option for Salesforce is to not put ads there in the first place.

So 'big corp' incentives can definitely align with user needs if things are right.


Xbox Live Gold is $60 a year and still has ads.


It would be cool if someone with insight into the Mozilla community's structure could elaborate on how consensus to deploy experiments like this is established. I know that Mozilla is very open, but as a fairly huge community it's still somewhat opaque to outsiders like me and I wouldn't know where to start looking. Are there pertinent mailing lists? Are things like this hatched out on bug comments filed against the Shield product on Bugzilla?


I'm pretty curious about this as well. I sent an email to their governance list[0] a number of months ago that never got any reply. As someone who's not involved in day-to-day, it would be extremely entitled of me to expect my views to be automatically taken on board, but the absolute silence (and general low level of activity) gave me the vague impression there must be discussion taking place elsewhere.

I've also tried lurking on a few IRC channels, which were similarly lacking in content on this (beyond idle chat, or helping out beginners new to the channels).

If the answer is that I need to email some individual to get into some private group to participate in (or even just to observe) discussion on governance, then that really isn't very transparent. Certainly public mailing lists I've checked don't seem to contain enormous amounts of contextual content on these kinds of things.

[0] https://groups.google.com/forum/m/#!forum/mozilla.governance


Mozilla Corporation is, well, a corporation. There was almost certainly not any sort of community governance process involved. The marketing department presumably got a "cool" idea and had someone implement it. How they got the OK to deploy it to everybody is another question but that process doesn't involve the greater community either.


Did anyone actually see this extension run rather than just be downloaded?

When the article says “it was sideloaded without consent [...] this is what it looks like” etc - does that mean that’s what it looks like to users that did not opt in?

I get that just having it listed is creepy and wrong, but I fail to see why we’d scream about forking Firefox unless anyone actually had an extension do anything without their consent.

I don’t want unwanted extensions downloaded either but as long as they aren’t being run I’m not switching back to Chrome over it.


For me (beta channel FWIW) the extension was installed and enabled. Apparently the code wouldn't modify page contents unless an additional setting was set, but yes it was installed and run without permission.


The Looking Glass extension doesn't do anything unless the user manually sets an about:config flag.


No.

It was "enabled" in the add on menu but you would actually need to muck around in about:config to get it to "run".

Fear and hatred has erased those distinctions in the mob's mind however.


The fact that it even got as far as "Mr robot Easter egg extension? Great!" boggles the mind


Let's not forget that the whole idea of a FOSS company making it in the marketplace is sort of squaring a circle. It's amazing that we got this far. Unless we have better ideas, we should expect more things like this.

I personally think we should all try to come up with better ideas. In the meantime, we should have some tolerance for things like the privacy respecting advertising scheme they came up with. I agree that this Mr. Robot thing crosses some sort of line. But I don't think our response should look anything like "How dare you try to make money!" lest our critique be useless.


I think your response is reasonable. People will be happy to play games with their browsers as long as they trust the game and have control over when to play and not. Maybe firefox becomes the "fun" browser and we end up with a web version of a pokemon go type game. (Would be cool, huh? Websites would "trend" as people flocked to find $pattern and shared their discoveries.) Or some other game. Or a game-of-the-week, that advertisers can sponsor.

But transparency, opt-in, and ease of use are all key to this working.


I'd like to have the option to pay for getting a browser without unwantedwares guaranteed, let's say a 5$ per month subscription.

Not sure there would be enough people that would pay though.


Also the article itself is quite polarising. It's basically suggesting that there is zero room for disagreement over a decision. And that you either agree or you're an idiot who should be fired.


At this point, I think we should all slow down and wait until Mozilla does their internal investigation and makes some sort of statement. It's clear that a screwup occurred, but not clear precisely what the screwup was.

From the outside, it looks like something that was unfinished and supposed to be opt-in was accidentally rolled out to everyone, which suggests a problem with release management or code review process, combined with human error. But this is speculation. Whatever happened, scaring people with something that looks kinda like malware and having a PR shitstorm was clearly not the intent.


Mozilla's CMO already defended their behavior in a statement to Gizmodo [1], claiming in effect that the malware they silently injected into people's browsers didn't harm people's privacy, and thus was OK. Mozilla's CMO believes that Mozilla did nothing fundamentally wrong.

That shows a cultural disconnect between Mozilla's management and Firefox users.

Privacy is one important feature, but trust is what was violated here.

[1]: https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-...


> claiming in effect that the malware they silently injected into people's browsers

It's not malware - please stop calling it that.


It does some arguably unwanted things with text and is rather underperformant in doing so. It is "off by default" except for some users reporting it as not (and except for nightly?), which is once again pegged as some vaporous bug that we will likely see no followup on. It is unfortunately like much modern software in that vein.

Not quite malware, but very undesirable.


Can you give a reasonable definition of malware that doesn’t include this plugin?


"software which is specifically designed to disrupt, damage, or gain authorized access to a computer system."

Not malware for me. Definitely confidence shaking bloatware and adware though.


Disrupting webpages was specifically what that thing was designed to achieve, right?


Damn. This sounds like the actions of a few inside Mozilla... Cause it's definitely not in line with the organization's stated goals. So where's the accountability? The people who made these decisions should be held accountable.

Also, even since 57, this week Firefox ("stable" build) consistently gets hung up with just one tab open and spins 100% CPU on one thread. I hope it isn't trying to invert the word "robot" when the thread gets stuck.


I am also concerned about the accountability. It's been some time -- 48 hours or so, and not even a brief statement from management?

This is like PR 101 to me. The most shocking thing so far is their silence -- Mozilla is not a new organization!!


Here is the closest I've seen to a statement: https://support.mozilla.org/en-US/kb/lookingglass. I don't think the explanation that "The Mr. Robot series centers around the theme of online privacy and security" is what the users were looking for...


So ironic. "Hey the show's about privacy, WE'RE about privacy! Let's invade everybody's privacy to talk about privacy!"

Not uninstalling or anything but now I'm keeping an eye on my about:preferences


Well, I am uninstalling and switching to Iridium right now and it's not JUST because of this Mr Robot thing. I wasn't happy with the direction of Firefox for a while but waited for Quantum to see if things would change. The technology improved, but everything else got worse. So it's time for me to say 'bye, bye' to a browser I've used for more than a decade.


I also think it was a silly thing to do, but it is not the case that the additional code violated anyone’s privacy.

There’s no need to be hyperbolic.


But they brought into their "experience" to become one with the mr robot brand in a unique and intuitive way which lines up perfectly with the Mozilla manifesto!


It's the weekend. Execs don't work on weekends.


It does not matter how few they are, if they are the ones making the decisions then they represent Mozilla. Unless dramatic change occurs immediately, we can only conclude that Mozilla is shoveling crapware into Firefox.


Ultimately, and I don't say this as an excuse but as reality: if you're not paying for it, you're not the customer. Yes Mozilla is a foundation and gets a lot of donations but you'd have a much stronger leg to stand on if you paid for the browser. Are you willing to pay $50 or more for a web browser so that there's no temptation for the vendor to sell out to advertisers?


Yes, actually. At the same time though, we see examples of trust eroded even with payment (cable companies, or the latest Windows 10 crap). I suspect that it’s no longer enough to merely pay for such things; you need a way to verify trustworthy behavior top to bottom.


Oh, stop that stupid trope already. There are many other ways of sustainable FOSS development, proven for decades. Look at sqlite, the Linux kernel, the GNU ecosystem etc.


Do we really need an update to a web browser every 6 weeks?

A web browser should display information FULL STOP. When the new HTML standard comes out, implement it. Until then just provide security fixes.

It's really not that hard or expensive (500 Million USD should be enough).

Stop changing the UI, adding crap that should be addons (that's why there's addons), adding adverts, adding spyware ("telemetry"), etc.

---

Curiously all the Mozilla developers and apologists who are so enthusiastic about defending Firefox (and down voting critical comments) have taken the day off...


