Mozilla Browser Deal – A Bewildering Compromise You Must Make

Google + Mozilla

I spent several hours this weekend on Reddit. I’ve been discussing Mozilla and their future. After finally de-googling my mobile life, I have been confronted by one simple truth: the organization that provides my default browser is now a larger threat to my safety than most other threat actors that I now face. Why is that? That’s simple. The new Google and Mozilla browser deal ensures that private data – my private data and your private data – will be collected by Mozilla and then delivered to Google.

Does This Make Any Sense?

From Google’s viewpoint, this makes perfect sense. They can make sure that their search engine is still the default search engine for a large number of Firefox users. For most folks, search engines don’t make sense. And if you don’t understand something, you usually don’t try to change it. All of us know the adage that if it isn’t broken, then you shouldn’t fix it. For this reason, most people don’t touch the browser that they use. This deal extension plays right into Newton’s First Law: the law of inertia. This extension enshrines a docile Mozilla. It ensures that they will act as the “dutiful competitor” whenever state and federal regulators get too inquisitive.

From Mozilla’s viewpoint, this also makes sense. The Firefox market share is shrinking – and has been shrinking for years. And Mozilla just laid off hundreds of employees. Obviously, they are not going to innovate their way out of their death spiral. Some think that this deal simply provides sufficient financial cushion for the leaders of the Mozilla Foundation to land on their feet.

From A Personal Vantage Point

When you have a list and you move things off of that list, new things surface as “the most important” thing that you must address. So as I’ve reduced my risks from Google, something else had to take Google’s place. And at this moment, it is the browser. More specifically, it is Mozilla’s browser.

Firefox for Android has four (4) embedded trackers. These include: Adjust, Google AdMob, Google Firebase Analytics, and LeanPlum. Half of these trackers report data directly to Google. So after recently breaking the chain that kept me in Google’s sway, I am now left with someone else taking the very same data treasure and “gifting” it right back to Google. Given their financial peril, I truly doubt that the Mozilla Foundation will be convinced to remove these trackers on my behalf.

A Historical Alliance

All of this makes some historical sense. When the Mozilla Foundation first started, they were fighting Microsoft. Today, I am sure that many of the people at Mozilla still see Google as “the enemy of my enemy” and not just “the ‘new’ enemy”. 

But the times have changed, right? Microsoft was cowed. And Google rose triumphantly – as did the Mozilla Foundation. Nevertheless, one thing remains the same. There is a ravenous competitor prowling the field. And the consumers that were threatened before are threatened once again. But this time, it is Google that needs to be cowed.

What’s A Geek To Do?

My situation is simple: my most important mobile app is my browser. And this product is now siphoning private information into Google’s coffers. I can’t tolerate this. So I’ve been struggling with this all weekend.What can I do?

  1. I could continue to use the Fennec variant available on F-Droid. This will work. But this product is EOL. And so there will be no new versions. So while I can keep on using this product, I am living on borrowed time.
  2. I could change my browser. There are some very good browsers that meet some very specific needs. I could use Chromium – or any one of a number of derivative works. But it is very difficult to cross this bridge. After all, Chromium is the basis for all of Google’s proprietary browser investments.
  3. I could also use any of a bunch of browsers that are descended from Firefox. IceCast is one such descendant. It is a good browser that is built upon Gecko. And it is actively being maintained.  They are trying to keep up with Firefox. But their next update probably won’t happen until the Mozilla folks lay down their next “extended support release” (or ESR). Consequently, this release is intentionally behind the times as the last ESR release is quite dated.
  4. I could use another browser that is not part of either legacy. But to be fair, there are very few new options that fall into this category.
  5. I could switch and use the “new” Firefox for Android. This one stings. I am emotionally hurt by the gyrations that Mozilla is inflicting upon their users. Nevertheless, their new version is a very good browser – albeit with several Google trackers. Fortunately, I can neutralize those trackers. By using Pihole, I can ensure that connections made to named Google services will not be properly resolved. In this way, I can have Firefox and still block Google – at least until Mozilla defeats this DNS-oriented defense.
Bottom Line

So what will I do? For now, I’m switching from Fennec F-Droid to Firefox for Android. And I’ve reviewed all of the adlists included on my Pihole. For now, I can use Mozilla Firefox while still intercepting any private data being fed to Google.

Is the Mozilla browser deal good for me? It absolutely is not. Is the deal good for the industry? It probably isn’t. Will I make a temporary compromise until a better solution emerges? Yes, I will make that compromise. But I am altogether unhappy living in this compromised state.

