On Bitwarden, at least for now, it's mostly Open Source … for techies, for the server-side, there's Vaultwarden which is easy to self-host and with self-hosting of FOSS software you achieve true data sovereignty.
I'm an EU citizen and I worry about the US as well, but we need to be careful about this migration to EU services, as in some areas the European alternatives aren't good enough and people will go back to Big Tech, instead of preferring a FOSS solution that happens to have US dependencies.
Under ePrivacy, websites only need to show a cookie banner when they are doing spyware shit. There are exceptions to this, but generally speaking you don't need a cookie banner for functionality that the user expects. As one example, you don't need a cookie banner for a login cookie or for storing the user's preferences.
While the law has flaws, it's very frustrating to see people misinterpret it, instead of reaching the correct conclusion that the vast majority of websites are spyware. And that it's not the EU's law that is to blame, but rather standard internet practices related to analytics and the serving of ads.
Whoa, slow down there. You can't just go around asking people to read first-party sources and think critically on their own about an issue without getting their opinion from their feed or influencer of choice. That's an unreasonable and insane expectation! /s
The first-party source is Mozilla themselves skirting around saying, but very heavily implying they are now selling unspecified data about me to unspecified actors, in a legally binding way, then walking it back with a pinky promise that is not legally binding, so doesn't actually mean anything.
And here's another credible source explaining Mozilla's mistake in making this decision based on language that was only present in a draft version of the CCPA, as opposed to the final version, but which also made it to Wikipedia: https://news.ycombinator.com/item?id=43276624
Most of the conversation on this topic never moved past the first misunderstanding, just a bunch of irrational kvetching at Mozilla by people who read an (incorrect) summary of the situation.
Why do you trust everything the allegedly bad guys say? By reading it and thinking critically as you said we all should, I can easily see that they are following the pattern that many bad guys follow: write some legalese allowing them to do bad stuff, then write some non-binding non-legalese saying they won't. Then only point at the latter to silence complaints. And then, the next step in the pattern is to actually do the bad stuff, while continuing to point at the non-binding non-legalese.
Whereas you seem to be taking what they said at face value, which is not critical thinking.
Not much changed on Mozilla's side, only the law (e.g., CCPA, GDPR), because technically speaking (as far as CCPA is concerned), Firefox has already been “selling” users' data.
Furthermore, at this point, that legalese talks about features that the user expects. Otherwise, in the EU, Firefox would be forced to ask for explicit consent. GDPR is so strong that when Firefox actually sells your data, you'll know it, because in the EU it will have to tell users exactly how or why.
Note that Mozilla was already hit with a privacy complaint in the EU due to PPA [1] because it's opt-out instead of opt-in. Whether they'll be found guilty by EU's DPAs, it really depends on whether they actually anonymize that data, as they claim to do, or not. Note here that the GDPR doesn't accept pseudo-anonymization as being valid anonymization.
Of course, it may take a while to find the outcome of such complaints, just note that as far as the GDPR is concerned, that Privacy Policy of theirs doesn't count for squat. It really doesn't matter what they claim in their Privacy Policy, unless they are lying, i.e., if they actually “sell the data” of users in a way that users don't expect as part of the service, then the GDPR asks for explicit consent (opt-in).
Technically speaking, they've already sold user data since 2006 because they've been installing Google Search as the default, used, for example, for search suggestions. So everything you type in that address bar goes to Google, and they get paid for it. Of course, search suggestions are part of the service that the user expects, but note that the user's search history can also be used for user profiling by Google. So as far as the CCPA is concerned, that's selling user data. And, very importantly, Firefox has been funded by ad-tech since 2006, much like all Chromiums and even Safari.
What's actually new is that Mozilla wants to diversify. Which is good, as the Search deal is in jeopardy and those hundreds of millions of $ they need to fund the browser aren't going to come from donations. So they would like an alternative to cut the middleman, i.e., Google. If that alternative is also privacy preserving and at the very least opt-out (though I'd prefer opt-in), then that's even better than the status quo.
People unhappy with this deal are people that hate advertising, or any reasonable monetization strategy, as if a viable browser with an independent engine could be funded via the donations of people that ad-block YouTube instead of paying for Premium.
---
TLDR:
1. Nothing actually changed, and that Privacy Policy doesn't count for squat.
2. Results matter, not words, results such as that wonderful offline translation feature, which is a great showcase of privacy preserving AI tech that only Mozilla pulled ;-)
PS: Isn't it odd that whenever the underdogs get boycotted, the winners are always the Big Tech solutions that are far worse in every aspect?
