The Mozilla Monster

My admiration for Mozilla and its flagship product, the Firefox web browser, has diminished greatly over the years. To learn why i have lost a lot of respect for Mozilla as a company we’ll explore what Mozilla is and some of its controversial activities.

Many of us probably tend to associate the free, open-source software (FOSS) community with individuals or small organizations which selflessly give away their work expecting nothing in return. However, this perception is wildly inaccurate in the case of the Mozilla Foundation which rakes in hundreds of millions of dollars annually. The vast majority of this revenue is generated as a result of Mozilla’s partnerships with various ethically challenged and proprietary search engine companies such as Google, Yahoo, and others. You can read more about this in the article, Firefox Search Engine Cautions, Recommendations. As we now know, these corporations track our web activities and sell the collected data to advertisers, governments and intelligence communities and who knows who else. Other nefarious Mozilla partners have included Microsoft, Telefónica, LG Electronics, Sony, Verizon and Cisco. These kinds of partnerships could not be more at odds with statements Mozilla has made in its manifesto, including “Committed to you, your privacy and an open Web” and the current “Mozilla puts people before profit”. How can Mozilla claim to be a privacy and free speech advocate while cultivating relationships with a laundry list of entities who have little or no regard for privacy and free speech?

The Mozilla Foundation is a non-profit that owns the taxable subsidiary, Mozilla Corporation. The Foundation was launched in 2003 with financial and other assistance from AOL and the Mozilla Corporation was created two years later. It is the latter that controls the source code for Firefox.

I started using Firefox around the time version 1.0 hit the streets in 2004, a time when it enjoyed a small but dedicated audience comprised of people who appreciated its extensive customization capabilities. Indeed it was a very hackable browser in that almost every element of its graphic interface as well as its core functionality could be heavily manipulated. While Firefox still remains one of the most customizable web browsers, Mozilla began restricting what users and add-on developers could do with it with the adoption of the Web Extension API in 2015 and later the release of Firefox Quantum in 2017.

The release of Firefox Quantum presented a very different graphic interface which was styled to look remarkably similar to Google Chrome and this caused quite a stir in the Firefox community. I think the uniqueness of Firefox was lost and this upset many users who liked it because it wasn’t Google Chrome. The fallout continued as Mozilla caused several non-trivial headaches for add-on developers by changing the APIs, eventually settling on the Web Extension API which is far less capable than the older XUL/XPCOM APIs. As a result some add-on developers tossed in the towel in frustration and thus the community suffered another hit with the loss of their work.

It has become quite apparent to me that the goals of the Mozilla Foundation clash with the ethics of some of the developers writing code for Firefox. While at least a portion of the developer community has a strong regard for user privacy, decisions at the corporate level have made it abundantly clear that they are quite willing to sacrifice privacy in return for financial gain and market share. Some of these decisions have resulted in severe backlash from the community and it seems management is rather incapable of acknowledging this. I think the driving force behind many of the poorer decisions is the perceived need to compete with Google Chrome which is by far the most popular web browser at this time (note that ‘popular’ does not equate to ‘good’).

StatCounter Browser Market Share

One of the problems that has caused numerous concerns regarding the ethics of Mozilla is the fact that Firefox ships with several ‘system add-ons’ which are installed by default and without user permission. Worse, these add-ons do not appear in the extensions management interface (about:addons) and therefore there is no obvious way for the average user to disable or remove them, or even be aware that they’re installed at all in some cases. Even more worrying is the fact that these system add-ons have been used for very controversial purposes, including the mass collection of user data. Let’s take a look at a few of the more interesting developments in Mozilla’s history…

2014: Mozilla CEO resigns over anti-same-sex-marriage controversy

Just ten days after taking the job, Brendan Eich has resigned as CEO of Mozilla after sparking outrage over his donation to an anti-same-sex marriage campaign.

In 2008, Eich donated $1,000 to California’s Proposition 8 campaign. Prop 8 was a ballot initiative that sought to make same-sex marriage illegal in the state. News of Eich’s donation was first made public in 2012, but attracted a new wave of attention last week when Eich was promoted to CEO from his previous job as chief technology officer.

There is actually a lot more to this story than meets the eye and frankly i find it a little odd that a donation to Prop 8 by Eich, who co-founded Mozilla, would be used against him six years later. Nevertheless, this incident upset many users but i would submit that their reasons were not entirely justified.

2014: Mozilla Firefox’s ‘Sponsored Tabs’ Stir up Controversy

Mozilla, the maker of the popular web browser Firefox, recently announced that it still plans to follow through on its controversial plan to sell advertisements on “sponsored tabs.”

Mozilla’s original plan, introduced in February, called for new “Directory Tiles” to be added on a new tab for new users. In the past, these tiles were left blank until they were customized with recommendations based on a user’s browsing history. Mozilla planned to sell these tiles to companies as sponsored ads, much to the chagrin of Firefox users.

[…]

In other words, Firefox plans to sell ad space on its tabs to monetize its user base of over 450 million users, who account for 17% of all web browsers used worldwide.

2015: Mozilla responds to Firefox user backlash over Pocket integration

The complaints center around the fact Pocket is a proprietary third-party service, already exists as an add-on, and is not a required component for a browser. Integrating Pocket directly into Firefox means it cannot be removed, only disabled.

2017: Mozilla Says It is Raising Privacy Awareness By Violating Privacy of Users

Mozilla’s latest Firefox release is better than Google Chrome, both in terms of speed and violating user’s privacy.

[…]

As Drew pointed out, this extension is actually an alternate reality Game. This extension will invert text that matches a list of Mr. Robot-related keywords like “fsociety”, “robot”, “undo”, and “fuck”, and does a number of other things like adding an HTTP header to certain sites you visit.

While this might sound fun, doing it without end user’s consent is a borderline privacy violation.

Let me be very clear here; what the corporate clowns at Mozilla did when they partnered with Mr. Robot for advertising purposes and shipped the Looking Glass add-on with Firefox as part of that fiasco was not “a borderline privacy violation”, it was a flagrant violation of user privacy and trust, period. Ignoring the fact that these ‘system add-ons’, ‘experiments’ and ‘Shield Studies’ are often enabled by default, manipulating HTTP headers for certain websites, as the Looking Glass add-on did, was not only possibly breaking web standards, it was making Firefox uniquely identifiable. That they did this without warning users, some of whom may have implemented precautions precisely to guard against such concerns, is unforgivable. The community backlash was immediate, widespread and harsh and Mozilla was forced to remove the add-on in the following version of Firefox and clarify their ‘Shield Study’ rules as a result. The Looking Glass add-on is still available on AMO where, as of this writing, 17 people gave it a 5 star rating and 52 a 1 star rating (make that 53 since i just dropped my two cents). Following are some of the comments left by disgruntled users…

Mozilla is not better than Google. It’s maybe worse, because we expect it from Google but not from Mozilla. Mozilla has no ethics.

And…

Until today I thought that Mozilla’s ethics would forbid this kind of action; indeed, it’s the kind of thing I thought Mozilla would actively campaign against. I guess I’m disillusioned now.

I’m also concerned that Firefox is, on a technical level, able to install add-ons without explicit user/administrator approval. This seems like a MAJOR security vulnerability to me.

And…

This blunder is astonishing. It’s not just that Mozilla installed it without permission or notification; it’s also the implication that the company doesn’t understand why this was a mistake. The apologies I’ve seen so far amount to “We’re sorry we got caught. We didn’t know better.”

I don’t like Chrome. And today I don’t like Firefox. I have used Firefox from when it was Phoenix version 0.67. Last night I downloaded Vivaldi and Opera, and I will check them out.

2017: Mozilla to launch Firefox Cliqz Experiment with data collecting

Mozilla notes that it is necessary to transfer address bar content to Cliqz servers to power the functionality. This means, essentially that anything that is entered into the address bar, either automatically or manually, is transferred to Cliqz.

In other words, users who are selected for participation are opted-in automatically in the data collecting.

2017: The Mozilla Information Trust Initiative: Building a movement to fight misinformation online

Today, we are announcing the Mozilla Information Trust Initiative (MITI)—a comprehensive effort to keep the Internet credible and healthy. Mozilla is developing products, research, and communities to battle information pollution and so-called ‘fake news’ online. And we’re seeking partners and allies to help us do so.

So the company that is “Committed to you, your privacy and an open Web” apparently wants to influence what news people read. Mozilla lists a few potential partners that they’d like to work with including one of the many kings of mainstream news bias and propaganda, The Wall Street Journal, whom Mozilla sees as a “credible news-gathering organization”. I have also seen an influx of ‘fake news’ detection add-ons in the AMO repository being developed by companies, including The Self Agency, LLC and Trustie, and many of these add-ons are warning users when they visit highly creditable websites run by battle scarred independent investigative journalists.

As Mozilla correctly recognizes, there is indeed a massive amount of misinformation, disinformation and heavily biased information floating around on the web in the alternative news scene, however they conveniently ignore the fact that some of the most dangerous offenders are the mainstream news corporations which they want to partner with, including those that promoted the invasion of Iraq, Syria and Libya and are currently fostering aggression toward Iran and Venezuela. The solution to this problem is not censorship or manipulation under the transparent guise of community service, but rather to educate people on how to identify unreliable resources which obviously Mozilla is in no position to do given its desire to partner with those same unreliable sources.

2019: Firefox caves to pressure, to shut down controversial screenshot upload feature

Mozilla has positioned Firefox as the champion of privacy and independence on the internet but appears to be increasingly at risk of losing the trust of users.

The latest controversy regarding the company is its implementation of the screenshot feature, which uses clear dark patterns to trick users into uploading screenshots to their online screenshot gallery screenshots.firefox.com, which promoted but does not require the use of your Firefox Account.

2019: Mozilla apologizes for recent add-on disabling issue and provides details

The last week has not been great for Mozilla. Last Friday, reports started to come in from around the world that installed add-ons would not verify anymore and were disabled as a consequence. Users could not download and install add-ons from Mozilla AMO anymore either.

Latest figures show that about 60% of Firefox users install add-ons in the browser; any issue affecting 60% of the user base, especially when it comes to personal choices made by those users, is as critical as it gets.

I was one of the millions of victims of this stupidity which you can read about in the post, Mozilla showed me what the interwebs look like and now i have mad cow disease.

The future

Meanwhile the market share for Firefox continues to sink like a lead balloon. I don’t think the hardcore audience that has stuck with Firefox through the years cared much about how popular it was, but like any corporate behemoth, what the users care about is of secondary importance; growth, market share, revenue and other useless corporate statistics seem to drive the Mozilla Foundation to a worrying extent and i think this has caused the gap between Mozilla and its user base to widen even further. I know it has for me. The question is, how much more self-inflicted blow-back can Mozilla handle before it is forced to end development of Firefox? I think the answer is ‘less than none’. I think Mozilla has pissed off enough people and stabbed its users in the back enough times that the demise of the Firefox brand is imminent absent a radical shift in ethics. That said, i still use and recommend Firefox because i think it is better suited to security and privacy hardening than the competition, for the time being anyway.

PSA: Firefox extensions wonkiness – recovering from extensions.json hack

UPDATE: deleting extensions.json did not work by itself – i ended up rebuilding my Firefox profile and importing only the necessities

In a previous post i offered a quick tutorial that i scarfed from ghacks.net which would re-enable all the add-ons that Mozilla disabled because of their certificate blunder. The file we manipulated in order to achieve this was extensions.json. Well, i started noticing some weirdness in that extensions that i installed post-fix weren’t showing up in about:addons after a browser restart.

If you also employed the extensions.json hack to get your add-ons re-enabled, i suggest backing up your profile, deleting extensions.json and restarting the browser. There should be nothing more to do.
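Before deleting extensions.json it is worth seeing what it records, including the system add-ons that never appear in about:addons. The following is an added example, not code from the original posts or from Mozilla: a small auditor that reads the file's JSON and flags add-ons installed outside the profile or hidden from the add-on manager. The field names (`addons`, `id`, `location`, `active`, `hidden`, `signedState`) and location values are assumptions based on the commonly observed layout of the file, and the sample data is constructed.

```python
import json

# Constructed sample mimicking the layout of a profile's extensions.json.
# Field names and location values are assumptions; compare with your own file.
SAMPLE = json.dumps({
    "schemaVersion": 31,
    "addons": [
        {"id": "user-addon@example.invalid", "location": "app-profile",
         "active": True, "hidden": False, "signedState": 2},
        {"id": "study@example.invalid", "location": "app-system-addons",
         "active": True, "hidden": True, "signedState": 3},
        {"id": "bundled@example.invalid", "location": "app-system-defaults",
         "active": False, "hidden": True, "signedState": 3},
        {"id": "broken@example.invalid", "location": "app-profile",
         "active": False, "hidden": False},  # no signedState recorded
    ],
})

def audit(extensions_json_text):
    """Return one record per add-on with the flags a reviewer cares about."""
    data = json.loads(extensions_json_text)
    report = []
    for addon in data.get("addons", []):
        location = addon.get("location", "unknown")
        report.append({
            "id": addon.get("id", "<missing id>"),
            "location": location,
            "active": bool(addon.get("active", False)),
            # Anything not stored in the user's profile was not put there
            # through the normal user install path.
            "outside_profile": location != "app-profile",
            # Assumption: hidden entries are not listed in about:addons.
            "hidden": bool(addon.get("hidden", False)),
            "signed_state_recorded": "signedState" in addon,
        })
    return report

def unseen_and_active(report):
    """IDs of add-ons that are running but not listed for the user."""
    return sorted(r["id"] for r in report if r["active"] and r["hidden"])

if __name__ == "__main__":
    rows = audit(SAMPLE)
    for row in rows:
        print(row)
    print("active but hidden:", unseen_and_active(rows))
```

To audit a real profile, close Firefox, copy extensions.json out of the profile directory and pass the copy's contents to `audit()`, which only reads the data.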

Article update: Firefox Extensions – My Picks

Firefox Extensions – My Picks was updated. The changes…

  • removed Don’t touch my tabs! – not needed if using CanvasBlocker
  • removed Header Editor
  • moved Extension source viewer to the added functionality section
  • moved Violentmonkey to the added functionality section
  • added Maximize All Windows (Minimalist Version)
  • added mozlz4-edit
  • added Scroll Up Folder
  • minor edits

If you typically maximize Firefox and you have privacy.firstparty.isolate enabled, you may be annoyed when it fails to remember its state after restart. The Maximize All Windows (Minimalist Version) add-on solves the problem, but know that Firefox may be greatly more vulnerable to fingerprinting as a result.

Article update: Firefox Configuration Guide for Privacy Freaks and Performance Buffs

I added a bit of information to the Firefox Configuration Guide for Privacy Freaks and Performance Buffs regarding a serious problem with Firefox and add-ons that use Content Security Policy (CSP) to modify HTTP headers. Read the 2nd paragraph here if interested. Mozilla has done nothing about this for a year and the clock continues to tick. Chromium is apparently not affected by this issue, but it’s got its own problems.