The Malware You Installed, Part 2

In the previous post I said I wanted to talk about Firefox specifically. This is essentially just because Firefox is the browser I use on a day-to-day basis, and is therefore the browser whose issues I'm most familiar with. The point of this post is not "Firefox is awful, you should use Google Chrome or Safari"; I have no reason to believe that Safari is any better than Firefox, and I have good reason to believe that Google Chrome is far WORSE than Firefox.

I just have to get that disclaimer out of the way; the point of this post is not just "Firefox is awful". So without further ado...

Firefox is awful

Firefox. The chosen browser of the open source fanatic. Unlike Safari and Google Chrome, which are both proprietary, Firefox is fully open source (mostly, there are some issues with Mozilla's trademark license, which forbids redistribution of anything with Mozilla or Firefox's name on it, but the code itself is open at least. Also, yes, I know that Chromium is "open source", but I don't really consider it to be a truly open source project; that's maybe a subject for a third post though, if I end up writing one). The unfortunate reality though is that Mozilla is still a for-profit company, and it seems that like many other for-profit companies, they've developed a real taste for telemetry.

I could go on and on about the negative impacts of telemetry, and how it's deceptive and borderline criminal, but you've likely read that a dozen times before. Instead, I think it would be more fun to do something much simpler: Here is a straightforward list of just some of the telemetry mechanisms present in Firefox, all of which are enabled by default, and all but one of which cannot be disabled without using about:config.

(Some of these might be inaccurate, and there are likely some issues missing from this list. This is just off the top of my head, collected from a variety of Firefox configurations distributed within the community. Mozilla's documentation has proven completely useless in providing a better source, so I only really have "word of mouth" and "guessing based on option names" to work with.)

Again I stress, none of these options (except one) can be controlled via the UI, meaning that the user needs to be tech savvy enough to know that 1) these telemetry mechanisms exist, 2) they can be disabled in about:config, 3) how to disable them in about:config. This process is made even more complicated by the fact that many of these are not documented by Mozilla at all, and so users are forced to rely on other members of the community to find new tracking mechanisms whenever they're added (which is very frequently, as Mozilla seems to like adding a new telemetry mechanism just as soon as everyone's figured out how to disable the previous one) and publishing that widely enough that people can actually find out about it.
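
An added example, not from the original post: the Python below reads a profile's prefs.js and user.js, applies user.js on top as Firefox does at startup, and lists preferences whose names look telemetry-related and are still switched on. The keyword list and the sample file contents are constructed assumptions, and a preference absent from both files stays at its built-in default, which this check cannot see.

```python
import re

# One pref line, e.g.: user_pref("toolkit.telemetry.enabled", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Assumption: name fragments used to guess that a pref is telemetry-related.
KEYWORDS = ("telemetry", "datareporting", "studies")

def parse_prefs(text):
    """Parse user_pref() lines into {name: bool | int | str}; skip the rest."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unrecognised
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs

def effective_prefs(prefs_js, user_js):
    """user.js is applied after prefs.js, so its values win."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged

def audit(prefs_js, user_js, keywords=KEYWORDS):
    """Return keyword-matching prefs whose effective value is not off."""
    return {name: value
            for name, value in effective_prefs(prefs_js, user_js).items()
            if any(k in name.lower() for k in keywords)
            and value not in (False, 0, "")}

# Constructed sample files (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("app.shield.optoutstudies.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
user_pref("datareporting.healthreport.uploadEnabled", true);
user_pref("toolkit.telemetry.enabled", true);
'''
SAMPLE_USER_JS = '''user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
'''

if __name__ == "__main__":
    for name, value in sorted(audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items()):
        print(f"still on: {name} = {value!r}")
```

Matching on names is a crude heuristic: it misses preferences with unrelated names and cannot tell what a preference actually does.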

To a relatively tech savvy person who isn't afraid of burying their hands in software internals, disabling telemetry and intentional backdoors is a frustrating and lengthy process. To a "normal" end user, it's impossible. There's nothing to even indicate to a normal user that all these "features" exist and are enabled by default, and even if they were aware, the average person certainly doesn't have the skills to disable them all.

The sheer number of telemetry mechanisms, the almost total lack of documentation, the way they're hidden from the user in an advanced settings menu (with over four thousand options! Seriously!), and the way various options override other options in ways which aren't immediately clear and always result in telemetry data being sent unintentionally...

It leads me to only one conclusion: That this is intentional behaviour. Either the developers at Mozilla are truly and completely incompetent at even basic software development, which I doubt given the complexity of the browser, or they've designed the software to be intentionally obtuse in an attempt to make it as difficult as possible for users to avoid having their data collected, without requiring them to take the PR hit of forcing telemetry to be used.

To some extent it makes total sense: the only audience who Firefox has grabbed the unwavering attention of is the open source community, which tends to care a lot more about things like telemetry and intentional backdoors and predatory software development than other groups. Whereas Google can load as much telemetry into Google Chrome as it wants without needing to worry about the PR backlash, any serious confrontation about Firefox's telemetry would be enough to singlehandedly sink Mozilla's entire business. Of course they would want to develop a system wherein they can use massive amounts of telemetry while simultaneously absolving themselves of any responsibility for it by saying "Hey, you can turn it off! You just have to spend four hours searching 15-year-old bug reports!".

So. What do we call a program which collects massive amounts of user data without consent, has multiple intentional backdoors which can be used to install additional code, and actively tries to hide this information from the user? Malware. It's called malware.

Sure, Firefox isn't going to encrypt all your files and demand a ransom, nor will it email itself to all your friends to create a botnet (although it's honestly not far from it), but it is nevertheless still malware. It's a program which seeks to steal user data without knowledge or consent, under the guise of providing a free service. That's, like, the textbook definition of a Trojan. If Firefox isn't malware, then "Free AntiVirus 2023 PRO™ Trial for Windows Mac" isn't either. To qualify as normal, not-malware software, it needs to be doing the things that the user wants it to do, instead of trying to hide things the user doesn't want it to do.

But wait, there's more!

The worst part is that this isn't even the end of Firefox's many problems. Like all browsers, Firefox is rife with unintended bugs and poorly thought out "features" which have resulted in an endless stream of security vulnerabilities and privacy violations. In a shocking turn of events, it seems that endlessly and rapidly adding new features to a program without any real thought of its impacts or implementation has rather extreme effects on the quality of said software. It is widely considered to be IMPOSSIBLE to create a new web engine, as they've grown so unfathomably complex that implementing even a tiny fraction of modern web specifications would be a Herculean task, and that's not even mentioning all the non-standard features.

By far the largest issue with web browsers though isn't the browser itself, but rather, the websites, which are almost always laden with trackers and other malware, making browsing a nightmare for regular users, and borderline impossible for those with certain disabilities (want to try using a webapp with a screen reader? Good luck). Websites are the pinnacle of the "vendor agent", turning browsers into software that works for the servers and tracking companies whose content you're viewing, rather than acting on behalf of the user.

In fact, the vast majority of websites use non-consensual trackers which are actually ILLEGAL in various countries (Google Analytics has been deemed unlawful in several European countries, with more cases ongoing). Those annoying cookie consent popups that you've had to cope with ever since the GDPR was passed? Yup, they're usually (and ironically) not even legal according to the very legislation that they were purported to comply with. In fact, according to various reports done by EU regulators, over 90% of cookie consent forms do not comply with the GDPR and are therefore considered illegal.

Now what?

So, if browsers suck, then what? What are we supposed to use instead? Well... that's a tough issue. The reality is that there is no viable competitor to the web as of yet. There have been past attempts (like Gopher, which fell out of favour due to some major shortcomings compared to the web), and some current attempts (like Gemini, which is an excellent concept, but whose future is entirely dependent on whether the community embraces its intended simplicity or merely turns it into a second web by adding CGI to everything), but ultimately the issue that any competitor to the web will inevitably face is, of course, content. There's nothing in the world that has all of your favourite websites, except for the web, and that isn't going to change any time soon.

There's still plenty you can do though.

As an end-user, you can try your best to avoid the web when given the opportunity. Use native applications rather than webapps. Store data on your own computer rather than relying on cloud storage. Install security-enhancing extensions such as uBlock Origin, and use more secure browser settings when possible (although if you're using Firefox, that's harder than it sounds, as previously mentioned...). Use plain text in your emails, rather than HTML.

As a content creator, publish your content via non-web sources when possible. For example, if you're a blogger who writes text posts, instead of just having a webpage with all your posts on it, consider checking if the hosting provider you use supports serving your posts via an RSS feed, or even an email newsletter (but please god use plain text). Also consider using alternatives to the web such as Gopher or Gemini, and if you distribute things like documents or (short) videos, prefer sending plain files that can be opened with a native application, rather than requiring the use of a webapp like Google Docs to view.

As a developer, you have pretty much the same options, just more of them. Support alternative services like Gopher or Gemini. If there's some webapp that you use on a regular basis, which doesn't have a native alternative, consider writing and publishing your own. You should be familiar with this concept as a software developer, it's nothing new; always seek to make improvements on the tools you work with.

Personally, I work almost exclusively with non-web-related software. I don't host my code on proprietary web services like GitHub, and all of the software I write runs as native applications, not webapps. This site internally uses Gemtext rather than HTML, and the server you're (maybe) reading this from right now uses a CGI program I wrote to convert Gemtext to HTML on the fly; you can access almost the entire site via a Gemini client, and this feed can also be read via an RSS feed. I also run an IRC server, which quickly replaced Discord as my go-to chat service, due to it being simple, robust, and native. Several years ago I deleted my Google account, and I haven't missed it even once.

These are the sorts of things you can try to do. Don't try to stop the moving train that is the web, because you can't. Instead, try to make little changes that improve your own quality of life. Avoiding the total reliance on the web that most people suffer from is 90% of the way to escaping it altogether.

Welp, this post is long enough. I could go on about the details of why the web is so awful, but then we'd be here all day (literally, I have spent entire days talking about this on IRC). If you'd like a fresher voice on the subject, the following article is a great read.

The reckless, infinite scope of web browsers - Drew DeVault

That's it for now though. In the past week I've started work on a Firefox configuration that aims to both eliminate tracking as well as provide slightly better documentation of Firefox's 4000+ options, plus cleaning up about:config to make it more readable (and usable). Going into this week though, my focus is mostly returning to Gamma Hollow. After this brief one-week hiatus, I'm certainly ready to get a lot more work done on that project.

Until next time!