The Mozilla Monster

In Mozilla We Trust

My admiration for Mozilla and its flagship product, the Firefox web browser, continues to diminish over the years. To understand why i have lost a huge amount of respect for Mozilla as a company, we'll explore what Mozilla is and some of the controversial activities it has engaged in.

Many of us probably tend to associate the free, open-source software (FOSS) community with individuals or small organizations that selflessly give away their work expecting little or nothing in return, however this perception is wildly inaccurate in the case of the Mozilla Foundation which rakes in hundreds of millions of dollars annually. The vast majority of this revenue is generated as a result of Mozilla's partnerships with various ethically challenged and proprietary search engine companies such as Google, Yahoo, and others (you can read more about this in the article, Firefox Search Engine Cautions, Recommendations). As a result of Snowden, many of the masses are now painfully aware that these corporations track our web activities and sell the collected data to advertisers, governments, intelligence communities and who knows who else or for what other purposes. Other nefarious Mozilla partners have included Microsoft, Telefónica, LG Electronics, Sony, Verizon and Cisco. These kinds of partnerships could hardly be more at odds with statements Mozilla has made in its manifesto, including "Committed to you, your privacy and an open Web" and the current "Mozilla puts people before profit". How can Mozilla claim to be a privacy and free speech advocate while cultivating relationships with a laundry list of companies who have little or no regard for privacy and free speech?

The Mozilla Foundation is a non-profit that owns the taxable subsidiary, Mozilla Corporation. The Foundation was launched in 2003 with financial and other assistance from AOL and the Mozilla Corporation was created two years later. It is the latter that controls the source code for Firefox.

I started using Firefox around the time version 1.0 hit the streets in 2004, when it enjoyed a small but devoted audience comprised of people who appreciated its customization capabilities. Indeed it was a very hackable browser in that almost every element of its graphic interface as well as its core functionality could be extensively modified. While Firefox still remains one of the most customizable web browsers, Mozilla began restricting what users and add-on developers could do with the adoption of the Web Extension API in 2015 and the release of Firefox Quantum in 2017.

The release of Quantum presented a very different graphic interface which was styled to look remarkably similar to Google Chrome and this caused quite a stir in the Firefox community. The uniqueness of Firefox was lost in the minds of many upset users who preferred Firefox because it wasn't Google Chrome. The fallout continued as Mozilla caused several non-trivial headaches for add-on developers by changing the API (Application Programming Interface), eventually settling on the Web Extension API which is far less capable than the older XUL/XPCOM API, albeit less risky as well. As a result many add-on developers tossed in the towel in frustration and thus the community suffered yet another hit with the loss of their work. Further controversy would soon follow.

It has become quite apparent to me that the goals of the Mozilla Foundation clash with the ethics of some of the developers writing code for Firefox. While at least a portion of the developer community has a strong regard for user privacy, decisions at the corporate level have made it abundantly clear they are quite willing to sacrifice privacy in return for financial gain and market share. Some of these decisions have resulted in well deserved and severe backlashes from the community and it seems management is rather incapable of owning up to their mistakes. I think the driving force behind many of the poorer decisions is the perceived need to compete with Google Chrome which is by far the most popular web browser at this time (note that 'popular' does not equate to 'good').

Another issue that has caused numerous concerns regarding the ethics of Mozilla is the fact that Firefox has long shipped with several 'system add-ons' which are installed by default and without user permission. Worse, these add-ons do not appear in the extensions management interface (about:addons) and therefore there is no obvious way for the average user to disable or remove them, or even be aware they're installed at all in some cases. These system add-ons have been used for highly controversial purposes, including the mass collection of user data.

Let's take a look at a bit of the darker side of Mozilla's history...

2014 - Mozilla CEO resigns over anti-same-sex-marriage controversy

Just ten days after taking the job, Brendan Eich has resigned as CEO of Mozilla after sparking outrage over his donation to an anti-same-sex marriage campaign.

In 2008, Eich donated $1,000 to California's Proposition 8 campaign. Prop 8 was a ballot initiative that sought to make same-sex marriage illegal in the state. News of Eich's donation was first made public in 2012, but attracted a new wave of attention last week when Eich was promoted to CEO from his previous job as chief technology officer.

There is actually a lot more to this story than meets the eye and frankly i find it a little odd that a donation to Prop 8 by Eich, who co-founded Mozilla, would be used against him six years later. Nevertheless, this incident upset many users but i would submit that their reasons were not entirely justified.

2014 - Mozilla Firefox's 'Sponsored Tabs' Stir up Controversy

Mozilla, the maker of the popular web browser Firefox, recently announced that it still plans to follow through on its controversial plan to sell advertisements on "sponsored tabs."

