Email or username:

Password:

Forgot your password?
Jeff Martin

Yup, it's true. Firefox 128 includes new adtech features that are turned on by default and announced with very little fanfare, so most people might not even know they're there. :blobcatverysad:

Well, this is me telling you they're there. You might want to go ahead and take a minute to opt out.

Here's the little helpful explainer from Mozilla about how it all works:

support.mozilla.org/en-US/kb/p

My read seems to be: Mozilla says website surveillance is generally bad and should be defended against. Cool. No notes. Firefox actually has a lot of nice anti-tracking and privacy features there and that's the main reason why I like Firefox.

But, and I swear I'm not even joking a little bit here, Mozilla goes on to say that advertisers might be happier if Firefox itself just tracked you directly and sent activity reports back to them.

Doesn't that sound great?

Now, to Mozilla's credit, they claim to anonymize the activity reports. And you can still meaningfully opt out of the whole system.

But WTF, mate?! I use Firefox *because* it fights against adtech. Or at least it used to. Now, Mozilla just lets adtech right in the front door and hopes you won't notice? :blobcat_thisisfine:

Well, we noticed. Mozilla is damage and we need to route around it.

UPDATE: The about:config setting for this is `dom.private-attribution.submission.enabled`. It's a bool. Set it to false to turn it off.

203 comments
emeritrix

@vincent @cuchaz

Ok, so it's uncheck to opt out. Thanks.

Jeff Martin

There's hope tho.

In Mozilla's earlier days, they jettisoned a totally new web browser project called Servo. It's sort of a ground-up effort to build a browser using the latest safety tech, like the Rust programming language.

servo.org

And the best part is, Servo is totally independent from Mozilla now and they have * independent funding * !

Meaning, Google isn't bankrolling Servo as anti-trust insurance (*cough* Firefox *cough*), so there's a chance it might actually take a real stance against adtech on the web.

Servo is faaaar from ready for general use yet, but it's picking up development speed. Definitely an option to keep an eye on for the future. :blobcatthumbsup:

There's hope tho.

In Mozilla's earlier days, they jettisoned a totally new web browser project called Servo. It's sort of a ground-up effort to build a browser using the latest safety tech, like the Rust programming language.

servo.org

And the best part is, Servo is totally independent from Mozilla now and they have * independent funding * !

keithzg

@cuchaz@gladtech.social And with the development history of Gecko's attempts at becoming portable and embeddable into other applications and web browsers, Servo may overtake it for usability from a development perspective sooner rather than later ​:cat-tears-of-joy:​

funnymonkey

@cuchaz This looks really interesting. Thank you for sharing this.

And yeah - not loving the new "feature" in Firefox.

sparrows

@cuchaz does it have a new source of funding? we heard that the big grant it got a year or two ago had run out

πŸ§™β€β™€οΈ Klara! πŸŽƒ

@cuchaz Also, Ladybird just gained quite a few full time developers IIRC.

J. "Henry" Waugh

@boo_ and may or may not have lost them again due to drama (which I won't get into)

Albi :furry_pride: :neurodiversity: πŸ‡΅πŸ‡± :verified:

@cuchaz Ladybird browser has forked out of SerenityOS and is now aiming to be a completely independent browser.
ladybird.org/

m0xEE

@cuchaz
Okay, it looks like I'm staying on FF 118.2.0 on my Android and Windows devices β€” the last release to have a preference to disable WebP support, and on 124 on my Linux boxes β€” on which I could patch the option to disable WebP back in and build it myself, building FF for Android and Windows seems like going into too much trouble.
After 124 my userChrome.css hacks started breaking and I stopped updating β€” now I see that it's not even worth it. Thanks for bringing this to attention!

m0xEE

@bohwaz
Some think that I go way over the top, but I want to have as little Google in my life as possible. I do not consider it an open format: it only has one widely used implementation β€” the one developed and wholly controlled by Google.
I don't think we should depend on Google for codecs too, especially ones providing minimal compression benefits.
Now that JPEG XL and AV1 exist β€” better both compression-wise and in terms of governance, I see no point in adopting either WebP or VP9.

