Firefox is a less bad option, even with the recent stupid policy changes they've made.
Or there are a bunch of other options that care about privacy (see https://privacytests.org/). Brave, Librewolf, Arc, Zen, Orion (Kagi's thing). I tried Orion for a few days recently, but it started crashing randomly and felt unstable and slowed down after real-world use (3-6 windows, many many tabs, dev tools, etc).
I really wish there was more competition here from the smaller, privacy focused players...but the reality is building a browser is insanely difficult for the modern web.
Firefox didn't make stupid policy changes. Firefox made policy changes they were legally required to in order to comply with a stupidly-worded California law.
And thank WHATWG for making it impossible for indie players to remain compliant with modern standards by turning W3C's eminently reasonable and wholly sufficient specifications into a hulking monstrosity that's simultaneously large enough to be used as a stress test for your mobile browser's rendering engine (seriously. go try to load up 'view-source:https://html.spec.whatwg.org/'. At the time of writing, the HTML for that single-page version is over 98,254 lines composing over 15MB of plain HTML) while simultaneously quite literally being defined as a continuously moving target.
> Firefox didn't make stupid policy changes. Firefox made policy changes they were legally required to in order to comply with a stupidly-worded California law.
They had other options, including not collecting and selling user data. The California law is working as intended.
They're not selling user data in any sense that any ordinary, reasonable person would understand, only in California's excessively broad definition that may technically cover a litany of entirely noncommercial uses, like using opt-in customer metadata to improve their own free product, without distributing it to any third party at all.
Businesses like to avoid risk where possible, and Mozilla's lawyers pushed this wording to ensure compliance with the riskiest possible interpretation of California's ambiguous and poorly-worded law.
The Mozilla Corporation sharing user metadata with the Mozilla Foundation to assist with internal decision making may technically meet California's definition of "sale of data" despite constituting absolutely nothing even vaguely resembling what laypeople would consider a "sale of data".
Note that the CCPA's "third party" clause is part of an "OR" set, alongside "another business". Mozilla Foundation and Mozilla Corporation are respectively "another business" relative to each one's self, despite not being unrelated third parties.
The problem is not that Mozilla is actually selling user data (they're not in the sense that any layperson would understand "selling data" to mean), the problem is the way the California law is worded.
As usual, tech-illiterate politicians aren't even competent enough to write laws with the nuance and understanding required to not botch the entirely good and justified intention without pointing a loaded legal gun at the heads of the genuinely innocent. Think along the lines of the CFAA's legal risks to good-faith security researchers¹, or how the DMCA would technically criminalize discussion of how to decode Pig Latin if that was used as a copyrighted media protection technique.
It appears you are trying to explain why CCPA's does not meet the layperson's definition of "selling data". After reading your explanation I'm none the wiser. Given no one has replied, I suspect that's true for most people. They've just scratched their head and moved on.
I was about to do that too, when it dawned on me you probably have no idea people don't understand what you are saying. Maybe an example would help. It needs to be something a layman would not consider to be "selling data" but the CCPA defines that way.
Claiming that users just don't understand what selling their data means is incredibly patronizing. Everyone colloquially understands that "selling user data" isn't limited to just selling ZIP archives of our browsing history, but also includes e.g. targeted advertising by the likes of Google, which is precisely why we sought alternatives that explicitly promised not to sell our data.
I'm not making the claim that users don't understand what "selling their data" means, I'm making the claim that Mozilla is not doing anything that any reasonable person other than a lawyer interpreting the CCPA in the most unreasonable way possible would consider what Mozilla is doing to be "selling of data". It's an internal transfer between the Mozilla Foundation and the Mozilla Corporation that doesn't even involve money. No payments. No third parties whatsoever. In the CCPA's poor and ambiguous wording, this does technically constitute "sale of data", as the CCPA defines it. Please read my other newer posts in this thread.
> The reason we’ve stepped away from making blanket claims that “We never sell your data” is because, in some places, the LEGAL definition of “sale of data” is broad and evolving. As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
How is the CCPA stupidly-worded when that's what a layman would think "selling data" means?
I do wholeheartedly agree with your sentiments about the WHATWG though, as someone who contributed to Pale Moon's development. That web browser cartel should be investigated by the US government for anti-competitive practices as they did with Google and Microsoft.
