New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Google Analytics is used to track users. #2785

Closed
ghost opened this Issue Jul 12, 2017 · 33 comments

Comments

@ghost

ghost commented Jul 12, 2017

Describe the problem and steps to reproduce it:

Google Analytics is used on the about:addons site while browsing not installed AddOns.

What happened?

It's tracking users and giving data to google directly without any consent.


EDIT from @kumar303: Mozilla has a legal contract with Google that prevents them from using our Google Analytics data for mining or from sharing it with third parties, among other privacy-protecting provisions.


What did you expect to happen?

No tracking anywhere in a browser that advertises with privacy.

Anything else we should know?

Yes, remove all tracking everywhere. (General Bug)

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

As I mentioned in #1107: we will not be removing analytics support entirely. It is extremely useful to us and we have already weighed the cost/benefit of using tracking.

That said, I think we should only be enabling tracking for users who have opted-in to sharing their data usage in Firefox. I'd guess respecting the Telemetry checkbox (https://www.dropbox.com/s/blcumfu2vzrvt9f/Screenshot%202017-07-12%2014.13.00.png?dl=0) would work. Or maybe having a new checkbox if piggy-backing on that one is problematic from a legal perspective.

Member

tofumatt commented Jul 12, 2017

As I mentioned in #1107: we will not be removing analytics support entirely. It is extremely useful to us and we have already weighed the cost/benefit of using tracking.

That said, I think we should only be enabling tracking for users who have opted-in to sharing their data usage in Firefox. I'd guess respecting the Telemetry checkbox (https://www.dropbox.com/s/blcumfu2vzrvt9f/Screenshot%202017-07-12%2014.13.00.png?dl=0) would work. Or maybe having a new checkbox if piggy-backing on that one is problematic from a legal perspective.

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

Actually, @muffinresearch pointed out we could probably just observe Do Not Track here, because this pane is actually a web page loaded in an iFrame inside the browser page. That might be faster to ship. Just thinking aloud 😄

I'm definitely for giving users the option to disable this.

Member

tofumatt commented Jul 12, 2017

Actually, @muffinresearch pointed out we could probably just observe Do Not Track here, because this pane is actually a web page loaded in an iFrame inside the browser page. That might be faster to ship. Just thinking aloud 😄

I'm definitely for giving users the option to disable this.

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

Wanted to address your position though:

We don't give the "data directly to Google". See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=858839. The short version is:

tl;dr: We now have an option to opt-out of Google doing anything with the data that Google Analytics collections on Mozilla websites. GA tracking is anonymous and at the aggregate level and we use it to improve the experience of our websites.

We are collecting aggregate and non-identifiable data in numbers to ensure our development/UX changes are met well. We can respect privacy and still have analytics; in fact Mozilla's aim is for an experience that values user privacy and usability (I'd say Apple also wants UX that fits that mold, as an example). We need some data, anonymised and aggregated, to do this.

Member

tofumatt commented Jul 12, 2017

Wanted to address your position though:

We don't give the "data directly to Google". See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=858839. The short version is:

tl;dr: We now have an option to opt-out of Google doing anything with the data that Google Analytics collections on Mozilla websites. GA tracking is anonymous and at the aggregate level and we use it to improve the experience of our websites.

We are collecting aggregate and non-identifiable data in numbers to ensure our development/UX changes are met well. We can respect privacy and still have analytics; in fact Mozilla's aim is for an experience that values user privacy and usability (I'd say Apple also wants UX that fits that mold, as an example). We need some data, anonymised and aggregated, to do this.

@dertuxmalwieder

This comment has been minimized.

Show comment
Hide comment
@dertuxmalwieder

dertuxmalwieder Jul 12, 2017

We now have an option to opt-out

Privacy: Option to opt-in.

Anti-privacy: Option to opt-out.

dertuxmalwieder commented Jul 12, 2017

We now have an option to opt-out

Privacy: Option to opt-in.

Anti-privacy: Option to opt-out.

@sleeksorrow

This comment has been minimized.

Show comment
Hide comment
@sleeksorrow

sleeksorrow Jul 12, 2017

Without elaborating on opt-in or opt-out, there is one clear fact: A user that has telemetry disabled has clearly stated that he does NOT want to "Share performance, usage, hardware and customisation data about your browser with Mozilla". https://support.mozilla.org/en-US/kb/share-telemetry-data-mozilla-help-improve-firefox

If you do this add-on tracking despite this option is turned off, this is a clear breach of trust. If I have this option off, then I expect that exactly such a tracking of usage and customisation like described above is NOT happening.

sleeksorrow commented Jul 12, 2017

Without elaborating on opt-in or opt-out, there is one clear fact: A user that has telemetry disabled has clearly stated that he does NOT want to "Share performance, usage, hardware and customisation data about your browser with Mozilla". https://support.mozilla.org/en-US/kb/share-telemetry-data-mozilla-help-improve-firefox

If you do this add-on tracking despite this option is turned off, this is a clear breach of trust. If I have this option off, then I expect that exactly such a tracking of usage and customisation like described above is NOT happening.

