Electronic Frontier Foundation

Privacy Advocate Confronts ACLU Over Its Use of Google and Facebook's Targeted Advertising (twitter.com) 20

Ashkan Soltani was the Chief Technologist of America's Federal Trade Commission in 2014 — and earlier was a staff technologist in its Division of Privacy and Identity Protection helping investigate tech companies including Google and Facebook.

Friday on Twitter he accused another group of privacy violations: the nonprofit rights organization, the American Civil Liberties Union. Yesterday, the ACLU updated their privacy statement to finally disclose that they share constituent information with 'service providers' like Facebook for targeted advertising, flying in the face of the org's public advocacy and statements.

In fact, I was retained by the ACLU last summer to perform a privacy audit after concerns were raised internally regarding their data sharing practices. I only agreed to do this work on the promise by ACLU's Executive Director that the findings would be made public. Unfortunately, after reviewing my findings, the ACLU decided against publishing my report and instead sat on it for ~6 months before quietly updating their terms of service and privacy policy without explanation for the context or motivations for doing so. While I'm bound by a nondisclosure agreement to not disclose the information I uncovered or my specific findings, I can say with confidence that the ACLU's updated privacy statements do not reflect the full picture of their practices.

For example, public transparency data from Google shows that the ACLU has paid Google nearly half a million dollars to deliver targeted advertisements since 2018 (when the data first was made public). The ACLU also opted to only disclose its advertising relationship with Facebook only began in 2021, when in truth, the relationship spans back years totaling over $5 million in ad-spend. These relationships fly against the principles and public statements of the ACLU regarding transparency, control, and disclosure before use, even as the organization claims to be a strong advocate for privacy rights at the federal and state level. In fact, the NY Attorney General conducted an inquiry into whether the ACLU had violated its promises to protect the privacy of donors and members in 2004. The results of which many aren't aware of. And to be clear, the practices described would very much constitute a 'sale' of members' PII under the California Privacy Rights Act (CPRA).

The irony is not lost on me that the ACLU vehemently opposed the CPRA — the toughest state privacy law in the country — when it was proposed. While I have tremendous respect for the work the ACLU and other NGOs do, it's important that nonprofits are bound by the same privacy standards they espouse for everyone else. (Full disclosure: I'm on the EFF advisory board and was recently invited to join EPIC's board.)

My experience with the ACLU further amplifies the need to have strong legal privacy protections that apply to nonprofits as well as businesses — partially since many of the underlying practices, particularly in the area of fundraising and advocacy, are similar if not worse.

Soltani also re-tweeted an interesting response from Alex Fowler, a former EFF VP who was also Mozilla's chief privacy officer for three years: I'm reminded of EFF co-founder John Gilmore telling me about the Coders' Code: If you find a bug or vulnerability, tell the coder. If coder ignores you or refuses to fix the issue, tell the users.
Open Source

Richard Stallman's Return Denounced by the EFF, Tor Project, Mozilla, and the Creator of Rust (itwire.com) 640

Sunday IT Wire counted up the number of signatories on two open letters, one opposing Richard Stallman's return to the FSF and one supporting it.

- The pro-Stallman letter had 3,632 individual signers
- The anti-Stallman letter had 2,812 individual signers (plus 48 companies and organizations).

But the question of Stallman's leadership has now also arisen in the GCC community:

A long-time developer of GCC, the compiler created by the GNU Project and used in Linux distributions, has issued a call for the removal of Free Software Founder Richard Stallman from the GCC steering committee. Nathan Sidwell [also a software engineer at Facebook] said in a post directed to the committee that if it was unwilling to remove Stallman, then the panel should explain why it was not able to do so.

Stallman is also the founder of the GNU Project and the original author of GCC.

"RMS [Stallman] is no longer a developer of GCC, the most recent commit I can find regards SCO in 2003," Sidwell wrote in a long email. "Prior to that there were commits in 1997, but significantly less than 1994 and earlier. GCC's implementation language is now C++, which I believe RMS neither uses nor likes.

"When was RMS' most recent positive input to the GCC project? Even if it was recent and significant, that doesn't mean his toxic behaviour should be accepted."

