Remove Pocket Integration from Firefox

[tucker....@gmail.com]

(Pasted from https://bugzilla.mozilla.org/show_bug.cgi?id=1172126. There are some comments on Hacker News at https://news.ycombinator.com/item?id=9667809).

Mozilla's recent integration with Pocket, a proprietary third-party service, is a mistake.

It is very exciting to see the ways in which Firefox continues to improve. And it's even more exciting to see the ways that Mozilla advances it's stated mission outside of the Firefox browser with new developments like Firefox Accounts. Pocket now allows you to log in on their site using your Firefox Account; being able to authenticate with a trusted third party like Mozilla is a huge win for online privacy advocates and the Mozilla community. However, adding Pocket as a built-in feature to Firefox should not have been done.

This is particularly surprising since it was Firefox that made browser extensions mainstream. Pocket should have been an extension (in fact, a Pocket extension used to exist). It could have even been bundled with the browser. This distinction is important, since extensions can be removed entirely, whereas currently Pocket can only be disabled.

The user experience of disabling Pocket is not good, either. It needs to be disabled in about:config, which is not at all user friendly, and therefore not in line with Mozilla's mission. In the past, Mozilla has been very good about showing the user what new features have been added to the interface and explaining any privacy implications that may come with them. That is why I was so surprised when the Pocket icon suddenly appeared in Firefox Developer Edition a couple days ago. It is so unlike Mozilla to introduce something like that, I ran a virus scan and checked what programs had been installed recently -- I assumed it had been put there in the same way that IE users used to get the Ask Toolbar installed.

It may also not be clear to some users that, even when signing in with your Firefox account, you are still giving your email address to a third party whose privacy policy is different than Mozilla's. Many users would not assume this, since it is a feature that is bundled with the browser.

Mozilla's recent blog post about the Pocket feature is titled "Firefox Puts You in Control of Your Online Life" (https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in-control-of-your-online-life/). Had this been coming from a startup, that post would be humorously ironic. But given how much people care about Mozilla and it's stated mission, it is more painful than funny.

Firefox should continue to add new features that benefit its users, but those features must be done in accordance with Mozilla's core values. This feature should've been done as an extension, which allows for greater user choice and avoids bloat. Most importantly, there was very little public discussion about this inclusion of a proprietary, third-party service. It's a huge departure from Mozilla's commitment to transparency. The existence of the Pocket code in Firefox is a bug in the browser, and it does not adhere to Mozilla's core mission.

[Adam Porter]

I have mixed feelings about this, and I think it's good to have this discussion. I was surprised at the announcement, because it seemed sudden and unexpected. Did I miss something, or was the discussion entirely internal to Mozilla (or on a bugzilla page, not something outsiders would typically discover on their own)?

I was also surprised because it is a proprietary service integrated into a Free Software product. There were blog posts talking about how "Save" needs to be integrated across products, devices, and the Internet. But "Save" was not integrated here--Pocket was, a proprietary service, a single web site.

It seems to me that an outcome more in-line with Mozilla's stated mission would be to publish a save-for-later API, integrate it into Firefox Sync, and make it possible for Firefox users to point their browsers' built-in save-for-later list at third-party services that implement the API. It could even become a federated API, potentially integrating the variety of incompatible read-it-later-type services that exist.

There are, after all, already Free Software implementations of Pocket-like services (e.g. Poche). It seems contrary to Mozilla's stated mission to tie in to a proprietary service instead of furthering the creation of open APIs and platforms.

Imagine a certain web site or service released a new, JSON-based protocol that combined HTTP, HTML, AJAX, maybe XUL or XSLT-type stuff, and released a Firefox extension that let people access its site or services more quickly than using HTTP/HTML/AJAX. Now fast-forward a few years and it's very popular (maybe it's something like Netflix, and it lets them implement their UI more easily, or lock it down more than an HTML UI). Would Mozilla then integrate it directly into Firefox? It seems like the principle is the same.

I write all this as a long-time Firefox user, and one who's used Pocket since early in its Read-It-Later incarnation. As much as I use it, it doesn't seem appropriate to integrate it directly into Firefox.

And when viewed together with the EME situation, the trend toward integrating proprietary software and services is also concerning. It can always be rationalized with lines like, "Our users are going to use it, one way or another, so we might as well integrate it," but if that had been Mozilla's attitude from the beginning, I don't think we would be here using Firefox today. It seems like Mozilla is prioritizing users' short-term good over the long-term.

[manis...@gmail.com]

> It seems to me that an outcome more in-line with Mozilla's stated mission would be to publish a save-for-later API, integrate it into Firefox Sync, and make it possible for Firefox users to point their browsers' built-in save-for-later list at third-party services that implement the API. It could even become a federated API, potentially integrating the variety of incompatible read-it-later-type services that exist.

I agree.

> Imagine a certain web site or service released a new, JSON-based protocol that combined HTTP, HTML, AJAX, maybe XUL or XSLT-type stuff, and released a Firefox extension that let people access its site or services more quickly than using HTTP/HTML/AJAX. Now fast-forward a few years and it's very popular (maybe it's something like Netflix, and it lets them implement their UI more easily, or lock it down more than an HTML UI). Would Mozilla then integrate it directly into Firefox? It seems like the principle is the same.

The rationale behind Pocket was "We're working on a 'save' feature anyway, why duplicate the work of something that already exists?". Intentions are important; the intention protects us from the slippery slope argument you're making.

> And when viewed together with the EME situation, the trend toward integrating proprietary software and services is also concerning.

Let's not bring EME into this. EME was something which was standardized -- a battle Mozilla lost.



=================


I'm also a tad annoyed by Pocket integration. I don't mind it shipping with Firefox, but I'd rather prefer it be off by default. Even better would be a privileged addon. This is because Pocket is a third party service and not everyone who uses Firefox because they trust Mozilla will check if it's a third party service before using it. By integrating Pocket, Mozilla effectively makes Pocket its weakest link in the trust scene; which isn't good.



Note that some of the arguments made about Pocket (and Hello) elsewhere on the Internet are fallacious:

- There's no way to disable it: You can drag the button off using the Customize button. Firefox UI components are lazy loaded.
- It adds to the bloat. Neither Pocket nor Hello are heavy. Pocket is a bunch of HTTP calls; Hello is a wrapper around WebRTC -- an open protocol with an open implementation that all browsers are supposed to support. These are really small droplets in the memory usage story.

[David Rajchenbach-Teller]

Divergent voice here: I don't like Pocket's integration in Firefox, but
for purely UX reasons. Does anyone know if there are plans to streamline
integration? Perhaps by improving Bookmarks enough that they superseed
Pocket.

Cheers,
David

--
David Rajchenbach-Teller, PhD
Performance Team, Mozilla

[walde.c...@gmail.com]

There's one argument unmentioned here, and i suspect it wasn't mentioned yet because Tucker is too polite to do so. I however, having been burned many ways by Mozilla's "governance", have no reason to be polite about it.

The addition of things like Hello and Pocket in FF core* deserves only a single description:

Hypocrisy.

Mozilla removed features that were core in FF, and would've been core in *any* browser; while arguing those features could be re-added as extensions.

A group that holds that stance has no business adding features to FF core that look, feel, taste and smell like extensions.


* would've been fine as bundled extensions

[hugoosval...@gmail.com]

I strongly agree with this removal. Integrating with third-party proprietary technologies seems to go quite clearly against Mozilla's stance on open source.

Back in the day, Mozilla implemented Mozilla Weave (now Firefox Sync) exactly because existing alternatives were proprietary. I believe that's the way to go forward.

As a long time user of Firefox, I now suddenly feel that contributing and donating to firefox wouldn't just promote freedom and open source, but also promote a third-party for-profit proprietary solution (Pocket).

On top of that: there's no reason to affiliate with pocket (or is there money in the middle?), when implementing this sort of thing is pretty trivial. It is, after all, basically a subset of the feature bookmarking includes, and bookmarks are already sync'd.

[jee...@gmail.com]

On Friday, June 5, 2015 at 5:59:56 PM UTC-4, tucker....@gmail.com wrote:
> (Pasted from https://bugzilla.mozilla.org/show_bug.cgi?id=1172126. There are some comments on Hacker News at https://news.ycombinator.com/item?id=9667809).
>
> Mozilla's recent integration with Pocket, a proprietary third-party service, is a mistake.

+1. This bundleware/bloatware needs to, at the very least, be bundled as an easily removable extension (preferably removed completely and made an optional addon). Having to go to about:config to remove this is unacceptable.

[mco...@harrisonpub.com]

I'm just a regular user (and extension developer)

Seriously, guys. Make this an extension. I know you need to monetize the browser - fine - bundle it, people who don't want it will remove it. Right now even setting 'browser.pocket.enabled' to false does not remove the "View pocket list" item from the bookmarks menu.

It just feels like spam.

[Mxx]

One of the primary reasons why Netscape Navigator failed and Firefox took over was because Navigator was big, slow and had everything with a kitchen sink that users couldn't get rid of. Meanwhile Firefox was lean, clean and fast alternative with extensions that allowed users to add desired missing functionality.

Now is Firefox turning into that Navigator with more and more unnecessary junk baked in.
First "Hello" was shoved down users' throats, now Pocket.
Neither are critical to browser's functionality and should not have been integrated into Firefox like this.

Both, Hello and Pocket should've had a "first launch wizard" that explained functionality of both modules and *asked users if they wanted to use them!*
Both should've been shipped as extensions which users would've been able to cleanly remove with no traces left behind!

Neither should've been part of the mandatory browser package update.

Whatever deal Mozilla has with Pocket with this integration should not have come to detriment of user's experience.

Please re-open and address Bug 1172126.

[scott...@gmail.com]

Would make sense to just publish it as an extension. I don't see how it needs to be in the default app.

[serial....@gmail.com]

I agree wholeheartedly.

An early Mozilla and Firefox user, I switched to Chrome for some time but in the past year or two have primarily used FF because of privacy concerns and not wanting a browser built by a company who can make money by ignoring my privacy needs.

[ssiva...@gmail.com]

I'm writing this as a long-time Firefox user/supporter and also a Pocket premium (paying) user.

I think that Pocket is a very useful service, and one that I personally use extensively. I've been happy using it through the Firefox extension, and I do not see any need whatsoever for Pocket to be "integrated" into Firefox. This development raises a few questions, that I think people in the community would like to learn about.


1. On what basis was this decision taken? Was there any discussion on this? I ask out of genuine ignorance, for this seems to have taken many people by surprise. (I found out about this only when I got an email from Pocket)

2. On what basis did Firefox decide to integrate a proprietary product from a particular for-profit entity? Why not team up with other services in the same arena -- eg: Instapaper/Readability/Wallaby? More broadly, is it in the user's best long-term interests for Mozilla/Firefox to promote one over the other, especially in a nascent field?

3. In the default setup (when this is enabled) I would like to know exactly what details of one's browsing activity this makes available to Pocket.

[stevensele...@gmail.com]

For what it's worth. I personally do not see the need for Pocket and would not use it.

[Kev...@gmx.de]

On Saturday, June 6, 2015 at 5:57:14 AM UTC+2, manis...@gmail.com wrote:
> Note that some of the arguments made about Pocket (and Hello) elsewhere on the Internet are fallacious:
>
> - There's no way to disable it: You can drag the button off using the Customize button. Firefox UI components are lazy loaded.
> - It adds to the bloat. Neither Pocket nor Hello are heavy. Pocket is a bunch of HTTP calls; Hello is a wrapper around WebRTC -- an open protocol with an open implementation that all browsers are supposed to support. These are really small droplets in the memory usage story.

I feel like setting 'browser.pocket.enabled;' to false in 'about:config'
is a better solution than just removing the UI component.

[ma...@szaro.org]

I agree wholeheartedly with this. All other major browser vendors have baked in integrations with non-free proprietary services. In these cases - like Google Apps on Chrome - it makes a lot of sense. However, given Mozilla's mission, and the legacy of Firefox as promoting user privacy, I can't see how integrating this directly into the browser chrome was a good idea.

While I find Pocket useful, I would much rather see this distributed as an extension. Honestly, I'd have no objection were Mozilla themselves to distribute it as a first-party extension, or even feature it - but an extension nonetheless.

[mehmet...@gmail.com]

Please reopen bug #1172126. Making a bug report dependent on a conversation on external & proprietary Google Groups is against Mozilla Manifesto (#8, primacy of transparent community-based processes).

Moreover, it looks sinister because it will hide that bug from users, which will cause unnecessary duplicate bugs and uproar.

The code that integrates Pocket goes against Mozilla Manifesto #7 (primacy of free and open source software) and should be reverted. It does so by violating #9 as it breaks the balance between commercial and free software offerings. It dismisses free software alternatives to Pocket before integrating it into Firefox. The proprietary software integration further violates #8 (primacy of transparent community-based processes) since the codes was seemingly slipped in without asking for community feedback.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1172126

Manifesto: https://www.mozilla.org/en-US/about/manifesto/

Thanks,
Mehmet.

[dev...@gmail.com]

I'm a Firefox user and a Pocket user (since back when it was called Read It Later). I love Pocket, its a very handy and effective service for me. But I do not think for a second that it should be bundled with Firefox by default. If you want to do that, develop an open source tagging/saving service that provides the same functionality. Its a simple concept that would be easy to re-create under an open source license. I'm a php/mysql dev and I would be happy to work on such a project, I've been considering doing it myself because the more I depend on Pocket the more inclined I am to move away from it to a self-hosted or open source solution (which has been my plan all along but gosh darnit, Pocket has just been so easy & effective that I haven't gotten around to it).

[aaso...@gmail.com]

I really hope you will remove pocket and let the users choose if they want to install it.

[arkhama...@gmail.com]

I completely agree. This is just another example in recent builds that are pushing me away from Firefox. First they change to Yahoo and in so doing this the update changed your current default. Absolutely shady work. I could have understood on a new install but on an update it should have at least asked you. Then you add the Hello button.. Why? Another thing to disable. Now lets integrate Pocket and make it not removable. Sure you can hide it sort of and disable in about:config but most people do not know how to use about:config. Shady again. What is next? Facebook integration we can't turn off announcing every page we visit? Who comes up with these terrible "features"?

[singp...@gmail.com]

On Friday, 5 June 2015 16:59:56 UTC-5, tucker....@gmail.com wrote:
> This is particularly surprising since it was Firefox that made browser extensions mainstream. Pocket should have been an extension (in fact, a Pocket extension used to exist). It could have even been bundled with the browser. This distinction is important, since extensions can be removed entirely, whereas currently Pocket can only be disabled.

