Mozilla's had quite the week. Well, quite the year. Well, quite the, uh, I dunno. It ain't what it used to be, that's for sure. Or is it?
If you search for "Firefox" or "Mozilla" on social media, you'll find no shortage of complaints about the organization (or corporation, or both) prioritizing the wrong thing, or making choices that are counter to the principles Mozilla is supposed to stand for.
Before diving into details, let me state the thesis plainly: Mozilla is pursuing its primary objective, which is the survival of Mozilla. Its mission statement is more than broad enough to accommodate that, and Firefox is not a real priority. The community should accept that and stop waiting for Mozilla to be the hero they deserve.
This is the first of two posts: first, a deep dive on the recent Terms of Use and Privacy Policy updates from Mozilla as a case study in their goals and objectives; and second, a review of Mozilla's behavior writ large.
The New Terms
Let's start with recent events. On February 26th, Mozilla announced a new agreement between Mozilla and Firefox users. For the first time, Firefox would come with Terms of Use in addition to the Privacy Policy, which also received updates.
It's not unusual to be loved by anyone for browsers to have Terms of Use. Here they are, for your own comparative study:
Among these, Firefox's new Terms are a little weird—maybe more than a little. In addition to shocking brevity, they include this passage:
You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.
Like all legalese, there is room for interpretation here. But it's notable just how much room this policy leaves. Specifically, the "When you upload or input information through Firefox" sentence. As written, that would seem to be everything sent via the browser. Why is this clause necessary?
The charitable reading of this language is something like: we need your permission to transmit data via HTTP. And indeed, that is essentially what the latest update on the announcement blog post suggests. It's a bit condescending, but the clarification goes:
UPDATE: We’ve seen a little confusion about the language regarding licenses, so we want to clear that up. We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn’t use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.
How is Mozilla (not Firefox, mind you) is using "information typed into Firefox" is a little unclear, beyond "basic functionality," which miraculously functioned before this language existed. While it's nice to hear that we're not giving ownership away, no kidding: that's not what a license is; a license comprises usage rights, not ownership rights. So how is the typed information used? Per this (non-binding, not part of the Terms) blog post update, nothing "other than what is described in the Privacy Notice."
Before we hop over to the Privacy Notice, I want to make this point very clear. The "You give Mozilla all rights necessary" clause extends the set of data in question beyond the Privacy Policy. We'll see how in a moment.
What does the Privacy Policy say about how our data is used?
The table is quite large, but the top row, "To provide you with the Firefox browser," seems useful for our purposes.
Note that the justification for this collection is "to provide you with the necessary functionality" for Firefox to operate. The links to the collected data provide more information. The Telemetry documentation enumerates the types of "pings" Firefox's telemetry collects. I'll let you explore these, but what is absent from the data collected is, like, keystrokes.
Interaction Data
You might be wondering about the definition of "Interaction data." In the Privacy Policy, it is defined as:
Click counts, impression data, attribution data, how many searches performed, time on page, ad and sponsored tile clicks.
Time on page and ad clicks huh? Okay, but at least they're being up front about it. They are in the ad business now, after all. But uh, click counts on what? Impressions of what? That's a bit vague for me.
There is yet another definition of "interaction data" that doesn't quite align with the above. Per Mozilla's support article:
Technical and interaction data is information about how Firefox functions on your device and how you use its features. This includes performance details like page load times, and memory usage, as well as insights into which Firefox features you interact with, such as bookmarks, tabs, or settings. Additionally, it collects general device information, including your operating system, browser version, and hardware specifications. Mozilla gathers this data to enhance Firefox while respecting your privacy.
This data doesn’t include information like your browsing history, search queries, or saved passwords.
It's not a keylogger. But that's still a good chunk of data.
But wait! There's even more telemetry! The telemetry docs above mention the "Glean" library, which is the newer telemetry framework. Actually kind of weird we're not sent there first. After a bit of searching in the telemetry docs, I found my way to the Glean Dictionary, which is the actual, factual reference for telemetry data. The Desktop Pings give us some idea of the "Interaction data" that will be tracked. After some review, I found nothing sensitive in this data.
Not satisfied with documentation, I suddenly remembered that I wrote a course on how to use web proxies, so I fired one up and watched Firefox do its thing for a few hours. The was the Fedora build of Firefox, with default telemetry and other settings.
The results? Pretty much just ads. I even tried to trigger a crash report with an ungracious termination (SIGKILL), and nothing.
Is this "core functionality?" I think it may be, insofar as it is opt-out, not opt-in. While Firefox allows you to disable telemetry collection, it's on by default, and therefore this language may be necessary (suddenly, since the features were present before) to operate telemetry collection without explicit consent.
