Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?<p>The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts-in on studies.
Previously:<p>* <a href="https://news.ycombinator.com/item?id=15921134" rel="nofollow">https://news.ycombinator.com/item?id=15921134</a><p>This is a link to the GitHub issue:<p>* <a href="https://github.com/gregglind/addon-wr/issues/36" rel="nofollow">https://github.com/gregglind/addon-wr/issues/36</a><p>There are several scary things about this:<p>- Unknown Mozilla developers can distribute addons to users without their permission<p>- Mozilla developers can distribute addons to users <i>without their knowledge</i><p>- Mozilla developers themselves <i>don't realise the consequences of doing this</i><p>- Experiments are not explicitly enabled by users<p>- Opening the addons window <i>reverts configuration changes which disable experiments</i><p>- The only way to properly disable this requires fairly arcane knowledge Firefox preferences (lockpref(), which I'd never heard of until today)
Looks like it's a promo for Mr Robot, which is really not ok.<p>> What's happening?
Are you a fan of Mr Robot? Are you trying to solve one of the many puzzles that the Mr Robot team has built? You’re on the right track. Firefox and Mr Robot have collaborated on a shared experience to further your immersion into the Mr Robot universe, also known as an Alternate Reality Game (ARG). The effects you’re seeing are a part of this shared experience.[0]<p>EDIT: looking at this[1] comment, perhaps it's not a promo?<p>[0]: <a href="https://support.mozilla.org/en-US/kb/lookingglass" rel="nofollow">https://support.mozilla.org/en-US/kb/lookingglass</a>
[1]: <a href="https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_looking_glass/dr6fiaz/" rel="nofollow">https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...</a>
This happened to me yesterday, so I looked for it.<p>The Extension actually does nothing, but invert (make them upside down) a few words on specific sites.<p>It's an experiment called "PUG ARG" to check whether page contents sniffing works. Its page doesn't reference any Bugzilla issue or Wiki page, while <a href="https://wiki.mozilla.org/Firefox/Shield/Shield_Studies/Queue" rel="nofollow">https://wiki.mozilla.org/Firefox/Shield/Shield_Studies/Queue</a> doesn't list it.<p>The source code references <a href="https://support.mozilla.org/kb/lookingglass" rel="nofollow">https://support.mozilla.org/kb/lookingglass</a>, which (as of now) only says "test - 12817".<p>The add-on tests whether specific words can be detected on sites; the current list has nice picks like "revolution" and "privacy". Of course, this is only a test, but in the future Firefox might look for specific terms in the pages you load and do specific things based on them.<p>The other thing it's doing is to send an extra header to three specific sites: <a href="https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b089405ca96fc68b999d2b624ef4/addon/webextension/background.js#L52" rel="nofollow">https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b0894...</a>. I suppose the words and the domain are a reference to the Mr. Robot series.<p>The add-on describes itself as an "Augmented Reality Game Experience" and was made by a certain "PUG Experience Group": <a href="https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b089405ca96fc68b999d2b624ef4/package.json" rel="nofollow">https://github.com/gregglind/addon-wr/blob/da464ac8f1c3b0894...</a>.<p>Of course, Shield Studies are supposed to be a way of making "more informed product decisions based on actual user needs".<p><a href="https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_looking_glass/" rel="nofollow">https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_loo...</a>
1) Mozilla uses weird, spooky language in an add-on.<p>2) Users are justifiably concerned.<p>3) Mozilla explains that the add-on is actually anodyne; the developers responsible were having fun with an opt-in research service.<p>4) Some users try to justify their initial overreaction by painting Firefox as mysterious, dangerous entity, fabulating conspiracy theories about one of the most forthright and open OSS companies in the world.<p>Really, guys. If Mozilla was hellbent on invading your privacy, do you really think they would proudly entitle their tracker "Looking Glass". Or would they call it debugservice_1223?
In the Preferences, scroll down to "Data Collection and Use", and disable <i>everything</i>.<p>I know that you only need to need to turn off "install and run studies", but this has now cost Mozilla all telemetry data from me, and I encourage everyone to do the same.