> Curiously all the Mozilla developers and apologists who are so enthusiastic about defending Firefox (and down voting critical comments) have taken the day off...

I mean, it's Saturday, so yeah, they probably did. This comments section looks more like a pitchfork mob than a group that wants to have a reasonable and civil conversation about embedded extension policy and revenue models. I myself would prefer to spend it with my loved ones than arguing with a comments section mob on the internet.


It's interesting you choose to frame overwhelming dissent and anger at shady behavior as a 'mob'.

By summarily dismissing a bunch of legitimate concerns by multiple users you are basically saying users don't matter.

That kind of ivory tower attitude never worked well without leverage.


Mozilla still makes SeaMonkey, which might be what you're looking for:

https://www.seamonkey-project.org/

Up to date browser engine (at least it seems that way, it does pretty well on https://html5test.com/), still gets security fixes, but the UI hasn't been changed significantly in years.


But you realise, that the web today is a bit more than static HTML and that it doesn't upgrade step by step with arbitrary standards, but rather all the time?


> Until then just provide security fixes.

You'd lose the non-security bug fixes and the performance improvements. I wouldn't like it, and it would surely be obsolete/irrelevant extremely fast.


Regarding the performance improvements.

Sometimes it seems it's more about job security. How many rewrites do you need?

Mozilla's Law:

(Use McConaughey Voice)

As Intel processors get faster... Mozilla's software stays the same... speed.

https://en.wikipedia.org/wiki/Wirth%27s_law


> if you're not paying for it, you're not the customer

Debian. FreeBSD. OpenBSD. Dillo. Netsurf.

Or, Windows 10.

Sometimes, free stuff is a product. Sometimes, you pay and are still the product.


All of those projects have their constituencies, and it isn't always the typical end-user.


I've donated/paid more than $50 to open source projects that are less useful to me than Firefox. So yes, I would. While I know that Mozilla accepts donations, I don't think they've ever asked me for one.


I see asking for donation in firefox bottom quite often


If it was a one time payment of $50 then the answer is yes, of course.

How many people would need to pay that to fund the Firefox team for the next five years though? My guess is: not enough.


Yes I am. But I am a small minority.


How about if I pay for pretty Apple hardware? Also I just used lynx yesterday and it was fine.


> Also, even since 57, this week Firefox ("stable" build) consistently gets hung up with just one tab open and spins 100% CPU on one thread.

I mean, this probably isn't the right venue to ask about this, but that sounds rather serious. I know you're probably a bit disenfranchised at this point, but could I ask you to capture a profile using https://perf-html.io and file a bug?

If filing a bug is too much work, you can email me (email in profile), but filing a bug will get more eyes on it quicker.


I'll try and reproduce/file a bug when I get a chance! I know that's a meaningful contribution to the project!


It is, thanks.


Yeah, same here. Awful performance and stability on MacOS. Going back to Chrome <sigh>


I am reminded of when Apple stuck U2 into everyone's iTunes library (though I actually think this is weirder and worse). It seems like an inviolable, cardinal rule is "don't push things on me that I didn't ask for".


> Mozilla and Fox Entertainment did a “collaboration” (read: promotion) for the TV show Mr. Robot

This is just a side issue (I agree with the OP's main point) but Jesus, how do you make an error like this in the beginning of the post? Mr. Robot is from USA Network, which is owned by NBC Universal. Fox has nothing to do with it. The technical problem here is clear to me as a techie. I was going to post this to r/mrrobot but realized it'd have no credibility among the show's fans -- would you read past such a major error on a topic you cared about even if it eventually got to a correct core point? e.g. a rant about YouTube censoring videos of a certain political bent that began with "YouTube, a subsidiary of Baidu..."


Shit. I'll get that fixed ASAP. I don't know why I thought it was Fox.


too much simpsons?


> updates have been known to re-enable it if you turn it off ... But it doesn’t matter - you’re going to re-enable it on the next update.

It's surprising how ... trustworthy Chrome is in this regard. My default search engine is set to DDG and through countless updates Chrome has never once attempted to reset it to Google.


My default search engine is set to DDG on Firefox and through countless updates Firefox has never once attempted to reset it to whatever Mozilla are taking money to promote now.


I know it’s kind of the opposite action, but I lost trust in Chrome over it persistently and repeatedly deleting my extensions. Searching for help reveals I have to “sign in” to keep my extensions. When a browser built by an advertising company wants me to sign in, the only conclusion I can make is they want to track my browsing behavior. I probably consented to that through the click wrap agreement, or maybe not. Who knows? I’m not about to spend a whole day reading 10 miles of legalese to find out.


"Sign in" as in into Chrome Sync?


Try

Firefox 24 in a VM

It's insecure, slow, but it's the last good version of Firefox.

Anything after 24, has Australis, which is the beginning of the end of Mozilla IMHO.


You'll have to deal with warnings from websites that you're using an "insecure" browser. And eventually it will stop working at all because it lacks features that web developers assume everyone has.


You can disable most of Australis with a bit of css, so using firefox 24 for that reason is pretty heavy on the cutting off your nose to spite your face.


Or go Pale Moon, as it forked off from around that point but has gotten security fixes etc.


I think it's time there was a legitimate, organized fork of Firefox. None of this Iceweasel nonsense, but a proper, mature, organized initiative to diverge from Mozilla's codebase. They've made it very clear with the addition of Pocket, suggested sites, and now this addon that their calling has been diluted in pursuit of sustaining their own existence.


So what's the plan to sustain the existence of the fork?

Browsers are very complex and expensive to keep cutting edge.


Maybe we need a stable browser without surprises. Less cutting edge. Maybe.


Like Konqueror? It isn't going that well. The web is evolving fast, and for good reasons.


Could you please expand those 'good reasons'? I honestly don't see them. I see a world in 2017 where my instant messenger lacks functions I had in ICQ in 2000 (p2p file sharing, for example); I see video conferencing struggle to work which I had in 2007 (p2p skype); I see my browser spying on me and coming with baked in backdoors.


Actually a big part of the problem is hinted in your examples: feature creep from native programs into the browser.

I think it would be an interesting, more private, and safer online world if browsers only displayed HTML and a minimum of JS rather than being entire operating systems, and anything like media playing and high interactivity occurred in native programs.


The only one of those that is about the web is the sites spying on you. And JS has been evolving better sandboxes, not worse.


Erm... no. The trouble with video calls is that it's webrtc these days and melting CPUs with their inefficiency. The messenger apps are built on electron, and a unicorns with rainbows IRC client can eat 4GB of memory (yes, I'm talking about Slack). Everything is forced through HTTP. Those were only examples though.


Don't stable and cutting-edge go hand-in-hand for browsers as the most "compatible" browsers must properly implement the latest web standards?


It is impossible to fork Firefox and survive. If you destroy Mozilla all the users will migrate to Chrome. There is no successful financial model for browser development. Browser development is a financial black hole and requires alternative revenue streams for developers to put food on the table.


A real fork might be impossible, but a soft fork that just disables features like this should be possible.


Indeed, this is how IceCat works: by taking the Firefox ESR release and sed'ing out things like EME and telemetry.

https://git.savannah.gnu.org/cgit/gnuzilla.git/tree/makeicec...


"It is impossible to fork Firefox and survive"

Pale Moon did this a while ago and is still around, although in need of donations as many other volunteer-driven projects. https://www.palemoon.org/


Pale Moon would sink in a week if Mozilla closes, it does not have the resources to implement or influence new standards.


That wasn't a Mozilla vs Pale Moon contest, anyway if Mozilla would close Pale Moon would likely inherit at least part of its developers and user base. Surviving economically however would be a totally different beast.


And Mozilla has?!


Certainly more so than Pale Moon.


What's wrong with Pocket?


The fact it ought to be an extension that pocket users could add by visiting addons.mozilla.org but instead it was rolled into the core browser.

