Firefox now has Terms of Use! This'll go over like a lead balloon.

You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.


mozilla.org/en-US/about/legal/…

Update: See below in the thread for their clarification.

in reply to Taggart

So if they decide ads based on my artwork/writing help me "navigate, experience, and interact with online content," they have the right to steal it from me and use it in their "privacy-respecting" ads?
in reply to NotARobot

@TruelyNotARobot I'm not a lawyer but I don't see how. You were never presented with these conditions. If Mozilla thinks that they can say "this is available under a free software license but oh there's this other website where we take away your rights that you were never notified about" that's uhhhhh not the way it works.

@_tissa_ @mttaggart

in reply to Oliver Geer

@WebCoder49 the problem with things that can be interpreted differently is that if your interpretation doesn't match Mozilla's, and they do a snatch and grab of all your stuff, your only recourse is an expensive lawsuit, which no matter which way it is finally decided, the only parties that win are the lawyers.

@copiesofcopies @mttaggart

in reply to Aaron Williamson

@copiesofcopies Yeah, that seems more correct.
The last line is pretty telling "..as you indicate with your use of Firefox".
If you didn't indicate that you wanted Firefox to take your artwork then Mozilla doesn't get that permission. They only get the permissions to do what you "indicate".
The other important part is "When you upload or input information through Firefox"

Basically it's just saying that if you indicate that you want to upload a photo to x website, by for example dragging an image into Firefox, then you give Firefox permission to send it to that website you are on.

To rephrase, when you upload through Firefox, you give Firefox the permission to do what you indicated, i.e. uploading.

The true meaning of the quote seems to have blown over @mttaggart 's head like a helium balloon.

in reply to rsp

@rspfau @copiesofcopies The lawsuit environment in USA is quite insane. People file lawsuits over any small thing.
And lawsuits are expensive. Often it just turns into a battle of attrition by money.

A terms of use document is a cheap way to stand stronger in those battles.
It's not something that is required, but one day you might wish your company had one.

Just go have a look at the page, it's mostly just textbook things like "You Are Responsible for the Consequences of Your Use of Firefox",
if you eat Firefox you are responsible for your tummy-ache
mozilla.org/en-US/about/legal/…

in reply to Taggart

@copiesofcopies The way Mozilla has been going recently, and the way it's worded, I'm having two hunches.
1. This is required for their new advertising initiative. Mozilla wants to collect (presumably anonymous) data about shown ads and conversion.
2. This can be used for some kind of AI thingy. Like, imagine a local neural net that'll get trained on sites you visit and images you upload.
in reply to F4GRX Sébastien

@f4grx @infosecdj I couldn't say without being directly involved with development. However, the devs have said they plan to support popular extensions, but are currently focused on building the engine. It is being built from the ground up after all, and Alpha (to early adopters) is only scheduled for Summer 2026 at this stage.
in reply to Taggart

This clause explicitly separates the information they claim license over from the data collected in the Privacy Notice. This clause is more expansive—"information uploaded through Firefox" is basically anything in a HTTP request or a websocket.

mozilla.org/en-US/privacy/fire…

in reply to Taggart

This is the press release. I do not believe there is concord between this language and the actual policy: blog.mozilla.org/en/products/f…

in reply to Taggart

Hey FWIW, Vivaldi does not have anything like this language: vivaldi.com/privacy/vivaldi-en…

in reply to Taggart

I have spent my night reading browser Terms and Privacy Policies. Why? Because I love you and hate myself, apparently.

So here's the deal: that "non-exclusive, royalty-free, worldwide license" you're granting to Firefox/Moz when you upload data through it? It is boilerplate language. Pretty common actually!

But not in browsers. In fact, not a single browser ToS has anything resembling this provision.

Know what does?

Facebook
X
Instagram

I wonder why Mozilla would want to use the same language those platforms do.

in reply to Taggart

Mozilla has updated their press release with the following clarification:

UPDATE: We’ve seen a little confusion about the language regarding licenses, so we want to clear that up. We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn’t use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.


blog.mozilla.org/en/products/f…

That is good to hear, but their reasoning makes no sense given that no other browser uses that language.

in reply to Irenes (many)

> that it's one of two things:

  1. Mozilla's lawyers overthought it and came up with something weird and unnecessary and are now regretting they didn't loop in the PR team
  2. the company needs this permission because it intends to use this permission, because it intends to use browsing data in all the ways everyone is concerned about

in reply to Taggart

I think it makes sense for specific services that need to transit through Mozilla's servers first, but for anything else it doesn't. Examples of such services would be account synchronization, online translation (although Firefox has offline models, but maybe they also have online?), search suggestions (pretty sure those go through a Moz server that also serves "recommended" sites)... Essentially all optional features that aren't the core of what a browser does, but some may be enabled by default so it's easier for them to just ask for the rights to use the necessary information instead of having the users specifically activate them and get an extra clause to look at. Although having them opt-in by default would be more privacy friendly...
in reply to Advanced Persistent Teapot