What the fuck Mozilla? You can't just sideload extensions that are <i>literally ads</i>. There is no universe in which this is even a little bit okay.<p><a href="http://qutebrowser.org/" rel="nofollow">http://qutebrowser.org/</a>
Go to settings, look in Firefox Data Collection and Use.<p>Why are these turned on automatically? Plus, I turned mine off, and now they're back on again, with this looking junk installed.<p>What the heck Mozilla? What happened to caring about the users? We definitely can't trust Mozilla anymore.
Out of <i>literally</i> all the software vendors I know, including the one I'm working for, Mozilla is the one I'd have least expected to allow such a thing. I'm very surprised (Negatively, needless to say)
Mozilla Firefox installer is signed by a code-signing certificate. But at the very end it means nearly nothing: if the developer cannot be trusted, no amounts of certificates, green bars, smart screens, stores and walled gardens can fix that.<p>That's a very important point to grasp, as I hear a lot of voices nowadays claiming that the modern security model (read walled gardens of all kinds) is the universal panacea.<p>Just the opposite, it brings a false sense of security making you more vulnerable. It also tends to inhibit a healthy and free market competition when a lot of potentially good software suppliers are gated off from the walled gardens from the start.
Somewhat tangential to this particular issue, but this is a good lesson for developers in why you should be dry and explicit in your writing.<p>Sure `alert("FFFUUU WHY U NO WORK");` keeps you entertained for 5 minutes while you debug a problem but when that accidentally gets to prod...
HOLD THE PHONE<p>The support thread links to <a href="https://support.mozilla.org/en-US/kb/lookingglass" rel="nofollow">https://support.mozilla.org/en-US/kb/lookingglass</a>.<p>That page says, in a clearly delineated box,<p>> <i>No changes will be made to Firefox unless you have opted in to this Alternate Reality Game.</i><p>PLEASE EXPLAIN THIS INCONSISTENCY.
Ffs .. I've just checked my addons b/c of the headline and sure enough it has been installed against my will.<p>I've been very loyal to mozilla over all these years but this really is not ok. If they keep doing shit like this I'll switch to a fork.
I just wanted to add a few things.<p>1. I notice it yesterday, only because Avast was showing I have a low trust level Add-On installed in Firefox.<p>2. I googled it, and the first results was from Mozilla, showing it was part of their studies and experiment.<p>3. That was Ok, because I trust Mozilla, although somewhere in the back of my mind I thought every studies were supposed to be opt-in, since I have a few Add On installed in the week and I dont restart my browser, I thought i might have clicked it by mistake.<p>4. Now I am reading this through, I am more then worried. If I am reading the online comment correctly, Mozilla installed an Add On without user permission, enabled, collected data, and not for their own UX studies but a third party.<p>And to make the matter worst, that Add-On is now gone. It disappeared in my Add on Screen now I just check. Call me old fashion but that is not how i view privacy.<p>Like I said before, Mozilla's management and culture has a tendency of self destruction and messing things up right after they start being good. Still this is turning around much quicker then I thought.
If they state as an explicit principle that no addons/studies are actually enabled unless the user opted in, then I’m going to give them the benefit of the doubt that <i>if</i> that happened to users that did not opt in, it was a terrible mistake (I.e a bug).<p>I can tolerate bugs, much more than I can tolerate sneaky app behavior. But I hope the statement about explicit opt-in will be repeated, and this will be explained.<p>At first I thought it must have been users that explicitly had opted in, but with so many users claiming they haven’t, it seems unlikely.<p>The next possibility is that preview versions have things opt-out instead of opt in (because in preview versions you need more data from users - typical for closed alphas etc) - <i>but</i> then this should be very clearly explained on download/install.
Mozilla can't stop doing crap like this. I love the engineering behind it and thr tech but I don't want any of your shenanigans. This makes me affraid to update.
I like Mozilla a lot. And this extension doesn't really bother me, since it's benign.<p>But oh boy, do they have a talent for always doing benign and harmless things that look bad at first glance. It's almost like they want to turn away typical messaging board users.
Menu > Options > Privacy & Security > untick Allow Firefox to install and run studies<p>I deliberately kept that enabled initially but if they're going to use it for Adware..
While I agree that releasing this as an undocumented extension was a poor PR move, in practical terms, I don’t see how this is any more insidious than the ‘no internet’ dinosaur jumping game built in to chrome.<p>Both are first-party. The difference seems to be that the dinosaur game keeps you entertained, where as this hopes to promote awareness of privacy/security.