@cuchaz

@bohwaz
Some think that I go way over the top, but I want to have as little Google in my life as possible. I do not consider it an open format: it only has one widely used implementation β€” the one developed and wholly controlled by Google.
I don't think we should depend on Google for codecs too, especially ones providing minimal compression benefits.
Now that JPEG XL and AV1 exist β€” better both compression-wise and in terms of governance, I see no point in adopting either WebP or VP9.

wizzwizz4

@cuchaz Do you know which about:config setting this is?

Jeff Martin

@wizzwizz4 I tried to look through my about:config for the setting (in the non-defaulted values area), but I couldn't find anything that sounded like it had the right name.

I'll try again on a clean profile and see if that helps cut down on the noise.

prettygood
@cuchaz obligatory librewolf mention. Removes all of the "what the fuck are you doing Mozilla" anti-features and keeps the useful ones that actually enhance privacy. https://librewolf.net/
OddOpinions5

@cuchaz

Jeff - thank you !!

If I may, as a non tech person, a guide to how to fill out all the other check boxes in privacy section of settings

for me, and I am sure most non tech people, the language and choices in settings are at best confusing and at worst opaque and totally un understandable

again, thanks

delvina ✨

@cuchaz Gonna add that config setting to my user.js file. Thanks!

Captain of the SS El Faro

@cuchaz I just know an org has my best interests at heart when they call selling my data to the highest bidder "privacy-preserving". Guess it's time to make my own browser, with blackjack and

Gemma πŸ‘½

@cuchaz
Thanks for the warning. :blobcat_owo:

Wasn't expecting this junk from Firefox, but I guess everyone has a price.

Jeff Martin

@prettyhuman Yeah. It didn't use to be like this. It all just makes me sad now. :blobcatverysad:

Bas Schouten

@prettyhuman @cuchaz This isn't about a price being paid. This is about finding ways web authors can monetize their content without payment portals and such things.

Making most content of the web sounds great to me. But I'm wealthy, the way things are, an ad-free web would lock most marginalized people out of the majority of web content. I know that isn't much of a concern to the generally wealthy folks on for example Mastodon.

But it's a reality the web needs to innovate for.

Bas Schouten

@prettyhuman @cuchaz (Possibly relevant, the reason this is opt-out is because the privacy technology used only works well with large submission counts. Using opt-in would reduce submissions and consequently reduce privacy of those users opting in. This is an unfortunate trade off.)

π‚π«π’π¦πžπƒπšπ

@Schouten_B @prettyhuman @cuchaz is there not an ethical way to serve ads based simply on the content of a given page, rather than any sort of tracking of the users visiting that page?

Bas Schouten

@fathermcgruder @prettyhuman @cuchaz Aiui the system isn't so much about tracking the people (the Google system is a little more geared that way I think, but this isn't my expertise).

The system is about understanding whether ads had clickthroughs, which is an important monatization step for content providers.

But my expertise is web performance, so I may be wrong :-).

disky

@Schouten_B @prettyhuman @cuchaz Wikipedia gets along just fine. Mastodon gets along just fine. There are lots of business models which don't employ ads and frankly, to me it seems like the companies serving them are not truly serving people anyway. I'm completely fine with a smaller internet which isn't run by data-hungry advertising services acting in the guise of social networks or search engines or video/streaming platforms. We can do it better (read: better for human beings) without ads.

disky

@Schouten_B @prettyhuman @cuchaz And if we must have ads, these companies can serve ads in ways which don't track, store and codify your interests.

disky

@Schouten_B @prettyhuman @cuchaz And to be clear, I am quite poor. Look at me go.

Bas Schouten

@disky00 @prettyhuman @cuchaz I suspect you are wealthy compared to 80% of the world's population (even if not the global North) πŸ™‚. But it is possible that your mastery of the English language is deceiving me. In which case I apologize.

disky

@Schouten_B @prettyhuman @cuchaz Without revealing the limitations of my bank account, I'll take the compliment.

Bas Schouten

@disky00 @prettyhuman @cuchaz Which is exactly what the technology here does. Although it does track conversions (which is a higher value, more fundamental metric).

disky

@Schouten_B @prettyhuman @cuchaz Of course you know better than I ever will how this actually works, but a browser-based ad feature which tracks any amount of data is unnecessary and bad for users, as far as I'm concerned. Firefox used to at least appear to care about that, which is why I used it for so long.