@http_error_418 @ireneista So, having done a fairly exhaustive review of browser terms, I can tell you that this language is rare. But when it's present, such as in Arc's terms, it is explicit about the use of your data in transmission, and that's it. Arc is also notable—perhaps because it is an AI product—for starting its Privacy Policy with statements about what it will not collect from you. Firefox's policy, sadly, makes no such definitive claims.
in reply to Taggart

What I find troubling is the vagueness about 'upload' - to me, an upload is anything at all sent in the upstream, including personal logins and private identity data you may be sharing with a secure system. If this is what they mean, then they need to break down exactly what data is being collected. Is it everything you send to a site via the browser?

Or is this whole thing just about basic telemetry that you can disable in privacy settings?

in reply to Taggart

> We need a license to allow us to make some of the basic functionality of Firefox possible.

Which basic functionality, exactly?
How, exactly, would it be impossible without the license?

> Without it, we couldn’t use information typed into Firefox, for example.

Use *how*, exactly?
Can we please be more specific here, @mozillaofficial ?

in reply to Taggart

Could this be a precursor to rolling out Privacy-Preserving Attribution (PPA)?

noyb.eu/en/firefox-tracks-you-…

in reply to Taggart

My priority criteria are full @ublockorigin compatibility and support for all my user scripts and user styles for fragile or consent-contemptuous sites requiring something more complex than uBlock Origin filters. Tab containers are also important.

Essentially, I care about ensuring I can eat my cake and still have it: block each part of every site that doesn't serve my purpose, and still make the parts which do serve my purpose work despite that.

in reply to Taggart

I notice they haven’t clarified the section on collecting data for “Compliance with law in responding to data subject rights requests, responding to law enforcement requests, managing and protecting our (and our users) rights, property and/or safety. Legitimate interest, where compliance is not appropriate, in supporting legal or regulatory processes or requests, preventing fraud and managing and protecting our (and our users’) rights, property and/or safety.”
in reply to Taggart

sorry, in case i'm answering rhetorical questions, but those platforms have that license thing because they publish your content.

So that would mean mozilla wants to publish my browsing behavior?

AI training could be kind of seen as publishing, but the license seems to be too heavy for that.

I think gmail has that clause as well, so advertising?

Well once it goes into effect we should be able to DSGVO it.

in reply to Leeloo

help.vivaldi.com/desktop/priva…

Update: The project to remove our unique ID stalled after we encountered unexpected deviations in the number of users counted using other methods. We spent a lot of time researching and understanding the reasons for this. We have concluded that the numbers we get using a unique id are more accurate, so we are sticking with it at the moment. It’s as important not to over-count as it is not to under-count as we develop Vivaldi.
in reply to Tamsyn Ulthara 🏳️‍⚧️⛧🎃🐈‍⬛

@TamsynUlthara Librewolf is cool in theory but kind of Opinionated™. Seriously, deleting all your history when you close the browser??? That should NOT be on by default, what the actual fuck. (I knew there was something I didn't like about its defaults last we tried it, but couldn't remember what, so I looked it up just now and found its settings docs and..yeah.)

Is there something like it that's less... *waves paw* yeah?

Kinda sucks because I'm a wolf and I would love a Wolf Browser that's actually good. But yeah.

in reply to Frost「|霜の狼|人面獣心」

I agree that the LibreWolf defaults are ... not the best for people using it as a standard browser. The idea is to make it as secure and private as possible by default, and let the user scale that back as necessary.

The one thing I find the most annoying is having it always open its window to certain dimensions on startup, to reduce fingerprinting, with no way (that I've found) in the settings to disable it. It doesn't matter in my tiling window manager, but on other machines I've had to use an extension to work around this.

in reply to Frost「|霜の狼|人面獣心」

It would be nice if there were a toggle to easily make LibreWolf more-or-less as functional as standard Firefox, just minus the privacy-invasive bullshit from upstream, and let us add more security/privacy as we saw fit. Right now we have to work in the opposite direction, which is frustrating for new users. (Once you get past that initial one-time phase of tweaking the settings, the experience is solid, IMHO.)
in reply to davidhanzlik

@davidhanzlik Per OMG Ubuntu, they are new new: omgubuntu.co.uk/2025/02/mozill…
in reply to Taggart

is this not the same boilerplate language used in almost every website that hosts user content?

