I'm really trying to make sense of the new @mozillaofficial privacy policy.
Here's where I'm getting tripped up:
> Mozilla doesn’t sell data about you (in the way that most people think about ‘selling data’)
OK, sure. But if Moz isn't "selling my data in the way that most people think about selling data" then how *is* Moz selling my data?
@pluralistic @mozillaofficial
Doesn't Google pay them to have their search bar defaulted? I wonder if it's related.
Plus all of the things they're saying about anonymized advertising tokens or whatever
Edit; I'm not interested to learn about the nuances of their pivot to advertising friendliness
Did the people responsible for Biden’s messaging jump over to Moz? 🤦🏻
(disclaimer, I worked at nscp and i want moz to succeed, despite themselves)
"Anonymizing" is nonsense in this context; they're providing user data to 3rd parties in exchange for something. This is a "sale" as reasonable people would understand it.
"We still put a lot of work into making sure that the data that we share with our partners (which we need to do to make Firefox commercially viable) is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like OHTTP)."
Unfortunately, they're going about this in the same weasel way as Meta, Google, et al.
🤥 Claims of end-user #privacy via data aggregation are disingenuous -- as we've seen repeatedly.
Author of these new terms is recent hire Ajit Varma.
"Varma, the author of the above announcements, as a Firefox veep after previously looking after WhatsApp for Meta, and before that, Gmail, and its related tools for Google."
⭐ Don't hire from bad actors lest you become one.
📚 Estimating the success of re-identifications in incomplete datasets using generative models [Nature][open access]
2019 article about the realities of privacy of aggregated user data:
"... 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes."
Anonymization has been the main means of addressing privacy concerns in sharing medical and socio-demographic data. Here, the authors estimate the likelihood that a specific person can be re-identified in heavily incomplete datasets, casting doubt on the adequacy of current anonymization practices.
@pluralistic Mozilla leaves your data in a hollow tree in a nearby park, and then two weeks later it finds a fat brown envelope stuffed with dollar bills under the doormat. The two events could be quite unrelated, so it's hard to show that Mozilla’s really SELLING the data, per se.
Your data wants to be free. Mozilla accepts modest contributions to cover the costs of giving your data its liberty.
Mozilla is paid exclusively in eggs and maple syrup. It's more like barter than an actual sale.
@angusm @pluralistic
...and everyone LOVES eggs and maple syrup.
Especially CANADIAN maple syrup.
🇨🇦 👍
@boutell @pluralistic @mozillaofficial Ladybird is a bunch of nazi fucks.
If you need a reference for this, see my thread where someone from the team is arguing that having nazis on the project is perfectly fine:
https://mastodon.gamedev.place/@psychpsyo/114088490933152222
@dalias@hachyderm.io I disagree on both accords. If Nazis have to leave their Nazi stuff at the door and be respectful and accepting, I do not see what good ostracizing them for unrelated-to-the-project views does. It will not change their views, it will not limit how they can spread their views and, at worst, push them into echo chambers and further worsen their opinions on people. (1/2)
@pluralistic @mozillaofficial "we promise we're not gonna do what you think we're gonna do, but we're not gonna tell you what we're going to actually do" shady af, poor communication at best
ima start packing
@pluralistic @mozillaofficial Can I raise a thought, not as an accusation, but as a question of 'is this a valid concern?'
We always assume data is for advertisers selling AI penis pills, but politics is big money. Possibly bigger.
If political parties or the like wanted to pay good money to profile the people who are trying not to be profiled, wouldn't buying Mozilla data be invaluable?
Especially since Big Tech is rapidly aligning with the new regime, it's hard to shake the thought.
They explained it in a blogpost that almost nobody read because it came too late and apparently isn’t linked in the right places:
https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/
@pluralistic @mozillaofficial Well yes, if it's worth something to the data market, then it's worth protection for the user.
The value of that data, whether anonymized or identifiable, translates into consumers paying (more).
It's leveraging gateway privilege, part of the 'walled garden' strategy.
Based on all their communications in the past few years I perceive that they are trying to set themselves up to be an advertising platform.
Your search queries and anything else you type in the url bar, for example, will be analyzed and the results shared with advertisers — without telling them more than what they need to know to best enhance your web experience with ads, so your privacy remains protected. This system will make Firefox commercially viable by rapidly shrinking its userbase down to a more sustainable size.
@pluralistic @mozillaofficial The whole thing is the wrong question. IDGAF if they're selling it or not. The problem is that they're claiming a right to even have it. Mozilla is not party to anything we do with Firefox, but they're trying to insert themselves there, and they can fuck right off about that.
You can't sell something you don't have. The problem isn't the selling but the having.
Here’s a question — Mozilla is motivated by money to be “viable” — if every user paid $1/month, they’d be overflowing with cash. How many people need to spend $10/month to adequately fund Firefox to be a private and secure browser?
