by AsusFan 2567 days ago
The irony is strong with this one.

By default, Firefox:

- Collects a bunch of telemetry data via several mechanisms and ships them to Mozilla HQ

- Provides Mozilla with remote code execution privileges on your machine via the shield (or normandy, or whatever they are calling it these days) mechanism, which can install and uninstall extensions and certificates, change browser settings, etc.

- Uses Google as the default search engine, and search suggestions leak private data to Google

- Uses Google Location Services for their geolocation thingy, which - unsurprisingly - phones home to Google

- Ships closed source third party add-ons

- Comes with a bunch of "about:config" settings configured in sub-optimal ways, privacy wise - battery API enabled by default, accept all cookies by default and so on

Sure, Chrome is worse, but bringing that up is like arguing that your pile of manure is better because it doesn't smell as bad: in the end, you are still arguing about shit.


There are some valid privacy complaints about Mozilla but I think they are severely overblown by a lot of people.

Mozilla is very up-front about exactly what telemetry data they're collecting and what it's used for; there's even a pop-up when you first install the browser telling you what's collected and how to disable it if you want to. And then, when Mozilla makes decisions based on telemetry, like removing features that 2% of people use, the people who disabled telemetry complain that Mozilla is ignoring their opinions.

The optional syncing service is end to end encrypted so Mozilla can't see the data you're syncing.

Shield is a valid complaint, I am not a fan of it being opt-out.

Search suggestions are disabled by default in private browsing mode and probably a feature most people want anyway. Your query gets sent to the search engine when you hit enter either way.

The battery API was completely removed from Firefox two and a half years ago, that particular complaint is very outdated. Firefox has been tracking cookies by default for a while now too. More strict cookie policies would just annoy the vast majority of users.

> Mozilla is very up-front about exactly what telemetry data they're collecting and what it's used for

You can see the telemetry data that engineers look at themselves (https://telemetry.mozilla.org/new-pipeline/dist.html). It's not very detailed.

> Mozilla is very up-front about exactly what telemetry data they're collecting and what it's used for,

I consider myself relatively technically inclined. When I started using Firefox, I absolutely did not know about

- Normandy as an RCE engine to install arbitrary extensions and customize random settings

- Google Location Services as the location backend

- Which about:config settings I need to change for a reasonable expectation of privacy

Didn't you already trust Mozilla to execute their code on your machine when you installed the browser, in the first place? And to do it remotely with auto-updates.
There is a big difference between them being able to activate a connection to my machine at their whim and execute code, vs me downloading their software or an update at a time of my choosing, especially since if I am very security conscious I can wait until an update has been audited or tested.

With a remote code execution engine, someone could hack into their backend and then start running malicious code on thousands or millions of machines. If they compromise a software update, at least there is a chance it can be caught before it gets to me.

There's a config-flag to turn it off. You could even deploy that enterprise-wide.

That said, every auto-update system is essentially an RCE system. For highly exposed and security-sensitive applications like browsers, the auto-update is a net win in many deployment scenarios.

Isn’t it kind of ironic that you mention a user flag to turn off telemetry that is on by default on a post about “defaults matter”?
If you're security-conscious then you'll install updates immediately, before you get compromised by whatever attack it might be fixing.

In reality no-one outside Mozilla is auditing updates (other than black-hats reverse-engineering security fixes to catch the people who don't update immediately). I don't think the situation for other browser vendors is any different.

The thing is - at the end of the day - there is not much difference between default Firefox and Chrome regarding data being sent to Google.
*If you use google search with Firefox.
In that fecal analogy, Mozilla is a fresh cup of coffee from squirrel-digested coffee beans, while Chrome is a neck-deep swim in human sewage.

The privacy points you raise are significant but at no point discredit the very real privacy efforts made by Mozilla and in no way make it comparable to Google.

This is absolutely the truth. This blog post is an exercise in hypocrisy.

Mozilla does a lot of good things for privacy, but HN needs to see past their blind loyalty to Mozilla and criticize them where necessary.

I get annoyed when I remove most of the default search providers, and then an update brings Google back. I specifically removed some of those providers so my searches would not be predicted with those services.
You forgot "Actively encourages search engines to track which pages users click on in search results"

Source: https://www.bleepingcomputer.com/news/software/mozilla-firef...

Search engines are tracking that already and essentially always have. Enabling 'ping' doesn't change the privacy situation at all.
You don't even mention Pocket or the stories they put on the default home page.
How is that a privacy concern? You can also hide the stories if you don't want to see them.
Any unwanted, unrequested connections to 3rd parties counts as a privacy concern. If I don't explicitly click a link or enter a URL in the address bar I don't expect traffic to be sent anywhere or any content at all downloaded.
Mozilla owns Pocket, meaning it's a second party rather than a third. You and others may still choose to regard it as a concern, of course.
> - Uses Google as the default search engine, and search suggestions leak private data to Google

Doesn't Apple do the same thing?

Apple is not the one making a blog post about privacy-centric defaults.
There's literally an article on the front page talking about how Apple is really a privacy as a service company based on all of their marketing talking points about privacy.
Still, Apple did not make a blog post about sane defaults. Mozilla did. Apple is completely beside the discussion here.
I think the implied point is that everyone (except Microsoft) has Google as a default.
It's been a while since I set up a new Firefox, but isn't the Search Suggestions feature opt-in?
No, this feature is opt-out. Just checked on a fresh profile and whatever you type in the URL triggers requests like: https://www.google.com/complete/search?client=firefox&q=quer... for each keystroke.
What's your Firefox version? I just checked and "browser.urlbar.suggest.searches" still defaults to false on mine, and it doesn't show search suggestions.
Version 67.0 on Ubuntu, in Europe (maybe that makes a difference?). And this same preference is set to true for me in about:config.
I'm running v67.0.1 on Windows in the US and my preference is also set to true and says it is the default.
No, it's still opt-in. There's a prompt which asks you whether you'd like to enable search suggestions.
As said for the other comment, on my 67.0 installed on Ubuntu, from Europe (if that makes any difference), I have no prompt on new profile and the suggestions are enabled by default. Not sure if that changes per region, operating system, or other reasons to be honest.
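A check for the disagreement above about what a fresh profile actually has set, as an added example that is not from the thread: it parses a profile's prefs.js and reports, for the privacy-relevant prefs the posts argue about, whether each is hardened, explicitly set to the weak value, or absent (meaning the build default applies and must be confirmed in about:config). browser.urlbar.suggest.searches is the pref named in the thread; the other pref names are real Firefox prefs I am assuming for the features described (Normandy/Shield, telemetry, geolocation, hyperlink pings), and the prefs.js content is constructed.

```python
import re

# Constructed sample prefs.js (hypothetical profile, not a real capture).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.urlbar.suggest.searches", true);
user_pref("app.normandy.enabled", true);
user_pref("geo.enabled", true);
user_pref("toolkit.telemetry.reportingpolicy.firstRun", false);
"""

# Prefs behind the defaults the thread argues about, with the hardened value.
# browser.urlbar.suggest.searches is named on the page; the rest are real
# Firefox pref names (assumed here) for Normandy/Shield, telemetry,
# geolocation and hyperlink pings.
HARDENED = {
    "browser.urlbar.suggest.searches": False,   # suggestion request per keystroke
    "browser.search.suggest.enabled": False,
    "app.normandy.enabled": False,              # remote pref/add-on changes
    "app.shield.optoutstudies.enabled": False,
    "toolkit.telemetry.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "geo.enabled": False,                       # geolocation backend
    "browser.send_pings": False,                # <a ping=...> click tracking
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for user_pref lines; bool/int/str decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, hardened=HARDENED):
    """'ok' = hardened, 'weak' = explicitly set to the unwanted value,
    'absent' = not in prefs.js, so the build default applies (check about:config)."""
    prefs = parse_prefs(text)
    return {name: "absent" if name not in prefs
            else "ok" if prefs[name] == want else "weak"
            for name, want in hardened.items()}
```

Run audit(open(path).read()) on a profile's prefs.js; the 'absent' entries are exactly the ones the commenters above had to confirm by hand in about:config, because prefs.js only records prefs that differ from the build default.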
> Sure, Chrome is worse

I'd like some clarification on that. Does Chrome send automated telemetry reports about my browsing to Google when you are not logged in with your Google account? Does Chrome give remote code execution privileges to Google (yeah, via the Updater, but that does not really count)? I searched but I found nothing on the net about telemetry.

I never use Firefox because it has these horrible defaults, and keeping up on all the about:config switches I need to toggle to be able to use it is just too much.

> Does Chrome send automated telemetry reports about my browsing to Google when you are not logged in with your Google account?

Yes. And if you sign into Chrome (which now automatically happens if you sign into any Google website, IIRC), it uploads your full browsing history.

> Does Chrome give remote code execution privileges to Google (Yeah, via the Updater, but that does not really count)?

Yes.

I don't see how you could have done honest research into this and arrived at the conclusions you have.

You can compare https://www.google.com/chrome/privacy/whitepaper.html and https://www.mozilla.org/en-US/privacy/firefox/

Maybe it's just me, but Google's privacy note seems a lot more reasonable. And if it is correct, they ask if they may collect usage statistics during the installation, while Firefox does not.

Why does "Updater" "not really count" as "remote code execution privileges"?

Either the vendor can remotely change your software and its configuration without user intervention, or it cannot. For any software that supports unattended updates, it can. End of story.