mamot.fr is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mamot.fr is a French-speaking Mastodon server, run by La Quadrature du Net.


Cory Doctorow

I'm really trying to make sense of the new @mozillaofficial privacy policy.

Here's where I'm getting tripped up:

> Mozilla doesn’t sell data about you (in the way that most people think about ‘selling data’)

OK, sure. But if Moz isn't "selling my data in the way that most people think about selling data" then how *is* Moz selling my data?

@pluralistic @mozillaofficial
Doesn't Google pay them to have their search bar defaulted? I wonder if it's related.
Plus all of the things they're saying about anonymized advertising tokens or whatever

Edit: I'm not interested to learn about the nuances of their pivot to advertising friendliness

@pluralistic @mozillaofficial in the way you’re least expecting it!

@kitten_tech @pluralistic @mozillaofficial at least it’s now mildly exciting as well as tragic…

@pluralistic @mozillaofficial

Did the people responsible for Biden’s messaging jump over to Moz? 🤦🏻

(disclaimer, I worked at nscp and i want moz to succeed, despite themselves)

@pluralistic @mozillaofficial

"Anonymizing" is nonsense in this context; they're providing user data to 3rd parties in exchange for something. This is a "sale" as reasonable people would understand it.

"We still put a lot of work into making sure that the data that we share with our partners (which we need to do to make Firefox commercially viable) is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like OHTTP)."

@pluralistic @mozillaofficial

Unfortunately, they're going about this in the same weasel way as Meta, Google, et al.

🤥 Claims of end-user #privacy via data aggregation are disingenuous -- as we've seen repeatedly.

Author of these new terms is recent hire Ajit Varma.

"Varma, the author of the above announcements, as a Firefox veep after previously looking after WhatsApp for Meta, and before that, Gmail, and its related tools for Google."

⭐ Don't hire from bad actors lest you become one.

@pluralistic @mozillaofficial

📚 Estimating the success of re-identifications in incomplete datasets using generative models [Nature][open access]

2019 article about the realities of privacy of aggregated user data:

"... 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes."

🌐 nature.com/articles/s41467-019
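The re-identification figure quoted above rests on a simple mechanism: each extra attribute in an "anonymized" release shrinks the group of people who share the same values until most groups are of size one. The following is an added example written for this page, not code from the thread or from the Nature paper; the dataset is a constructed toy table with invented rows, and the attribute names are assumptions chosen only to illustrate the point.

```python
from collections import Counter

# Constructed toy dataset (invented rows, not real users). Each row is what a
# "stripped of identifying information" release might still contain.
RECORDS = [
    {"zip": "75001", "year": 1980, "sex": "F", "browser": "Firefox"},
    {"zip": "75001", "year": 1980, "sex": "F", "browser": "Chrome"},
    {"zip": "75001", "year": 1980, "sex": "M", "browser": "Firefox"},
    {"zip": "75001", "year": 1991, "sex": "M", "browser": "Firefox"},
    {"zip": "75002", "year": 1980, "sex": "F", "browser": "Firefox"},
    {"zip": "75002", "year": 1991, "sex": "F", "browser": "Firefox"},
    {"zip": "75002", "year": 1991, "sex": "M", "browser": "Chrome"},
    {"zip": "75002", "year": 1991, "sex": "M", "browser": "Chrome"},
]


def group_sizes(records, attrs):
    """How many records share each combination of the given quasi-identifiers."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def uniqueness_rate(records, attrs):
    """Fraction of records that are the only ones with their attribute combination."""
    sizes = group_sizes(records, attrs)
    unique = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return unique / len(records)


def k_anonymity(records, attrs):
    """Smallest group size: k == 1 means at least one person is singled out."""
    return min(group_sizes(records, attrs).values())


def reidentify(records, known):
    """Linkage attack: an adversary who already knows a few attributes (from a
    voter roll, a purchase record, ...) keeps only the rows consistent with them."""
    return [r for r in records if all(r[a] == v for a, v in known.items())]


def generalize(record):
    """One standard mitigation: coarsen quasi-identifiers (zip prefix, decade of birth)."""
    return {**record, "zip": record["zip"][:3], "year": record["year"] // 10 * 10}


if __name__ == "__main__":
    attrs = ["zip", "year", "sex", "browser"]
    for n in range(1, len(attrs) + 1):
        used = attrs[:n]
        print(f"{n} attribute(s) {used}: unique={uniqueness_rate(RECORDS, used):.2f} "
              f"k={k_anonymity(RECORDS, used)}")
    print("adversary knows zip/year/sex ->",
          reidentify(RECORDS, {"zip": "75001", "year": 1991, "sex": "M"}))
    coarse = [generalize(r) for r in RECORDS]
    print("after generalization, k over zip/year =", k_anonymity(coarse, ["zip", "year"]))
```

On the toy table, zip alone singles out nobody (k = 4), but zip plus birth year already isolates a quarter of the rows, and all four columns isolate three quarters of them; an adversary who knows three attributes from some other source pulls out exactly one record. Real datasets have far more columns than this, which is why aggregation or stripping of obvious identifiers on its own is a weak privacy guarantee, and why the practitioner's check is to measure k over the quasi-identifiers that are actually released rather than to trust the label "anonymized".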

@crecente @pluralistic @mozillaofficial What next? We find out they get paid half a billion dollars a year from Google and wouldn’t exist otherwise?

@pluralistic Mozilla leaves your data in a hollow tree in a nearby park, and then two weeks later it finds a fat brown envelope stuffed with dollar bills under the doormat. The two events could be quite unrelated, so it's hard to show that Mozilla’s really SELLING the data, per se.

Your data wants to be free. Mozilla accepts modest contributions to cover the costs of giving your data its liberty.

Mozilla is paid exclusively in eggs and maple syrup. It's more like barter than an actual sale.

@angusm @pluralistic
...and everyone LOVES eggs and maple syrup.

Especially CANADIAN maple syrup.
🇨🇦 👍

@pluralistic @mozillaofficial a lot of us are right there with you. I ran a poll and most people are considering a change in browsers after this TOS update.
@boilingsteam has interesting insight on this as well.
Edit: to clarify, "most people" are of those who took the poll, and it was a small sample size.

@derrydavis @pluralistic @mozillaofficial @boilingsteam already jumped to Vivaldi on all devices. Never ever a good sign when ToS notice arrives...especially if cloaked in "not to worry" language.

@pluralistic @mozillaofficial Ladybird is a wildly audacious project, creating a fully independent browser in 2024, but I really like their commitment to true nonprofit governance, and people who have already built operating systems from scratch do tend to possess follow-through...

@dalias @pluralistic @mozillaofficial oh no! God damn it. I actually thought to myself, I should really check if I'm about to be milkshake ducked, and then I thought seriously, what are the odds? Stupid planet we live on.

@boutell @pluralistic @mozillaofficial You're in luck. They just followed up with a 10 part treatise on why we should include the nazis so they realize their misunderstandings. 🤡

@pluralistic @mozillaofficial "we promise we're not gonna do what you think we're gonna do, but we're not gonna tell you what we're going to actually do" shady af, poor communication at best

ima start packing

@mohab @pluralistic @mozillaofficial Yeah, that's my take. They don't have the benefit of the doubt at this point.

@pluralistic @mozillaofficial i'm slowly moving my bookmarks to Tor browser. But I don't know much about Tor, is it better and safer? Will it stops websites from tracking, pushing ads on me and selling my data? I hate ads.

@boiga @pluralistic @mozillaofficial I tried Tor yesterday, installing it from a Debian repository, and it didn't work: torbrowser-launcher tried to download something from the Tor web site and it failed with a 404 HTTP error. So I deleted the newly installed packages and gave up on it.

@pluralistic @mozillaofficial I have no clue. I moved over to LibreWolf instead.

@pluralistic @mozillaofficial Can I raise a thought, not as an accusation, but as a question of 'is this a valid concern?'

We always assume data is for advertisers selling AI penis pills, but politics is big money. Possibly bigger.

If political parties or the like wanted to pay good money to profile the people who are trying not to be profiled, wouldn't buying Mozilla data be invaluable?

Especially since Big Tech is rapidly aligning with the new regime, it's hard to shake the thought.

@pluralistic @mozillaofficial Bafflegab of the highest quality; whatevs. Bye Moz, I'm out.

@threatresearch @pluralistic @mozillaofficial Do we have a list anywhere of what those domains would be?

@alexblock @pluralistic @mozillaofficial DomainTools would be a good place to start a hunt. Or VirusTotal. Or their domain registrar. Using any domain they own it's easy to pivot using OSINT CTI tools like these.

@pluralistic @mozillaofficial The way people who /buy/ data think about it, obvs.

@pluralistic @mozillaofficial They are selling trends, like how many people clicked on an ad.

@pluralistic @mozillaofficial Well yes, if it's worth something to the data market, then it's worth protection for the user.

The value of that data, whether anonymized or identifiable, translates into consumers paying (more).

It's leveraging gateway privilege, part of the 'walled garden' strategy.

Based on all their communications in the past few years I perceive that they are trying to set themselves up to be an advertising platform.

Your search queries and anything else you type in the url bar, for example, will be analyzed and the results shared with advertisers — without telling them more than what they need to know to best enhance your web experience with ads, so your privacy remains protected. This system will make Firefox commercially viable by rapidly shrinking its userbase down to a more sustainable size.

@pluralistic @mozillaofficial The whole thing is the wrong question. IDGAF if they're selling it or not. The problem is that they're claiming a right to even have it. Mozilla is not party to anything we do with Firefox, but they're trying to insert themselves there, and they can fuck right off about that.

You can't sell something you don't have. The problem isn't the selling but the having.

@pluralistic @mozillaofficial Their overall language makes it sound like they're selling telemetry data which is weird and intrusive in a slightly different way than is typical.

@pluralistic @mozillaofficial it's pretty obvious they winked and smiled while they were writing this.

@pluralistic they don't sell your data, they may give it for free (to the government)

@pluralistic @mozillaofficial

Here’s a question — Mozilla is motivated by money to be “viable” — if every user paid $1/month, they’d be overflowing with cash. How many people need to spend $10/month to adequately fund Firefox to be a private and secure browser?

@pluralistic @mozillaofficial they’re probably using it to train ai models if not selling it

@pluralistic @mozillaofficial smells like selling training data to LLM companies or training LLMs themselves to sell as a service.

Also i absolutely resent the "oh, we are so sorry you were confused by our statement"

I HATE that patronizing double speak corporate PR bullshit.

@pluralistic @mozillaofficial Apparently it has to do with CCPA’s definition of “selling data” which simply includes data being transferred to any third party for any reason. Because Mozilla uses tools for collecting usage metrics and has some marketing and tracking stuff built in, any third party involved in this would receive this data, and the CCPA considers this “selling data”.

It can apparently be so over-broad that service providers have included this kind of language simply for your data being hosted in their services in a third party provider like Hetzner, AWS, etc.

So it appears to be some potentially over-broad definitions in law.

@bedast @pluralistic @mozillaofficial Why is Mozilla using these third-party providers when there are many, many alternatives that would not require distributing personal information to other organisations?

@wizzwizz4 @pluralistic @mozillaofficial The problem is the moment you use a third party, it has to be disclosed. Firefox has a sync feature. Where are those services hosted? Firefox has Pocket, which has had its own controversies in the past. Where is that hosted?

It’s not always about telemetry. But in the case of Mozilla, it definitely includes telemetry.

@bedast Sync is supposed to be encrypted data that Mozilla can't read, so neither should the server owner be able to, and Pocket is one of the services, but that sentence is not in the part specific to Mozilla services.
@wizzwizz4 @pluralistic @mozillaofficial

@RandamuMaki Firefox Sync is Open Source as well though, and encrypted client side too. You can run your own server (if you really want to github.com/mozilla-services/sy) and change identity.sync.tokenserver.uri in about:config to point to it. The biggest differences are the supported browsers are not the same (Firefox, most of its forks, Epiphany and Gnome Web, but not Google Chrome/Chromium) and the fact that it's built-in so it doesn't need a browser extension.
@bedast @wizzwizz4 @pluralistic @mozillaofficial

@bedast @pluralistic @mozillaofficial Couldn't they have just been mildly more specific in the privacy policy to state as such to avoid such a panic response?

A lot of these laws could be complied with easily by explicitly listing what is collected, how it is processed/anonymized, and who/what/how it's shared. In other words, proper disclosure instead of masking with legalese to avoid it.

@baibold @pluralistic @mozillaofficial The issue is they used boilerplate legal nonsense. It’s been argued that they communicated this poorly, which is valid. But a lot of companies use this to state “we’re using third party hosting” in a lot of cases. Though Mozilla has admitted, many times in the past, that they use third party telemetry.

@bedast @pluralistic @mozillaofficial I don't buy it, sorry to say. There are graceful ways for orgs + lawyers to handle this. Rather than a broad clause like that, you can separate collection & usage into sections and describe it.

For ex, in cases where data is necessary for payment processing, email subs etc my orgs specify that collection + usage and the reason it's warranted.

Mozilla does telemetry I won't do, but still could've written that in specific terms. No one would have batted an eye.

@profdiggity @bedast @pluralistic @mozillaofficial Not only can you do this, GDPR requires it, per article 5(1)(b) "purpose limitation" and article 13(1)(c,e).

@wizzwizz4 @bedast @pluralistic @mozillaofficial Yes, as does the CCPA (what I like to call "GDPR lite"). However, there may have also been a plan to write that language into product-specific policies when features were implemented + shipped.

The real question for me is why this blanket clause existed, and marketing copy on websites altered, if there were not a wider plan (e.g. feeding data into an LLM).

I suspect they were caught asking for the cookie jar, maybe not with a hand in it.

@profdiggity @bedast @pluralistic @mozillaofficial

The question I have is what contract lawyers might make of the "and never will" and "that's a promise" bits of the old statement.

It was taken by the users as a binding commitment. We agreed (as much as anybody really does with shrink-wrap*) to those terms.

*One day I need to see this argument taken to a real judgement instead of a slimy settlement. A contract requires equity and a meeting of minds, not drive-by binding of victims.

@Fuzz_Ra @bedast @pluralistic @mozillaofficial Disclaimer: IANAL.

Those statements are less vague than "don't be evil" so possible it's actionable. But I very much doubt it.

ToU often have a clause that allows for updates without notification (because how would you notify a past visitor to a website or a browser user? etc) and it's probably proper for marketing copy that aligns with that ToU to then be changed to align with a new one... 1/2

@Fuzz_Ra @bedast @pluralistic @mozillaofficial ...plus those statements might be considered "puffery" though it's a weak argument.

Nearly all ToU and FOSS licenses have a disclaimer of warranty and/or limitation of liability - in MIT license it's most of the text. GPL and MPL have them. etc.

So proving injury would likely only be for extreme cases, not for data harvesting.

ToS with Mozilla customers is different and between those parties. Not sure if they sell services, FFox ESR, etc. 2/2

@profdiggity @bedast @pluralistic @mozillaofficial

I'm also (even more) very much not a lawyer and we're under related but diverged legal systems.

Where I am (UK) the Unfair Contract Terms Act (1977) binds companies while bouncing consumers out to the Consumer Rights Act (2015) with much looser terms for nopeing out of thieving bullshit. It would be nice to see that applied to the modern reality.

@profdiggity @pluralistic @mozillaofficial There have certainly been arguments that Mozilla communicated this poorly. They used boilerplate legal nonsense in their terms of use that tends to frighten a lot of people who don’t understand that hosting solutions such as AWS are “third parties” which you have to disclose sharing data to.