I believe that when you install Firefox it specifically asks you to answer the question as to whether telemetry data is sent - because they recognise that this is unusual for Firefox and some people may not be comfortable with it.
This is not just some setting hidden in among 300 other settings. There is no excuse for not knowing about it. Whether you understand it is another issue.
Bottom line: Don’t want telemetry then just say no when you install Firefox. (So calling this a “privacy nightmare” is a bit extreme.) Or, if you already installed and said ‘yes’ then turn it off.
about:preferences#privacy
Untick ‘Allow Firefox to send technical and interaction data to Mozilla’
Asking how long it is stored or how to delete it is missing the point. If you care about this stuff then don’t enable it in the first place!
If you disable telemetry, it does regenerate the clientId (as well as requesting the deletion of telemetry data on Mozilla’s server for the old clientId) - which means that any future data (if re-enabled) should not be associated with any past data (before the data is deleted).
It may be possible for law enforcement to associate it (using the IP addresses) but that is a wider problem. Mozilla won’t be able to associate it. Of course if you are worried about that (law enforcement and IP addresses) then use a VPN service. By a totally amazing coincidence, the linked blog article is from PIA, a well known provider of VPN service.
Unlike most environments, Firefox is open source. Need to answer that question? … you can in theory do so. Maybe you yourself don’t have the expertise but someone somewhere can answer that question.
Compare that to many other browsers that are either partial black boxes or total black boxes.
Epic and Brave are also based on Chromium. Pale Moon is based on Firefox. My default is Epic, though I also use Pale Moon. I abandoned Firefox years ago.
As the common cores of almost everything software are increasingly open source it can be a two edged ‘solution’.
All the bugs and holes could become universal with the differences only in how they add ‘fixes’ in their release cycles. Maybe there will be a few forks running in parallel, some more robust than others, and having known problems is better than having yet to be discovered ones, but.
This is very true in other ways than you stated. If a project is open source, do you necessarily know how much a particular government entity might be ‘contributing’? There have been several open source projects that have been compromised in one way or another - generally by actor or actors unknown.
Of course, if you are a government then you can always put pressure on a company to do things a particular way - or insert/recruit one of your own ‘experts’ into the development process.
Apparently Apple was considering end-to-end encryption of iCloud - before it spoke to the FBI. (Apple’s take on this is that it did not want to be responsible for users who could not recover their own data/reset their own passwords - which is a reasonable position for a large technology company.)
Indeed. Nothing’s perfect. There is no “solution”, only OK and not-so-OK. Closed source is a black box, of which few see the inside. With open source, at least the interior of the box is readily accessible.
Around 95% of users don’t even know they have that option, let alone figure out how to apply the setting. It should be opt-in, and the university should be embarrassed that it cannot get basic privacy settings right.
I have long thought most companies have special teams tasked with the singular purpose of effectively hiding certain settings as well as making their operation counter-intuitive to defeat setting them for privacy, while being able to tout they exist.
That can be a way of getting additional compartmentalisation, so that if one browser is badly penetrated, other stuff may remain safe i.e. if you are rigorous about only ever visiting a given web site from the same browser each time.
So in your example, you might restrict social media to Epic, never visiting social media using Pale Moon, and keep Pale Moon clean for important stuff e.g. financial stuff.
This compartmentalisation is over and above that provided by the browser itself, where different web pages in the same browser may be intentionally running in different processes.
Homogeneity can be a bad thing, as you are suggesting, I think. Diversity of code base limits the scope of an exploit.
That isn’t really an issue with open source. Release cycle for vulnerabilities is basically ASAP (within a few days typically, after allowing for developing the fix, getting it to downstream repositories, getting it to mirrors - where any of that is relevant).
One benefit of open source is that they don’t generally downplay or attempt to conceal a vulnerability.
Release cycle can be a big issue in the Android world where the cycle is “there is no cycle” for all the various manufacturers that sell Android phones but couldn’t be bothered providing ongoing updates after a short period. So Google may fix the bug in a very timely fashion but the fix may never reach your Android phone.
They really are watching! Seriously, the most substantial risks IMHO involve pattern recognition. Putting together who goes where (even when the who is an aggregate), when and does what, then figuring out how to manipulate/influence behaviour.
Even open source distributions have managed release cycles regardless of what they are called. If they rolled out a fix ASAP each time it would be a never ending moving target.
During the life cycle for each major version, software changes to Red Hat Enterprise Linux are delivered via individual updates known as errata advisories through the Red Hat Customer Portaliii or other authorized Red Hat portals. Errata advisories may be released individually on an as-needed basis or aggregated as a minor release. Errata advisories may contain security fixes (Red Hat Security Advisories or RHSAs), bug fixes (Red Hat Bug Fix Advisories or RHBAs), or feature enhancements (Red Hat Enhancement Advisories or RHEAs). Errata advisories are tested and qualified against the active Red Hat Enterprise Linux major release.
Two examples should demonstrate the open source OS suppliers are actually as disciplined as any company. Devices that use open source cores have their own distribution policies, equally rigorous when from reputable established companies.
Fair enough. I shouldn’t have generalised across all Linux distros (and open source is bigger than that even).
Strangely though for all the massive amount of text regarding Ubuntu’s release policy, the one thing it doesn’t tell you is
they roll out a fix ASAP for every significant security issue.
In a bad week, you might see 3 sets of updates. In a good week, 0 or 1. So yes never ending and always moving. That’s security for you. You may want to rest. The nasty people and governments do not.
So while all that stuff about 6 month interim releases and biennial long-term support (LTS) releases is correct, what it doesn’t say is that within the support timeframe of the release, for either type of release, there is a continual stream of updates - security fixes, other bug fixes, performance improvements, functional enhancements. Significant security updates are pushed out ASAP for either type of release, backported where needed, within the support timeframe (which is 9 months for an interim release, and 5 years for an LTS).
For home users I would recommend, on balance, just taking all fixes ASAP. Business users may wish to exercise a greater level of control, including staging fixes and performing integration testing and regression testing, coordinated rollout, etc.
A little privacy seems a little too much for our increasingly draconian and fascist bending governments. The telcos seem only too happy to help. Ask government and it will be nothing to see, all for our benefit, move on, next…
This hole in FOI is new information to me as it could be to others. Put in a request for eg a Ministerial document, and they can stonewall and if they are shifted to another position or resign, the FOI request becomes null and void. We obviously don’t need to know whether they acted corruptly or not, but we might be able to make odds-on guesses. The practice may be pervasive across all occupants in government and all parties when given their chance.
He was told the request was now void because Canavan no longer held the office and the documents had not been kept by his successor, Keith Pitt, meaning they were “no longer in the possession of a minister”.
How convenient that his successor has lost them.
{Edit} It’s weird that a MInister must keep all this stuff but there is no requirement for continuity after he is gone. It isn’t as if the consequences of a Minister’s interactions with outside parties or the public interest in same disappear when he does.
My default browser (Epic) has been throwing errors lately. Presumably a Windows 10 update has upset it. So I went looking for an alternative. Might give Brave a go.
Seriously, the most substantial risks IMHO involve pattern recognition. Putting together who goes where (even when the who is an aggregate), when and does what, then figuring out how to manipulate/influence behaviour.
