> Mozilla expects that the add-on limits data collection whenever possible, in keeping with Mozilla's Lean Data Practices and Mozilla's Data Privacy Principles, and uses the data only for the purpose for which it was originally collected.
There are a number of browser extensions maintained by antivirus companies that use security as a disguise to collect and monetize user data. It is time for Google and Mozilla to act on this issue and protect users from these predatory practices.
Benign extensions that are genuinely useful and don't have a company behind them do not get this treatment [1], they are blocked without preliminary contact with developers [2].
I want to second this sentiment and EXPLICITLY call out Mozilla.
I am the lead dev for a relatively small Firefox extension. We do not do ANY tracking.
We were rejected and removed for simply including the sdk for Microsoft outlook addins as a script in one of our html pages (we share the codebase for an outlook addon as well). This script is well documented and published by Microsoft.
I find the hypocrisy here staggering.
I know that Firefox gets a lot of love, particularly on HN because it feels like Mozilla is still a trustworthy company. I want to clearly express that I no longer believe this. They want addons in the store that they can use for marketing and sales. Period.
Thanks for posting this. I have had similarly odd experiences recently with the Firefox addon store, which my startup has been in since 2013. All of a sudden we got yanked, among other things because we modify third party libraries. Apparently we would have been fine if we did exactly the same thing but wrote the code ourselves, but since we used a library, and then modified it, we were in violation. To be clear, we provide all our source code in the review process, so it is 100% clear what we are doing. And we don't do anything that is remotely privacy- or security-compromising, which is very clear from the code.
We tried to understand this bizarre no-modifying-third-party-libraries policy and see how we could fix it, but they stopped responding and eventually even deleted our extension from the browsers where our users had previously installed it. (Even Apple doesn't do this when it yanks apps — only rarely, if there is proven bad behavior, will they pull an already-installed/paid-for app from a device.)
I happen to know a couple very high-up people at Mozilla, and one of them was able to flag our mistreatment, and the reviewers now seem to be walking back the previously-described global ban on modifying third-party libraries, but we're still not back in the addon store (it's been months).
The (alleged?) policy makes no sense to me, and I also don't understand why Mozilla is now blocking users from installing any addon that hasn't been blessed by Mozilla. I understand that they want to vet addons that are listed in their store, but they've assured me that users can't even install off our website unless Mozilla signs off. That seems very un-Mozilla-ish to me. What happened to the open web?
For the record, I used to love Mozilla/Firefox, and have used their browsers for decades. I now use Brave, both because of experiences like this one, and because it's much faster on my Mac.
This article, along with some other sites and my own digging made me leave Firefox for good. It's a good read if you value privacy and think Mozilla is the good guy in a field dominated by evil corporations. At first it might seem biased, but the author makes very good points and backs them up with tons of sources that can't be really argued - most of the article is reviewing privacy policies and terms of service agreements that are available publicly to check.
For now I'm sticking with Pale Moon, but I'm considering some other browsers like Ungoogled Chromium for my daily private and work use. Pale Moon feels kinda janky and old-school in a not good way. But it's fast and (with some minor tweaking: https://spyware.neocities.org/guides/palemoon.html) respects your privacy 100%.
Isn't this generally true of every extension/app/smart appliance? Everything wants to collect and sling your data on the side. Browser and phone vendors do try to protect users with permissions controls in addition to the store curation that you point out is imperfectly executed. How do you propose they enact a perfect system of vetting for the long tail of benign extensions?
Equally enforcing policies regardless of who's the publisher of an extension would be a good start.
This is how the Avast blocklisting request should have been handled:
- Immediately blocklist [1] the extension because it harvests personal data without user consent, notify Avast
- Offer to reenable the extension for the existing user base when Avast reaches out and stops data collection in an extension update
Because the extension was not blocklisted, but temporarily removed from the store, personal data was siphoned off without the consent of existing users for weeks, with the knowledge and implicit approval of Mozilla, until Avast released an update.
Users that have configured Firefox to update extensions manually may continue to use an extension version which steals personal data, despite Mozilla being capable of disabling those extension instances, and despite their recent commitment [2] to use blocklisting more proactively when an extension is circumventing user consent or control.