FF 57 installed from Debian unstable repository has "Data reporting is disabled for this build configuration" - which disabled, in theory, the shield "studies" as well. I don't know who made this decision at Debian, but thank you.
And this is one of the reasons I stopped my yearly donation to the Mozilla foundation even if I love the new FF.
If they need money so badly they should push their donation campaign and keep their products clean instead of pushing some shady alliances with big corporations.
So, a lot of people in this thread are saying that Mozilla is a non-profit. There are in fact two Mozillas. One is the Mozilla Foundation, which is the non-profit. They are not involved with Firefox development, as I understand it. The Mozilla Corporation, which I think is owned by the non-profit, does the development. I think the foundation just does cute videos and outreach and other things not directly related to writing software. I also understand that if you donate money to the Mozilla foundation, the money would not make it to Mozilla corp and thus would not pay for the salary of any Firefox hacker.<p>I've never quite understood how exactly does this financial arrangement work and I would be grateful to anyone who could explain this to me.
I don't remember if this is opt-in or not, but I do not have it in my Firefox. Maybe I just removed it myself immediately after first install, when I went through to update all of the privacy and other browser settings.<p>I agree that it seems like a crappy extension, and people should be upset about things being preloaded to their browser.<p>But there's a point here to be made, that if you're concerned about privacy at all today, you need to look at the settings of any software after you install it. It doesn't matter how much previous trust you have for the developers. This should just be default behavior so that any surprise is met immediately, and not after any damage it could perform has been done.
Didn’t I see something on here recently about Mozilla increasing its revenue significantly? [0] ;)<p>[0] <a href="https://news.ycombinator.com/item?id=15880565" rel="nofollow">https://news.ycombinator.com/item?id=15880565</a>
Anyone know how I can turn off Firefox sending technical details and interactions?<p>Everytime I turn this off, and restart FF it's on again.<p>58.0b11
Doesn't bother me at all - I am fully acclimated to the idea that the browser and other applications <i>do</i> run arbitrary A/B test and other code all the time.
I switched to waterfox for quite awhile.
I've lost trust in mozilla when they bundled "Pocket" and people then didn't think much of it.
When you lose ability to control the browser its no longer a fair game. Bundling addons, changing settings, ads and "enhancements" no one asked for, all eroded trust.
Not to mention its aping Chrome more and more each version.
We need more firefox forks, not less. Chrome has dozens, because the privacy threat from google is obvious: firefox hdoesn't have that much forks,because its trusted by distro makers to be safe(but its not, as mozilla just proved).
People are upset when this implicit assumption that Firefox is the only browser(among modern graphical browsers) you can trust is actually false.
There is more information on this Reddit post:<p><a href="https://www.reddit.com/r/firefox/comments/7jvm2t/this_looking_glassmr_robot_sht_really_psses_me_off/" rel="nofollow">https://www.reddit.com/r/firefox/comments/7jvm2t/this_lookin...</a>
Better yet, it appears that these "studies" (read: Mozilla pushing addons to your browser without notification or permission) are default opt-out.<p>Will they stop doing it? Of course not. I can't recall any time that this company has changed course in response to outcry.
TechCrunch and Gizmodo just picked up the story:<p><a href="https://techcrunch.com/2017/12/15/mozillas-mr-robot-promo-backfires-after-it-installs-firefox-extension-without-permission/" rel="nofollow">https://techcrunch.com/2017/12/15/mozillas-mr-robot-promo-ba...</a><p><a href="https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-into-firefox-1821332254" rel="nofollow">https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-...</a><p>Also AFAIK the second link has the first official response of any kind? "A representative told Gizmodo the company is looking into the issue."
It's a PR disaster from Mozilla. I was once a Mozilla rep and I'm ashamed of this. Studies like these should always be turned off by default and the user can opt in voluntarily. But launching Firefox and digging into the preferences to find that I'm enrolled into some studies by default is unethical for me. Sadly, I'll have to switch to Brave or some other privacy concerned browser until I see an official statement and action from Mozilla. I'm sure the management there have something to do with all of this.
