[Silhouette]

Of course, you may have installed Thunderbird prior to the privacy policy existing in that form with those details.

By quite a few years, and apparently I'm not the only one.

But that's really not the point anyway. Burying opt-out phone home behaviour in nothing but legalese small print is a dark pattern. Having no way to disable it without going into obscure parts of the UI that no normal user (or even normal power-user) is ever likely to find is also a dark pattern.

Again, I appreciate your taking the time to share the links, but this is still a screw-up if Mozilla are trying to convince people they care about privacy. I don't think anyone can effectively defend general purpose software that includes covert, opt-out surveillance in any form in 2015. It's not so much that this particular feature is causing clear harm -- maybe it really is just an innocent feature that happens to expose a user count as a side effect -- it's the principle that doing stuff behind your user's back is OK, in a world full of malware that does stuff that very much is not OK.

[asutherland]

> But that's really not the point anyway. Burying opt-out phone home behaviour in nothing but legalese small print is a dark pattern. Having no way to disable it without going into obscure parts of the UI that no normal user (or even normal power-user) is ever likely to find is also a dark pattern.

I agree that "Burying opt-out phone home behaviour in nothing but legalese small print is a dark pattern." But I think you're mis-characterizing this specific instance of the blocklist ping as "covert, opt-out surveillance" and the arguably fairly readable privacy policy as "legalese small print".

Specifically, I think the blocklist feature paragraph is quite good and not weasel-words. It explains:

- Tersely what/when/why Thunderbird does the blocklist ping: "Thunderbird also offers a Blocklist feature. With this feature, once a day Thunderbird does a regularly scheduled, automatic check to see if you have any harmful add-ons or plug-ins installed."

- What Thunderbird does with that information: "If so, this feature disables add-ons or plug-ins that Mozilla has determined contain known vulnerabilities or major user-facing issues or fatal bugs (e.g., Thunderbird crashes on startup or something causes an endless loop). You may view the current list of Blocklisted items."

- The information included in the blocklist ping: "This feature sends Non-Personal Information to Mozilla, including the version of Thunderbird you are using, operating system version, build ID and target, update channel, and your language preference. This feature also sends Potentially Personal Information to Mozilla in the form of your IP address and a cookie."

- What Mozilla does with the information (which is indeed not trivially obvious): "In addition, Mozilla also uses this feature to analyze Thunderbird usage patterns so we may improve our products and services, including planning features and capacity."

- A disclaimer about the lack of UI: "Currently there is no basic user interface to disable the Blocklist feature."

And then we have 2 more sentences:

- The link on disabling and why you wouldn't want to disable: "This feature can be disabled by following the instructions in this article. Disabling the Blocklist feature is not recommended as it may result in using extensions known to be untrustworthy."

And that was all of it.

In regards to the UI, if there had been a discussion about whether we should have a basic UI affordance for disabling the feature (there was not, to my knowledge), I think the bulk of the Thunderbird team would have argued against it because the risk to the user of rogue plugins/extensions was and continues to be serious. (Plugins probably more than extensions; Thunderbird tends to pick-up all the plugins that Firefox would see and most adware/malware implementors seemed otherwise unconcerned with Thunderbird.) Now if the checkbox also entirely disabled extensions and plugin loading, that could provide a safe trade-off for the user. But then we run into the whole "supported configuration problem". Every option adds new permutations that can lead to new failures, etc.

[Silhouette]

But I think you're mis-characterizing this specific instance of the blocklist ping as "covert, opt-out surveillance" and the arguably fairly readable privacy policy as "legalese small print".

For a long time, I didn't even know Thunderbird had a privacy policy, and I've been using it for years. Why would anyone expect software they installed locally to need one? Thunderbird is a mail client, so why would they expect it to send data to anyone other than e-mails to their chosen recipients? And even if they knew the privacy policy existed, did anything suggest to them that they might want re-read that policy to find these changes when they were added? I assume the details were also on display in my local planning department in Alpha Centauri.

Incidentally, if you're reading this and thinking that I'm naive and/or over-reacting, you might want to stop and consider the company you're keeping. What other types of people use software that does things the user doesn't expect, collect data without advertising it, and make arguments about implied consent, the relevant disclosure being available somewhere hardly anyone will ever look, or how it's all done to improve the user's experience somehow? How many of those people do most of us like?

In any case, from both a practical and probably a legal perspective, anything that is not actively presented to a user is the electronic version of small print at best. You can rationalise this as much as you like, but the facts are:

1. Thunderbird is phoning home.

2. The user is not informed of this explicitly.

3. The user is certainly not actively giving their consent.

4. This still appears to be the case even if the user has explicitly opted out of sending telemetry when the software was first installed.

IMHO, any such policy is indefensible in 2015 if you want to be taken seriously as an organisation that protects privacy. This particular behaviour may be a minor infraction, but it's the general principle (and, frankly, your enthusiasm for defending it) that is of greater concern.

Edit:

the risk to the user of rogue plugins/extensions was and continues to be serious. (Plugins probably more than extensions; Thunderbird tends to pick-up all the plugins that Firefox would see and most adware/malware implementors seemed otherwise unconcerned with Thunderbird.)

WTF??!! Thunderbird is apparently automatically running a whole bunch of plug-ins that I only installed for Firefox and have long ago set (in Firefox) not to run automatically, or in some cases that I didn't even voluntarily install at all. None of these things have any business being in any sort of e-mail client at all. When and how the [multiple expletives deleted] did this happen? I thought you (generic 'you') were concerned about someone installing an extension that had a buggy update and caused a hang on start-up or something. The idea that someone could send, say, an HTML e-mail with something like Flash/Java/Silverlight embedded in it and have it run by default is moderately terrifying.

[jcranmer]

One thing that Thunderbird reports back to servers is telemetry usage, which helps provide feedback on whether or not rare charsets (e.g., VISCII) need to be supported or how much weight should be placed on implementation of, say, NTLM or GSSAPI.

Also, Thunderbird permits neither JavaScript nor plugins to run in emails. It does permit plugins in cases such as displaying an RSS feed inline.

[narrowrail]

My solution to the plug-in problem (not Thunderbird specific) is to not install Flash/Java RE/Silverlight on my machine at all. Not that that helps you here, but I do wonder why more people don't just remove such software.

[Silhouette]

As it happens, on the machine in question I have valid reasons for needing all of the above at times, hence their presence in Firefox but with activation on demand only.

But I have eight plug-ins installed in Thunderbird, and some of them I don't even know what they do. Why does Google need an update plug-in that I never requested or gave permission for to be installed in Firefox and Thunderbird?