Like, no doubt it’s weird for a browser to do this but that wording is typically for allowing websites to publicly host your content on their service/equipment and allow things like image cropping/ re-sharing etc.

Makes me wonder if they’re going to start like, hosting servers as intermediaries between the user and whatever site they’re uploading to. I can’t see why that’d be worth it though except maybe in situations where the end site is unstable. Even if it is at the end of the day for training purposes, I can’t imagine they’d not have some kind of cover story to justify it.

Unknown parent

sp00ky cR0w 🏴

@da_667 vivaldi.com/blog/manifest-v3-u…

We will keep Manifest v2 for as long as it’s still available in Chromium. We expect to drop support in June 2025, but we may maintain it longer or be forced to drop support for it sooner, depending on the precise nature of the changes to the code.
in reply to Taggart

The part about gathering data “to prevent harmful, unauthorized or illegal activity” worries me even more…

mastodon.social/@sarahjamielew…


There is also the incredibly broad "To comply with applicable laws, and identify and prevent harmful, unauthorized or illegal activity." in which Mozilla states they may gather "all data types" - among the defined types include: searches, browsing data (visited URLS), content and any other data.

In support of nebulously defined "identify and prevent harmful," and in response to law enforcement.

That "learn more about" link just goes to a list of definitions.


in reply to Taggart

OK e-mailed legal-notices@mozilla.com

(Note it is a lot more than this one clause where they expand their claimed right to spy on you, and i encourage your e-mails to reflect this where i did not. See Sarah Jamie Lewis' thread, social.coop/@sarahjamielewis@m… )

Anyway what i wrote, before i read that:

Firefox does not have any right to information i enter into the URL address bar or forms on websites

My feedback and suggestion here, absolutely you can use for free.

in reply to benjamin melançon

Which is that this clause is wildly unacceptable, and you need to make very clear that you do not and will not ever spy on people while they browse:

"When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox."

in reply to benjamin melançon

Sounds like a ridiculously overbroad claim so that you can stick "AI" down our throats and advertisements, but with this start you will hand over our private data to a fascist government, too.

And again, that sentence is making a claim to data that was never intended to be shared with Mozilla, that is and must remain solely the private personal communication between the person using Firefox and the website being visited.

in reply to Taggart

Reminds me of Chrome's "Enhanced ad privacy" in the way this seems to be a form of privacy washing.

Source: ghacks.net/2023/07/01/all-chro…

in reply to Taggart

I'm surprised to see you spreading FUD like this.

How is this license different than any other license for any other web-based application?

You know how many things your browser interacts with to display what it does and you also know that there are a handful of tools like Firefox Sync or Pocket built into it that interact with backend services that Mozilla runs, and those things probably already had terms like this so....

I'm straining to see any way in which this is an issue other than the fact that everybody in the entire universe is going to make it an issue, because we go through this fucking dance every single time everyone ever sees this language, even though it's used in like every EULA ever and you'd think people would get it by now.

sigh

in reply to Taggart

So is the issue you're taking here that the EULA is not sufficiently granular, in that it doesn't distinguish between usage for data provided for standard browsing versus data transmitted to built-in services like Sync?

I'm calling this FUD specifically because I think your interpretation of this language, which we really do see almost everywhere, is particularly uncharitable (to put it nicely.)

I'm as frustrated with Moz' governance as everyone else, but I do not think this EULA is some great evil. I think this is probably them trying to have one standard EULA instead of separate EULAs for every damn thing they do, plus they didn't have one at all AFAIK for the data they exchange to provide standard things like CRL lookups and safe browsing checks.

in reply to mav

I guess if you want to say that your beef with it is that this could be stretched to say that every time you submit data to a site you're giving Mozilla a license to use it, but I don't think that's what they intended at all. Moreover, Firefox IS using your data, and if you use Sync, may very well be saving stuff about what you did (depending on what kind of access you did.)

Asking them to clarify is certainly not unreasonable, but this is hardly a "panic let's all switch to Chrome" kind of scenario.

in reply to mav

@mav Respectfully, you are imputing intent where there is none in the language. For one thing, "Sync" shows up nowhere in this paragraph. The language is "When you upload or input information through Firefox." That is broad, and I must assume intentionally broad.

Look, we can disagree on intention, but think defensively. Let's assume Mozilla does want to do gross stuff with my HTTP requests. With this tacit contract, I've agreed to that usage, and any attorney worth a damn could argue so in front of a judge or jury. It's not what they will do; it's what the language could let them do.