In fact, extensions to add functionality instead of bundling a lot of bloat into core is why I switched to Firefox in the first place all those years ago.

Bundle an extension if you must, but please stop adding bloat to core!

[clic...@gmail.com]

My 2 cents, I think the original idea needs to be reviewed. A "save" feature, really? I don't think it's a feature that is needed, at all. Ok, if some people want it, fine. Maybe they can have an add-on if they want.

I think more focus on security, privacy, performance, stability, and customizability are far more important than this discussion of a "save" feature. It just seems like a silly feature to even have a discussion about. FF doesn't need sprawl.

[Eric Rescorla]

On Sat, Jun 6, 2015 at 4:49 AM, <walde.c...@gmail.com> wrote:

> There's one argument unmentioned here, and i suspect it wasn't mentioned
> yet because Tucker is too polite to do so. I however, having been burned
> many ways by Mozilla's "governance", have no reason to be polite about it.
>
> The addition of things like Hello and Pocket in FF core* deserves only a
> single description:
>
> Hypocrisy.
>
> Mozilla removed features that were core in FF, and would've been core in
> *any* browser; while arguing those features could be re-added as extensions.
>

I'm trying to figure out how you think this applies to Hello. The WebRTC
functionality in Firefox that Hello makes use of is still there and
continues
to be improved.

-Ekr

[Eric Rescorla]

On Sat, Jun 6, 2015 at 11:29 AM, Christian Walde <walde.c...@gmail.com>
wrote:

> As far as i can tell:
>
> WebRTC is an API, which of course belongs into core.
>
> Hello is a user interface, which should've been an extension.
>
> Or is it not be possible to implement an extension that duplicates Hello's
> functionality and makes use of the WebRTC api?
>

Yes, it is probably possible to implement an extension that duplicate's
Hello's functionality. I don't think it follows from that that it's not
appropriate
to ship it as part of Firefox.

-Ekr

[Eric Rescorla]

On Sat, Jun 6, 2015 at 11:52 AM, Christian Walde <walde.c...@gmail.com>
wrote:

> Thanks for confirming that my line of thought is correct on the
> implementability of Hello as an extension.
>
> That said, you may think it does not follow, but given that you do not
> explain why you think this, there is not much of a conversation to be had,
> and your ability to convince is zero as of now.
>

I'm not trying to convince you. You made an assertion that I don't think is
convincing
and I said so.



> As i stated in my original email, given their explanation of earlier
> removals, it is hypocritical of Mozilla to implement functionality in core
> that could be implemented in an extension instead.
>

I'm not really sure what earlier removals you're referring to, but there's
absolutely
nothing contradictory about taking some features that could be implemented
in
extensions and putting them in the main product while requiring that other
features
to be implemented in extensions. Rather, it's a product judgement about
which
features are of the widest general interest and the best fit for being part
of the
main product as shipped.

-Ekr

[Eric Rescorla]

On Sat, Jun 6, 2015 at 12:21 PM, Christian Walde <walde.c...@gmail.com>
wrote:

> I'm describing a factual reality. The parameters of such i hope i made
> clear and obviously match the reality we live in. If there are parameters i
> have overlooked, it is up to you to state which ones.
>

No, really, it's not. You made (and continue to make a categorical argument)
about hypocrisy. I think that argument is silly and gave you some potential
reasons why it's reasonable to make different decisions in different cases,
but I'm really not interested in debating the particulars of either of
these cases
or in trying to convince you. Feel free to continue to think what you want.

-Ekr

[David Rajchenbach-Teller]

For clarification: it is possible to reimplement most Firefox entirely
as an extension. For instance, Bookmarks, Find in Page, Save As, Tabbed
Browsing, Session Restore, etc. could all be implemented as extensions.
Not only that, but some of these features were initially implemented as
extensions and were then bundled with Firefox.

In other words, the questions that needs to be asked here are:
1. does it work well?
2. does it serve users?
3. does it hurt privacy or security?

I haven't checked 3., but the answer to questions 1. and 2. is very much
"yes". Of course, 1. could be improved, and I'm sure that it will.

Best regards,
David

On 06/06/15 20:45, Eric Rescorla wrote:
> Yes, it is probably possible to implement an extension that duplicate's
> Hello's functionality. I don't think it follows from that that it's not
> appropriate
> to ship it as part of Firefox.
>

> -Ekr
> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance

[Majken Connor]

Is the answer to 2 "very much" yes? This isn't a feature I'm interested in.
I'm more interested in having a setting to use reader mode by default on
mobile so I don't waste data loading images etc unnecessarily. However I am
guessing that a "save to read later" feature is probably more desirable
outside North America. What is our understanding of who this will benefit
and how significant is the group we're expecting to use this?

[Michael Kohler]

Just to chime in my 2 cents here:

1) Click on the Pocket button -> Remove from Toolbar. Now you don't
have it in your GUI anymore. This is preferred way over
usingabout:config. All the associated menu items (Bookmarks menu and
Context Menu) won't show up anymore. There is no interaction with
Pocket anymore since all the interaction is only loaded when clicking
on the icon.

2) Firefox has a preferencein about:config which specifies the API
endpoint: browser.pocket.api . If somebody has a compatible API, feel
free to promote that as alternative. Yes, it needs to be compatible
though. If you think that the user should have other alternatives as a
choice: feel free to propose a patch adding the "choice" in a menu and
implement the alternative. A bonus point here for getting the
alternative to provide a login for Firefox Accounts as well.

3) There is no money involved in this as far as I can know from the
different blog posts by Mozilla.

Of course this is only my knowledge and could be wrong. On the other
hand I don't think just saying Mozilla should remove it without
providing any alternatives doesn't lead this discussion anywhere.
According to Mozilla studies have shown that people want to have a
"Read Later" list. Mozilla might continue their own implementation, but
completing that feature takes some time.Maybe somebody could pick up the
work that has already been done there and improve it so it works? Of
course there is no guarantee that Mozilla would pick up a working
"Reader List" implementation which works with Sync, but it could be
worth a try?

And a last note: Mozilla management is reading this list so I believe
we don't need to spam this list with non-informative and only "me
too"-like comments. So please keep keep good input coming and express
your support with a vote on
https://bugzilla.mozilla.org/show_bug.cgi?id=1172126(but please don't
comment there to not spam people either). You can find the "vote"
button in the left column.

Cheers,
Michael

[David Rajchenbach-Teller]

I judged 2. from the fact that I've been a user of Pocket since it was
called "Read It Later". Of course, YMMV.

On 06/06/15 21:41, Majken Connor wrote:
> Is the answer to 2 "very much" yes? This isn't a feature I'm interested
> in. I'm more interested in having a setting to use reader mode by
> default on mobile so I don't waste data loading images etc
> unnecessarily. However I am guessing that a "save to read later" feature
> is probably more desirable outside North America. What is our
> understanding of who this will benefit and how significant is the group
> we're expecting to use this?

[»Q«]

In <news:mailman.879.1433613...@lists.mozilla.org>,

mehmet...@gmail.com wrote:

> Please reopen bug #1172126. Making a bug report dependent on a
> conversation on external & proprietary Google Groups is against
> Mozilla Manifesto (#8, primacy of transparent community-based
> processes).

It need not depend on Google Groups -- this conversation is also
available via NNTP on news.mozilla.org and via mailing list at
<https://lists.mozilla.org/listinfo/governance>. Giganews provides
the NNTP server, which I guess qualifies as external and proprietary,
but the ml option is a mailman instance on a Mozilla server, so
internal F/LOSS.

[Dan Stillman]

On 6/6/15 3:36 PM, David Rajchenbach-Teller wrote:
> For clarification: it is possible to reimplement most Firefox entirely
> as an extension. For instance, Bookmarks, Find in Page, Save As, Tabbed
> Browsing, Session Restore, etc. could all be implemented as extensions.
> Not only that, but some of these features were initially implemented as
> extensions and were then bundled with Firefox.
>
> In other words, the questions that needs to be asked here are:
> 1. does it work well?
> 2. does it serve users?
> 3. does it hurt privacy or security?
>
> I haven't checked 3., but the answer to questions 1. and 2. is very much
> "yes". Of course, 1. could be improved, and I'm sure that it will.

Well, it clears hurts privacy, right? It's a feature that sends browsing
data to a VC-funded third-party company, which says in its privacy
policy that if it's acquired " user information may be included among
the transferred assets".

I have nothing against Pocket — from the comments I've seen on this list
and on HN, it seems to be an exceptional tool and service. And I
actually think Reading List functionality is entirely appropriate in a
browser, a natural extension of the browsing process.

But Pocket's inclusion in Firefox as a default toolbar icon is
mystifying to me, coming from an organization that values user privacy
so highly that it designed a client-side-encrypted sync architecture to
avoid collecting similar data.

Yes, Firefox has a search bar that sends queries to search engines, but
that's unavoidable — Mozilla isn't in a position to build a search
engine, and the privacy trade-off is clear. But it seems to me that
Mozilla could absolutely build functionality like this (sans web access)
on top of its existing, privacy-protecting sync architecture.
Privileging a third-party service that doesn't have those same
protections — a few icons down from the bookmark icon, which does —
feels like an abdication of Mozilla's role and a betrayal of users who
trust Mozilla but may not fully understand where their data is going
when they use this feature that suddenly appeared in their toolbar.

So I fully support the decision to add this sort of functionality to
Firefox, but I want it designed according to the principles that cause
me to use Firefox in the first place. Until that time, I think Pocket
integration should be treated like the services available via the Share
button: as a clearly separate, third-party option with benefits that
Mozilla can't provide but that may carry trade-offs that aren't in line
with Mozilla's priorities.

[David Rajchenbach-Teller]

Indeed, putting this somewhere in or around the Share button sounds like
a good idea.

On 07/06/15 08:42, Dan Stillman wrote:
> So I fully support the decision to add this sort of functionality to
> Firefox, but I want it designed according to the principles that cause
> me to use Firefox in the first place. Until that time, I think Pocket
> integration should be treated like the services available via the Share
> button: as a clearly separate, third-party option with benefits that
> Mozilla can't provide but that may carry trade-offs that aren't in line
> with Mozilla's priorities.

[Chris Double]

Eric Rescorla <e...@rtfm.com> writes:

> I'm trying to figure out how you think this applies to Hello. The
> WebRTC functionality in Firefox that Hello makes use of is still there
> and continues to be improved.

>From what I can gather on Reddit and other forums there is a
misconception that Hello is a proprietary component provided by
Telefonica. This seems to come from the branding on the component. Is
there a post or some documentation to point people too when they think
this that shows what Telefonica's role is and that Hello is open source?

--
http://bluishcoder.co.nz

[Kev...@gmx.de]

On Sunday, June 7, 2015 at 9:59:04 AM UTC+2, Chris Double wrote:
> [...] there is a

> misconception that Hello is a proprietary component provided by
> Telefonica. This seems to come from the branding on the component. Is
> there a post or some documentation to point people too when they think
> this that shows what Telefonica's role is and that Hello is open source?

All other issues aside, this is something that also happened to me.
My first thought was "Oh no, what is this proprietary service doing in my browser?" and I tried to find a way to rip it out.
To be honest, I still haven't looked up what Hello is all about or how it works (especially in terms of what data gets sent where, why and when) and I feel like the latter should have been documented and presented to the end-user.

Seeing some people run around, yelling
> "Great, Mozilla, will [proprietary chat/voip service] be integrated, too?"
or
> "I wonder when they will build in [a popular social network that spies on its users] integration that nobody but power users knows how to disable."
is obviously a bad thing - and I've seen it happen a lot.

[Kev...@gmx.de]

> Firefox should continue to add new features that benefit its users, but those features must be done in accordance with Mozilla's core values. This feature should've been done as an extension, which allows for greater user choice and avoids bloat.
I assume some of the German people at Mozilla have already seen this, but I'd just like to leave these comments from a German IT-news article here:
http://www.heise.de/forum/iX/News-Kommentare/Mozilla-nimmt-Reader-Software-Pocket-in-Webbrowser-Firefox-auf/forum-198500/page-2/

Translating a few subject lines, for those who are interested:
- "Sowas von überflüssig.." - "Totally unnecessary.."
(the comment is about how Pocket should be extension)
- "Proprietärer Cloud-Dreck!" - "Proprietary cloud-crap!"
(the comment is about how Pocket is just another spy-/bloatware component that got added to Firefox, and how you need to disable it in about:config to make it stop 'phoning home')
- "Zum Abschalten: about:config -> browser.pocket.enabled = false" - "To turn this off: [...]"
(subcomments include things like "Wozu wohl der String "browser.pocket.oAuthConsumerKey" dient? Ein Schelm..." ("I wonder what the browser.pocket.oAuthConsumerKey option is for? Evil to him who evil thinks..."))
- "Und er wird immer fetter ..." - "And it [the Firefox core] is getting more and more bloated..."
- "Bitte noch Thunderbird und Sunbird integriegen..." - "Now please go on by integrating Thunderbird and Sunbird..."
(goes on about how we will end up at Netscape Naviagtor and/or a web suite, being the primary reason why Firefox exists and that we have to to choose between the devil (Chrome) and the deep blue sea (Firefox) these days)

Those are really sad to see. Unfortunately, they are getting more and more common these days.

> It may also not be clear to some users that, even when signing in with your Firefox account, you are still giving your email address to a third party whose privacy policy is different than Mozilla's.
In my opinion this is particularly bad. Why should anyone expect core-components to 'violate' your privacy by adhering to different rules (i.e. ones that you wouldn't expect, seeing as component X is part of the Firefox core)?

I hope somebody at Mozilla sees the need for a (few) change(s).

[Chris Ilias]

On 2015-06-07 3:58 AM, Chris Double wrote:
> From what I can gather on Reddit and other forums there is a
> misconception that Hello is a proprietary component provided by
> Telefonica. This seems to come from the branding on the component. Is
> there a post or some documentation to point people too when they think
> this that shows what Telefonica's role is and that Hello is open source?

<https://support.mozilla.org/en-US/kb/firefox-hello-video-and-voice-conversations-online>
mentions WebRTC, and links to
<https://support.mozilla.org/en-US/kb/which-browsers-will-work-firefox-hello-video-chat>,
which I think is a good one to point people to.

