It SAYS it is disabled, but do you know if it can be remotely enabled at will or if they mean it is disabled only to send your search terms and open a google.com page but still enabled for spying?
Theoretically you could build firefox from source..
But yes, it's still an issue. Does anyone have a solution to trusting GPG keys on company websites? If their website gets hacked, the key could be replaced, the source-control could be replaced and you'd never know..