
All telemetry at the very least transfers your IP address which is legally considered personal information. A browser can not therefore be considered privacy-respecting if it has telemetry turned on by default.

Respecting users' privacy at a fundamental level is important for a tool that is our most intimate window to the web (a web browser) even if you personally have 'nothing to hide'.




Can you please describe a theoretical attack on your privacy by Mozilla learning that your IP address launched a Firefox instance?


Burden of proof is not on the user. Burden is on Mozilla (and any browser vendor with telemetry ON by default) to prove that:

1) They are not misusing collected information in any way

2) They need it so badly that telemetry is ON by default, without the explicit consent of the user

Both of these are simply addressed by having no telemetry by default and all browser telemetry being completely opt-in.

Given that IP address is legally considered private information and Mozilla claims that Firefox is privacy respecting, becoming a zero-telemetry browser by default should be a no-brainer move to substantiate that claim, otherwise it is just empty words that further deteriorate the trust in Mozilla.

It should also be noted that every browser with telemetry ON by default (which is almost every mainstream browser) is also directly or indirectly monetized by ad-tech, which does not help their case at all.


I'm sympathetic to your point of view, but I disagree.

Telemetry is a bit like DRM. Firefox strenuously avoided DRM for a long time, losing a lot of market share in the process, until it became clear that it could not stay relevant without being able to display DRM video. The pragmatic decision was either to (1) stay pure, forbid DRM, and disappear; or (2) give in and support DRM, accept that the battle was lost, and continue to survive in order to influence the battles that had not yet been lost.

The same could be said for telemetry, though it has less impact in either direction (it causes less harm, and not having it is less of an existential threat). And we (I work for Mozilla) did resist it for a long time, longer than was probably healthy for the market share, and eventually gave in. At least with telemetry it could be a somewhat principled capitulation—we are much more careful about avoiding tying together different measures that could be correlated to identify users, and we have a strict approval process when adding new telemetry (I've gone through it several times).

Telemetry is sadly necessary to stay competitive in today's landscape. For example, speed is the #1 reason that people report for switching browsers. Relying on either benchmarks or user reports for performance tuning simply isn't good enough. The signal is slow and massively lossy. We need to know what our actual users are experiencing, and whether a change had a positive impact on real-world usage or not. It's easy to come up with a change that improves benchmarks, at least a little. It's much harder to move the needle on what our users are experiencing. Without telemetry, we would make lots of changes that would overfit for benchmark behavior, adding complexity and producing very little benefit.

The other important piece: opt-in telemetry isn't telemetry. The sampling bias results in massive distortion. Being able to say "this change improves performance *for users who have opted in to telemetry*" is mostly useless. Users who opt in are going to have wildly different hardware, on average.

Opt out is much less problematic, even though it also introduces sampling bias, because in practice not that many people bother to opt out. It's definitely reasonable to argue that the opt out mechanisms should be simpler and more clear.

Though at the end of the day, it's much more important that we collect telemetry in a way that does not compromise the privacy of people who don't opt out, and (imho) we're doing pretty well there. https://www.mozilla.org/en-US/privacy/firefox/ gives a decent high-level overview. https://wiki.mozilla.org/Data_Collection gives more of the nitty gritty detail than you'd probably want.


I appreciate your personal perspective as an employee of the company I used to admire a lot. It looks like we disagree on the fundamental premise.

To me, the golden age of tracking is over and the privacy of the user is the new gold standard. It doesn't matter that Firefox needs telemetry to survive (and the empirical evidence of Firefox still losing users left and right does not help that case), if it is going to violate someone's privacy over it.

It also does not matter what its privacy policy is (and they can change), the moment Firefox transferred user's personal information, which is the IP address, without their consent, it took away something private from them, that can potentially be used in the future against them.

Here is an analogy. Would you accept telemetry in your apartment or a house, that is built-in and enabled by default, without your consent? Would you freak out that it exists once you find out?

The builder will then try to explain they use it only to improve homes they make, for example to understand what rooms you use and how, and that without it, they would not survive on the market because their main competitors are using it too. Would you care about that or you would seek to find an apartment elsewhere?

The browser is no different. It is the most intimate tool we use in our daily lives. People are fed up with our data being used without our consent.

A privacy respecting browser simply can not allow itself to have telemetry by default. Meaning Firefox simply can not call itself privacy respecting if it is transferring user's private information without their consent, by default - no matter what the economic or business justification are. If a browser is choosing to have telemetry for economic interest, it loses the privilege to call itself privacy-respecting or 'a force for the privacy on the web'. Respecting privacy is digital, it is either 0 or 1, you can't be 0.7 privacy-respecting.

Finally, I don't buy the argument that telemetry is helping Firefox at all. All that telemetry for the last 10 years or so and Firefox is down to less than 5% market share. It lost 50 million users in the last two years alone.

Perhaps Mozilla should consider becoming more user-centric instead and start listening to the users, instead of using telemetry. Go back to its roots of innovation and experiments, to the golden age of Firefox between 2005-2010 when we got Firebug, Ubiquity, Panorama, and go back to product announcements that excite users about the browser.


It's sufficient to identify you since there is still all the other tracking data any browser supplies as part of the HTTPS connection handshake [1].

It's also not necessary to have Mozilla be the bad actor. Anyone who has access to the information in the future is a possible bad actor as they might be able to cross-reference the allegedly "innocuous" information with some future, more-pervasive data.

---

[1] - https://github.com/salesforce/ja3


Assuming they tag the browser install, that information could be used to track your location history. e.g. if you move from your home network to a store wifi.


From what I understand, Firefox does tag the initial browser install in order to track the marketing channel the install came from, but after the first run it stops sending it. So no, it cannot be correlated with location history. (And if you grab Firefox from https://www.mozilla.org/en-US/firefox/new/ it won't have the token.)

You'll have to rely on your phone's OS to stalk you by location. ;-)


It's not Mozilla that learns about your IP address, it's all the hops between you and Mozilla. An encrypted HTTP request typically contains the following info:

- source IP:port

- source OS (through TCP fingerprints)

- destination IP:port

- destination hostname

Now you have to consider where your packets may be diverted and who might want to do what with them.
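Added example, not code from the thread or from the JA3 project linked in the earlier comment: it shows concretely what a passive on-path observer learns from the first TLS record a browser sends, before any HTTP bytes are exchanged, which is what the two comments above are pointing at. The ClientHello bytes are constructed inline (hostname "telemetry.example" is made up) rather than taken from a capture; in practice you would feed the bytes of the first packet after the TCP handshake from a pcap. The destination hostname is read from the server_name (SNI) extension, and the client software is characterised by the JA3 string (TLS version, cipher suites, extension types, supported groups, point formats, with RFC 8701 GREASE values removed) and its MD5. TCP/IP-level OS fingerprinting is not shown.

```python
"""Parse a TLS ClientHello: recover the SNI hostname and compute the JA3 fingerprint."""
import hashlib
import struct


# --- byte helpers --------------------------------------------------------
def _u8(n: int) -> bytes:
    return struct.pack("!B", n)

def _u16(n: int) -> bytes:
    return struct.pack("!H", n)

def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]

def _be(b: bytes) -> int:
    return int.from_bytes(b, "big")

def _ext(ext_type: int, data: bytes) -> bytes:
    return _u16(ext_type) + _u16(len(data)) + data


# --- constructed sample input (not a real capture) -----------------------
def build_client_hello(hostname: str, ciphers, groups, sig_algs) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record for the demo."""
    name = hostname.encode("ascii")
    sni_entry = _u8(0) + _u16(len(name)) + name            # name_type 0 = host_name
    sni = _u16(len(sni_entry)) + sni_entry
    grp = _u16(2 * len(groups)) + b"".join(_u16(g) for g in groups)
    ecpf = _u8(1) + _u8(0)                                 # uncompressed point format only
    sig = _u16(2 * len(sig_algs)) + b"".join(_u16(s) for s in sig_algs)
    exts = (_ext(0x0A0A, b"")                              # GREASE extension, ignored by JA3
            + _ext(0x0000, sni) + _ext(0x000A, grp)        # server_name, supported_groups
            + _ext(0x000B, ecpf) + _ext(0x000D, sig))      # ec_point_formats, signature_algorithms
    body = (_u16(0x0303) + bytes(32) + _u8(0)              # version, random, empty session id
            + _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
            + _u8(1) + _u8(0)                              # compression methods: null only
            + _u16(len(exts)) + exts)
    handshake = _u8(0x01) + _u24(len(body)) + body         # HandshakeType client_hello
    return _u8(0x16) + _u16(0x0301) + _u16(len(handshake)) + handshake

SAMPLE_HELLO = build_client_hello(
    "telemetry.example",                                   # made-up hostname
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F],  # GREASE value first
    groups=[0x0A0A, 0x001D, 0x0017, 0x0018],               # GREASE, x25519, P-256, P-384
    sig_algs=[0x0403, 0x0804, 0x0401],
)


# --- what the wire exposes ------------------------------------------------
def parse_client_hello(record: bytes) -> dict:
    """Return version, ciphers, extension types, SNI, groups and point formats."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _be(record[3:5])]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + _be(hs[1:4])]
    info = {"version": _be(body[0:2]), "ciphers": [], "extensions": [],
            "sni": None, "groups": [], "ec_point_formats": []}
    pos = 2 + 32                                           # skip client random
    pos += 1 + body[pos]                                   # skip session id
    cs_len = _be(body[pos:pos + 2])
    pos += 2
    info["ciphers"] = [_be(body[i:i + 2]) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression methods
    ext_end = pos + 2 + _be(body[pos:pos + 2])
    pos += 2
    while pos < ext_end:
        etype, elen = _be(body[pos:pos + 2]), _be(body[pos + 2:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == 0x0000:                                # server_name: destination host in clear
            info["sni"] = data[5:5 + _be(data[3:5])].decode("ascii")
        elif etype == 0x000A:                              # supported_groups
            info["groups"] = [_be(data[i:i + 2]) for i in range(2, 2 + _be(data[0:2]), 2)]
        elif etype == 0x000B:                              # ec_point_formats
            info["ec_point_formats"] = list(data[1:1 + data[0]])
    return info

def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA) are noise and excluded from JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def ja3(info: dict):
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    s = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                  join(info["groups"]), join(info["ec_point_formats"])])
    return s, hashlib.md5(s.encode("ascii")).hexdigest()

def observe(record: bytes) -> dict:
    """Everything a passive observer gets from one ClientHello, before any HTTP bytes."""
    info = parse_client_hello(record)
    ja3_str, ja3_hash = ja3(info)
    return {"sni": info["sni"], "ja3": ja3_str, "ja3_hash": ja3_hash}

if __name__ == "__main__":
    print(observe(SAMPLE_HELLO))
```

The point of stripping GREASE is that browsers randomise those values per connection precisely so that middleboxes cannot hard-code the handshake; JA3 removes them so the remaining fingerprint is stable across connections from the same client build, which is what makes it useful to the observer in the scenario above and, combined with the source IP and the SNI hostname, lets a sniffer on any hop say "this address runs this client and just talked to this host" without ever being the destination.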


Okay. Can you please describe a theoretical attack?


1. X sniffs my connection. 2. X learns my address uses Firefox on Linux. 3. X sells the data to Y, whom I never visit. 4. Y correlates the IP with Z's subscriber data, and adds Linux to my shadow profile.

As the sibling said, the burden of proof is on them. They are the ones who push that on users when there's no technical need.


Surely that same information is made available by visiting any website, no?


Yes, except the attacker gets it without visiting the attacker's web site.


You lost me. Why can an attacker do this to Firefox's telemetry, but not when I visit https://google.com/?


If you decide to visit google, that's your problem. Visiting mozilla should be optional too. Otherwise it creates attack surface area that wasn't there before.


Okay, so in conclusion, the attack vector from analytics that people spill dozens of comments on in every Mozilla thread is not unique to Firefox but rather shared with every website on the planet.


Yes. Except in most cases people aren't sent to $website unless they request it. That Mozilla does this is an opsec failure for anyone using it.


If any network request will result in this vulnerability, then why do you have an Internet connection at all? This isn't a Mozilla problem.


I can decide to connect only to trusted hosts. Having an automatic connection breaks that limitation.

You ask for a real attack, but you don't seem to accept the example that you were given. I'm not sure what your point is.


The last half of your comment describes such a scenario.