[Chris Peterson]

On 6/7/15 5:30 AM, Kev...@gmx.de wrote:
> - "Bitte noch Thunderbird und Sunbird integriegen..." - "Now please go on by integrating Thunderbird and Sunbird..."
> (goes on about how we will end up at Netscape Naviagtor and/or a web suite, being the primary reason why Firefox exists and that we have to to choose between the devil (Chrome) and the deep blue sea (Firefox) these days)

I think that quote points to the heart of this debate:

What is a browser? Is it a simple window to the web? Or an integrated
communications suite for online services?

What do users really want? If you look at the 20 most popular Firefox
extensions downloaded this week [1], there are two clear trends:

1. Privacy (7 of the top 20)
2. Downloading videos (11 of the top 20)

Firefox can uniquely compete against Chrome on these two issues!
Google's business model depends on users being tracked across websites
(so no privacy) and watching video ads on YouTube (so no downloading
because Google can't show you video ads offline).

Firefox (Phoenix) unseated the bloated Mozilla Application Suite. Chrome
unseated the then bloated Firefox (though Chrome also benefited from
Google's aggressive advertising on google.com and being bundled in the
Adobe Flash Player's installer). Firefox is faster and slimmer than it
was, but still can't shake its old reputation as a memory hog. Maybe
it's time for Mozilla to rename/rebrand Firefox. Microsoft rebooted IE
as Edge/Spartan and that was received positively.

Who will unseat Chrome? Microsoft's Edge/Spartan, Mozilla's
Servo+browser.html, or some secret "Chrome NG" project inside Google?


chris


[1] https://addons.mozilla.org/en-US/firefox/extensions/?sort=popular

* Privacy extensions:
Adblock Plus
Adblock Plus Pop-up Addon
anonymoX
Ghostery
NoScript Security Suite
Adblock Edge
ZenMate Security & Privacy VPN

* Video downloader extensions:
Video DownloadHelper
Flash Video Downloader - YouTube HD Download
Download YouTube Videos as MP4
Ant Video Downloader
DownThemAll!
1-Click YouTube Video Download
YouTube Video and Audio Downloader
Download Flash and Video
YouTube Video Downloader
YouTube Flash Player
Easy Youtube Video Downloader Express

[commen...@riseup.net]

Le lundi 8 juin 2015 10:05:11 UTC-1, Chris Peterson a écrit :
> What do users really want?

If we were to follow trends, Mozilla should probably pivot to producing
porn and pictures of cats.

> What is a browser? Is it a simple window to the web? Or an integrated
> communications suite for online services?

History tells us that trying to bundle everything is a bad, bad, idea.

Allowing people to keep track of what they've read/are willing to read
later has always been one of the core functionality of modern web
browsers. "Bookmarks" anyone?

Despite the fact that browsers UX have greatly improved over time (so
have users' expectations), bookmarks have received little to no
attention. One might consider that the type of services provided by
pocket/instapaper/read-it-later/whatever are just drop-in fixes for
something that has been neglected for too long: actually provide
functionalities to "mark" things that want to be read/watched/looked at.

And in 2015, they want to be able to do it across devices. It's not an
option, Safari does it. This is something that kept countless users I
tried to convert to Firefox from switching, because Sync is broken [1].

[1] https://wiki.mozilla.org/User_Services/Sync

# Does it make sense to provide built-in services to improve webpages
readability?

As much as much as, at some point, providing built-in pop-up blocking
functionalities became necessary. As much as killing <blink> and
<marquee>. Publishers/websites-owner are still learning about web
typography, web publishing using modern technologies and/or have already
transformed their websites into blinking Christmas trees. Maybe they
will never learn but the need for reading was there ten years ago and is
going to be there ten years from now.

So YES, it should be a core functionality. Money and time should be
dedicated to this so that Firefox remains independent from third
parties.

# Does it make sense to provide built-in services to store and organize
contents?

YES, it is just how bookmarks should have been from the beginning
(beyond the role of saving a link to a page). Users can already organize
tabs, group them (panorama/tab groups), search though them, restore them
when the browser starts,…

Browsers are already providing these kind of functionalities. The
question isn't "do we want to do it?" but "do we want to keep on
improving in that field?". It is already a core functionality and should
not be outsourced.

# Finally, should Pocket/whatever be integrated into the browser?

YES, if Mozilla is going to buy the company. NO, otherwise, for all the
reasons that have been repeated here countless times (privacy, free
software, don't let Firefox become the new Lotus Notes,…).

# Is it enough?

NO, money and time should also be dedicated to Sync because these
functionalities are complementary.


C.A.

[WaltS48]

On 06/06/2015 12:39 PM, aaso...@gmail.com wrote:
> I really hope you will remove pocket and let the users choose if they want to install it.
>

The extension will still be used if the user has installed it. AIUI

See "What Happens If I Already Have the Pocket Extension in Firefox?" at
[Pocket is Now Built Into Firefox! « Pocket
Blog](http://getpocket.com/blog/2015/06/pocket-is-now-built-into-firefox/)

[Christian Walde]

On Sat, 06 Jun 2015 21:29:09 +0200, Eric Rescorla <e...@rtfm.com> wrote:

> On Sat, Jun 6, 2015 at 12:21 PM, Christian Walde
> <walde.c...@gmail.com> wrote:
>> On Sat, 06 Jun 2015 21:09:18 +0200, Eric Rescorla <e...@rtfm.com> wrote:
>>> On Sat, Jun 6, 2015 at 11:52 AM, Christian Walde
>>> <walde.c...@gmail.com> wrote:
>>>> On Sat, 06 Jun 2015 20:45:44 +0200, Eric Rescorla <e...@rtfm.com>
>>>> wrote:
>>>>> On Sat, Jun 6, 2015 at 11:29 AM, Christian Walde
>>>>> <walde.c...@gmail.com> wrote:
>>>>>> On Sat, 06 Jun 2015 20:22:34 +0200, Eric Rescorla <e...@rtfm.com>
>>>>>> wrote:
>>>>>>> On Sat, Jun 6, 2015 at 4:49 AM, <walde.c...@gmail.com> wrote:
>>>>>>>> There's one argument unmentioned here, and i suspect it wasn't
>>>>>>>> mentioned yet because Tucker is >>>>>>>>too polite to do so. I
>>>>>>>> however, having been burned many ways by Mozilla's "governance",
>>>>>>>> have >>>>>>>>no reason to be polite about it.
>>>>>>>>
>>>>>>>> The addition of things like Hello and Pocket in FF core* deserves
>>>>>>>> only a single description:
>>>>>>>>
>>>>>>>> Hypocrisy.
>>>>>>>>
>>>>>>>> Mozilla removed features that were core in FF, and would've been
>>>>>>>> core in *any* browser; while >>>>>>>>arguing those features could
>>>>>>>> be re-added as extensions.
>>>>>>>

>>>>>>> I'm trying to figure out how you think this applies to Hello. The
>>>>>>> WebRTC
>>>>>>> functionality in Firefox that Hello makes use of is still there
>>>>>>> and continues
>>>>>>> to be improved.
>>>>>>

>>>>>> As far as i can tell:
>>>>>>
>>>>>> WebRTC is an API, which of course belongs into core.
>>>>>>
>>>>>> Hello is a user interface, which should've been an extension.
>>>>>>
>>>>>> Or is it not be possible to implement an extension that duplicates
>>>>>> Hello's functionality and makes use of >>>>>>the WebRTC api?
>>>>>

>>>>> Yes, it is probably possible to implement an extension that
>>>>> duplicate's
>>>>> Hello's functionality. I don't think it follows from that that it's
>>>>> not appropriate
>>>>> to ship it as part of Firefox.
>>>>

>>>> Thanks for confirming that my line of thought is correct on the
>>>> implementability of Hello as an extension.
>>>>
>>>> That said, you may think it does not follow, but given that you do
>>>> not explain why you think this, there is >>>>not much of a
>>>> conversation to be had, and your ability to convince is zero as of
>>>> now.
>>>
>>> I'm not trying to convince you. You made an assertion that I don't
>>> think is convincing
>>> and I said so.
>>
>> I'm describing a factual reality. The parameters of such i hope i made
>> clear and obviously match the reality we >>live in. If there are
>> parameters i have overlooked, it is up to you to state which ones.
>
> No, really, it's not. You made (and continue to make a categorical
> argument)
> about hypocrisy. I think that argument is silly and gave you some
> potential
> reasons why it's reasonable to make different decisions in different
> cases,
> but I'm really not interested in debating the particulars of either of
> these cases
> or in trying to convince you. Feel free to continue to think what you
> want.

"xxx is silly" is not an argument, it is an assertion that is up to you to
prove.

You tried to do so with guesses, and i explained why guesses are
insufficient.

As for the particulars, they are *exactly* what stands in question in this
thread. Without further evidence there cannot be (especially in light past
behavior of Mozilla, see the ad debacle) an assumption of reasonability of
decisions of Mozilla that have obvious drawbacks and are in contradiction
to their own statements.

--
With regards,
Christian Walde

[Christian Walde]

i have overlooked, it is up to you to state which ones. You've tried to do
so in the following, and as such i will address:

> I'm not really sure what earlier removals you're referring to,

It is completely and entirely irrelevant, but to satisfy your curiosity:
Take for example the very simple case of the RSS button.

> there's absolutely
> nothing contradictory about taking some features that could be
> implemented in
> extensions and putting them in the main product while requiring that
> other features
> to be implemented in extensions. Rather, it's a product judgement about
> which
> features are of the widest general interest and the best fit for being
> part of the
> main product as shipped.

If that is indeed the reason, then you might be correct. Such a reason
can, if argued and explained publicly, honestly and in good faith, be
exceptional circumstance.

However you're guessing about Mozilla's reasons.

As i've said, reasons might exist, but are both not obvious (the reasons
you stated are entirely non-obvious, and especially for Pocket the
"obvious" reason is wildly different from your guess) and have not been
stated publicly by Mozilla. Or can you refer to such?

[Christian Walde]

On Sat, 06 Jun 2015 20:22:34 +0200, Eric Rescorla <e...@rtfm.com> wrote:

> On Sat, Jun 6, 2015 at 4:49 AM, <walde.c...@gmail.com> wrote:
>> There's one argument unmentioned here, and i suspect it wasn't
>> mentioned yet because Tucker is too polite to >>do so. I however,
>> having been burned many ways by Mozilla's "governance", have no reason
>> to be polite about >>it.
>>
>> The addition of things like Hello and Pocket in FF core* deserves only
>> a single description:
>>
>> Hypocrisy.
>>
>> Mozilla removed features that were core in FF, and would've been core
>> in *any* browser; while arguing those >>features could be re-added as
>> extensions.
>
> I'm trying to figure out how you think this applies to Hello. The WebRTC
> functionality in Firefox that Hello makes use of is still there and
> continues
> to be improved.

As far as i can tell:

WebRTC is an API, which of course belongs into core.

Hello is a user interface, which should've been an extension.

Or is it not be possible to implement an extension that duplicates Hello's
functionality and makes use of the WebRTC api?

I might be wrong in the case of Hello and am open to being corrected.

[Christian Walde]

On Sat, 06 Jun 2015 20:45:44 +0200, Eric Rescorla <e...@rtfm.com> wrote:
> On Sat, Jun 6, 2015 at 11:29 AM, Christian Walde
> <walde.c...@gmail.com> wrote:

> Yes, it is probably possible to implement an extension that duplicate's
> Hello's functionality. I don't think it follows from that that it's not
> appropriate
> to ship it as part of Firefox.

Thanks for confirming that my line of thought is correct on the
implementability of Hello as an extension.

That said, you may think it does not follow, but given that you do not
explain why you think this, there is not much of a conversation to be had,
and your ability to convince is zero as of now.

As i stated in my original email, given their explanation of earlier
removals, it is hypocritical of Mozilla to implement functionality in core

that could be implemented in an extension instead.

If there is special circumstance for either Hello or Pocket, there should
be a very good reason for it, but so far none is obvious or has indeed
been given.

[benni...@gmail.com]

On Sunday, 7 June 2015 05:37:00 UTC+10, David Rajchenbach-Teller wrote:
> For clarification: it is possible to reimplement most Firefox entirely
> as an extension. For instance, Bookmarks, Find in Page, Save As, Tabbed
> Browsing, Session Restore, etc. could all be implemented as extensions.
> Not only that, but some of these features were initially implemented as
> extensions and were then bundled with Firefox.

I'd point out that none of the above require users to trust interaction with a 3rd party proprietary service. I think this is the line that Mozilla has crossed, arguably in the Hello case, repeated in the Yahoo case and now with Pocket.

I still don't see any reference to how, when or where this decision was made. This might help improve the transparency and arguments for Pocket's inclusion. I suspect that the reason many people use Mozilla software is for this sort of transparency and to make their own decisions about who to trust on the internet.

[blben...@gmail.com]

On Saturday, 6 June 2015 04:59:56 UTC+7, tucker....@gmail.com wrote:
> (Pasted from https://bugzilla.mozilla.org/show_bug.cgi?id=1172126. There are some comments on Hacker News at https://news.ycombinator.com/item?id=9667809).
>
> Mozilla's recent integration with Pocket, a proprietary third-party service, is a mistake.
>
> It is very exciting to see the ways in which Firefox continues to improve. And it's even more exciting to see the ways that Mozilla advances it's stated mission outside of the Firefox browser with new developments like Firefox Accounts. Pocket now allows you to log in on their site using your Firefox Account; being able to authenticate with a trusted third party like Mozilla is a huge win for online privacy advocates and the Mozilla community. However, adding Pocket as a built-in feature to Firefox should not have been done.