Meanwhile, the following groups have also issued statements opposing Stallman's return to the FSF:

- Mozilla: We can't demand better of the internet if we don't demand better of our leaders, colleagues and ourselves. We're with the Open Source Diversity Community, Outreachy & the Software Conservancy project in supporting this petition.
- The Tor Project: The Tor Project is joining calls for Richard M. Stallman to be removed from board, staff, volunteer, and other leadership positions in the FOSS community, including the Free Software Foundation and the GNU Project.
- Rust creator Graydon Hoare: He's been saying sexist shit & driving women away for decades. He can't change, the FSF board knows it, is sending a "sexism doesn't matter" message. This is bad leadership and I'm sad about all of it, agree with calls to resign.

If someone is a public leader their public behaviour matters. I don't criticize private individuals here and I don't think twitter-justice is especially nuanced. But this is so far over the line, such a stupid and tone-deaf choice, and it is about community leadership.

- The EFF: We at EFF are profoundly disappointed to hear of the re-election of Richard Stallman to a leadership position at the Free Software Foundation, after a series of serious accusations of misconduct led to his resignation as president and board member of the FSF in 2019. We are also disappointed that this was done despite no discernible steps taken by him to be accountable for, much less make amends for, his past actions or those who have been harmed by them. Finally, we are also disturbed by the secretive process of his re-election, and how it was belatedly conveyed to FSF's staff and supporters.

Stallman's re-election sends a wrong and hurtful message to free software movement, as well as those who have left that movement because of Stallman's previous behavior.

Free software is a vital component of an open and just technological society: its key institutions and individuals cannot place misguided feelings of loyalty above their commitment to that cause. The movement for digital freedom is larger than any one individual contributor, regardless of their role. Indeed, we hope that this moment can be an opportunity to bring in new leaders and new ideas to the free software movement.

We urge the voting members of the FSF to call a special meeting to reconsider this decision, and we also call on Stallman to step down: for the benefit of the organization, the values it represents, and the diversity and long-term viability of the free software movement as a whole.

Finally, the Free Software Foundation itself has now pinned the following tweet at the top of its Twitter feed: No LibrePlanet organizers (staff or volunteer), speakers, award winners, exhibitors, or sponsors were made aware of Richard Stallman's announcement until it was public.
Mozilla

Mozilla Firefox Tweaks Referrer Policy To Shore Up User Privacy (zdnet.com) 24

Mozilla Firefox will soon include a revised Referrer Policy to tighten up queries and better protect user information. From a report: Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers "to prevent sites from accidentally leaking sensitive user data." In a blog post on Monday, developer Dimi Lee and security infrastructure engineering manager Christoph Kerschbaumer said the latest browser version will include a "stricter, more privacy-preserving default Referrer Policy." Browsers send HTTP Referrer headers to websites to indicate which location has 'referred' a user to a website server. Full URLs of referring documents are often sent in the HTTP Referrer header with other subresource requests, and while this may contain innocent information used for purposes including analytics, private user data may also be included. Referrer policies aim to protect this data, but if no policy is set by a website, this often defaults to "no-referrer-when-downgrade," an element that Firefox says does trim down the referrer when navigating to a less secure resource, but still "sends the full URL including path and query information of the originating document as the referrer."
Communications

Mozilla Leads Push for FCC To Reinstate Net Neutrality (cnbc.com) 78

Tech companies led by Mozilla are urging the Federal Communications Commission to swiftly reinstate net neutrality rules stripped away under the Trump administration. From a report: In a letter to FCC Acting Chairwoman Jessica Rosenworcel Friday, ADT, Dropbox, Eventbrite, Reddit, Vimeo and Wikimedia joined Mozilla, the maker of the Firefox web browser, in calling net neutrality "critical for preserving the internet as a free and open medium that promotes innovation and spurs economic growth." [...] In a blog post Friday, Mozilla Chief Legal Officer Amy Keating said the pandemic has made the need for net neutrality rules even more clear.

"In a moment where classrooms and offices have moved online by necessity, it is critically important to have rules paired with strong government oversight and enforcement to protect families and businesses from predatory practices," Keating said. "In California, residents will have the benefit of these fundamental safeguards as a result of a recent court decision that will allow the state to enforce its state net neutrality law. However, we believe that users nationwide deserve the same ability to control their own online experiences."

