PSA (?): just got this popup in Firefox when i was on an amazon product page. looked into it a bit because it seemed weird and it turns out if you click the big “yes, try it” button, you agree to mandatory binding arbitration with Fakespot and you waive your right to bring a class action lawsuit against them. this is awesome thank you so much mozilla very cool

https://queer.party/@m04/112872517189786676

So, Mozilla adds an AI review features for products you view using Firefox. Other than being very useless, it’s T&C are as anti-consumer as it possibly can be. It’s like mozilla saying directly “we don’t care about your privacy”.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    28
    arrow-down
    1
    ·
    edit-2
    4 months ago

    Here is a talk on OHTTP (OHAI) https://www.youtube.com/watch?v=_HEzpnktAwY

    and a OHTTP recap https://www.youtube.com/watch?v=qjLwo4Ufp8s

    Basically, if you trust the OHTTP Proxy (mozilla) and the OHTTP service provider (fakespot) to not collude, then OHTTP protects your data.

    If you think Mozilla and fakespot might collude, then this doesn’t give you any privacy. (Update - Someone pointed out Mozilla has purchased fakespot, so this comes down to Trusting mozilla with 100% of your data for their privacy promise and OHTTP is totally pointless here)

    Depends on your threat model.

    If they actually cared about privacy they would have the OHTTP model, sure, but also a TOR hidden service endpoint that anyone could use as well ; Removing all the links between the user and the service shouldn’t be a problem, since they are not monitizing user behavior, right? RIGHT?!?!?

    • GenderNeutralBro@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      edit-2
      4 months ago

      Mozilla says they use a third-party OHTTP intermediary. In the blog post linked above, they name Fastly as their partner. So it’s not as bad as Mozilla + Mozilla-wearing-funny-glasses.

      Personally, I still think this is the wrong approach to privacy, even though I’ve used Fakespot on my own many times over the years. Largely because I don’t think any of this needs to be built into a web browser.

      I would prefer my web browser to minimize information leakage by default, to the greatest degree that it can while still remaining useful as a web browser. Mozilla keeps adding bloat to Firefox, and bloat always comes at a cost. I’d much prefer these to be browser extensions that people can download if they want them, rather than built in by default. The baseline Firefox should be lean. Less “stuff” = smaller attack surface. Simplicity is best.

      I mean, the Fakespot browser extension has existed for a long time, and I’ve never seriously considered installing it. I’d much rather just take an extra three seconds to load their web site and paste in a URL than have it constantly monitoring my activity and doing god-knows-what with it. That way I have better knowledge and control of what is happening with my data. Even if I trust their intentions, I don’t implicitly trust their competence (all software has bugs) and I don’t trust that they will never go rogue in the future.

      And also, I just don’t find this claim all that compelling in principle:

      By processing the data jointly across two independent parties, they ensure neither party holds the information required to reveal sensitive information about someone.

      I mean…sure. That’s fair. Buuuuuut handing half the data to your “partner” doesn’t give me a whole lot of confidence. Especially since literally nobody reads all of the privacy policies they are subject to. See:

      https://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/

      https://www.npr.org/sections/alltechconsidered/2012/04/19/150905465/to-read-all-those-web-privacy-policies-just-take-a-month-off-work

      https://www.techradar.com/computing/cyber-security/you-need-a-whole-workweek-every-month-to-read-privacy-policiesand-thats-bad-news

      Minimizing privacy policies should be a high-priority goal for any organization that claims to value privacy.

      Furthermore, how many additional parties have access (legally or otherwise) to both Mozilla and Fastly? 🤷

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        4 months ago

        i would like to see mozilla making all of these features as full fledged browser extensions (installed by default, sure why not, but uninstallable at user request)

      • jqubed@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        4 months ago

        I remember when Firefox was brand new over 20 years ago and one of the reasons for creating it was the main Mozilla browser had too much feature bloat so it was stripped down to just a browser and if you wanted more features you could add them in as extensions, putting just what you wanted in the browser and leaving out what you didn’t. It was great! Eventually Firefox became more popular so Mozilla switched their efforts to it and they’ve been jamming more things that used to be extensions in as features and bloating it full of features I don’t want. It’s one of the reasons I started using Chrome in the early days of Chrome but then of course that and Google started getting worse so I switched back to Firefox, but it still has its problems.

    • 𝘋𝘪𝘳𝘬@lemmy.ml
      link
      fedilink
      arrow-up
      9
      arrow-down
      3
      ·
      4 months ago

      I don’t trust Mozilla one single bit with my data as long as they have an advertising network enabled by default and use pingback telemetry for ALL actions you do in the browser by default that can only be turned off by changing multiple “hidden” about:config settings.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        4 months ago

        It doesn’t, but when modeling threats we have to go be capabilities and not intentions.

        • Vincent@feddit.nl
          link
          fedilink
          arrow-up
          11
          arrow-down
          2
          ·
          4 months ago

          If we’re going by capabilities, then your browser maker can already see everything you do in that browser.