>
> This is particularly surprising since it was Firefox that made browser extensions mainstream. Pocket should have been an extension (in fact, a Pocket extension used to exist). It could have even been bundled with the browser. This distinction is important, since extensions can be removed entirely, whereas currently Pocket can only be disabled.
>

> The user experience of disabling Pocket is not good, either. It needs to be disabled in about:config, which is not at all user friendly, and therefore not in line with Mozilla's mission. In the past, Mozilla has been very good about showing the user what new features have been added to the interface and explaining any privacy implications that may come with them. That is why I was so surprised when the Pocket icon suddenly appeared in Firefox Developer Edition a couple days ago. It is so unlike Mozilla to introduce something like that, I ran a virus scan and checked what programs had been installed recently -- I assumed it had been put there in the same way that IE users used to get the Ask Toolbar installed.
>
> It may also not be clear to some users that, even when signing in with your Firefox account, you are still giving your email address to a third party whose privacy policy is different than Mozilla's. Many users would not assume this, since it is a feature that is bundled with the browser.
>
> Mozilla's recent blog post about the Pocket feature is titled "Firefox Puts You in Control of Your Online Life" (https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in-control-of-your-online-life/). Had this been coming from a startup, that post would be humorously ironic. But given how much people care about Mozilla and it's stated mission, it is more painful than funny.
>
> Firefox should continue to add new features that benefit its users, but those features must be done in accordance with Mozilla's core values. This feature should've been done as an extension, which allows for greater user choice and avoids bloat. Most importantly, there was very little public discussion about this inclusion of a proprietary, third-party service. It's a huge departure from Mozilla's commitment to transparency. The existence of the Pocket code in Firefox is a bug in the browser, and it does not adhere to Mozilla's core mission.




Just Delete Pocket from Firefox! Make only option to install it! MOZILLA, you have a PROFITABLE PROJECT, like FIREFOXOS and OTHERS! Just don't MESS UP with USER WEB BROWSER! WE REALLY HATES MOZILLA DOING THIS! JUST REMOVE IT lah!

[Nic]

On Saturday, June 6, 2015 at 2:47:53 PM UTC-5, David Rajchenbach-Teller wrote:
> I judged 2. from the fact that I've been a user of Pocket since it was
> called "Read It Later". Of course, YMMV.
>

So because you use it, it serves users? There is a long time pocket user further up that believes Pocket shouldn't be integrated and should be left as a extension. Seems like Mozilla shouldn't be integrating things that are best left as extensions as well as things no one will use (Hello).

[hansen....@gmail.com]

My real problem with this is that you've handed a gigantic amount of free business to Pocket while getting little in return other than dependence on Pocket. It's one thing for the browser to be _able_ to interact with various proprietary websites; but it's quite another to implement an important-seeming new feature based on such a proprietary service. Now an important piece of user-visible functionality won't be able to function without Pocket's proprietary service. This would be akin to introducing an email client that could only interface with one particular provider.

The right way to do this: define a generic save-this-page-for-later protocol, and let the user choose among multiple providers. Like is currently done with search engines. Then auction off the default position to gain resources for further development of the browser.

In the meantime you're handing a bunch of free business to Pocket while gaining little benefit, incurring a proprietary dependency in core browser functionality, and burdening many users with a feature they didn't want in the first place.

Of course, I don't really know what "users" want. Has there been any research done on what percentage of users have save-for-later extensions installed already? Or what percentage would rate that as highly desired functionality?
- Josh

[ronwi...@gmail.com]

On Saturday, June 6, 2015 at 3:42:13 PM UTC-4, Michael Kohler wrote:

> Of course this is only my knowledge and could be wrong. On the other
> hand I don't think just saying Mozilla should remove it without
> providing any alternatives doesn't lead this discussion anywhere.

Save-to-Read

https://addons.mozilla.org/en-US/firefox/addon/save-to-read/

Uses bookmarks, so you can, of course, Sync them.

[Patrick Cloke]

On 6/6/2015 3:36 PM, David Rajchenbach-Teller wrote:
> For clarification: it is possible to reimplement most Firefox entirely
> as an extension. For instance, Bookmarks, Find in Page, Save As, Tabbed
> Browsing, Session Restore, etc. could all be implemented as extensions.
> Not only that, but some of these features were initially implemented as
> extensions and were then bundled with Firefox.
>
> In other words, the questions that needs to be asked here are:
> 1. does it work well?
> 2. does it serve users?
> 3. does it hurt privacy or security?
>
> I haven't checked 3., but the answer to questions 1. and 2. is very much
> "yes". Of course, 1. could be improved, and I'm sure that it will.
>
> Best regards,
> David

I think what has upset many long term Firefox users is the lack of
record of where these questions were answered and the surprise in which
this was landed. (It showed up in Beta, I believe? What happened to
having new features "ride the trains" from Nightly?)

I haven't really checked 3 either (well, I did do a packet capture and I
was happy to see that no data was sent to Pocket until I actually
interacted with the Pocket button!)

2 might "very much" be a "yes" for you, but it's never good to project
your own needs as a developer on to what users want. Was there user
research that went into this? Was that released? Was the user research
asking for Pocket, in particular? I don't personally know a single
person who uses Pocket (I actually only know one person who knew *what
it was* when it was added to Firefox...doesn't seem like it's a hot
feature people are asking for. [1])

In summary, I respectfully disagree with your assessment of the need for
this feature.

--Patrick

[1] Yes, I'm projecting the small-ish group of people onto Firefox users
in general. But I queried a pretty techie group of friends/coworkers.
Many of who like to follow the hot trends in websites, etc.

[ry...@ckfce.com]

I was very disappointed to see this integration. I've always looked to Firefox as an example of uncompromising support for open standards and free software. If this integration has to happen, like bundling search providers, I think that it should be as an extension or a new API.

[Felix Dreissig]

On 6 Jun 2015, at 16:56, Mxx wrote:
> One of the primary reasons why Netscape Navigator failed and Firefox took over was because Navigator was big, slow and had everything with a kitchen sink that users couldn't get rid of. Meanwhile Firefox was lean, clean and fast alternative with extensions that allowed users to add desired missing functionality.
>
> Now is Firefox turning into that Navigator with more and more unnecessary junk baked in.
> First "Hello" was shoved down users' throats, now Pocket.
> Neither are critical to browser's functionality and should not have been integrated into Firefox like this.

This, so much this.
Generally, I’m not a huge fan of the direction Firefox is going into when it comes to the integration of non-browser functionality. It’s even worse in this case, as we’re talking about the active endorsement of one proprietary web service among many.

In related news: Why is such a major (maybe not technically, but at least in terms of the user interface) feature part of a dot-dot release?

Regards,
Felix

[zchr...@gmail.com]

Just another Firefox user here to say how bad of an idea I think this is. The only reason I am using Firefox now rather than Chrome or one of the other browsers is because it was the only one offering control to its users. The integrated non-removable pocket functionality is a breach of this trust. It is the same kind of moves that have driven me away from Google's services where possible.

I will be looking for other browser options until this is dealt with, might even go back to IE since they don't push any third party junk on their users.

[rand...@gmail.com]

I also want to ask that Pocket be removed entirely, made optional, or made an optional extension. It's bloatware. It's completely unnecessary. It goes against KISS engineering principles. The fact that it was added takes us further down this trend in software design/control recently in the world of "Apps" in which updates make significant and sudden changes to the user experience without warning (for example the latest version of Android on my smartphone banned colors from update icons- why? what does this add to the user experience? In fact, it notably degraded the functionality of several of my apps.).

Please do not reinforce this mindset. Firefox has one job. If people want it to do more than that, make it opt-in.

[Patrick Cloke]

On 6/6/2015 3:41 PM, Michael Kohler wrote:
> Just to chime in my 2 cents here:
>
> 2) Firefox has a preferencein about:config which specifies the API
> endpoint: browser.pocket.api . If somebody has a compatible API, feel
> free to promote that as alternative. Yes, it needs to be compatible
> though. If you think that the user should have other alternatives as a
> choice: feel free to propose a patch adding the "choice" in a menu and
> implement the alternative. A bonus point here for getting the
> alternative to provide a login for Firefox Accounts as well.

And whenever that API changes even slightly than this 'alternate
service' gets screwed and needs to update. Or Pocket could (without much
forewarning) dramatically change the API in coordination with a Firefox
update, to block competitors. Unless there's truly an open standard
around it, I find the argument of "there's a documented API" to be weak.
(See Twitter vs. identi.ca.)

> 3) There is no money involved in this as far as I can know from the
> different blog posts by Mozilla.

Frankly, I hope there's money involved. It's the only thing that makes
*any* sense of why this was added.

> And a last note: Mozilla management is reading this list so I believe
> we don't need to spam this list with non-informative and only "me
> too"-like comments.

It'd be nice if they responded and offered answers to resolve baseless
speculation. :) Mozilla management has already been burnt a handful of
times by being silent on matters.

> So please keep keep good input coming and express
> your support with a vote on
> https://bugzilla.mozilla.org/show_bug.cgi?id=1172126(but please don't
> comment there to not spam people either). You can find the "vote"
> button in the left column.

Voting on a resolved bug is pretty useless, additionally votes on bugs
aren't really taken into account.

--Patrick

[sbr...@gmail.com]

Also agreeing that Pocket's default integration should be removed. I have been a long term user of Pocket myself since it was a small independent plugin for Firefox. I enjoy the service across several of my devices but the critical issue here is that I opted to use the product. This sort of default third party integration into Firefox is the beginning of a very slippery slope.

This starts Mozilla on a whole in a direction counter to the core reasons I choose to use their browser... namely choice, configuration options, and control. It unfortunately puts a fair sized dent in my trust of Mozilla's decision making process.

[llkiw...@gmail.com]

I think no matter whether this feature is good or bad, Mozilla devs should at least ask it's users before making such a radical change, so it does not come at such a big surprise to the users, and the users can actually get to know the rationale behind the decision before getting angry at Mozilla.

[ifphi...@gmail.com]

On Saturday, June 6, 2015 at 11:42:19 PM UTC-7, Dan Stillman wrote:
>
> Well, it clears hurts privacy, right? It's a feature that sends browsing
> data to a VC-funded third-party company, which says in its privacy
> policy that if it's acquired " user information may be included among
> the transferred assets".

Can someone at Mozilla explain under what circumstances Firefox will send data of any kind to Pocket?

[mark....@gmail.com]

Can someone from Mozilla chime in on two questions:

1) Was there any money exchanged for the inclusion of Hello and Pocket? Or other "kick-backs" (using that term loosely, I mean things like product placement of Firefox on Hello- or Pocket-related sites).

2) Where was the inclusion of Hello or Pocket discussed in the open, with an option for the public to chime in? And if not, why?

Don't get me wrong, Mozilla doesn't "owe" anyone anything, but this whole kerfluffle seems to be contradictory to their mission, if not in letter, at least morally-speaking.

[David Rajchenbach-Teller]

Because I find it useful, I find it useful.

Cheers,
David

On 07/06/15 01:55, Nic wrote:
> So because you use it, it serves users? There is a long time pocket user further up that believes Pocket shouldn't be integrated and should be left as a extension. Seems like Mozilla shouldn't be integrating things that are best left as extensions as well as things no one will use (Hello).

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance

[David Rajchenbach-Teller]

I realize that I wasn't clear: I replied "very much" to 2, because I, as
a user, find this useful. This was not me assessing a feature for users,
this was me, as a user, supporting a choice.

But yes, there has been market research. I do not remember the
specifics, but the lack of a "Read It Later" feature that could let
users save a bookmark on a device and reopen a snapshot on either the
same device or another one was among the top salient items (somewhere
around the same level as Flash crashes, I believe, and we are also
working on it).

I have no answer to give on the crash-landing, as I do not have any
information on the topic. I know that we are revisiting the "riding the
trains" process, and I assume that this is one of the growing pains
until we have figured out exactly what process we should adopt.

Best regards,
David

On 07/06/15 23:07, Patrick Cloke wrote:
> I think what has upset many long term Firefox users is the lack of
> record of where these questions were answered and the surprise in which
> this was landed. (It showed up in Beta, I believe? What happened to
> having new features "ride the trains" from Nightly?)
>
> I haven't really checked 3 either (well, I did do a packet capture and I
> was happy to see that no data was sent to Pocket until I actually
> interacted with the Pocket button!)
>
> 2 might "very much" be a "yes" for you, but it's never good to project
> your own needs as a developer on to what users want. Was there user
> research that went into this? Was that released? Was the user research
> asking for Pocket, in particular? I don't personally know a single
> person who uses Pocket (I actually only know one person who knew *what
> it was* when it was added to Firefox...doesn't seem like it's a hot
> feature people are asking for. [1])
>
> In summary, I respectfully disagree with your assessment of the need for
> this feature.
>
> --Patrick
>
> [1] Yes, I'm projecting the small-ish group of people onto Firefox users
> in general. But I queried a pretty techie group of friends/coworkers.
> Many of who like to follow the hot trends in websites, etc.
>

[Robert Kaiser]

Christian Walde schrieb:

> Or is it not be possible to implement an extension that duplicates
> Hello's functionality and makes use of the WebRTC api?

That's not an argument, as the Firefox add-on system is so powerful that
*all* functionality in Firefox, including any APIs, can actually be
implemented as add-ons.

KaiRo

[WaltS48]

With your iOS device?

--
Kubuntu 15.04 | KDE 4.14.8 | Thunderbird 38.0b6 (Beta)
[Visit Pittsburgh](http://www.visitpittsburgh.com/)
[Dollar Bank Three Rivers Arts Festival](http://www.3riversartsfest.org/)
One users useless feature is a useful feature to other users.
Go Bucs!

[Robert Kaiser]

Kev...@gmx.de schrieb:

>> Firefox should continue to add new features that benefit its users, but those features must be done in accordance with Mozilla's core values. This feature should've been done as an extension, which allows for greater user choice and avoids bloat.

> I assume some of the German people at Mozilla have already seen this, but I'd just like to leave these comments from a German IT-news article here:
> http://www.heise.de/forum/iX/News-Kommentare/Mozilla-nimmt-Reader-Software-Pocket-in-Webbrowser-Firefox-auf/forum-198500/page-2/

The Heise Forums are known to be full of trolls and not to be taken
seriously. It's sad that that's the case there just like in most major
news site comment sections, but it means that anything coming from there
needs to be taken with a grain (or a whole package) of salt.

KaiRo

[Robert Kaiser]

Felix Dreissig schrieb:

> In related news: Why is such a major (maybe not technically, but at least in terms of the user interface) feature part of a dot-dot release?

Because version numbers are both necessary and irrelevant. They are only
for reference but their actual value doesn't have any value (pun intended).

KaiRo

[Robert Kaiser]

ifphi...@gmail.com schrieb:

Read the code for details (I haven't), but from all I know, *only* data
that you send to Pocket yourself is being sent there. That means, of
course Pocket will be told who you are (your email address) when you log
in there (even with a Firefox Account), of course the address of the
page you save into Pocket is sent to them (would be pretty useless
otherwise), and of course, Pocket makes entries in their logs when you
visit their website.
I *think* that's all points that actually transfer data to them but I'm
no expert (didn't read the code and am not involved in any dealing with
them).