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Jul 12, 2017

Still code from a service you don't control is running on this site. You never know when Google changes anything there or get's hijacked at this point. (Which is a very good target btw.)

ghost commented Jul 12, 2017

Still code from a service you don't control is running on this site. You never know when Google changes anything there or get's hijacked at this point. (Which is a very good target btw.)

@sleeksorrow

This comment has been minimized.

Show comment
Hide comment
@sleeksorrow

sleeksorrow Jul 12, 2017

(Since the comment I replied to has been deleted, I quote it without username):

If you do this add-on tracking despite this option is turned off, this is a clear breach of trust.

Not really, Google Analytics does not share with Mozilla. (But with Google which, in turn, shares with Mozilla. But technically that's not the same thing.)

Agreed, a laywer could take this route to defend that in court. But somehow I doubt that it is benefiting that Mozilla users need lawyers to be able to decide if they can trust the options they set in Firefox or if there is some legal way for Mozilla to do what they stated they do not want.

sleeksorrow commented Jul 12, 2017

(Since the comment I replied to has been deleted, I quote it without username):

If you do this add-on tracking despite this option is turned off, this is a clear breach of trust.

Not really, Google Analytics does not share with Mozilla. (But with Google which, in turn, shares with Mozilla. But technically that's not the same thing.)

Agreed, a laywer could take this route to defend that in court. But somehow I doubt that it is benefiting that Mozilla users need lawyers to be able to decide if they can trust the options they set in Firefox or if there is some legal way for Mozilla to do what they stated they do not want.

@Johann-Tree

This comment has been minimized.

Show comment
Hide comment
@Johann-Tree

Johann-Tree Jul 12, 2017

We don't give the "data directly to Google".

When using Google Analytics, the data is saved on a server owned by Google, right? Then the data is given directly to Google. And I do not want that.

Johann-Tree commented Jul 12, 2017

We don't give the "data directly to Google".

When using Google Analytics, the data is saved on a server owned by Google, right? Then the data is given directly to Google. And I do not want that.

@k00ni

This comment has been minimized.

Show comment
Hide comment
@k00ni

k00ni Jul 12, 2017

Why not using a Piwik hosted by Mozilla instead of Google Analytics?

k00ni commented Jul 12, 2017

Why not using a Piwik hosted by Mozilla instead of Google Analytics?

@pwd-github

This comment has been minimized.

Show comment
Hide comment
@pwd-github

pwd-github Jul 12, 2017

Various users have probably opted in to Telemetry not knowing that also means opting into Google Analytics. Given that Mozilla released the billboard "Big Browser is watching" it's beyond disappointing that they would contribute to the very thing they're calling Google out on without first notifying users of the fact or giving users the option to opt out.

pwd-github commented Jul 12, 2017

Various users have probably opted in to Telemetry not knowing that also means opting into Google Analytics. Given that Mozilla released the billboard "Big Browser is watching" it's beyond disappointing that they would contribute to the very thing they're calling Google out on without first notifying users of the fact or giving users the option to opt out.

@justjanne

This comment has been minimized.

Show comment
Hide comment
@justjanne

justjanne Jul 12, 2017

Who is legally responsible for this feature (Name, Corporation, Address)? This is a clear violation of the opt-in requirement for tracking that the EU Cookie Directive (which handles all kinds of tracking) sets, and it seems like I’d have to go the legal route, considering that the suggested "fix" doesn’t fix anything.

justjanne commented Jul 12, 2017

Who is legally responsible for this feature (Name, Corporation, Address)? This is a clear violation of the opt-in requirement for tracking that the EU Cookie Directive (which handles all kinds of tracking) sets, and it seems like I’d have to go the legal route, considering that the suggested "fix" doesn’t fix anything.

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

Let's clear a few things up:

  1. Right now the about:addons page loads an iFrame with content hosted on a Mozilla website ("The Discovery Pane"). This page contains Google Analytics. Because we don't allow add-ons to run on about:* pages, add-ons that would block GA don't work here.
  2. Opting in to Telemetry doesn't mean opting in to GA. I was proposing using that feature as a possible signifier the user is okay with sending usage data to Mozilla. That's not currently the case.
  3. Our agreement with Google Analytics means our data is aggregated and anonymised.
  4. We won't use Piwik. Mozilla uses Google Analytics for website analytics. Hosting our own is more work for a worse product.

