[tknkx]

I'm a privacy conscious person so I disabled all spyware that Firefox included. But I went to check, studies was enabled, probably because it was included and enabled by default in the last years and I didn't notice. So how long until Firefox adds something else to have remote code execution rights on my machine?

[AstralStorm]

Studies do send telemetry which is not quite the same as being spyware.

You can actually check what is sent, though there's no option to more finely disable studies requiring, say, cursor, keyboard or tab name monitoring. I haven't seen any such studies though.

The "remote code execution" thing is already there, it is called JavaScript. Almost every browser has it. Add-ons use it all the time.

As for browser code itself, it is open, go read the changelog. If you're extra paranoid, you can build it yourself. Study code is also fully readable.

[tknkx]

>Studies do send telemetry which is not quite the same as being spyware.

How is software whose sole purpose is to send my information to a third party not spyware?

>The "remote code execution" thing is already there, it is called JavaScript. Almost every browser has it. Add-ons use it all the time.

JS on any webpage can't do whatever it wants, since it's restrained to the webpage itself. otoh I'm sure this "studies" thing can change my browser configuration (including my certificates, making me vulnerable to MITM) and probably even execute any command with my current user privileges.

[AstralStorm]

They cannot, the studies use JS available to the browser though with internal APIs available. It is potent, but not quite as much as to allow running arbitrary executables outside the browser or usually bypass file system level protection. It can read and write files the user can access. (Which may or may not include /dev on *nix.) It can also exploit your OpenGL driver.

The difference between spyware and telemetry is intent - use of data - and anonymization measures.

If you don't trust the company making the browser with user studies (and their toggle), you probably shouldn't use their build - and you can disable study code completely on compile time.

If Mozilla decided to be evil like a certain Alphabet company, there is nothing to stop them but forking and writing another web browser.

[tripzilch]

Sounds like you're arguing against a very specific meaning of the term "spyware". One that I'm unfamiliar with. It's not even the historical meaning of the term. I remember when it used to mean any application that "phones home" for any reason whatsoever--when apps ran locally.

It's pretty clear what they are worried about. That's not really arguing in good faith. And "intent" has nothing to do with it--also there is no singular intent from an organisation, if it goes wrong it's just stuff that happened but nobody to point a finger at whose intent it was.

Also, anonymization measures are a joke. It just shows an "intent" to anonymize. But when it turns out that the data is in fact easily de-anonymized somewhere between the browser and the aggregation unit, or in combination with the newest "opt in" monitoring feature, again no fingers to point and your only recourse is better having been safe than sorry.

[detaro]

Sensitivity of data? I'd associate "spyware" with "collects personal information", whereas studies that do not require explicit opt-in are only allowed to collect things on a level of "how many tabs are open", "has the user enabled this feature", and things like web browsing history or data derived from the history are explicitly excluded. If you don't trust Mozilla to hold that standard, then yes, you probably shouldn't use their product.

(Which apparently played part in the Mr Robot idiocy: since it didn't collect any data, it was easy to get it through the process...)

I don't like lots of stuff Mozilla is doing, but I trust them more than the alternatives to actually do what they claim privacy-wise.