KaiRo

[Nicholas Nethercote]

On Sun, Jun 7, 2015 at 8:27 AM, <rand...@gmail.com> wrote:
>
> I also want to ask that Pocket be removed entirely, made optional, or made an optional extension. It's bloatware. It's completely unnecessary. It goes against KISS engineering principles.

There are two arguments being made in this thread:

- Pocket integration is bad because Pocket is a commercial third-party service.

- Pocket integration is bad because the feature is not useful, or not
sufficiently useful to enough people.

The email I've quoted is a perfect example of the second argument. But
it's the first argument that's the important one here. If Mozilla had
implemented its own Pocket-like feature would there be a vehement
thread like this one? No. There might be some quibbling -- "maybe that
could just be an add-on" -- but the reaction would be much milder.

What I'm saying is this: don't mix up the two arguments above. If
you're really upset by the Pocket integration, it's almost certainly
because of the first argument above, so don't get side-tracked by the
second argument.

Nick

[bcl...@mozilla.com]

Hey -

I appreciate all the feedback. I've tried to read all the message in this thread and respond to them here. Firefox is a constantly evolving system that is always changing and never finished.

Pocket has been a popular Firefox Add-On for a long time and we've seen that users love to save interesting Web content to easily revisit it later, so it was an easy choice to offer Pocket as a service in Firefox. and we've gotten lots of positive feedback about the integration from users.

All the code related to this integration within Firefox is open source and Pocket has licensed all the Firefox integration code under the MPLv2 license. On top of that, Pocket asked Mozilla for input on how to improve their policy, based on early comments from Mozillians. After that discussion, Pocket updated their privacy policy in early May to explain more precisely how they handle data. You can read Pocket's privacy policy here: https://getpocket.com/privacy.

Directly integrating Pocket into the browser was a choice we made to provide this feature to our users in the best way possible. To disable Pocket, you can remove it from your toolbar or menu. If Pocket is removed from the toolbar or menu, then the feature is effectively disabled, though you can still find it again by accessing it in the Customize Panel. You can find detailed instructions here: https://support.mozilla.org/kb/disable-pocket-on-firefox

Feel free to reach out to me directly via email bcl...@mozilla.com

Thanks,
~ Bryan

--
Product Manager, Firefox : Pocket

[Gervase Markham]

On 09/06/15 04:22, Nicholas Nethercote wrote:
> What I'm saying is this: don't mix up the two arguments above. If
> you're really upset by the Pocket integration, it's almost certainly
> because of the first argument above, so don't get side-tracked by the
> second argument.

Right. And the first argument is strange because this is not the first
time we've done this. Most of the bundled search engines, safe browsing
and (until recently) our location service are/were all commercial
third-party services with closed source back-ends.

I know there are people out there who don't want to use any website
whose code is closed source, but I think they are pretty rare, as 99.9%
of websites are closed source. Mozilla has, more than a decade ago, made
a policy decision that linking to or integrating with services whose
backend is closed-source is OK, and that decision is not under review.
Trying to do otherwise would, IMO, make our product seriously
uncompetitive, which would not be good for the mission. (Note that
Mozilla's mission is not to make the entire web open _source_ anyway.)

In creating any feature, Mozilla has to choose between partnering to get
it, or building it ourselves. And we can't build _everything_. A current
example is safe browsing, and a future example of something I think we'd
like to integrate that I doubt we can build is a translation service.

Gerv

[David Rajchenbach-Teller]

Well, deciding whether a feature should be part of Firefox or not is
part of the job of Product Management. So, by deciding that Hello or
Pocket should be bundled in, but that other features should not, they
have done exactly their job.

Whether or not you agree with these choices is up to you. But please
discuss them on their merits, not on a misunderstanding.

Best regards,
David

On 06/06/15 20:52, Christian Walde wrote:
> Thanks for confirming that my line of thought is correct on the
> implementability of Hello as an extension.
>
> That said, you may think it does not follow, but given that you do not
> explain why you think this, there is not much of a conversation to be
> had, and your ability to convince is zero as of now.
>
> As i stated in my original email, given their explanation of earlier
> removals, it is hypocritical of Mozilla to implement functionality in
> core that could be implemented in an extension instead.
>
> If there is special circumstance for either Hello or Pocket, there
> should be a very good reason for it, but so far none is obvious or has
> indeed been given.

[Dan Stillman]

On 6/9/15 5:03 AM, Gervase Markham wrote:
> On 09/06/15 04:22, Nicholas Nethercote wrote:

>> What I'm saying is this: don't mix up the two arguments above. If
>> you're really upset by the Pocket integration, it's almost certainly
>> because of the first argument above, so don't get side-tracked by the
>> second argument.

> Right. And the first argument is strange because this is not the first
> time we've done this. Most of the bundled search engines, safe browsing
> and (until recently) our location service are/were all commercial
> third-party services with closed source back-ends.

I touched on the search engine comparison in my earlier post. I think
the difference is that nobody expects Mozilla to build a search engine,
and the privacy implications of using a search engine are clear. But
Mozilla designed a sync architecture that encrypts bookmark data
client-side explicitly to avoid collecting it, and now has rolled out a
high-profile feature that causes that data to be collected by a
VC-funded third-party company, without even particularly framing it as a
service external to Mozilla. The Share button and the search bar both
make it very clear that you're choosing among third-party services. The
Pocket integration seems almost purposely designed to blur the
distinction between Mozilla and Pocket. (As Pocket's CEO put it, "With
the exception of search, it’s rare for companies to be integrated this
deeply into the browser." [1])

Safe Browsing is a slightly better parallel, but does Firefox actually
share browsing data for that? The documentation appears to claim that,
at least in most cases, Firefox downloads a list and compares URLs
locally: "No information about you or the sites you visit is
communicated during list updates." [2] (In any case, I think Safe
Browsing more or less qualifies as a search-engine-scale problem.)

> I know there are people out there who don't want to use any website
> whose code is closed source

I think this is a red herring, or at least isn't even vaguely the issue
for me. A website's being open source doesn't have any bearing on its
having access to people's private data. Mozilla software is open source
and Mozilla is a widely trusted organization, but even Mozilla chose not
to collect people's private bookmark data when it designed its sync system.

> In creating any feature, Mozilla has to choose between partnering to get
> it, or building it ourselves. And we can't build _everything_.

Mozilla can't build everything, but it clearly can build
bookmark-syncing services, and it can build them in a way that protects
people's privacy. To roll out a very similar feature in prime toolbar
space that treats that same data in such a different manner from the
existing functionality strikes me as a bizarre and worrying choice.


[1]
https://medium.com/@nateweiner/the-internet-needs-a-save-button-db6c8c416038
[2]
https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

[Christian Walde]

Oh hey, an @mozilla address.

Frankly, I have no idea what you are trying to say here.

I never said it was not their job to do this nor that they did not do
their job. Please do not insinuate i said things i did not say.

I am however indeed saying that there is no demonstrated merit to their
decision, and that is objectionable in a number of ways. Note that this
does not necessarily mean that they must be removed, just that they should
put public a very good point for keeping them if they do so. Right now due
to lack of such the public has a hard time of discussing any merit in the
first place, since the reasons for the decision can only be guessed at and
the only thing that relates to this (as far as i am aware) in public
communication, was a justification to remove features that can be
implemented as extensions.

As for what you consider to be a misunderstanding, i cannot even begin to
guess. Maybe it would behoove you to reread my previous replies to make
sure you did not misunderstand me, or if you are sure that you did not, to
clarify what you are saying, so it cannot be misunderstood. Don't feel
afraid to be a little bit wordy. I'm not afraid of reading and would
rather have clarity in communication than careless brevity.

On Tue, 09 Jun 2015 12:01:06 +0200, David Rajchenbach-Teller
<dte...@mozilla.com> wrote:

> Well, deciding whether a feature should be part of Firefox or not is
> part of the job of Product Management. So, by deciding that Hello or
> Pocket should be bundled in, but that other features should not, they
> have done exactly their job.
>
> Whether or not you agree with these choices is up to you. But please
> discuss them on their merits, not on a misunderstanding.
>

[Patrick Cloke]

On 6/9/2015 5:03 AM, Gervase Markham wrote:
> On 09/06/15 04:22, Nicholas Nethercote wrote:
>> What I'm saying is this: don't mix up the two arguments above. If
>> you're really upset by the Pocket integration, it's almost certainly
>> because of the first argument above, so don't get side-tracked by the
>> second argument.
>
> Right. And the first argument is strange because this is not the first
> time we've done this. Most of the bundled search engines, safe browsing
> and (until recently) our location service are/were all commercial
> third-party services with closed source back-ends.

Nicholas, that is a nice point that there seems to be two separate
reasons people are upset. Personally, I'm upset by both arguments [0],
but agree with you that the first is more important. (I can get over
there being a feature I don't use...[1]).

Gerv brings up a good point of "how is this different"? This shouldn't
be used as an argument for brushing this point away! (And I'm not
suggesting anyone is trying to do that.) But we must dig deeper into
what is different about this that is upsetting people whereas search
engines, safe browsing, etc. don't! I'd suggest there are a few components:

- User facing component: Pocket is a MUCH more user facing feature
than, e.g. safe browsing is. Frankly, I'd suggest many non-power users
don't know that safe browsing is a thing...and if they do know, they
probably have no idea how it works. Search engines obviously have quite
a bit of clout in the UI, but the utility of them is probably

- Openness of it: there's an open format for search engines, I can go
use Google, Yahoo, Bing, Duck Duck Go, or make my own. I'm not being
locked into a specific vendor. (And no, having a public API does not
make it open. The control is from the wrong side: for it to be open the
browser vendors and services need to agree upon an API. It cannot be
controlled by the services.)

- Privacy implications: Just a little extra point in the comparison to
search engines; search engines have "always" been part of the browser,
even before "privacy" was the "crisis" that it is now. I'd suggest that
users will put new features that have any sort of privacy implication
under significant more scrutiny now than 5 - 10 years ago.

- Utility: And to tie back into Nicholas argument, I'd also suggest
the use case is important. For search engines it is clear that users are
using a third party service, and (I hope) understand there is privacy
implications. But frankly, you can't use the Internet effectively
without a search engine, there is a *clear* utility for (almost?) all
users. I'd suggest some of the backlash has been due to people feeling
the trade-off is not worth it for using Pocket *or* don't see a use-case
for it. But yes, this is a weaker argument.

--Patrick

[0] I also have other issues with it, such as how it landed (on beta,
really?) How it was integrated in a point release...and I don't care
about the argument "version numbers don't mean anything", that's a delusion.

[1] Although it seems that every new feature added to Firefox recently
is one that I don't use...and have no interest in using. :)

[commen...@riseup.net]

On 2015-06-09 02:41, bcl...@mozilla.com wrote:
> After that discussion, Pocket updated their privacy policy in early
> May to explain more precisely how they handle data. You can read
> Pocket's privacy policy here: https://getpocket.com/privacy.

From the Pocket ToS: “[...] our Privacy Policy is not a legal agreement,
and creates no contractual obligations [...]” [0]

[0] https://getpocket.com/tos

And given that you're referring to the privacy policy: “In the event
that we or certain of our assets are acquired, user information may be
included among the transferred assets.” [1]

[1] https://getpocket.com/privacy

On 2015-06-09 09:03, Gervase Markham wrote:
> Right. And the first argument is strange because this is not the first
> time we've done this. Most of the bundled search engines, safe browsing
> and (until recently) our location service are/were all commercial
> third-party services with closed source back-ends.

First of, it seems like you do not remember how “safe browsing” and the
now gone “location service” were welcomed back at the time. Mozilla was
highly criticized and there's still reason to do so regarding “safe
browsing” when you know that “[...] existing cookies you have from
google.com, our list provider, may also be sent.” [2]

[2]
https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

Anyway, let's not digress, the only reason why I mentioned it is that it
invalidates your argument. These are example of Mozilla failures (now
fixed for the “location service”), not something you should brag about
or refer to as something positive that was already done in the past.

As for the integrated search engines, several of them are bundled, the
user can chose freely which one to use and – to join what you are saying
below – this is not a service that can easily be replicated on mozilla's
side. You do not build a search engine by snapping fingers. On the other
hand, the services provided by a search engine fundamentally differ from
the ones provided by pocket: among other things (see my previous mail)
pocket is meant to store data.

Storing data is something that Firefox has been capable of doing for
years.

> In creating any feature, Mozilla has to choose between partnering to
> get
> it, or building it ourselves. And we can't build _everything_.

Any computer science student can put a pocket clone together in a
weekend. There's nothing fancy, challenging nor complicated. There's
already a series of free softwares that does the exact same thing
(“wallabag” [3] among tens of others).

[3] https://wallabag.org

> I know there are people out there who don't want to use any website

> whose code is closed source, but I think they are pretty rare, as 99.9%
> of websites are closed source.

Nobody's talking about this. This is irrelevant, there are also people
who prefer to eat bananas over apples, this brings nothing to the
discussion.

> Mozilla has, more than a decade ago, made a policy decision that
> linking
> to or integrating with services whose backend is closed-source is OK,
> and that decision is not under review.

Mozilla also made the decision to put the respect for the privacy and
the independence of its users above anything else. “When it’s personal,
choose Firefox.” [4]

[4] http://getfirefox.com

[Gervase Markham]

On 09/06/15 12:44, Patrick Cloke wrote:
> - User facing component: Pocket is a MUCH more user facing feature
> than, e.g. safe browsing is. Frankly, I'd suggest many non-power users
> don't know that safe browsing is a thing...and if they do know, they
> probably have no idea how it works. Search engines obviously have quite
> a bit of clout in the UI, but the utility of them is probably

I agree this is a difference, but I'm not sure how it's relevant if
people are making an argument based on principle.

> - Openness of it: there's an open format for search engines, I can go
> use Google, Yahoo, Bing, Duck Duck Go, or make my own. I'm not being
> locked into a specific vendor. (And no, having a public API does not
> make it open. The control is from the wrong side: for it to be open the
> browser vendors and services need to agree upon an API. It cannot be
> controlled by the services.)

It is a good question as to whether, if Pocket came back to us and said
"actually, we need to change this API", and there were 3rd party
implementations of it, whether Mozilla would say Yes. I hope we would
say "no, not without notice and a transition period". But perhaps it is
worth investigating how Mozilla and Pocket view this API and its stability.