Bas Schouten

@disky00 @prettyhuman @cuchaz Journalists might disagree. Running a service like Wikipedia (even without Jimmy's spammy self-advertising) or Mastodon requires significantly less means than the flak jackets, helmets and equipments required to document what's going on in the Gaza Strip.

disky

@Schouten_B @prettyhuman @cuchaz Wikipedia holds a semi-annual funding drive which I wouldn't consider the same as advertising, especially not targeted advertising the likes of which are implemented by companies like Google and Meta. As for funding journalism, are these companies actually doing this? I don't think they are, but if I'm wrong then I'm not following their outlets anyway and yet I remain informed.

Bas Schouten

@disky00 @prettyhuman @cuchaz I spend 'a lot' (by reasonable standards, not sacrificing anything to be clear, nothing virtuous here) of money on journalism outlets, and I'm very happy with the world they are doing.

And indeed, Wiki's funding drive is not the same, but their model is generic enough and attracts enough privileged people to fund their business model. Not so much for most authors :-).

Matthew

@cuchaz

Do you know where it is, in the android app?

Jeff Martin

@mrblissett Sadly, I don't. I stopped using Firefox on Android a while back in favor of a fork called Mull. So I don't know what the setting looks like on mobile, or if it's even there at all.

Matthew

@cuchaz
I was usibg Mull but it doesn't work with webassembly πŸ€·β€β™‚οΈ

HTPC NZ

@mrblissett @cuchaz about:config can be modified in firefox beta on android.

Phillip K Name

@cuchaz How does this compare to that google scheme to put FloC in chrome?

I don't have that setting, (ff128, distro package) but I disabled it in about:config.

Jeff Martin

@griibor Wow, that's a really good question. I don't know enough about either tech to give a good answer, but if you made me guess, I'd say they both sound pretty similar. In goal, if not implementation.

Jeff Martin

@griibor Also, what distro are you on? Linux Mint here, so I imagine everything Debian related would have the setting in 128?

Phillip K Name

@cuchaz ubuntu 23.10 They do separate packages to debian.

Phillip K Name

@cuchaz wait, no. I just found it, didn't see it when I used the search box. (only searched the setting name, not the heading)

Jeff Martin

@griibor Mint is downstream of Ubuntu. Weird that I get the setting and you don't. Maybe Mint pulls Firefox from Debian and not Ubuntu.

MrFrobozz

@griibor @cuchaz I was thinking that this sounded similar to FLoC as well, but not having taken a look at Firefox's... "feature"? I can't really say either.

tellyworth

@cuchaz surely β€œopt-in by default” just means opt-out?

Jeff Martin

@tellyworth Whoops, yeah. I could have probably written that better. Words are hard.

ToddZ

@tellyworth @cuchaz Yeah, the phrasing β€œopt-in by default” is the opposite of what the author means. "opt-in" means it arrives turned off.

This setting is "opt-out" or "on by default."

eanopolsky

@cuchaz I feel like I'm missing important discourse, a joke, or both.

Is this tracking tool on by default? If so, why call it "opt in by default" rather than "opt out"?

Jeff Martin

@eanopolsky Whoops, you're right. I could probably have written that better. Words are hard. =P

Simon

@cuchaz do you know what URL it’s posting the telemetry to?

Jeff Martin

@sigh_d Sorry, I don't know that one.

If you manage to catch Firefox in the act, you might be able to pull out URLs, domains, or maybe just IPs with a network traffic analyzer of some kind. But since the experiment is limited to a few participating advertisers they say, it might be hard to trigger the behavior intentionally until you know what websites trigger the reports.

Simon

@cuchaz thanks! I’ll have a dig.

F4GRX Sébastien

@cuchaz we expected such a built-in ads feature in chrome, but having it in firefox first is just awful.

aburka 🫣

@cuchaz what an incredible coincidence that this happened right after Mozilla acquired an adtech company!!

Tariq

@cuchaz

the need to

1. know this stuff is in there

2. do techie stuff like about:config

is a deliberate design decision that is user-hostile.

Ezekiel :swift:

@cuchaz @pauho this is a feature already in Safari that’s carefully designed to be a private way to attribute ad clicks without using invasive tracking mechanisms. A lot of work goes into making sure that user information can’t be exfiltrated to keep it completely private.

Edge

@cuchaz

Thanks so much, just did this!

