Mozilla has better lawyers than PR

Two days ago, Mozilla introduced new terms of use and an updated privacy notice for Firefox.
This is the reaction. What the general public took out of the new terms is, well, we should probably switch to another browser.

I spent yesterday reading tweets and private messages all saying something to the tune of: goodbye Firefox!

But is there any truth to this? Well, let's dive in.
Firstly, the facts. Mozilla announced a new set of Terms of Use, which we had not had before, and an updated Privacy Notice. Let's start with the former.

The controversial paragraph is the following, and I'm going to read it in its entirety:
You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.

There are a few other problematic sections. A few paragraphs below, Mozilla warns that they can now "suspend or end anyone's access to Firefox at any time for any reason", though I'd love to see them try.

Finally, your use of Firefox now must follow a newly-created "Acceptable Use Policy". It includes bans on most illegal activities (pirating, theft, violating copyrights, violating any person's privacy, harming children, and more).

However, you also cannot "Upload, download, transmit, display, or grant access to content that includes graphic depictions of sexuality or violence", i.e., you are no longer allowed to watch, upload, or distribute pornography or anything that depicts violence.

The rest of the Terms of Use is what you would expect: a few indemnification clauses, software is provided as is, yadda yadda.

Now, onto the Privacy Policy. This document is quite detailed and - I believe - understandable.
Firstly, there's a list of all data collected to make the Firefox browser work. This includes the browser settings, the password manager, customization options, and such. Your browser history is also kept locally (e.g., for autocompletion purposes), as well as web form data (so you don't have to re-write everything if the browser closes), and so on.

There are a few advertisement clauses. If you search for location-related keywords and you have Sponsored Suggestions turned on, then you will be served advertisements related to that keyword, though they'll never link it directly to you as an individual. Firefox New Tab might also show advertising, and some technical and interaction data (how you interact with the ad) is collected and shared with partners on a de-identified or aggregated basis.

There are also a few sections regarding the data that you might want to share with Mozilla to help them improve their browser, such as how fast pages load for you and how many ads you see – all of this is, again, de-identified or aggregated (and you can opt out).

Nothing else catches my eye, though you might want to go check the webpage yourself.
Finally, Mozilla also updated its FAQ page to remove all mentions of Firefox not selling your data. Everywhere this used to be mentioned, it no longer is.

Even worse, the entire question "Does Firefox sell your data?" (to which the answer was, "no obv") was also removed.

I believe that's all. Of course, this paints a very bleak picture for Mozilla; some of us are left wondering why all of these changes are taking place, while others don't care and are jumping ship already.
So, let's play a game. Let's try to build the best possible defense for Mozilla and see if it's solid. If it's not, that's a pretty big issue. Let's start with the "nonexclusive, royalty-free, worldwide license" to your data. According to Mozilla,
We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn’t use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.

Brodie here dutifully points out that, no, the TOS does not give them ownership of your data, but it does grant them a license to it. However, this does not change the fact that they're still bound to their Privacy Notice, which did not allow for data usage aside from, well, operating the browser.
Indeed, I'd like to stress that the license is "to use that information to help you navigate, experience and interact with online content as you indicate with your use of Firefox".

The CEO of Epic Games and creator of Unreal Engine, Tim Sweeney, similarly defends Mozilla on this specific point:
The license says that when you type stuff, the program can use the stuff you typed to do the thing you asked it to do. This is what programs ordinarily do, but nowadays lawyers tend to advise companies to say it explicitly.

I don't hold particular sympathy towards him, but I believe he knows more than me about what the lawyers are up to these days.
Many claimed that other browsers work just fine without this legal wording, but that's simply false.
Google grants itself a worldwide, non-exclusive, royalty-free license to "host, reproduce, distribute, communicate, and use your content" and "modify and create derivative works" for the "limited purpose" of "operating and improving the services".

The same applies to Edge: Microsoft grants itself a "worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services".

Outliers here are Safari, Brave, and Opera, which do not seem to currently have this mentioned.
Other software has similar sentences, though; as an example, you're also giving Microsoft a full license to everything you write with Word, if you use that kind of software.

Let's assume that's why the sentence was there. But why ban pornography?
The key here is that the Acceptable Use Policy starts with: "You may not use any of Mozilla’s services to".

In the Terms of Service, the word "services" is defined as: Mozilla VPN, Firefox Relay, Firefox Monitor, Firefox Note, Firefox Sync and Pocket. This does not seem to include Firefox.