This issue is for the discussion around disabling Google Analytics usage on the page that serves the Discovery Pane. Implementing that feature is, to me, a good idea. We have heard the opinions here of people who do not trust Google. For now obviously you can block Google Analytics domains in your DNS settings and opting not to use the about:addons feature (you can also disable the discovery pane from loading by blocking requests to discovery.addons.mozilla.org where the page is hosted). We won't be entertaining the notion that Google will hoard all the data it has agreed to keep anonymous and private for now.

So: please keep this discussion civil in tone. I would ask that you assume good faith in Mozilla if you would like to discuss how to improve Firefox and limit the pages that load analytics. If you are assuming Mozilla will act badly, then I would encourage you simply to block the discovery pane from loading as I mentioned above.

Member

tofumatt commented Jul 12, 2017

Let's clear a few things up:

  1. Right now the about:addons page loads an iFrame with content hosted on a Mozilla website ("The Discovery Pane"). This page contains Google Analytics. Because we don't allow add-ons to run on about:* pages, add-ons that would block GA don't work here.
  2. Opting in to Telemetry doesn't mean opting in to GA. I was proposing using that feature as a possible signifier the user is okay with sending usage data to Mozilla. That's not currently the case.
  3. Our agreement with Google Analytics means our data is aggregated and anonymised.
  4. We won't use Piwik. Mozilla uses Google Analytics for website analytics. Hosting our own is more work for a worse product.

This issue is for the discussion around disabling Google Analytics usage on the page that serves the Discovery Pane. Implementing that feature is, to me, a good idea. We have heard the opinions here of people who do not trust Google. For now obviously you can block Google Analytics domains in your DNS settings and opting not to use the about:addons feature (you can also disable the discovery pane from loading by blocking requests to discovery.addons.mozilla.org where the page is hosted). We won't be entertaining the notion that Google will hoard all the data it has agreed to keep anonymous and private for now.

So: please keep this discussion civil in tone. I would ask that you assume good faith in Mozilla if you would like to discuss how to improve Firefox and limit the pages that load analytics. If you are assuming Mozilla will act badly, then I would encourage you simply to block the discovery pane from loading as I mentioned above.

@toolforger

This comment has been minimized.

Show comment
Hide comment
@toolforger

toolforger Jul 12, 2017

Question is what's carrying more weight for the Mozilla Foundation: The promise of respecting user privacy, or getting more accurate usage statistics with less work.

It's good to know that the Mozilla Foundation does the latter.

It's bad that the MF thinks is can pass on data to third parties because it's convenient, without asking the user for consent (maybe Mozilla did, implicitly, but then I wasn't made aware that the decision involved third parties, so I still didn't consent even if the MF supposes I did).

I hear you say that user tracking is not a black-or-white thing.
Technically, you're right. Aggregate data is different from individual data, and there are many, many shades of aggregation.
Socially, however, people cannot check what shade of grey the MF is doing now, due to lack of time and/or expertise. So they have to be pessimistic (as far as they're concerned about privacy - the whole debate is moot about those people who are not concerned). And that means that the trust in the MF's privacy promise pegs at 0%, from whatever value it was at before.

toolforger commented Jul 12, 2017

Question is what's carrying more weight for the Mozilla Foundation: The promise of respecting user privacy, or getting more accurate usage statistics with less work.

It's good to know that the Mozilla Foundation does the latter.

It's bad that the MF thinks is can pass on data to third parties because it's convenient, without asking the user for consent (maybe Mozilla did, implicitly, but then I wasn't made aware that the decision involved third parties, so I still didn't consent even if the MF supposes I did).

I hear you say that user tracking is not a black-or-white thing.
Technically, you're right. Aggregate data is different from individual data, and there are many, many shades of aggregation.
Socially, however, people cannot check what shade of grey the MF is doing now, due to lack of time and/or expertise. So they have to be pessimistic (as far as they're concerned about privacy - the whole debate is moot about those people who are not concerned). And that means that the trust in the MF's privacy promise pegs at 0%, from whatever value it was at before.

@gorhill

This comment has been minimized.

Show comment
Hide comment
@gorhill

gorhill Jul 12, 2017

Because we don't allow add-ons to run on about:* pages, add-ons that would block GA don't work here.

This is incorrect, add-ons can block network requests made by about: pages:

a

The issue is that allowing content blockers to block network requests on about: pages by default has the potential to break other stuff in the browser (example), hence the about: pages are whitelisted by default in uBlock Origin specifically (the whitelist directive about-scheme can be removed by users who are ok with potential breakage elsewhere).

Edit: correction below.

gorhill commented Jul 12, 2017

Because we don't allow add-ons to run on about:* pages, add-ons that would block GA don't work here.

This is incorrect, add-ons can block network requests made by about: pages:

a

The issue is that allowing content blockers to block network requests on about: pages by default has the potential to break other stuff in the browser (example), hence the about: pages are whitelisted by default in uBlock Origin specifically (the whitelist directive about-scheme can be removed by users who are ok with potential breakage elsewhere).