Renarde

@cuchaz
I would highly recommend using Librewolf to prevent future stuff like that.
Librewolf come privacy hardened out of the box and you can uncheck stuff that too constraining.

Romain Becker

@cuchaz That's the reason I started using #Vivaldi .
Not bad at all...

mvyrmnd :PUA:

@cuchaz You either die a hero, or you live long enough to see yourself become the villain.

elgregor

@cuchaz Preventing ad companies from tracking each user would be great. The problem is that you need to trust the aggregation service (which doesn't get any personal data, but still gets ad visibility and site conversion data).

Kevin Karhan :verified:

@cuchaz seriously, @mozilla , stop fucking around with #Firefox and keep it as secure and clean #Browser...

- I'll continue to spread using @torproject / #TorBrowser as main browser...

Magenta Rocks

@cuchaz
@phpete

Thank you! I also left them feedback on their info page.

Advertisers can get bent because I ad block everything so I never see them anyway.

FYI, it will be interesting to see what they do when they update the iOS version because the settings there are not as extensive as the browser.

Jeff Martin

@Schouten_B For the record, I am not at all interested in making advertisers happy here. They had their chance to do the right thing and they completely ruined it for everyone. I'm done with that.

Advertising existed loooong before conversion tracking or widespread individual surveillance was ever a thing. Let's go back to that. Ie, authors working directly with advertisers to sell content-based placement. That system was fine actually. Don't act like ending surveillance would destroy online advertising, because it totally won't.

Also, if making your feature opt-in would destroy the benefit of that feature (to you) because people wouldn't want to participate, then take a moment and reflect on why that is. And when the answer is obvious actually, and you push the feature on us anyway, don't get all surprised when we get pissed about it.

@Schouten_B For the record, I am not at all interested in making advertisers happy here. They had their chance to do the right thing and they completely ruined it for everyone. I'm done with that.

Advertising existed loooong before conversion tracking or widespread individual surveillance was ever a thing. Let's go back to that. Ie, authors working directly with advertisers to sell content-based placement. That system was fine actually. Don't act like ending surveillance would destroy online advertising,...

Bas Schouten

@cuchaz Well the reality is advertising companies are paying for all the content that vast amounts of people are consuming for free. (For better or worse, that's a fact, the sun comes up for free.. Beyond that.. Not so much)

I don't think the value of the feature to Firefox is not destroyed by fewer participants. From the perspective of Firefox there is no impact from the amount of participants. The way the math works is fewer participants has an impact on the users of the feature. Not Firefox

Victor S Sigmoid

@cuchaz Wouldn't be logical that setting my Tracking Protection to STRICT would opt out automatically? C'mon Mozilla this is invasive nonsense!

Shark Attak

@cuchaz
Can I say "fuck"? The one time I don't check the release notes and just press Update.. I could've waited some more.

DELETED

@cuchaz "opt out" for things they should be **asking for permission**, specially if its hidden, is such a nefarious practice.

DELETED

@cuchaz I used Firefox for 20 years. Lately it was poop. I had to quit because it kept crashing. Try Waterfox = fast and no crap. Or as you've been told, wait for Ladybird (3 years at least).

Bob πŸ‡ΊπŸ‡²β™’πŸ§πŸͺ–

@cuchaz

Not finding it in the android version but I'll need check the laptop tomorrow

Dan 🌻

@cuchaz @mozilla I'm disappointed that this was enabled by default (and added to Firefox at all, really). I also wouldn't have known that such a privacy invasive feature was added/enabled - I don't read every release notes post.

askiiart (fine, not cis)

@cuchaz@gladtech.social anyone know how to script ff config changes instead of doing them manually?

riderofbarrels

@cuchaz Thanks for bringing this to everyone's attention. I might buy that they're trying to learn if there's a less invasive way to get ad performance metrics, but I do not like at all the the web is driven so much by advertising.

So, yep, disabled.

Nazo

@cuchaz Anything affecting privacy should *ALWAYS* be opt in, not opt out. I get that people get annoyed at things popping up requests to access info (really irritating sometimes in Android with the several things some apps ask for) but it's worth having to keep tapping "allow only this time" and things just shouldn't ask any more than they have to to begin with.

Deus
Thanks for sharing. I don't recall enabling this, ever! Esp. this 'Crash report', which I always disable. They seem to be sneakily pushing these in the Privacy settings page - I mean 'New in this Release' notes are jargon for most of us.

