[AstralStorm]

They cannot, the studies use JS available to the browser though with internal APIs available. It is potent, but not quite as much as to allow running arbitrary executables outside the browser or usually bypass file system level protection. It can read and write files the user can access. (Which may or may not include /dev on *nix.) It can also exploit your OpenGL driver.

The difference between spyware and telemetry is intent - use of data - and anonymization measures.

If you don't trust the company making the browser with user studies (and their toggle), you probably shouldn't use their build - and you can disable study code completely on compile time.

If Mozilla decided to be evil like a certain Alphabet company, there is nothing to stop them but forking and writing another web browser.

[tripzilch]

Sounds like you're arguing against a very specific meaning of the term "spyware". One that I'm unfamiliar with. It's not even the historical meaning of the term. I remember when it used to mean any application that "phones home" for any reason whatsoever--when apps ran locally.

It's pretty clear what they are worried about. That's not really arguing in good faith. And "intent" has nothing to do with it--also there is no singular intent from an organisation, if it goes wrong it's just stuff that happened but nobody to point a finger at whose intent it was.

Also, anonymization measures are a joke. It just shows an "intent" to anonymize. But when it turns out that the data is in fact easily de-anonymized somewhere between the browser and the aggregation unit, or in combination with the newest "opt in" monitoring feature, again no fingers to point and your only recourse is better having been safe than sorry.