Mozilla's original plan, introduced in February, called for new "Directory Tiles" to be added on a new tab for new users. In the past, these tiles were left blank until they were customized with recommendations based on a user's browsing history. Mozilla planned to sell these tiles to companies as sponsored ads, much to the chagrin of Firefox users.

[...]

In other words, Firefox plans to sell ad space on its tabs to monetize its user base of over 450 million users, who account for 17% of all web browsers used worldwide.

2015 - Mozilla responds to Firefox user backlash over Pocket integration

The complaints center around the fact Pocket is a proprietary third-party service, already exists as an add-on, and is not a required component for a browser. Integrating Pocket directly into Firefox means it cannot be removed, only disabled.

2017 - Mozilla Says It is Raising Privacy Awareness By Violating Privacy of Users

Mozilla’s latest Firefox release is better than Google Chrome, both in terms of speed and violating user’s privacy.

[...]

As Drew pointed out, this extension is actually an alternate reality Game. This extension will invert text that matches a list of Mr. Robot-related keywords like "fsociety", "robot", "undo", and "fuck", and does a number of other things like adding an HTTP header to certain sites you visit.

While this might sound fun, doing it without end user’s consent is a borderline privacy violation.

Let's be very clear here; what the corporate clowns at Mozilla did when they partnered with Mr. Robot for advertising purposes and forced the Looking Glass add-on on its users as part of that fiasco, was not "a borderline privacy violation", it was a flagrant violation of user privacy and trust, period. Ignoring the fact that these 'system add-ons', 'experiments' and 'Shield Studies' are often enabled by default, manipulating HTTP headers for certain websites as the Looking Glass add-on did, was not only possibly breaking web standards, it was making Firefox uniquely identifiable. That they did this without warning users, some of whom may have implemented precautions precisely to guard against such concerns, is unforgivable. The community backlash was immediate and widespread. As a result of the beating they took, Mozilla removed the add-on in the following version of Firefox and reworked their 'Shield Study' rules. The Looking Glass add-on is still available on AMO, however, where, as of this writing, 17 people gave it a 5 star rating and 52 a 1 star rating (make that 53 since i just dropped my two cents). Following are some of the comments left by disgruntled users...

Mozilla is not better than Google. It's maybe worse, because we expect it from Google but not from Mozilla. Mozilla has no ethics.

And...

Until today I thought that Mozilla's ethics would forbid this kind of action; indeed, it's the kind of thing I thought Mozilla would actively campaign against. I guess I'm disillusioned now.

I'm also concerned that Firefox is, on a technical level, able to install add-ons without explicit user/administrator approval. This seems like a MAJOR security vulnerability to me.

And...

This blunder is astonishing. It's not just that Mozilla installed it without permission or notification; it's also the implication that the company doesn't understand why this was a mistake. The apologies I've seen so far amount to "We're sorry we got caught. We didn't know better."

I don't like Chrome. And today I don't like Firefox. I have used Firefox from when it was Phoenix version 0.67. Last night I downloaded Vivaldi and Opera, and I will check them out.

2017 - Mozilla to launch Firefox Cliqz Experiment with data collecting

Mozilla notes that it is necessary to transfer address bar content to Cliqz servers to power the functionality. This means, essentially that anything that is entered into the address bar, either automatically or manually, is transferred to Cliqz.

In other words, users who are selected for participation are opted-in automatically in the data collecting.

2017 - The Mozilla Information Trust Initiative: Building a movement to fight misinformation online

Today, we are announcing the Mozilla Information Trust Initiative (MITI)—a comprehensive effort to keep the Internet credible and healthy. Mozilla is developing products, research, and communities to battle information pollution and so-called ‘fake news’ online. And we’re seeking partners and allies to help us do so.

So the company that is "committed to an open web" wants to limit how open it is. Mozilla lists a few potential partners they'd like to work with in this venture including one of the kings of mainstream news bias and propaganda, The Wall Street Journal, whom Mozilla sees as a "credible news-gathering organization". I have also seen an influx of 'fake news' detection add-ons in the AMO repository being developed by companies, including The Self Agency, LLC and Trustie, and many of these add-ons are flagging highly creditable websites run by battle scarred, independent, investigative journalists.

