If you want to use Firefox sync IIUC you can define a new pref `services.sync.prefs.sync.dom.private-attribution.submission.enabled`. However this has always been flakey in the past for me. (I think maybe the sync prefs themselves don't sync?)
Now I install an organizational policy that sets the prefs. I use NixOS to apply this and it looks like this:
Basically, you need to create a `user.js` file in the root folder of your profile; you can find/open the profile folder using about:profiles or about:support (default path is `~/.mozilla/firefox/${profile-name}/user.js`).
You can sync it however you like, e.g. upload it to your dotfiles repo and symlink with stow, etc.
The syntax is:
user_pref("dom.private-attribution.submission.enabled", false); // Disable Privacy-Preserving Attribution
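An added example, not part of the original comment: a POSIX shell sketch that pins this pref in the `user.js` of every profile under a Firefox profile root and reads back the effective value. The function names (`ensure_pref`, `pref_value`, `apply_to_profiles`) are hypothetical, and treating a directory as a profile only when it contains `prefs.js` is an assumption.

```shell
#!/bin/sh
# Added example: idempotently pin a pref in each profile's user.js.
# Function names are hypothetical; the pref name and the default Linux
# profile root (~/.mozilla/firefox) are the ones given in the comment above.

PREF='dom.private-attribution.submission.enabled'

# ensure_pref FILE NAME VALUE
# Rewrites FILE so it holds exactly one user_pref line for NAME.
# Any earlier line mentioning user_pref("NAME" is dropped (commented-out
# copies included); all other lines are kept in order.
ensure_pref() {
    file=$1
    name=$2
    value=$3
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        # grep -v exits 1 when nothing is left to print; that is not an error here.
        grep -vF "user_pref(\"$name\"" "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# pref_value FILE NAME
# Prints the value of the last uncommented user_pref line for NAME
# (the last one wins when a name is repeated). Prints nothing if NAME is absent.
pref_value() {
    file=$1
    # Escape dots so the pref name is matched literally by sed.
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s/^[[:space:]]*user_pref(\"$esc\",[[:space:]]*\(.*\));.*$/\1/p" "$file" | tail -n 1
}

# apply_to_profiles ROOT
# Pins PREF=false in every profile directory under ROOT and prints how many
# profiles were touched. Assumption: a real profile directory contains
# prefs.js, which keeps us out of folders such as "Crash Reports".
apply_to_profiles() {
    root=$1
    count=0
    for dir in "$root"/*/; do
        [ -f "${dir}prefs.js" ] || continue
        ensure_pref "${dir}user.js" "$PREF" false
        count=$((count + 1))
    done
    echo "$count"
}

# Only touch real profiles when asked to: ./pin-pref.sh --apply [ROOT]
if [ "${1:-}" = "--apply" ]; then
    apply_to_profiles "${2:-$HOME/.mozilla/firefox}"
fi
```

Firefox reads `user.js` at startup, so restart the browser and confirm the value in about:config afterwards.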
Thanks for providing these instructions. My usual way to get to some setting in Firefox is to use the search box but it seems that Mozilla is actively hiding this one by excluding it from search, i.e. if you type "advertising" into the settings search box then there are no results.
That is because "Allow web sites to perform privacy-preserving ad measurement" doesn't have the word "advertising" in it. Granted, the current phrasing is a bit awkward and may have a certain degree of deliberateness behind it.
It seems the search matches on the text of the option, not the section text. The text of the option is "Allow websites to perform privacy-preserving ad measurement" and the search for me brings up the option (and of course anything else that matches) when I search for any of that.
It's great that there is a way to turn it off, but the root problem, again and again, is that it is on by default without obtaining the user's opt-in consent. The company (again) made a unilateral decision about what the software should do, without asking the user. This is such a common, terrible practice of Silicon Valley.
I don't care if the feature cures cancer or gives me a free puppy. I don't want a feature running without my explicitly commanding it to run.
> It’s clear in retrospect that we should have communicated more on this one
What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson. The user outcry was utterly predictable from even before the first web article was out. The fact that no one with decision power at Mozilla saw it coming is worrying: either they have zero understanding of people’s concerns for privacy or they don’t care. Neither is good.
> The fact that no one with decision power at Mozilla saw it coming is worrying: either they have zero understanding of people’s concerns for privacy or they don’t care.
Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end. Criticism of Mozilla in general is very warranted right now, but the way(s) in which everyone is doing so just feels very out of touch with the actual situation. ;P
They're - by their own words - trying to do something in a privacy preserving way because the ad industry is not going away. They might fuck it up at first, and that's why it's an experiment. It's also possible to disable it, it's not like you're trapped in it.
This thread in general feels like it leaves Mozilla no room to experiment or find any form of growth. People want them to be "just a browser" but then also expect them to be stewards of the web - and then cry foul when they actually try to find a setup that fits into the current model of the web.
> Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end.
That’s the second option: they don’t care.
> This thread in general feels like it leaves Mozilla no room to experiment
If you’re going to experiment with something that’s going to cause this amount of backlash (and my criticism is that they didn’t take the obvious reaction into account), you show a dialog on first run that tells you what the feature is, perhaps include a “Learn More” link, and have an option to accept or deny. You can even have the former as the default. And do it in your betas first.
Would that still cause some backlash? Possibly. But it would’ve been significantly milder and you would have seen a lot more defence of Mozilla for not doing without asking.
Mozilla in particular is frequently pulling crap like this and getting flak for it. They have to constantly apologise and back track. After a while you’d expect they learned something.
> Mozilla in particular is frequently pulling crap like this and getting flak for it. They have to constantly apologise and back track. After a while you’d expect they learned something.
Well, they learned: they fuck up, backtrack & apologize (it is free, no real impact, so no worries), and life goes on.
> Or the third option: they feel the tradeoff of HN & co's criticism style is not a big deal in the end.
Well, right now, with their dwindling market cap, I feel like their only userbase is HN & co's type of user.
They repeatedly failed to increase their user base with non privacy conscious adjacent communities. So antagonizing the ONLY folks that go through the trouble of installing a non default browser to have a worse user experience seems like a big brain moment.
I wonder what the market share in that segment is? From my experience, startup types almost exclusively use Chrome or Safari. Firefox doesn't even register with most devs.
It seems somewhat questionable whether or not it is possible to sustain something as complex as Firefox based on users like us. There might not be enough, or enough people willing to pay.
They’d be really screwed if Google didn’t give them a good deal. Somewhat wondering if Google just keeps them around to stave off the appearance of being a monopoly.
The web seems to have gotten pretty unsustainable in general. Might consider upgrading to Lynx or something like that.
> It seems somewhat questionable whether or not it is possible to sustain something as complex as Firefox based on users like us.
I have this crazy theory that Firefox could be completely sustained by users willing to pay for it.
I mean... Mozilla Co definitely couldn't be sustained by users money only, but Firefox could.
The only path I can see for a healthy web (if this is even possible right now) is to completely liberate Firefox from Mozilla's shackles and mismanagement. A free and open-source browser should be treated more like a public good, such as a Linux distribution, than a money-making machine.
What you call Stockholm syndrome, I call reality. ;P
This is an area that we are stuck contending with. Legal solutions are needed here but that path is mired by complex and powerful lobbying. If Mozilla can push for a more private or more protective - even if not fully private or fully protective - then I’d like to see where it goes.
Firefox has 3% market share. Completely refusing to engage with your enemies only works when you have the actual guns to back that attitude up.
If you refuse to engage with the ad industry they just ignore you. Oh and the company that owns a large part of the world's ad industry and owns the browser that has 65% market share also pays like 90% of your bills.
I mean, what's step two of your glorious plan to charge fists raised into battle?
> The advertisers get your data either way, so why not use Chrome?
You might believe that the advertisers get less of your data if you use Firefox.
Similarly: you might be less likely to have your house burgled if there are locks on the doors and a burglar alarm, even though people with those things still get burgled sometimes. You might be less cold outdoors in winter if you wear a parka, even though it's still cold. You might be less bored if you buy/rent/stream some interesting books, music and movies, even though having those doesn't guarantee never being bored. You might be less likely to lose your next chess game if you practice tactics and learn openings, even though you'll still lose if you play Magnus Carlsen. You might be less likely to have a heart attack or stroke if you take those antihypertensives the doctor prescribed you, even though those are still tragically things that can happen to anyone. Etc., etc., etc.
Very few things are absolute and perfect. It's usually a matter of "less" versus "more".
This latest thing gives advertisers more information about me than they would have if Firefox didn't do it. (Unless I turn it off, which in fact I have done.) It doesn't give them very much information about me. I'm pretty sure they would get much more information about me if I switched to using Chrome (e.g., because Firefox supports better adblockers).
For the avoidance of doubt, I do think Mozilla should have made more noise about what they were doing, I do think there's a repeated pattern of them putting things into Firefox that their users don't really want and hoping no one will notice[1], I do think that says something bad about how Mozilla is run, and I would be happier if the Firefox project were run by people less inclined to do such things. But none of that means that you might as well use Chrome instead of Firefox, if you happen to value the things that Firefox still does better than Chrome.
[1] Actually, I think they know perfectly well that some users will notice, and they've decided it's overall better PR to do the thing quietly, wait for people to complain, and then say "oh, whoops, we should have been more open about this, we're so sorry and will totally not do the same thing again in six months".
> You might believe that the advertisers get less of your data if you use Firefox.
Shortly as Chrome implements Privacy Sandbox, both Chrome and Firefox will support the same levels of advertising tracking. For Chrome, this is a privacy upgrade of sorts, but for Firefox, this is a definite downgrade.
As Firefox converges on Chrome in this area, the privacy advantage evaporates.
Does Chrome do anything equivalent to Firefox's "Enhanced Tracking Protection"?
Chrome forces extensions to use "Manifest v3" rather than "v2", which cripples some ad-blockers; in particular, the full version of uBlock Origin will run on Firefox but not on Chrome. (I'm not sure of the details about the v2->v3 migration; maybe that isn't universally true yet. If not, it will be soon.)
"Reduces" and "evaporates" are not the same thing. I see the case for the former, not for the latter.
I don't believe that, and have no reason to believe that at this point.
Any browser that makes me monitor their changes for privacy destruction is basically just chrome with more steps.
Actually it's the other way around. As long as Firefox only has a negligible market share, advertisers are not going to care about it enough to work around Firefox-exclusive tracking protection forever. Regulators are also not going to be concerned that Firefox makes certain business models harder because it is insignificant.
I know it feels right to say that. But really, do you think the majority of people who switched from Firefox to Chrome did it because FF did not address their privacy concerns? Seems ridiculous. However bad FF is, Chrome is much worse.
It seems far more likely that the remaining 3% are the few people who care, and therefore, "pulling this shit" did not cause the current market share.
> This thread in general feels like it leaves Mozilla no room to experiment or find any form of growth.
Mozilla is welcome to experiment. The issue here is:
- The default opts the client in instead of the client making that choice to be a Guinea pig in the experiment
- I get emails almost weekly that amount to Mozilla playing the role of internet privacy police. They *are* well aware of the rights and wrongs. Are they going to call out themselves?
- As for growth? How about paid pro-privacy email hosting? And a suite of applications (a la Google docs)? Advertising might not be going away but there are still opportunities that align with Mozilla's ideals and brand... And they're too busy being hypocritical internet police???
I think the worst part of the funding equation is that had Mozilla stayed on mission and invested its Google fees wisely, Firefox development could have been indefinitely funded.
Instead, we have had Mozilla sprawling in numerous directions secondary to the browser and failing in nearly all of them.
That is the problem, people want to run a modern corporation with its tentacles always reaching and growing instead of focusing on a core business proposition that they can win at.
If you don't grow at double digit percentages year over year, are you even trying?
> The default opts the client in instead of the client making that choice to be a Guinea pig in the experiment
I think this is a reasonable critique, even if I personally don't find it a big deal. If it's privacy preserving, I don't necessarily give a shit if it's defaulted on - especially if there's a way to disable it.
(IMO, defaulting it on and then widely announcing how to disable it is what they should have done, and their bungled communications on this is biting them)
> I get emails almost weekly that amount to Mozilla playing the role of internet privacy police. They *are* well aware of the rights and wrongs. Are they going to call out themselves?
Why would they call themselves out here...? They have stated, very bluntly, that they are trying to do something in a privacy preserving way. They are acting in line with their stated intentions/role/etc.
> As for growth? How about paid pro-privacy email hosting? And a suite of applications (a la Google docs)? Advertising might not be going away but there are still opportunities that align with Mozilla's ideals and brand... And they're too busy being hypocritical internet police???
Those are wholly separate business ventures, whereas dealing with the advertising behemoth is an unfortunate part of the browser ecosystem today. Someone, somewhere, is going to have to contend with this - and Mozilla is somewhat uniquely positioned to explore here.
If you think Apple or Google are going to do it without perverse incentives, then I don't know what to tell you.
We all lost our minds when Google tried to pull their privacy-preserving Federated Learning of Cohorts thing. I expect an even bigger outcry when Firefox, whose entire brand and reason for existence is privacy, quietly tries to do the same thing.
> People ... expect them to be stewards of the web
Do people really expect that? I'm glad they're part of whatwg etc., but I'd much prefer they just made a good browser instead of tooting their own horns about how much good they're doing for society. In the end I think society would have been better off if they'd just focus on good tech like Gecko/Servo and Rust and not bothered with all their side stuff.
One reason is that the people who would be promoting Firefox aren't.
Personally I feel mostly ashamed to admit I'm using Firefox. In theory Firefox is great. In practice they are coming up with new ways to treat their core user base badly.
That is because Mozilla has consistently moved Firefox in the direction of a Chrome clone.
When Firefox started it was not a copy of existing browsers. There is no reason it would have to be now. But they have rejected their core users. So now the only option left is a Chrome clone because that is what people are used to.
People used to have a dozen different instances of IE6 open. It was a pain to switch between them and it made your computer run slow. Firefox had tabs. And it had AdBlock. Those were things people wanted.
But these days, Chrome is plenty good enough for most people. Even if Firefox had a perfect privacy story and focused on their core users’ every whim, I don’t think their market share would grow.
Well then they need to close up shop or think of something else, because adding more ad tracking isn't a feature to anyone but predatory advertisers, and they will only keep paying you if users keep showing up.
For what it’s worth, I agree. Adding more tracking definitely isn’t going to help. But I don’t think there are any easy solutions. I definitely don’t envy the people in charge of Firefox’s product strategy.
Even if it was a credible idea, how exactly do you think that Firefox - the browser that the minute anything changes, the internet blows up over - would significantly alter their product in a way to differentiate themselves from Chrome?
This isn’t even getting into base level stuff like available engineering resources, or the scenarios where the other vendors often control or have deals to give them favorable distribution on platforms.
This isn’t the IE6 era. It’s a significantly different and harder problem.
> Even if it was a credible idea, how exactly do you think that Firefox - the browser that the minute anything changes, the internet blows up over - would significantly alter their product in a way to differentiate themselves from Chrome?
You're presenting it as though any change would be met with hostility, but the alternative is that they're only met with hostility because they keep making changes that hurt the users. A little while ago they announced that they were working on properly supporting vertical tabs and tab groups; that wasn't met with any hostility. Of course, in the same announcement they said they were planning to dumb down the rest of the interface even more, which was. But the point stands; they can get a positive reaction by making changes their users actually like, they just don't do that as often as they do the other thing.
For one, not throwing out their only differentiated advantage versus Chrome. For two, not taking the option that removes user control and customization whenever there is an option to do so. They could have been the privacy-focused browser, but it is still full of crap like this and various bits of undisclosed telemetry.
There would be value in being the only browser to actually stop when users tell them no. But they seem incapable of listening.
> They could have been the privacy-focused browser
I don't see how trying to find a privacy-preserving way of dealing with the ad conundrum makes them not a privacy-focused browser/company.
You'd need to otherwise cite something re: undisclosed telemetry, considering the project is open source... so I'm not sure how exactly it'd be undisclosed.
> When Firefox started it was not a copy of existing browsers.
IIRC, when Firefox started, it was very similar to the full Mozilla Suite with some features removed (which is not surprising, since it started as a Mozilla Suite derivative and they shared a lot of code). It has a long lineage going back to the old-school Netscape Navigator.
I have already noted in my other comments that I think the desire for opt-in and/or way more notice with how to opt out is a very reasonable take, even if I don't necessarily agree with it.
There's no need to imply that people don't comprehend things here. ;P
> It's also possible to disable it, it's not like you're trapped in it.
Or so they say, in order to make people be OK with it. They might play the waiting game and in a year or two will make the setting not do anything and still collect / send data, hoping that by that time people have forgotten.
There is so much hypothetical-borderline-conspiracy-theory packed in to this single comment that I cannot find a charitable response.
I'd be fine to continue the discussion if you can find a way to engage without assuming that the people who build one of the last checks on the open internet are somehow trying to maliciously invade your privacy.
The days of Mozilla having earned the benefit of the doubt are long gone for most people.
The person you replied to made a reasonable point and your response reads as defensive and dismissive. Do you have an interest in Mozilla we should know about?
Eh, I don’t think my comment is defensive. I also could’ve just ignored the comment.
I explained to them that I’m open to discussing but there’s nothing to be gained when the comment starts off in conspiracy theory. It’s an open source project, people will 100% notice if they tried to do what the parent comment is suggesting.
> It’s an open source project, people will 100% notice if they tried to do what the parent comment is suggesting.
No-one thinks they'll lie about it. They'd announce it quietly just like this change, letting the fuss blow over. The average user would never even realise and Firefox would continue on its journey towards user hostility.
You’re certainly welcome to read it however you’d like.
OP specifically said “make the setting do nothing while still collecting the data”. I don’t know about you, but a setting that acts like that would be akin to lying.
> OP specifically said “make the setting do nothing while still collecting the data”. I don’t know about you, but a setting that acts like that would be akin to lying.
Well, that is what Firefox did here. They created a new feature, defaulted it to on, in direct contradiction to user choices. We know this because this Web Site Advertising feature defaults to on even where the user has the strictest level of tracking protection enabled and even when the DNT option is selected. Even so, Mozilla has decided that this form of tracking is not covered by those clear signals of user intent.
So why not believe that Mozilla will do this again. Deprecate existing tracking choices and enable Web Site Advertising tracking for everyone. Like this change, it would be announced and decried and ultimately used by the majority of users who don't follow browser changelogs.
What will happen is that privacy advocates like me will recommend not to use Firefox, as it's functionally equivalent to Chrome in this respect and far less supported, and Firefox will continue to die.
This pains me as a former contributor and advocate, but it's almost inevitable now unless a privacy-focused non-profit can fork Firefox and leave Mozilla to its decline. I would even pay for a Firefox fork, but I will never donate to or purchase again from Mozilla.
No, let's be very clear here: what Mozilla/Firefox did here was default users in to a setting without good notice on how to opt out.
This is different from what was said in this thread, which is making the setting do nothing while still collecting the data. If you disable the setting/opt out, then the data isn't being collected.
> No, let's be very clear here: what Mozilla/Firefox did here was default users in to a setting without good notice on how to opt out.
That's a framing so charitable to Mozilla that it is untrue. Again, do you have an interest you should be declaring in this conversation?
> This is different from what was said in this thread, which is making the setting do nothing while still collecting the data.
No, it's not. It ignores the Strict Tracking Protection and DNT settings and opts in users to tracking. It's absolutely identical to the possibility posited by the other commenter.
For all your pontificating above about other people's comments, it seems the only person commenting in bad faith is you.
I don't see how it's conspiracy theory. Firefox has done exactly this over and over again. (The latest example that annoyed me: browser.proton.enabled =false)
As a user of Firefox, I feel like I'm in a constant battle with Mozilla/FF to disable every new bad idea they have. Every time I'm forced into a surprise update I didn't ask for/try_to_install, something gets worse. This isn't an unusual state for commercial software, but Firefox is supposed to try to not be commercial.
Firefox has been dependent on Google for ages, that should tell you all you need to know about "conspiracies".
I am not interested in a discussion with a person who gives the benefit of the doubt to a company that has clearly not only made a Faustian deal but is now looking to expand partnership with the people that nobody wants tracking their machines and activities.
Because as we both know, in the entire history of humanity there were NEVER any conspiracies when there is money to be made, right? Wink wink.
Well, no, that doesn’t tell us anything about conspiracies. That’s just Mozilla getting money from Google. You can argue that it’s problematic from the stance of Google using Firefox to argue they don’t hold a monopoly - and I’d agree with you there.
That deal with Google isn’t enough to leap to the conspiracy theory here though. The ad industry isn’t going away, Mozilla seems to want to try to make it work for all parties.
If you want to let perfect be the enemy of good, though, go for it. shrug
That is incredibly reductive and entirely misses the scope of the issue. It isn’t just HN. In case you’ve missed it, the article is not an HN page but a separate website. The comment I replied to linked to Reddit. It’s all over Mastodon. I’ve seen other blogs and publications commenting on it too.
Yes, of course a large number of people won’t talk about this in six weeks, let alone six months. On the other hand you’ll have ex-hardcore fans complaining about it for over six years. I still see people talking about the Mr Robot debacle and the other crap Mozilla has pulled to this day. If anything, Mozilla is more susceptible to this backlash than the average tech company. Regular computer users don’t give a rat’s ass about Firefox. The people Mozilla needs to convince are exactly the ones they keep alienating.
They might be correct but this thinking is also how Mozilla lost most of their German market share due to Cliqz. They assumed people would not care but they did. Also this is trending on /r/all on Reddit right now.
If this were, say, Adobe, I’d agree with you. HN as a community doesn’t have much clout in the design or video space.
This is Mozilla we’re talking about, though. HN is exactly the sort of audience they need on their side. That bunch of nerds is the same group they relied upon to evangelise for them during the IE era.
Mozilla might just have decided that that's no longer the case: that their funding from Google does not depend on nerds advocating for the browser. That is, either they came to the conclusion that Google will continue to fund them even if the market share continues to fall or they have decided that the end is inevitable and are just trying to milk the cow for all that she's got.
This comment shows such a lack of context of the history of Firefox that I wonder if it's trolling?
Firefox exists and reached its peak because of the people that ideologically cared about the Web and interoperability, security, privacy, etc. who contributed to and advocated for Firefox.
This bunch of nerds creates software, including for the web, and sometimes there's an option to test it on Firefox or not. Nerds also recommend browsers to friends and family.
Companies know this but they don't care because there are rarely any consequences that cannot easily be mitigated with cheap PR tactics. Even now you are responding to a PR statement that is trying to reframe the issue as users simply not understanding what Mozilla is doing when in reality Mozilla knows full well that this goes against the explicit wishes of a large part of their userbase but have chosen to enable this anyway. This isn't a communication issue. This is a fundamental "who does Mozilla serve" issue.
> What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson.
They are trying to find a funding model that makes them independent from Google.
- Building a fast, privacy-oriented browser that keeps up with web standards and fixes security bugs takes people, organisation and therefore money. Yes, much more than that CEO salary.
- No one wants to buy a browser.
- No one wants to pay a subscription fee for a browser.
So you are left with ads. Mozilla is trying to find a balance there between privacy and ads with a clearing house approach. People who hate ads out of principle scream. How should browser development be funded?
One of the most common Mozilla complaints I see on the web is that you cannot fund Firefox development directly. People want to give money to it, but cannot.
Which makes sense, I guess. Anecdotally, Mozilla is by far the company I know with the most vocal users that get completely ignored.
Which is easy money that Apple uses for the company as a whole. They don’t make Safari because of Google’s money nor is it likely they would stop developing it if that money was no longer paid.
If the Mozilla foundation creates a donation button with the condition that the money goes solely to browser development (no CEO salary or political activism) I will donate.
Except that it's a well-known fact that none of your donations for the foundation ever go anywhere near Firefox itself, since Firefox is spun off as their commercial sector to accept Google's money.
Mozilla has tried experiment after experiment to try to earn money. Let's try forcing Pocket down people's throats. Let's automatically install Mr Robot. You know what people will love? Full-page ads for a VPN! No one has seen enough VPN ads!
The one funding model they haven't experimented with at all is actually asking people to pay for Firefox. Donations or subscription, they haven't even tried it once.
And yet people will over and over again insist that that would never work. Doesn't that strike you as odd? They're willing to flail about trying thing after thing after thing that their users hate and yell about and they end up having to pull back, they're willing to burn credibility over and over again, but the one funding model that their users keep telling them they want they refuse to even try on the grounds it would never work.
I do expect that's the next step at Mozilla - locking features behind paywall with some premium plan. Cloud sync probably will fall into that basket. And if that eventually won't work - they'll surely announce it's time to "sunset".
Personally, I think that's what they should've been doing all along. If it doesn't work at this point, it's because it's too late, and they've already burned enough of their credibility that people don't want to give them money anymore.
> And yet people will over and over again insist that that would never work. Doesn't that strike you as odd?
Not really. Perhaps they know enough about this that they believe it wouldn't work. How much would you pay for Firefox per year? How many people would pay that figure?
At the same time, even a tiny bit of friction is enough to get people over the mental hump of paying for something.
They could easily gate off certain features behind a paid build, so either you pay or compile it yourself from source. Downstream packagers could of course do whatever they want (eg Debian). However, it creates a minor amount of friction for a relatively large fraction of the user base, and moreover sets the baseline expectation that this is not really "free as in beer", even though it remains "free as in freedom".
See also: Sublime Text, which, despite being closed-source, is 100% free-as-in-beer to use in perpetuity, and yet somehow they make enough money to not only continue development, but even start developing other products (Sublime Merge), even as their brand recognition wanes and their competitive advantage shrinks.
It doesn't have to pay for the entire Mozilla organization, it just has to bring in more money than the random other stuff they've tried. That's not a very high bar to cross.
You can even donate money today: https://foundation.mozilla.org/en/donate/
From memory, Mozilla's spent years trying to get donations through asking people nicely and in relatively unobtrusive ways in-browser for years. You can even give monthly - a subscription, if you will.
Not only have they tried both donations and subscriptions, but their efforts have been resoundingly ignored. To the point where you are far from the first person to fault them for supposedly choosing to not do what they demonstrably do.
Perhaps people suggest that donations and subscriptions don't work well or reliably because there's history showing that.
> At one point Mozilla was literally selling a VPN subscription. That point is now - you can go buy one today.
I don't want a VPN. And I don't want to pay money to a Mozilla VPN of which some unspecified percentage will actually get used to pay for Firefox development (with the rest actually paying for the VPN). I honestly feel my money does more harm than good paying for the VPN because it creates a false impression of where the demand is.
I don't want a subscription to an unrelated service, I want a subscription to Firefox. I want my money to go into a stream that unambiguously shows my support for the single Mozilla project that I care about.
> You can even donate money today
That money will not (and I believe cannot) go to Firefox. As presently structured the corporation does all Firefox development, and the corporation cannot receive money from the foundation, so donations to Mozilla do nothing for Firefox.
> Not only have they tried both donations and subscriptions, but their efforts have been resoundingly ignored.
Not ignored, for the reasons stated above they haven't actually done what you say they've done.
Especially since this is very similar to what happened with Cliqz and that there likely are many at Mozilla who were around when that happened too. And the Cliqz scandal hurt Mozilla's market share a lot in Germany.
They don't care. It is not the first time, always the same excuse and blame the user to not be intelligent enough to understand (this is what communicated more means in their broken by profit minds).
> this is what communicated more means in their broken by profit minds
"We should have communicated more" seems like a passive-aggressive way of saying "Oh, you poor simpletons... We should have talked slower, used more, simple words, and been more persuasive. We failed to properly explain why you're wrong. If only we did that, you'd more readily accept what we're giving you."
> What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson. The user outcry was utterly predictable from even before the first web article was out.
One possibility is they knew there would be an outcry but estimated that the loss in user support because of it would be limited enough that the upside of having the majority of users with the setting left on wins.
it's a classic abuse tactic: if you ask first, people will cry out and if you then do it, it'll be considered escalation on your part. so instead you do it first, and if possible, do something worse to begin with, and then when there's outcry, you take a small step back, claim to be the reasonable one, and then later on push the rest of the way.
> It’s clear in retrospect that we should have communicated more on this one
Oh maaaaaaaaaaaan do I despise hearing variations on this "non-pology."
It's never "Wow, we fucked up by doing something harmful to you." It's always, "My bad, I failed to explain exactly why you're wrong to think this is harming you. I take total responsibility for not explaining why this is actually good for you. I'll try again."
Let's be honest, the number of HNish folks running Firefox is insignificant, compared to number of people using Firefox because their friends recommended it. So even if let's say 1% of the users (HN and similar folks) perform an outcry and go ahead disabling it, the other 99% of the people will still be a huge moat of data. These strategies (though I am willing to give Mozilla the benefit of doubt), had been played out many times, "oops we did this ... emergency update to fix it ... we are releasing this now officially, agree to our terms if you want to continue ... you can always opt-out ... slow boiling frog metaphor ... this is now permanent with the option to disable is gone and forgotten about".
Y tho? I run firefox and chromium side by side all day to isolate personal from work and chromium crashes constantly on a 64GB machine. Chrome uses so much more memory.
> What isn’t clear, in retrospect or otherwise, is why companies/apps/services need to keep learning this lesson.
Please. This is never about learning and better communication. This is universal corporate English for: "you got us, but we really don't give a flying ef and we will fulfill our goals step by step - no matter what you say".
Step 1 - outrageous move
Step 2 - apologize, progressively pull back
Step 3 - people spread word they made it better
Step 4 - stick to still outrageous but comparatively better "middle" move
To really give it any excuse anymore. And so have you. If "Unity" tells you nothing... I'd like that rock, please, I'll need it to survive the incoming 4 years of social media.
Once you start assuming that every apology is fake and in bad faith, the world quickly goes to shit.
I'm not saying it's impossible for apologies to be in bad faith, just that if it becomes impossible to apologize and move on after making a mistake, it becomes impossible to do anything productive.
Holding corporations (or anyone) to account requires having some way for them to rectify their past sins.
Otherwise this is just vengeance. If you never forgive there is no rational reason for corporations (or anyone) to stop doing whatever objectionable things they are doing, since it would already be a sunk cost.
Honestly, having worked at companies that made unpopular product decisions (nothing like this, but still every company puts its foot in its mouth sometimes), it can be surprisingly non-obvious what gets people bothered and what doesn't.
We always see the decisions that blow up, but we don't notice the thousands of decisions nobody cares about. Sometimes it really does look like just another minor feature request at coding time.
> it can be surprisingly non-obvious what gets people bothered and what doesn't.
Agreed in general, disagreed in the specific Mozilla case. They’re an internet-related company where “privacy” is one of the stated core goals, yet they’ve stuck their foot in their mouth so often they could open a shoe shop. Failing to see this one is at best incompetence.
Key comment replying to him there which gets no reply from him: "Opt-out is NOT a consent".
This is very problematic, see my last comment: https://news.ycombinator.com/item?id=40966312
> First, in the absence of alternatives, there are enormous economic incentives for advertisers to try to bypass these countermeasures, leading to a perpetual arms race that we may not win.
It's very likely that this arms race will lead to DRM in web publications and video feeds (which Google is already experimenting with).
I will begrudgingly admit he has a point here. In a few years I imagine almost all sites will refuse to serve anything without WEI, and the "open" web will be the preserve of a few hobbyists. Annoyingly you'll still need to use a compromised browser (or worse, app) to do anything with your bank, etc.
Yes, the kneejerk reaction against FF here isn't really thinking things through. Mozilla has to walk this tight rope since ad companies own the web already.
Realistically, the best outcome at this point is that enough users are willing to send enough data to advertisers so they allow the open web to continue.
The alternative is that sites will eventually only work in Chrome or Safari on limited, locked down platforms (read: no Linux support at all).
This is an attempt to try. You don't win by being an immovable wall going against the biggest corporations. If the W3C manages to create a system that satisfies advertisers while preserving our privacy, that's how you win. There isn't a future where advertising will just disappear. I'm just being pragmatic here, as a user of ad blockers for 15 years.
It's not an attempt to try, it's reputation management. There is no 'anonymization' of data, because the advertising companies Mozilla is selling your data to now have almost 20 years of profiling that can effectively identify people through "anonymous" results. This has been known for years. Mozilla knows. They don't care.
Most advertisers will not be satisfied with that. The real question is if regulators will be and therefore can use this as a reason to clamp down on advertisers. If so this might work, but I am skeptical. And either way it was wrong of Mozilla to sneak this in as opt-out.
I can see the economic argument, but I am not sure that I buy it. W3C could push this as a standard, but surely anything that is privacy preserving will by its very definition provide less data for advertisement targeting, no? With less data, the targeting is likely to be worse in terms of advertisement efficiency. Thus, the economic incentive even in an ideal situation as with a W3C standard will be pushing any advertiser to "betray" the system and fall back on the very arms race that Mozilla is arguing that they are trying to avoid, no?
At best, politicians could jump on the "solution", but then why are Mozilla not already lobbying in that case? Why is the first party they are reaching out to the wolf in this drama?
Regardless, Mozilla has lost me at this point as a user. This being opt-out is inexcusable and I will find ways to gravitate away from them as I should not need my poor package maintainers to be paranoid with their upstream code in the same way they have to be with Chrome in order to protect us from developer abuse like this. Will try Mull on mobile now, hopefully it is viable, and see how I solve the desktop situation when I can find the time.
An immovable wall is exactly what is needed to confront big corporations when they behave abusively (and intrusive profiling is an example of this). 'Pragmatism' here is just acquiescence in creeping surrender. Look what advertising has already done to the web and privacy.
Except being uncompromising is exactly how free software won. And compromising on EME DRM did not make websites using that DRM any less restricted to popular platforms. Compromise is not a winning move when what you are fighting against is fundamentally unacceptable.
Which will lead to counter moves by alternative browsers and websites and Google risking the loss of browser market share. If you think this is unthinkable, just look back at Microsoft's dominance of the browser market twenty years ago. Exactly like Google is doing they were pushing through all sorts of user hostile stuff via internet explorer. Before Chrome came along, Firefox was one of the few holdouts against them. Internet explorer users were dealing with all sorts of crap. Popups, popunders, all sorts of viruses, cross site scripting attacks, etc. Mostly that was just a mix of poorly designed features but there was also MS trying to get into search and advertising and they were trying to abuse their de facto monopoly to do that.
I don’t disagree with you in principle, but this history is not quite right. IIRC the IE6 team was shut down. Basically only Mozilla and Apple were building browsers at scale until Chrome came along.
Yes, you are definitely missing a decade here. The internet explorer/edge team was shut down long after Google grabbed most of the market share.
Chrome was launched 2008; Safari had its first release in 2003. And I was using the early Phoenix builds (later the name change to Firefox happened) in 2001. The version of internet explorer around the time Chrome launched was v7. IE 6 was already old news by then. And IE 8 launched soon after the Chrome launch. 9, 10, and 11 followed. And then the switch to Edge happened; which was a complete rewrite of their browser engine. Only in 2020, MS announced switching to Chromium. So, that's about 12 years of MS trying to hold on before they finally gave up.
Wait aren't browsers already trying to implement anti-tracking measures? Are you saying Mozilla has been holding back improving anti-tracking for the benefit of advertisers until now? Now that is evil
> Wait aren't browsers already trying to implement anti-tracking measures?
Yes, and trackers are investing large sums of money into breaking those measures.
If you give advertisers a lawful non-user-threatening way to measure their ads performance, a lot of that money may disappear.
(Or it may not, or it may disappear either way. That one market is crazy and I know almost nothing about it. But the claim that the money may disappear is valid, and you have to provide a valid counter-claim if you want to contest it. Calling it evil doesn't cut it.)
But this is exactly what I wrote that I don't believe in my initial comment. There'll always be more money in more intrusive tracking. Why would they give that up? Surely Mozilla is selling out to advertisers based on something more substantive than "we hope that advertisers won't keep taking a mile if we give an inch"?
Which is one of the main reasons why it’s such a problem that the search engine with an overwhelming market share also owns the browser with overwhelming market share and is also the largest online ad company. Not to mention they pay billions each year to the other browsers. Google has a huge amount of control over every part of this.
Google is the owner of the DRM verification system, they add exception for Google robots, website only appears on Google, kills other search engines in the process
If the DRM is coming from Google, I'm sure they'll take that into consideration when designing it. Feels ripe for an anti-trust lawsuit, but IANAL so who knows.
When I wrote the comment I was imagining Google using the tech as a moat to stop other search engines from indexing DRM protected content. I guess if they shared it and "all" search engines could index the content, it would probably be fine? I'm guessing that's why Widevine is "fine".
But like I said, I'm not a lawyer and have no idea what I'm talking about.
You’ll notice that Google search now shows excerpts from things you can’t actually see visiting the site (paywalled news, paywalled scientific articles). The age of “show us exactly what users see or get downranked into oblivion” is long gone, sadly.
This has happened before. Remember the critique against Encrypted Media Extensions (https://en.wikipedia.org/wiki/Encrypted_Media_Extensions): Oh no, DRM in the browser! But remember that web video used to require Adobe Flash for the longest time, and even after a decade of HTML5 video, sites were still clinging onto Adobe Flash (and later also Microsoft Silverlight) for what turned out to be DRM purposes. At the time, these plagued proprietary blobs were not going anywhere. Except, after EME had widely supplanted this last holdout usecase, they were quietly allowed to die. The result is that we have much smaller-scoped proprietary blobs in the form of content delivery modules with a lot fewer bugs and portability issues.
The situation with Flash and Silverlight was better than the situation currently is with EME. Before, you could implement a standard-compliant open source web browser, you just may not be able to view certain non-web embeds. Now, web browsers need permission from Google to view certain kinds of web content, and they can't be open source.
And that DRM will likely come anyway and restrict users of niche browsers like Firefox and operating systems no matter what Mozilla does - just look how EME implementations and websites using it treat Linux users not to mention non-x86/ARM architectures. So best is to push back now while we still can instead of giving them an inch.
> doing something about [the massive web of surveillance] is a primary reason many of us are at Mozilla
> we consider modal consent dialogs to be a user-hostile distraction from better defaults, and do not believe such an experience would have been an improvement here.
You know what's user-hostile? Doing things without the user's knowledge or consent. The new tab page of Firefox after an update often advertises features of the release Mozilla sees important (their VPN offering, Firefox on mobile, etc.). This time the new tab page told me nothing about this change. Communicating it to me was "free" and they still actively refused to do it.
"Doing something" about surveillance starts with transparency but if Mozilla's leadership doesn't see this as important they have no place leading such a company. Mozilla doesn't seem to wrap its head around the fact that their users use Firefox because they don't want the same kind of shady tactics Google or Microsoft keep pulling, they don't want their browser control to be handed over to some guy in a board room who needs a PR team to give a lengthy non-answer to the problem.
I see a lot of words spent on why they came up with this technology but barely a mention about the biggest issue here especially from a company that presents itself as a champion of user rights: they pushed the change in the dead of night and took an actively hostile decision in the users' names by enabling a clearly controversial setting without any warning or communication.
> we should have communicated more on this one
This kind of PR speak for "we actively kept it hidden" is the best way to alienate the users who investigated and chose this browser for a reason.
> Most users just accept the defaults they’re given, and framing the issue as one of individual responsibility is a great way to mollify savvy users while ensuring that most peoples’ privacy remains compromised. Cookie banners are a good example of where this thinking ends up.
The problem we currently have with cookie banners is thanks to the browser vendors not caring about it.
An API could exist which a page can query, where the user has already pre-selected how they want to deal with cookies. For example reject all but the essential ones, reject none at all, reject some, according to certain criteria.
Even more, the browser could check if the page is adhering to the user's expectations, and if it doesn't, block it for a period of time, like a week or a month, and publish the fact that they ignored the user's wishes.
Possibly also give the user a signed document which claims that this page did not respect the user's privacy expectations, so that the user can use it in court.
This was already tried with the Do Not Track header. Websites simply ignore it. They don't want an easy way to get the user's preference. Because they know that most users would set it to decline tracking. Sites would rather annoy every visitor for the chance that they click 'accept'.
It is enforced, courts just work very slowly. Courts have already started interpreting the DNT header as GDPR-compliant opt-out that websites must follow.
If it wouldn't work, then I'd see no ads in my paper-based iX subscription, yet it is full of ads even though I'm paying for that paper.
But the paper has the benefit that the ads I see there don't collect information on me. This is what I want the internet to be.
Ads OK, but no tracking of me if I don't want it (which I express via cookies when in a browser).
Also, you should note how greedy these companies are that they show you the paywall after you have consented to the cookies in order to read the article. No hint on that accepting the cookies is only useful if you also have a subscription. When you can't read the article, they don't revert the setting of the cookies, but just pretend that they gave you access to the article and keep the cookies around for days or years.
It's not. Tracking leads to better targeting which leads to higher conversion ratios and overall higher "Cost Per 1000 Impressions" (CPM).
If you simply do "contextual" targeting, so targeting based on the page content, your CPM will go down and the publisher will lose money.
> Also, you should note how greedy these companies are that they show you the paywall after you have consented to the cookies in order to read the article
Depends on the company. News media publishers use the same system but are usually barely profitable if at all.
> Also, you should note how greedy these companies are that they show you the paywall after you have consented to the cookies in order to read the article. No hint on that accepting the cookies is only useful if you also have a subscription. When you can't read the article, they don't revert the setting of the cookies, but just pretend that they gave you access to the article and keep the cookies around for days or years.
The EU Court of Law decided that offering a subscription or mandate for cookies to be enabled is not legal as an offer. So the transactional nature you propose is currently not allowed. What is allowed is a grey area which has yet to be explored.
Older folks might remember that there were a lot of people willing to make content free, just out of personal enthusiasm, and that this content was actually a lot higher quality than that pumped out by capitalist motivation.
So, actually, users and sites both had what they wanted, just not corporations.
Although I agree that news media quality is not always great (really depends from one publisher to another), I would not really qualify random people on Twitter as "news coverage".
DNT was before the GDPR. The landscape has changed considerably since then and a standardized opt out signal being enforced is not out of the question.
He's talking about cookie banners. The issue with cookie banners is the dark patterns, but the end-goal is to obtain permission from the user to set cookies.
This requirement to constantly ask the user while using these dark patterns is what makes normal people just give up and "accept".
If the page is expected to ask the browser which preferences the user has set regarding the cookies, then this problem is gone, because the page no longer is expected to ask a person via a popup.
First there's a justification based on current anti-tracking system being bypassed:
> "there are enormous economic incentives for advertisers to try to bypass these countermeasures"
Then:
> We’ve been collaborating with Meta on this
Given Meta's track record with scooping up just about any personal data they can find, it's pretty obvious that this is just going to be yet another datapoint in Meta's collection.
To be honest, I would have used a different approach and browsers would very well be capable to give erroneous data and contaminate data from tracking users. This would be going on the offensive, and I don't believe there are any legal barriers that prevent users from "ad fraud".
I don't believe in cooperation with an industry that has shown no remorse with tracking users at all. That will not be successful. Advertisers will employ this and still track. And it is possible to not get tracked and deliver false data, even today.
Maybe I'm cynical, but the rationale given seems extremely naive. There's nothing stopping advertisers from using this new attribution mechanism and tracking users as much as possible. In fact that's probably exactly what they'll do since it's likely that not every browser will support this kind of attribution.
The arms race will continue as it does today, but advertisers will have yet another avenue to exploit in the form of the attribution API.
"The devil is in the details, and not everything that claims to be privacy-preserving actually is"
Yeah, like Mozilla.
This is not the first time they silently added tracking and advertisement. The toggle with "firefox shares basic telemetry with the adcompany Adjust" has been there activated by default since a while (among other stuff). This is just more tracking from them, while claiming to defend privacy. Another day, another scandal.
Wow. This represents a profound misunderstanding of the advertising industry.
Data is their edge. It's how they compete with each other.
The privacy "arms race" isn't just between the browser vendors and the trackers, it's also between tracker a and tracker b.
Giving them a new data point (no matter how """privacy preserving""" it is) is just that, another data point. It's not going to make them give up on the others.
Is it just me that sometimes get the feeling that when companies have to explain themselves with this amount of text, they actually know that they are doing something wrong but are trying to cover it up by these long and unnecessary explanations?
While the Wikimedia Foundation is often quoted as having cancer[1], I guess the Mozilla Foundation has Alzheimer's, constantly forgetting who they are and why they are here in the first place.
And the scandals they have been involved in the past. Cliqz was another attempt by Mozilla to invest in privacy preserving technology (that time search, this time ads) where they did a stealth launch without user consent.
Found it. Go to settings, type privacy into the search box.
The last item under "Firefox Data Collection and Use" is a check box labelled "Allow websites to perform privacy-preserving ad measurement".
It was already unchecked on mine when I looked just now.
Interestingly the option has a link to an explanation on how it works. Which was handy as I couldn't get past the German cookie dialogue on the original article.
I guess the question is whether the aggregation services can be persuaded by clever attribute manipulation to give the ad site a near unique report for a user across many sites.
Yeah on desktop. On mobile it's a lot harder. It's still turned on and you have to use a workaround to enable about:config because they don't bother to make this option visible in settings.
I don't know of any "good guys" whatsoever that ever managed to build and maintain a browser. Anyone?
Maybe one day we'll have a usable FOSS browser but I doubt it (the companies will fight tooth and nail against it including legal means, buying out companies, blocking content for them, etc.).
I think the guys that built WebKit originally (Konqueror) are kinda good guys. I still sponsor KDE with a monthly donation <3 But the browser wasn't really kept up, I don't think they had the money for it. It lives on in Safari though.
Yeah apparently you can use that to set: general.aboutConfig.enable to true
And then you can go to the normal about:config and set dom.private-attribution.submission.enabled to false
Only then is PPA actually off (apparently, I did not manage to test this yet but someone did confirm the default setting is true). Not cool. Especially because Mozilla provides instructions for the desktop version on their site but doesn't even mention the mobile version at all.
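An added example, not part of the thread and not Mozilla's code: a Python check that reads a profile's `prefs.js` and `user.js` (on a desktop profile, or on copies of those files) and reports whether `dom.private-attribution.submission.enabled` is actually off. It assumes double-quoted pref names as in the `user_pref(...)` syntax shown earlier on the page, and it takes from the comment above that an unset pref means enabled; the function names and sample file contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PPA_PREF = "dom.private-attribution.submission.enabled"

# user_pref("name", value); where value is true/false, an integer or a string.
_PREF = re.compile(
    r'\buser_pref\(\s*"(?P<name>[^"\\]+)"\s*,\s*'
    r'(?P<value>true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def strip_comments(text):
    """Drop // and /* */ comments, leaving double-quoted strings untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # skip to end of line
            j = text.find("\n", i)
            i = (n if j == -1 else j) - 1
        elif text.startswith("/*", i):       # skip to closing */
            j = text.find("*/", i + 2)
            i = (n if j == -1 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_prefs(text):
    """Return {name: value}; a later user_pref() for the same name wins."""
    prefs = {}
    for m in _PREF.finditer(strip_comments(text)):
        raw = m.group("value")
        if raw in ("true", "false"):
            prefs[m.group("name")] = raw == "true"
        elif raw.startswith('"'):
            prefs[m.group("name")] = raw[1:-1]
        else:
            prefs[m.group("name")] = int(raw)
    return prefs


def effective_prefs(prefs_js="", user_js=""):
    """user.js is applied at startup on top of prefs.js, so it overrides it."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def ppa_status(prefs):
    if PPA_PREF not in prefs:
        # Assumption from the thread: the built-in default is true.
        return "enabled-by-default"
    value = prefs[PPA_PREF]
    if value is False:
        return "disabled"
    return "enabled" if value is True else "invalid-type"


def audit_profile(profile_dir):
    """Report the PPA state for one profile directory."""
    def read(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""
    return ppa_status(effective_prefs(read("prefs.js"), read("user.js")))


# Constructed sample files, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("dom.private-attribution.submission.enabled", true);
'''
SAMPLE_USER_JS = '''/* old override, commented out
user_pref("dom.private-attribution.submission.enabled", true);
*/
// user_pref("dom.private-attribution.submission.enabled", true);
user_pref("dom.private-attribution.submission.enabled", false); // Disable PPA
user_pref("network.proxy.no_proxies_on", "localhost, // not a comment");
'''

if __name__ == "__main__":
    for profile in sys.argv[1:]:
        print(profile, audit_profile(profile))
```

A result of `enabled-by-default` means the pref was never written to either file, which is the state the comment above describes for a fresh mobile install.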
I had to go through some Gecko thing first like others mentioned, quite odd. Supposedly the setting to adjust is in there too, but I have no idea what applies here
Is there any reason to believe that the Servo project will produce a full independent browser, rather than a browser engine as their website states? The only likely outcome is that it be used in Firefox...
They really need to start adding windows as a build target at some near point in the future. As a webdev, that’s the only way I can convince the public to switch.
It's already too hard to convince public to switch from chrome to another chromium browser or firefox and you're talking about switching to browser that is at least several years away from feature parity
That would be a great day. Unfortunately the culture of Linux is still too much walled garden, not in the Apple-like commercial sense, but in the tech culture kind of way. We need a way to embrace the public without losing what makes Linux great (to hack it to your own specifications)
Because of the whole culture of GNU/FSF/Stallman, it can be a little funky at times. It has been a while but I think it still comes bundled with LibreJS, an addon that checks every JavaScript for Libre licensing. And yes it can be disabled.
I get it and I like the idea but it does make for a difficult up front experience.
There are surely to be diminishing returns for sure. Ladybird is clearly improving this fast right now because the devs are picking the low hanging fruit. But we also don't need 100% parity before Ladybird is usable. And when users pick it up then it begets more donations and more dev resources, which means more improvement. So there is reason to be optimistic.
Slow is the price we'll have to pay. Just like how VPNs slow down your connection
Or, if one dreams for a moment, if slower becomes the norm, web apps will have to become less complicated. Fast seems to just enable more and more ad tech
Or just don't access any content that is funded by advertising. The nonprofit web still exists. But for all content that's not someone's spare time passion project, someone's gotta foot the bill.
Yes. However, different protocols can be used for different purposes, but will need to be FOSS as well as not overly complicated specifications.
Some older protocols such as IRC, NNTP, Gopher, and email (especially plain text email and not HTML email), is one thing to be usable.
There are also some newer protocols and file formats for some uses, e.g.: Gemini protocol/file-format, Scorpion protocol/file-format, Spartan protocol (which uses the same file format as Gemini, although with an extra link type), Nightfall Express (probably the simplest one, although this means that virtual hosting will not be available), and perhaps some others.
(One thing I have read somewhere (I cannot find it now) is three rules for making such a "small web" protocol: (1) Don't make it a subset; (2) Don't make it compatible; (3) Make it better for everyone (authors, readers, programmers, etc). They also discussed separation of "document web" from "application web"; I agree with that too, although of course there is the consideration of how such a separation should be working. I have ideas about this, and I believe my own designs do follow these three rules better than Gemini and Spartan do.)
I had written my own list of what "small web" protocols/file-formats that I am aware of: scorpion://zzo38computer.org/smallweb.txt (which was originally posted to Usenet, although it has been updated since then) One way to access this file would be a command such as:
echo 'R scorpion://zzo38computer.org/smallweb.txt' | nc zzo38computer.org 1517 | less
(If you have other mirrors of this document, perhaps with your own changes, you could tell me and I could add it to the list of mirrors.)
Another proposal is the following suggestion to make a "small web browser": gemini://xavi.privatedns.org/small-web-browser.gmi (the document I linked above describes how to access this file in case you don't know) I agree with some of the points made but disagree with others; I will comment about some of these points later. (However, you could use some of these ideas for the HTTP/HTML part of a multi-protocol browser.)
Comments about gemini://xavi.privatedns.org/small-web-browser.gmi :
I do not believe that just using this existing HTTP/HTML is the way to do it (and other people also agree with me about this), although it is one way to do it, and can be combined with others.
Such a "small web" browser could be designed to support multiple protocols and file formats. So, in addition to HTTP(S), also Gopher, Gemini, Spartan, Scorpion, Nex, local files, and possibly NNTP (although this would not be as good as a dedicated news reader software, it would at least allow to read articles from a NNTP server without needing to set up your dedicated NNTP client software; Lynx also supports NNTP).
> While I do think HTTP/1.1 is good enough for most tasks [...] there are several aspects that I do not particularly like: Cookies, User agent, Referer, Etag, Cross-origin requests
I do not like these features much either. HTTP/1.1 still is good enough for many tasks, although it is still messy in some ways and more complicated than it could be, although for the purpose of accessing services that use HTTP, it will be good enough for this purpose (which is what the article describes doing). (One feature of HTTP that I think is useful that Gemini, Spartan, and Gopher lack (but Scorpion does not lack) is Range requests, although that isn't that useful for a browser and is more useful for a download manager (including command-line programs such as curl). Multiple ranges in a single request seems an unnecessary complexity to me, though.)
> Support a small subset of HTTP/1.1, supporting GET/POST, while effectively removing support for most HTTP headers.
Agree. (You could also support adding arbitrary extra headers by user configuration; e.g. the user could specify that they want to add an "Accept-Language" header or a "DNT" header or whatever other arbitrary headers they might want.)
> Support a subset of HTML5, so that embedded images, audio and video are possible.
Mostly agree. Embedded images would be useful to be able to switch on/off by the user; if off then they appear as links. Embedded audio/video is probably not useful at all; I would have <audio> and <video> commands to be displayed as a list of links (the audio/video can be viewed if you follow the links).
> Support modern CSS, possibly leaving deprecated or complex features out.
I would probably leave out most of the features, although you do not necessarily have to do so. However, important would be to allow disabling CSS (and ensure that "complying with the requirements above" (see below) means that it is guaranteed to work correctly if the user chooses to disable CSS).
> Support NO JavaScript at all, as JavaScript is one of the main sources of complexity behind a modern web browser, and is typically abused for user fingerprinting.
Agree.
> Mandate the use of TLS-encrypted connections.
Disagree. Encrypted and unencrypted connections are both useful (and the URI scheme would distinguish them; this allows end users to easily filter out any sites that do not support encryption from their local index).
> Allow integration with SOCKS5 proxies e.g.: Tor.
Agree, although in addition to this, it is also sometimes useful to be able to use local programs as proxies and to have the proxy to handle TLS (although there is some complication in handling client certificates when doing so).
> Provide passwordless authentication via client certificates, and always ask for user authorization beforehand.
Agree, with both parts. (Passwords might still be implemented too (although if you don't want to, then you don't have to); HTTP has an "Authorization" header for this purpose, and Scorpion also supports something similar (in addition to supporting client certificates if the connection is encrypted).) It will be necessary to ensure that the user can command the browser to log out at any time (both with passwords and with client certificates).
> Provide a local index of sites complying with the requirements above, so that sites can be found without the use of an external search engine. [...] Such index can be updated from third-parties, similarly to package managers like APT.
I think it is a good idea.
> Custom providers can be easily added by users, so the network remains decentralised.
This is important if you are doing the above. (Being able to manually adjust the index is also helpful; see the next paragraph for why this is helpful.)
In addition to this, there is another possibility of alternate service index; in case of a link to an unsupported service (i.e. one not in the index), it can interpret it using an alternate service (e.g. to a plain HTML version of Twitter or Mastodon, or a Gemini service that displays a proxied news article, etc). In some cases, it may be able to try to figure out from the retrieved HTML or HTTP response headers, e.g. if it is a Mastodon instance. Other times the user might manually specify them when viewing them.
> Sites accessible from it can still be accessed from traditional web browsers.
OK. (If you follow my multi-protocol suggestion above, then this is not always the case; I think it is useful to have multiple ways, and this is one of them.)
> It provides guarantees on a subset of features from the modern web that do not harm users.
OK.
> Users do no longer have to worry on inspecting which websites can be trusted, as such guarantees would be provided by the browser.
This is very helpful.
> It allows reusing existing tools, both web browsers and servers.
Yes, although it is not always desirable for several reasons, e.g. for testing compatibility. (Sometimes it is desirable, though.)
> Because of the smaller set of features, it also leads to simpler code, allowing more implementations to flourish over time.
This is also helped by my suggestion to require that it works correctly if the user chooses to disable CSS.
It additionally links to a "Native Web" document. I disagree with those ideas. It is not necessary to only allow AGPL3, since it is possible to have source code available in such a way that is compatible with AGPL3 in other ways (e.g. public domain source code without patent restrictions etc). I would use uxn/varvara which is much simpler to implement, also being more portable and avoiding the other disadvantages listed there, but it is also not as "powerful" a system and not native code, so is a different disadvantage. About hardware access, I think that it should not request hardware access but only e.g. if you request audio input, the user can specify a microphone or another program or an existing audio file etc. (Solving this also can be done in my way of designing a new operating system with "proxy capabilities"; such a system could run inside of other systems as well as stand-alone, and can run native code as well as being able to emulate non-native instruction sets, so that is another way to solve it, although it is more complicated than using uxn/varvara.)
I don't feel the need to fix the whole world. Just my corner of it.
I would use it to read my rss feeds. I'm sure we could make Hacker News discussions work. My mastodon feed could probably work too. That's 90% of my browser usage right there.
Just imagine how pleasant it would be to browse and navigate. Would be so fast, so responsive.
I really like https://geminiprotocol.net/ but I think they went too far removing images, sounds, video, and forms.
I appreciate Ladybird's initiative. But if they work with Servo, Ladybird can build the browser and Servo can focus on the engine. Also we can avoid C++ nightmare. Everybody wins.
Ladybird seems to have more momentum and be further along in development in my testing of visiting random websites. This may or may not have something to do with developer velocity of each language, genuinely I don't know but I think it's worth considering.
Regardless, from what I've gathered, Ladybird is going to Ship of Theseus their way into memory safety. It's not announced what the C++ replacement language will be, but they are working towards that.
In what way? Rendering pages CSS compatibility? I tried servo on Windows and it worked, not so much for Ladybird - granted, I wasn't feeling up to task of compiling it for Windows.
Ladybird doesn't support Windows yet because most developers use Linux or macOS. Ladybird has been progressing faster when it comes to CSS rendering and JavaScript support.
How would that solve the problem? Years down the road, if they actually finish their browser, what guarantee do you have against it being enshittified in some way? The only option I see is a project that exists to deshittify an open source browser.
So far the core idea is a sort of constitutional foundation to try and ensure it doesn't get absorbed into that thing. Mind you, that was Mozilla 20 years ago.
Short term, deshittify Firefox. Mid term, move to something like Ladybird. Long term, if Ladybird is corrupted, start on browser replacement number 2.
Alternatively, the hardest step of just walking away for heavy internet usage I guess.
And fallback to Firefox when things don't work. Which is usually on sketchy websites, websites that have heavy bot protection and fingerprinting or ones that use gpu APIs.
* There is no legal entity behind the project. Should anything ever happen with the project (it can happen, even if unlikely), there are no legal ramifications.
* The binaries aren't signed. Yes, code signing is a bit of a racket, but there is some merit in it.
* There is no auto-update mechanism. Might not seem like a big deal, but IMO it is, especially on Windows where you're recommended to rely on 3rd party client to update the browser for you. You've now added a middle man, and since the binaries are not signed... well there's no guarantee you aren't downloading a malicious binary.
> There is no auto-update mechanism. Might not seem like a big deal, but IMO it is, especially on Windows where you're recommended to rely on 3rd party client to update the browser for you. You've now added a middle man, and since the binaries are not signed... well there's no guarantee you aren't downloading a malicious binary.
To me, this seems like a plus. If you want users to update, provide them with something worth updating to. This tracking suddenly being enabled for a ton of users is the very result of automatic updates.
Also, for some software vendors, frequent/automatic upgrades are a great place to hide silent reconfiguration.
Mozilla has been repeatedly resetting "Always check if Firefox is your default browser" option to "yes" with upgrades. I don't see why "private-attribution submission enabled" wouldn't be reset in future in the same way.
As mentioned above, we aren't talking about Firefox's update mechanism here, but rather Librewolf's.
> Mozilla has been repeatedly resetting "Always check if Firefox is your default browser" option to "yes" with upgrades.
I'm sorry to say this, but this just seems to be misinformation.
I don't see that anywhere in the source code[1]? Anything I can find regarding prompting the user regarding the default browser is hidden behind an if guard to make sure the pref is `true` and not `false`.
The only scenarios I am aware of that will change the pref if the user has toggled one manually is the `_migrationUI`[2] function (as you can see, no changes relating to `browser.shell.checkDefaultBrowser`). Otherwise, untoggled prefs will be changed if the value in `firefox.js`[3] or `all.js`[4] is changed. As you can see, the last time the pref was modified was 2004.
But we're not talking about Firefox's update mechanism here, we're talking about Librewolf's. They are already the custodians of custom settings and making the choice for you, so it doesn't seem like a valid comparison here.
I would also say a web browser should be the one piece of software constantly updated due to the sheer volume of security patches issued every few weeks.
> But we're not talking about Firefox's update mechanism here, we're talking about Librewolf's.
Doesn't matter. I don't inherently trust any organization.
> They are already the custodians of custom settings and making the choice for you, so it doesn't seem like a valid comparison here.
I can make the choice to install software. I should be able to make the choice to upgrade it as I choose as well.
If I buy a chair from Crate+Barrel, I have given them the choice of designing and manufacturing that chair and all the decisions that went into it. But I do not give Crate+Barrel the choice of sneaking into my house and swapping it with some newer version of the chair that 51% of the population liked slightly better after 5 minutes of testing or that they think will make them more money somehow.
> I can make the choice to install software. I should be able to make the choice to upgrade it as I choose as well.
I think that's completely valid.
I was just assuming (maybe incorrectly?) we're talking about what should be happening in general (so what the experience for the layman should be). Now whether that applies to Librewolf is another story, but arguably it becoming fairly known, it should.
Side-note: In Waterfox, I've re-added the ability to disable auto-updating completely. I completely understand the want to manually update software.
> You know perfectly well that point 1 is completely irrelevant in the world of open-source.
Genuinely, why not? Open source projects go through ownership changes (as unlikely as they may be), social engineering, etc. In the unlikely chance something were to happen and anything malicious were to occur, what recourse is a user to have? And we are talking about a web browser here, which will be accessing people's most sensitive data. I don't think this is an unreasonable stance.
> A UK Ltd. is less transparent than Librewolf, an open-source project run by many volunteers without the incentive to make any money.
Well this UK Ltd is still beholden to English law and UK GDPR. You could argue the merits and teeth that GDPR has, but I don't see why it's not a valid comparison? I can't just start processing personal data without complying with GDPR, for example.
> The risks you are talking about are not inherent to Librewolf, but to Linux and open-source, and thus are not legitimate criticisms of Librewolf.
Linux has the Linux foundation, which AFAIK is going to be beholden to California law? I don't see how that can't also be a criticism of Librewolf (and any OSS in a similar spot?).
> Point 3 is no longer true, the installer comes with the option to enable auto-update and on Linux, it also auto-updates, depending on distro, etc.
It seems to me to still be true, because the installer is installing WinUpdater. Which, as it seems, is maintained by an individual developer?
> If you want LibreWolf to be automatically updated (recommended), you can choose to install the LibreWolf WinUpdater[1], which is included in the installer.
One of the few things about Firefox that made me attempt to tolerate its repeatedly slow, shitty performance and tendency to slow my whole device down, was the privacy angle. With that gone, why bother? Might as well use Chrome. At least it's light and fairly quick.
Firefox’s reputation got hit a decade or so ago by performance problems in popular extensions like AdBlock Plus, and it was common to see people mistake switching to a new browser as the reason for the speed up because the initial performance would be notably better before they loaded the new one up with extensions, too.
There are a lot of people who still think of Firefox from 5 years ago. Whatever else you can say about Mozilla (and I have a lot to say about Mozilla) they have actually really improved performance to where I'm not convinced it's any worse than Chrome. Browsers are just doing more than they used to.
Sorry folks but though I'm just speaking from personal experience, it's what I noticed time and time again. I've given Firefox multiple chances as my default browser over several years right up until maybe a year ago and the same problem presented itself across different laptops and FF versions (many after in those cases someone told me that FF was FINALLY fixed, oops). Were these laptops heavy duty models with serious CPU, GPU, RAM and etc power? Nope, but they shouldn't have to be for just running a browser.
Chrome on the other hand (and believe me I despise Google in so many different ways) has consistently been okay. Not great, but okay, and certainly better than Firefox. This while having the same browsing, tab and extension habits in both browsers.
With comments like my original above I've always seen a bunch of people come out with all sorts of caveats defending or justifying FF, but personal experience has consistently shown me differently.
This works by adding noise. Can't an attacker bypass it by boosting the signal? Assuming the attacker can create sybil advertisers/browsers, this should be totally doable:
1. Define some baseline set of M impressions with various ad identifiers and from various sybil advertisers.
2. For each target user, define some set of M marker impressions, also with various ad identifiers and from various sybil advertisers.
3. Save all impressions (marker + baseline) on a bunch of sybil browsers to get above the reporting baseline with some probability.
4. If/when a target user visits a target website, request a conversion report for each ad/advertiser.
You now have a baseline signal (from the baseline ads/advertisers) and a marker signal (from the marker ads/advertisers). If this is one of your target users, you'd expect their "marker" signal to be stronger than the baseline.
I assume it’s the MPC part that would need the Sybil protection?
Also, another assumption, but if that doc still builds upon the W3C proposal - would it not be worth raising as an issue in the repo? Seems to still be active.
Firefox should integrate a tracker-blocker which blocks all ads which rely on executing Javascript as well as profiling-related 3rd-party code snippets, but leaves ad images which are integrated into the page, served exclusively by the owner of the page, and are based on the content offered by the page. Like magazine ads.
Everything else is just agreeing with the advertising industry on their idea that profile-building is fine.
These advertisers nowadays think they are entitled to everything, and Firefox just helped them.
They could offer a deal to Toyota and tell them they're offering image-only ad space on all car-related pages. For example images with deals. Toyota would know from the referrer that the click came from Wikipedia.
All the other images are hosted by Wikipedia themselves and are not ad-related, so I don't see where's the issue here.
I'm just saying that the domain that hosts the page and the domain that hosts the image are often not the same. Wikipedia hosts the articles, wikimedia hosts the images.
If a browser wants to be strict about what it loads, most of the web would appear broken. Maybe Google could have the weight to force such change, but no way could Mozilla impose such a strict rule.
Years ago I had a "Download Firefox" button on my Web-site. I have removed it because of similar incidents in the past. And I stopped recommending Firefox to friends and relatives, because I can no longer do it wholeheartedly. I am not even sure myself, whether it makes a big difference which browser you use nowadays. More out of tradition I am still using Firefox myself, but I know other technologically competent people who shifted away from it. I can only assume that this was for similar reasons: It is felt that Firefox gives no less cause for annoyance than other browsers. When Firefox gradually loses more and more dedicated supporters who become indifferent, I see a rather bleak future for it.
> By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.
Enough of this waiting for virtuous entities to address legitimate concerns of the public.
The "ad industry" is a cancer and we need legal protection against this "industry". The solution is political not technical and definitely can not be left to "the market".
Yep.
One of the things which the FSF did right was the GPL. They didn’t try, like programmers, to hack against bad things, which never works in the long term.
The bad people will change the API, lock the bootloader, implement a problematic standard (ACPI, SecureBoot) or add more DRM.
We cannot solve political issues (law) with technical solutions (programming). If we don’t like locked iPhones, the solution is a law. If we don’t like tracking, the solution is a law. But the EU Cookie-Directive failed? Because of malicious compliance, they made a business case out of it instead of ending it (cookies for logins are fine). And if we want public APIs, local computing and open-source, the solutions are laws.
> One of the things which the FSF did right was the GPL
And the GPL is dying. Every year fewer projects are maintained under the GPL standard. Violations abound anyway. The MIT License and other permissive licenses; or commercially restrictive licenses like the SSPL, are the new go-to; because the GPL didn’t think about SaaS or “Tivoization” until it was too late.
AGPL is a lawyer’s nightmare. Not just because of the restrictions - but because it’s very, very sloppily put together.
Does connecting an AGPL-licensed database to your website make your whole website AGPL? What is the line between an innocent connection, or a viral integration?
What happens if you add a proprietary protocol to the database specifically for your app? Do you need to open source it, if that database is/isn’t publicly accessible? Why wouldn’t it be considered? Your project dependencies certainly aren’t directly publicly available, yet you agree the AGPL applies there.
Some have quoted the FSF about how “internal data structures” should be the distinction. But even that is something a lawyer could seriously bend - is JSON from your database, that only your app understands, such a structure?
The license is ridiculously vague in this regard. Not that it matters anyway - almost all of the big AGPL projects offer alternative proprietary licenses to paying customers, so it’s really more of a source available license.
Let's look at this paragraph, which is the only real difference between the GPL & AGPL, because I think the English is perfectly clear and understandable:
> Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
> Does connecting an AGPL-licensed database to your website make your whole website AGPL?
The user doesn't interact with the database, so no. Since the app server is not linking to the database, it also isn't subject to the AGPL from that direction.
> What is the line between an innocent connection, or a viral integration?
Exactly the same as the GPL, since that section has not changed.
> What happens if you add a proprietary protocol to the database specifically for your app? Do you need to open source it, if that database is/isn’t publicly accessible?
If the user can access the database, you must provide them with the combined source code under the AGPL. If the user cannot access the database, you do not need to do anything.
> Why wouldn’t it be considered? Your project dependencies certainly aren’t directly publicly available, yet you agree the AGPL applies there.
You are linking against those dependencies. Therefore the whole work is under the AGPL, through the same mechanism as the GPL. Now that the entire work is under the AGPL, you must provide users who access it over the network the source code.
> Some have quoted the FSF about how “internal data structures” should be the distinction.
See this is a real source of ambiguity. But it is an ambiguity that applies to every *GPL license, not just the AGPL. But it's really not as big of a deal as you make it out to be, using the documented public network APIs obviously is not linking.
> I think the English is perfectly clear and understandable.
Because you are not a lawyer. The points I’ve made have been cited by actual lawyers. Your opinion as a technologist blinds you to the degree of legal ambiguity.
Also, the very fact that these opinions exist shows this license is not safe. There’s never a correct interpretation that will perfectly win the day eventually, only rulings. As the AGPL has never been in court before, things could quickly go sideways.
As my second link, written by an actual lawyer, puts it: “Inebriated aliens might as well have beamed it down from space as a kind of practical joke.”
If you have some background knowledge of Google's architecture, this explains exactly why the AGPL is banned there: all code is built from one monorepo where everything is linked together.
At least on my Debian I retain full control using the shim and my own enrolled keys. So seems less an issue with the technology but perhaps with how some vendors (that are already locking you in anyway) use secureboot?
>> Shim then becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for as a trust root for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.
In theory the benefits of secureboot around attestation and hashing/measuring of boot components do not require a secure/verifiable chain of custody. You could self verify using PCRs. The boot loader signing aspects were always for control and restricting devices, IMO.
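The self-verification with PCRs mentioned in the comment above, as an added example that is not part of the original thread: a PCR is a running hash that each boot stage extends with the digest of the next component, so a machine can record its own known-good values once and later detect a changed or reordered component without any external signing authority. The component names, their contents and the PCR indexes used are constructed for illustration, and the event log is simplified compared with a real TCG log.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank; PCRs start as all zero bytes at reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new_pcr = SHA256(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Replay (pcr_index, name, data) events in order and return
    {pcr_index: final_value}. On real hardware the final values are read
    from the TPM; here they are derived from the log (assumption)."""
    pcrs = {}
    for index, _name, data in event_log:
        digest = hashlib.sha256(data).digest()
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def changed_pcrs(baseline, current):
    """Return the sorted PCR indexes whose value differs from the locally
    recorded baseline. No certificate or vendor key is involved."""
    changed = []
    for index in sorted(set(baseline) | set(current)):
        if not hmac.compare_digest(baseline.get(index, b""),
                                   current.get(index, b"")):
            changed.append(index)
    return changed


def first_changed_event(baseline_log, current_log):
    """Name of the first event that differs between two logs, or None."""
    for old, new in zip(baseline_log, current_log):
        if old != new:
            return new[1]
    if len(baseline_log) != len(current_log):
        return "<log length changed>"
    return None


# Constructed sample boot chain (not real measurements).
KNOWN_GOOD_LOG = [
    (4, "shim", b"constructed shim image v1"),
    (4, "grub", b"constructed grub image v1"),
    (8, "grub.cfg", b"linux /vmlinuz root=/dev/mapper/root"),
    (9, "kernel", b"constructed kernel image v1"),
]

# Same chain with one component replaced.
TAMPERED_LOG = list(KNOWN_GOOD_LOG)
TAMPERED_LOG[1] = (4, "grub", b"constructed grub image, modified")

# Same components, different load order: extend is order-sensitive.
REORDERED_LOG = [KNOWN_GOOD_LOG[1], KNOWN_GOOD_LOG[0]] + KNOWN_GOOD_LOG[2:]

# Recorded once on a boot the owner considers good.
BASELINE = replay(KNOWN_GOOD_LOG)

if __name__ == "__main__":
    for label, log in (("good", KNOWN_GOOD_LOG),
                       ("tampered", TAMPERED_LOG),
                       ("reordered", REORDERED_LOG)):
        print(label, changed_pcrs(BASELINE, replay(log)),
              first_changed_event(KNOWN_GOOD_LOG, log))
```

The comparison only tells the owner that something in the chain changed; deciding whether the new value is a legitimate update is still a local policy decision.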
> The boot loader signing aspects were always for control and restricting devices
Not surprising, given the huge role Microsoft had in developing this.
You can't enroll your MOK without booting up, and you can't boot up if Microsoft hasn't signed your bootloader/kernel... It used to be a no-brainer and now it's difficult.
Only using self-verification of PCRs is not an effective protection against most attacks. (Against which a secure boot chain is supposed to help.)
Sure it depends a bit on what you want from secure boot. But in general if you need PCRs you also need to make sure only verified code can run. If you don't, you likely don't need PCRs either, and some simple flawed secure module key storage would work as well.
In a certain way having a trust verification of the boot loader is the most important part. Everything after that depends on how the boot loader is implemented, though having PCRs is still helpful.
Though this is where secure boot failed (very hard), as long as you don't enroll your own keys you are not really getting a secure boot chain. Something which IMHO is a fundamental requirement for any company laptops and similar. (Or, instead of using custom PKs, you are MS and disable all 3rd party keys and disable any BIOS option to add/enroll 3rd party keys, like they did on some older ARM devices).
I.e. IMHO a secure boot chain and protocols related to it are a must have, but the current implementation is garbage, especially for most Windows users.
If you want to know in which direction things could be done you could look at ARM MacBooks, more specifically the documentation Asahi Linux created for it. Though just the direction, not the exact design.
Basically for PCs (even in huge companies with MDA) you don't need global trust chains, just local per-system trust automatically setup on first boot after "reset" and making sure a "reset" is roughly like a wipe (by using full disk encryption) is all you need (and want). The devil is in the details, but it isn't really that hard to make it work.
Personally I don't get any benefits from secure boot and it is already used to verify the alleged integrity of systems. Not sure how using your own keys would work for remote attestation, it probably wouldn't. Healthy experience with the industry and the market tells me the future if such systems are widely adopted. And that would be a net negative for software freedom that is beyond the security gains, which can be reached through other means as well.
> "ad industry" is a cancer and we need legal protection...
Absolutely true, but how do you expect that to happen or come about?
Rampant advertising is similar to the copyright law problem. The majority of users may not like what's happening but their opposition and or dislike is but mild so when it comes to political action it collectively amounts to little more than nought.
On the other hand, advertisers, like copyright holders, have strong vested interests thus are highly motivated to ensure politicians act in their favor (one only has to look at the lopsidedness of lobbying interests to see that).
The real enemy is indifference, as a whole the citizenry is not motivated enough for things to change. Simply, we have ourselves to blame.
> Absolutely true, but how do you expect that to happen or come about?
In the same manner through which legal protection for various other matters has come about. By raising awareness, sharing thoughts and solutions, and organizing.
When it comes to the internet... I'd prefer it to stay like the wild west. Least amount of regulation beyond something like net neutrality. People forget that the reason we have all of these "free" services is because of ads and that's coming from someone who hates ads. Every streaming subscription I have, I pay for the ad-free service. Let the people who don't know how to install a browser extension or change a few settings pay for these things for the rest of us.
I observed a friend of mine click on a malicious ad link recently in front of me when driving a presentation for a community meeting. It was shown as an overlay for a seemingly harmless site I found. In my home with a pihole I didn't see any of the ads.
I felt terrible that I was partially responsible for her clicking it. This knowledge and habit of ad-blocking and secure computer usage takes factors of time, effort, and money to learn, and not everyone is going to, or is capable of, devoting what's needed.
I agree; it seems worth it. My wife, who resisted dropping cable for the longest time, now prefers adless streaming and asks if wifi is down, because ads popped on her phone. If it has a downside, it is that my kid now is fascinated by ads, when we are in the wild. She normally does not see them and thus has no internal firewall built up.
It's an understandable reaction against a loud and aggressive (political) minority we've been seeing for the past four years. Thanks for the link, this finally pushed me to support the developer.
"The market" needs to be checked in so many ways. You'd think that by now we could learn to take what works and modify the rest but apparently everything has to be black and white and even a concept like "the market" ends up bound by dogma.
Yes, yes! Excellent! Then that system can also be improved, so that important websites get more money from a visit because they need the support more. For example the Arch Linux wiki. And also the system should have a blocklist so that dangerous and undemocratic websites do not get any money from the visitors.
Also, individuals who are richer should have more of their salary deducted, since they can afford it, and people who have low income or belong to groups who need special protection should not have to pay, instead they should be paid a monthly internet allowance by the government, which can increase if they visit websites who are beneficial to them and to society. For example the Arch Linux wiki.
Nah, there should be a max upper limit. So if you have a cooking site and you run it as one person you couldn't get more than, let's say 3k eur monthly. Arch linux wiki needs love, I agree.
There are nuances that need to be ironed out with this approach, but at least we can guarantee that if someone works for the common good, that individual also gets something back, can keep a straight backbone and not beg for money.
How would that legal "protection" work in practice? What would it protect against? Who would it protect?
What you say sounds reasonable. And I'm not trying to say "well, it's impossible because of some current status quo", because we could change that.
What I'm trying to say is that we need this "industry" to work out the practicalities. Otherwise we are "protected" in the same way the GDPR protects us against 3rd party trackers (you don't need a cookie banner if you don't allow 3rd parties to track your users. Yet here we are...)
Full liability for secondary harms caused by the leak of data that wasn’t directly required to provide a service to those same end users. Selling of data to third parties doesn’t transfer this liability but expands it to include any leaks or misuse coming from the entities the data is sold to. No statute of limitations.
So if company X sells data to company Y and then Y sells to company Z then company X has full liability for leaks or misuse from all entities in the chain.
No more free credit monitoring. Banks, credit card companies, and end users get to directly sue these companies. May not completely solve it but you can try to make it so expensive to mine data you don’t truly need that it ends the whole industry.
I am sure there are holes in this but we can at least try to kill the data brokers and bad actors.
We don't need more laws to solve this if your concern is a more harsh punishment for data leaks, we need to remove existing laws that limit the damages a company can be liable for and we need consumers that care enough to sue when they are harmed.
That is what I am saying above. Full liability for the data stored and shared with others. Transitive liability would need to be a new law though as I don’t believe that currently exists.
EDIT: forgot to mention consumers don’t need to care much for this to be effective. If there are damages to be had law firms are incentivized to file class action lawsuits and recruit affected customers. So, there is an incentivized actor within this framework to do the leg work to get a big payday.
> Transitive liability would need to be a new law though as I don’t believe that currently exists.
That likely would end up just being case law rather than legislation. Meaning, a lawsuit can be filed for it today and it's up to the courts to decide if that liability is reasonable.
We don't necessarily need the ad industry to work out the practicalities if we simply do away with the whole ad industry. We could quite easily outlaw receiving payments from a third party in exchange for displaying information to your users.
There is a (lazy) line of argument related to GDPR, cookie banners, etc. that goes something like this: "That legislation failed, thus any legislation will fail." It was a while since I did proof by induction, but I do believe there is some step missing here.
Personally, I am open to an argument that any legislation is folly. But we need to raise the discourse rather than just bash legislative failures (or merely partial successes) of the past.
I wasn't trying to make the argument that since some parts of the GDPR didn't work out as intended/hoped, other legislation will fail too.
My point was specifically that the GDPR put a law in place that when you send private data from users to third parties, you must ask the user for permission and allow that user to decline this and then not send that users' private data to these third parties.
The idea and intention and hope is clear: that site/app/platform owners don't send/sell data to other parties. Or, if they still do so, are punished by having to nag users with popups/banners etc.
The ad industry then spun this around, ensured that virtually every site nags users (mitigating that punishment), continued harvesting data exactly like before, and -above all- persuaded the general public that "the EU is forcing you to click cookie banners all day" or similar double-speak.
With which I was trying to put forward that any legislation must be a lot better than what the GDPR did here. So as to avoid being circumvented by the industry and also hated by the public.
Ok, sure, but that's exactly what I said: simply outlawing advertising leaves a lot less wiggle room than allowing it but with some minor semblance of consent.
My perfect world would have a law against advertising in general. If someone's paying you to say something, it's a conflict of interest and illegal.
Hopefully, the vacuum of people needing to know things would result in better independent Product reviews.
And the vacuum of not spending 30% of your company budget on advertising would hopefully lead to sinking prices and people being more willing to spend on things that were previously funded by advertising.
> If someone's paying you to say something, it's a conflict of interest and illegal.
That already misses a huge problem though, I don't pay Mozilla for Firefox and I don't pay most online sites and services that gobble up my data and sell it off.
Sure, but I don't think that really changes anything here. The idea of a law that bans advertising when the customer pays you would miss a huge portion of advertising and data collection including Firefox.
Is the concern you want fixed only that paid products still collect and sell data?
I may have misunderstood you, but my read on the third paragraph was mainly that Firefox, in this case, could still have a free browser that collects and sells data. That rule would just add one more factor for them to consider if they ever want a paid browser, they both need a viable market and be willing to give up the option to sell data.
Please don't engage in this blatant political activism and flamebait here. This is anti-intellectual and not what I want to see on HN.
I agree that something needs to be done about the ad industry and rampant data collection, but your emotionally manipulative comments are not it, and actively make it harder to discuss solutions to the problem.
Anyone bothered enough by advertising can stop using whatever product has been ruined by ads, or find ways to remove the advertising.
More laws and larger governments doesn't have to be the answer to all problems. If consumers care enough they'll change their usage, if they don't change their usage they likely don't care enough.
I don't particularly have an issue with advertising itself. If adverts get on my nerves on a product or page I just leave, as you suggest: problem solved.
The actual issue is the stalky tracking of me throughout my life that is currently inseparable from the advertising. I can't just walk away from that: it happens behind my back, it has happened before I get the chance to walk away.
> can stop using whatever product has been ruined by ads
Which will not stop the stalky behaviour of the ad industry. They'll still track me if I happen to click the wrong thing, or track me through my connections to other people. I suppose I could walk away from life and become a hermit, but that would be just a little extreme.
> or find ways to remove the advertising.
Which is, while I do take part, an ultimately fruitless task. Every block we make for the stalky behaviour, be it technical or legislative (other than outright banning the tracking of personal data except with explicit opt-in without exceptions, and properly enforcing punishments for breaking the ban), they'll find a way around. Removing it is not a long term solution, it is a war of attrition where we have to have our guard up all the time and they only have to get lucky, or just be particularly sneaky, every now and again.
> More laws and larger governments doesn't have to be the answer to all problems.
This has often been said by companies and their shills. Oddly, they are all in favour of extra laws and government reach when it is, for example, to protect what they consider to be their intellectual property.
> Which will not stop the stalky behaviour of the ad industry. They'll still track me if I happen to click the wrong thing, or track me through my connections to other people. I suppose I could walk away from life and become a hermit, but that would be just a little extreme.
You could make some real progress without being a hermit though, it doesn't have to be all or nothing. Don't use a smartphone, limit as much of your time online as you can, and pay in cash when you can. Those wouldn't make you a hermit but would seriously limit the data you make available to be gobbled up in the first place.
> This has often been said by companies and their shills. Oddly, they are all in favour of extra laws and government reach when it is, for example, to protect what they consider to be their intellectual property.
Well that's actually what I see as a better approach, remove protections for those companies and industries rather than trying to create new laws to limit them. It's a strange balancing act to attempt to both protect and limit an industry with different laws, we would be better off not doing either.
If I walk outside I'm bombarded by ads. Almost all websites have been tailored to include ads and hide information. You're tracked on all devices you touch.
Vaguely referencing more laws or larger government doesn't mean anything. We're not talking about all problems but a specific one. There is an obvious imbalance between the power and information an individual consumer can use to shield themselves from activities by companies that are detrimental to them. We are also not expected to test our own food for toxins.
More platitudes and soundbites doesn't have to be the answer to all problems.
Seeing ads outside likely doesn't harm you though, you can ignore them. If your city is plastered with ads to a point at where you can't stand it you can always move, that's just another part of a city that someone may decide they don't like and want something different.
> Almost all websites have been tailored to include ads and hide information. You're tracked on all devices you touch.
That's really the crux of it though. The problem isn't just that companies are gobbling up all this data, it's also that we make the data available in the first place.
Stop using a smartphone and taking it everywhere with you, limit what you do online in general, and pay cash when you can. A few simple changes would really reduce the data you make available, I'm sure there are other simple changes I'm missing here but the point is that we don't have to protect data that doesn't exist.
> Seeing ads outside likely doesn't harm you though, you can ignore them.
Just for a different perspective, I can't ignore them. I read more-or-less all text that comes into my field of vision, and cannot help but look at bright flashing lights. To my knowledge this isn't recognized anywhere as a disability (though it is associated with a standard diagnosis).
For me, and presumably others like me, flashing road signs that tell me I'm driving the right speed thanks are a serious distraction even though I've seen the same one hundreds of times. I stopped watching association football when animated sideline ads became common because I could not focus on the game.
If it makes sense to put in wheelchair ramps at the stadium couldn't it make sense to accommodate me, even if most people can redirect their attention just as easily as walking up the stairs?
When it comes to driving, that seems like a totally reasonable concern. I also find roadside signs, digital boards, etc really distracting when driving. That one falls into a safety concern for everyone on the road too, whereas ads in general may just be distracting, that distraction could literally kill someone on the road.
In general, it is a really tough line to draw what is considered a protected disability. I don't know where I would draw the line, and it just gets harder as we create more diagnoses. I don't mean that to demonize the diagnoses at all, but it does make drawing a line for what to legally protect that much harder.
<< Seeing ads outside likely doesn't harm you though, you can ignore them.
I honestly do not think it is possible to ignore ads unless you do not see/smell/hear/experience them. Even if you dismiss them, you have received an impression of that ad. Your mind has been affected. It just happens that we normalized it as a normal function of society ( not completely unlike how we normalized cameras everywhere including on doorbell ). I have no interest in dating farmers, but I still remember being exposed to farmers only ad.
edit:
<< Stop using a smartphone and taking it everywhere with you.
It seems less and less of an option. Amtrak gatekeeps its best prices behind an app. Parking lot wants me to use an app. My workplace now effectively forced me to have phone on me ( even if I come into office.. I can understand the need for it while remote ).
The current societal construct practically requires a smartphone. You could technically go on without it the same way you COULD technically not have a car. It is possible, but very, very limiting. And I would argue that not having a car now is way more forgiving than not having a cell and that is saying something.
> I honestly do not think it is possible to ignore ads unless you do not see/smell/hear/experience them
While we can't avoid seeing ads in a public place, we can manage how we respond to them. That's really not much different than not liking what someone else says. We can try to regulate everything such that people can be comfortable and never have to build a thick skin, or we can trust that people can and should be able to manage their emotions well enough to ignore things they don't like.
> It seems less and less of an option. Amtrak gatekeeps its best prices behind an app. Parking lot wants me to use an app. My workplace now effectively forced me to have phone on me ( even if I come into office.. I can understand the need for it while remote
I can't stand when companies do this stuff, assuming that everyone has a smartphone and is willing to give them access to it. I choose not to patronize companies that do it, but yeah that's harder when your office building requires a smartphone to enter. When push comes to shove, I wonder what the employer would say if someone raised that it isn't an option for them and they need a different way to enter.
Broadly, we have a real issue today with society allowing conveniences to become necessities. We do it to ourselves, but just because smartphones and cars are convenient doesn't mean we should build a world where everyone has to have them. It locks us into certain paths, and when concerns like climate change come up for example we're hamstrung because we can't imagine giving up things like personal vehicles, air travel, smartphones, etc.
So because we want to keep government small and ad companies can get so big they basically invade every part of your life you have to leave your phone, close your eyes, stay offline, just move bro. This doesn't seem like a very serious or productive line of reasoning.
Sure. A phone is a product, it isn't a right or necessity. I get that they are very convenient, and addictive, but they're a very new novelty on the scale of a legal system. There are good arguments for wanting to limit advertising and data privacy, but protecting our right to use a certain piece of technology really just isn't very compelling IMO.
> close your eyes
Advertising is nothing new though. If your concern is even just seeing ads at all, that's a problem that has existed much longer than digital data brokers.
> stay offline
Similar to smartphones, being online isn't a right and is a very new concept. We don't have to be online to live our lives, and we shouldn't expect that everyone is online.
> just move bro
Moving isn't easy, and may not be cheap depending on how you do it, but is there really something wrong with moving when you don't like the area you live in? To me that seems like a totally reasonable response for anyone that's able, and for those that aren't willing to move they can try to change the place they live. Moving is just easier than somehow convincing a locality to limit or remove advertising.
> More laws and larger governments doesn't have to be the answer to all problems
More laws and larger governments are generally undesirable (for obvious reasons) but saying that we shouldn't make any laws at all is throwing the baby out of the bathwater.
If you're thoughtful and deliberate about how you write your legislation, you can have a disproportionately positive impact with a very small amount of additional weight.
For instance, instead of trying to enumerate every single way that data could be leaked and forbid that (see: HIPAA), you should just make the end state (PII in the hands of someone the user didn't explicitly authorize it to be in) illegal and mandate a fine per unit of information (e.g. 1% of the median US salary for SSN) to every entity in the leak chain (because a chain of custody for personal information is just about mandatory at this point).
Details will vary, but this general approach is vastly better than the crazy laws we have in other areas that attempt to "enumerate badness" in the intermediate rather than the end state.
I wasn't arguing for no laws though, only that we don't need to reach for them as quickly as we often do or want to do. I thought the topic here was about banning advertising as a whole, if we want to zoom into privacy concerns related to the retention of PII data that is more doable and we already have a framework to start with based on the EU.
> If you're thoughtful and deliberate about how you write your legislation, you can have a disproportionately positive impact with a very small amount of additional weight.
Unfortunately that really is a non-starter in the US today. I have very little faith that Congress is interested in carefully considering and clarifying. I have even less faith that any bill with thousands of pages of text, which is how they appear to do business these days, could ever be clearly defined and scoped to avoid obvious unintended consequences or misplaced boundaries.
We can, but, as OP noted, the change is only temporary, while political change is harder, but also tends to last longer. I still remember when pihole worked on most things. These days it is just a part of adblocking approach for me.
tldr: Some of us are tired of fiddling with things where we shouldn't have to.
<< More laws and larger governments doesn't have to be the answer to all problems.
If market participants can't behave ( and they clearly can't help themselves ), it is the only real answer.
<< If consumers care enough they'll change their usage, if they don't change their usage they likely don't care enough.
Or.. options for consumers are limited, which affects what they do. In all seriousness, streaming execs seemed to admit the ads simply bring more money for them so they don't care if non-ad version is profitable. It is not enough.
My household dropped Netflix and Prime over their silliness. We currently still have Disney until they get too greedy. And that is just streaming. Regular net is soooo much worse without a way to scrub the ads away.
> My household dropped Netflix and Prime over their silliness. We currently still have Disney until they get too greedy. And that is just streaming. Regular net is soooo much worse without a way to scrub the ads away.
Isn't that a good example of consumers exercising their right to not patronize companies they don't agree with? You didn't need a law stopping you from using Prime, and you don't have a right to use it, you just decided you didn't like their product anymore.
The blindspot missing in a ban of advertising is what that does to the viability and price of a product. Prime and Netflix as it is today is built based partly on the advertising revenue. Presumably if that money disappears the product would get worse, disappear, or become more expensive.
>Regular net is soooo much worse without a way to scrub the ads away.
Hmm, there are ways: I browse with NoScript and uBlock Origin installed and see almost no ads. If a website doesn't work and I really need to visit it for some reason, I selectively enable part of the JS they want me to load. Other sites simply don't get my attention.
It works for now and note that there already were some attempts to have solutions like origin stop working[1]. Unsuccessful, for now, but the intent is there and I am starting to get tired of the whack a mole.
Greeted by a cookie banner in a different language when I open. I swear cookie banners are the biggest problem facing the internet. We need to do something about this!
EU created a task force in 2021 to address the cookie banner, which gave a report last year that basically said that all current form of cookie banners are practically not legal in terms of giving consent.
As with this kind of regulation, we now have to wait for the lawsuits to target a few select large companies, then the courts to reconfirm that the regulations say what they say, and then appeals, and then finally the large companies will pay a large fine and then comply, followed then by the industry at large.
Delay, delay and then delay some more has been the response from the data collection industry for the past 10 years. Same for right to repair regulations and smartphones.
What's dumb is that Firefox is not the freedom browser people think it is. Mozilla is a crappy organization. Firefox has extension signing, it's as restrictive as installing apps on iOS where only approved apps can be installed, without a setting to easily disable it. Mozilla can also remotely install extensions by default (opt out) called "experiments" or something. Their anti-tracking is purposefully weak because of their dealings with Google. Now this data collection for ads. They didn't enable DNS-over-HTTPS by default specifically in the UK. And Mozilla leadership is associated with radical left politics, just as an extra.
Maybe check out Brave Browser, LibreWolf or Vivaldi.
>And Mozilla leadership is associated with radical left politics, just as an extra.
Do you have proof for this? I'd be curious.
I also fail to see how is that related to the collecting data by default thing. Is that a leftist thing now?
Whether you agree or disagree with what the Mozilla foundation does, it seems fairly matter of fact to say that they are pursuing liberal policies and that posts from the leadership, like the couple below, employ a good bit of leftist rhetoric.
Getting people to identify corporate PR speak with "radical leftist rhetoric" is perhaps one of the most darkly genius angles of the conservative culture war in recent memory.
Who even read these dumb company blogs before this?
Radical right: “Almost nothing great has ever been done in the world except by the genius and firmness of a single man combating the prejudices of the multitude.”
Far-right: “I know there are some who become sick when they see black uniforms… but those who come to fear us at any time must have a guilty conscience before the nation.”
Right: “This means that every Canadian will see their income taxes go down. This means more money to pay the bills, to save up for your kids' education or maybe even finally afford a family vacation.”
Centre: “There is nothing which I dread so much as a division of the republic into two great parties, each arranged under its leader, and concerting measures in opposition to each other.”
Left: “To put it bluntly, no one should be faced with a choice that says, in effect, ‘your money or your life’.”
Far left: “The role of the police and the military is growing, and the links between these enforcers of ruling class power and far-right and fascist parties and movements, are becoming more visible.”
Radical left: “They openly declare that their ends can be attained only by the forcible overthrow of all existing social conditions.”
Socially left in the American sense (same with "liberal"). You're just insisting on the Old World economic sense, which is totally irrelevant in America.
Oppressing workers is fine, but it better be inclusive oppression.
I daily drive Vivaldi, for about 2 years now. I was a bit concerned with the closed source part but the experience is great, it's fast and with plenty of features. I don't know how good they are with regards to privacy but on the other hand I do not need to install any plugin as everything is integrated so at least my data is contained with them.
While the joke is appreciated, I'm also half-serious in considering just using Links/Elinks or w3m and just use whatever is the default browser on my OS for those cases where I need to book tickets or do banking.
I'm sadly falling out of love with the web. So much fun and enjoyment have left the web in the past 20 years and I don't enjoy or to some extent even benefit from the modern hellscape of modern commercial web.
I think Mozilla Firefox has long been positioned as a browser focused on user privacy and data protection... This decision is indeed a significant breach of trust
The article links to Mozilla’s press release / blog entry about the acquisition of Anonym [0]. It’s pretty dystopian reading. The last three paragraphs and the summary of Anonym are more worrying than anything else I’ve read on this so far:
> This acquisition marks a significant step in addressing the urgent need for privacy-preserving advertising solutions. By combining Mozilla’s scale and trusted reputation with Anonym’s cutting-edge technology, we can enhance user privacy and advertising effectiveness, leveling the playing field for all stakeholders.
I can only interpret this as the urgent need is money, and wants to sell its "scale and trusted reputation". Mozilla has been down this road before. It was not good for them.
> Anonym was founded with two core beliefs: First, that people have a fundamental right to privacy in online interactions and second, that digital advertising is critical for the sustainability of free content, services and experiences. Mozilla and Anonym share the belief that advanced technologies can enable relevant and measurable advertising while still preserving user privacy.
This is some pretty weak wording for a press release. The economics of the situation are that advertising will always trump privacy. Researchers have successfully de-anonymized anonymised data sets, including medical records. Why would these data be any different?
> As we integrate Anonym into the Mozilla family, we are excited about the possibilities this partnership brings. While Anonym will continue to serve its customer base, together, we are poised to lead the industry toward a future where privacy and effective advertising go hand in hand, supporting a free and open internet.
Anonym’s customers are advertisers, right? The same people who for decades poured money into eroding that free and open internet that we had…
> About Anonym: Anonym was founded in 2022 by former Meta executives Brad Smallwood and Graham Mudd. The company was backed by Griffin Gaming Partners, Norwest Venture Partners, Heracles Capital as well as a number of strategic individual investors.
Well, it seems Anonym, Smallwood and Mudd had a nice piece about them written in the Wall Street Journal [1]. From the second paragraph:
> Graham Mudd and Brad Smallwood each spent more than a decade building Meta’s advertising system, which allowed the company to offer granular data about how ad campaigns worked with individual users, often by tracking their web and mobile activity.
The whole acquiring Anonym thing is almost guaranteed to go wrong. Either Mozilla just wasted a lot of money buying the company as it fails to be profitable or privacy will be eroded as Mozilla starts profiting from ad sales.
The companies buying ads aren't keen on privacy, at least not if it comes at the cost of optimizing sales, so I don't see anyone but small "do good" niche companies would buy into what Anonym is selling. Alternatively Mozilla will make money and start relaxing privacy restriction in order to extract even greater profits. I don't see them stopping half-way. The Mozilla leadership has again and again shown that they do not understand their user base.
Firefox is a great browser, but so are all Chromium-based browsers. Mozilla apparently never considered why someone might stick with or switch to Firefox, when Chrome, Edge, Safari and other browsers do the exact same thing, sometimes perhaps better. I really want to ask the Mozilla CTO and upper management what they think their product is, because I've got an increasing hunch that Firefox isn't the first thing that would come across their lips.
Personally, right now the only reason I'm not switching to something like Vivaldi is my desire to ensure that rendering engines beyond Blink are represented in statistics.
Chrome, which meant Mozilla managed to scare people away from their own browser into using a browser which respects user privacy even less. Great job there Mozilla!
> Chrome, which meant Mozilla managed to scare people away from their own browser into using a browser which puts less PR focus on claiming to respect user privacy. Great job there Mozilla!
FTFY. Both browsers have been pretty bad for privacy for a long time and are more than happy to exfiltrate your data to the respective operators without your consent.
I would say, the average user is using Microsoft Edge (whatever comes default with their OS) on their desktops and a combo of Chrome/Samsung/Safari on mobile.
While Chrome adverts and fearmongering campaigns are now everywhere and people seem to be taking interest in Chrome, but Edge is probably the most common, as I see it literally everywhere(including public service office facilities).
I've been wondering about this whole affair. The thing that got me wondering is this: Is this really interesting for advertisers?
I mean, let's imagine this works as explained -whatever, let's imagine it does and with no downsides even-. Now as far as I can understand this aggregate information ends up producing something like "this particular ad placed here ends up producing this number of conversions". Is this really something an advertiser wants to know? Maybe to some extent, but to me it sounds a lot more like something an advertising platform would want to know. Which is why I'm not surprised by Meta's interest.
To me this feels like a good tool to avoid paying small websites at all for just having ads. Impressions would be finally and completely discarded as something payable. Now for the ads on your site to earn you something at all you need conversions that you can now reliably track. For a site owner to be paid, they'd need to increase the CTR; they can't just "provide ad space", they have to work to earn clicks.
So maybe -probably- I'm way off here. Maybe someone can correct me. But as I see this, this tool seems very specifically made for the big advertising platforms.
>But how does the PPA actually work? There is an aggregation server between the advertising provider and the users or their data, which anonymizes the information from the individual app browsers. Only then does it make the data available to the participating advertising customers.
What do you expect from a company indirectly owned and controlled by Google money?
I can't wait for Ladybird to get good, in a decade realistically, swimming against a massive current of Google pushing its unstandardised nonsense on Chrome, and web developers jumping on the bandwagon, making web standards more and more complex by the day so no one ever is able to catch up.
You can add to the dead internet theory the fact that the Web is now maliciously impossible to recreate and access from scratch if you are unable to compete with the billions Google spend to maintain their hegemony. Heck, even Microsoft found it was more efficient to join Google rather than to try and direct what they laughably call "an open standard." There is more competition to build reusable space rockets than in web browsers.
A sad day, and sadder days await us. Shame on Mozilla, and on the CTO trying to sell this feature as a good thing.
They aren't owned nor controlled by Google. And certainly not directly.
I presume you refer to the fact that most income of Mozilla comes from Google paying a fee to have their search be the default. While that is worrisome, it's not control nor ownership. Let alone direct control. At most it gives Google leverage.
Can companies not see how their ads are performing by looking at their income statements? An ad campaign costs x dollars. Widget sales increase by y dollars. Companies were able to run this method for a long time. I think ads have gone way too far. It’s shocking we’ve gotten to the point of this discussion on data collection to fuel ads.
In the aggregate, yes, but in the specific, no. Companies nowadays want to see which advertising channels and specific ads, over a given period of time, are performing, so as to decide how to better invest their ad spend.
I kind of like how this has dominated the 'active' section ever since it started and it's barely a news story everywhere else.
Honestly I don't have much to add to the conversation. Mozilla made a bad move, Firefox's big thing was privacy and not being Chromium and it's lost the first thing.
I've been looking at it and they are fortunately very open about how they are funded (search engines and bookmarks). Opera was my browser of choice, back in the days of Presto, so I trust the Vivaldi CEO/CTO who also ran Opera. My main annoyance with Vivaldi is that it's Chromium based, I really don't like the idea of a monoculture of rendering engines.
Maybe I don't fully understand the technical implementation, but as far as I have read about the implementation this gives personal information to a third-party. This should automatically mean that Firefox would violate European GDPR laws, they clearly need to get consent from the user before collecting anything. Not just a moral issue, but can quickly become a legal one as well.
I see this as an attempt at a lesser evil, and I would support that (see my EME DRM comment), but I have one concern:
Does this new "privacy preserving attribution" feature respect multi-account containers? Or is it somehow not considered necessary, because it's meant to be less invasive than the tracking cookies it's supposed to replace? Call me skeptical for now.
I'm a happy user of multi-account containers, which lets me separate my cookie identities in Firefox. Before, I had to use different browsers for work and private, and yes, it solves this problem, but the best part is that I don't have to worry about tracking cookies, because they aren't tied to my personal accounts: In my experience, I can to a great extent escape the echo chamber I'm in, and the ads I see in it, by just deleting the cookies of my sacrificial default container.
Other than that, considering the status quo – that the web is already an unfriendly GDPR nightmare, I'm positive to the initiative. And because of the power of the default, I can understand that the feature wouldn't likely take off if it was opt-in, so I won't criticize Mozilla for that move either.
Says the site that only offers one big button "accept" to its cookies :( :( There's no "Nope".
Edit: Weird, some people seem to have received more options than me. For me there was just one option to accept (Zustimmen) and nothing else. Everything was in German but I read German anyway. I was on mobile though, perhaps this is why? I can't see it again because I already pressed it.
A practice (pay or accept cookies) which was actually ruled in breach of GDPR but many German sites seem to do this somehow.
I agree with the criticism on Firefox but this is very hypocritical. Heise used to be a good company. I even used to subscribe to C'T and iX.
My current process for "modal asking any consent when I just jumped in the page and don’t have any certainty there is something there I am looking for" is
- does the reader view toggle work? if yes, consult, end here
- am I really looking for some information that might be there? if "no I just clicked a link from somewhere on the internet", then end here
- still here? Hey, what about looking at the DOM, if the information looked for is not a simple small segment of text, there are good chances a few CSS/HTML tweaks will reveal this. Got it? end here, though you might consider automating this process with Greasemonkey if this domain often falls in your research.
- no luck so far? It’s ok, you know Internet is vast, there are plenty of other pages to visit. WTF are you doing here anyway, don’t you have a job, hobbies and people to cherish? And what about a small walk, you look like you need some fresh air, you know?
I get a different banner - it's a huge square with a wall of German text that I can't understand. There are three buttons, also in German, and I have no idea which button to press. Guess I won't be reading the article.
These dark patterns will prevail. However, I honestly expect their reasoning to be "every single user reading heise.de should have a cookie banner blocking enabled in their Ad Blocker". Also, I think you can accept it for free when you click "Einstellungen", this is not golem.de.
They will not prevail, unless we collectively let them do so. They are already probably in breach of GDPR, and I don't see the EU backing down on this stuff.
Collectively? More people have no idea what the GDPR even is, what cookies are, what the question even means, and just randomly click a button.
The only way to get some collective action from 99.999% of web users, would be to get multiple high profile media personalities to endlessly, repeatedly tweet about it... along with a catchy jingle.
Users would still have no idea about anything privacy related, but maybe 10% would do as commanded by their idols.
But even then, it's a bit hypocritical writing an article slamming firefox for this at least allegedly privacy-sensitive adtracking. While requiring readers to consent to tracking from your however many ad partners :P
Having only "accept all" and say "configure", or even a highlighted "accept all" and a very small or even just unhighlighted "deny all" is against GDPR. IIRC:
- choices presented must have the same visual weight (e.g for buttons)
- there must be no default choice preselected (e.g for radio/toggles)
- the fallback when no choice is made (e.g a dismissal or a "failure to display" a.k.a bug or nag blocker) must be equivalent to deny all
Instead we get this mess because enforcement requires litigation from users and these companies make just enough to claim "oh we thought it was Ok plus we go through an off-the-shelf pluggable third party so not on us" plausible deniability.
> If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
> Example 6a: A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.
> 41. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.
> The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice.
> In the digital context, many services need personal data to function, hence, data subjects receive multiple consent requests that need answers through clicks and swipes every day. This may result in a certain degree of click fatigue: when encountered too many times, the actual warning effect of consent mechanisms is diminishing.
> This results in a situation where consent questions are no longer read. This is a particular risk to data subjects, as, typically, consent is asked for actions that are in principle unlawful without their consent. The GDPR places upon controllers the obligation to develop ways to tackle this issue
I wish there was a serious conversation on how a browser can be productivized and make actual profits. I think that model has the best chances of working out over the long-term in guarding user's privacy - at least for those users willing to pay for it.
Most (all?) companies which developed a browser have lax policies on data privacy. At most those are in line with major directives like GDPR. However, it's not in their best interest to protect / not leverage user data. So the real discussion should've been about the set of features that would attract a sufficiently large user base who would pay ~10$ per month subscription in order to make the model sustainable on the long-term.
At this point Firefox is just a brand for Mozilla to do with as they please. All the talk about a non-Chrome browser with de facto privacy features was just bait to get loyal followers and later on down the road sell them something. Seems ads is just their newest offering.
If 1% of regular Firefox users just donated the equivalent of 10USD per year to mozilla, they would not have the need to find ...eyebrow-raising... ways to earn money.
Only if they'd also spin off the browser from all the political activism and NGO cash grabbing, and let people choose themselves to which of the two their money goes.
On the other hand, people would be more inclined to donate money if they could trust Mozilla to value the privacy of their users, which is one of the biggest reasons people choose FF in the first place.
I wonder why they claim they need this... Tor seems to be doing fine as an organization without collecting user data? Why is maintaining Firefox much more expensive?
I guess the codebase for Firefox is much larger and in the end Tor is a fork of Firefox, right? So maybe they do need much more resources?
Not to say I'm not disappointed with Mozilla once again.
Tor is (was?) heavily subsidised by secret services in a.o. the US.
> likewise, agencies within the U.S. government variously fund Tor (the U.S. State Department, the National Science Foundation, and – through the Broadcasting Board of Governors, which itself partially funded Tor until October 2012 https://en.wikipedia.org/wiki/Tor_%28network%29?wprov=sfla1
While it has had funding from some sources we don’t necessarily trust, it’s still entirely open source and the code has been combed through repeatedly.
When it comes to privacy apps, I’d place significantly more trust in something like that than literally anything closed source or unscrutinized to that degree.
Sorry, I wasn't trying to imply that we should not trust it.
I was merely implying that there's a major difference between the model behind TOR and that of Firefox.
And also similarities: if TOR is funded by entities we don't trust and it turns out to work fine, then Firefox, being "funded" by Google should not have to be a severe problem either.
I always think it's ironic when these things are reported on by websites that force you into accepting their ad tracking which really should be illegal under the GDPR.
> Our hope is that if we develop a good attribution solution, it will offer a real alternative to more objectionable practices like tracking.
There is no negotiating with the advertising industry. No system will stop them from acting unethically to gain an edge.
--
My idea for such a system: random GUID added to each ad. Browser plugin collects GUIDs. Client protects itself with random GUIDs removed and new random GUIDs added. Client sends GUIDs to a Collector they choose. Collectors run client GUIDs against Advertisers lists (bloom filters). Advertisers pay Collectors, and Collectors give to orgs.
Edit: replace GUIDs with 6 random bytes, so the existence of an id is not proof of its being viewed. It needs to be plausible that the client added an id randomly, and that's not the case with a GUID.
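The scheme sketched in the comment above (6-byte ad ids, client-side dropping and decoys, a Collector matching against an Advertiser's Bloom filter), as an added simulation that is not part of the original thread. The Bloom filter size, hash count, drop rate, decoy count and all function names are assumptions; the comment specifies none of them.

```python
import hashlib
import random

ID_BYTES = 6  # per the comment's edit: 6 random bytes per ad instead of a GUID

class BloomFilter:
    """Minimal Bloom filter; bit size and hash count are assumed values."""
    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, item):
        for i in range(self.hashes):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def add(self, item):
        for pos in self._positions(item):
            self.array[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def client_report(seen_ids, rng, drop_rate=0.3, decoys=20):
    """Client-side noise: drop some real ids, add random ones, shuffle the order."""
    kept = [ad_id for ad_id in seen_ids if rng.random() >= drop_rate]
    noise = [rng.randbytes(ID_BYTES) for _ in range(decoys)]
    report = kept + noise
    rng.shuffle(report)
    return report

def collector_count(report, advertiser_filter):
    """The Collector only counts reported ids that hit the Advertiser's filter."""
    return sum(1 for ad_id in report if ad_id in advertiser_filter)

def simulate(seed=1):
    """Returns (ids reported, real ids among them, ids the Collector matched)."""
    rng = random.Random(seed)
    ad_ids = [rng.randbytes(ID_BYTES) for _ in range(1000)]  # constructed ad ids
    bloom = BloomFilter()
    for ad_id in ad_ids:
        bloom.add(ad_id)
    seen = ad_ids[:50]  # constructed: this client was shown 50 of the ads
    report = client_report(seen, rng)
    kept_real = len(set(report) & set(seen))
    return len(report), kept_real, collector_count(report, bloom)
```

The gap between the second and third return values of `simulate()` is the number of decoys that matched the filter, which is the quantity the comment's deniability argument depends on.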
Spyware is illegal. Jail all CEOs, managers, engineers that worked on spying features at google, ms, etc
They are replaceable and next gen will not dare to spy on users.
Fines are stupid and don't work anyway.
This is in full compliance with the democratic process, judicial tradition, etc so I'm not ranting, instead it is that we have been so removed by the idea of punishing the actual people that do actual crimes just because they work in megacorps that any suggestion to do so sounds like a commie rant.
Out of the frying pan and into the fire. With regards to privacy and tracking Chrome/Chromium is so much worse than Firefox. Whether it be terrible defaults, exceptions which allow Google to see your system info, or an incognito mode which is a misnomer, Chrome just doesn't do privacy at all.
I can sympathise about general usability concerns but they don't really relate to the OP.
I personally run Ungoogled Chromium for anything that doesn't work in LibreWolf, which is fortunately not too much.
1) Hamburger menu -> Settings -> Privacy & Security
2) scroll down to the new section entitled "Web Site Advertising Preferences".
3) Make sure the box marked "Allow web sites to perform privacy-preserving ad measurement" is not checked.
[1] https://support.mozilla.org/en-US/kb/privacy-preserving-attr...