> How is the CCPA stupidly-worded when that's what a layman would think "selling data" means?
Because it is the twisty logic that lawyers can apply which is relevant to mitigate legal risk, not what a layman would think.
Where I work, our lawyers are convinced that running our code in the cloud to run our service counts as "distribution" under the terms of open source licenses. Because a cloud employee might accidentally look at it or something? Who knows. A lawyer sees legal risk in things you or I don't; they should know I guess!
The Mozilla Corporation sharing user metadata with the Mozilla Foundation to assist with internal decision making may technically meet California's definition of "sale of data" despite constituting absolutely nothing even vaguely resembling what laypeople would consider a "sale of data".
Note that the CCPA's "third party" clause is part of an "OR" set, alongside "another business". Mozilla Foundation and Mozilla Corporation are respectively "another business" relative to each one's self, despite not being unrelated third parties.
The problem is not that Mozilla is actually selling user data (they're not in the sense that any layperson would understand "selling data" to mean), the problem is the way the California law is worded.
As usual, tech-illiterate politicians aren't even competent enough to write laws with the nuance and understanding required to not botch the entirely good and justified intention without pointing a loaded legal gun at the heads of the genuinely innocent. Think along the lines of the CFAA's legal risks to good-faith security researchers¹, or how the DMCA would technically criminalize discussion of how to decode Pig Latin if that was used as a copyrighted media protection technique.
So I've read the CCPA again, and I've realized that Mozilla may have made an error in quoting the relevant part of the law in their blog. This part they quoted:
> As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
Anyway even then I'm not sure if the Foundation would've been considered "another business", since "business" is defined first as any "legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners", which MoFo clearly doesn't do. There's the second definition, which might've covered the Foundation (since they control the Corporation which is covered by the first definition), but AFAIK the Corp doesn't share any consumer personal info back into the Foundation (if it does that would be concerning).
I was sitting here thinking everyone else was wrong under the assumption that almost nobody here actually tried to read and interpret that wording in the least generous way possible (i.e. how lawyers interpret everything), but I guess the joke's on Mozilla and I for reading the wrong version.
Your attention to detail here is exceptional and commendable. I used to feel that Mozilla's decision here was defensible and misunderstood, but it's now looking more like Mozilla and I are guilty of misunderstanding, after reviewing your claims here.
Thank you for having the patience to explain in such detail! Posts like yours here are part of the magic that elevates HN discussions over so many other forums on the web these days :)
The blog was written by product management, and most likely legal just generally told them that they got their justification from the CCPA's definition of sale, and the PR/marketing just searched for it and gave it to the blog post's author. Since Wikipedia is usually the first result in a search engine (and even has its own infobox), that's probably what they went with.
I've been using Firefox for the last 4+ years and it's been mostly fine. I have Chrome for the very occasional site that doesn't behave right, but they're few and far between (like maybe once a year).
Remember, the business model[1] of Brave Software, Inc. is various cryptocurrency schemes including the BAT currency ad scheme integrated into the Brave browser. Also, the CEO and co-founder of Brave Software, Inc. is Brendan Eich, a financial supporter[2] of the CA Proposition 8 same-sex marriage ban.
Brendan Eich is also the inventor of JavaScript and the former CTO of Mozilla.
While I don't support Prop 8 personally, I don't think we should judge technical products on political opinions of their author. You may think it's funny to advocate for bans and boycotts, until the other side does it too and we get a world split in 2 (or more).
There is nothing funny here at all. I'm so cynical about all of it that, as a many years long Brave user, I'm actively discouraging people from using it, because if Brave ever has enough users to be a problem for adtech, it will be destroyed. So if the crypto stink or ancient crimes against the progressive project can help forestall this for a few years, then at least they're good for something.
As for Eich and JavaScript; technically, I doubt more than 0.1% of working coders are fit to lace his boots. Myself included.
> While I don't support Prop 8 personally, I don't think we should judge technical products on political opinions of their author. You may think it's funny to advocate for bans and boycotts, until the other side does it too and we get a world split in 2 (or more).