People assume Pocket offered Mozilla a lot of money, as there's really no other reason Pocket shouldn't be an extension.

People are naturally nervous when browsers start deploying third-party code in exchange for cash. Especially when auto-update mechanisms are used.

Some would see that as an important line to cross - will they be able to resist the much larger sums they'll be offered to "help users see more relevant ads" and "help users keep safe from viruses"?


Mozilla owns Pocket, though. It's more of a bookmarking UI/service than a 3rd party add-on. Sort of like Safari's Reading List feature.

That's how I've always seen it anyway. I didn't know there was controversy around it, but I can understand how people would be sensitive to seeing another company's logo in the URL bar.


Mozilla bought pocket early this year. The pocket integration was before that in mid-2015.


It makes a fine browser extension. It ABSOLUTELY does not make good embedded code.

There is no good reason for it to be "core functionality" in a browser, other than the fact that Moz://a got a fistful of dollars and foisted it upon us.

EDIT: For example, what would be a good use of core functionality, is if Moz://a included IPFS resolution and native support. That is a protocol level support, and thus would need native support rather than plugins. Plugins do indeed work, but require significant workarounds. For example, native could be ipfs://hash whereas the plugins need to specify http://127.0.0.1:8080/ipfs/hash


I respect that everyone does not want it in their browser, but you could also say that about developer tools, screenshots, even bookmarks are not "core browsing". By this point Pocket is just another feature, fully owned and developed by Mozilla.


And you don't see a problem with having no money for actually developing the browser?


How many years of work did it take to get to the surge in good will around Firefox 57 in recent months?

All that can disappear overnight if they're not careful. Don't fuck this up, Mozilla.


For the first time since monthly browser usage statistics exist, Firefox is not the #1 browser in Germany anymore.

CliqZ alone has cost them 5% of the market share – 15% of Firefox users – within 2 months.

This, too, will just accelerate that.


And this despite the push for Firefox 57, meaning the loss was probably even higher.


From the article:

> Frankly, whoever was in charge should be fired over this

They won’t be. But do you know who was forced out there? Its former CEO, Brendan Eich, for making a $1,000 donation to a conservative political cause years before he became CEO. Yet this kind of thing, which actually has an impact on their user base and their market prospects, was allowed to happen and it is likely nobody will pay for it.

If priorities are this out of whack at all Silicon Valley companies, the world that relies on them is in serious trouble.


I've been looking for some time now for an alternative to Firefox. The integration of Pocket was the big red flag that made me start to doubt Mozilla's intentions.

- My focus is not on performance or compatibility, but usability, privacy and security.

- The interface must be graphical.

- Native cookie management. I can't fathom how bad Firefox is at that.

- Support for JavaScript is not necessary. It's mostly used against my interest anyways.

- I don't want my Browser to make any unsolicited access to check for updates or metrics or anything of that sort, at all.

- Of course, it must be free software.

Any ideas?


I linked this in the article, but the browser I use now is qutebrowser: https://qutebrowser.org

It's not something I suggest for muggles, but for the HN audience it's probably suitable. I love it.


Forks seem to be the best option right now.

Fork of Firefox: https://www.waterfoxproject.org

Fork of Chrome: https://github.com/Eloston/ungoogled-chromium


I personally don't see a problem with what Mozilla is doing, but I really don't care what browser people are using, as long as it's not from a for-profit, so: https://otter-browser.org/


I made one based on Chromium: https://cretz.github.io/doogie/. I don't have cookie management per se beyond dev tools. Also it's not the most mature/stable yet.


What's your beef with Firefox's cookie management? :-/


I can't whitelist/blacklist domains for cookies.


You can. At least my version of FF can. There's an "Exceptions" button next to the "Accept cookies from sites" button.


I thought unmarking the option to accept cookies would just completely disable cookies. Now, it makes sense. My fault.


Dillo was awesome last time I checked.


Midori maybe?


Pale Moon. A fork of Firefox from back when Mozilla was going off the rails.


What's all the hate for Pocket anyway?

Isn't it just like the Reading List feature of Safari (or other Browsers) only more open (syncs with various devices, even some eBook readers which I think is quite nice). Also it's owned by Mozilla[1].

1) https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-po...


"We're putting this thing that nobody asked for in everyone's toolbar, with no option to remove it, because we think everyone should use it"

That was the hate. If they released it as an official extension, fine, but they baked it into the browser and didn't let you opt out.


> with no option to remove it

I just tried to remove it after seeing your comment. You can simply right click the pocket icon and choose to remove it.


I'm pretty sure that is new. When 57 released it was possible to remove it from the address bar but not from the context menu of the address bar.


But they bought the company, now they are an extension to the company. What the hell is the difference?


I still don't understand that move. If Mozilla needs money, why spend what they already have on these useless things?


What did they have before buying pocket?


I mean the money they spent to buy Pocket could've been spent on other things.


Yeah but they didn't. Money in the bank doesn't do any good, I'm glad they're moving it around. Do you think it halted other things because they did this purchase? This year they advanced pretty well so I don't really see what could they be missing.


If they had money in the bank, maybe they wouldn't need to run these kind of NBC promotions? Maybe they wouldn't need to place advertisements in the new tab window?


Why not? More exposure => more users => more ad income => ROI => GOTO 10


If you honestly think the old saying, "all publicity is good publicity" applies here, then I'm going to strongly disagree. I think this is going to be a black mark on their reputation for the next decade. The worst part is that it hurts one of their biggest selling points over the competition, and that's the trust of the community.


they bought the company years after the fact, and seemingly as a rebuttal to the people constantly complaining about it.


I'm not a Firefox user, sorry. Was it integrated before the purchase?


Since you trivially remove it, I don't see the big deal.

I notice my parents using the built-in Reader Mode and PDF reader. Those could've been extensions too, but I don't know who that services.


It's just a small icon in the Address Bar and it can be removed with a right click on the icon and selecting "Remove from Address Bar".


It's also in the right-click context menu, right below Save Page. Save Page to Pocket.


Mozilla must believe that privacy conscious users make up a small percentage of their user base. There's no other explanation for moves like this and their "differential privacy" fiasco from August.

Between that, broken U2F support in FF57, and pages that are broken in FF but work fine in Chrome (I assume due to devs catering to the huge market share) it's becoming increasingly difficult to stick with Firefox.


Or that the privacy conscious people don't bring in revenue. As soon as the foundation/corporation split happened, some people warned that the end game would be the corporation seeking profits at all costs.


Seeking profits at all costs is a bit much. Mozilla isn't great here or in several past instances, but they are still above many other corporations.


It's hard to identify with the vitriol in response to this thread, yeah it was dumb and silly but, without reading Hacker News, it would have been a completely invisible event for me. I've been totally in love with FF57 since release and this doesn't really detract from it at all. Very happy to have a fast, open browser that keeps me from needing to rely on Google, Apple, or Microsoft for web browsing, even if Mozilla doesn't always act perfectly.


Some people think Mozilla is different than the other browser makers, that it protects the internet in some way.

Personally I don't see how Mozilla could have any impact on important decisions about internet governance, DRM, etc. with such a small marketshare, and I believe the internet would have turned out the same even if Mozilla had never existed. I can't think of a single case in which Mozilla prevented some standard from being adopted when Microsoft and Google wanted it to happen.

In any case, Mozilla differentiated itself because of that image, and that was one of a small number of reasons people stuck with Firefox through the past several years. I bet a lot of those people are now thinking that they might as well use Chrome because Mozilla is the same as every other commercial vendor.


Last time I took a peek at Chromium (yeah, not even Chrome. Chromium!) I was still getting pummelled with nonsense about the need for me to open some sort of Google or AppStore (or whatever they call it) account. I'm not joining that universe.

So where to go? At the moment I'm happy with my Waterfox. And there's the somewhat similar Basilisk-project from the Pale Moon camp. But I realize these are overwhelmingly likely to be dead ends in the slightly longer run. There'll come a day when recent uMatrix et alia will no longer work. And a day when the dev-teams themselves throw in their towels.