Thus, what the Acceptable Use Policy is likely asking you to do is avoid anything illegal (or pornographic) when using their VPN, and maybe when saving articles to Pocket.
Out of curiosity, I checked whether NordVPN, one of the most well-known VPN companies, also has such terms. They do, disallowing any illegal content, but also "threatening, stalking, harming or harassing others, or promoting bigotry or discrimination".

So maybe this can be clarified as a VPN-type of thing that does not apply to Firefox, since it's not a service. But this still does not explain why on earth they would remove the "we won't sell your data" statement from their FAQ page.
Well, Mozilla did some damage control by adding a new question, phrased as "It seems like every company on the web is buying and selling my data. You’re probably no different.".

This is not a question, but the answer is nonetheless very interesting:
Mozilla doesn’t sell data about you (in the way that most people think about “selling data”), and we don’t buy data about you. Since we strive for transparency, and the LEGAL definition of “sale of data” is extremely broad in some places, we’ve had to step back from making the definitive statements you know and love.

A few people here are speculating that the deal with Google might be at fault: since Mozilla receives money to use Google out of the box, which in turn collects your data, that might be considered "selling your data" in some jurisdictions.

That concludes the best defense of Mozilla I could put up. I would classify it as decent but not particularly compelling.
A criticism I would like to immediately bring up, regardless of whether Mozilla is correct or not, is just how badly all of this was communicated. I'm not sure if they tried to hide these changes - like removing the "we won't sell your data" question - in the hope we wouldn't notice. Because if you knew we were going to notice, why wouldn't you immediately have an explanation ready to go? Why wait to explain yourself?
And, even if I'm right in the distinction between services and the Firefox product, meaning I'm still allowed to watch porn… why is it so badly worded? The terms of service specifically talk about Firefox, and then there's a link to this list. Anyone would assume that it applies to what you do with the browser. Why not write more clearly?
However, there are more direct flaws in my argument, too.
Firstly, many users are pointing out that if I download the Firefox browser (and I operate it), therefore not necessarily using any of Mozilla's services, I shouldn't need an agreement with Mozilla at all; why would I then license them my data?

This might have some explanation, such as Firefox using Mozilla's DNS, but it's getting far enough into legalese speculation that I don't feel confident weighing in.

Ultimately, everything relies on the Privacy Policy, as it's all as solid as that document is. Is it solid? Please tell me it's solid.
Let's start with data that Mozilla shares with "partners, service providers, suppliers and contractors". If they "sell your information", it's to them.

These partners, according to the webpage, are their search partners, such as Google, advertising partners, and a few related to Mozilla services you don't have to use (such as AI chatbots).

To provide search functionality and advertising, the following types of data are collected: technical data, location, language preference, settings data, unique identifiers, system performance data, interaction data, and search data.

Technical data is defined to be only about the hardware you are accessing the service from, the device type, operating system, IP address, and ISP.

The location only refers to your country code or city, and it does not include your precise location.

Interaction data only refers to how you engage with their services ("how many tabs you have open or what you've clicked on, click counts, impression data, attribution data, number of searches performed, time on page, ad click").

Search data is what you search for.

This should be everything that Mozilla can share with partners, and according to them, it only does so in a de-identified or aggregated way.
Then, there are authorities, such as governments. If there's a valid legal process ongoing, Mozilla might have to disclose personal data to that government in response to a Notice to law enforcement.

What kind of data? Any.

Examples of legal processes that would make Mozilla share personal data are Emergency Requests, Court Orders, National Security Requests, Pen Register Orders, Search Warrants, Subpoenas, and Wiretap Orders.

Of course, this is not exactly a great look, but I don't think Mozilla could've done anything differently here. The safety net does not come from relying on the fact that Mozilla won't share your data with governments if asked, but rather from the fact that you don't need to use Mozilla services in the first place, so that your data is kept on-device and secure, plus you can build Firefox yourself so that you can trust it fully.
So, to recap: to the best of my knowledge, no, Firefox/Mozilla cannot use your data however they want, and I still consider it to be a very privacy-aware option. You also can still watch pornography - I think - just not when using their VPN. And they still don't sell your data; they just have the Google agreement they've always had. I don't think there's a reason to panic.
But there's a reason to worry. What a mess: this felt like a very rushed move. I want to give the benefit of the doubt that they asked for a legal review of their previous documents, and the legal team replied with: Hey, change all of this immediately, because we've discovered flaws that might get us in court now that we're aware of them.
Because if not, if they had time to prepare this announcement and think it through… what are they doing!?