As Mozilla correctly recognizes, there is indeed a massive amount of misinformation, disinformation and heavily biased information floating around on the web in the alternative news scene, however they conveniently ignore the fact that some of the most dangerous offenders are the mainstream news corporations which they want to partner with, including those that promoted the Iraqi chemical weapons bullshit and subsequent invasion of the country, the regime change wars in Syria and Libya, and which are currently frothing at the mouth over the nuclear weapons that Iran doesn't possess and how terrible the elected president of Venezuela is because he's not another puppet of the U.S. The solution to this problem is not censorship and revenue generation under the laughably transparent guise of "community service", but rather to educate people on how to identify unreliable news sources which obviously Mozilla is in no position to do given its desire to partner with those same sources.

2019 - Firefox caves to pressure, to shut down controversial screenshot upload feature

Mozilla has positioned Firefox as the champion of privacy and independence on the internet but appears to be increasingly at risk of losing the trust of users.

The latest controversy regarding the company is its implementation of the screenshot feature, which uses clear dark patterns to trick users into uploading screenshots to their online screenshot gallery screenshots.firefox.com, which promoted but does not require the use of your Firefox Account.

2019 - Mozilla apologizes for recent add-on disabling issue and provides details

The last week has not been great for Mozilla. Last Friday, reports started to come in from around the world that installed add-ons would not verify anymore and were disabled as a consequence. Users could not download and install add-ons from Mozilla AMO anymore either.

Latest figures show that about 60% of Firefox users install add-ons in the browser; any issue affecting 60% of the user base, especially when it comes to personal choices made by those users, is as critical as it gets.

I was one of the millions of victims of this stupidity upon which i elaborated in the post, Mozilla showed me what the interwebs look like and now i have mad cow disease.

The future

Meanwhile the market share for Firefox continues to sink like a lead balloon in a vacuum. I don't think the hardcore audience that has stuck with Firefox through the years cared much about how popular it was, but like any corporate behemoth, what the users care about is of secondary importance; growth, market share, revenue and other useless corporate statistics seem to be the primary drivers of the Mozilla Foundation and i think this has caused the gap between Mozilla and its user base to widen even further. I know it has for me. The question is, how much more self-inflicted blow-back can Mozilla handle before it decides to end development of Firefox entirely? I think Mozilla has stabbed its users in the back enough times that the demise of the Firefox brand is imminent absent a radical shift in corporate overlord ethics. That said, i still use and recommend Firefox because i think it is better suited to security and privacy hardening than anything the mainstream competition has to offer, at least for the time being.

11 thoughts on “The Mozilla Monster”

  1. What do you think about Mozilla/FF soft-forcing its freedom-jeopardizing hyper-centralized DoH “in the name of privacy” upon its users by default? 99% of users can’t be bothered changing it to regular DNS even if they did realize what’s going on, because they don’t truly care about privacy enough, and the fact that it’s mirror-world and supposed to be better for privacy, and Mozilla knows it IMHO. It’s a super effective way to change the way the internet is used, just “default on” a feature of an application millions of people are using because the technicality/laziness/etc. will prevent 99% of them from turning it off.

    The proto-state, Mozilla, Alphabet, Twitter, Facebook, et al. have the shared objective of total control over the flow of ideas, that’s why they need everything and everyone centralized.

    1. i think there could be several answers to address your concern – i’ll give you one of them…

      Mozilla is certainly deserving of a good bashing now and again, however something needs to be done with DNS

      you said that “99% of users can’t be bothered changing it to regular DNS …” – well, on the flip side, that same 99% (very roughly) is currently using their ISP to provide lookups

      Whether Moz’s handling of DNS is a good idea depends on how that data is treated throughout the chain and i really don’t know enough about that to provide an intelligent answer, though i believe i recall Cloudflare being mentioned as a DNS provider which i think is pretty damned rotten, but is it more rotten than using an ISP???

      also you don’t have to stick with whatever provider Moz assigns by default – you can set it to one of your choosing, or, as you said, disable it altogether

      > The proto-state, Mozilla, Alphabet, Twitter, Facebook, et al. have the shared objective of total control over the flow of ideas, that’s why they need everything and everyone centralized.

      i certainly wouldn’t disagree – i hate to see Mozilla lumped in with those other companies, but they’ve proven to me that the ethics at Moz corporate aren’t all that ethical, particularly when they announced their ludicrous initiative to jump on the “fake news” bullshit bandwagon (which, by the way, they seem to be keeping quiet about)

      in short, i don’t think the DoH stuff may be as bad as you think, but i’m not certain of how good it is either – i haven’t paid much attention to it because i use the DNS service provided by VPN

      1. The purported idea is that DoH right away has a few big entities serving as endpoints, like Cloudflare, and “the intention” is for it to spread out and become more decentralized with time, that i’m not buying even a bit. The current trend is to offload your needs to someone else’s computers, leading to massive centralization, not the other way around. You’re right about the tradeoff between using your ISP for DNS which is probably selling your queries versus using currently centralized DoH facilitating central control and also probably selling your queries in one way or another, but the thing is, the power that centralization gives to only a few people scares me way more than my (decentralized) ISP taking advantage of me, at least my ISP has no real power to control what I say or what I can see or look up compared to a global mega-entity like Cloudflare. If your local ISP blocks something it might affect at most (generously) 100k people, but if cloudflare blocks or redirects something it will affect easily billions of users especially if Alphabet/Google hop on the centralization wagon with DoH too.