CPI: Continuous Privacy Improvement – Part 2

Continuous Improvement
Continuous Improvement

Continuous Improvement is nothing new. In the early nineties, total quality management (TQM) was all the rage. And even then, TQM was a re-visitation of techniques applied in preceding decades. Today, continuous improvement is embraced in nearly every development methodology. But whether from the “fifties” or the “twenties”, the message is still the same: any measurable improvement (whether in processes or in technologies) is the result of a systematic approach. This is true for software development. And it is true for continuous privacy improvements.

Privacy Is Threatened

With every wave of technology change, there have been concurrent improvements in determining what customers desire – and what they will “spend” in order to obtain something. At the same time, customers have become increasingly frustrated with corporate attempts to “anticipate” their “investment” habits. For example, the deployment of GPS and location technologies has allowed sellers to “reach” potential customers whenever those customers are physically near the point of sale. In short, when you got to the Magnificent Mile in Chicago, you’ll probably get adds for stores that are in your vicinity.

While some people find this exhilarating, many people find it frustrating. And some see these kinds of capabilities as demonstrative of a darker capability: the ability for those with capability to monitor and manage the larger populace. For some, the “sinister” people spying on them are corporations. For many, the “malevolent” forces that they fear are shadowy “hackers” that can steal (or have already stolen) both property and identity. And for a very small group of people, the powers that they fear most are governments and / or similar authorities. For everyone, the capability to monitor and influence behavior is real.

Surveillance And Exploitation Are Not New

Governments have tried to “watch” citizens – whether to protect them from threats or to “manage” them into predetermined behaviors. You can look at every society and see that there have always been areas of our life that we wish to keep private. And balanced against those desires are the desires of other people. So with every generation (and now with every technology change), the dance of “personal privacy” and “group management” is renewed.

As the technology used for surveillance has matured, the tools for ensuring privacy have also changed. And the methods for ensuring privacy today have drastically changed from the tools used even a few years ago. And if history is a good predictor of the future, then we can and should expect that we must continually sharpen our tools for privacy – even as our “adversaries” are sharpening their tools of surveillance. Bottom Line: The process of maintaining our privacy is subject to continuous threat and must be handled in a model akin to continuous process improvement. So let’s start accepting the need for continuous privacy improvement.

Tackling Your Adversaries – One At A Time

If you look at the state of surveillance, you probably are fatigued by the constant fight to maintain your privacy. I know that I am perpetually fatigued. Every time that you harden your defenses, new threats emerge. And the process of determining your threats and your risks seems to be never-ending. And in truth, it really is never-ending. So how do you tackle such a problem? I do it systematically.

As an academic (and lifetime) debater – as well as a trained enterprise architect – I continually assess the current state. That assessment involves the following activities:

  • Specify what the situation is at the present moment.
  • Assess the upsides and downsides of the current situation.
  • Identify those things that are the root causes of the current situation.
  • Outline what kind of future state (or target state) would be preferable.
  • Determine the “gaps” between the current and future states.
  • Develop a plan to address those gaps (and their underlying problems).

And there are many ways to build plans. Some folks love the total replacement model. And while this is feasible for some projects, it is rarely practical for our personal lives. [Note: There are times when threats do require a total transformation. But they are the exception and not the general rule.] Since privacy is such a fundamental part of our lives, we must recognize that changes to our privacy posture must be made incrementally – and continuously. Consequently, we must understand the big picture and then attack in small and continuous ways. In military terms, you want to avoid multi-front campaigns at all cost. Both Napoleon and Hitler eschewed this recommendation. And they lost accordingly.

My Current State – And My Problems

I embarked on my journey towards intentional privacy a few years ago. I’ve given dozens of talks about privacy and security to both IT teams and to personal acquaintances. And I’ve made it a point to chronicle my personal travails along my path to a more private life. But in order to improve, I needed to assess what I’ve done – and what remains to be done.

So here goes…

Over the past two years, I’ve switched my primary email provider. I’ve changed my search providers and my browsers – multiple times. And I’ve even switched from Windows to Linux. But my transformation has always been one step away from its completion.

The Next (to Last) Step: De-googling

This year, I decided to address the elephant in the room: I decided to take a radical step towards removing Google from my life. I’ve been using Google products for almost half of my professional life. Even though I knew that Google was one of the largest threat actors my ecosystem, I still held on to to a Google lifeline. Specifically, I was still using a phone based upon Google’s ecosystem. [Note: I did not say Android. Because Android is a Linux-oriented phone that Google bought and transformed into a vehicle for data collection and advertising delivery.]

