You're too stupid for technology.
Figure 1: "Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand." – Archibald Putt
You're too stupid for technology. That's the opinion of The Mozilla Corporation, the company that make the Firefox web browser.
Beware the crafty Fox
I've used "Firefox" 1 for about 15 years, since it appeared in the early 2000s. Firefox is generally considered the least evil of the two leading web browsers. But like its rival Google Chrome, both are giant surveillance engines for scooping up data about your personal interests and behaviours and selling it to bad actors 2.
Firefox version 128, from the company that claims "No shady privacy policies or back doors for advertisers", now stealthily ships with "Privacy-Preserving Attribution" (PPA), an Orwellian name for simply tracking all your stuff but sending it via a centralised anonymising service. Mozilla's "announcement" consisted of two vague sentences buried at the bottom of the most recent release notes.
Worse, the technology is still labelled as "experimental", in other words it's full of bugs likely to cause a colossal breach at some point. And it's switched-on by default! I think what they really mean by "experimental" is tentative, pending the massive public outrage that will force them to withdraw it and apologise.
Too clever for you to understand
That's right, Mozilla - a company that has traded on end-user agency for almost 20 years - just flipped, or at least seriously revealed its true hand. They decided that you, the general public, are not capable of understanding and making adult decisions about technology. That's why they snuck in an egregious update and enabled it by default. Once again another spy technology that you need to "opt out" of. It's not the first time Mozilla have been caught at this.
In this article by Moritz Förster at Heise, Förster notes Bas Schouten the technical lead for Firefox, claims it's 'too difficult to explain a system like PPA. If users are not in a position to make an informed decision, an opt-in does not make sense.' (The only quote I can directly find from Schouten is that it's "too challenging").
Anyway, astute readers who dabble in fripperies like logic and reason may notice that if users are not in a position to make an informed decision, an opt-out makes no sense either. Schouten seems to be asserting that people are too stupid in defence of Mozilla's other motives. This quote from the Mozilla home page highlights their duplicity;
We are committed to an internet that elevates critical thinking, reasoned argument, shared knowledge, and verifiable facts. – Mozilla
This clearly highlights a weakness in how corporations use Free Open Source code. "Open source" exists precisely so that the end user can scrutinise the code and understand it - through critical thinking, reasoned argument, shared knowledge, and verifiable facts. The purpose of being "Free" (Libre) is so that end users can also change features they do not like or want. But this is incompatible with application code being taken by corporations whose real mission is supplicating the advertising industry.
In the words of Jonah Aragon "Mozilla constantly fails to understand the basic concept of consent". As we have analysed and repeatedly stated on Cybershow, security and protection are not the same thing. Because of the potential for complex deception, principal agent problems and perverse incentives, protection rackets run by "well meaning" people for "your own good" are often worse than no security at all.
Is it perhaps that Mozilla, and Schouten are not good technical communicators? Or worse, that they actually don't understand their new spy technology well enough to even attempt an explanation? Or is it, more likely, that the advertising industry at whose behest Mozilla operates do not want them letting the cat out of the bag? Telling people how it works would obviously give them an opportunity to object. What they'd understand is how Mozilla are setting themselves up as the worlds biggest data-brokers.
This doesn't even look like an inevitable and tragic slippery slope toward enshitification, more like full-on Vader style "I'm altering the bargain". Again from Aragon;
This is essentially a semantic trick Mozilla is trying to pull, by claiming the advertiser can't infer the behaviour of individual browsers by re-defining part of the advertising network to not be the advertiser.
Most foolishly of all, Mozilla have a small market share. Even the behemoth Google didn't get away with pulling this kind of stunt with its failed Federated Learning of Cohorts (FLoC) project. The contorted and risky gymnastics that search and browser companies will go through to satiate the advertising industry shows just how much they are under its boot.
Ironically, the very people Mozilla needs to retain, and be honest with, are actually the smarter-than-average users. Yet these are the people Mozilla keep insulting and alienating. It genuinely pains me to have to write this article - but Mozilla are becoming a security risk and that needs saying.
