You shouldn't allow Firefox to recommend things to you any more

January 2, 2019

The sad Firefox news of the time interval is Mozilla: Ad on Firefox’s new tab page was just another experiment, and also on Reddit. The important quote from the article is:

Some Firefox users yesterday started seeing an ad in the desktop version of the browser. It offers users a $20 Amazon gift card in return for booking your next hotel stay via Booking.com. We reached out to Mozilla, which confirmed the ad was a Firefox experiment and that no user data was being shared with its partners.

Mozilla of course claims that this was not an "ad"; to quote their spokesperson from the article:

“This snippet was an experiment to provide more value to Firefox users through offers provided by a partner,” a Mozilla spokesperson told VentureBeat. “It was not a paid placement or advertisement. [...]

This is horseshit, as the article notes. Regardless of whether Mozilla was getting paid for it, it was totally an ad, and that means that it is on the slippery slope towards all of the things that come with ads in general, including and especially ad-driven surveillance and data gathering. Mozilla even admitted that there was some degree of data gathering involved:

“About 25 percent of the U.S. audience who were using the latest edition of Firefox within the past five days were eligible to see it.”

In order to know who is in 'the US audience', Mozilla is collecting data on you and using it for ad targeting.

So, sadly, we've reached the point where you should go into your Firefox Preferences and disable every single thing that Mozilla would like to 'recommend' to you on your home page (or elsewhere). At the moment that is in the Home tab of Preferences, and is only 'Recommended by Pocket' and 'Snippets'; however, you should probably check back in every new version of Firefox to see if Mozilla has added anything new. This goes along with turning off Mozilla's ability to run Firefox studies and collect data from you and probably not running Firefox Nightly.

This may or may not prevent Mozilla from gathering data on you, but at least you've made your views clear to Mozilla and they can't honestly claim that they're acting innocently (as with SHIELD studies). They'll do so anyway, because that's how Mozilla is now, but we do what we can do. In fact, this specific issue is a manifestation of what I wrote in the aftermath of last year's explosion, where Mozilla promised to stop abusing the SHIELD system but that was mostly empty because they had other mechanisms available that would abuse people's trust in them. They have now demonstrated this by their use of the 'Snippets' system to push ads on people, and they're probably going to use every other technical mechanism that they have sooner or later.

The obvious end point is that Mozilla will resort to pushing this sort of thing as part of Firefox version updates, which means that you will have to inspect every new version carefully (at least all of the preferences) and perhaps stop upgrading or switch to custom builds of Firefox that have things stripped out, perhaps GNU IceCat.

(Possibly Debian will strip these things out of their version of Firefox should this come to pass. I wouldn't count on Ubuntu to do so. People on Windows or OS X are unfortunately on their own.)

PS: Chrome and Chromium are still probably worse from a privacy perspective, and they are certainly worse for addons safety, which you should definitely be worried about if you use addons at all.


Comments on this page:

By Michael at 2019-01-02 16:52:30:

The version of firefox-esr (at package version 60.4.0esr-1~deb9u1) in Debian Stretch says "Data reporting is disabled for this build configuration" under "Firefox Data Collection and Use". Looks like Debian has already disabled that in their build.

By cks at 2019-01-02 16:56:55:

My hand-built Firefox also says the same thing. It's possible that Mozilla (currently) only collects data from their own builds, which would make a certain amount of sense (and probably make Mozilla's life easier, because who knows what modifications lurk in other people's builds that might invalidate various pieces of the data).

Mozilla might change this in the future, but I suspect that usage of non-Mozilla builds (on any platform) is so low that it's not worth their time.

By Jukka at 2019-01-03 04:19:31:

Indeed: I have long disabled every entry with a "http" or "https" prefix in the so-called 'about:config' (and furher verified that nothing is sent back to the Mozilla-mothership). I started doing this already when they decided to adopt for telemetry (without fully disclosing what is being slurped and for what purpose, of course).

Once again, this post reminds me of my TODO entry about writing my own browser. Apparently, only a few open source options remain for privacy conscious users.

Jukka, which are those? I'd been considering a jump to Brave, but they've been in the news recently (and for non-good things). I also rely on GhostText, since I do a lot of web form entry (our request tracking system), for which I could find no equivalent.

By Jukka at 2019-01-03 10:02:28:

MikeP: I use multiple browsers for different things, but for day-to-day browsing I use Falkon (https://www.falkon.org/) as I am a KDE/Linux/Unix user. It works quite well. The code base is also no-nonsense and fairly understandable, although I haven't done any real auditing.

For these reasons, I have a TODO entry about writing a minimalistic "browser" (i.e., WebKit-frontend) with Python (i.e., PyQT5).

But as Chris writes, non-programmers and non-*nix users are pretty much on their own. Nor would I personally wholeheartedly trust any of the privacy-related Firefox forks due to security and related reasons.

Jukka, yep, that's what I was afraid of. Mac-user here. I could sort out a KDE desktop with no worries, but... that's not really an environment I like very much. :( Thanks though.

By Some Anon at 2019-01-03 17:20:14:

Part of me thinks that this is because the Mozilla Foundation has been basically funded by big ad companies for many years now - currently Google, formerly Yahoo - that the same "collect all the data, on everything you possibly can!" view of the world has seeped in. And, well, any organization gets addicted to money and comes to serve the interests of the place where the money comes from. Which definitely isn't Firefox users.

Anyway, something I've found very useful for keeping track of the innumerable things you have to disable in modern Firefox is the GHacks user.js, which is so called since it originated with a contributor to that site. It's a Firefox preferences file, very generously commented, that you can drop into your Firefox profile to avoid having to do all the rummaging in about:config. It's pretty well set out-of-the-box for privacy improvements, and disabling telemetry, the "health report", studies, "experiments", and so on, but you'll still want to go over the (many, many...) settings, since some of them can break things.

You can find it at their github page.

Written on 02 January 2019.
« How I get a copy of the Ubuntu kernel source code (as of Ubuntu 18.04)
Planning ahead in documentation worked out for us »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Jan 2 16:12:56 2019
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.