Yeah, its so intuitive for the average person to type: about:config in address bar and scroll through hundreds of oddly named parameters to turn off spyware.

Comments like yours are illustrative of a certain mindset. When you encounter the complexity of domains you are not intimately familiar with (court system, law, finance, etc), and those complexities are designed specifically to make it hard for you to protect yourself, I'm sure you are just as understanding as you are now.

You're being hyperbolic, you don't need to go into about:config.

It's right in the main browser settings, under the Privacy and Security section where one would expect settings like this to be

If what you say is true, please point me to where I can find the following privacy settings in the main preferences:

  network.websocket.enabled
  network.IDN_show_punycode
  dom.event.clipboardevents.enabled
  dom.storage.enabled
  dom.indexedDB.enabled
  dom.battery.enabled
  dom.enable_user_timing
  dom.enable_resource_timing
  dom.netinfo.enabled
  layout.css.visited_links_enabled
  browser.safebrowsing.phishing.enabled
  browser.safebrowsing.downloads.remote.enabled
  browser.safebrowsing.malware.enabled
  browser.send_pings
  beacon.enabled
  privacy.donottrackheader.enabled
  privacy.trackingprotection.enabled
  dom.enable_performance
  datareporting.healthreport.service.enabled
  datareporting.healthreport.uploadEnabled
  toolkit.telemetry.enabled
  toolkit.telemetry.unified
  media.peerconnection.enabled
  media.peerconnection.ice.default_address_only
  media.peerconnection.ice.no_host
  media.eme.enabled
  media.gmp-eme-adobe.enabled
  webgl.disabled
  geo.enabled
  camera.control.face_detection.enabled
  device.sensors.enabled
  security.tls.unrestricted_rc4_fallback
  security.tls.insecure_fallback_hosts.use_static_list
  security.ssl.require_safe_negotiation
  security.ssl.treat_unsafe_negotiation_as_broken

Errr... is "dom.enable_performance" really a privacy setting?

Doing someone online searching now, not seeing an explanation for it. There is one other HN post though, also mentioning it in a privacy context, but not further info either. :/

> It's right in the main browser settings, under the Privacy and Security section where one would expect settings like this to be

If you asked me "where would you go to change settings to prevent the browser from violating your privacy and infringing on your security?", then, yes, I would go to "Privacy and Security". If, however, you asked me "what would you expect to find under 'Privacy and Security'?", my answer would be that that's where I would go to protect myself from malicious websites, not from malicious browsers.

(I know that 'malicious' is quite, and almost certainly too, strong here, but the point is that I think, and am explicitly encouraged to think, of Mozilla as being on my side against the sites I visit, and I don't think it's natural to expect that I will start thinking of how I need to protect myself from Mozilla to use their products in the way that I, rather than they, intend.)

How are you supposed to do turn the defaults to a reasonable level of privacy without launching Firefox once though?

I remember it was asking if I want participate in studies when I installed FF for the first time.

It is.