Mozilla did not respect its own policies and has put the interests of Avast before the privacy and safety of its users.
Well they could start by banning extensions that make the news for sending all of their visited urls to a third party.
Ultimately we need to give the user more control over what software on their system is doing. None of these entities (mozilla, google, apple, microsoft, amazon, facebook) can be trusted to act in our best interest
The article seems a little sensationalized, but even viewed in a generous light it's still downright creepy.
...clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others.
It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.
Although the data does not include personal information such as users' names, it still contains a wealth of specific browsing data, and experts say it could be possible to deanonymize certain users.
The article is actually rather generous, particularly when it says "could be possible to deanonymize certain users." Having done my own research on that [1], I would have formulated this as "allowed to deanonymize most users."
IIUC, porn is used as an example to highlight that these are very personal details that are being sold, and porn preferences are things people often fear leaking more than - for example - their financial data.
John Oliver, in his work on the NSA scandal had Snowden explain individual NSA programs based on "dick picks", to help people visualize and clarify the consequences of what otherwise is just generically described as "selling/stealing your data".
Why concentrate on intended use? More interesting is what, er, unanticipated value-add might be there.
Could a malicious actor create a blackmail-bot? It wouldn't even need to be that great - just something a little more believable than the "I took over your computer and videoed you masturbating" spam.
Could a more subtle, targeted blackmail operation involve this data? There is a lot of this sort of thing in politics.
We know PIs, bail-bonders and other folks on the fuzzy LE/commercial coercion industry line were heavy users of realtime cellphone tracking. I imagine the more creative ones have considered the value of these data pits, too.
Avast/Jumpshot data is bought by many marketing companies too and packaged as SEO tools, market research/analysis. They've been really proud to talk about their ability to collect all this data in the past [1]. But recently it became clear that all the data is stolen without user permission.
My dad had me remove Avast (that he paid for) from his laptop over Christmas because he started to get mailers based on his browsing activity. It literally locked up his computer for an hour uninstalling and giving prompts that would try to get you to accidentally cancel the uninstall.
Kind of amusing that this is currently the #2 story, while #1 is "Trust Is at the Core of Software Marketing".
If you had told me five years ago that I would stand up exfil monitors on my home network because commercial and criminal surveillance was so pervasive, I would have said that would be crazy talk. And yet here we are.
Basically, DNS logging forwards to a daemon I wrote that detects Base64/UU/other encodings in DNS requests and asks the network manager[1] to shut off connectivity to the client asking such questions. There is a volume-of-queries timer, and I have some other ideas to add to it.
I'm working on a TLS-inspecting proxy with squid and sslsplit, as I expect there's a lot to look at. I very much want to know if something emits any of various magic numbers - SSN, bank account numbers, address book entries, IMEIs, etc.
As far as more general blocking, I use parts of Pihole, which merges with some other data sources, to defeat DNS resolution for folks I don't want on my internet. And I use Maxmind's geoip data to generate iptables rules to block most of the world on public facing infra - my tiny user base is not in most of it.
I've often felt that antivirus software is like the rock that keeps the tigers away. I haven't used it since the AOL days, and that's also the last time I was actually hit with malware (something from Kazaa I would guess.)
It's also worth noting that every corporate IT department I've ever seen installs antivirus software on employee machines, so it must be good for something? I'm curious what the actual statistics are for caught viruses.
Antivirus was more necessary back in the days when firewalls and security elevation privileges were rarely enabled on consumer machines. But more modern security software has rather weakened the value proposition for AV, and they've started branching into areas that aren't really helpful at all and sometimes counterproductive (e.g., web browsing protection--your AV does a much, much worse job of validating TLS than browser vendors do).
Given the dirty things that AV does to "work" correctly, you can characterize modern AV as malware that tries to keep other malware out.
I don't think this is true. Generally, I think that privilege levels are a red herring, and that being able to get malware running at the privilege of the user installing it is sufficient; to the extent that this is changing, it's changing only recently.
I'd say that the problem with AV is that it has never worked at all; it's always been a "deck chairs on the Titanic" performative spot clean situation – at best, a smart team that reimages a machine with a confirmed "infection" can say they're using AV as a weak sort of host intrusion detection system.