@mav
in reply to Taggart

in reply to mav

@mav This is a very confusing claim, given that I above linked Vivaldi's Terms, which do not include this seemingly intentionally-vague or expansive language. And those terms satisfy me just fine. So I guess it is possible to satisfy me!

If by "what they acquire," you are referring to the enumerated data in the Privacy Policy, the paragraph in question in the new terms is clear that they are referencing a set of data including, but not limited to, that data. That, combined with the expansive "Uploaded through Firefox" language, is neither normal nor particularly comforting.

Now, your points on defensive tooling are pure goalpost-moving. Yes, any service can decide to "go evil," as you put it. But look at how Mozilla has been behaving. Why the hell would I give them the benefit of the doubt now?

As far as what's been hashed and rehashed, I cannot recall a time when a web browser, much less an open source one meant to be a paragon of privacy, has included language like this.

I could be entirely wrong! But look at the pattern and tell me I shouldn't be wary.

@mav
in reply to Taggart

in reply to Taggart

I blogged about this for a wider audience: quippd.com/posts/2025/02/26/mo…

Also open to feedback!

Unknown parent

Taggart

@Polychrome @lispi314 Yours is a very charitable reading of the clause. But let's consider Mozilla's recent behavior, and ask how much good faith is due. Can you imagine no more expansive interpretation of this language?

I've spent the night reading browser Terms. Not a one includes a clause like this. They do explicitly call out GDPR, which this oddly does not (the Privacy Policy does have appropriate EU affordances). You know what does use this language?

Facebook.

Unknown parent

Taggart

@Schouten_B I do not agree.

You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet.


This means the set of data to which the "license" applies includes, but is not limited to, the data defined in the Privacy Policy. That's why the "when you upload or input information through Firefox" clause is so concerning to me. We don't know the bounds of that expanded set, only that it is expanded.

Unknown parent

Taggart

I am certainly not an EU law expert, but Article 5, section 1 of 2001/29/EC would seem to obviate this concern:

  1. Temporary acts of reproduction referred to in Article 2, which are transient or incidental [and] an integral and essential part of a technological process and whose sole purpose is to enable:

(a) a transmission in a network between third parties by an intermediary, or

(b) a lawful use of a work or other subject-matter to be made, and which have no independent economic significance, shall be exempted from the reproduction right provided for in Article 2.

Unknown parent

Taggart

This...makes my point? The enumerated services do not include the browser qua the browser. This is the distinction! Google is not, it seems, claiming a license over all HTTP requests you send anywhere via Chrome. But Firefox now is.
in reply to Mani and the Nonos

@maniandthenonos Ain't no best. As this entire conversation demonstrates, browsers are an intensely personal choice. For some, it's a value statement. For others, the choice is purely pragmatic. There have been several mentioned in this thread that prioritize different aspects (privacy, openness, compatibility, etc.). I personally like using Vivaldi, but that's a non-starter for a lot of people due to its Chromium base. Shop around!
Unknown parent

Simon Lucy

@jens @ireneista

Then the licence cannot be a blanket one but specific to the purpose. Given search terms are currently used without licence and search results are storable and reusable without a specific licence it simply puts a barrier between the user and Mozilla that wasn't there before.

Given that search behaviour has not needed to be licenced up to now and it's a necessary feature of a browser enforcing one now is bound to fail without consideration.

Unknown parent

Derek McAuley

@neil @TheVampireFishQueen One @lilianedwards and I did a piece of theatre at #Gikii on this a few years back - in the context of the Databox project, a self hosted personal data store - if data never left the device what licence if any did (commercial) SW supplier need, and what GDPR obligations did they have. Not sure we ever actually got to a satisfactory conclusion!
in reply to Simon Lucy

@jens @ireneista

I think the objections to these changes are going to be much deeper and wider than just 'information' type usage, they change the whole relationship between Mozilla and the User.

The User can avoid a lot of this by never updating or removing the Firefox account and never logging in. Licences with unidentified users cannot be relied upon by the Licensee as a defence for use.

It essentially destroys the point of FOSS.

Unknown parent

@hobs @stinerman @TruelyNotARobot @_tissa_ if it's just bookmarks you are concerned about you can export them manually or use a tool like xbrowsersync.org/ it's open source and encrypted and works with all browsers. There's an APK you can get and keep up to date with Obtainium for Android devices as well.

in reply to Taggart

the clarification is in a blog post, that may not be legally binding. so in my eyes any clarification outside of the ToS is worthless.

If #Mozilla wants to offer AI services or collect and use their users data, this should be a separate opt-in ToS in my opinion, not the terms of the base application.

