Firefox is a less bad option, even with the recent stupid policy changes they've made.
Or there are a bunch of other options that care about privacy (see https://privacytests.org/). Brave, Librewolf, Arc, Zen, Orion (Kagi's thing). I tried Orion for a few days recently, but it started crashing randomly and felt unstable and slowed down after real-world use (3-6 windows, many many tabs, dev tools, etc).
I really wish there was more competition here from the smaller, privacy focused players...but the reality is building a browser is insanely difficult for the modern web.
Firefox didn't make stupid policy changes. Firefox made policy changes they were legally required to in order to comply with a stupidly-worded California law.
And thank WHATWG for making it impossible for indie players to remain compliant with modern standards by turning W3C's eminently reasonable and wholly sufficient specifications into a hulking monstrosity that's simultaneously large enough to be used as a stress test for your mobile browser's rendering engine (seriously. go try to load up 'view-source:https://html.spec.whatwg.org/'. At the time of writing, the HTML for that single-page version is over 98,254 lines composing over 15MB of plain HTML) while simultaneously quite literally being defined as a continuously moving target.
> Firefox didn't make stupid policy changes. Firefox made policy changes they were legally required to in order to comply with a stupidly-worded California law.
They had other options, including not collecting and selling user data. The California law is working as intended.
They're not selling user data in any sense that any ordinary, reasonable person would understand, only in California's excessively broad definition that may technically cover a litany of entirely noncommercial uses, like using opt-in customer metadata to improve their own free product, without distributing it to any third party at all.
Businesses like to avoid risk where possible, and Mozilla's lawyers pushed this wording to ensure compliance with the riskiest possible interpretation of California's ambiguous and poorly-worded law.
The Mozilla Corporation sharing user metadata with the Mozilla Foundation to assist with internal decision making may technically meet California's definition of "sale of data" despite constituting absolutely nothing even vaguely resembling what laypeople would consider a "sale of data".
Note that the CCPA's "third party" clause is part of an "OR" set, alongside "another business". Mozilla Foundation and Mozilla Corporation are respectively "another business" relative to each one's self, despite not being unrelated third parties.
The problem is not that Mozilla is actually selling user data (they're not in the sense that any layperson would understand "selling data" to mean), the problem is the way the California law is worded.
As usual, tech-illiterate politicians aren't even competent enough to write laws with the nuance and understanding required to not botch the entirely good and justified intention without pointing a loaded legal gun at the heads of the genuinely innocent. Think along the lines of the CFAA's legal risks to good-faith security researchers¹, or how the DMCA would technically criminalize discussion of how to decode Pig Latin if that was used as a copyrighted media protection technique.
It appears you are trying to explain why CCPA's does not meet the laypersons definition of "selling data". After reading your explanation I'm none the wiser. Given no one has replied, I suspect that's true for most people. They've just scratched their head and moved on.
I was about to do that too, when it dawned you probably have no idea people don't understand what you are saying. Maybe an example would help. Its needs top be something a layman would not consider to be "selling data" but the CCPA defines that way.
Claiming that users just don't understand what selling their data means is incredibly patronizing. Everyone colloquially understands that "selling user data" isn't limited to just selling ZIP archives of our browsing history, but also includes e.g. targeted advertising by the likes of Google, which is precisely why we sought alternatives that explicitly promised not to sell our data.
I'm not making the claim that users don't understand what "selling their data" means, I'm making the claim that Mozilla is not doing anything that any reasonable person other than a lawyer interpreting the CCPA in the most unreasonable way possible would consider what Mozilla is doing to be "selling of data". It's an internal transfer between the Mozilla Foundation and the Mozilla Corporation that doesn't even involve money. No payments. No third parties whatsoever. In the CCPA's poor and ambiguous wording, this does technically constitute "sale of data", as the CCPA defines it. Please read my other newer posts in this thread.
> The reason we’ve stepped away from making blanket claims that “We never sell your data” is because, in some places, the LEGAL definition of “sale of data” is broad and evolving. As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
How is the CCPA stupidly-worded when that's what a layman would think "selling data" means?
I do wholeheartedly agree with your sentiments about the WHATWG though, as someone who contributed to Pale Moon's development. That web browser cartel should be investigated by the US government for anti-competitive practices as they did with Google and Microsoft.
>How is the CCPA stupidly-worded when that's what a layman would think "selling data" means?
Because it is the twisty logic that lawyers can apply which is relevant to mitigate legal risk, not what a layman would think.
Where I work, our lawyers are convinced that running our code in the cloud to run our service counts as "distribution" under the terms of open source licenses. Because a cloud employee might accidentally look at it or something? Who knows. A lawyer sees legal risk in things you or I don't; they should know I guess!
The Mozilla Corporation sharing user metadata with the Mozilla Foundation to assist with internal decision making may technically meet California's definition of "sale of data" despite constituting absolutely nothing even vaguely resembling what laypeople would consider a "sale of data".
Note that the CCPA's "third party" clause is part of an "OR" set, alongside "another business". Mozilla Foundation and Mozilla Corporation are respectively "another business" relative to each one's self, despite not being unrelated third parties.
The problem is not that Mozilla is actually selling user data (they're not in the sense that any layperson would understand "selling data" to mean), the problem is the way the California law is worded.
As usual, tech-illiterate politicians aren't even competent enough to write laws with the nuance and understanding required to not botch the entirely good and justified intention without pointing a loaded legal gun at the heads of the genuinely innocent. Think along the lines of the CFAA's legal risks to good-faith security researchers¹, or how the DMCA would technically criminalize discussion of how to decode Pig Latin if that was used as a copyrighted media protection technique.
So I've read the CCPA again, and I've realized that Mozilla may have made an error in quoting the relevant part of the law in their blog. This part they quoted:
> As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”
Anyway even then I'm not sure if the Foundation would've been considered "another business", since "business" is defined first as any "legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners", which MoFo clearly doesn't do. There's the second definition might've covered the Foundation (since they control the Corporation which is covered by the first definition), but AFAIK the Corp doesn't share any consumer personal info back into the Foundation (if it does that would be concerning)
I was sitting here thinking everyone else was wrong under the assunption that almost nobody here actually tried to read and interpret that wording in the least generous way possible (i.e. how lawyers intetpret everything), but I guess the joke's on Mozilla and I for reading the wrong version.
Your attention to detail here is exceptional and commendable. I used to feel that Mozilla's decision here was defensible and misunderstood, but it's now looking more like Mozilla and I are guilty of misunderstanding, after reviewing your claims here.
Thank you for having the patience to explain in such detail! Posts like yours here are part of the magic that elevates HN discussions over so many other forums on the web these days :)
The blog was written by product management, and most likely legal just generally told them that they got their justification from the CCPA's definition of sale, and the PR/marketing just searched for it and gave it to the blog post's author. Since Wikipedia is usually the first result in a search engine (and even has its own infobox), that's probably what they went with.
Or there are a bunch of other options that care about privacy (see https://privacytests.org/). Brave, Librewolf, Arc, Zen, Orion (Kagi's thing). I tried Orion for a few days recently, but it started crashing randomly and felt unstable and slowed down after real-world use (3-6 windows, many many tabs, dev tools, etc).
I really wish there was more competition here from the smaller, privacy focused players...but the reality is building a browser is insanely difficult for the modern web.