Firefoxers howl as privacy add-on auto updates with 'bloatware'

Overstuffed TACO

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Updated Firefox users are howling that a widely-used browser add-on designed to protect them from unwanted cookie tracking has been automatically updated with what they see as overly intrusive "bloatware".

On June 14, after it was acquired by a software outfit known as Abine, a new version of the TACO behavioral-ad–blocking add-on was pushed out via Mozilla's auto-update process — which means it has received Mozilla's approval — and an army of users are complaining of a kind of privacy add-on bait-and-switch.

"Despicably evil move guys. Using the trusted update path to stealthily 'update' to a bloatware shareware suite is just evil. Now I have to completely blow away this profile and reinstall all my TRUSTED extensions," says one reviewer. "See how easy it is to lose trust. *snapofthefingers* gone."

Speaking with The Reg, Abine has defended the upgrade, saying that Mozilla asks users for their approval before downloading the new add-on and that although the add-on installs a host of new tools, any unrelated to TACO's original cookie management mission are turned off by default.

"That's why we think of it as a legitimate upgrade," co-founder and CEO Eugene Kuznetsov tells The Reg. "You need [Abine's additional cookie management tools] to maintain the level of privacy TACO gave to a year ago. Behavioral ad networks are always adding new tools and you need new tools to stop them."

A Mozilla spokeswoman said: "TACO changed owners, and the new owners changed the add-on radically. It still provides the same core functionality, but the user interface is very different and there are a large number of extra features and privacy tools. The add-on update was approved by Mozilla. It is safe for users and follows our policies set forth in our Add-on Review Process." You can peruse the process here.

Abine TACO

Abined TACO

In March of last year, after Google rolled out its interest-based advertising behavioral ad targeting operation, privacy researcher Christopher Soghoian offered up a Firefox plug-in that opted you out of not only Google's behavioral ad system, but countless others across the web. He called it the Targeted Advertising Cookie Opt-Out project — TACO, for short.

Google was offering its own opt-out plug-in, but this was limited to the company's own tracking. So Soghoian modified the code — Google had released it under an Apache 2.0 license — to handle other networks as well. At the time, TACO blocked behavioral ad cookies from twenty-seven separate networks, and this has since grown to over 100.

It was a sliver of an add-on — about 8K. But this week, it expanded to a whopping 3MB. Soghoian recently sold TACO to Abine, a software outfit based in Boston, and on Monday, Abine rolled out a new version of TACO that's bundled with a host of additional software tools designed to protect your privacy. It also adds a pair of buttons to your browser chrome, and it includes a pop-up interface that appears every time you visit a new site.

Several of the Abine tools installed with the new add-on are turned off by default, and you can turn off the pop-up interface. But dozens of users, including Reg readers and posters on the add-on's Mozilla page, are howling that they've been duped.

"What ethics of a company that take this insidious approach to push their product to the numerous Firefox users out there?" says one Reg reader. "A nearly 3Mb slow-as-treacle monster isn't quite the same thing as 8K of write-locked cookies."

This reader has now erased the add-on from his machine, accusing Mozilla of un-Jobsian behavior. "There's a lesson to be learned here. Two in fact. The first is, I bet the App Store wouldn't have let this fly <smirk> and... be careful who you trust."

But Abine is backing the beefed-up add-on, saying that although TACO 3.0 does install several other Abine tools, only tools related to cookie management are turned on by default.

TACO 3.0, for instance, automatically blocks Flash cookies and various JavaScript web bugs as well as permanently setting generic, non-personally identifiable opt-out cookies for more than 100 behavioral ad networks. It also includes myriad other tools — including a log-ins and passwords manager, a web identities manager, a safe email and phone client, a payments app for securely storing credits cards — but Abine's Kuznetsov defends the inclusion of these apps because they're not activated.

TACO 3.0 is tagged as a beta. But Kuznetsov says the beta tag only applies to the tools that are turned off by default. That said, there is a bit of a glitch in the suite's main UI. Kuznetsov had told us that with this UI, we could turn off the suite's pop-interface — which appear every time you visit a new site, describing what ad networks and cookies are in use. But on the version of the add-on we tested, this isn't the case. You can, however, turn off the pop-up interface from a "Hide this window?" link that appears on the pop-up itself.

"There are glitches in the software," Kuznetsov says. "And we apologize for that." He says that much of the add-on's 3MB is taken up by encryption tools, and that the company is "working to" reduce its size. During anecdotal testing at The Reg, the add-on does seem to slow Firefox considerably.

Abine TACO popup

Abined TACO pop-up

Kuznetsov says that he's aware of the complaints over the new TACO and that he's reached out to several users to address their concerns. On Mozilla's add-on site, the new plug-in has received more than 60 reviews and almost all involved vehement complaints. "TACO is BADWARE!" says another reviewer. "I can't think of any reason why someone should give TACO a try and am recommending that it be avoided completely. Prior version was ok; update is a deliberately malicious social engineering attack to a current version that is: Garbage. Garbage. GARBAGE!"

Some have accused the new add-on of being "spyware". But Kuznetsov says that it collects no user information, and Christopher Soghoian tells The Reg that when he sold the add-on to Abine, he received written assurances that it would not do so.

But Soghoian understands the other complaints. "People are pretty pissed about this, and they have a right to be."

Amidst the howls, one user has forked the TACO project again, offering an Abine-free version known as Beef TACO. "That shows the power of open source," Soghoian says. "If you don't like something, you can change it." ®

Update: This story has been updated with comment from Mozilla.

Beginner's guide to SSL certificates

More from The Register

next story
That dreaded syncing feeling: Will Microsoft EVER fix OneDrive?
Microsoft's long history of broken Windows sync
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
SLURP! Flick your TONGUE around our LOLLIPOP – Google
Android 5 is coming – IF you're lucky enough to have the right gadget
Nokia's N1 fondleslab's HIDDEN BRILLIANCE: The 'Z Launcher'
Sugarcoating Android's Lollipop makes tab easier to swallow
Bug fixes! Get your APPLE BUG FIXES! iOS and OS X updates right here!
Yosemite fixes Wi-Fi hiccup, older iOS devices get performance boost
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
Meet Windows 10's new UI for OneDrive – also known as File Explorer
New preview build continues Redmond's retreat to the desktop
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.