Edit: correction below.

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

I thought web extensions couldn't block that content.

Member

tofumatt commented Jul 12, 2017

I thought web extensions couldn't block that content.

@toolforger

This comment has been minimized.

Show comment
Hide comment
@toolforger

toolforger Jul 12, 2017

@tofumatt I hope I've been civil enough for your taste - it's difficult to stay strictly neutral when dealing with personal disappointment.
I think most people here have been trying to be as civil as humanly possible.

One other thing: It's not as simple as "good faith in Mozilla"
I can have faith in Mozilla's good intentions, and still question its decisionmaking.

I'm feeling pretty uneasy about the priorities I am seeing being applied. A single privacy blunder, whether intentional or not, whether by Google or by Mozilla, means that user data went into the hands of people that they shouldn't have gone to, and you can never be sure that it's actually deleted even if the entity that got the data agreed to deleting it.
UX problems can be fixed after the fact, privacy problems cannot. And I do not see that reflected in the decisionmaking priorities that I have seen here.

toolforger commented Jul 12, 2017

@tofumatt I hope I've been civil enough for your taste - it's difficult to stay strictly neutral when dealing with personal disappointment.
I think most people here have been trying to be as civil as humanly possible.

One other thing: It's not as simple as "good faith in Mozilla"
I can have faith in Mozilla's good intentions, and still question its decisionmaking.

I'm feeling pretty uneasy about the priorities I am seeing being applied. A single privacy blunder, whether intentional or not, whether by Google or by Mozilla, means that user data went into the hands of people that they shouldn't have gone to, and you can never be sure that it's actually deleted even if the entity that got the data agreed to deleting it.
UX problems can be fixed after the fact, privacy problems cannot. And I do not see that reflected in the decisionmaking priorities that I have seen here.

@NoXPhasma

This comment has been minimized.

Show comment
Hide comment
@NoXPhasma

NoXPhasma Jul 12, 2017

Also to think making data "anonymous" would help in privacy aspects is very naive. As we all should know that google has so much data about our all lives and online activities, that it's easy for them to know from which browser/person the data is coming from. Cookies are not important any more to track users.

Maybe you as the MF trust google that they handle the data anonymously, but that doesn't mean that we do too. I also want to mention that I never expected the about:addons page being a tracking monster on me at all. Maybe you have written it anywhere on page 120 in the user agreement, but tbh who reads them anyway?

NoXPhasma commented Jul 12, 2017

Also to think making data "anonymous" would help in privacy aspects is very naive. As we all should know that google has so much data about our all lives and online activities, that it's easy for them to know from which browser/person the data is coming from. Cookies are not important any more to track users.

Maybe you as the MF trust google that they handle the data anonymously, but that doesn't mean that we do too. I also want to mention that I never expected the about:addons page being a tracking monster on me at all. Maybe you have written it anywhere on page 120 in the user agreement, but tbh who reads them anyway?

@gorhill

This comment has been minimized.

Show comment
Hide comment
@gorhill

gorhill Jul 12, 2017

I thought web extensions couldn't block that content.

I just ran a couple of tests, and I believe you are correct.

Legacy uBlock Origin can block the network request to GA.

However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.

What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.

This is what I have observed, hopefully this can be confirmed by others.

gorhill commented Jul 12, 2017

I thought web extensions couldn't block that content.

I just ran a couple of tests, and I believe you are correct.

Legacy uBlock Origin can block the network request to GA.

However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.

What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.

This is what I have observed, hopefully this can be confirmed by others.

@nkestrel

This comment has been minimized.

Show comment
Hide comment
@nkestrel

nkestrel Jul 12, 2017

This seems like something the built-in "Tracking Protection" feature (currently only available in private windows but in FF56 available to all windows) is meant to protect us from but alas it does not appear to stop the about:addons page from pinging GA using either the basic or strict filter.

nkestrel commented Jul 12, 2017

This seems like something the built-in "Tracking Protection" feature (currently only available in private windows but in FF56 available to all windows) is meant to protect us from but alas it does not appear to stop the about:addons page from pinging GA using either the basic or strict filter.

@justjanne

This comment has been minimized.

Show comment
Hide comment
@justjanne

justjanne Jul 12, 2017

@tofumatt

We won't be entertaining the notion that Google will hoard all the data it has agreed to keep anonymous and private for now.

So, you’re saying we should just trust Google? I’m sorry, but if we’d trust Google, everyone would be using Google Chrome.

Additionally, at least a standard cookie notice should exist on that page, as it is tracking the user.

justjanne commented Jul 12, 2017

@tofumatt

We won't be entertaining the notion that Google will hoard all the data it has agreed to keep anonymous and private for now.