First of all, while many valuable perspectives are offered here, the legal nuances of the CCPA are complex and usually best assessed by those with formal legal expertise. It seems to me that individuals without legal training are the primary source of the allegation, so I believe that allegation itself needs to be taken with a grain of salt, as those making the accusation are quite possibly missing key legal context. This isn't intended as an insult, rather, just an objective observation from my perspective. Please ask a lawyer or law school friend to review all of this, including both the blog post and other HN post I linked above, as well as the links in that HN post, which include a law blog citing the drafting error. I encourage everyone with legal expertise to review these points and share additional insights. I am offering numerous, reputable, cross-checked sources for my position, something I haven't seen or heard from the people arguing for your position. If you have more information to share, please do share it. I want to have as holistic an understanding as possible here, after all.
Second, Mozilla as an entity has a lengthy track record of being the only big good guy in the "browser wars" for a long time. The entire ethos of Mozilla - both the foundation and the corporation (not the same business entity, another detail the many voices weighing in on this subject aren't even aware that they didn't know, but which is directly relevant to the legalese of the CCPA) - was to preserve a free, open-source, less untrustworthy major browser, in the face of IE and Chrome, both products of companies that have taken a more opaque approach to their proprietary code and have been involved in decades' worth of controversial experiments on (and changes to) user privacy, unlike Mozilla. Microsoft and Alphabet (Google) want to hide their code from you because their code contains a bunch of functionality that is optimal for the business' interests, but malicious from the perspective of end users who value privacy, freedom, and their right to determine what code runs on their own machine.
This brings me to my third point, that Mozilla's Firefox is COMPLETELY open source. If Mozilla was trying to slurp up user data to sell it, they wouldn't keep their product open-source, because the community would just strip out all the bits they don't like. Contrast to Alphabet (Google), who are literally deprecating Manifest V2 to prevent the community from developing ad blockers that actually block all ads, or Microsoft's documented historical practice of waging war on open standards through "Embrace, Extend, Extinguish". Lengthy, obvious, and well-documented patterns of abuse like that exist for both Microsoft / Alphabet (Google). Contrast to the lengthy pattern of standing up against that very same abuse from Mozilla. Keeping Firefox open source is antithetical to the interests of an entity which was trying to surreptitiously slurp up user data the way Microsoft and Alphabet (Google) do. While each organization has merits of their own, the availability of transparent, open source code (specifically, for the final product - not just an open core like Chromium) can help ensure that power users and developers like us have ways to verify and challenge any potentially problematic practices - something that Mozilla has remained committed to, but which Microsoft and Alphabet (Google) had never fully embraced to begin with.
Fourth, if you've read Firefox's blog posts, if you've read the discussion I linked to above, if you've read the articles about the CCPA drafting error, if you've read the Wikipedia article, confirming that it did contain the incorrect draft language, if you understand that lawyers interpret everything legalistically (not the way ordinary people do), I believe this all paints a picture of an honest misinterpretation on Mozilla's part of the obligations the CCPA might put on them, in the least generous interpretation of the draft language of the CCPA. This does make me sympathetic to the possibility that Mozilla made an honest mistake, but sympathy and trust are not the same, which brings me to my fifth point below.
I'm not "trusting" anything Mozilla says. I'm reading into, understanding, and verifying all of it. And again, even if Mozilla was trying to do such a thing, their current open-source architecture makes those efforts completely irrelevant to developers like myself and many others here who can read, understand, and make modifications to, and rebuild from source. Given the established track record of Mozilla and the documented shortcomings with proprietary browsers in this regard, one might consider whether some of the criticisms (that are encouraging people to trust a narrative that results in a snap judgement against Mozilla without reading into the details) could be influenced by broader competitive dynamics. Nonetheless, it’s important to evaluate each claim on its validated merits.
This brings me to addressing your concerns directly: you make a perfectly valid argument in favor of remaining vigilant, and I support this! Keeping an eye on Firefox source code modifications, monitoring the situation over time, and so on. These can be done while simultaneously assuming Mozilla made a genuine mistake here, and isn't secretly plotting against our interests. The narrative that Mozilla has suddenly turned evil is broadly inconsistent with Mozilla's lengthy track record of standing AGAINST such abuses from Microsoft and Alphabet (Google). That narrative alone is also NOT a reason to spread FUD about a browser that, as of this moment, remains WAY more trustworthy than the "main" alternatives that most uninformed users would migrate to, should they leave Firefox.