Big Browser is watching. Browse freely with Firefox.<p><a href="https://pbs.twimg.com/media/DDsLeqvV0AE1k-2.jpg" rel="nofollow">https://pbs.twimg.com/media/DDsLeqvV0AE1k-2.jpg</a><p>The hypocrisy is amazing.
I actually discovered this because my browser would not stop running at 100% cpu utilization about 3 days ago, not doing anything, just sitting at Google.com with one tab open. It freaked me out because I couldn't find any documentation on the extension. Once removed Firefox was running fine again. I guess I'm relieved to know it wasn't some malware or something more sketchy, but I am wondering what it was doing pegging my cpu at 100% whenever my browser was open...
The best way to disable these things is to go to about:config, search and delete/replace all mozilla urls. For this particular case, the api url is probably in "extensions.shield-recipe-client.api_url" [0]<p>[0] - <a href="https://dxr.mozilla.org/mozilla-central/source/browser/extensions/shield-recipe-client/bootstrap.js" rel="nofollow">https://dxr.mozilla.org/mozilla-central/source/browser/exten...</a>
Once again saved by <a href="https://github.com/pyllyukko/user.js" rel="nofollow">https://github.com/pyllyukko/user.js</a>
I just checked my installation of Firefox and this addon was present as well. The developers involved (Greg Lind et al) should acknowledge this and apologize.
I checked out FF for the zillionth time the other week after the Quantum release hoping to love it, but the deep Pocket integration was just too offputting. Turning it off requires some Googling. There were other irritating commercial things too. It’s a shame. FF is probably the most important open source project in the world and it’s a shame they do stuff like this. I’m still on Chrome :(
From the wikipedia article. linked in the ticket<p>> Shield Studies are available on all channels. Individual studies can be opt-out or opt-in and any and all data being collected will be declared openly. After confirming willingness to participation, a self expiring add-on will be installed on the user's machine.<p>Mozilla is only installing an experimental feature ass an add-on if they opt in.
What I really do not understand is why this game thing was installed automatically given that websites can ask the user to install an extension when they land on a webpage. A popup that is part of Firefox shows up and asks the user if he really wants to install it.
Is the "Unknown" part in the title really unknown, or just Mozilla trying to protect its developer(s) from pitchforks? If it's really "unknown", then that's the really concerning part.
I haven't noticed this extension sending data to outside services. Did somebody find if/where it does that? If it is sending personal or browsing-related data out, we can flood the servers with garbage.
Posted here a few days ago about how Mozilla being for-profit joined at the hip with a non-profit seems kind of shady, and got dogpiled for it. Then they do this as a tie-in for Mr. Robot.<p>Vindication!
I use Firefox 58 beta developer edition in the USA and this extension didn't install automatically...<p>Maybe the government need to start sponsoring Mozilla so that they stop doing things like this.
This is disappointing rather. When Mozilla spent $$ in advertising Firefox Quantum in the internet media articles, they could have mentioned this at least somewhere in them.
I've been seeing the YouTube logo inverted recently. I wonder if this has something to do with it. If so. I'm done with Firefox. I've used it since it was Netscape in 1996. Enough is enough.
<a href="https://support.mozilla.org/en-US/kb/lookingglass" rel="nofollow">https://support.mozilla.org/en-US/kb/lookingglass</a><p><i>The Mr. Robot series centers around the theme of online privacy and security. One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.</i><p>...which you've done by installing a fishy-looking addon without our permission and making us less likely to trust you?<p>Well-done, Mozilla.
This is what it looks like: <a href="https://imgur.com/a/mriUw" rel="nofollow">https://imgur.com/a/mriUw</a><p>It scared the hell out of me! Are these guys losing their minds?<p>It was reported as a bug and the response thus far is indeed underwhelming for such a severe issue: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1424977" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1424977</a>
Having issues with your extra? Beginning with Firefox 57 (in discharge), just additional items manufactured utilizing WebExtensions APIs, the new innovation for Firefox expansions will work.
Just checked and saw the Looking Glass add-on installed on my work laptop.<p>I've uninstalled Firefox and will be removing it from all of my computers. I had just started slowly migrating back to it with the performance enhancements in the latest update, but honestly I don't think I can get past a breach of trust at this level.