So, you’re saying we should just trust Google? I’m sorry, but if we’d trust Google, everyone would be using Google Chrome.

Additionally, at least a standard cookie notice should exist on that page, as it is tracking the user.

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

I'm not telling you or anyone else to trust Google; I don't presume to tell any user what they should do or how they should behave.

If you do not trust Google to handle your data, despite the assurances (https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14) we have from them, I would suggest you block their code from your browser by disabling their Analytics domains. I think that's entirely reasonable.

Again: I am happy to discuss ways we can make the blocking of GA easier for users on the discovery pane. That's what this issue is about. If you have a blanket distrust of Google that is fine but is out-of-scope for this issue or for Mozilla. Mozilla will continue to use Google Analytics on its web properties, of which the Add-ons Discovery Pane is one.

The cookies notice is a separate issue which should be addressed separately; if you would like to file a bug about that feel free. Note, however, that the EU has reformed its policy on cookies and as I understand it the notices will largely go away next year: https://webdevlaw.uk/2017/01/10/cookie-law-reform-announcement/ (of course, I am not a lawyer! 😅)

Member

tofumatt commented Jul 12, 2017

I'm not telling you or anyone else to trust Google; I don't presume to tell any user what they should do or how they should behave.

If you do not trust Google to handle your data, despite the assurances (https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14) we have from them, I would suggest you block their code from your browser by disabling their Analytics domains. I think that's entirely reasonable.

Again: I am happy to discuss ways we can make the blocking of GA easier for users on the discovery pane. That's what this issue is about. If you have a blanket distrust of Google that is fine but is out-of-scope for this issue or for Mozilla. Mozilla will continue to use Google Analytics on its web properties, of which the Add-ons Discovery Pane is one.

The cookies notice is a separate issue which should be addressed separately; if you would like to file a bug about that feel free. Note, however, that the EU has reformed its policy on cookies and as I understand it the notices will largely go away next year: https://webdevlaw.uk/2017/01/10/cookie-law-reform-announcement/ (of course, I am not a lawyer! 😅)

@gcp

This comment has been minimized.

Show comment
Hide comment
@gcp

gcp Jul 12, 2017

This seems like something the built-in "Tracking Protection" feature (currently only available in private windows but in FF56 available to all windows) is meant to protect us from but alas it does not appear to stop the about:addons page from pinging GA using either the basic or strict filter.

Can you file a bug for this against Firefox (i.e. in Bugzilla, not github). https://bugzilla.mozilla.org/enter_bug.cgi?product=Toolkit -> component: Safe Browsing

Maybe not filtering about:* is by design but clearly extending this functionality is now very desirable.

gcp commented Jul 12, 2017

This seems like something the built-in "Tracking Protection" feature (currently only available in private windows but in FF56 available to all windows) is meant to protect us from but alas it does not appear to stop the about:addons page from pinging GA using either the basic or strict filter.

Can you file a bug for this against Firefox (i.e. in Bugzilla, not github). https://bugzilla.mozilla.org/enter_bug.cgi?product=Toolkit -> component: Safe Browsing

Maybe not filtering about:* is by design but clearly extending this functionality is now very desirable.

@ocdtrekkie

This comment has been minimized.

Show comment
Hide comment
@ocdtrekkie

ocdtrekkie Jul 12, 2017

@tofumatt You should really just be considering the message you're sending when you say that Mozilla will use Google Analytics because it's less work for a better product. Because a lot of people could (and might) translate that to equally apply to Google Chrome. Firefox has made great strides to catch up, but you basically just gave the best argument one could for just abandoning Firefox.

If even Mozilla can't be bothered to step away from El Goog, what hope do any of us have?

ocdtrekkie commented Jul 12, 2017

@tofumatt You should really just be considering the message you're sending when you say that Mozilla will use Google Analytics because it's less work for a better product. Because a lot of people could (and might) translate that to equally apply to Google Chrome. Firefox has made great strides to catch up, but you basically just gave the best argument one could for just abandoning Firefox.

If even Mozilla can't be bothered to step away from El Goog, what hope do any of us have?

@pwd-github

This comment has been minimized.

Show comment
Hide comment
@pwd-github

pwd-github Jul 12, 2017

I am happy to discuss ways we can make the blocking of GA easier for users on the discovery pane. That's what this issue is about. If you have a blanket distrust of Google that is fine but is out-of-scope for this issue or for Mozilla. Mozilla will continue to use Google Analytics on its web properties, of which the Add-ons Discovery Pane is one.

Can I just state that this is fine and reiterate that the argument here is that users should be notified of third party analytics collecting their data, have the ability of opting out of third party analytics and have any protections they've taken against third party analytics or cookies respected.

pwd-github commented Jul 12, 2017

I am happy to discuss ways we can make the blocking of GA easier for users on the discovery pane. That's what this issue is about. If you have a blanket distrust of Google that is fine but is out-of-scope for this issue or for Mozilla. Mozilla will continue to use Google Analytics on its web properties, of which the Add-ons Discovery Pane is one.