A good-faith, open, evidence-based discussion is key to ensuring our whole community understands these complex issues, and I'd accordingly invite you to share more evidence to support your interpretation, which I will read and consider in good faith.
Microsoft can push Edge on Windows users that don't know any better. They also aren't concerned about the web, as long as Edge is a vehicle for Bing and their ads. In that sense, Microsoft's interests align very well with those of Google's.
Chromium is controlled by Google and their interests. It is Open Source; however, Google has complete control over it, even though it has other contributors as well. Yes, it can be forked, should Google's stewardship go entirely wrong, but doing so would mean spending many resources that most companies can't afford.
To give an ancient example: ActiveX. Which Google almost copied in Chrome via NaCl / PNaCl. Mozilla with Firefox stood their ground and proposed asm.js: https://en.wikipedia.org/wiki/Asm.js — out of all this effort came WebAssembly, which is more well-defined and at least smells like a good standard.
Now, of course, depending on where you're coming from, you might view these efforts as being good. ActiveX was good as well, many apps were built with it, it's where XMLHttpRequest (AJAX!) comes from. It also locked people into IExplorer and Windows.
Yet another example that should speak for itself — the deprecation of the Manifest v2 APIs that make good ad-blockers work: https://ublockorigin.com/
And yet another example: Firefox for Android supports extensions, whereas no Chromium fork does. There was a Chromium fork that tried doing it (Kiwi?) but at this point it's discontinued, as the burden was insurmountable.
Microsoft can always decide to fork Chrome: stop integrating upstream changes from Chromium and develop their own browser based on one specific Chromium release.
They gave up their own engine because it wasn’t good enough.
If Google turns in a direction Microsoft doesn't like, they can develop their own engine based on the best one currently available. As long as Google's direction is satisfactory to Microsoft, they can just save a lot of money by using it.
I don't disagree, and yes, you make a good point, and I added that the interests of Google and Microsoft coincide, which is also bad for us. The banning of ad-blockers, for instance, is also in the interest of Microsoft.
I think Microsoft just doesn't care about ad-blockers. They probably don't have a strong position on it. If they work, it's fine for them; if they don't, it's also fine.
They need to ship a good browser with Windows, because a lot of their enterprise customers rely heavily on web applications. A lot of Microsoft enterprise applications are browser apps. The purpose of Edge is not primarily web browsing.
In 2024, Microsoft generated 12.58 billion dollars in revenue from advertising, which is nothing to scoff at.
And we also have to look at future opportunities — the share of the advertising market may be small, but they represent THE alternative to Google's ads, including on all alternative search engines.
If they aren't concerned about ads or ad-blockers, then why are they so aggressive about pushing Edge on Windows users? And in the EU, when people first open up the Edge browser, why do they inform people that Edge will share their data with the entire advertising industry?
> They gave up their own engine because it wasn’t good enough.
It wasn't good enough because they had neglected it, not because they didn't have the talent or cash to make it good enough. They didn't want to. The bugs had been a moat to keep Firefox out of the enterprise, and it had worked. That was not going to work against Google, who had a good business reason to own the browser, unlike Microsoft at that point.
IE at a fairly early point became purely a market manipulation to funnel Windows users. They spent far more cash on the legal effort to bundle a shitty, buggy browser with Windows that kept every muggle's installation a permanently infected radioactive mess (one of the primary marketing points for their competitor, Apple) than they spent on the browser itself. I honestly blame the competition from Apple for both the ditching of IE and for Windows Defender.
I don't think Microsoft cares about browsers. They'd even fork Firefox if blink got too hostile.
My conspiracy theory: Apple is going to buy Ladybird, and on some level they're already working together. Apple holding a high-quality Open Source non-copyleft alternative to Google and the flailing Firefox ecosystem, built from a new greenfield design by absurdly qualified people, is absolutely going to be worth a billion $ to them. Apple will end up on both Windows and Linux, and not in the horrible form of iTunes, but as the objectively best choice for a gateway to the internet. And written in Swift.
It's hard to tell if they neglected the original Edge or if they just couldn't keep up with Chrome.
IE was a completely different story, it was full of proprietary Microsoft technology (ActiveX) and a lot of Enterprise applications used it heavily.
Microsoft didn't care about browsers maybe 15 years ago, but this changed a lot. A lot of Microsoft software is just available in the browser, they migrated a lot of things to web technology. That's also the reason they switched their browser to Chromium, they needed to ship something that actually works.