But TBH #Mozilla is making too many dumb management decisions these days, so I'm considering stopping recommending it. (colorways, firing #rust and #servo teams, ads for temu and so on)

in reply to The Vampire Fish Queen

@TheVampireFishQueen @neil There are a couple of weirdnesses here that I am willing to chalk up to carelessness. But when writing your contracts, that's uh, not awesome as a defense.

But we must consider the alternative, which is that the vagaries in this policy are wiggle room they wanted for one reason or another.

Unknown parent

Taggart

@Schouten_B @jens Sorry to hop in, but since I've been poring over this for a day now, I think I see where you both are coming from.

The language seems to distinguish what you are licensing and what is covered by the Privacy Policy. That distinction lies in the "as well as" clause. Bas, your gloss is that because they only claim to process data listed in the Privacy Policy, whatever may be in the "as well as," (maybe nothing, maybe something someday) is out of Mozilla's reach. Jens, I think you're reading that to mean the "as well as" data can be processed, uncovered by the Privacy Policy.

Let's leave aside the blog update, which is for all intents not part of the contract.

Functionally, I suspect Bas is close to correct for now. However, it's difficult to imagine that, in drafting, no one read this with the suspicions voiced over the last 24 hours by the public. If we assume the vagueness is intentional, there is a space created for more opt-out (we hope) shenanigans down the road.

Unknown parent

Taggart

I mean straight up there's a material difference in how the collection policies are framed here. Arc's Privacy Policy opens with the guarantees about what they won't collect from you. Mozilla's has no such guarantee. Moreover, Moz explicitly states that "Browsing data" is collected for marketing purposes, and consent is "as required by law."

Now, back to the new Firefox Terms. Let's say Mozilla decides browser activity like time on site or even search data is important to train an advertising ML model.

Even if your read of the Terms is correct, that kind of processing would be covered under that section of the Privacy Policy. But if Jens is correct, uh oh, we're still covered for that and more because it could be an unenumerated data type that the broad license language now covers. By contrast, Arc's clear guarantees about what won't be collected, combined with the specific license language, remove this risk.

Unknown parent

Taggart

@Schouten_B @jens This is a highly Eurocentric discussion, which is fine, but I gotta tell ya, US jurisprudence is fairly hostile to the consumer in cases such as these. To make it more complicated, depending on what Circuit the case is tried in, it may be contract law or copyright law that holds sway.

natlawreview.com/article/end-u…

Unknown parent

Taggart

@Schouten_B @jens Serious question: unless you have some insider knowledge, what leads you to think Mozilla, an organization that just stated its intent to develop its AI business/strategy, and is incorporated in the US, built its Terms with EU laws at the top of mind? So far as I know, nobody in the EU was gunning for Firefox because of a lack of Terms.

Conversely, taking the more adversarial reading, this opens the door to potential use of user data down the line. I don't know what the rationale was, but I've seen no evidence to support your interpretation.

Unknown parent

Taggart

@Schouten_B @jens I'm gonna challenge that the scenarios laid out are "mostly legal" in the US. I would describe the use of user data for model training especially as "mostly unlitigated." There are ongoing suits that may establish precedent one way or another, but they have not been decided. And indeed, those cases tend to base their complaints in copyright law, such as the New York Times case against OpenAI.

I'm also gonna push back on the framing that the US government is friendly to corporations here. At the moment, this regime's relationship with tech is fraught at best, with essentially a protection racket holding sway to maintain tech's fealty. But that is distinct from how any given federal judge may rule.

Now, given all this, I don't think it's crazy to imagine an AI-focused Mozilla taking steps to ensure that any future disputes about model training on user data fall in the realm of contract law rather than copyright law.

Unknown parent

Taggart

@Schouten_B @jens Both, really, since neither are spelled out. But tbh it's weird that they haven't said they won't train on user data. Hell, Zoom says so. Notion says so. On the other hand, Meta quietly slipped into their Terms that you license your content for training by using their platforms.

Yes this is speculative. But I have plenty of reason for skepticism, and "No," is not an argument to the contrary.

Unknown parent

Taggart

@Schouten_B @jens I see plenty of reason to add those terms now.

Let's take as read that neither of us knows what Moz's plans re: AI in Firefox actually are. That also means we don't know their timeline. So from a threat modeling perspective, this language introduces the risk of a dark pattern kind of opt-out consent for the use of user data, similar to how they've handled:

  • Ads
  • Telemetry
  • Chatbot on the sidebar

If my concern is the use of my data in ML processes of any kind, I would say I have ample reason to view these Terms as a potential threat vector.