That takes care of "including processing data as we describe in the Firefox Privacy Notice." But then we come to the end of the sentence:
as well as acting on your behalf to help you navigate the internet.
What does that even mean? Acting on my behalf? What does that mean that goes above and beyond what's described in the Privacy Policy? Is it just the submission of HTTP requests? Is there something else that Firefox does—or may do in the future—on my behalf?
To me, that's the question at the heart of this strange little paragraph. What can Firefox do on my behalf that I'm licensing my information to accomplish? What will it do?
But at this point we've moved from fact to speculation. Let's move back to facts for a moment. The claim that Mozilla "needs" this broad language is specious at best. Very few other browsers have similar language in their terms. I have found two that do: Chrome and Arc. In Chrome's case, the "worldwide, non-exclusive, royalty-free" license applies to all data sent to all Google services. But check it out—the intentions are made clear.
This may be particularly necessary since the Terms are for all Google services. Nevertheless, the explication is appreciated. As you go through these other agreements, Mozilla's Terms for Firefox seem more and more slapdash. Arc's license clause is a great example.
In order to display your User Content on the Services, and to allow other users to enjoy it (where applicable), you grant us certain rights in the User Content (see below for more information). Please note that all of the following licenses are subject to our Privacy Policy to the extent they relate to User Content that is also your personally-identifiable information.
For all User Content, you hereby grant Browser a license to translate, modify (for technical purposes, for example, making sure your content is viewable on a mobile device as well as a computer) and reproduce and otherwise act with respect to such User Content, in each case to enable us to operate the Services, as described in more detail below. This is a license only – your ownership in User Content is not affected.
It goes on for quite a while like that, service-by-service, until:
You agree that the licenses you grant are royalty-free, perpetual, sublicensable, irrevocable, and worldwide, provided that when you delete your Browser account, we will stop displaying your User Content (other than Public User Content, which may remain fully available) to other users (if applicable), but you understand and agree that it may not be possible to completely delete that content from The Browser Company's records, and that your User Content may remain viewable elsewhere to the extent that they were copied or stored by other users.
Verbose? You betcha. But also explicit, and that's the point. The clarity of a contract's language protects both parties.
Even so, the majority of browsers have not felt the need to include this language. I'm going to halfway-include Chrome in this, because those Terms refer to all of Google's services at once. But I did notice that Facebook, X, and Instagram all have this language in their Terms. And given what they do with your data, I'm hardly surprised. But is that the company Firefox needs to keep?
The Context
Let's bring it back to Mozilla's new Terms for Firefox. They come within a week of a massive restructuring at Mozilla, in which CEO Mitchell Baker exits, and a new leadership council is appointed. From the announcement blog post:
We’ve recognized that Mozilla faces major headwinds in terms of both financial growth and mission impact. While Firefox remains the core of what we do, we also need to take steps to diversify: investing in privacy-respecting advertising to grow new revenue in the near term; developing trustworthy, open source AI to ensure technical and product relevance in the mid term; and creating online fundraising campaigns that will draw a bigger circle of supporters over the long run. Mozilla’s impact and survival depend on us simultaneously strengthening Firefox AND finding new sources of revenue AND manifesting our mission in fresh ways. That is why we’re working hard on all of these fronts.
Two mentions of Firefox—and the last, for the rest of the announcement, including announcing new chairs for the Mozilla Foundation, Corporation, and Mozilla.ai. Indeed, where the announcement ends may be more telling than where it began:
Mozilla is entering a new chapter—one where we need to both defend what is good about the web and steer the technology and business models of the AI era in a better direction.
Just as that weird paragraph in Firefox's new Terms is oddly expansive, so too is this mission statement. In a way, it puts Firefox to one side as Moz focuses on advertising and AI—you know, where the money is.
In this context, let's reexamine the question: what is Firefox doing on my behalf? What will it do on my behalf? Just like with telemetry, the chatbot sidebar, and "privacy-preserving ads," we should expect features that "help you navigate the internet" to be opt-in. We don't know what they'll be, if anything. First, we'd need to see substantial new features in Firefox at all.
So, is this Mozilla "going evil?" Nah, prolly not. But it is at best clumsy, and a poor showing if they want me to believe they care about Firefox, rather than the data it can provide. As for the latter, I believe a healthy skepticism and constant vigilance is warranted when it comes to Firefox and Mozilla.
That's it for Part 1. In Part 2, we'll talk about how Mozilla has changed over the years, and how the community that relied on what it was needs to accept Mozilla for what it is today.