@JustinDerrick @pluralistic @mozillaofficial they'd need every user they have to be putting in at least three dollars a month. I did some napkin math here:
@pluralistic @mozillaofficial smells like selling training data to LLM companies or training LLMs themselves to sell as a service.
Also i absolutely resent the "oh, we are so sorry you were confused by our statement"
I HATE that patronizing double speak corporate PR bullshit.
@pluralistic @mozillaofficial Apparently it has to do with CCPA’s definition of “selling data” which simply includes data being transferred to any third party for any reason. Because Mozilla uses tools for collecting usage metrics and has some marketing and tracking stuff built in, any third party involved in this would receive this data, and the CCPA considers this “selling data”.
It can apparently be so over-broad that service providers have included this kind of language simply for your data being hosted in their services in a third party provider like Hetzner, AWS, etc.
So it appears to be some potentially over-broad definitions in law.
@bedast @pluralistic @mozillaofficial Couldn't they have just been mildly more specific in the privacy policy to state as such to avoid such a panic response?
A lot of these laws could be complied with easily by explicitly listing what is collected, how it is processed/anoymized, and who/what/how it's shared. In other words, proper disclosure instead of masking with legalese to avoid it.
@bedast @pluralistic @mozillaofficial I don't buy it, sorry to say. There are graceful ways for orgs + lawyers to handle this. Rather than a broad clause like that, you can separate collection & usage into sections and describe it.
For ex, in cases where data is necessary for payment processing, email subs etc my orgs specify that collection + usage and the reason it's warranted.
Mozilla does telemetry I won't do, but still could've written that in specific terms. No one would have bat an eye.
@profdiggity @bedast @pluralistic @mozillaofficial
The question I have is what contract lawyers might make of the "and never will" and "that's a promise" bits of the old statement.
It was taken by the users as a binding commitment. We agreed (as much as anybody really does with shrink-wrap*) to those terms.
*One day I need to see this argument taken to a real judgement instead of a slimy settlement. A contract requires equity and a meeting of minds, not drive-by binding of victims.
@Fuzz_Ra @bedast @pluralistic @mozillaofficial Disclaimer: IANAL.
Those statements are less vague than "don't be evil" so possible it's actionable. But I very much doubt it.
ToU often have a clause that allows for updates without notification (because how would you notify a past visitor to a website or a browser user? etc) and it's probably proper for marketing copy that aligns with that ToU to then be changed to align with a new one... 1/2
@Fuzz_Ra @bedast @pluralistic @mozillaofficial ...plus those statements might be considered "puffery" though it's a weak argument.
Nearly all ToU and FOSS licenses have a disclaimer of warranty and/or limitation of liability - in MIT license it's most of the text. GPL and MPL have them. etc.
So proving injury would likely only be for extreme cases, not for data harvesting.
ToS with Mozilla customers is different and between those parties. Not sure if they sell services, FFox ESR, etc. 2/2
@profdiggity @bedast @pluralistic @mozillaofficial
I'm also (even more) very much not a lawyer and we're under related but diverged legal systems.
Where I am (UK) the Unfair Contract Terms Act (1977) binds companies while bouncing consumers out to the Consumer Rights Act (2015) with much looser terms for nopeing out of thieving bullshit. It would be nice to see that applied to the modern reality.
@bedast @pluralistic @mozillaofficial it's a hard explanation for me to accept given my experience with Mozilla and folks at Mozilla. They know this stuff re: data and licensing extremely well.
This response seems like a smokescreen, and one with multiple iterations.
I wish Mozilla and Firefox well. There might be some soul-searching here to do and some re-centering of the org around its core values.
@profdiggity @pluralistic @mozillaofficial I'm a user of medical devices and I ran across someone complaining that Abbott has similar data sharing boilerplate in order to use their Libre sensors. Though it's worth noting Abbott has a bit more regulation to follow via HIPAA.
But one thing they do is host a page that explains all of the ways they use your data with adequate detail. It's possible HIPAA requires this, but it's something other companies could follow to help with trust.
Cory Doctorow
2xfo
inpc
Alaric Snell-Pym
joriki
Dan Hugo
Drew Crecente (they/them)
Aral Balkan
Angus McIntyre
Kid Mania
Sensitivityi
Dieu
Me 🐶
mimiimim
Tom Boutell
Cassandrich
Mohab
Jason Bowen 🇺🇦
boiga
Bill Zaumen
Airikr 
Sharp Leaves
gregg r
Andrew 🌻 Brandt 🐇
Alex Block 🇨🇦🍁🇨🇦
Slatian
Ride Theory
Sibshops
j5v
kbal
Urzl
Jorge Vilar Palop
+>e
Justin Derrick
Preston Maness ☭
Alien software, human hardware
BedastGPT
Sean O'Brien
Fuzz-Ra
ShutterBugged
Andrew Zonenberg