Worse security
The reality is that centralised aggregation of any use-data makes the security situation far worse than if advertisers are allowed to spy on you individually. Any central point of aggregation allows unparalleled inference and, even if Mozilla were honest and good at security, it nonetheless paints a giant target on a risky collection of data that need not exist.
In general, all web browsers are abominations. Both major vendors in the present duopoly long-ago sold-out their users to advertisers. The applications themselves are bloated, ill-behaved, poorly written collections of security holes that people are forced to install on their devices in order to claim "legitimate citizenship" in the technological nightmare we are building.
Truth is, the "Web" has been a software engineering catastrophe and even it's creator Sir Tim Berners-Lee says so. Here we have a perfect example of the failure of humans to coordinate on complex technology problems and avoid corruption in technology.
What Mozilla have become is a Trust Laundry, which like Apple is a means to abdicate responsibility for verified, earned trust in lieu of a bunch of vague ideological mission statements. People mistake this for actual security.
And their arrogance is galling. They think we are stupid and that they know more than us about how we want technology to serve us.
Is opt-out actually an option?
I personally have no confidence at all that any "opt-out" within Mozilla technology is meaningful.
Firefox is a particularly stubborn donkey of a program. No matter how many times one configures it for privacy by unchecking all the "spy on me" boxes, sooner or later it auto-updates and lo and behold it's reverted to treachery-mode. This habit of resetting to unsafe defaults, or having options that bypass already selected preferences goes back as far as 2017. Mozilla is stoking a bonfire of trust through its practices of;
- poor privacy defaults
- muted or hidden announcements
- activating experimental features without consent
- re-activating anti-privacy features behind our backs
Rolling out egregious technology by stealth using "updates" is the sort of behaviour we expect from Microsoft or Google, but now apparently Mozilla have lost our trust too. This means the only real opt-out is to opt-out of using Mozilla products.
Suggestions
If you're using Firefox as an alternative to Chrome we recommend you research and think about switching to one of the many Firefox variants or forks which better respect you as an end user. Some will claim that these are "less secure" than Firefox because they are "updated less often". Remember - there is no reason to suppose that because some software is "updated" often, it is more secure. The stability of code is also a factor in its quality. As we see today, many "updates" are themselves malicious. Among the variants are;
In particular we think IceCat is a good option because it is GNU software and free from hidden binary code and non-free software.
Alternatively, why not donate some money to the Ladybird project, or other FOSS teams trying to build actual privacy-friendly browsers.
Conclusions
It is tempting to say that by failing to anticipate Mozilla betraying users we really are too dumb for tech. But that would be blaming the victims instead of the abuser.
The average person may not understand hashes, encryption and zero knowledge proofs. But people do understand trust relations and sleights of hand. Humans are very astute at that. At Boudica and at the Cybershow we find Mozilla's stated values very appealing. But what they practice and say to defend that is totally against our own philosophy. We believe in empowering knowledge and excellent education for all as a basis for civic cybersecurity.
One of the essential components of trust is integrity, which means doing what you say and walking-the-walk. Trust laundries and protection rackets are no solution in security. We must trust but verify, and to verify we must understand. That means tech companies and their products, if they are to be considered secure, must be transparrent and able to explain what their code does. Any company that thinks it is too challenging to explain what it does for its customers is not worthy of trust.
Footnotes:
In fact I've used variations like IceWeasel and other forks for quite a while due to previous security and privacy gaffes by Mozilla.
The term "bad actors" has replaced "hackers", "spooks", "cybercriminals" and a dozen other useful labels as part of the deflation of language in cybersecurity. It's a perfectly wishy-washy term to describe "anyone using a computer for things we don't like". The reality is that "advertisers" - the data-brokers who buy and sell your data - is a vast gang of sleazy operators, credit agencies, bounty hunters, debt collectors, and for all we know anti-abortionists and the like. At the end of the day these people aren't fussy about who they sell data to, and so many transitory harms accrue.