The FF57-thing is just depressing in its own right, even without this added round of Mozilla idiocy. They couldn't offer us just the option of an extra toolbar, or any customization worth the name, really. Firefox of ten years ago had vastly better UI than this latest, dumbed-down iteration.

But I suspect I shall sooner or later have to return.

[Edit: typo]



Iridium seems far better maintained in AUR [Arch Linux User Repo]. I shall give it a spin. Thanks for the reminder.

https://iridiumbrowser.de/


"Ungoogled" is actually a superset of Iridium, and includes patches from it.


And way behind on Chromium version.


How's Brave doing?


Not too well, last time I looked. And my irrational distaste for its Chromium heritage.

But probably time to take another peek.


I hope you will take another look in the new year, if not sooner. Some bugs to fix & missing features to support, but we will not pull any stunts like this MrRobot one. All our user-private/anonymous contributions and ads are opt in and will remain that way. Consent from users and publishers is not optional to us. Brave by default has strong ad/tracker blocking on by default, which gives a 3-7x speedup vs. Chrome on Android, 3-8x on iOS, and 2x or so on desktop.


A voice from on high has now commanded me. I most certainly will :)


I have been using Brave on my mobile and love it. Thank you for what you do!


Chrome pushes you to create a Google account to sync. Firefox pushes you to create a Firefox account to sync. You'll tell me where the difference is.

At least Google does not also push you to create a Pocket account... ;^)


One of them syncs your tabs and bookmarks, and the other one syncs your tabs and bookmarks and can create stronger links with their already extremely prevalent browser tracking technologies which they then can tie in to their analytics on your email to support their largely advertising-driven, for-profit enterprise?


Firefox sync is encrypted client-side so Mozilla can't access your data. And the server is open source and self-hostable:

https://mozilla-services.readthedocs.io/en/latest/howtos/run...


So is the google sync. Especially if you set an extra passphrase to decode.


Oh, cool - it sounds like the passphrase is mandatory to encrypt your synced data, it doesn't happen by default, but that's still a good start. TIL.

(I still like having the option to run my own sync server though.)


It does, but by default, it uses your google account password.


> Chrome pushes you to create a Google account to sync. Firefox pushes you to create a Firefox account to sync. You'll tell me where the difference is.

With Firefox account, Mozilla is not selling any of your data, a Google account not only is a goldmine of data to sell, but you're signing for a lot more services than just Sync itself.


You mean, except for shipping CliqZ, a cooperative project between Mozilla, and the German ad, tracking and publishing house Burda, which receives all the URLs you visit (as a test, this was bundled with 1% of German Firefox installs)?


While bundling CliqZ was certainly a poor decision that does not inspire confidence, my comment above was specifically in regards to Firefox Sync.

If you honestly believe that Google is less or equal in terms of user data privacy as Mozilla, then I'm not sure I can convince you otherwise, but despite all the recent blunders, I still trust Mozilla more in this regard, be it with a watchful eye.


Well, I don't have a choice, do I?

about:addons uses Google Analytics, and yes, I know Google promised Mozilla not to look at that data.

But either I have to trust Google that they don't use the data from Chrome's Enterprise and Chromium builds. Or I have to trust Google that they don't use the data from Firefox' about:addons and Firefox Focus, and that CliqZ doesn't use the data from Firefox.

If I have to trust Google anyway, I can just use Chrome.


Google doesn't sell data. Chrome, however, isn't silently installing extensions without people's permission, though.


Chromium pushed (and kept pushing) me to open an account in order to install addons. I never used the Mozilla sync-feature, but have no problem with it announcing its availability once in a new install. And likewise for the Google-browser, if that's what it does.


I use Chrome (not Chromium) and it has never asked me to create an account to download addons. :/


using Chrome means you've embraced the botnet

and with the browser phoning home constantly, they know which account to associate your browsing behavior with, no account creation required ;)


Mr Robot is created by Universal, which is owned by Comcast, who helped destroy net neutrality. Besides the fact that Mozilla abused my trust in "user studies" to show me advertising -- when Mozilla's lack of connection to advertising is precisely why I use Firefox -- support for this show funds the very people Mozilla has been fighting! On top of that, Jascha Kaykas-Wolff's non-apology is a whole other level of disdain for users. How am I supposed to explain to people who trusted my knowledge of tech that they should install Firefox because of Mozilla's ideals, but to be sure to say no to user studies because Mozilla uses it for advertising?


What makes this really stupid is that Mozilla is compromising user trust for what is undoubtedly a tiny payment from Mr. Robot. At least Google and friends are the wealthiest companies the world has ever seen as a result of their data shenanigans...


Apparently, there wasn't even any payment involved, which is probably even worse, since it's pushback for nothing.


I was a very strong supporter of Mozilla in the early days when it was a scrappy nonprofit dependent on donations of time and money from its users (I proudly gave them both). Today's Mozilla by comparison comes across as bulky and wasteful and to have lost its way. It doesn't in any meaningful way depend on code contributions from outside the organization anymore. It is opaque and unengaged with its users compared to the old days -- remember the success of the spread Firefox campaign?

I'm not sure what the solution is, but from outside, it seems like Mozilla should become a much leaner, more focused organization. Move out of that cushy building on the SF waterfront to somewhere where your neighbors are ordinary people, have employees want to work for you because they believe in open source and the open web, not for the trips to Paris and the fat pay packages. Trim down management and all the other fat that has accumulated over the years. It won't happen, of course.


I still don't understand why this is such a big deal - here's what it reads on my `about:studies` page:

looking-glass-2 Active • MY REALITY IS JUST DIFFERENT THAN YOURS.

Looking Glass is a collaboration between Mozilla and the makers of Mr. Robot to provide a shared world experience. Are you a fan of Mr. Robot? If so, join the hunt for answers!

Participating in this shared world experience requires explicit user opt in. If you are not actively participating in the ARG no modifications will be made to firefox.

https://support.mozilla.org/kb/lookingglass

---

Here's more about shield studies: https://support.mozilla.org/en-US/kb/shield

It also lists some previous studies that ran on my browser. I have never noticed any of these.


On the "About SHIELD Studies" page it says:

"SHIELD studies let you try out different features and ideas before they are released to all Firefox users. Using your feedback, we can make more informed decisions based on what you actually need."

This wasn't a feature and it wasn't an idea to be released to all Firefox users.

It was an ad placement for the Mr. Robot show; that seems to be the crux of the issue.

They abused a channel meant to improve Firefox and test new features and in doing so violated the trust of the users.

I didn't have this installed because I disable all telemetry however it doesn't take away from the bad taste of Mozilla's actions.


a) It was rolled out appearing as a normal plugin, out of the blue, without the additional context information, so many people assumed it's malware. Don't make your users panic for no good reason.

b) It's using a mechanism intended for helping improve the browser to roll out advertisements. Even those that were aware of the studies did consent to Mozilla pushing out changes to help them study improvements, they did not consent to Mozilla using this permission to roll out ads.

c) For many users, this is the first time they realize Firefox has these things turned on by default, instead of them being opt-in. Opt-in for unnecessary data collection is privacy design 101, privacy being a large part of Mozilla's advertising. (The ad in specific does not collect data, but the mechanisms it directed attention to do)

d) Mozilla running advertisements for a Comcast-owned product is somewhat at odds with #NetNeutrality messages.


Note that the details you're seeing which explain what it is were added after the fuss got kicked up. All you could see yesterday was

"Looking Glass: MY REALITY IS JUST DIFFERENT THAN YOURS."

Can you see why that would be concerning?


On my `about:addons` page under `Extensions` I see an entry for `Looking Glass`. It has no icon. If you click it, it expands to read:

Looking Glass

By PUG Experience Group (list of names) <a contact email>

MY REALITY IS JUST DIFFERENT THAN YOURS.

