by opencl 2573 days ago
There are some valid privacy complaints about Mozilla but I think they are severely overblown by a lot of people.

Mozilla is very up-front about exactly what telemetry data they're collecting and what it's used for; there's even a pop-up about it when you first install the browser, telling you what's collected and how to disable it if you want to. And then when Mozilla makes decisions based on telemetry, like removing features that 2% of people use, the people who disabled telemetry complain that Mozilla is ignoring their opinions.

The optional syncing service is end to end encrypted so Mozilla can't see the data you're syncing.

Shield is a valid complaint; I am not a fan of it being opt-out.

Search suggestions are disabled by default in private browsing mode and probably a feature most people want anyway. Your query gets sent to the search engine when you hit enter either way.

The battery API was completely removed from Firefox two and a half years ago; that particular complaint is very outdated. Firefox has been tracking cookies by default for a while now too. More strict cookie policies would just annoy the vast majority of users.

3 comments

> Mozilla is very up-front about exactly what telemetry data they're collecting and what it's used for

You can see the telemetry data that engineers look at themselves (https://telemetry.mozilla.org/new-pipeline/dist.html). It's not very detailed.

> Mozilla is very up-front about exactly what telemetry data they're collecting and what it's used for,

I consider myself relatively technically inclined. When I started using Firefox, I absolutely did not know about

- Normandy as an RCE engine to install arbitrary extensions and customize random settings

- Google Location Services as the location backend

- Which about:config settings I need to change for a reasonable expectation of privacy

Didn't you already trust Mozilla to execute their code on your machine when you installed the browser in the first place? And to do it remotely with auto-updates.

There is a big difference between them being able to activate a connection to my machine at their whim and execute code, vs me downloading their software or an update at a time of my choosing, especially since if I am very security conscious I can wait until an update has been audited or tested.

With a remote code execution engine, someone could hack into their backend and then start running malicious code on thousands or millions of machines. If they compromise a software update, at least there is a chance it can be caught before it gets to me.

There's a config-flag to turn it off. You could even deploy that enterprise-wide.

That said, every auto-update system is essentially an RCE system. For highly exposed and security-sensitive applications like browsers, the auto-update is a net win in many deployment scenarios.

Isn’t it kind of ironic that you mention a user flag to turn off telemetry that is on by default on a post about “defaults matter”?
Yes.

Telemetry and auto-updates are important enough that having them on by default isn't wildly unreasonable.

If you're security-conscious then you'll install updates immediately, before you get compromised by whatever attack it might be fixing.

In reality no-one outside Mozilla is auditing updates (other than black-hats reverse-engineering security fixes to catch the people who don't update immediately). I don't think the situation for other browser vendors is any different.

The thing is - at the end of the day - there is not much difference between default Firefox and Chrome regarding data being sent to Google.
*If you use Google search with Firefox.