Can I just state that this is fine and reiterate that the argument here is that users should be notified of third party analytics collecting their data, have the ability of opting out of third party analytics and have any protections they've taken against third party analytics or cookies respected.

@edwardgalligan

This comment has been minimized.

Show comment
Hide comment
@edwardgalligan

edwardgalligan Jul 12, 2017

As I mentioned in #1107: we will not be removing analytics support entirely. It is extremely useful to us and we have already weighed the cost/benefit of using tracking.

Frankly, the primary reason I use Firefox is that I hope when carrying out cost/benefit analyses, user privacy is given weighted priority. Otherwise, there's little to distinguish the product from Google Chrome, as others here have mentioned.

As @justjanne has already mentioned, this is likely illegal in European countries. As a company literally trading on the promise of privacy, the bare minimum of complying with privacy law should be a bar well below the standard set.

We don't give the "data directly to Google". See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=858839.

It's already been mentioned above, but to re-iterate: you are sending data to Google servers. Any promise from Google on what will be done with that data is contingent on a user's trust of Google, which should be independent of a user's trust of Mozilla.

Mozilla will continue to use Google Analytics on its web properties, of which the Add-ons Discovery Pane is one.

Regardless of where we stand on Mozilla's policy on their web properties in general, the Add-ons Discovery Pane is part of the browser chrome. Considering it a web property because of the technical implementation details behind it doesn't meet user expectation. It is not a Mozilla web property, it's a part of my browser.

we should only be enabling tracking for users who have opted-in to sharing their data usage in Firefox. I'd guess respecting the Telemetry checkbox would work. Or maybe having a new checkbox if piggy-backing on that one is problematic from a legal perspective.

As a user that did opt in to Telemetry (before this), my expectation is that this checkbox enables sending data to Mozilla and Mozilla alone and would not entail sharing my data with 3rd parties. Regardless of the legal standpoint, if enabling Telemetry necessarily involves sharing data with 3rd parties, you should tell users, and you will lose Telemetry opt-ins as a result of doing that.

edwardgalligan commented Jul 12, 2017

As I mentioned in #1107: we will not be removing analytics support entirely. It is extremely useful to us and we have already weighed the cost/benefit of using tracking.

Frankly, the primary reason I use Firefox is that I hope when carrying out cost/benefit analyses, user privacy is given weighted priority. Otherwise, there's little to distinguish the product from Google Chrome, as others here have mentioned.

As @justjanne has already mentioned, this is likely illegal in European countries. As a company literally trading on the promise of privacy, the bare minimum of complying with privacy law should be a bar well below the standard set.

We don't give the "data directly to Google". See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=858839.

It's already been mentioned above, but to re-iterate: you are sending data to Google servers. Any promise from Google on what will be done with that data is contingent on a user's trust of Google, which should be independent of a user's trust of Mozilla.

Mozilla will continue to use Google Analytics on its web properties, of which the Add-ons Discovery Pane is one.

Regardless of where we stand on Mozilla's policy on their web properties in general, the Add-ons Discovery Pane is part of the browser chrome. Considering it a web property because of the technical implementation details behind it doesn't meet user expectation. It is not a Mozilla web property, it's a part of my browser.

we should only be enabling tracking for users who have opted-in to sharing their data usage in Firefox. I'd guess respecting the Telemetry checkbox would work. Or maybe having a new checkbox if piggy-backing on that one is problematic from a legal perspective.

As a user that did opt in to Telemetry (before this), my expectation is that this checkbox enables sending data to Mozilla and Mozilla alone and would not entail sharing my data with 3rd parties. Regardless of the legal standpoint, if enabling Telemetry necessarily involves sharing data with 3rd parties, you should tell users, and you will lose Telemetry opt-ins as a result of doing that.

@floatingatoll

This comment has been minimized.

Show comment
Hide comment
@floatingatoll

floatingatoll Jul 12, 2017

(Welcome, HN visitors! Please be patient if responses seem slow — you outnumber us 100:1 and today's a workday so there's meetings and timezones and so on.)

floatingatoll commented Jul 12, 2017

(Welcome, HN visitors! Please be patient if responses seem slow — you outnumber us 100:1 and today's a workday so there's meetings and timezones and so on.)

@timlib

This comment has been minimized.