Firefox

Firefox Redesign Drops Compact Density Option (pcmag.com) 89

Firefox's "Compact density" option, which reduces the size of the user interface, is set to disappear when Mozilla rolls out its Proton visual redesign for the browser later this year. PCMag reports: A bug was posted on Mozilla's bug tracking system entitled "Remove compact mode inside Density menu of customize palette." The reasons given for its removal include the fact it's "currently fairly hard to discover" and "we assume gets low engagement." The development team wants to "make sure that we design defaults that suit most users and we'll be retiring the compact mode for this reason." The Bugzilla thread highlights a desire for compact density to be retained as an option, but it doesn't seem likely to survive right now.

When Proton arrives, the Normal and Touch density options are expected to remain, with Touch increasing the size of the user interface to make it more finger-friendly. Meanwhile, the development team is optimizing the Normal density for displays that use 768 pixels for height, while most displays now use a higher resolution than that. Hopefully this doesn't mean the UI will be larger than it is now by default.

Australia

Australia Extends Tech Giant Probe To Google and Apple Browser Domination (zdnet.com) 34

With the News Media Bargaining Code out of the way, the Australian government has moved its tech giant battle to the browser scene, keeping Google in its crosshairs while putting Apple under the microscope. From a report: Led by the Australian Competition and Consumer Commission (ACCC), the new battle is focused on "choice and competition in internet search and web browsers." The consumer watchdog on Thursday put out a call for submissions, with a number of questions posed in a discussion paper, centred on internet browser defaults. It claimed Apple's Safari is the most common browser used in Australia for smartphones and tablets, accounting for 51% of use. This is followed by Chrome with 39%, Samsung Internet with 7%, and with less than 1%, Mozilla Firefox. This shifts on desktop, with Chrome being the most used browser with 62% market share, followed by Safari with 18%, Edge 9%, and Mozilla 6%.

The ACCC said it's concerned with the impact of pre-installation and default settings on consumer choice and competition, particularly in relation to online search and browsers. It's also seeking views on supplier behaviour and trends in search services, browsers, and operating systems, and device ecosystems that may impact the supply of search and browsers to Australian consumers. It wants views also on the extent to which existing consumer harm can arise from the design of defaults and other arrangements.

Firefox

Mozilla Urges 'Remain Calm: the Fox is Still in the Firefox Logo' (mozilla.org) 84

Last week Firefox's official blog responded to some viral misinformation about the Firefox logo. "People were up in arms because they thought we had scrubbed fox imagery from our browser. Rest easy knowing nothing could be further from the truth..." Sure, it's stressful to have hundreds of thousands of people shouting things like "justice for the fox" in all-caps in your mentions for three days straight, but ultimately that means people are thinking about the brand in a way they might not have for years...

The logo causing all the stir is one we created a while ago with input from our users. Back in 2019, we updated the Firefox browser logo and added the parent brand logo as a new logo for our broader product portfolio that extends beyond the browser... which represents the family of Firefox products we make outside of just the Firefox browser, like Firefox Monitor. It's not an icon you're going to see on a dock, phone's home screen or desktop, though.

We didn't get rid of the fox then and have no plans to do so now, or ever. Plenty of folks jumped in to try and clear things up in the original thread, but once the "they killed the fox" meme caught momentum and became the "Firefox minimalist logo" meme, there was no stopping it. It spread to Instagram and then to Reddit. The memes became so pervasive that there were memes being made about how there were too many Firefox logo memes... Well, fear not, because no matter what you think you heard on the internet, the fox isn't leaving any time soon.

For our Firefox Nightly users out there, we're bringing back a very special version of an older logo, as a treat. Stay tuned.

The Internet

Privacy-first Browser Brave Now Has Its Own Google Search Rival (wired.co.uk) 50

Two years after publicly launching a privacy-focussed browser, Brave, founded by former Mozilla executive Brendan Eich, is taking on Google's search business, too. From a report: The announcement of Brave Search puts the upstart in the rare position of taking on both Google's browser and search dominance. Eich says that Brave Search, which has opened a waitlist and will launch in the first half of this year, won't track or profile people who use it. "Brave already has a default anonymous user model with no data collection at all," he says adding this will continue in its search engine. No IP addresses will be collected and the company is exploring how it can create both a paid, ad-free search engine and one that comes with ads.

