So what would the author prefer? That security sensitive software doesn't check for updates? WHAT COULD POSSIBLY GO WRONG.
Somewhat later there is this remark:
> Why are these add-ons? Why are they not designed-in and built-in to the browser?
Well, this is actually built into Firefox Nightly. It's called Tracking Protection...and it updates its lists using the exact same SafeBrowsing the original author whines about.
It's hard to take these people seriously, which is bad, because privacy is a serious problem. Not worthy to be left over to whiners that offer no solutions.
> Not worthy to be left over to whiners that offer no solutions.
This is not a fair criticism. I can tell someone, "Hey dude, your house is on fire" without having to offer them either a bucket of water or a new house.
This type of argument is frequently used to forestall any criticism whatsoever. Bad supervisors often say things like, "don't give me complaints without also giving me a solution."
It's sloppy thinking, and rejects valuable feedback.
> Bad supervisors often say things like, "don't give me complaints without also giving me a solution."
This is true, but bad employees often say "Hey this sucks" without providing any constructive reasoning, and expecting someone else to fix a problem that you've seen but they haven't usually results in a lousy fix.
Sure, it's not their job to fix it, but if you come to me and say 'our art pipeline sucks, it's too inefficient' and then walk away, I literally have nothing at all to work on.
> Bad supervisors often say things like, "don't give me complaints without also giving me a solution."
That might be a bad supervisor if they say it to unskilled labor; to professional/analytical staff, the expectation that a problem report to management include a recommended course of action to address the problem is not unreasonable. In fact, since those are the kind of staff that would be called on to propose action to resolve a problem even if someone else reported it, it's simply a case of issuing the follow-up assignment in advance to eliminate an inefficient delay step.
What's wrong with telling one's boss, "Hey, I think we have a problem here that you should be aware of"? It sounds like these PHBs are drilling their PHs into the sand...
In some circumstances that attitude is valuable. When it comes to oversubscribed workers noticing something that doesn't seem right, it could save the company a lot in the long run.
Sometimes you don't have the time to find solutions, because you're working on your own stuff.
I couldn't disagree more strongly. There IS a solution. There are even multiple ones. The critics are pointing out that a particular one they focus on isn't perfect on their arbitrary metrics, and so they claim it isn't good.
"I dislike it that the user-friendly software I use (as opposed to TBB) phones home to check for updates and track metrics" isn't valuable feedback. It's stating the obvious without proper qualification. It's ignoring the trade-offs that are obvious. It's not constructive.
You're the person complaining to the fire brigade because they made your house wet.
Really, your post is the kind of thing that must sit framed in every Internet Troll cave. Because that sure is everybody's favorite internet hobby: complain loudly about everything, offer no solutions, and then whine even harder when the authors that are working to make things better (sometimes for free) quit in disgust.
And the entitlement in the replies, you cannot be serious. Yes, you're all entitled to whine, I'm sorry, point out flaws, all day on the internet. Congrats.
He isn't saying there isn't a solution... he's saying that you don't have to offer a problem AND a solution at the same time.
He's right: There shouldn't be an "All or Nothing" mentality.
There are times and places where a problem shouldn't be mentioned without a solution...
There are also times and places where bringing up a problem is itself important enough to warrant a talk WITHOUT a solution.
Ignoring the fact that both extremes exist is a larger part of the problem in having any kind of constructive conversation these days. "If you don't agree with me 100%, you're an idiot, a troll and your mom should be shot" type of attitude is a troll in and of itself and a major problem blocking any kind of conversation on a multitude of topics.
Why can't the problem be discussed without forcing the conversation down the "this is the solution..." path?
It seems that the author's tone is not "whiny," but maybe that was my interpretation. He is raising a serious concern: tools that people think are keeping them safe/anonymous are actually not 100% anonymous. I think this is always important to consider. Most of us on HN are technical, and we are already aware of (even worse) privacy "violations" than those described in the article. Nonetheless, most people who use the internet are not aware of this and it will be important to keep the layman informed for his/her own sake and for the future of the net.
The problem is that this trade-off isn't properly explained or qualified in the original posts.
Do you think I'm doing the uninformed public a favor if I go around yelling:
"Vaccines frequently cause fever, pain around the injection site, and muscle aches. In rare cases, much more severe side effects can result from vaccination."?
I agree. The tradeoff was not properly explained or qualified.
<offtopic>
In regards to vaccinations, I think the uninformed public should be provided with all information possible, including scientific evidence of the utility of vaccination and potential, albeit rare, side-effects of vaccination.
</offtopic>
Deliberately depriving people of information is not ethical.
> Deliberately depriving people of information is not ethical.
Misleading people is unethical. Providing incomplete information is misleading.
80% of Americans say they want labels on food warning if they contain DNA[0]. Not because people fear DNA, but because when you ask, that signals that DNA is potentially bad. Actually providing such a label is also a signal that DNA is bad.
Labeling food with "Warning: contains DNA" is unethical because it misleads people into thinking that's bad.
Adding a label saying "DNA-free" is unethical because it's false, unless you're selling salt. (And probably also misleading: https://xkcd.com/641/ )
But failing to provide such a label? Not misleading, and not unethical.