Looking Glass is a collaboration between Mozilla and the makers of Mr. Robot to provide a shared world experience. Are you a fan of Mr. Robot? If so, join the hunt for answers!

Participating in this shared world experience requires explicit user opt in. If you are not actively participating in the ARG (Augmented Reality Game) no modifications will be made to Firefox.

https://support.mozilla.org/kb/lookingglass

---

I do think they should have added an icon and NOT used the extensions as a delivery channel but I also don't think it screams malware. There is a contact email and a link to a page explaining the extension.


As I said, they added the additional information after people started complaining. It only said "Looking Glass - MY REALITY IS JUST DIFFERENT THAN YOURS" as the description, no clear reference to the show, no link to additional info, ...


Me neither. It could have been communicated / written better, but it does not equate them to Nazi Germany like some people paint them because of this.


Mozilla is an embarrassment of an organization run by people paying themselves $1 million/year for years of gross mismanagement.


Given they'd just one a lot of people back with 57, this was a pretty dumb thing to do.


I gave it a good strong shot when 57 came out (I had been on Vivaldi for a while). The performance was way better for sure, but it still wasn't quite there. I also hate how default zoom level still requires a plugin and isn't built into the browser.


Same, I had it as my default browser for a few weeks and it was a huge improvement, but ultimately I had to switch back to Chrome.

No default zoom or pinch-to-zoom were my biggest pain points, then performance (mostly comparable with Chrome, except videos consistently spike the CPU above 100%), and the last straw was the ridiculous number of OS X kernel panics I was getting. Beyond that, a lot of little enhancements would make a huge difference, like support for pasting without formatting, support for whatever clipboard APIs Google Docs needs, U2F support, and top-level await in the console.

I generally love the new Firefox and got my configuration in a state where I was sad to leave the UI/UX for Chrome's, but there were too many downsides to the point where it was becoming an obstacle to doing my job. Really hoping these issues can all be sorted out relatively soon.


Sorry, but how are kernel panics related to userspace software? Isn't it just the indicator that your operating system is somehow broken?


Yeah, that part is more OS X's fault, but either way it makes Firefox unusable for me. It seems like it may be related to Firefox's video CPU spiking issue.


I just switched back to Firefox too :/


*one -> won


Yes. Oops.


I pledge to give $20 to Mozilla once:

- they apologized for the fuck-up

- they pledge to stop doing that kind of stupidity

- they reconsider the employment of those really responsible for it. Not just the ones that wrote the code, the ones that asked for it which are likely more paid than the coders anyway.

#firefoxpledge

Many of us here are Firefox users, but I'm sure most of us are really happy to use it for free.

If Mozilla is desperate enough to agree to some big cable companies, or some big search engine marketing contracts. Why do the users blame them? Maybe we should support them instead and help them to get out of that vicious circle so we can all enjoy a less corporate internet.


> I pledge to give $20 to Mozilla once: - they apologized for the fuck-up - they pledge to stop doing that kind of stupidity - they reconsider the employment of those really responsible for it.

I was indeed considering making a recurring donation after their work on Quantum. But I won't bribe an organization into abiding by its own mission statement and I won't give money to an organization that cannot keep its promises.

I wish the technical folk at Mozilla, who are literally building the browser, would split out, join in with FSF or EFF, and create the fork that we all would switch over to in an instant.


It's really an astounding accomplishment to make a browser developed by a non-profit less trustworthy in this respect than the one developed by the world's largest advertising company.


I don't think firefox is spying on you in the same way. Let's remember the bigger picture.


No, they just show less respect for me.


People in this thread are really overdoing it. Mozilla and Firefox are still nothing close to what major tech companies do with user privacy.


"Not only are these experiments enabled by default, but updates have been known to re-enable it if you turn it off."

are you kidding me? Mozilla risks our opsec and I didn't even know?


The author really gets the underlying issue, and it's an issue that is extremely common amongst software, hardware, and vendors, tech and non-tech alike: trust. Almost every major issue with software boils down to trust. Do I trust this browser, or more specifically, the people that develop it? Do I trust this database / people that develop it? Do I trust technology X? These are the types of decisions we have to make everyday and that the tech world is forcing upon billions of people, most of whom are simply not informed enough to make them. Free software is about trust. Open source is about trust.

So many "tech" issues boil down to trust, that I'd say trust is the primary issue in tech and has been for quite a while. Therefore, it's interesting to see that companies simply ignore this issue, don't care about it, and openly violate the trust of their customers, employees, partners, etc. I see very few organizations that consider the implications of lost trust to their business. Just like car mechanics who lie and say they fixed something they didn't, companies break users' trust by hiding malware in their products, spying on them, collecting data without their knowledge, releasing bad products etc.

In the end, it doesn't matter how trust is broken because once it's broken, it's extremely difficult, if not impossible to reestablish. That's something a lot of companies don't think about with the philosophy being that lost customers will be replaced by new waves of ignorant customers who don't know any better and don't know who to trust. Then they wonder why their market share slips when the company's main purpose is to scam people.


Am I the only one who thought the little easter egg was interesting? I am a fan of the show.


I haven't seen the series, but I also find the idea of ARGs interesting.

What's being discussed here is not if the addon is interesting or not, it's the fact that Mozilla, a supposed freedom and privacy advocate, has installed something in all of our computers, without our knowledge or permission as a publicity stunt for a different company and, when found out, the best explanation we've received is "Oops! You guys shouldn't have seen that".


I don't agree with the "without our permission" thing. You installed Firefox — you gave them permission.


If they roll out the "Firefox user affluence survey" and start reading all your bank account balances (or do whatever you would find objectionable) I'll make sure to remind you of this post.


Personally, I'd much rather have them make money through these sort of small tidbits than rely entirely on Google money. If they actually were on a slippery slope and selling out user privacy or whatnot for profit, I'd also not think of it to be acceptable, but to me there's always a clear distance from that slope in anything that Mozilla does, by ensuring that no privacy violations or anything along those lines happen. Specifically with things that people will spin conspiracy theories about and bring out the pitchforks, they always go the extra mile to ensure that really nothing is actually bad about it.


Let me propose an experiment: fire up Wireshark and start your favourite browser and revel in the boatload of encrypted traffic that gets phoned home on startup.

Now turn off updates, telemetry and a bunch of other built in features and do the same with Mozilla: the TCP connections out of your system are zero, nada. You can literally turn off everything.


Mostly. There are some exceptions, mostly not easily detectable by wireshark while Firefox is idling. These are things like extra requests made while browsing ancillary to the requests you're explicitly making, certain browser functions needlessly requiring an internet connection when they could well work fine without, and also in the form of "bugs" that slipped into the browser largely out of a lack of consideration for users' privacy by devs.

The point here is that, while competitors' browsers might be worse, this doesn't mean that being "almost private" should be good enough for Firefox.

Saying "but Firefox is still better than X at privacy" doesn't mean they can't be better. X is setting a very low bar.


>and also in the form of "bugs" that slipped into the browser largely out of a lack of consideration for users' privacy by devs.

Tor Browser is based on Firefox. Human lives would be at risk, if Tor Browser were to send additional data over the net that it's not supposed to send. So, Firefox is going to be very well vetted for whatever kind of bugs you imagine to be there.


If Tor browser sends additional data over the net, it does so via the Tor network, so you are at no more risk than any other explicit requests you make via Tor browser. Unless you're using uMatrix in advanced mode with extra strict content settings enabled, Tor browser won't keep your session completely private. It isn't designed to do so. It's designed to keep a single session isolated and - if you're careful - anonymous within itself, but any activity within that session can still be easily associated with other activity within that session, unless you're selectively blocking 3rd parties. NoScript (bundled with TorBrowser) does this partially but not fully.

Beyond the above (that TorBrowser isn't designed to protect from what we're discussing here, and as such their vetting won't be overly concerned with it), there's also the fact that they track ESR which is likely to have less of these issues since they'll usually be fixed before feature releases are backported.