Show comment
Hide comment
@timlib

timlib Jul 12, 2017

A fundamental issue is that Mozilla is making a choice on the behalf of users to trust Google without a clear opt-in mechanism. This trust is not being backed by any auditing or accountability by Mozilla or any other parties, making this purely a matter of taking Google at their word. However, Google has paid $22.5M to the FTC for violating user privacy setting in Safari - which is a pretty clear indicator whatever trust Mozilla places in Google is misplaced. To quote the FTC directly: Google "misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users".[0]

The available public evidence suggests very clearly that Google should not be trusted in this way. The Safari fine is one of many examples to cite. As others have said, Firefox's main selling point is supposed to be more privacy than Chrome, the use of GA directly undermines this and raises questions about Firefox's relative value.

[0] https://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented

timlib commented Jul 12, 2017

A fundamental issue is that Mozilla is making a choice on the behalf of users to trust Google without a clear opt-in mechanism. This trust is not being backed by any auditing or accountability by Mozilla or any other parties, making this purely a matter of taking Google at their word. However, Google has paid $22.5M to the FTC for violating user privacy setting in Safari - which is a pretty clear indicator whatever trust Mozilla places in Google is misplaced. To quote the FTC directly: Google "misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users".[0]

The available public evidence suggests very clearly that Google should not be trusted in this way. The Safari fine is one of many examples to cite. As others have said, Firefox's main selling point is supposed to be more privacy than Chrome, the use of GA directly undermines this and raises questions about Firefox's relative value.

[0] https://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented

@justjanne

This comment has been minimized.

Show comment
Hide comment
@justjanne

justjanne Jul 12, 2017

Regarding

the use of GA directly undermines this and raises questions about Firefox's relative value.

The issue isn’t just the usage of GA, but not asking users about it. If a user opts in to GA, that’s fine, and you can track them (although that’s still not ideal). But trusting GA by default, without even an opt-out, is a major issue, and also means that Mozilla will have to figure out how this was approved for shipping in the first place, as it goes against the ideals for which Mozilla stands.

justjanne commented Jul 12, 2017

Regarding

the use of GA directly undermines this and raises questions about Firefox's relative value.

The issue isn’t just the usage of GA, but not asking users about it. If a user opts in to GA, that’s fine, and you can track them (although that’s still not ideal). But trusting GA by default, without even an opt-out, is a major issue, and also means that Mozilla will have to figure out how this was approved for shipping in the first place, as it goes against the ideals for which Mozilla stands.

@edwardgalligan

This comment has been minimized.

Show comment
Hide comment
@edwardgalligan

edwardgalligan Jul 12, 2017

If a user opts in to GA, that’s fine

Technically, yes. For any other company that is not Mozilla, yes. For Mozilla, a company that sells their product on the back of claims of prioritising privacy, I would ideally hope that:

  • sending data to 3rd-parties, even with consent, is kept to as much of a minimum as is reasonable
  • when data is being sent to 3rd-parties, selection of those 3rd-parties is a careful, considered process that excludes any entities with a history of flagrant disregard for user privacy

edwardgalligan commented Jul 12, 2017

If a user opts in to GA, that’s fine

Technically, yes. For any other company that is not Mozilla, yes. For Mozilla, a company that sells their product on the back of claims of prioritising privacy, I would ideally hope that:

  • sending data to 3rd-parties, even with consent, is kept to as much of a minimum as is reasonable
  • when data is being sent to 3rd-parties, selection of those 3rd-parties is a careful, considered process that excludes any entities with a history of flagrant disregard for user privacy
@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

Hi all: a gentle reminder that Mozilla has considered its usage of Google Analytics, was careful in its selection of Google Analytics, and negotiated a deal with Google to ensure data was not shared for mining or with other third parties.

This issue has now been posted on Hacker News and is receiving lots of traffic and comments which do not add to the issue at hand: don't load GA if the user has enabled Do Not Track.

This issue tracker is not a general discussion forum for how you think Mozilla should conduct its usage tracking or interactions with Google. There is a Hacker News thread monitored by Mozilla staff where a discussion around how Mozilla handles tracking you're welcome to participate in if you'd like to continue the discussion further, but I'll be locking this issue as I think what needs to be said has been said, and further comments have not added to specific fixes for this issue.

Thanks for your contributions, folks. A number of people on the Firefox team are taking note of what's been said in this thread and we'll work toward getting the Discovery Pane's usage of Analytics more in line with the privacy settings expected based on what users have set in the browser.

Member

tofumatt commented Jul 12, 2017

Hi all: a gentle reminder that Mozilla has considered its usage of Google Analytics, was careful in its selection of Google Analytics, and negotiated a deal with Google to ensure data was not shared for mining or with other third parties.

This issue has now been posted on Hacker News and is receiving lots of traffic and comments which do not add to the issue at hand: don't load GA if the user has enabled Do Not Track.