AV or no AV, for as long as I can remember (back into the 1990s), if your desktop is "infectable", you're screwed. You'd think that the Summer of Worms would have confirmed that for everyone, but AV is an extremely powerful marketing product category, because of its built-in per-seat multiplier.
>It's also worth noting that every corporate IT department I've ever seen installs antivirus software on employee machines, so it must be good for something?
Yes, it absolutely is good for something. Antivirus software is excellent for making companies like McAfee highly profitable, and it's also really good for slowing down your computer.
The owners of Avast, two Czech guys, are ranked among the wealthiest Czechs ever. I mean one has a net worth over 1 billion USD, the other at least the same.
I had some respect for them some time ago, but these days their product is shit and worse than having nothing. Plus with Windows defender, who still actually pays for it?
For corporate IT, it’s a compliance requirement. It is the equivalent of putting a sign in the bathroom that says to wash your hands, only less effective. AV does almost nothing and costs almost nothing.
The newer products are different and more effective, and come with an appropriate price tag. (The Microsoft solution costs as much as O365!)
For those that might not understand the compliance requirement, PCI compliance is a good example. If you process credit card payments, you need to be PCI (Payment Card Industry) compliant. And PCI DSS Requirement 5.1 [1] states
>Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
So most enterprise companies have to have AV on their workstations and servers (yes, Mac and Linux too) in order to keep processing credit card payments.
> For corporate IT, it’s a compliance requirement. It is the equivalent of putting a sign in the bathroom that says to wash your hands, only less effective. AV does almost nothing and costs almost nothing.
Corporate IT at my previous employer even allowed and aided us in uninstalling the resource-hogging McAfee installation that comes default with a company machine. That stuff was crippling our machines.
Well... do you want to stand up in court some day and explain why you didn't install A/V software? It reduces risk, just maybe not the risk we expect it to.
Look at in Avast's privacy policy:
"Enable use of your personal data to create a de-identified data set that is provided to Jumpshot to build trend analytics products and services."[1]
Where does the "consent" mentioned there occur? They claim to be GDPR compliant; it has to be explicit and separate from other agreements.
Blocklisting the extensions would disable existing installations and stop ancillary data collection, which is prohibited by Firefox Add-on Policies.
https://extensionworkshop.com/documentation/publish/add-on-p...
[1] https://www.jeremiahlee.com/posts/page-translator-is-dead/
[2] https://www.ghacks.net/2019/11/05/mozilla-bans-all-extension...
It has been taken down occasionally, mostly months after the last version got released.
What annoys me most is that this happens out of the blue. There is no "pre-warning".
The last times this happened, we told our customers to use Chrome instead. Never had a problem with them.
But if the takedown really happens months after the last update, then that would mean malicious add-ons are left on AMO for months?
[1] https://blocked.cdn.mozilla.net
[2] https://blog.mozilla.org/addons/2019/05/02/add-on-policy-and...
> Some past, present, and potential clients include...
Keyword "potential".
Although, the subtitle does say
> Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.
[1] https://palant.de/2020/01/27/avasts-broken-data-anonymizatio...
[1] "Jumpshot Knows What You're Buying, Browsing, Searching" https://www.cmswire.com/digital-marketing/jumpshot-knows-wha...
I emailed some journalists about Jumpshot a few years back. It’s good that everyone now understands what is going on.
[1] I use Unifi gear, this will do you no good if you don't: https://github.com/Art-of-WiFi/UniFi-API-client
For prevention, limited roles/access and patching does all the heavy lifting.
Detection happens on the server and network side. Otherwise we are expecting a compromised device to know/report itself.
Remediation is a wipe and reload from known sources. When properly automated it is faster than running a full AV scan, and much more reliable.
Ding! Ding! Ding!
Does your company need to accept credit cards? Guess what? You must have AV as there are only two choices in a self assessment form:
[ ] Anti-virus and anti-malware software is deployed on all systems used by the company staff.
[ ] Anti-virus and anti-malware software is not deployed on all systems used by the company staff.
Selecting the 2nd makes one fail self-assessment, which in turn denies the company's ability to accept credit cards.
Security is a charade.
[1] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_...
[1] https://www.avast.com/privacy-policy