But building a search engine isn't straightforward. [...] Eich says Brave isn't starting its search engine or index from scratch and won't be using indexes from Bing or other tech firms. Instead Brave has purchased Tailcat, an offshoot of German search engine Cliqz, which was owned by Hubert Burda Media and closed down last year. The purchase includes an index of the web that's been created by Tailcat and the technology that powers it. Eich says that some users will be given the ability to opt-in to anonymous data collection to help fine-tune search results. "What Tailcat does is it looks at a query log and a click log anonymously," Eich says. "These allow it to build an index, which Tailcat has done and already did at Cliqz, and it's getting bigger." He admits that the index will not be anywhere near as deep as Google's but that the top results it surfaces are largely the same.

Firefox

Firefox's Total Cookie Protection Aims To Stop Tracking Between Multiple Sites (engadget.com) 65

As part of its war on web tracking, Mozilla is adding a new tool to Firefox aimed at stopping cookies from keeping tabs on you across multiple sites. From a report: The "Total Cookie Protection" feature is included in the web browser's latest release -- alongside multiple picture-in-picture views -- and essentially works by keeping cookies isolated between each site you visit. Or, in Mozilla's words: "By creating a separate cookie jar for every website." Firefox's new feature pairs with last month's network partitioning tool, which works by splitting the Firefox browser cache on a per-website basis to prevent tracking across the web, itself targeted at blocking more stubborn "supercookies." According to Mozilla, these types of cookies are more difficult to delete and block as they are stored in obscure parts of the browser, including in Flash storage, ETags, and HSTS flags. Both tools are available as part of Firefox's enhanced tracking protection suite in "strict mode" on desktop and Android.
Programming

The Rust Programming Language Finds a New Home in a Nonprofit Foundation (techcrunch.com) 62

Rust -- the programming language, not the survival game -- now has a new home: the Rust Foundation. From a report: AWS, Huawei, Google, Microsoft and Mozilla banded together to launch this new foundation today and put a two-year commitment to a million-dollar budget behind it. This budget will allow the project to "develop services, programs, and events that will support the Rust project maintainers in building the best possible Rust." Rust started as a side project inside of Mozilla to develop an alternative to C/C++. Designed by Mozilla Research's Graydon Hoare, with contributions from the likes of JavaScript creator Brendan Eich, Rust became the core language for some of the fundamental features of the Firefox browser and its Gecko engine, as well as Mozilla's Servo engine. Today, Rust is the most-loved language among developers. But with Mozilla's layoffs in recent months, many on the Rust team lost jobs and the future of the language became unclear without a main sponsor, though the project itself has thousands of contributors and a lot of corporate users, so the language itself wasn't going anywhere.
Chromium

To Re-Enable Flash Support, South Africa's Tax Agency Released Its Own Web Browser (zdnet.com) 151

"The South African Revenue Service (SARS) has released this week its own custom web browser," reports ZDNet, "for the sole purpose of re-enabling Adobe Flash Player support, rather than port its existing website from using Flash to HTML-based web forms." To prevent the app from continuing to be used in the real-world to the detriment of users and their security, Adobe began blocking Flash content from playing inside the app starting January 12, with the help of a time-bomb mechanism... As SARS tweeted on January 12, the agency was impacted by the time-bomb mechanism, and starting that day, the agency was unable to receive any tax filings via its web portal, where the upload forms were designed as Flash widgets. But despite having a three and a half years heads-up, SARS did not choose to port its Flash widgets to basic HTML & JS forms, a process that any web developer would describe as trivial. Instead, the South African government agency decided to take one of the most mind-blowing decisions in the history of bad IT decisions and release its own web browser.

Released on Monday on the agency's official website, the new SARS eFiling Browser is a stripped-down version of the Chromium browser that has two features.

The first is to re-enable Flash support. The second is to let users access the SARS eFiling website.

As Chris Peterson, a software engineer at Mozilla, pointed out, the SARS browser only lets users access the official SARS website, which somewhat reduces the risk of users getting their systems infected via Flash exploits while navigating the web. But as others have also pointed out, this does nothing for accessibility, as the browser is only available for Windows users and not for other operating systems such as macOS, Linux, and mobile users, all of which are still unable to file taxes.

Firefox

Firefox 85 Isolated Supercookies, But Dropped Progressive Web App Support (thurrott.com) 72

Tech blogger Paul Thurrott writes: Firefox 85 now protects users against supercookies, which Mozilla says is "a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next." It also includes small improvements to bookmarks and password management.