> - Privacy implications: Just a little extra point in the comparison to
> search engines; search engines have "always" been part of the browser,
> even before "privacy" was the "crisis" that it is now. I'd suggest that
> users will put new features that have any sort of privacy implication
> under significant more scrutiny now than 5 - 10 years ago.

Perhaps, although I've not see anyone say "I've read Pocket's privacy
policy, the one that applies to this feature (as amended in consultation
with the Mozilla privacy team) and I object to X, Y and Z."

> - Utility: And to tie back into Nicholas argument, I'd also suggest the
> use case is important. For search engines it is clear that users are
> using a third party service, and (I hope) understand there is privacy
> implications.

I think "it's not sufficiently clear that Pocket is a third party
service" may actually be a reasonable objection. If people have
specifics on this, they would be worth discussing.

> [0] I also have other issues with it, such as how it landed (on beta,
> really?) How it was integrated in a point release...and I don't care
> about the argument "version numbers don't mean anything", that's a
> delusion.

I have concerns about that too, but I think they are out of scope for
the current discussion.

> [1] Although it seems that every new feature added to Firefox recently
> is one that I don't use...and have no interest in using. :)

Have you tried Hello? It really is rather nice. Surely you would want to
use it, even if only for reasons of competitive research :-)

Gerv

[snafum...@gmail.com]

How many times we saw Firefox rightly state:

"No, we're not implementing this feature. There aren't enough users for it to warrant having to maintain the code. If you want this functionality, there are already add-ons for it available."

~some time later~

"Yes, we're including this other feature now and thus are going to have to maintain its code despite there being only a few users who are going to use that feature. Also, it's irrelevant that there are already add-ons providing the same functionality."

I have been a Firefox loyalist for almost a decade and am fed up with its direction. If you're losing market share, lose it gracefully. Quit trying to gain market share by turning your back on your principles. It makes you seem desperate and shady. I will likely be leaving FF soon.

[Gervase Markham]

On 09/06/15 14:21, snafum...@gmail.com wrote:
> "Yes, we're including this other feature now and thus are going to
> have to maintain its code despite there being only a few users who
> are going to use that feature.

Do you have telemetry or metrics which show that few people use Pocket?
One of the reasons we went for this feature is that the addon is very
popular, which suggests that it's a feature a lot of people use. And
indeed, my understanding is that early numbers show that the integrated
version is also becoming very popular.

> I have been a Firefox loyalist for almost a decade and am fed up with
> its direction. If you're losing market share, lose it gracefully.
> Quit trying to gain market share by turning your back on your
> principles.

If you feel there is an issue of principle about including Pocket, then
it would be better to articulate it, rather than inventing user numbers.

Gerv

[snafum...@gmail.com]

Adblock plus and ublock origin are by far the most popular add-ons for Firefox. Will you be implementing those by default, too?

Firefox has always been about empowering the user. You never dumb things down for them, you give them a choice. If there's an add-on we want, we find it or we create it. The add-ons should not be implemented into Firefox outright, because then you're removing that "choice" by providing it to people who never asked for it in the first place.

[Gijs Kruitbosch]

On 09/06/2015 14:47, snafum...@gmail.com wrote:
> Adblock plus and ublock origin are by far the most popular add-ons for Firefox. Will you be implementing those by default, too?

Part of the effect of these add-ons (in terms of not being tracked and
pageload improvements) is currently (being) implemented in Firefox
Nightly, yes.

> Firefox has always been about empowering the user. You never dumb things down for them, you give them a choice. If there's an add-on we want, we find it or we create it. The add-ons should not be implemented into Firefox outright, because then you're removing that "choice" by providing it to people who never asked for it in the first place.

We give people a choice, but we do make a "what's the default" choice,
no matter which feature or add-on is concerned. We pick defaults that we
think make sense. Implementing things that add-ons provide as default
doesn't remove choice (assuming things can be overridden or turned off,
like with pocket, and/or don't seriously interfere with a large number
of users' usecases (I don't think we need a built-in "off" switch for
bookmarks or tabs, for instance)). It changes the default behaviour. I
would contend that it is fully part of Firefox being Firefox (and indeed
probably any good product/browser) that it continues to try to have sane
and useful defaults.

In this case we decided that including Pocket by default was a good way
of achieving our aims in the required timeframe. There are arguments for
and against that decision, for sure, but I don't think "Firefox should
never do anything that remotely resembles what an add-on does or could
do" is one of them.

~ Gijs

[Mike Connor]

On 9 June 2015 at 07:04, Dan Stillman <dsti...@gmail.com> wrote:

>
> The Pocket integration seems almost purposely designed to blur the
> distinction between Mozilla and Pocket. (As Pocket's CEO put it, "With the
> exception of search, it’s rare for companies to be integrated this deeply
> into the browser." [1])
>

At least to some extent, that's true of any good integration of a third
party service. It's certainly true for search as well. Painting something
as foreign and possibly scary would be directly counter to the goal of
helping users make use of a valuable feature/service. If we don't think
it's something we can recommend/promote to our users, we simply shouldn't
include it. Same goes for if we don't believe our users can or should
trust a partner.

> Safe Browsing is a slightly better parallel, but does Firefox actually
> share browsing data for that? The documentation appears to claim that, at
> least in most cases, Firefox downloads a list and compares URLs locally:
> "No information about you or the sites you visit is communicated during
> list updates." [2] (In any case, I think Safe Browsing more or less
> qualifies as a search-engine-scale problem.)

Where's the arbitrary line for "that's too big for Mozilla to do?" The
reality is that Mozilla is still a relatively small company, and all of our
major competitors have a couple of orders of magnitude more people and
money to back their efforts. To compete with those companies we need to
maximize leverage, and make pragmatic decisions on whether to
buy/build/partner for each problem we want to solve.

I know there are people out there who don't want to use any website

>> whose code is closed source
>>
>
> I think this is a red herring, or at least isn't even vaguely the issue
> for me. A website's being open source doesn't have any bearing on its
> having access to people's private data. Mozilla software is open source and
> Mozilla is a widely trusted organization, but even Mozilla chose not to
> collect people's private bookmark data when it designed its sync system.

It's clearly not the issue if you're using Gmail, indeed! It's a tradeoff,
and we believe that for the significant majority of users this is an
acceptable one.

In creating any feature, Mozilla has to choose between partnering to get
>> it, or building it ourselves. And we can't build _everything_.
>>
>

> Mozilla can't build everything, but it clearly can build bookmark-syncing
> services, and it can build them in a way that protects people's privacy. To
> roll out a very similar feature in prime toolbar space that treats that
> same data in such a different manner from the existing functionality
> strikes me as a bizarre and worrying choice.
>

The question to ask is not whether we can build it, but whether we can
build it as well and as quickly, and what we would be giving up if we
committed to competing with the existing services. Pocket's a market
leader in this space, and focused entirely on this space. Playing
catch-up, and investing enough in development to match their user value
proposition (especially their mobile coverage) would be prohibitively
expensive.

-- Mike

[Dan Stillman]

On 6/9/15 3:19 PM, Mike Connor wrote:
>
> On 9 June 2015 at 07:04, Dan Stillman <dsti...@gmail.com

> <mailto:dsti...@gmail.com>> wrote:
>
>
> The Pocket integration seems almost purposely designed to blur the
> distinction between Mozilla and Pocket. (As Pocket's CEO put it,
> "With the exception of search, it’s rare for companies to be
> integrated this deeply into the browser." [1])
>
>
> At least to some extent, that's true of any good integration of a
> third party service. It's certainly true for search as well. Painting
> something as foreign and possibly scary would be directly counter to
> the goal of helping users make use of a valuable feature/service. If
> we don't think it's something we can recommend/promote to our users,
> we simply shouldn't include it. Same goes for if we don't believe our
> users can or should trust a partner.

With search you can switch to DuckDuckGo with a couple clicks. With
Share you choose from many different services. Pocket is integrated as a
sole provider for a core feature.

The issue for me is the combination of the privileged integration with
how different it is from Firefox's own bookmarks architecture a few
icons over. If Mozilla hadn't previously deemed user bookmark data so
sensitive that it merited client-side encryption, this wouldn't strike
me as so odd.

And it's not a matter of trust. Again, Pocket seems like a great
company. But sensitive user data is being sent, and Mozilla and users
have no control over what's done with it, now or in the future.

> I know there are people out there who don't want to use any
> website
> whose code is closed source
>
>
> I think this is a red herring, or at least isn't even vaguely the
> issue for me. A website's being open source doesn't have any
> bearing on its having access to people's private data. Mozilla
> software is open source and Mozilla is a widely trusted
> organization, but even Mozilla chose not to collect people's
> private bookmark data when it designed its sync system.
>
>
> It's clearly not the issue if you're using Gmail, indeed! It's a
> tradeoff, and we believe that for the significant majority of users
> this is an acceptable one.

I think the significant majority of users don't think about where their
data is going, which is why it's up to privacy-focused organizations
like Mozilla to do it for them. We should at at least acknowledge that
Mozilla's position on what is acceptable with regard to users' data has
changed dramatically from when Firefox Sync was designed. I imagine
there were third-party, unencrypted bookmark sync providers that Mozilla
could have partnered with to speed development of Firefox Sync, offer
more features, and avoid having to maintain a sync architecture. For
that matter, I imagine an unencrypted version of Firefox Sync that was
still run by Mozilla would have been significantly easier to develop,
but that's not what Mozilla chose to do.

>
> In creating any feature, Mozilla has to choose between
> partnering to get
> it, or building it ourselves. And we can't build _everything_.
>
>
> Mozilla can't build everything, but it clearly can build
> bookmark-syncing services, and it can build them in a way that
> protects people's privacy. To roll out a very similar feature in
> prime toolbar space that treats that same data in such a different
> manner from the existing functionality strikes me as a bizarre and
> worrying choice.
>
>
> The question to ask is not whether we can build it, but whether we can
> build it as well and as quickly, and what we would be giving up if we
> committed to competing with the existing services. Pocket's a market
> leader in this space, and focused entirely on this space. Playing
> catch-up, and investing enough in development to match their user
> value proposition (especially their mobile coverage) would be
> prohibitively expensive.

I think this is a false dichotomy. A version of this that piggybacked on
Firefox Sync, with its inherent data protections, wouldn't need to — and
couldn't, by definition — offer all of the features of Pocket. But it
would maintain Mozilla's position of protecting bookmark data by default
instead of shrugging and shipping that data off to a third-party company
without public discussion.

[Mike Connor]

On 9 June 2015 at 16:13, Dan Stillman <dsti...@gmail.com> wrote:

> On 6/9/15 3:19 PM, Mike Connor wrote:
>
>>
>> On 9 June 2015 at 07:04, Dan Stillman <dsti...@gmail.com <mailto:
>> dsti...@gmail.com>> wrote:
>>
>>
>> The Pocket integration seems almost purposely designed to blur the
>> distinction between Mozilla and Pocket. (As Pocket's CEO put it,
>> "With the exception of search, it’s rare for companies to be
>> integrated this deeply into the browser." [1])
>>
>>
>> At least to some extent, that's true of any good integration of a third
>> party service. It's certainly true for search as well. Painting something
>> as foreign and possibly scary would be directly counter to the goal of
>> helping users make use of a valuable feature/service. If we don't think
>> it's something we can recommend/promote to our users, we simply shouldn't
>> include it. Same goes for if we don't believe our users can or should
>> trust a partner.
>>
>
> With search you can switch to DuckDuckGo with a couple clicks. With Share
> you choose from many different services. Pocket is integrated as a sole
> provider for a core feature.
>

For now, yes. I don't believe that to be the long term plan. Until 1.0
Firefox only shipped with Google. The first version of the Social API was
Facebook only. Something has to go first, and it's way easier to do that
with a single partner for a v1.

The issue for me is the combination of the privileged integration with how
> different it is from Firefox's own bookmarks architecture a few icons over.
> If Mozilla hadn't previously deemed user bookmark data so sensitive that it
> merited client-side encryption, this wouldn't strike me as so odd.
>

Let's get this one out there. The original, strong-crypto-despite-bad-UX
Firefox Sync didn't resonate with a lot of users. I know, I led work on it
for years. It resonated with some (many of whom didn't even trust Mozilla
with the encrypted data!) but the vast majority of users didn't understand
or care about the added security. It was more of a liability than an asset.
Firefox Accounts make a different tradeoff as a result, and it's
unsurprisingly more popular (and _useful_) as a result. We still encrypt
data, however it's derived from a username and password, not a fully random
key.

> And it's not a matter of trust. Again, Pocket seems like a great company.
> But sensitive user data is being sent, and Mozilla and users have no
> control over what's done with it, now or in the future.

I don't believe it's viable to try to build everything ourselves, or limit
the usefulness of our products out of concern for what _might_ happen.
That's missing out on the best the Web has to offer, and the best product
experience for our users.

I think the significant majority of users don't think about where their
> data is going, which is why it's up to privacy-focused organizations like
> Mozilla to do it for them. We should at at least acknowledge that Mozilla's
> position on what is acceptable with regard to users' data has changed
> dramatically from when Firefox Sync was designed. I imagine there were
> third-party, unencrypted bookmark sync providers that Mozilla could have
> partnered with to speed development of Firefox Sync, offer more features,
> and avoid having to maintain a sync architecture. For that matter, I
> imagine an unencrypted version of Firefox Sync that was still run by
> Mozilla would have been significantly easier to develop, but that's not
> what Mozilla chose to do.

We made a very different decision in 2008 than we'd make today. That said,
I don't believe the use case of a reading list is the same as a bookmark
provider. Bookmarks are a browser feature, while reading lists/apps are a
very specialized case that isn't constrained to browsers. There are apps,
e-reader integrations, web sites, and more capable of consuming articles
saved to these services. Pocket in particular has a much bigger reach than
Firefox in terms of mobile devices (e.g. platforms we don't support), and
that's one of the major advantages of working with an established partner.

> The question to ask is not whether we can build it, but whether we can
>> build it as well and as quickly, and what we would be giving up if we
>> committed to competing with the existing services. Pocket's a market
>> leader in this space, and focused entirely on this space. Playing
>> catch-up, and investing enough in development to match their user value
>> proposition (especially their mobile coverage) would be prohibitively
>> expensive.
>>
>
> I think this is a false dichotomy. A version of this that piggybacked on
> Firefox Sync, with its inherent data protections, wouldn't need to — and
> couldn't, by definition — offer all of the features of Pocket. But it would
> maintain Mozilla's position of protecting bookmark data by default instead
> of shrugging and shipping that data off to a third-party company without
> public discussion.

