Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

(support.mozilla.org)

757 points shak77 | 2 comments | 15 Dec 17 13:47 UTC | HN request time: 0.001s | source

Show context

AdmiralAsshat ◴[15 Dec 17 14:27 UTC] No.15932004[source]▶

https://support.mozilla.org/en-US/kb/lookingglass

The Mr. Robot series centers around the theme of online privacy and security. One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.

...which you've done by installing a fishy-looking addon without our permission and making us less likely to trust you?

Well-done, Mozilla.

replies(3): >>15932105 #>>15932234 #>>15932789 #

theossuary ◴[15 Dec 17 14:41 UTC] No.15932105[source]▶

>>15932004 #

If you clicked on the link about shield studies you'd see it says they're opt in, did you not getting prompted about it?

replies(9): >>15932122 #>>15932143 #>>15932169 #>>15932180 #>>15932182 #>>15932185 #>>15932332 #>>15932363 #>>15932810 #

yborg ◴[15 Dec 17 14:46 UTC] No.15932143[source]▶

>>15932105 #

Apparently it's getting loaded anyway for some people that say they had "Studies" disabled and/or "Studies" itself became re-enabled.

The whole idea of slipping paid advertorial content into what are billed as "research" kind of gives the lie to this whole thing and is why I never turn these on in any product. Which is also why it's now "opt-out" by default, and why it will eventually not be an option at all. It's all for our own good, you see.

replies(2): >>15932194 #>>15932210 #

Ajedi32 ◴[15 Dec 17 14:52 UTC] No.15932194{3}[source]▶

>>15932143 #

You don't just need "Studies" enabled, you also need to explicitly opt-in to each specific study on an individual basis:

> Participation in an individual study is opt-in

Source: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies

If that didn't happen in this case, then I suspect it's probably a bug.

replies(4): >>15932236 #>>15932322 #>>15932829 #>>15932901 #

acqq ◴[15 Dec 17 15:10 UTC] No.15932322{4}[source]▶

>>15932194 #

> you also need to explicitly opt-in

Wrong, as far as I see: Looking in my about:config, I see

    app.shield.optoutstudies.enabled=true
    browser.onboarding.shieldstudy.enabled=true

enabled by default. The settings that I've changed from the default are shown in bold. These aren't bold. Those are the defaults. Everybody can check.

That means that the user must actively take steps to disable them, if he knows that they exist and where he can disable them.

Every time the user creates a new profile, and most probably also when he "refreshes" an old one, he has by default the studies allowed.

It's even worse in other aspects: through the UI the "Allow Firefox to install and run studies" can be unchecked but it doesn't change the value of "experiments.enabled" to false in about:config.

Apparently the "experiments" allow Mozilla to install the "experimental" extensions to any user, without him knowing. And these extensions are invisible in the GUI! Even if the user goes to the about:config and sets extensions.ui.experiment.hidden to false, it will be automatically set to true again.

replies(3): >>15932656 #>>15932744 #>>15933164 #

1. Ajedi32 ◴[15 Dec 17 17:01 UTC] No.15933164{5}[source]▶

>>15932322 #

Are you sure that's what those config options do? I tried looking them up, but they don't seem to be listed in Mozilla's config documentation: http://kb.mozillazine.org/About:config_entries

According to the Wiki page I linked in my previous comment, global settings shouldn't even matter in this case; since each SHIELD study must be opted into on an individual basis. (Or at least, that's how it's _supposed_ to work.)

Edit: Looks like the wiki was updated to state that some studies can be opt-out rather than opt-in. This also seems in-line with the documentation for SHIELD, which has a section on opt-out studies: https://normandy.readthedocs.io/en/latest/user/actions/opt-o...

replies(1): >>15933730 #

2. acqq ◴[15 Dec 17 18:08 UTC] No.15933730[source]▶

>>15933164 (TP) #

Your link in edit part is the answer to your question before the edit:

https://normandy.readthedocs.io/en/latest/user/actions/opt-o...

"opt-out-study: Install a Study Add-on Without Prompting

The opt-out-study action installs an add-on, typically one that implements a feature experiment by changing Firefox and measuring how it affects the user."

They are obviously the topic of:

app.shield.optoutstudies.enabled=true

That I mentioned.

I see a lot of commenters trying to excuse them. The problem is, people allowed the "studies" because Mozilla claimed that they are "measuring" whatever "to make Firefox better." They never told anybody that they are selling the "studies" functionality which silently installs ("opt-out" not opt in!) to the advertisers.

I don't know how anybody can defend such an approach.

↑