Unfortunately, Mozilla has separately — and much more quietly — stopped work on Site Specific Browser (SSB) functionality... This feature allowed users to use Firefox to create apps on the local PC from Progressive Web Apps and other web apps, similar to the functionality provided in Chrome, Microsoft Edge, and other Chromium-based web browsers. "The SSB feature has only ever been available through a hidden [preference] and has multiple known bugs," Mozilla's Dave Townsend explains in a Bugzilla issue tracker. "Additionally, user research found little to no perceived user benefit to the feature and so there is no intent to continue development on it at this time. As the feature is costing us time in terms of bug triage and keeping it around is sending the wrong signal that this is a supported feature, we are going to remove the feature from Firefox."

Thurrott's conclusion? "Mozilla is walking away from a key tenet of modern web apps and, in doing so, they are making themselves irrelevant."
Firefox

Firefox 85 Hammers the Final Nail Into the Adobe Flash Coffin (cnet.com) 67

With Mozilla's release of Firefox 85 on Tuesday, Adobe's once ubiquitous Flash technology is really gone for good. The software had been widely used to expand gaming, video and animation on the web, though Adobe stopped supporting it at the end of 2020. Firefox was the last major browser to support Flash. From a report: Apple, whose late boss Steve Jobs helped sink Flash by banning it from iPhones and iPads, ditched Flash with Safari 14 in September 2020. Google Chrome, the most widely used browser, completely excised it on Jan. 19 with version 88. Microsoft's Edge 88 followed suit on Jan. 21. The schedule of removals shows just how hard it is to advance technology foundations as widely used as the web. Browser makers for years wanted to remove Flash, replacing it with more advanced standards built directly into the web. Jobs' "Thoughts on Flash" letter in 2010 solidified the opposition, and Adobe started recognizing the software's doom by scrapping the Android version of Flash in 2011. It's taken years of effort to drop Flash completely. Adobe took until 2017 to announce that Flash would be completely unsupported at the end of 2020, and still some are willing to jump through lots of hoops to keep Flash around a little longer.
IT

Browser Makers Launch New Project For Writing Documentation For Web APIs (zdnet.com) 13

A coalition of tech companies announced today the launch of Open Web Docs, a new initiative to help write documentation for Web APIs, JavaScript, and other web tooling and platforms. From a report: The new project does not view itself as a replacement for MDN Web Docs, a website hosted by Mozilla, where all browser makers agreed to move the official Web API documentation back in October 2017, and stop developing their own, often diverging, documentation sites. Instead, in a press release and FAQ today, the Open Web Docs team said their role is to fund, coordinate, and contribute to MDN Docs going forward. The new initiative comes after Mozilla laid off 250 employees last summer, including many of its MDN Web Docs staff. Open Web Docs comes to fill this void and provide the labor force needed to continue updating the MDN Web Docs portal.
X

Jamie Zawinski Calls Cinnamon Screensaver Lock-Bypass Bug 'Unconscionable' (jwz.org) 172

Legendary programmer Jamie Zawinski has worked on everything from the earliest releases of the Netscape Navigator browser to XEmacs, Mozilla, and, of course, the XScreenSaver project.

Now Slashdot reader e432776 writes: JWZ continues to track issues with screensavers on Linux (since 2004!), and discusses a new bug in cinnamon-screensaver. Long-standing topics like X11, developer interaction, and code licensing all feature. Solutions to these long-standing issues remain elusive.
Jamie titled his blog post "I told you so, 2021 edition": You will recall that in 2004, which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."

And they went and made that happen.

Repeatedly.

Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe.

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

These bugs are a shameful embarrassment of design -- as opposed to merely bad code...

ZDNet reports that Linux Mint has issued a patch for Cinnamon that fixes the screensaver bug. But HotHardware notes that it was discovered when "one Dad let the kids play with the keyboard. This button-mashing actually crashed the machine's screensaver by sheer luck, allowing them onto the desktop, ultimately leading to the discovery of a high priority security vulnerability for the Linux Mint team."

But that's not the only thing bothering Jamie Zawinski: Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mint-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.

XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude...

Mint-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.

I eagerly await hearing how they're going to make this right.

