An Update on Mozilla's Terms of Use for Firefox
60 comments
·February 28, 2025move-on-by
hysan
This pretty much confirms that this is what everyone thought the change was about. So we get clarity, but no actual change in course from Mozilla. Good. We now know very clearly where Mozilla and Firefox stand on privacy.
wesapien
If one opted out of all the possible data collection and privacy related options, are they still able to collect your data? If yes, how does it work? Is this called client-side scanning?
KennyBlanken
Yup. This is almost a year exactly after they announced a "pivot" to "privacy."
At least the most useless, overpaid person in SV is finally gone and no longer collecting her $7M salary.
Not like money has ever been a problem at Mozilla - they're sitting on over $1.5B in assets, $500M or so in cash alone. That's despite a plunging market share...
ants_everywhere
Mozilla is continuing to dig its own grave
tomxor
If they would simply tell us what part of Firefox is affected by the CCPA's definition of "selling user data", there would be no room for misinterpretation and this would be over.
If it's as innocent as "Firefox has to send HTTP packets to arbitrary web servers to achieve the fundamental function of loading a page" and that web server is considered 3rd party by CCPA, then everyone would understand... this is either poor communication or they are hiding something else (which everyone should rightly assume in this day and age).
Just tell us already Mozilla!
alabastervlog
> in exchange for “monetary” or “other valuable consideration.”
JFC, it's funny they try to call this out as some kind of a "weird" definition when that's just... what selling is.
WD-42
I actually laughed out loud at this. “We can’t say we don’t sell your data because some places have definitions of “sell” that are legally difficult to interpret, for example”:
<completely unambiguous definition of selling follows>
null
drivingmenuts
That was in California. Presumably, it's worded somewhat differently, and with different intent, elsewhere.
50 states, plus Federal laws, and all the other countries of the world and internal jurisdictions is how many possible variations? And before you say "Yeah, but they all mean mostly the same thing", remember it's lawyers we're dealing with, who will happily charge large sums of money arguing over misplaced punctuation and legislators who will happily take bribes from those same lawyers.
hedora
Usually, when I point out that Google sells your data and there’s no possible way to actually opt out, someone replies to say that’s not true, then defines “sell” in some way that most people would disagree with.
wwweston
Yeah, "Calm down everyone, the only issue here is that certain jurisdictions have sensible definitions that mean we can't legally claim we're not selling data because we are" is arguably clarifying but it's not particularly comforting.
Seems safest to assume that if it can be tracked, it will be. And traded too.
85g5gh85g
If they intended to clarify wording, they would have added something in place of their original wording instead of deleting it entirely. Legal team isn't slipping like that.
null
comex
> Whenever we share data with our partners, we put a lot of work into making sure that the data that we share is stripped of potentially identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like OHTTP).
But if the data was fully stripped of potentially identifying information, then it should not count as "personal information" under the California Consumer Privacy Act, therefore it should not trigger the "sale of personal information" requirement, regardless of how it's transmitted or what kind of compensation is involved.
The CCPA defines "personal information" as follows:
> “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
(It also includes a list of examples [1], but the examples are conditional on the same "linked, directly or indirectly, with a particular consumer or household" requirement.)
So, which is it? Is the data deidentified or is it not?
Is Mozilla just trying to reduce risk in case someone argues their deidentification isn't good enough? If so, I'd call that a cowardly move.
[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
amanaplanacanal
I dunno, if legal recommends wording for your TOS you should probably listen to them.
rendaw
Yes, so you claim you can do whatever you want with everything you can get your hands on and then social media blows up because it's batshit insane, but don't worry because you're _legally in the clear_.
You're acting like they didn't have the 2nd option of just not selling the data so the current wording is accurate...
winwang
Then comes the question: would it also obviously expand their domain of allowable actions to trespass on their users?
Since that is a resounding "yes" and they also have the extremely obvious finance incentive to do so...
ranger_danger
How about don't send ANYONE's personal information, anonymized or not, to anyone including themselves? I think that's what people want. But that will never happen because you can't make money from it.
tomrod
Nor should you make money from data transfer.