Edit: In case you're still of the view these bugs are "imagined", here's two small (related) examples: [0], [1] though not the only ones. The "lack of consideration" I referred to in my above post that imo causes these bugs is the language seen in the second one of those bugs:

> It's not tracking but I'd imagine users who were uncomfortable submitting usage data from the app to GA also don't want to log their errors in Sentry

This is a Mozilla developer who seems to fundamentally disagree with (I'd guess most) users on what tracking means.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1380754

[1] https://github.com/mozilla/addons-frontend/issues/2802


Until it gets activated again with the next restart or update.


Please, if anyone has steps to reproduce this behavior (beyond anecdotes of other people experiencing it), please file a bug. We engineers (I work on spidermonkey) put a lot of effort into making sure opt-in things are truly opt-in, and make sacrifices as well. (I would love to be able to automatically gather cpu or memory profiles with full urls included, to make it easier to reproduce field problems. Heck, we can't even tell if a set of crash reports comes from the same user. But I'd rather not have any of that, given the privacy risks.)


The Mr. Robot thing is not the first one of these issues we've seen with Firefox, but most of them (from my anecdotal perspective) seem to be either with web dev (teams managing moz web properties), ui design (e.g. the privacy issues in about:addons I linked to in a comment above) or extensions development* (this Mr. Robot thing, Pocket, and a lot of issues with the entire Test Pilot project).

I'm curious about whether the problems being discussed in the article above are not so much systemic to Mozilla itself (as many commenting here fear), but rather an issue with management of certain teams within the organisation.

* I refer here to teams working on web extensions, rather than those working on web extensions APIs.


Did they actually acknowledge that it was a paid advertising campaign?


I’m not sure if there was an official announcement, but:

> We didn't make any money off of this; it was intended as an easter egg in Firefox for fans of the show. https://www.metafilter.com/171227/Your-Reality-Is-Driven-By-...


That’s even dumber then.


That's what you get when technologists no longer run companies, but trendy "cool gals/guys". Mr. Robot is on decline as well; maybe one Mozilla exec knows another at Mr. Robot production and decided to return a favor? Can't wait to get Watchdogs 2 on WebAssembly playing in Firefox next...


I've given money to FOSS projects before (last time $5 for a really basic color picker for elementary OS).

I'm sure people would give something if Mozilla asked--kind of like Wikipedia do it with a message on their site.

Why can't they just do that? It doesn't look like it could hurt more than this.


> I'm sure people would give something if Mozilla asked--kind of like Wikipedia do it with a message on their site.

They do ask, I have a Mozilla request for donations today on FF57's about:newtab, yes every time I open a new tab.

There is a blue button to 'make a donation' once I have selected the appropriate amount ( 50, 25, 10 or 3 Euros ). Apparently this goes towards protecting my privacy on the Internet.

There is no button to say 'no thanks' or 'already did' or 'that's a bit hypocritical given your latest stunt'


Ah. Never seen that.

So, I assume the donation strategy is not working.


This appears to not have been about money[0]. It was supposed to be an easter egg written by some folks at Firefox who were fans of Mr. Robot. It wasn't supposed to be the bomb that it turned out to be. Shame, really.

[0] https://www.metafilter.com/171227/Your-Reality-Is-Driven-By-...


I don't think the problem is sourcing individual donations. It's more of a predictable revenue model they can make decisions on. Crowd funding the expenses of a whole corporation seems a difficult process to take on every year.

Sustainability is something that plagues every open source project.


Well, I don't think the add-on promotion/spam was funding the expenses of the whole corporation. Perhaps they can augment their business model with donations instead of crazy initiatives that alienate their users?

I also wonder if--once they figure out what percentage of users donates--donations couldn't be predictable.

By basing their business model on donations (at least in part), their focus would shift to getting more users (or making existing users like them more), which would in turn mean creating a better product. I don't see how that would not be a huge gain for everyone.

DISCLAIMER: I have never run a corporation though, so I have no idea :-)


Those are good points. These sort of experiments seem to be them trying to find a revenue model that works. The way they are handling it sends a signal of desperation. Which should be the question here. Why does Mozilla need to do this? Why do we the tech community praise open source in one hand and abandon it on the other?


They probably are, desperate.

The phone project has been a pretty bad hit for them.

They so seemed to be able to be successful again with FF 57... I guess it was luck.


I hope this incident makes people realize what a farce the Web has become given the incentives for Web browsers and sites. And we're working hard to make the Web even more complicated, so it's becoming impossible to develop a new browser from scratch.


Unfortunately I've not had time to do browser research, what are people switching to?


Drew changed to qutebrowser

Source: the blog post


Interestingly, the qutebrowser repo has a list of similar projects: https://github.com/qutebrowser/qutebrowser#similar-projects


I started trying Vivaldi a while back, mainly due to performance issues. It's missing some of the features I've grown to like about Firefox and has some additional bugs, but overall it's considerably faster.


Faster than Quantum?


Vivaldi is Chromium but without google, a ton of cool power user features, and closed source. It's fast if Chrome is fast.


I get that, but I'm surprised that anyone would call Chrome or any of its derivatives "considerably faster" than Firefox >= 57


Somehow I'm not getting much improvement in speed with 57, it's been a bad transition technically for me too, aside from the privacy/marketing - lost addons (expected, but still), broken fonts, bookmarks not working, one user's profile completely broken (other ones on same computer are fine), slow page load, lots of freezes, ... reversing the changes to the newtabpage and such.

Worst update in ages for me, only one as bad was one of the teens (19.0?) which needed new profiles making. I've only been using it since v0.6 or so though ^_^


[flagged]


Opera can’t be considered trustworthy as of this event (cribbed from Wikipedia):

On 18 July 2016, Opera announced it had sold its browser, privacy and performance apps, and its name to Golden Brick Capital Private Equity Fund I Limited Partnership (a consortium of Chinese investors including Qihoo 360) for an amount of $600 million USD.


Why does a new owner make them untrustworthy?!


Because it's impossible to run a >$600 million US-Dollar business in China without involvement from the Chinese government. The same government that heavily spies on its citizens and blocks access to the internet with a huge firewall.


Can you elaborate on the concern? Not challenging your point, just trying to understand how concerned I should be.


Not a downvoter, but I wouldn't change browser over those things, the browser is too important to any real computer nerd. An alternative browser would have to be open source, maintained by a major group, and have functionality that even the big two only achieve via third party addons.


That's not a reason not to use a fork though, I'm looking at Waterfox, but need to assess if I can trust the devs.

It's a huge annoyance, Mozilla seemed to have kept their ethics intact even with all the Google money but this is the last of several marketing blunders that to me show controlling forces on Firefox have sold out to commercialism over ideals.

Ideally Firefox will root out whoever has led this current thrust towards selling out users.

You're right, the browser is so vital, that's why I've stuck with FF through technical issues in the past. I really don't trust them now.


You're making a fool of yourself, if you think that other browsers are better in any way, shape or form.


Please don't post like this here.


Very strange to see that. Are the managers responsible at Mozilla not aware that a significant part of the appeal of Firefox is user autonomy and privacy? No reason to gamble away your reputation by violating user trust like that.

I understand they need money to develop a browser, but surely there must be better ways to promote partnerships. I personally probably wouldn't have a problem with Firefox asking me to opt-in to ads and promotions in the new tab page at first startup to support Firefox, for instance.


While I can agree with author on some points, I don't understand why everyone bashes Mozilla for Pocket so much, they have bought it and I thought it is part of Mozilla now: https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-po... Please correct me if I'm wrong.


When Pocket was first added, it was an independent company with no signs of any acquisition by Mozilla.

It was not added to the browser as an "add-on" but as core code. Sure, you could hide the button, but... it's still there, attack surface and all.