Should check out this Servo. No issues in checking out 'Yet Another' Firefox alternative (or its fork) πŸ™‚

https://coracle.social/nevent1qqsdzvd29xn8phm2vty2ympnp5jmyf9a5tqg39l5wkvfkrsgxd828nsprpmhxue69uhhyetvv9ujumt0d4hhxarj9ecxjmntdzlrhz

Thanks for sharing. I don't recall enabling this, ever! Esp. this 'Crash report', which I always disable. They seem to be sneakily pushing these in the Privacy settings page - I mean 'New in this Release' notes are jargon for most of us.

Mastodon's Billionaire Owner

@cuchaz Well that damaged my trust in Firefox a lot! That is the type of descipable behaviour you normally only expect from Chrome or Edge etc.

I've disabled it, but enabling by default is disgraceful.

foofy

@cuchaz oh :( this is saddening. thanks for letting me know tho, i would have had zero clue otherwise lol

Jarkko Sakkinen
@cuchaz I've moved on macOS to Safari and probably move to GNOME Web on Linux. The key element is that I've engineered myself out of browser sync feature and extensions by migrating all my passwords to https://www.passwordstore.org/. I still use browsers password manager for convenience and cache but not as an archive. I.e. they are not synced and I can delete all the passwords any time, as pass has the archive.

Other than I don't really care what the browser is as long as it is fairly modern (e.g. WebKit based). Safari and GNOME Web are reasonable, and I'd think that as they are not the selling product, they also minimize the harm, as it is not intended to make profit in any significant figures.

That said, not sure if I would trust Edge on Windows ;-)
@cuchaz I've moved on macOS to Safari and probably move to GNOME Web on Linux. The key element is that I've engineered myself out of browser sync feature and extensions by migrating all my passwords to https://www.passwordstore.org/. I still use browsers password manager for convenience and cache but not as an archive. I.e. they are not synced and I can delete all the passwords any time, as pass has the archive.
DELETED

@cuchaz There is no privacy, they're all vultures

NilaJones

@cuchaz

Anybody know why typing about:config in the address bar isn't working for me?

Used to work just fine!

Could this possibly be part of the update?

Is there an alternate route?

matt wilkie

@cuchaz I'm willing to grant that an organization that takes privacy seriously gathering, grouping, and anonymizing user traffic data before sending on to other companies could be a net gain and compromise users and companies.

Rolling such a feature out without fanfare or discussion and having it on by default kicks the legs out from underneath that chair with a sickening crunch.

I've been a Firefox die hard fan since before it was Firefox. I'm so disappointed in what Mozilla has become.

/me going to take a long look at servo...

@cuchaz I'm willing to grant that an organization that takes privacy seriously gathering, grouping, and anonymizing user traffic data before sending on to other companies could be a net gain and compromise users and companies.

Rolling such a feature out without fanfare or discussion and having it on by default kicks the legs out from underneath that chair with a sickening crunch.

Kaito

@cuchaz lost faith when they added Pocket

Bri πŸš΄βœ¨πŸ‡¨πŸ‡¦βœ¨πŸ³οΈβ€πŸŒˆβœ¨

@cuchaz Since ad servers have to be able to communicate with this feature, I wonder if it's possible to show a post like this to visitors of a site if they haven't disabled the setting. Hmm.

Oliver Calder :fedora: :popos:

@cuchaz Why is there not an option for this in the usual settings?? Only exposing this through about:config is really not acceptable. Hope some people make a stink...

@LateNightLinux @thelinuxEXP ;)

Michal :verified:

@cuchaz Thanks for the about:config reference. I could not find the option in Android Firefox settings, but when checking about:config it exists and was set to true.

Mo :ferris: :tux:

@cuchaz Don't get me wrong, I would much better prefer that web ads completely disappear and I block all of them anyway. But there are many people not willing to block ads for some reasons. For them, this is a huge privacy improvement, isn't it?

If Firefox starts to also block classic ads by default and only allow this kind of ads, I would be a supporter, but I would still opt out.

Andri

@cuchaz Judge companies not by the options to evade ad-tracking; but their defaults

LisPi
@cuchaz @dee So... "anonymized" (lol, lmao) data harvesting like that by an organization being opt-out is okay with EU regulations?
Paul Shryock

@cuchaz is there a setting for this on mobile?