Mozilla

Firefox To Block Backspace Key From Working as 'Back' Button (zdnet.com) 130

Mozilla developers plan to remove support for using the Backspace key as a Back button inside Firefox. From a report: The change is currently active in the Firefox Nightly version and is expected to go live in Firefox 86, scheduled to be released next month, in late February 2021. The removal of the Backspace key as a navigational element didn't come out of the blue. It was first proposed back in July 2014, in a bug report opened on Mozilla's bug tracker. At the time, Mozilla engineers argued that many users who press the Backspace key don't always mean to navigate to the previous page (the equivalent of pressing the Back button).
Firefox

Mozilla Is Working On a Firefox Design Refresh (ghacks.net) 246

Mozilla is "investigating" a design refresh for its Firefox browser. Ghacks reports that the refresh is referred to internally as "Photon." Information about the design refresh is limited at this point in time. Mozilla created a meta bug on Bugzilla as a reference to keep track of the changes. While there are not any mockups or screenshots posted on the site, the names of the bugs provide information on the elements that will get a refresh. These are:

- The Firefox address bar and tabs bar.
- The main Firefox menu.
- Infobars.
- Doorhangers.
- Context Menus.
- Modals.
Most user interface elements are listed in the meta bug. Mozilla plans to release the new design in Firefox 89; the browser is scheduled for a mid-2021 release. Its release date is set to May 18, 2021...

[Developer/Firefox extension author] Sören Hentzschel revealed that he saw some of the Firefox Proton mockups... He notes that Firefox will look more modern when the designs land and that Mozilla plans to introduce useful improvements, especially in regards to the user experience. Hentzschel mentions two examples of potential improvements to the user experience: a mockup that displays vertical tabs in a compact mode, and another that shows the grouping of tabs on the tab bar.

Netscape

Brexit Deal Mentions Netscape Browser and Mozilla Mail (bbc.com) 194

References to decades-old computer software are included in the new Brexit agreement, including a description of Netscape Communicator and Mozilla Mail as being "modern" services. From a report: Experts believe officials must have copied and pasted chunks of text from old legislation into the document. The references are on page 921 of the trade deal, in a section on encryption technology. It also recommends using systems that are now vulnerable to cyber-attacks. The text cites "modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x." The latter two are now defunct - the last major release of Netscape Communicator was in 1997. The document also recommends using 1024-bit RSA encryption and the SHA-1 hashing algorithm, which are both outdated and vulnerable to cyber-attacks.
Firefox

Firefox To Ship 'Network Partitioning' As a New Anti-Tracking Defense (zdnet.com) 65

An anonymous reader quotes a report from ZDNet: Firefox 85, scheduled to be released next month, in January 2021, will ship with a feature named Network Partitioning as a new form of anti-tracking protection. The feature is based on "Client-Side Storage Partitioning," a new standard currently being developed by the World Wide Web Consortium's Privacy Community Group. "Network Partitioning is highly technical, but to simplify it somewhat; your browser has many ways it can save data from websites, not just via cookies," privacy researcher Zach Edwards told ZDNet in an interview this week. "These other storage mechanisms include the HTTP cache, image cache, favicon cache, font cache, CORS-preflight cache, and a variety of other caches and storage mechanisms that can be used to track people across websites." Edwards says all these data storage systems are shared among websites.

The difference is that Network Partitioning will allow Firefox to save resources like the cache, favicons, CSS files, images, and more, on a per-website basis, rather than together, in the same pool. This makes it harder for websites and third-parties like ad and web analytics companies to track users since they can't probe for the presence of other sites' data in this shared pool. The Mozilla team expects [...] performance issues for sites loaded in Firefox, but it's willing to take the hit just to improve the privacy of its users.

Google

Apple, Google, Microsoft, and Mozilla Ban Kazakhstan's MitM HTTPS Certificate (zdnet.com) 45

Browser makers Apple, Google, Microsoft, and Mozilla, have banned a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents in the country's capital, the city of Nur-Sultan (formerly Astana). From a report: The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices. While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix, unless they had the certificate installed. Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies. Officials cited that cyberattacks targeting "Kazakhstan's segment of the internet" grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise. The government's explanation did, however, make zero technical sense, as certificates can't prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers. After today's ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari, will refuse to use them, preventing Kazakh officials from intercepting user data.