Tax this, and give the tax back as reverse income tax to individuals.
ants_everywhere
It may be relevant that Mozilla recently acquired a Meta-created ad tracking company and is now awash with Meta ad execs. [0]
It may also be relevant that Meta is recently upsetting people in Europe for tracking and targeting people in spite of Europe's data protection rules [1].
My guess (and this is just speculation at this point) is that Meta and Mozilla think they're being clever and getting away with some "private" ad tracking and are underestimating how much damage they're doing to Mozilla's reputation.
I doubt the Anonym tech has been built into Firefox yet, but it's clear that the corporate strategic direction is to bet on some concept of "acceptable ads" like Google did in the 90s.
[0] https://www.adexchanger.com/privacy/mozilla-acquires-anonym-...
[1] https://www.reuters.com/technology/digital-rights-activists-...
nerdponx
[delayed]
JumpCrisscross
Facebook is sort of tech’s Enron / McDonnell Douglas.
teshaq
While I agree with folks that this is a step backwards in privacy, I think it’s a good exercise to zoom out and understand Firefox’s position.
The browser market is highly competitive, and Mozilla’s competitors have orders of magnitude more resources at their disposal. As we all know Firefox’s market share has been dropping over the past years and unfortunately the revenue supporting all of Mozilla comes predominantly from their Google deal (which itself has been risked by the ongoing case against Google)
Unfortunately as well - unfortunate for Mozilla, but fortunate for its mission and users :) - the Mozilla corporation is wholly owned by the foundation, so there is no easy way to raise funds (donations amount to so little compared to its Google revenue). Given no access to traditional fundraising, Mozilla has limited options on sustaining its business.
All this is to say, Mozilla seems to be trying to diversify its revenue hard, and its previous on-brand attempts (Firefox OS, VPN, etc) haven’t yielded the return they expected from them, so I’m not surprised Mozilla is trying to make money off of ads and selling data. I disable data collection, though if it came to it, I trust Mozilla a tad bit more than its competitors to protect my data - initiatives like ohttp give me a sign that at least they’re trying
kstrauser
It doesn’t help that they make it hard to donate to a specific product’s development. I’d donate to Firefox. I wouldn’t give a penny to anything of their other distractions.
(And others would support exactly the opposite, I’m sure. But no one gets to sponsor what they personally care about.)
ndriscoll
Mozilla were pulling in ~$500M/year on those search deals. So on year one, spend $15M on a team of 20+ highly competent full time developers for Firefox, put $450M into a trust to fund future development, and find something to waste $35M on. Then for the next 15 years, find something to waste $500M on.
The amount of money they've squandered is mind-boggling. If their goal had been to develop Firefox/Thunderbird/Mozilla Suite, and they had focused on how to sustainably do that, they never would've needed to diversify income sources.
NullPrefix
>spend $15M on a team of 20+ highly competent full time developers
Implies that the browser is the mission, not some social cause is the mission
tofof
While this is confirming that Mozilla is already outright selling data, it at least DOES provide clarity on the issues around the acceptible use policy.
That language had been so broad that it forbade most use of the browser. For example, "send unsolicited communications" so no filing a bug report. "Deceive, mislead" so no playing Among Us. "Sell, purchase, or advertise illegal or controlled products or services" so no online refils of your antimigraine medication lasmiditan or your epilepsy medication (pregabalin) which are schedule V. "Collect or harvest personally identifiable information without permission. This includes, but is not limited to, account names and email addresses" so no browsing any forum where a username is displayed to you. And of course "access to content that includes graphic depictions of sexuality or violence" that rules out watching the nightly news, stream PG-13 and R movies, to watch classic Looney Tunes cartoons, to play Fortnight, and on and on.
Shank
> It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox.
I really struggle to understand what legal team believes this language is necessary in downloaded software. There is a lot of precedent for this kind of language in online hosted services, but not downloaded software.
> This does not give Mozilla any ownership in that content.
Yes, it’s a license. Nothing changes. There is no ambiguity about ownership in a perpetual nonexclusive worldwide license, but this doesn’t explain why this license is suddenly necessary now and wasn’t before.