Xeno Danger Evil

@cuchaz yeah but they did have a deal with Google to be the default search engine that funded, I think, a majority of their staff. I use it too because I respect it. They should, ethically, put some pop-ups and opt out by default behavior. They're still not as bad as most. Sigh....

Andre Geißler

@cuchaz No, Firefox does NOT send the report back

Firefox creates a report based on what the website asks, but does not give the result to the website. Instead, FF encrypts the report and anonymously submits it using the Distributed Aggregation Protocol to an β€œaggregation service”.

Your results are combined with many similar reports by the aggregation service. The destination website periodically receives a summary of the reports. The summary includes noise that provides differential privacy.

DigitalStefan

@cuchaz I'm biased, so take this with a hefty handful of salt...

Advertisers *really* want data and despite it becoming ever more difficult to lawfully obtain data, the big brands are generally still satisfied with the volume and quality of the data they are collecting.

There is a real apocalypse moment approaching when 3rd-party cookies are killed in Chrome.

Google are *really* pushing for Enhanced Conversions, which is passing (hashed) PII to ther platforms (Google Ads, DV360...

Yksteldus

@cuchaz Since about config is disabled on Firefox mobile, can this be disabled there, or is it even present?

mschomm

@cuchaz Yet another reason why I'm happy that I switched to the LibreWolf fork as my main browser a while ago.
librewolf.net/

Jakob Buron

@cuchaz Super important discussion. Honest question, though: In what ways is this a bad compromise between privacy and ad-tech? Assuming absolute privacy will not be a tenable outcome for the majority of regular users, due to the immense commercial incentive for the adtech industry, how would a better solution look?

stellarorion πŸ›°οΈ

@cuchaz I assume this is just another revenue stream for Mozilla.

Andy

@cuchaz thanks for the heads up, can't see this on Android Firefox 128 but may be missing it in the settings.

RejZoR

@cuchaz Thanks for this. It being inside actual GUI and not mentioned at all is just baffling. I didn't even spot it because I don't go into settings daily.

Varia

@cuchaz@gladtech.social I think that is a bit misleading, firefox does not track you in general, this is only about tracking how well an ad performed

Andreas Sturm πŸ’šπŸš΄πŸ» πŸ§—β€β™‚οΈ πŸ₯‹

@cuchaz I will look around for another browser. I don't like this way of doing things.

Dave/Loebas :verified_pride:

@cuchaz Thanks for the headsup. I just turned this off.

Gamey :thisisfine:

@cuchaz I didn't read the article to find out details but that sounds awfully similar to Chrome's replacement for cross site cookies! I had issues with Mozillla for a long time but it's always sad to see them do even more stupid garbage especially because there isn't really any proper alternative!

Micha Silver

@cuchaz Any opinions on Vivaldi as a replacent for Firefox?

jonny (good kind)

@cuchaz i buy the mozilla internally compromised argument now @hipsterelectron

ynym

@cuchaz any idea how many bits of fingerprinting disabling that shit will cause?
Because it sounds like a case of bad, or worse.

VerΔ‘andi K Soldusty

@cuchaz
Glad I spodded this. Much appreciated, thanks.πŸ˜ƒ
Have also noticed that FF had switched it's, "Allow Firefox to send technical and interaction data to Mozilla" and, "Allow Firefox to install and run studies" back on.🀬

Paul Schoonhoven πŸ‰ πŸ‹

@cuchaz @keesjanb that sounds about the same as Google does.. They also want to 'protect you' from harm from others. πŸ™ˆπŸ™ˆ

But it is complicated.. This is Duckduckgo:
(duckduckgo.com/duckduckgo-help)

Asta [AMP]

@cuchaz@gladtech.social interestingly, the flag was indeed set to true in about:config, but the supposed option in settings->privacy... was not there. Am I misreading? Or is just not actually able to disabled while they're in "limited test mode"?

Captain Packrat

@cuchaz I have 129 beta 2 for Android and I can't find that setting anywhere in the menu, but it is hiding in about:config.

Richardus

@cuchaz Why does Firefox add the same evil thing google did. Thanks for warning. Need to turn it off straight away.

Steve Woods

@cuchaz Thanks for the warning.

Settings changed. :)

Go Up