I had retained my Google foothold because I had some key investments that I was unwilling to relinquish. The first of these was a Google Voice number that had been at the heart of my personal life (and my business identity). That number was coupled with my personal Google email identity. It was the anchor of hundreds of accounts. And it was in the address books of hundreds of friends, relatives, colleagues, customers, and potential customers.

Nevertheless, the advantages of keeping a personal Google account were finally outweighed by my firm realization that Google wasn’t giving me an account for free; Google was “giving” me an account to optimize their advertising delivery. Or stated differently, I was willing to sell unfettered access to myself as long as I didn’t mind relinquishing any right to privacy. And after over fifteen years with the same account, I was finally ready to reclaim my right to privacy.

Too Many Options Can Lead To Inaction

I had already taken some steps to eliminate much of the Google stranglehold on my identity. But they still had the lynch pins:

  • I still had a personal Google account, and
  • Google had unfettered access to my mobile computing platform.

So I had to break the connection from myself to my phone. I carefully considered the options that were available to me.

  1. I could switch to an iPhone. Without getting too detailed, I rejected this option as it was simply trading one master for another one. Yes, I had reason to believe that Apple was “less” invasive than Google. But Google was “less” invasive at one point in time. So I rejected trading one for another.
  2. I could install a different version of Android on my current phone. While I have done this in the past, I was not able to do this with my current phone. I had bought a Samsung Galaxy S8+ three years ago. And when I left Sprint for the second time (due to the impending merger), I kept the phone. But this phone was based upon the Qualcomm SnapDragon 855. Consequently, the phone had a locked bootloader. And Qualcomm has never relented and unlocked the bootloader. So I cannot flash a new ROM (like LineageOS) on this phone.
  3. I could install a different version of Android on a new phone. This option had some merit – at the cost of purchasing new phone hardware. I could certainly buy a new (or used) phone that would support GraphenOS or LineageOS. But during these austere times (when consulting contracts are sparse), I will not relinquish any coin of the realm to buy back my privacy. And buying a Pixel sounds more like paying a ransomware demand that buying something of value.
  4. I could take what I had and live with it. Yes, this is the default option. And while I diddled with comparisons, this WAS what I did for over a year. After all, it fell into the adage that if it isn’t broken, then why fix it? But such defaults never last – at least, not for me.
  5. I could use the current phone and take the incremental next step in using a phone with a locked bootloader: I could eliminate the Google bits by eliminating the Google account and by uninstalling (and/or disabling) Google, Samsung, and T-Mobile apps using the Android Debug Bridge (a.k.a., adb).

I had previously decided to de-google my phone before my birthday (in July). So once Independence Day came and went, I got serious about de-googling my phone.

The Road Less Taken

Of all of the options available to me, I landed on the one that cost the least amount of my money but required the most investment of my personal time. So I researched many different lists of Google apps (and frameworks) on the Samsung Galaxy S8+. I first disabled the apps that I had identified. Then I used a tool available on the Google Play Store called Package Disabler Pro. I have used this before. So I used it again to identify those apps that I could readily disable. By doing this, I could determine the full impact of deleted some of these packages – before I actually deleted them. Once I had developed a good list and had validated that the phone would still operate, I made my first attempt.

And as expected, I ran into a few problems. Some of them were unexpected. But most of them were totally expected. Specifically, Google embeds some very good technology in the Google Play Services (gms) and Google Services Framework (gsf). And when you disable / delete these tools, a lot of apps just won’t work completely. This is especially true with notifications.

I also found out that there were some key multimedia messaging services (MMS) capabilities that I was using without realizing it. So when I deleted these MMS tools, I had trouble with some of my routine multi-recipient messages. I solved this by simply re-installing those pieces of software. [Note: If that had not worked, then I was ready to re-flash to a baseline T-Mobile ROM. So I had multiple fallback plans. Fortunately, the re-installation solved the biggest problem.]

Bottom Line

After planning for the eventual elimination of my Google dependence, I finally took the necessary last step towards a more private life; I successfully de-googled my phone – and my personal life. Do I still have some interaction with Google? Of course I do. But those interactions are far less substantial, far more manageable, and far more private. At the same time, I have eliminated a large number of Samsung and T-Mobile tracking tools. So my continuous privacy improvement process (i.e., my intentional privacy improvements) has resulted in a more desirable collaboration between myself and my technology partners.