I don't think "build a less useful product" is in line with what is good
for Firefox or our users. We actually did build this, and chose to go with
Pocket integration instead as it was considered a much more usable product
for our users. There are tradeoffs both ways, we chose to ship the better
product.

-- Mike

[Zachary King]

> >
> > With search you can switch to DuckDuckGo with a couple clicks. With Share
> > you choose from many different services. Pocket is integrated as a sole
> > provider for a core feature.
> >
>
> For now, yes. I don't believe that to be the long term plan. Until 1.0
> Firefox only shipped with Google. The first version of the Social API was
> Facebook only. Something has to go first, and it's way easier to do that
> with a single partner for a v1.

Then why the pocket branding and terminology?

It would be one thing if this was marketed as a general way to save things
for later and Pocket just happened to be the only provider at launch with
a published goal/process for adding more services (Instapaper for example).
That is an entirely different message than "Here is Pocket (a completely
independent, profit driven, third party) now integrated into core Firefox.

Having a dialog where you could add/remove/edit "save for later" providers
would go a long, way in my opinion, to curbing the anger about this. Some
of us use Firefox for the primary reason of them giving us choice. To be
totally frank, I prefer Chrome, but find Google as a whole kind of creepy.
I would like to think that there is still at least one browser I can still trust.

-Zach

[Daniel Veditz]

On 6/6/15 9:44 AM, mehmet...@gmail.com wrote:
> Making a bug report dependent on a conversation on external &
> proprietary Google Groups is against Mozilla Manifesto (#8, primacy
> of transparent community-based processes).

The governance group, along with many of our other fora, are primarily
Mozilla-hosted mailing lists which are mirrored as newsgroups and on
Google Groups for the convenience of people who have different needs or
preferences.

https://www.mozilla.org/en-US/about/forums/#governance

-Dan Veditz

[bga...@gmail.com]

No one from the Mozilla Foundation must have bothered to read the Terms of Service for use Pocket(TM) Technologies.

This is critical because it has become clear from Oracle's handling of Java that just because software is released under an open source license doesn't mean that derived works will not result in a lawsuit. While Nate Weiner may not be the ass that Larry Ellison is, any company that has obligations to investors tends to do whatever they can to "protect" their "intellectual property" and I expect Pocket(TM) to be no exception.

There are several red flags regarding Pocket(TM)'s Terms of Service and Privacy Policy. In fact, there are so many that they go beyond the scope of my reply. I will just focus on the ones I find the most alarming.

(1) The Terms of Service and Privacy Policy claim to go into effect by installing their software. By Mozilla Foundation including it as part of the Firefox install, the Pocket(TM) documents claim to require adherence even if the user never uses Pocket(TM). Hence, the documents put the user into a locked opt-in even if the disable Pocket(TM) from the config since they have still installed it. By it being left an add-on, the user was given a default opt-out. Despite this, the Pocket(TM) Terms of Service and Privacy Policy don't seem to be provided as part of the Firefox "know your rights."

(2) The Terms of Service License Restrictions clearly *prohibits* redistribution. While Pocket(TM) has made it clear they intends the Mozilla Foundation to distribute the Pocket(TM) Technology application but does this exception to the Pocket(TM) Terms of Service extend to any other form of redistribution? Is this yet another way the Mozilla Foundation is trying to make life harder for groups like Debian? Is this a trend of ToS encumbered code which could lead to a potential lawsuit if left included in IceWeasel?

(3) Pocket(TM) does not appear to provide any protocol description for providing a compatible service. Also, the Terms of Service prohibits writing one. More specifically, users that install the Pocket(TM) Technologies application can not "determine or attempt to determine any ... methods or techniques embodied in the Pocket application or any portion thereof."

(4) Pocket(TM)'s Terms of Service also prohibits any modification or to create any derivative works based on the Pocket(TM) Technologies application. So, if you get around the previous issue and somehow create your own service compatible with the pocket-protocol, you can't modify the application to configure it to use an alternative server.

Overall, everything about the Pocket(TM) Terms of Service goes against any claim that Pocket(TM) truly intends the included Pocket(TM) Technologies application under the spirit of the MPL. Any attempt to by users to leverage their rights under the MPL in regards to this code intermixed into Firefox will but the user in a legally precarious position.

If Pocket(TM) did intend to honor the freedoms the Firefox community has come to expect, they would have done the following:

(A) Clearly state in the Privacy Policy and Terms of Service that agreement only takes place at *USE* instead of claiming user agreement for installing.

(B) Clearly state in the Terms of Service that the ToS License Restrictions do not apply to MPL covered code provided by Pocket(TM).

(C) Provide a clear protocol description document to assist in third-parties maintaining or modify the code.

(D) Provide a reference implementation of the server side of the pocket-protocol to assist in third parties maintaining or modifying the code and for users to setup their own private servers without having to accept the Pocket(TM) Privacy Policy. They would be under no obligation to provide support and could even make providing support only available via payment.

Pocket(TM) has decided to do none of the things above.

Instead, the bottom line is everything that MPL should allow are things the Pocket(TM) Terms of Service clearly indicates that Pocket(TM) is prepared to take legal action against doing. Mozilla's inclusion of this seems to be a bait and switch on their open source mission statement. This is not something that can just be "fixed" by providing instruction to "disable."

[David Rajchenbach-Teller]

Well, we have to start somewhere.
But yes, I believe that liberating the service from its single source
would be a very good step.

Best regards,
David

On 10/06/15 01:48, Zachary King wrote:
> Then why the pocket branding and terminology?
>
> It would be one thing if this was marketed as a general way to save things
> for later and Pocket just happened to be the only provider at launch with
> a published goal/process for adding more services (Instapaper for example).
> That is an entirely different message than "Here is Pocket (a completely
> independent, profit driven, third party) now integrated into core Firefox.
>
> Having a dialog where you could add/remove/edit "save for later" providers
> would go a long, way in my opinion, to curbing the anger about this. Some
> of us use Firefox for the primary reason of them giving us choice. To be
> totally frank, I prefer Chrome, but find Google as a whole kind of creepy.
> I would like to think that there is still at least one browser I can still trust.
>
> -Zach

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance
>

[southa...@gmail.com]

What was Mozilla thinking on this? It was already an extension. This is madness. I have spent the week removing all traces of firefox from dozens of workstations. The about:config disable is not an acceptable solution. As there is still a for-profit api/system sitting on the machine. We left Navigator way back in the day for the same reason. It seems it is time to abandon this ship too.

[ignaci...@gmail.com]

On Friday, June 5, 2015 at 6:59:56 PM UTC-3, tucker....@gmail.com wrote:
> (Pasted from https://bugzilla.mozilla.org/show_bug.cgi?id=1172126. There are some comments on Hacker News at https://news.ycombinator.com/item?id=9667809).
>
> Mozilla's recent integration with Pocket, a proprietary third-party service, is a mistake.
>
> It is very exciting to see the ways in which Firefox continues to improve. And it's even more exciting to see the ways that Mozilla advances it's stated mission outside of the Firefox browser with new developments like Firefox Accounts. Pocket now allows you to log in on their site using your Firefox Account; being able to authenticate with a trusted third party like Mozilla is a huge win for online privacy advocates and the Mozilla community. However, adding Pocket as a built-in feature to Firefox should not have been done.
>
> This is particularly surprising since it was Firefox that made browser extensions mainstream. Pocket should have been an extension (in fact, a Pocket extension used to exist). It could have even been bundled with the browser. This distinction is important, since extensions can be removed entirely, whereas currently Pocket can only be disabled.
>
> The user experience of disabling Pocket is not good, either. It needs to be disabled in about:config, which is not at all user friendly, and therefore not in line with Mozilla's mission. In the past, Mozilla has been very good about showing the user what new features have been added to the interface and explaining any privacy implications that may come with them. That is why I was so surprised when the Pocket icon suddenly appeared in Firefox Developer Edition a couple days ago. It is so unlike Mozilla to introduce something like that, I ran a virus scan and checked what programs had been installed recently -- I assumed it had been put there in the same way that IE users used to get the Ask Toolbar installed.
>
> It may also not be clear to some users that, even when signing in with your Firefox account, you are still giving your email address to a third party whose privacy policy is different than Mozilla's. Many users would not assume this, since it is a feature that is bundled with the browser.
>
> Mozilla's recent blog post about the Pocket feature is titled "Firefox Puts You in Control of Your Online Life" (https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in-control-of-your-online-life/). Had this been coming from a startup, that post would be humorously ironic. But given how much people care about Mozilla and it's stated mission, it is more painful than funny.
>
> Firefox should continue to add new features that benefit its users, but those features must be done in accordance with Mozilla's core values. This feature should've been done as an extension, which allows for greater user choice and avoids bloat. Most importantly, there was very little public discussion about this inclusion of a proprietary, third-party service. It's a huge departure from Mozilla's commitment to transparency. The existence of the Pocket code in Firefox is a bug in the browser, and it does not adhere to Mozilla's core mission.

Seems like it's time to uninstall Firefox and hope a good fork is made (all current forks are lacking in some respect). Even if Mozilla "changes their mind" on this one, it's clear what their intentions are for Firefox, and they'll keep trying to shove more 3rd-party datamining bloat whenever they get the chance.

[alex...@gmail.com]

On Tuesday, June 9, 2015 at 5:25:09 PM UTC+3, Gijs Kruitbosch wrote:
> > Firefox has always been about empowering the user. You never dumb things down for them, you give them a choice. If there's an add-on we want, we find it or we create it. The add-ons should not be implemented into Firefox outright, because then you're removing that "choice" by providing it to people who never asked for it in the first place.
>
> We give people a choice, but we do make a "what's the default" choice,
> no matter which feature or add-on is concerned. We pick defaults that we
> think make sense. Implementing things that add-ons provide as default
> doesn't remove choice (assuming things can be overridden or turned off,
> like with pocket, and/or don't seriously interfere with a large number
> of users' usecases (I don't think we need a built-in "off" switch for
> bookmarks or tabs, for instance)). It changes the default behaviour. I
> would contend that it is fully part of Firefox being Firefox (and indeed
> probably any good product/browser) that it continues to try to have sane
> and useful defaults.

1. There is a difference between blessing an option and making an option the default.
Including Pocket by default would have meant preinstalling a Pocket addon.
What has been done here is privileging Pocket over alternative solutions.
Is is not the same as providing a default search engine.
The only advantage a search engine gets by being provided by default is being the one available right after installation and nothing more. It can be replaced by the user at any time with any alternative and the behavior remains the same.
On the other hand you can not replace Pocket. You can disable it and install an addon for an alternative but Pocket will still be there (not loaded in memory, but still there). You can point browser.pocket.api somewhere else but alternatives would have to follow the Pocket API. But things are not equal.
There is nothing to say that after a radical update like FF28 ->FF29, Pocket wouldn't magically be enabled back.In doing so, you are endorsing Pocket more than just offering it as a default option would have. This is made worse by points 2 and 3.

2. Pocket is a Software as a Service provided by a for-profit company. It is SaaS and by definition the user can not control it. It is not freedom respecting because:
A) there is no self-hostable FLOSS Pocket Server available for anyone to use instead and
B) Read it Later Inc. controls the API.
(that comment about non-free Javascript was an attempt to derail the discussion)

3. To make the above points worse, Read it Later Inc. gets access to private data (email address, reading list, timestamps, etc). If this was done using a locally encrypted file and synchronized using a blessed (as in point 1) file hosting SaaS provider (let's say Dropbox), the situation would not have been as bad because the list itself would have been protected by a layer of encryption and only the user would have access. The SaaS provider would only get timestamps and maybe an email address.


As someone above already said, endorsing a non-free SaaS solution by blessing it and in doing so encouraging users to give private information to a for-profit company goes against the Mozilla Manifesto.

There is more to say about Mozilla betraying users trust with previous moves but that can get off topic quickly.

[Gian-Carlo Pascutto]

On 9/06/2015 15:05, commen...@riseup.net wrote:
> Mozilla was
> highly criticized and there's still reason to do so regarding “safe
> browsing” when you know that “[...] existing cookies you have from
> google.com, our list provider, may also be sent.” [2]
>
> [2]
> https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

I couldn't find that statement on the linked page. If it is there, it
should be removed because it's no longer accurate. We sandbox the
SafeBrowsing cookie so any pre-existing google.com cookie will *not* be
sent.

--
GCP

[Gian-Carlo Pascutto]

On 9/06/2015 16:24, Gijs Kruitbosch wrote:
> On 09/06/2015 14:47, snafum...@gmail.com wrote:
>> Adblock plus and ublock origin are by far the most popular add-ons for
>> Firefox. Will you be implementing those by default, too?
>
> Part of the effect of these add-ons (in terms of not being tracked and
> pageload improvements) is currently (being) implemented in Firefox
> Nightly, yes.

We've already shipped Tracking Protection (and the resulting pageload
speedup). It just wasn't enabled by default.

That isn't ad blocking, though. My impression is that we're unlikely to
ship full ad blocking by default (until better alternatives are in
place) because of the impact on the web ecosystem.

That is, those add-ons are popular, but as they become more popular,
more sites are adding countermeasures, and we don't want to this to get
into an arms race.

(Well that was wildly offtopic)

--
GCP

[commen...@riseup.net]

On 2015-06-09 20:00, Gian-Carlo Pascutto wrote:
> I couldn't find that statement on the linked page. If it is there, it
> should be removed because it's no longer accurate. We sandbox the
> SafeBrowsing cookie so any pre-existing google.com cookie will *not* be
> sent.

It's there, it's visible or not depending on your Firefox version [1].

Here's the wikicode responsible for this behavior:

{for not fx27}In both cases, existing cookies you have from google.com,
our list provider, may also be sent.{/for}

[1] (search for "our list provider" in this page)
https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work/compare?locale=en-US&to=95843&from=94875

[Gavin Sharp]

We fixed the "sandbox safebrowsing cookie" bug as of Firefox 27
(https://bugzilla.mozilla.org/show_bug.cgi?id=368255), which shipped
in February 2014.

Presumably the "{for not fx27}" syntax in that markup reflects that.
So that the line appears if you use very old versions of Firefox,
since those very old versions don't have the fix.