Plus, it's a product in a competition-rich field. Adding first class support almost certainly affected adoption for competitors like Instapaper, Pinboard, etc, who still had to play by the rules. Hardly what you'd expect from a "choice centric" company like Mozilla, and it screamed of a cash bribe.


While I understand the technical merits of the switch to the Quantum/Rust/WebExtensions/Electrolysis thing, and while I also understand that this "ad" add-on is not enabled by default, I can't stop thinking that in one month or so, I went from having very useful add-ons to one that is completely useless and pushed to its users without consent.


Agreed, I now NEVER trust any company or startup anymore with my data. Everyone is involved with spyware of some sort.

I thought Mozilla was an exception, Oh well. :/


Good luck in the jungle. I suggest to download the Primitive Technology channel first from YouTube.


What do you use to browse the web? A self compiled version of curl? wget?


May I suggest dillo where possible, and icecat everywhere else?


"Study" is doublespeak for "ad". Let me write that down into my dictionary, thanks Mozilla for the info!


I agree with the complaints but I also wonder how else Mozilla is supposed to financially support their work.

It is an unfortunate reality that donations alone don't tend to work on things of this scale. Humans don't work like that....most people are not going to send a significant amount of money to make an insignificant impact on browser quality. (i.e. if I donate $5000, would I even be able to tell the difference between the Firefox without my donation, and the Firefox with my donation?)

This is pretty basic game theory (Tragedy of the Commons, Prisoners' Dilemma, etc). Nobody wants to be the sucker when most people are being freeloaders.

So we have things like this. They are trying whatever they can do to get revenue. Bake shit in that increases their corporate sponsor's bottom line. Ugggh.

I don't have a solution (short of government grants and the like) but I wish more smart people would work on this sort of problem.


I've always left "Allow Firefox to send technical and interaction data to Mozilla" and "Allow Firefox to send crash reports to Mozilla" enabled, and I've been using Firefox since it was Phoenix (beta) in the early oughts.

I just like to make sure they get the info they need to improve it and also, advocate in that way for the features within the browser that I use- so they don't remove them. After this study add-on, I disabled all of those settings.

I'm not moving to Chrome (and I never did all these years, FF has features that Chrome never will like toolbar RSS feed support), but now I'm probably withholding legitimately helpful information from Mozilla. I'm willing to do that because I don't feel like they can be trusted right now.


Mozilla needs to get rid of the people responsible for this and specifically the rogue marketing team members that have been the source for much of Mozilla's missteps such as the tone-deaf attack ads on Chrome which deeply embarrassed a lot of the Mozilla engineers.


So much Mozilla bashing in the comments here. And in general.

Mozilla doesn't improve Firefox: FF is so slow I am using only Chrome now. Mozilla improves Firefox: why did you break my extensions. Mozilla adds data collection: you are no better than Chrome. And so on...

Meanwhile Google is doing most of these things with Chrome and nobody complains.

The title is correct, Firefox is on a slippery slope. But this is slippery slope to oblivion. Whatever Mozilla does is wrong. But see now, the game is very different nowadays. The browser is not simply a renderer for Html. The browser has turned into the TV from 1984. And the Web game is very very different. So no need to be angry at Mozilla, they are just a player trying to adapt to this new reality.


The fact that FF users are so critical is a positive feature of the community in my opinion. It's the only thing putting the brakes on Mozilla's campaign to turn FF into a clone of Chrome.


After how they have locked down the marketplace to prevent malware this is really ironic.

FTR: Usually a huge Firefox fan and still thinks it is better than sending everything wholesale to Google like Chrome does.

But wow, this seems like an amazingly dumb move..!


Firefox keeps acting like they desperately need money, but there are clear paths to monetization with a freemium model.

The simplest method is to limit the browser sync capabilities (bookmarks, passwords, settings, etc) and charge a small fee for improved sync. Limitation might be sync frequency or storage space.

For Thunderbird, they could roll in an advanced spam blocker system and make it subscription-based. Or they could create a single button in commercial buttons to automatically unsubscribe from the content.

Or, for the simplest model, just charge $10 a year for access to binaries from the beta + nightly + dev channels


Building a web browser is potentially the most complicated application to build nowadays, it can't be sustained just by a community of volunteers and Firefox has to maintain a payroll of at least a thousand extremely highly paid engineers.

They're needed for a proper free and open internet which is independent from the needs of corporations but they also need to pay their bills.

It's a fine line that they have to tread, maybe they overstepped the boundary this time but I'd rather there was a firefox that can afford to innovate and push forward the web platform as a whole than not one.


I think arguments like this would go better if they created some space for the other side. Like, we all know that there's arguments on the other side about making money to pay the bills, and about experimenting with new ideas about how to do that. Almost no one thinks that Mozilla shouldn't try to make any money at all. But this argument doesn't explicitly lay out any space for that. So then it's hard for someone to talk about that side of the question, without feeling defensive from the very beginning.


My search for a "just a browser" browser led me to this: https://github.com/Eloston/ungoogled-chromium

It's a fork of Chrome, with all links and connections to Google compiled out.

I'm not a fan of using a fork of a major browser for the same reason that a fork of Firefox relies on the continued existence of Mozilla - but I guess I trust Google to continue existing more than I trust Mozilla.

It's a shame. I want to like Firefox. But I'm finding it hard to find the trust.


I've been an overly faithful Firefox user since the first versions, through all of its performance problems and lagging behind Chrome. 12+ or whatever years of daily use. I was thrilled with the quantum update, finally Firefox was competitive again.

I agree with the article. Whoever signed off on this obvious user abuse, should be immediately fired. It's inexcusable. I use Firefox so I don't have to use Google's Chrome as my primary browser. If Mozilla keeps behaving badly, I have no reason to use Firefox, it's that simple.


Gah, the worst part of this is Firefox 57 is good enough that I want to switch to it. I wish they would at least issue a "that was dumb we won't do it again" statement or something.


I'd happily pay to use a Firefox that doesn't do this. There's the Mozilla monetization problem solved and upholds trust and supports more good development like 57.


Let's compare Firefox with Windows or Mac or any other popular software that you guys pour money on. What I find most interesting is why you pay premium to get locked into a proprietary closed source platform, getting "updates" pushed to your systems all the time, like force feeding chickens. While I'm most likely wrong I think this is actually a PR stunt, that somewhat backfired. At least they got you talking about these issues.


We now get ads bundled with OS (Windows 10, Android sort of, Amazon with Ubuntu), ads bundled with browsers is just a little step further...


Eich says Mozilla is interested in integrating their BAT token into Firefox in the future too. His ability to make that happen is partly why they got so much funding and token sale proceeds.

https://mobile.twitter.com/BrendanEich/status/94211584408716...


> Mozilla, this is not okay. This is wrong on so many levels. Frankly, whoever was in charge should be fired over this - which is not something I call for lightly.

Whoho, calm down cowboy. Some of us don't live in the far west, and have better, proper, and more civilized ways of dealing with work issues than your "All-American-Fire-Everyone-Style".


Everyone in Mozilla management has to go.

Mozilla again needs to be about a browser not about making money.

If $500M per year from G is not enough you're doing it wrong.


How on earth is this related to money?


Mozilla has taken on all of the worst qualities of a modern University...ostensibly for the "public good", but really just a vehicle for the whims of a few "enlightened intellectuals" who will "save us all" (from ourselves apparently)

but hey, Mr Robot uses Kali Linux (they only show us this about twenty times per episode) so he should be fine


I thought he used Mint.


Maybe instead of a litmus test on their political donations, Mozilla needs one on whether its executives respect users.


With behavior like this (and previous acts) I view Mozilla as less trustworthy than Google.

Wouldn't Chromium be a better option for those who still don't like Google?

I'm still glad that Firefox mobile is available since Chrome mobile doesn't support extensions (e.g. for ad blocking).


As it happens, I posted http://yuhongbao.blogspot.com/2017/12/google-mozilla-and-deb... around the same time.


