Hacker News
by marichards 2481 days ago
Whatever Mozilla's focus is when you load Firefox you experience the following:

1. On ESR, the first time it loads, two pages load, including

https://www.mozilla.org/en-GB/firefox/60.8.0/firstrun/ https://www.mozilla.org/en-US/privacy/firefox/

You then find first party cookies are set by Google Analytics

_ga GA1.2.1671101194.1567114471 _gat_UA-36116321-1 1 _gid GA1.2.377831647.1567114471

In the EU this would breach the ePrivacy Directive - as there is neither consent nor information supplied in advance. Privacy is not just about information captured about you, but about privacy of what you have stored on your electronic devices.

Note: https://ico.org.uk/about-the-ico/news-and-events/news-and-bl... Myth 2: Analytics cookies are strictly necessary so we do not need consent

2. If you then type "privacy" into the address bar, it loads https://www.google.com/search?q=privacy&ie=utf-8&oe=utf-8&cl... directing users into the most privacy invasive service on the internet with no advance warning. I now have a wealth of Google cookies from their search domain, but there are also cookies set for DoubleClick and Adservices.

I'm now enrolled into surveillance capitalism and all I did was open Firefox for the first time, type "privacy" and press enter.

Mozilla talk a lot about privacy, but their products and websites don't live up to the privacy standards we need and if anything they're on the wrong side of the fence when it comes to acting on privacy - they still make things worse and not better; although it has to be acknowledged that they have improved a lot with the tracking protection features that have slowly been making their way into Firefox.

You might find this interesting to read https://twitter.com/jonathansampson/status/11658588961766604...

4 comments
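
The cookie values quoted in the post above, decoded as an added example (not part of the original post, and not Mozilla or Google code). The field layout and default lifetimes are assumed to be those Google documents for Universal Analytics (analytics.js); `decode_ga_cookies` is a hypothetical helper name.

```python
from datetime import datetime, timezone

# Cookie names and values exactly as quoted in the post.
OBSERVED = ("_ga GA1.2.1671101194.1567114471 "
            "_gat_UA-36116321-1 1 "
            "_gid GA1.2.377831647.1567114471")

# Assumption: documented default lifetimes for these cookies, in seconds.
DEFAULT_TTL = {"_ga": 2 * 365 * 86400, "_gid": 86400, "_gat": 60}


def decode_ga_cookies(dump):
    """Turn a 'name value name value ...' dump into decoded records."""
    tokens = dump.split()
    if len(tokens) % 2:
        raise ValueError("expected alternating cookie names and values")
    records = []
    for name, value in zip(tokens[0::2], tokens[1::2]):
        base = "_gat" if name.startswith("_gat") else name
        rec = {"name": name, "ttl_seconds": DEFAULT_TTL.get(base),
               "identifier": False}
        if name.startswith("_gat_"):
            # Throttle cookie: the name suffix is the analytics property ID.
            rec["property_id"] = name[len("_gat_"):]
        parts = value.split(".")
        if base in ("_ga", "_gid") and len(parts) == 4 and parts[0].startswith("GA"):
            # Layout: GA<version>.<domain depth>.<random>.<unix creation time>
            rec["identifier"] = True
            rec["client_id"] = parts[2] + "." + parts[3]
            rec["created_utc"] = datetime.fromtimestamp(
                int(parts[3]), tz=timezone.utc).isoformat()
        records.append(rec)
    return records


if __name__ == "__main__":
    for record in decode_ga_cookies(OBSERVED):
        print(record)
```

The `_ga` record is the one relevant to the consent point: it is a per-browser identifier that persists well beyond the session in which it was set.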

Relevant context:

1. Mozilla only enabled Google Analytics after signing a contract with Google that that data would not be fed into Google's models. There's no reason to believe Google would violate that legal agreement.

2. The Twitter thread you linked is by a Brave employee. It should be judged by the facts it shows, but is good context to keep in mind w.r.t. their presentation.

Are you at Mozilla? That contract was referenced in a bug long ago. I'm not sure it can be enforced, given how Google's revamped Analytics 360 works.
No I'm not. I'd imagine that a contract would be enforced by both parties respecting it, especially given that there's not that much to win for Google, and much to lose if, say, an employee would leak that it was being violated.
Let's see the contract and its term, if not hear from Google that it is in effect. Sorry, but reputable blockers block GA because it is now tied into Google's overall ads/data business and they say as much in touting it, in their privacy policy even with its carve-outs, and in others' experience with it.

For Mozilla to use GA instead of self-hosted Matomo is odd to me as a founder of mozilla.org (none are left at Mozilla now, FYI). We do the latter at Brave. Is it just for convenience?

You're right.

Do you have a better solution? I'm not asking to be glib, I actually want a browser that does a better job of protecting my privacy.

No solution, but I think we'll never find one if debate, about problems with web privacy, suggests Mozilla is the answer - until they put into actions their words, they shouldn't be seen as the way to go.

Whilst I have reservations about Brave, from a privacy standpoint they appear to be more trustworthy and some of the actions they are involved with, like complaints to regulators are far beyond anything we've seen of Mozilla - sure they may have corporate motives, but right now they appear to align far better with consumer privacy.

There are forks of Firefox that are trying to improve on delivery of privacy

https://tracker.pureos.net/w/pureos/policy/purebrowser/

https://github.com/intika/Librefox

I am not wholly comfortable using Brave because of its dependency on Chromium, too much of a dependency on a single web rendering engine reminds me of IE days.

I would suggest to anyone, install them both and more, you might love browsing the web in emacs (someone must) - if you find a website that doesn't work on Firefox and you need Chrome, then why not use Brave instead?

Personally I'm trying both, I also bought a Librem Laptop so I have PureBrowser too and I'm not afraid to throw some of my money and inconvenience at products that are better at protecting my privacy: for techies we can all do this with relative ease. For non-techies, which is where we really need the sea of change (and who are unlikely to read this), then we can advise them towards Apple's products and make them aware of products like Brave so it can be their "backup" browser if not their first choice - not perfect, but I'd prefer my family to browse using Safari, Firefox (with privacy settings I have to sit down and sort out for them) or Brave; than Chrome.

> Whilst I have reservations about Brave, from a privacy standpoint they appear to be more trustworthy and some of the actions they are involved with, like complaints to regulators are far beyond anything we've seen of Mozilla - sure they may have corporate motives, but right now they appear to align far better with consumer privacy.

There's a lot for me to think about in your post, and most of it I agree with, but I wanted to comment on this bit. While I agree that Firefox has made some very problematic decisions over the years, Brave is far worse in my opinion. My biggest 3 objections are here:

https://news.ycombinator.com/item?id=20830069#20833942

I can't find anything from you at that link.

Would you mind inlining your biggest 3 objections? Thanks.

It looks like my post fell off the front page, so the hashtag link doesn't work. :/ Copy-pasting my comment here:

Looking into this only briefly, it didn't take long to find a lot of very questionable decisions made by Brave:

1. They're positioning themselves as both an advertiser and a privacy advocate[1], which strikes me as more of a strategy for bootstrapping revenue than a trustworthy moral position. The entire point of crypto micropayments is to pay for content with crypto rather than attention/privacy. Why should I view Brave's ads rather than the other ads on the internet from advertisers who also claim their ads respect privacy? The fact that Brave has decided to get into bed with advertisers at all shows they're committed to profit, not to users: micropayments are just a way to diversify for Brave, which will quickly fall to the wayside if it fails to provide the revenue they want.

2. The entire concept of a Brave Verified Publisher stinks. It positions Brave as a censor. If this system takes off, then suddenly Brave has control over who gets paid for content on the internet, and can censor content they don't like. And this isn't hypothetical, they plan to do this: their TOS[2] explicitly contains a code of conduct which contains a long list of things they will terminate your account for: they promise to use their power as censors to enforce US copyright/patent law and also a wide variety of subjective social norms. This also shows their commitment to being an advertiser rather than an application that serves users: if you're serving users then you let them pay for the content they want to pay for, but if you're serving advertisers, then you can't let advertisers' brands be seen as supporting questionable content.

3. BAT based in Ethereum seems to be basically a way to ride the wave of cryptocurrency hype while still positioning themselves as a central authority/middleman. If they weren't trying to position themselves as a middleman, they would just make the micropayments in Ether directly, or better yet, in a cryptocurrency that doesn't have a history of forking the blockchain to fix a bug in a major user's contract[3]. If they weren't trying to ride cryptocurrency hype, they'd just allow micropayments via a much-simpler-and-more-reliable REST API or similar since they're already the central authority anyway.

I don't think we can trust Brave with our privacy or attention. I don't think we can trust Brave with the decision of who gets paid for content. I don't think we need Brave as a middleman to pay content publishers. I don't like the state of how content is paid for on the internet, but I don't think Brave is the solution.

It's disappointing to me that Wikipedia has decided to associate their name with Brave's. A big part of why I respect Wikipedia is their long-standing policy of keeping independent from advertisers, and it seems naive of them to have not realized that Brave is an advertiser. I can understand why Wikipedia has made this decision, but I still think it is a compromise of Wikipedia's values, and I hope they'll reverse their decision in the future.

[1] https://brave.com/brave-ads-waitlist/

[2] https://brave.com/terms-of-use/

[3] https://www.coindesk.com/ethereum-executes-blockchain-hard-f...

Too many words, I'll use fewer.

1. Ad spend last year was over $100M in the US alone, ~$300M globally. Heading toward $1T globally. Users subscribing or paying out of goodwill won't cover this if we block it all and corner the market. We are doing anonymous and private ads (also donations and subscriptions, note well), no conflict with user in data or revenue share. Read my comments here, e.g., https://news.ycombinator.com/item?id=20841558. For you to claim a conflict, you have to show we make more than the user, cheat the user, or somehow steal or leak data to our advantage.

2. We are in the middle phase of a multiyear roadmap, where the last phase will distribute domain verification to many oracles, if we can't bake it into validators on-chain. If you know of an existing blockchain solution, please lay it on us. Also for handling OFAC and other KYC regulations (where we use Uphold today). We cannot intermediate ad revshares, and no blockchain today can either. We do not censor, our test for domain ownership or channel control is objective. If you think we won't get on to phase 3 of our roadmap, fine -- but don't use your speculations as if they were facts.

3. Here is a chart from end of 2017 showing relative volatility. BAT was 2nd least volatile above USDT, we beat Bitcoin and Ether. But we also have other advantages via BAT, including our user growth pool. If you discount that then you are arguing we should find a billionaire to replace it with Ether out of the grace of his or her charity. Who might that person be? Your argument here is cheap unless it's you.

https://twitter.com/woonomic/status/942921951252709376

I don't find these to be objections based on reason so much as misunderstandings or hostile speculations that we will fail. You aren't required to agree with us, we're not imposing any system on you. If you don't like BAT, just use Brave with its default settings. If you don't like Brave, there are lots of other browsers. If you have rational arguments against any bug or design flaw in our intentional work to replace surveillance with privacy tech for donating and advertising, I'm all ears.

I have a collective solution but not an individual solution: pressure Mozilla to change.
This is the direction I'm currently on.
They might need an Apple-like "courage" moment, and replace Google with DuckDuckGo or Startpage as their default search service.

Come to think of it, I would expect the same move from Apple as well, on Safari.

That would kill their primary revenue source. I agree, it needs to be done. Hopefully the new Mozilla CEO will figure out a way to do it.
Safari/DDG user here. Presumably Firefox could load the search results into a container that throws away all the cookies after the search is done. Doesn’t it work like that for FB?

Presumably, the real problem is that this would be against Google’s terms of the agreement between google and moz, but - at least technically - there is no reason to throw away access to google if that’s seen to be a desirable default.

Of course - I’m guessing that google is gonna add its own tracking variables to URLs, so any search result returned by google really is going to be suspect regardless of what we do.

GNU Icecat?
The downvotes you are receiving for pointing out facts illustrate the cesspool of Firefox hypocrisy that hacker news has become.
Honestly typing "privacy" into a UI that is designed to act as a search field for Google, and blaming that on Mozilla somehow, that's a stretch. What's next? Typing "which company faked the moon landing" and WOW you're redirected to Google! It must have been them.

It's nothing but opinionated. You can't honestly call this a "fact" and go on to claim that HN is hypocritical. That's... is there a word for hypocrisy about hypocrisy?

(The first point made is not even that bad, it's just that quagmire following it which dilutes the whole thing)

If Mozilla wanted to respect privacy the "UI that is designed to act as a search field for Google" could be a "UI that is designed to act as a search field for DuckDuckGo", it wasn't that long ago it was a search field for Yahoo. What's notable here is that Google is the default and in doing so is endorsed and recommended by Mozilla for its users.

So the fact here is that Mozilla made that choice to be in bed with Google.

The sad irony is Chrome on Android will insist on asking users for the default search engine choice (in the EU at least https://www.techspot.com/news/81273-google-android-users-eur... ).

Maybe think about it another way. Imagine Greenpeace defaulted to offering to book supporters private planes to get to every protest. It is this nature of extreme distance from organisational values that Mozilla is expressing when it defaults to Google search.

Let's completely neglect in those "facts" that Google offers the best search engine and that people want to use it
Brave defaults to Google in most countries, but we get paid $0 for it. We also disable auto-suggestions based on key by key tracking to Google as you type your search term, leaving it as an option some users choose to enable.

This isn't that hard (except for doing without the big bucks, which is hard: Brave is building up small revenue to large, not profitable yet -- again, we pay the user >= what we make, 70% of gross revenue for user-private ads, 15% for publisher partnered ads [not yet launched]).

I'm saddened that Google is the default. I hope Brave asks users in the future, but understand there are probably a few different goals being juggled whilst Brave grows.
I think that ship has pretty much sailed, but in either case that has nothing to do with Firefox's decision. If they wanted to use Google, for whatever reason, they could do so while supporting user privacy by piping it through e.g. Startpage.

They just want the Google $$$, privacy be damned.

I won't violate any NDA still binding me to Mozilla by agreeing that the default search deal in Mozilla is and historically has been done for funding the company. If they wanted to switch, they could -- but it would hurt financially, big time. That could imperil the project as a whole. It would definitely limit salaries at the top.
What happens when you turn on Chrome or Brave?