If someone asks "does X phone home, does Y contain DNA", you should answer honestly, but you should probably also explain the pros/cons. Granted, unless you planted the idea in their heads, that's not your responsibility, but if you publish an article saying "Food X contains DNA!" or "Plugin Y phones home!" you _are_ responsible for the resulting fear, and should qualify the information with an honest evaluation of what that means.
Did you know that dihydrogen monoxide was responsible for at least 368,000 deaths[1] worldwide in 2013? In the USA it's the second leading cause of death for children under 12 years old. Surely you'd want to know if a product had dihydrogen monoxide in it.
I'd say you've hit the nail squarely on the head here.
As an (amusingly directly relevant to the side-discussion) example, in a college English course I took we had a group project and presentation in which we had to take a position on an issue. Despite it being dangerous territory, my group dove directly into the vaccine debate. After beginning our research (note that this was prior to the major cited paper(s) on the issue being retracted) we decided that we would work very carefully, within the guidelines of the project, to advocate that any and all possible links should be researched further. Technically this position was not a great fit for the directions we had been given, but we wanted to be very careful to say "this might be an issue and should be investigated in more detail" rather than "this is a problem and we fix it with [x]."
TL;DR: Taking the hard line is often a bad call, but calling for something to be looked into (with cause) is often wise. If you read the newsgroup post to the end, this is exactly what the author does, albeit with some important context to the issue omitted.
While true, that's more a problem of the person hearing the truth versus the person sharing the truth.
Since I can already see the objection to saying that, I don't necessarily think it's always fair to blame someone for hearing the truth and not comprehending it.
These addons are installed from the Mozilla addons website and Firefox can check automatically for addon updates.
Complaining that software is phoning home is perfectly legitimate. It should ask for consent and at a minimum tell users what information is gathered and for which purposes it is used.
Huh? How is that a non-denial denial? The question is "How do I know that's all you collect?" and the answer is "You can verify it yourself by examining the source code."
The Tracking Protection feature is available in Firefox 36, the current release channel version. It is not exposed in the preferences UI yet, but you can flip the "privacy.trackingprotection.enabled" about:config pref. To verify that Tracking Protection is working, visit cnn.com or nytimes.com and look for the shield icon in the address bar. On my laptop, cnn.com takes 18 seconds to load without tracking protection and 4 seconds with it. If you find a website that is broken by Tracking Protection, please file a bug on Bugzilla in the "Core :: DOM: Security" component. You can click the shield icon to disable Tracking Protection for individual websites.
Will Tracking Protection be enabled by default? I don't know. Mozilla must walk a narrow line between protecting user privacy and angering publishers such that they block Firefox users.
(I work for Mozilla, but not on the Tracking Protection project.)
>Mozilla must walk a narrow line between protecting user privacy and angering publishers such that they block Firefox users. //
Is there any precedent for that, it sounds impossible, that publishers would block one of the major browser brands like this; wouldn't it just mean people would use UA switchers?
The only reason FF wouldn't want to serve its users like this, that I can see, is so as not to annoy those they're in commercial relationships with like the company they forced the browser toolbar button on to everyone's Firefox to get sponsorship from.
> Is there any precedent for that, it sounds impossible, that publishers would block one of the major browser brands like this; wouldn't it just mean people would use UA switchers?
Some websites already detect ad blocker extensions and instruct users to disable them. If Firefox Tracking Protection was enabled by default, it's possible publishers might do the same for Firefox users. Another precedent, though different circumstances, was when OkCupid asked its Firefox users to switch to Chrome or IE to protest Brendan Eich's appointment to Mozilla CEO.
Probably less than 1% of Firefox users know what a User-Agent string is. The path of least resistance, and the one likely suggested by the content sites, would be to switch to Chrome or IE. Even if Firefox users changed their User-Agent strings, websites could still detect whether a user is using tracking protection or ad blockers (by requesting known-blocked URLs to see if they are blocked).
> The only reason FF wouldn't want to serve its users like this, that I can see, is so as not to annoy those they're in commercial relationships with like the company they forced the browser toolbar button on to everyone's Firefox to get sponsorship from.
>Some websites already detect ad blocker extensions and instruct users to disable them. //
Indeed but ad blocking and user tracking are different orders of need for the advertisers. Advertisers still want access to FF users even if they can't track them. Currently with browser fingerprinting "don't track" is probably just another high-value data point to make the fingerprinting more successful.
>Probably less than 1% of Firefox users know what a User-Agent string is. //
How many people who've watched a ripped DVD know about DVDCSS? Firefox could just go the IE route and spoof by default (alright they don't quite spoof, just jam everyone else's UA strings into their own). I see no reason that browser fingerprint spoofing (to coin a phrase) can't be as democratised as adblocking. How many adblock users know how it works?
>Which toolbar button is that?
"Hello" button that kept re-appearing had Telefonica's name with it; perhaps FF didn't view that as advertising but I imagine the market rate for "we'll put a button that links to your name in the browser of every Firefox user and when they remove it we'll put it right back" has got to be in the 10s of millions of USD.
> So what would the author prefer? That security sensitive software doesn't check for updates?
Considering that we normally use the OS's distribution channels (repositories for *nix, markets for windows/os x), it's completely useless for me that any software calls home to check for updates. My OS handles this already.
I am OK with people pointing out things that are/could be wrong without offering a solution. There are usually more solutions to a problem than we need, so why muddy the waters.