Bug 817014 - www-client/firefox-93.0 www-client/firefox-bin-93.0 search keylogging enabled for US users without opt-in.
Summary: www-client/firefox-93.0 www-client/firefox-bin-93.0 search keylogging enabled...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mozilla Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-09 00:23 UTC by Joe Kappus
Modified: 2021-11-10 13:41 UTC
CC List: 10 users

See Also:
Package list:
Runtime testing required: ---


Attachments
default settings in US (firefox-93.0-newuser.png, 96.98 KB, image/png)
2021-10-12 19:03 UTC, Ben Kohler

Description Joe Kappus 2021-10-09 00:23:18 UTC
Per Mozilla knowledgebase article https://support.mozilla.org/en-US/kb/navigate-web-faster-firefox-suggest, Mozilla is now logging search bar keystrokes and sending them to advertisers by default. Unlike the article mentioned, I've confirmed multiple users are being opted into this 'feature' without informed consent.

This is dark pattern behavior for which other bugs for other browsers have been opened and resolved (notably Bug #552298).

I don't know if we should address this by blocking 93, providing user education (spyware useflag?), or patching out the defaults and/or functionality. 

Other discussion of this issue: https://news.ycombinator.com/item?id=28804588
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-10-10 13:42:55 UTC
Why are you saying that this is happening without consent? The article you quoted mentions and shows a dialog where the user has to opt in.

Also, have you seen anything like that for Gentoo firefox yet? We are disabling Normandy which is probably blocking that roll-out, too.
Comment 2 Joe Kappus 2021-10-10 16:16:52 UTC
I confirmed with multiple US users that gentoo's firefox (both the bin and self compiled) is getting this enabled upon upgrade without any sort of dialog or notification to the user. As the kb article mentions, this is not opt-in anymore but a US default set in 93. That's why I am saying they did not provide informed consent. I found out about this through the HN submission I linked in my initial report and requested feedback from some gentoo IRC channels before filing this.

Please leave this open for comment. I will do some code digging to see what specifically is enabling this. It may be that it's gentoo's policy to not disable this. However, considering that this is unexpected behavior and the people I asked were surprised and annoyed to have it checked, it's either a bug (Mozilla provided no linux notification) or malicious, in which case users should receive some notification through portage that this may (depending on location) happen.
Comment 3 Joe Kappus 2021-10-10 20:55:32 UTC
Ok, here's all you need to know. Please review this single commit from upstream: https://github.com/mozilla/gecko-dev/commit/9a516aec93934a2fb4eba690b0257e94fb7113e1

This confirms that users in the US region with language set to en will be forcibly opted in without any notification upon upgrade. Alternatively, users may be opted in online through Nimbus (the "allow user experiments" option, if enabled).

However, for this report and this specific case, users are being opted in without prior knowledge. I do not believe I am being alarmist by stating that this is an online keylogger sending keystrokes to Mozilla's advertisers without the consent of their users. This is not controlled by the user's preference to opt-out of telemetry and it is not set by Normandy (yet).
Comment 4 Joonas Niilola gentoo-dev 2021-10-12 12:57:41 UTC
Hey, 

I can't reproduce this on firefox-93 or firefox-bin-93 with empty L10N, or with my own L10N. Can you show emerge --info and emerge -pv firefox{-bin}, and a screenshot of your "Privacy & Security -> Address Bar" view?

These are on empty profiles though.
Comment 5 Joe Kappus 2021-10-12 16:46:50 UTC
Joonas,

Correct me if I'm wrong, but you are in Finland? The conditions this must hit are 1. US region. *AND* 2. en language. 

In any case, the region detection code goes off a bunch of things including timezone and geoip, it is independent of L10N: https://searchfox.org/mozilla-central/source/toolkit/modules/Region.jsm
Comment 6 Joonas Niilola gentoo-dev 2021-10-12 16:52:13 UTC
I have a VPN with US/NA servers available. I'd really like to believe our Firefox doesn't sniff this much, but I guess there's more testing to be done.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2021-10-12 16:58:59 UTC
> Update, 10/12/21 11:49 am Eastern: As of Firefox 93’s release,
> Mozilla’s documentation stated that Firefox would be sending
> queries to Mozilla’s servers when Firefox Suggest’s contextual
> suggestions were enabled, as explained below. However, it appears
> that Mozilla did not properly explain how this feature worked.
> 
> Mozilla has since posted an update explaining that keystrokes
> (in other words, queries sent as you type) will not be sent to
> Mozilla with the default settings and that these “smarter suggestions”
> are instead an opt-in experience.
> 
> In other words, with Firefox 93’s default settings, Firefox will
> show you suggestions and ads—but it will source them from a local
> offline database in Firefox itself rather than sending your queries
> to Mozilla’s servers.

Note that Gentoo's firefoxes will not participate in any experiment which will get distributed via Normandy because we disable Normandy by default.

Closing as INVALID because the claim was wrong and that new feature is opt-in. See updated doc at https://support.mozilla.org/en-US/kb/navigate-web-faster-firefox-suggest for more details. There is also nothing left to do for us.
Comment 8 Joe Kappus 2021-10-12 17:52:50 UTC
Thomas,

Reopening as your reading comprehension was marked INVALID. Your claims are wrong and I will prove it. 

Per comment #3, this is *not* enabled through Normandy. I have linked the commit including the logic to set this change offline. If it wasn't clear enough, here is the specific offending code; scenario 1 is what I'm describing:

/**
 * Depending on certain conditions [1], possibly enables on the default prefs
 * branch the Firefox Suggest "offline" scenario, which means Firefox Suggest
 * (quick suggest) will be fully enabled by default without showing onboarding
 * and without sending data to Mozilla [2]. Users can opt out in the prefs UI,
 * which will set overriding prefs on the user branch. Note that values set
 * programatically on the default branch like this do not persist across app
 * restarts, so this needs to be called on every startup until these pref
 * values are codified in firefox.js.
 *
 * [1] Currently the conditions are: the user's home region must be US and
 * their locale must be en-*
 *
 * [2] In contrast, the "online" scenario sends data to Mozilla and requires
 * user opt-in via onboarding before Firefox Suggest is fully enabled.
 */
async maybeEnableOfflineQuickSuggest() {
  // `Region.home` is null before init finishes, so await it.
  await Region.init();
  if (
    Region.home == "US" &&
    Services.locale.appLocaleAsBCP47.substring(0, 2) == "en"
  ) {
    let prefs = Services.prefs.getDefaultBranch("browser.urlbar.");
    prefs.setBoolPref("quicksuggest.enabled", true);
    prefs.setCharPref("quicksuggest.scenario", "offline");
    prefs.setBoolPref("quicksuggest.shouldShowOnboardingDialog", false);
    prefs.setBoolPref("suggest.quicksuggest", true);
    prefs.setBoolPref("suggest.quicksuggest.sponsored", true);
  }
}
Comment 9 Joonas Niilola gentoo-dev 2021-10-12 18:50:31 UTC
Now now, there's no need to resort to insulting. That's usually just a sure way to get a bug / account locked. The information you provided afterwards is useful though.

I've read everything about it, and it's still hard for me to believe this. I've asked our fellow users in the US to check their Firefoxes, and I can continue tomorrow (in +12 hours) my own testing with VPN and a timezone change on my system. Since this truly is unbelievable, it takes a bit to verify, but we'll get there.
Comment 10 Ben Kohler gentoo-dev 2021-10-12 19:03:50 UTC
Created attachment 744624 [details]
default settings in US

Here is a screenshot of the default settings (brand new linux user) in the US
Comment 11 Joe Kappus 2021-10-12 19:24:21 UTC
Joonas,

Apologies for losing my patience with Thomas, but it is incredibly frustrating to have this bug dismissively and repeatedly closed when I've been doing my best to research this. 

Ultimately it's up to Gentoo devs to decide what to do in this and similar scenarios. Either way I'm stepping out from this report. No good will come from me commenting further.

Also, I updated the title of this bug to note it affects US users only so hopefully devs in other countries won't be as confused now.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2021-10-12 23:18:44 UTC
Joe, you first said, and that's also the summary of your bug, that Firefox will send data to Mozilla _without_ consent. That is _wrong_. _No user_ will end up with a Firefox submitting data _without_ consent.

At the moment, some specific users will get prompted for the new feature. But if you don't answer the prompt with "YES", nothing will change and you will not send any data to Mozilla.

So what do you want us to do here? I see nothing left to do for us since this feature is disabled by default.
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-12 23:24:36 UTC
(In reply to Thomas Deutschmann from comment #12)
> Joe, you first said and that's also the summary of your bug, that Firefox
> will send data to Mozilla _without_ consent. That is _wrong_. _No user_ will
> end up with a Firefox submitting data _without_ consent.
> 
> At the moment, some specific users will get prompted for the new feature.
> But if you don't answer the prompt with "YES", nothing will change and you
> will not send any data to Mozilla.
> 
> So what do you want us to do here? I see nothing left to do for us since
> this feature is disabled by default.

That doesn't seem to be consistent with iamben's screenshot above, unless I'm misunderstanding? He's saying it was like that by default/out of the box?
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-13 00:09:14 UTC
(In reply to Sam James from comment #13)
> (In reply to Thomas Deutschmann from comment #12)
> > Joe, you first said and that's also the summary of your bug, that Firefox
> > will send data to Mozilla _without_ consent. That is _wrong_. _No user_ will
> > end up with a Firefox submitting data _without_ consent.
> > 
> > At the moment, some specific users will get prompted for the new feature.
> > But if you don't answer the prompt with "YES", nothing will change and you
> > will not send any data to Mozilla.
> > 
> > So what do you want us to do here? I see nothing left to do for us since
> > this feature is disabled by default.
> 
> That doesn't seem to be consistent with iamben's screenshot above, unless
> I'm misunderstanding? He's saying it was like that by default/out of the box?

Especially given:
>   * Depending on certain conditions [1], possibly enables on the default prefs
>   * branch the Firefox Suggest "offline" scenario, which means Firefox Suggest
>   * (quick suggest) will be fully enabled by default without showing onboarding
>   * and without sending data to Mozilla [2]. Users can opt out in the prefs UI,
... and what the code actually seems to do?
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2021-10-13 00:23:44 UTC
I just tested it:

With an existing profile from previous version, you will get the prompt like shown in the Mozilla article on first launch after the upgrade.

With a new profile, I got a slightly different prompt when I used navbar for the first time (like you probably remember from Firefox ~5x series when auto-completion via search engines was added which is enabled by default for years now).

If you don't pay attention (especially when you are used to some default prompts) you may click the wrong button, which will enable that feature, but I see nothing actionable for us as it won't get enabled automatically for any user.
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-13 01:52:47 UTC
I've had several people check in the US who've noted the same as iamben (all said options enabled, not asked).

Additionally, I've found this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1729776 and indeed it even says:
"The Firefox Suggest offline scenario should be enabled by default for users in the US region using en builds. Both sponsored and non-sponsored suggestions should be enabled. No Firefox Suggest onboarding dialog should appear."
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-13 01:55:44 UTC
(In reply to Sam James from comment #16)
> I've had several people check in the US who've noted the same as iamben (all
> said options enabled, not asked).
> 
> Additionally, I've found this bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1729776 and indeed it even says:
> "The Firefox Suggest offline scenario should be enabled by default for users
> in the US region using en builds. Both sponsored and non-sponsored
> suggestions should be enabled. No Firefox Suggest onboarding dialog should
> appear."

Note that this is the _offline_ scenario and I have no idea what that entails (see https://hg.mozilla.org/mozilla-central/rev/14505a265fdf2e703f75bf7f51dbe50c0b13d882 too). But the options are still indeed checked on.
Comment 18 Hank Leininger 2021-10-13 02:53:18 UTC
(In reply to Thomas Deutschmann from comment #15)
> I just tested it:
> 
> With an existing profile from previous version, you will get the prompt like
> shown in the Mozilla article on first launch after the upgrade.

FWIW, not for me - launching firefox-93.0 for the first time since upgrading on Saturday using an existing profile, I got no prompt/popup, and the boxes were all enabled in "Privacy & Security -> Address Bar".  (I'm in the US, with LANG=en_US.utf8)
Comment 19 Ben Kohler gentoo-dev 2021-10-13 11:05:36 UTC
(In reply to Thomas Deutschmann from comment #15)
> I just tested it:
> 
> With an existing profile from previous version, you will get the prompt like
> shown in the Mozilla article on first launch after the upgrade.
> 
> With a new profile, I got a slightly different prompt when I used navbar for
> the first time (like you probably remember from Firefox ~5x series when
> auto-completion via search engines was added which is enabled by default for
> years now).
> 
> If you don't pay attention (especially when you are used to some default
> prompts) you maybe click the wrong button which will enable that feature but
> I see nothing actionable for us like it won't get enabled automatically for
> any user.

I just tested it as well; I do not get any prompt on existing or new profiles.
Comment 20 Georgy Yakovlev archtester gentoo-dev 2021-10-13 17:41:21 UTC
US user.

L10N is not set (the empty/default)

checkbox enabled by default on existing and new profiles.

no prompts whatsoever.
Comment 21 Ben Kohler gentoo-dev 2021-10-13 20:15:09 UTC
Is it possible that our gentoo customizations to the firefox setup are suppressing the new prompt by mistake?
Comment 22 cyrillic 2021-10-14 15:42:00 UTC
Just adding a "me too"
I did not see any notification when this feature was enabled.

I plan on leaving this enabled, but it would have been nice to know about.
Comment 23 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-10 06:28:13 UTC
Ping. Can't we just turn it off using customization? Multiple people have verified it's on for them without consent.
Comment 24 Thomas Deutschmann (RETIRED) gentoo-dev 2021-11-10 13:41:12 UTC
In short: No (not at this point and current state of implementation).

There is so much FUD around this topic and I don't know where to start to correct things.

The claim that Mozilla Firefox is sending keystrokes for *any* user without opt-in to their servers is wrong. If you believe this is the case please create a video showing that you are using a new profile and capture network traffic showing such a transmission (which would be a big deal if true).

Regarding the "Firefox Suggest" feature, I recommend reading the source code and getting familiar with the implementation. The feature currently consists of 3 states:

> a) history
>    This is the scenario when the user is not in any rollouts. Firefox
>    Suggest suggestions are disabled.
> b) offline
>    This is the scenario for the "offline" rollout. Firefox Suggest
>    suggestions are enabled by default. Search strings and matching keywords
>    are not included in related telemetry. The onboarding dialog is not
>    shown.
> c) online
>    This is the scenario for the "online" rollout. The onboarding dialog will
>    be shown and the user must opt in to enable Firefox Suggest suggestions
>    and related telemetry, which will include search strings and matching
>    keywords.

State a, "history", is the default state for all users at the moment.

Maybe state b, "offline", which gets enabled in the US, is confusing: it will cause some checkboxes to appear, creating the impression that this feature is fully enabled. But even in this mode, no data is leaving your system and being sent to a Mozilla service (again: if you believe this is wrong and data is already being sent, create a video and network capture; if true, this would be big).

Only in state c, "online", which will always be opt-in, i.e. causing the dialog I mentioned before, will data be sent to a Mozilla service.

But please stay calm:
Even in "online" mode, the service works like the Google/Amazon/bing/Wikipedia or any other pre-installed search engine suggestion feature, which has been auto-enabled for years and which we aren't patching (and which probably has less user-friendly privacy terms than Firefox Suggest). And that's why we are probably never going to add special handling for Mozilla Suggest (unless the feature really develops into a privacy disaster, which, according to the current status, cannot be assumed).
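The following is an added example, not code from Mozilla or the Gentoo ebuild: it models the default-branch logic quoted in comment 8, the user-branch overrides that a profile's prefs.js carries, and the three scenarios listed in comment 24, so a profile can be audited for whether Firefox Suggest is effectively on and whether its scenario is the one that sends typed queries. The baseline pref values before the startup hook runs and the gating of each suggestion type on `quicksuggest.enabled` are assumptions.

```javascript
// Added example, not Mozilla's or Gentoo's code: models the default-branch
// logic quoted in comment 8 plus user-branch overrides and the comment 24 scenarios.
// Assumed baseline before the startup hook runs: scenario "history", nothing on.
const BASELINE_DEFAULTS = {
  "browser.urlbar.quicksuggest.enabled": false,
  "browser.urlbar.quicksuggest.scenario": "history",
  "browser.urlbar.quicksuggest.shouldShowOnboardingDialog": true,
  "browser.urlbar.suggest.quicksuggest": false,
  "browser.urlbar.suggest.quicksuggest.sponsored": false,
};
// Same condition as maybeEnableOfflineQuickSuggest(): home region US, locale en-*.
function offlineDefaults(region, locale) {
  const defaults = { ...BASELINE_DEFAULTS };
  if (region === "US" && locale.substring(0, 2) === "en") {
    Object.assign(defaults, {
      "browser.urlbar.quicksuggest.enabled": true,
      "browser.urlbar.quicksuggest.scenario": "offline",
      "browser.urlbar.quicksuggest.shouldShowOnboardingDialog": false,
      "browser.urlbar.suggest.quicksuggest": true,
      "browser.urlbar.suggest.quicksuggest.sponsored": true,
    });
  }
  return defaults;
}

// user_pref("name", value); lines in a profile's prefs.js form the user branch,
// which is what unticking a box under Privacy & Security -> Address Bar writes.
function parseUserPrefs(prefsJs) {
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/gm;
  const out = {};
  for (let m; (m = re.exec(prefsJs)) !== null; ) out[m[1]] = JSON.parse(m[2]);
  return out;
}

// User branch overrides the default branch, as the quoted doc comment states.
function auditProfile(prefsJs, region, locale) {
  const p = { ...offlineDefaults(region, locale), ...parseUserPrefs(prefsJs) };
  // Assumption: a suggestion type is active only if the feature switch and its box are both on.
  const on = (k) => p["browser.urlbar.quicksuggest.enabled"] && p[k];
  const anyActive = on("browser.urlbar.suggest.quicksuggest") ||
    on("browser.urlbar.suggest.quicksuggest.sponsored");
  return {
    scenario: p["browser.urlbar.quicksuggest.scenario"],
    suggestionsActive: anyActive,
    sponsoredActive: on("browser.urlbar.suggest.quicksuggest.sponsored"),
    sendsQueries: anyActive && p["browser.urlbar.quicksuggest.scenario"] === "online",
  };
}
// Constructed sample prefs.js: a US/en user who unticked both boxes.
const SAMPLE_OPTED_OUT = `user_pref("browser.urlbar.suggest.quicksuggest", false);
user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
`;
for (const [prefs, region] of [["", "US"], [SAMPLE_OPTED_OUT, "US"], ["", "DE"]])
  console.log(region, auditProfile(prefs, region, "en-US"));
```

Point it at a real profile's prefs.js to see which boxes a user has explicitly turned off; an empty user branch for a US/en profile is exactly the "enabled, no prompt" state several commenters report.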