Gavin

[commen...@riseup.net]

On 2015-06-10 12:36, Gavin Sharp wrote:
> We fixed the "sandbox safebrowsing cookie" bug as of Firefox 27
> (https://bugzilla.mozilla.org/show_bug.cgi?id=368255), which shipped
> in February 2014.

That's a good thing.

> Presumably the "{for not fx27}" syntax in that markup reflects that.
> So that the line appears if you use very old versions of Firefox,
> since those very old versions don't have the fix.

Or if Javascript is disabled/enabled on a whitelist basis (NoScript).


-- C.A.

[Robert Kaiser]

Gervase Markham schrieb:

> On 09/06/15 04:22, Nicholas Nethercote wrote:
>> What I'm saying is this: don't mix up the two arguments above. If
>> you're really upset by the Pocket integration, it's almost certainly
>> because of the first argument above, so don't get side-tracked by the
>> second argument.
>

> Right. And the first argument is strange because this is not the first
> time we've done this.

Most notably, when we introduced the Social API, we had a Facebook
button appear automatically in primary UI (which I found bad because of
what Facebook represents, but that's a slightly different topic).

The big difference is that in that case, we had defined a vendor-neutral
API and didn't just use whatever their API is and make ourselves
dependent on the partner (as we have with Pocket), we did not import
unreviewed code drops from the partner (as we did with Pocket, even
though we required them to open-source that code), and we didn't ship
their icon as part of the actual installed product but downloaded it
afterwards (unlike what we do with Pocket).

I think we should look into correcting those things, with the necessary
diligence (and not with another rushed effort) though.
I still wonder if shipping their product in our downloads is a trademark
issue esp. for people doing rebuilds of our code, where we intentionally
remove our own branding, but the Pocket icon remains.
Also, if you replace the URL in the prefs with a different service that
uses the same API, you now have the Pocket icon and Pocket-branded
strings refer to a completely different service, which I think is
problematic in the long run.

This may be OK for this initial release (even though I'm unhappy with
the quality decisions we made there in general), but we should IMHO
improve upon those things in further work and future releases (and the
proper release train testing of the changes).

KaiRo

[john9...@gmail.com]

Gerv & DavidRaj... @mozilla

This is a long and popular thread. Perhaps it is worth starting a moderated adjacent thread just for the official mozilla answers to this and loosely related Pocket questions.

This thread is heading for 100 posts and 5k views.
You may already be aware that Mozilla staff at support.mozilla (sumo) rule much of this Pocket related discussion as off topic on Sumo and direct people to this governance list.

Specifically also note a sumo staff member filed a bug [1171569] after saying
Why can't the Pocket integration be fully removed?
>I believe the intention for the "browser.pocket.enabled" config option
>is to allow complete removal of Pocket integration from all menus.
>It has become apparent that this is not the current behavior.
>This is definitely a bug, which I will be filing shortly.

I am sure users will be aware of the Mozilla Feedback option,but many will be looking for somewhere to get a response and explanation of perceived problems or unfathamable decisions.

[Gervase Markham]

On 10/06/15 13:29, commen...@riseup.net wrote:
> Here's the wikicode responsible for this behavior:
>
> {for not fx27}In both cases, existing cookies you have from google.com,
> our list provider, may also be sent.{/for}

Right; so we fixed that problem in Firefox 27.

Gerv

[Gervase Markham]

On 10/06/15 06:21, bga...@gmail.com wrote:
> (1) The Terms of Service and Privacy Policy claim to go into effect
> by installing their software.

Whoa, there. Pocket's Privacy Policy applies if you use the
Firefox-integrated Pocket, sure. But are you sure their ToS apply? The
ToS from which you quote seem like they are designed for a proprietary
product; all Pocket-integration code in Firefox is open source.

What is the URL for these Terms of Service, and what makes you think
they apply to Firefox Pocket?

> By Mozilla Foundation including it as
> part of the Firefox install, the Pocket(TM) documents claim to
> require adherence even if the user never uses Pocket(TM).

I'm pretty darn sure that's not true.

> (2) The Terms of Service License Restrictions clearly *prohibits*
> redistribution. While Pocket(TM) has made it clear they intends the
> Mozilla Foundation to distribute the Pocket(TM) Technology
> application but does this exception to the Pocket(TM) Terms of
> Service extend to any other form of redistribution? Is this yet
> another way the Mozilla Foundation is trying to make life harder for
> groups like Debian? Is this a trend of ToS encumbered code which
> could lead to a potential lawsuit if left included in IceWeasel?

All Pocket code in Firefox is open source, full stop.

> (3) Pocket(TM) does not appear to provide any protocol description
> for providing a compatible service. Also, the Terms of Service
> prohibits writing one. More specifically, users that install the
> Pocket(TM) Technologies application can not "determine or attempt to
> determine any ... methods or techniques embodied in the Pocket
> application or any portion thereof."

Again, not sure if that actually applies to Pocket-in-Firefox; but I
would fall over backwards in astonishment if someone who installed
Firefox was thereby legally prevented from writing a server compatible
with the Firefox Pocket API.

Gerv

[Christopher Carpenter]

Hello Gervase,

In response to:

Perhaps, although I've not see anyone say "I've read Pocket's privacy
policy, the one that applies to this feature (as amended in consultation
with the Mozilla privacy team) and I object to X, Y and Z."

I'm assuming that this privacy policy is the correct one:
https://getpocket.com/privacy accessed 2015-06-09T17:06:00Z.

I normally don't get into these kinds of conversations and I'm not exactly
a stakeholder with firefox (I use it exclusively, but I don't donate to
mozilla or anything) but I thought I'd fill in some detail here. There
have been people complaining specifically about the privacy policy, but I
think they were drowned out by the other arguments. Recently (after the
quoted comment by you, I believe) commen...@riseup.net had a more
coherent privacy policy related argument, and I will reiterate some of
their argument here.

I am not a lawyer, but this line in the privacy policy is the biggest
problem to me:

In the event that we or certain of our assets are acquired, user
information may be included among the transferred assets.

I'd rather not have some big investment bank get a hold of my personal
information + URLs I've saved and be able to sell that to someone/do
whatever with it. If I understand privacy policies properly (which is by
no means guaranteed) this is a perfectly plausible scenario since the new
company would not be bound by it's terms.

Another thing I dislike about the policy, specifically because it appears
that all the information is stored unencrypted on the servers, are these
pretty standard lines:

Although we strive to protect the personal information of our users,
we will release personal information if required by law or in the
good-faith belief that such action is necessary. We follow the law
whenever we receive requests about you from a government or related to
a lawsuit. We will notify you when we are asked to hand over your
personally identifiable information in this way unless we are legally
prohibited from doing so. When we receive requests like this, we will
only release your personally identifiable information if we have a
good faith belief that disclosure is necessary or appropriate under
applicable law. Nothing in this policy is intended to limit any legal
defenses or objections that you may have to a third party's request to
disclose your information.


Basically no one better store links on articles about anything illegal!
Since all the URLs you saved are stored plain text, that could be used
against you if the law decides to ask for it.

Compare this to part of the non-legal part of the firefox sync privacy
policy(it's easier than the legalese):

Firefox Sync on your computer encrypts your data before sending it to
us so the data isn’t sitting around on our servers in a usable form.


Basically, I think any service that is this integrated into firefox should
live up to the type of privacy policy that firefox sync has. I don't even
care if they(pocket) store the URLs I store in an anonymized way but then
encrypt the part that says which URLs I have saved (so that they can still
make money of the anonymized information). I would prefer their server
software to be open source, but the privacy concerns are a much bigger
problem.

Basically, if they would make it to where the law nor businesses that
acquire pocket can easily figure out what URLs I have saved then that
would fix my biggest objection with the service being integrated (Though I
also have concerns about them controlling the "standardized" API for other
backends to be integrated). As it stands, I find the integration of pocket
unacceptable.

Another acceptable option for me would be for mozilla to put the effort
forth to integrate with another backend for this functionality that does
meet my privacy concerns above, and make that default while keeping pocket
as an easily accessible option. Similar to the existing search engine
functionality, but with a privacy conscious choice being the default.

Finally, a barely acceptable option for me would be to do all of the above
but keep pocket the default. I'd feel better about this if pocket paid for
the privilege like yahoo did to be the default search engine.

Thank you,
Christopher Carpenter

P.S. I apologize if this doesn't properly make it into everyone's threaded
view. I subscribed to this topic with my work email but didn't want to
send this from that email as my views do not represent my employer. I had
to manually recreate the subject/to and am not entirely sure I did it
properly.

[B Galliart]

On Wednesday, June 10, 2015 at 11:07:22 AM UTC-5, Gervase Markham wrote:
> On 10/06/15 06:21, bga...@gmail.com wrote:
> > (1) The Terms of Service and Privacy Policy claim to go into effect
> > by installing their software.
>
> Whoa, there. Pocket's Privacy Policy applies if you use the
> Firefox-integrated Pocket, sure. But are you sure their ToS apply? The
> ToS from which you quote seem like they are designed for a proprietary
> product; all Pocket-integration code in Firefox is open source.
>
> What is the URL for these Terms of Service, and what makes you think
> they apply to Firefox Pocket?

The *ONLY* Terms of Service related to Pocket(TM) software seems to be at:
https://getpocket.com/tos

There is no exclusions listed for Pocket(TM) application in open source form. If you have a different Pocket(TM) ToS that applies to the open source version, please let us know. Currently, the *ONLY* ToS that I can find clearly states:

"By installing the Pocket(tm) application, visiting our website or installing or using any of the Pocket Technologies, you are accepting these terms of service. If you do not agree to these terms, please do not install our application, access our website or use any of our products or services."

So, since Pocket(TM) application is now part of Firefox, if you don't agree to the ToS then you are told not to install the application where due to the integration means users can't install *ANY* of Firefox without agreeing. There is nothing in the ToS that disabling the Pocket(TM) application releases the Firefox user from the ToS. The wording of the Pocket(TM) ToS requires *UNINSTALLING* the application (Firefox with Pocket integration) if the user doesn't agree. This should put obligations on Mozilla Foundation to update the "Know Your (lack of) Rights" document accordingly.

> > By Mozilla Foundation including it as
> > part of the Firefox install, the Pocket(TM) documents claim to
> > require adherence even if the user never uses Pocket(TM).
>
> I'm pretty darn sure that's not true.

I am pretty darn sure that is what the only terms of service document that Pocket(TM) provides says given it claims to apply simply by *INSTALLING* it. If you are pretty darn sure there is an exclusion, please quote the exclusion.

> > (2) The Terms of Service License Restrictions clearly *prohibits*
> > redistribution. While Pocket(TM) has made it clear they intends the
> > Mozilla Foundation to distribute the Pocket(TM) Technology
> > application but does this exception to the Pocket(TM) Terms of
> > Service extend to any other form of redistribution? Is this yet
> > another way the Mozilla Foundation is trying to make life harder for
> > groups like Debian? Is this a trend of ToS encumbered code which
> > could lead to a potential lawsuit if left included in IceWeasel?
>
> All Pocket code in Firefox is open source, full stop.

There is applying the letter of open source (such as OpenJDK) and then there is adhering to the spirit of open source. The only Terms of Service document that Pocket(TM) makes available seems to make clear they have no intention of adhering to the spirit of open source. This is a rubber stamp job.

> > (3) Pocket(TM) does not appear to provide any protocol description
> > for providing a compatible service. Also, the Terms of Service
> > prohibits writing one. More specifically, users that install the
> > Pocket(TM) Technologies application can not "determine or attempt to
> > determine any ... methods or techniques embodied in the Pocket
> > application or any portion thereof."
>
> Again, not sure if that actually applies to Pocket-in-Firefox; but I
> would fall over backwards in astonishment if someone who installed
> Firefox was thereby legally prevented from writing a server compatible
> with the Firefox Pocket API.

If they intended to allow people to write a compatible server, why are they use an undocumented API call of "/v3/firefox/save"? Can you find anyplace at http://getpocket.com/developer/ which fully documents or even directly references what that API call does?

If you are so sure of the legal basis that Firefox users are permitted by Pocket(TM), why don't you try supplying the documentation on that undocumented API call or a reference server implementation of it?

Why is Mozilla now including code designed for a closed source API from a single vendor?? While it is similar in functionality to CEPH or OpenStack SWIFT, it is also enough different that anyone attempting to port the Firefox Pocket(TM) code to either of those might as just rewrite the code again from scratch.

Mozilla Foundation should have done a better job of reviewing the Terms of Service before including this and attacking their own "Known Your Rights" document. They should not have done such a poor job of code review as to allow code that claims to follow the "Public API Documentation [at] http://getpocket.com/developer/" and then later in the same code make API calls that are undocumented.

Once this Pocket(TM) application integration is forced by the Mozilla Foundation on Firefox stable users, I will honor the requirements give to user not accepting of the ToS and perform the required uninstall of the Firefox/Pocket(TM) application. It isn't that I want to stop using Firefox, I just can't accept the Terms of Service that Firefox is now integrated into regardless of what features are enabled/disabled because of *INSTALL* time provisions being issued.

[Gervase Markham]

On 09/06/15 14:05, commen...@riseup.net wrote:
> First of, it seems like you do not remember how “safe browsing” and the
> now gone “location service” were welcomed back at the time. Mozilla was

> highly criticized and there's still reason to do so regarding “safe

> browsing” when you know that “[...] existing cookies you have from
> google.com, our list provider, may also be sent.” [2]

I think Safe Browsing is a critical part of making a browser competitive
in 2015. Perhaps we simply disagree on this.

> the ones provided by pocket: among other things (see my previous mail)
> pocket is meant to store data.
>
> Storing data is something that Firefox has been capable of doing for years.

I think you underestimate the amount of effort it would take to build a
service competitive with Pocket. See Mike Connor's posts for why Mozilla
would need to invest a great deal of time and energy to get feature
parity with Pocket. Being able to retrieve and read the content on
pretty much every platform under the sun from Blackberry to Kindle is a
significant advantage.

> Any computer science student can put a pocket clone together in a
> weekend. There's nothing fancy, challenging nor complicated. There's
> already a series of free softwares that does the exact same thing
> (“wallabag” [3] among tens of others).

How would that work? When you click the "Save for Later" icon, it pops
up a box saying "Please give the API endpoint and login details for your
personal Wallabag server"?

Gerv