Is there anything wrong with pocket itself? Or is it just that it was forced into the browser?


I don't think people have many problems with Pocket itself, especially now that it's owned by Mozilla, it was mostly about it being a default addon. I don't personally mind it, since it's a lot better than just having a full bookmarks bar, but can see why some people would.


It was never an add on. It's built into the core of the browser.

You can hide its button, but all the code is still there.


No, it's a great product. Everyone complains that bookmarking is broken then here's an alternative, then some naysayers find a hole in it too. Some folks are impossible to please.


I get that everyone is pissed, but can someone explain what looking glass does? After reading the article and the comments I get that it’s like an ad/game, but that’s it.


I've used FF since the beginning. I've installed it on a lot of computers for friends and family.

Today I uninstalled it, and that was before I found out about this latest sneaky trick.


Completely unacceptable. But with how much disrespect Windows 10 gives users in terms of forcing distracting ads into faces, I can see why they think it's open season on us.


Mozilla does seem to be trying very hard to make those of us who have been trying to lead people away from Google/etc and onto their browser look like hypocrites.


I've been a die-hard Firefox guy for a long time ... I stuck around while the browser was being surpassed in performance by Chrome[0]. I left briefly when developer edition was updated in a manner that prevented my most relied upon add-ons from working.

This move, when I first read about it, rubbed me the wrong way. As things have settled out, though, I'm a lot less quick to want to jump ship. In the context of a simple "easter egg" kind of thing, it's actually somewhat cool (I'm a fan of Mr. Robot, personally, so hey -- that helps a little)[1]. I think what bugged me the most is the lack of communication. Upon first reading about the "bug", it sounded like it was something that was "on by default" and potentially being used to collect data. It at least sounds like it was disabled unless you intentionally turned a setting on in about:config. OK, I guess. It would have been nice if there was better communication once the crap hit the fan and The Internet started panicking.

The "easter egg" idea isn't something most of us would complain about if a very clear explanation was available upon discovery, but the fact that it was a promotion with NBC Universal, I think, is where a lot of folks got seriously upset. I know it was the first red flag I latched onto. Frankly, it's hard to imagine a worse company to enter into this kind of an agreement with and the way this was implemented just looks really bad -- as an add-on that appears to be a telemetry-type service.

I think NBC Universal and the first two things that come to mind are the MPAA and their desire to burn down the internet if it keeps people from downloading movies ... and Comcast -- bandwidth caps, JavaScript injection, abysmal customer service, ever rising Internet bills (especially if -- as is often the case -- you live in an area where they are the only provider). It's a shame they had to suffer such a poor lapse of judgement at a time when the press around Firefox was turning so heavily in its favor. This was, hopefully, a painful enough shot in the foot that something like this won't happen, again. But who knows? Out of the options, available, I'm sticking with Firefox for now.

[0] Part of this was my stubborn refusal to import my bookmarks mixed with the convenience of sync being setup everywhere I used it, part of it was a general dirty feeling I got from using a browser from a company (Google) who's becoming increasingly aggressive in asserting their monopoly positions.

[1] And there's no irony lost about the fact that a show that would directly appeal to security engineers was being promoted in a way that would cause a security engineer to lose his/her mind.


Thanks for writing this to inform the community. I had no idea this was even going on before reading your article. What browser do you use now?


The author mentioned http://qutebrowser.org/ in the article :-)


Brave browser looks more appealing all of a sudden


I disagree that they are on a slippery slope. They were on a slippery slope, then they slipped on it and fell into the crevasse.


Waaaay too much false information (or lack of) by the author and respondents here. If people would read before installing things they would be aware of this. It is right out in the open in plain comprehensible wording (not bunched together like a legal doc). So anyone that took the time to read the small paragraph would be fully aware of what's going on, or at least know they will be guinea pigs for testing out the new tech...

#1 If you download the Developers Edition, Beta or Nightly edition, you agree to share crash data, new feature rollouts and participate in shield test (which you can still opt out of). They tell you flat out these things will happen by participating in these previews (which is what this addon was part of and was tested by a measly 1% of the user base)

#2 By the screenshot provided, this user has "Legacy Extensions" enabled, which means they have to be using a Nightly build, as that is the only way you can still enable this feature. Hence they did not read the details on the possible trials they might be joined in. If they were part of say the Electrolysis trial I doubt there would be concern like this.

#2 In a full public release you are opted out of these by default, but can opt in if you wish.

#3 If you download the official release you are not subjected to any of this unless you decide to manually opt-in. It's not hidden, it's on the privacy page in the main preferences. For the pioneer experiments you have to go manually download a full extension to opt-in.

#4 If you downloaded the beta to check things out, then when 57 rolled out and you decided to stay on the release channel, you would have to manually go and switch the experimental pioneer off manually or refresh your profile as it keeps all your custom profile data. Same if you shared a single profile between all your installs instead of creating multiple profiles.

#5 Firefox keeps a list of which experiments are on the way, details about it and you can see which ones you are taking part in in your about:support and also in about:studies

Info about this study taken from their study page: https://www.dropbox.com/s/vu2n2llbfyyyv1x/Screen%20Shot%2020...

Info detailing how to opt-in: https://www.dropbox.com/s/sk48o3fgookin4i/Screen%20Shot%2020...

Proof of my default settings on Nightly which opts me in my default: https://www.dropbox.com/s/blar0u0jdrzw37b/Screen%20Shot%2020...

And finally proof you are opted out by default on the public release of 57: https://www.dropbox.com/s/3zpwunknngy71pw/Screen%20Shot%2020...


You aren't even comparing the same setting in your screenshots. app.shield.optoutstudies.enabled is set to true in stable and nightly.

> And finally proof you are opted out by default on the public release of 57: https://www.dropbox.com/s/3zpwunknngy71pw/Screen%20Shot%2020....

This actually seems to mean that you are opted in. The setting is extremely poorly named. "app.shield.optoutstudies.enabled" must mean "Are Studies, which are "opt-out", enabled"?

Here's a brand new profile on firefox stable, downloaded a few moments ago:

https://i.imgur.com/kZiGAjG.png

Or see this privacy guide which recommends false for this setting: https://aaronhorler.com/articles/firefox-privacy.html


I'm afraid that, despite your screenshots, a lot of your information is inaccurate.

Developer edition download page: https://www.mozilla.org/en-US/firefox/developer/ 0 mentions of "shield", "studies", "study", "crash", "experiment", two mentions of data in the context of developer features: "Storage panel: Add, modify and remove cache, cookies, databases and session data."

Beta and Nightly download page: https://www.mozilla.org/en-US/firefox/channel/desktop/ 0 mentions of "shield", "studies", "study", "data", "crash". 1 mention of experiment/test pilot way at the bottom of the page, unconnected to any version. The Mr Robot addon was not part of test pilot and is not listed on the test pilot experiments page. https://testpilot.firefox.com/

> Info about this study taken from their study page:

AFAIK this information was added after people started asking questions.

Furthermore, just look at the confusion here from people at Mozilla who understand the shield policies and can't find the correct "paperwork" for this study:

https://bugzilla.mozilla.org/show_bug.cgi?id=1424977

Also see Mozilla's CMO stating this:

> The experience was kept under wraps to be introduced at the conclusion of the season of Mr. Robot.

https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-...


This was rolled out to Firefox stable and you're opted-in by default on stable too.


Why are people not calling this adware? This is silently installed, extra-creepy adware, promoting a TV show. Disgraceful.


Being able to switch between Google accounts in Chrome is so huge to me now that I can't use anything else.


You can do that in Firefox, too. Use this [1] addon and you can create as many containers as you'd like and log into different Google accounts.

1: https://addons.mozilla.org/en-US/firefox/addon/multi-account...


i don't understand why folks are upset. opensource + nonprofit can't prevent corruption. it has nothing to do with technology, management, personality, good will or anything. it's about power. given enough power and time, what's left is either marketing or corruption.