Eh. It's one thing to not knowingly support a bad person, e.g. if they kept their opinions to themselves. But once an individual has made their positions crystal clear, it's a lot harder to morally support their innovations. Someone can do great work in tech, but if they are a known total piece of shit, I may/probably will avoid their products. I find a lot of tech-types try hard to decouple the humanity aspect from the innovation aspect - I presume this is a veiled attempt to get a "be an asshole" pass. Reality is people won't want to be around us if we suck as humans, no matter how much code any of us put down.
Brendan Eich was against Gay Marriage at the same time that Barack Obama himself was against Gay Marriage. A detail often forgotten in the rehashing of old grievances.
IMO, calling Brendan evil or bad is the kind of moral shortcut that Progressives love taking. A microcosm of the election, really: all the capable moderates were effectively canceled or marginalized by self-righteous radicals, who deemed that the only "good" candidate was someone who couldn't even win a primary.
The controversy was misinformation, and the parent post wasn't even what the controversy was. People thought FF had been doing it before. The reality is, as I understand, they just updated their terms to cover all possible legal issues - including that some things you command Firefox to do involves using your data.
> including that some things you command Firefox to do involves using your data.
Mozilla has never used the data you upload/send via Firefox to non-Mozilla websites (as it should be), and they shouldn't have that permission just as Epson the company shouldn't have the right to use for any purpose a paper marked as classified just because some fed employee sent a digital copy of it to an Epson printer.
And they don’t have that permission. Why is everyone skipping over the part of the sentence that specifies that this is only “for the purpose of doing as you request”. As you request! This is night and day to any other TOS I’ve ever read.
Seriously. Imagine the despair at Mozilla as no matter what they do, people they help and who support FOSS and privacy, tear them apart - seemingly out of habit, or like it's the cool thing to do.
"for the purpose of doing as you request" is still permission for using my own content, no matter how limited the scope they want to make it look like. It's not Mozilla Corp itself that is processing my inputs behind the scenes when I upload my photos to Imgur, is it? It's my own locally installed copy of Firefox.
See my reply to the other comment. They still have permission, and it doesn't matter how limited they try to scope it. It should be none because they have no business having a license over my own content I upload to non-Mozilla websites: https://news.ycombinator.com/item?id=43263232
Except for the specific cases where their Privacy Notice does give them permission to collect and sell user information, such as collecting information about what topics users are making search queries about.
Excerpts from the Privacy Notice that I have read, and attempted to get you to read:
> Mozilla processes certain technical and interaction data, such as how many searches you perform, how many sponsored suggestions you see and whether you interact with them. Mozilla's partners receive de-identified information about interactions with the suggestions they've served.
> Depending on your location, Mozilla derives the high level category (e.g., travel, shopping) of your search from keywords in that query, in order to understand the types and number of searches being made.
> Mozilla may also receive location-related keywords from your search (such as when you search for “Boston”) and share this with our partners to provide recommended and sponsored content.
Your claim "That data doesn't leave the user's computer" is simply not true. Mozilla isn't selling empty files to their advertising partners. The only true and valid defense you've put up for Mozilla in the past week is that they're trying to anonymize the data before they sell it, but that's not nearly as strong an argument as you seem to think it is.
> Nothing personal or valuable leaves your computer. Maybe the location queries, but I expect they are anonymized.
You said "That data doesn't leave the user's computer". It does. You may not consider it personal or valuable and may trust Mozilla's anonymization to be sufficient, but well-written privacy laws rightly do not grant Mozilla (or anyone less trustworthy than Mozilla) that kind of wiggle room.
This is high and mighty, but didn’t they fire the security team a year or so ago (couldn’t afford pay for higher-ups)? I like how everyone just memory-holed that part and moved on… why would you recommend that to anyone?
I have very high hopes for Ladybird as it's being developed, but it's not really fair to call it Tier 1 when it's pre-alpha stage and not really suitable for general use yet...
Brave is definitely not a 'tier 1' browser in any world. Their whole existence had been mired in controversy after controversy[1], lots of these incidents involving privacy and general shady behavior.
Arc is kind of promising, but I never really tried it after discovering that it's the only browser I've ever seen that requires (!) you to have an account with them. The obvious next question is 'what for?'
In short, we need to ditch Chrome, but what is the best alternative?