I wrote:
While I can understand that this was not handled well in terms of public relations, I think it's mostly a manufactured outrage (an excuse to be righteously indignant over something relatively minor) for those who don't look at the issue in terms of software freedom.

https://blog.mozilla.org/firefox/update-looking-glass-add/ has Mozilla's response to the issue I think is the topic of this subthread -- the Looking Glass add-on.

In that post, Mozilla says that the user has to:

1. Enable the Looking Glass add-on.
2. Visit a website which will use the Looking Glass add-on.

in order for this add-on to do anything that reveals user data:

Quoting Mozilla's blog post above:
> Fans of the show enabled this game in Firefox by turning on the “Looking
> Glass” add-on effect via preferences setting. When enabled, and the user
> navigated to Mr. Robot’s ARG page, a clue necessary to advance the
> puzzle would be revealed.  When enabled, the add-on would also invert
> text from a list of words related to the show's themes, throughout the
> web for a few seconds.
>
> Instead of giving users the choice to install this add-on, we initially
> pushed an update to Firefox that installed the “Looking Glass” add-on
> for English speaking users. This add-on was installed and set to ‘OFF’
> and made no changes in the user experience unless it was explicitly
> turned on by a user, but it was added. Even when turned on no user data
> was collected or shared.

One might wonder how this situation with Looking Glass is significantly different from other users who see some feature that allegedly requires the user do something to activate it before it has any potential to do something bad. For instance, users who post anywhere on behalf of some nonfree software insecurity and point out something like "things aren't so bad because the user has to do X, Y, and Z before that insecurity will do anything against the interests of that user".

Here's how Mozilla's Looking Glass feature is different: software freedom.

The Looking Glass add-on is, as far as I know, free software. Therefore in the Looking Glass case we can inspect the add-on's source code to see how it actually behaves and compare that with Mozilla's description. We can inspect Firefox's source code and compare that to Mozilla's description. We thus have what we need to reach a defensible conclusion based on what the relevant code actually does.

In any case involving nonfree software, users can only guess what causes an insecurity to manifest, or how the system will divulge sensitive data, or open a backdoor to the system, or whatever else malware can do. Making such guesses (regardless of the degree of testing) is indistinguishable from making excuses for proprietors based on one's ignorance of what triggers the malware; in other words, carrying a proprietor's water. Testing (no matter how thorough) is never complete without code analysis because for all anyone knows there are factors to trigger the malware that went untested (or are no longer testable).

So even though Mozilla apparently won't champion this on the basis of software freedom (they are an "open source" organization and as such won't champion software freedom for its own sake or the underlying ethics behind the free software movement), so long as Mozilla is distributing free software to its users this is true: software freedom is the critical difference between making excuses for proprietors when those proprietors release untrustable software, and a free software developer releasing software users are free to run, inspect, share, and modify.