        1. in general i totally agree with what you’ve said – you’re right, and it’s obvious that you’re right

          however i would point out that centralization has become a major factor for ISPs as well i think, at least in the U.S. where there are, what, a half-dozen or so major providers (and some of them may be owned by the same company) and they have been shaping and injecting and doing whatever else they do to the data for a long time now

          it’s a very, VERY bad situation all around and it’s getting worse

    1. hi Ferd – i personally don’t recommend any Firefox derivative for 2 reasons; 1) they are often not kept up to date and therefore may contain security vulnerabilities and 2) there are few or no advantages to using them

      i used to use WF myself and i totally get your crapware point, however these concerns are easily addressed with proper config settings and junk like the system add-ons are easily deleted – also i had problems with WF that i didn’t with FF and at one point WF development was paused and fell much too far behind for my liking

      as ‘pants’ from the ghacks user.js project has essentially said, the security of our browsers is much too important to be left to 3rd parties that don’t keep up with patches and he’s in a position to know

        1. i thank you for the links – i read the entire 2 forum posts and the Reddit post and i have some comments…

          in addressing security concerns, ‘Moonchild’ stated the following…

          “…by e.g. adding TLS 1.3 support the moment it was standardized, by keeping a close eye on encryption and the browser’s security by continuing to port or re-implement security fixes that apply to Pale Moon […] it does not use obsolete technologies and does not have known security holes or vulnerabilities.”

          PM can afford to implement new toys much faster because the user base is insignificant compared to any mainstream browser

          as for the comment on security holes/vulnerabilities, who’s testing it? is the code audited? is there a bug bounty? and then there’s this…

          “It was reported on 10th July, 2019 that a data breach of the archive server holding previous binaries of the Pale Moon browser had occurred and malware inserted into the executables. This breach was discovered on the previous day. It is unknown when the breach first occurred.”

          while i cannot state for certain that PM is less secure than FF, i think we can agree that the resources available to the PM project are minuscule compared to Moz

          ‘Moonchild’ also comments on a Reddit post where the commenter stated that PM is “supporting a dying infrastructure” and, in one *very* significant way, it is, and that is in the extension dept. – i am certainly not saying that WebExtensions are better, though because of the API limitations they are apparently inherently more secure – still, i hate the limitations and i agree totally with MC that Moz has stuck its corporate nose right up Google’s ass – nevertheless, it’s what we have currently and MC’s decision to never, ever support WebExt makes absolutely zero sense to me and ensures its audience will, at best, remain very small and, at worst, eventually transition thus ensuring its death

          i browsed through PM’s extension repo a bit – there are a grand total of 41 in the security/privacy section and most of them haven’t been updated in 2-3 years (one since 2014) – as long as MC refuses to adopt WebExtensions, PM isn’t even a blip on the radar as far as i’m concerned

          the forum posts were a very good read and i would agree that maybe i’ve been too hard on PM, however my overall opinion hasn’t changed, not at all – i use FF not because i like it, but because i feel it’s the best candidate for the job and it offers a whole lot of flexibility in the add-on dept. that PM doesn’t and apparently never will

          again i thank you for the links however

          on a totally different note, i searched your name and found a post you apparently made regarding Tor where you responded to another comment…

          > There have been many exploits and Tor users who have been de-anonymized by US gov

          you replied with…

          “All of those users have been de-anonymized because of their own bad op-sec, not because of Tor by itself. Even the NSA has admitted that they cannot efficiently de-anonymize Tor users.”

          how do you know that it was the fault of every user that they got nicked? and on a whole other level, how could anyone possibly know the NSA’s capabilities? do you trust what they say?

          that said, if the NSA can crack Tor encryption, and i have less and less doubt that they can as time goes by, then they can certainly crack the common encryption algo’s used for the web, so maybe one is better off using Tor regardless

          but again, we cannot possibly know the capabilities of the NSA and therefore i think it’s very dangerous to assume anything – and if they have broken Tor, they’re certainly and obviously not about to let that leak