Clearly the legal team at Mozilla is struggling with multiple issues in this update. Why are these changes being made now, and what is driving them?
Others have discussed the data sale issue, but I don’t see a reasonable explanation for the license issue, and the changing text doesn’t inspire confidence.
MatthiasPortzel
> I really struggle to understand what legal team believes this language is necessary in downloaded software.
Exactly. Even if nothing is changing at Mozilla, their legal team has invented a new interpretation of copyright law. That’s a huge deal from a legal perspective—Apple, Google, Microsoft, etc need to be rushing to add corresponding terms to their applications.
Mozilla PR is dropping the ball completely by trying to sweep this under the rug as ‘standard legal boilerplate’ because it’s not a clause in any other application I’ve ever seen.
Since I use FireFox at work, I don’t even have permission to give Mozilla a license to the content I create on the clock, so I will be switching browsers.
nativeit
Not for nothing, it is standard legal boilerplate. I just checked two randomly selected terms of service--one for ReadAI, the other for Google--and they both include a very similar clause with those exact parameters.
That said, I'm not suggesting Mozilla isn't also being wildly hypocritical in their behavior, and hamfisted in their PR.
gtirloni
You can't download Google.
eipi10_hn
> not downloaded software
Tbf, any softwares that send your input to an external (like browsers...) should disclose like this too. The thing that sends those data is your software, not you. Otherwise, after you click on the button "Purchase" with your credit card information, the only way to not grant your software the rights to send that information is you driving to the stores and give them your credit card by yourself.
plipt
Is Google paying Mozilla to sabotage themselves?
Stay in business, so monopoly arguments can be brushed aside.
But slowly erode privacy on the internet. And slowly lose user base.
boomboomsubban
They just lost a monopoly case because they paid Mozilla all that money, this theory has always made little sense and sticking to it now makes even less.
EMIRELADERO
In fact, one could argue that Google losing its case is what caused this. Google provided a substantial amount of revenue to Mozilla. With that now gone, new ways(TM) to get money are needed.
asddubs
they also couldn't have timed this better with the manifestv3 thing
null
koolala
How do you turn off getting your search history sold? You can turn off seeing the suggestions. Can you request they don't sell it though? The company they sell your search profile to could then sell that to someone else.
techjamie
I use Firefox Nightly on Android, and originally had location sharing on for the handful of websites where I'm fine with sharing it. But today, my phone notified me that Nightly updated what it does with location data on the play store to include using location for marketing or advertising purposes.
Changed it to ask every time instantly, and I'm not going to be giving Mozilla nearly as much trust ever again.
vitehozonage
>there are a number of places where we collect and share some data with our partners, including our optional ads on New Tab and providing sponsored suggestions in the search bar
Mozilla should commit to stop doing anything like that. Then we can have a nice clear Terms of Use that promises to not sell data. I think that would alleviate community concerns.
hajile
In what countries is this FAQ (removed in their PR) not seen as a legally-binding contract with all current Firefox users? It seems like a very clear contractual obligation in the US.
{
"@type": "Question",
"name": "Does Firefox sell your personal data?", 1
"acceptedAnswer": {
"@type": "Answer",
"text": "Nope. Never have, never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. That’s a promise. " 9+
}
},mod50ack
Contracts in the US require consideration. A promise made in exchange for nothing is not a contract because there's no consideration.
hajile
That contract is made in exchange for your willingness to use their product and your willingness to use Mozilla is what gets them big contracts from companies like Google.
betaby
Time to move on. Mozilla lost latest pieces of relevancy. Apparently, half a billion dollars per year can't get a modern browser nowadays. At least in Mozilla case.
> The reason we’ve stepped away from making blanket claims that “We never sell your data” is because, in some places, the LEGAL definition of “sale of data” is broad and evolving. As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
THANK YOU California for this definition of selling data, which is accurate, and representative of what people think of when discussions of selling data come up.
> In order to make Firefox commercially viable, there are a number of places where we collect and share some data with our partners
Ok, so that’s pretty straightforward. According to CA and other states Mozilla is collecting and selling your data. Which is exactly what everyone is upset about and means exactly what everyone thought it meant.