This issue tracker is not a general discussion forum for how you think Mozilla should conduct its usage tracking or interactions with Google. There is a Hacker News thread monitored by Mozilla staff where a discussion around how Mozilla handles tracking you're welcome to participate in if you'd like to continue the discussion further, but I'll be locking this issue as I think what needs to be said has been said, and further comments have not added to specific fixes for this issue.

Thanks for your contributions, folks. A number of people on the Firefox team are taking note of what's been said in this thread and we'll work toward getting the Discovery Pane's usage of Analytics more in line with the privacy settings expected based on what users have set in the browser.

@tofumatt tofumatt closed this Jul 12, 2017

@mozilla mozilla locked and limited conversation to collaborators Jul 12, 2017

@tofumatt tofumatt reopened this Jul 12, 2017

@potch

This comment has been minimized.

Show comment
Hide comment
@potch

potch Jul 12, 2017

Member

@tofumatt should I file an issue to add a Privacy Policy link to the discovery pane footer?

Member

potch commented Jul 12, 2017

@tofumatt should I file an issue to add a Privacy Policy link to the discovery pane footer?

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 12, 2017

Member

@potch Yes please! 👍

Member

tofumatt commented Jul 12, 2017

@potch Yes please! 👍

@tofumatt tofumatt self-assigned this Jul 12, 2017

@tofumatt tofumatt modified the milestone: 2017.07.13 Jul 12, 2017

@tofumatt tofumatt removed their assignment Jul 12, 2017

@tofumatt

This comment has been minimized.

Show comment
Hide comment
@tofumatt

tofumatt Jul 13, 2017

Member

A note to all users following the discussion here:

We shipped a hotfix to the Add-ons Websites today and now respect Do Not Track on the Mozilla Add-ons Website and about:addons. See: #2792 and mozilla/addons-server#5901 for the relevant issues). This will affect any browser that visits https://discovery.addons.mozilla.org/ with the Do Not Track flag set (that includes Tor Browser).

You can disable Google Analytics in about:addons by setting your Do Not Track status to on.

Again: this only affects users who visit the page with Tracking Protection on (which automatically enables DNT) or who manually set their DNT status to on. This was the fastest and most straightforward way to ship a fix to this issue and it is now in production without requiring a browser update. 👍

Thanks a lot to those at Mozilla who helped get these patches reviewed, landed, and on production in less than a day's turnaround.


A few notes:

There is an edge case regarding caching we are trying to figure out that may require a browser patch and will take more time: https://bugzilla.mozilla.org/show_bug.cgi?id=1380754. This should not affect most users, however, and the fix is straightforward: please restart your browser after enabling Do Not Track.

There is a separate issue regarding disabling Sentry error reporting for app exceptions (#2802) when DNT is enabled.


Thanks to all the users who brought this to our attention. I'm closing this issue as there is now a straightforward way to disable Google Analytics on about:addons and indeed on Mozilla's Add-ons website as well. If you think there are further steps Firefox should take I would encourage you to file a Bugzilla issue if it's a browser-related bug.

If you spot an issue with our implemetation of DNT to disable Google Analytics, feel free to file an issue on this repo.

Member

tofumatt commented Jul 13, 2017

A note to all users following the discussion here:

We shipped a hotfix to the Add-ons Websites today and now respect Do Not Track on the Mozilla Add-ons Website and about:addons. See: #2792 and mozilla/addons-server#5901 for the relevant issues). This will affect any browser that visits https://discovery.addons.mozilla.org/ with the Do Not Track flag set (that includes Tor Browser).

You can disable Google Analytics in about:addons by setting your Do Not Track status to on.

Again: this only affects users who visit the page with Tracking Protection on (which automatically enables DNT) or who manually set their DNT status to on. This was the fastest and most straightforward way to ship a fix to this issue and it is now in production without requiring a browser update. 👍

Thanks a lot to those at Mozilla who helped get these patches reviewed, landed, and on production in less than a day's turnaround.


A few notes:

There is an edge case regarding caching we are trying to figure out that may require a browser patch and will take more time: https://bugzilla.mozilla.org/show_bug.cgi?id=1380754. This should not affect most users, however, and the fix is straightforward: please restart your browser after enabling Do Not Track.

There is a separate issue regarding disabling Sentry error reporting for app exceptions (#2802) when DNT is enabled.


Thanks to all the users who brought this to our attention. I'm closing this issue as there is now a straightforward way to disable Google Analytics on about:addons and indeed on Mozilla's Add-ons website as well. If you think there are further steps Firefox should take I would encourage you to file a Bugzilla issue if it's a browser-related bug.

If you spot an issue with our implemetation of DNT to disable Google Analytics, feel free to file an issue on this repo.

@tofumatt tofumatt closed this Jul 13, 2017

@tofumatt tofumatt modified the milestones: 2017.07.20, 2017.07.13 Jul 14, 2017

@tofumatt tofumatt self-assigned this Jul 14, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.