> Apple is going to buy Ladybird, and on some level they're already working together.
Even without (conspiratorial) intent this seems to be happening unintentionally. Andreas is ex-Apple, after all, and that's why he switched development away from his own language to Swift. I wonder if it's analogous to Xamarin and Miguel de Icaza inevitably eventually ending up at Microsoft.
That said,
> Apple will end up on both Windows and Linux, and not in the horrible form of iTunes, but as the objectively best choice for a gateway to the internet. And written in Swift.
Sounds like too good a no-brainer to actually happen, at least under current leadership. Few of these "dream mergers" ever actually happen. Another example, Apple buying DuckDuckGo as a counter against the Google search monopoly, has never come close to happening after years of speculation.
That the GDPR is “all bark and no bite” is factually untrue.
As an example of a service that was forced to change to get in line with GDPR: Facebook.
For user profiling, they first tried to use their Terms of Service, then they tried claiming a legitimate interest, then they tried offering paid subscriptions, and now they are at the point where they somewhat degrade the experience of those refusing to be profiled. I'm not talking about the fines, I'm talking about EU citizens being able to use Facebook while refusing to give their consent for profiling. I'm also talking about the ability to download your data or to delete your data from their servers, which was also the outcome of GDPR.
Facebook has also received multiple GDPR-related fines, maybe it's not enough, but it's only going to get worse, as EU regulators are also eyeing them for the spread of election misinformation. Actually, Zuckerberg has been kissing Trump's ring because he's hoping for some protectionism from the US. He said so in his now infamous Joe Rogan podcast episode.
And for the DMA — well, Apple now allows alternative browser engines within the EU, as just one example.
So I just don't understand why people make this claim. The DPAs may be slow, but that's not a good argument. Law enforcement in general is slow. And the fact is that the GDPR is changing the Internet, which is undeniable.
Not in the EU myself but I don't think so. There's a specific entitlement that has to be granted and last time I looked nobody has ever done it.
I learned one interesting tidbit from the latest Ladybird progress report: apparently, in order for an engine to actually be eligible to get this entitlement, it has to have a higher than 90% WPT pass rate. I think it is absolutely fascinating that this is part of the criteria. The era of more-or-less free distribution on desktop platforms couldn't be more different from the totalitarian control of iOS and the slightly less restrictive control of Android. It almost feels like what happened with home computers was an accident, a circumstance that was only temporary and that once it is finally taken away we'll never get it back.
It's weird to think about. The evolving nature of computer security has definitely created some serious challenges for having a more open distribution model, but by and large nobody wants to try to solve that, and there's not much of an incentive to. The problem is, though, that closing down distribution doesn't just magically solve the problem of trust, it centralizes it to a single entity, with all of the many problems that come with that.
People, of course, seem to defend this practice tooth and nail. Like, it's not enough to just have the option of curated walled gardens: it's important to be forced to use them, because your agency could be used against you by other massive corporations, by coercing you to sidestep security measures. (Nevermind the fact that the existence of said abusive mega corporations is, in and of itself, a problem that should be dealt with directly...)
Meanwhile, I'm just blown away. I have an iPad with an M1 processor. It has virtualization capabilities. It could run VMs, if Apple would let it. Volunteers have gone to great lengths despite JIT restrictions and sandboxing to make decent virtualization software for iOS, entirely free of charge. But instead, they updated iPadOS to explicitly remove the hypervisor framework in a major OS upgrade, and of course, it being an iPad, you can't even choose to downgrade it. Now I'm not saying running a desktop OS in a VM is an ideal experience for a tablet, but the damn thing has a keyboard cover and all manner of connectivity; it would be extremely useful to allow this, especially given how relatively powerful the device is. Yet, you can't.
And sure. If you don't like it, don't buy it. I largely don't buy Apple products anymore, but I have a few for various reasons. They're very nice pieces of hardware. But the thing is, the market isn't incentivized to offer alternatives to Apple. What Apple has accomplished with the App Store is absolutely unparalleled: 30% of all revenue. Everywhere, in every app. Perpetually. Forever. Holy Shit. And sure, there are technically exceptions, but let's face it: they play fast and loose with their own rules. When even Patreon is forced to pay 30% you know they are just going to push anyone with enough revenue into it with some rationale. So I personally struggle to believe that there will be alternatives if nothing is done. It's not a matter of people not being willing to buy viable alternatives, it's more a matter of nobody being able to sell them, because doing the arguably unfair thing profits hand-over-fist and nobody can fucking compete with that.
So we're here, bargaining with the richest company in the world, for the ability to be able to download a web browser that isn't Safari in a trenchcoat.
I don't like all EU regulation, but it's kind of unreal to watch this unfold and see how people actually defend this status quo. I still struggle to reconcile how people who consider themselves hackers or at least adjacent to hacker culture can see all of this and not feel dead inside.
> It almost feels like what happened with home computers was an accident, a circumstance that was only temporary and that once it is finally taken away we'll never get it back.
Home computers gave full control to the owners because there was no other choice. There was no internet, no way to push updates or hoover up data. Anything that happened on those machines had to be initiated by the user. They have been working on pulling all that back ever since always-on internet became something that can basically be taken for granted.
And thankfully a lot of people realize that’s utter bullshit and are taking measures to fight off further enshittification. I’m not a nationalist but things like the GDPR and DMA make me proud to be European.
> I'm also talking about the ability to download your data or to delete your data from their servers, which was also the outcome of GDPR.
I’ll admit that I did this years ago so it may be different now. Facebook just gave me a copy of the data that I explicitly uploaded to Facebook: text posts and images. There was no other data about my login history or request history or anything else that (I believe, perhaps mistakenly) the GDPR considers as my personal data (cross-site tracking is the big one). There’s also no way to verify that my deletion request was honored, even for those text posts and images, but that will probably never be false so that’s kind of a weak point, IMO.
Not that I disagree with your overall point, just wanted to offer some words of concern on this particular point.
The GDPR is very clear (despite what those who profit from breaching it would like you to believe): consent for non-essential data collection/processing should be strictly opt-in. You can't opt in by default, you can't use dark patterns to trick people into opting in, and you can't degrade the experience to coerce people to opt in.
Yet by your own comment's admission, Facebook has tried multiple blatant breaches of the regulation, and is still in business and trying their latest iteration of pseudo-compliance, which means whatever enforcement there is, it's clearly not enough.
When it comes to the DMA, Apple is currently on track to receive a (very low) fine for not actually complying, by still preventing developers from letting users know they can pay for apps/services outside the App Store for cheaper. So clearly the potential penalties and actual enforcement are low enough that Apple is (rightly) calling their bluff.
I can now use Facebook without being profiled for ads. I can also delete my account.
It took longer than expected, but it happened. The GDPR has forced Facebook and others to change.
People may want huge fines, but then the EU is accused of targeting US companies or suffocating innovation. I don't want fines necessarily, I want results.
As a European citizen, why would I want my taxes to fund a browser built by a US entity and still subject to the whims of the current US administration?
Unless you mean that Mozilla should move completely to Europe, sure. But the part about the EU not telling Mozilla what to do is naive. If my taxes pay for it, of course I want the EU to tell Mozilla what to do.
Just a few days ago, they updated their android application info and stated they're going to share location data with third parties for "Advertising or Marketing" purposes...[1]
They also removed a promise to "never sell your data" in their FAQ[2] 2 weeks ago.
Sure, but my point is that Firefox has been funded by Google since 2006, and by having it as the default search engine, Firefox has been sending suggestion queries and searches to Google.
Of course, the nuance here is that this was part of a user action, i.e., the user probably wants to search, so they expect data to be sent to Google (although the address bar suggestions are a gray area IMO). However, what hasn't been expected, and the whole purpose of the GDPR, is that Google does store your search history for advertising purposes without user consent.
So, even if it was unavoidable, Firefox has already been selling user data to Google by simply making it the default search engine and getting paid to do it.
BTW, the GDPR is really strict, and I'll know that Firefox actually sells my data (in a way that I don't expect) when I'll see a GDPR interstitial about it for getting my consent. For instance, when you first open Microsoft's Edge in the EU, they inform users that they're going to share their data with the entire advertising industry.
As I understand, these "data safety" sections are what Google gives app owners to comply with "right to be informed". If they say "we're sharing location data with third parties for Advertising purposes" I'm believing it.
I agree that they should really be asking for consent as well, but they don't seem to be doing that. We've got no way to use legitimate location related functionality and deny advertising related usecases. Remember, consent must be specific and granular.
It'll be a while until enforcement catches up. It's taken ~6 years for cookie banners to get a "reject" button, and those are really easy to review and enforce.
It'll happen though, enforcement is just slow. GDPR is a fairly well written regulation, as far as corner cases and catching workarounds goes. So unless the laws change, enforcement will catch up eventually.
https://github.com/dani-garcia/vaultwarden