Feeds

Firefoxers howl as privacy add-on auto updates with 'bloatware'

Overstuffed TACO

  • alert
  • submit to reddit

3 Big data security analytics techniques

Updated Firefox users are howling that a widely-used browser add-on designed to protect them from unwanted cookie tracking has been automatically updated with what they see as overly intrusive "bloatware".

On June 14, after it was acquired by a software outfit known as Abine, a new version of the TACO behavioral-ad–blocking add-on was pushed out via Mozilla's auto-update process — which means it has received Mozilla's approval — and an army of users are complaining of a kind of privacy add-on bait-and-switch.

"Despicably evil move guys. Using the trusted update path to stealthily 'update' to a bloatware shareware suite is just evil. Now I have to completely blow away this profile and reinstall all my TRUSTED extensions," says one reviewer. "See how easy it is to lose trust. *snapofthefingers* gone."

Speaking with The Reg, Abine has defended the upgrade, saying that Mozilla asks users for their approval before downloading the new add-on and that although the add-on installs a host of new tools, any unrelated to TACO's original cookie management mission are turned off by default.

"That's why we think of it as a legitimate upgrade," co-founder and CEO Eugene Kuznetsov tells The Reg. "You need [Abine's additional cookie management tools] to maintain the level of privacy TACO gave to a year ago. Behavioral ad networks are always adding new tools and you need new tools to stop them."

A Mozilla spokeswoman said: "TACO changed owners, and the new owners changed the add-on radically. It still provides the same core functionality, but the user interface is very different and there are a large number of extra features and privacy tools. The add-on update was approved by Mozilla. It is safe for users and follows our policies set forth in our Add-on Review Process." You can peruse the process here.

Abine TACO

Abined TACO

In March of last year, after Google rolled out its interest-based advertising behavioral ad targeting operation, privacy researcher Christopher Soghoian offered up a Firefox plug-in that opted you out of not only Google's behavioral ad system, but countless others across the web. He called it the Targeted Advertising Cookie Opt-Out project — TACO, for short.

Google was offering its own opt-out plug-in, but this was limited to the company's own tracking. So Soghoian modified the code — Google had released it under an Apache 2.0 license — to handle other networks as well. At the time, TACO blocked behavioral ad cookies from twenty-seven separate networks, and this has since grown to over 100.

It was a sliver of an add-on — about 8K. But this week, it expanded to a whopping 3MB. Soghoian recently sold TACO to Abine, a software outfit based in Boston, and on Monday, Abine rolled out a new version of TACO that's bundled with a host of additional software tools designed to protect your privacy. It also adds a pair of buttons to your browser chrome, and it includes a pop-up interface that appears every time you visit a new site.

Several of the Abine tools installed with the new add-on are turned off by default, and you can turn off the pop-up interface. But dozens of users, including Reg readers and posters on the add-on's Mozilla page, are howling that they've been duped.

"What ethics of a company that take this insidious approach to push their product to the numerous Firefox users out there?" says one Reg reader. "A nearly 3Mb slow-as-treacle monster isn't quite the same thing as 8K of write-locked cookies."

This reader has now erased the add-on from his machine, accusing Mozilla of un-Jobsian behavior. "There's a lesson to be learned here. Two in fact. The first is, I bet the App Store wouldn't have let this fly <smirk> and... be careful who you trust."

But Abine is backing the beefed-up add-on, saying that although TACO 3.0 does install several other Abine tools, only tools related to cookie management are turned on by default.

TACO 3.0, for instance, automatically blocks Flash cookies and various JavaScript web bugs as well as permanently setting generic, non-personally identifiable opt-out cookies for more than 100 behavioral ad networks. It also includes myriad other tools — including a log-ins and passwords manager, a web identities manager, a safe email and phone client, a payments app for securely storing credits cards — but Abine's Kuznetsov defends the inclusion of these apps because they're not activated.

TACO 3.0 is tagged as a beta. But Kuznetsov says the beta tag only applies to the tools that are turned off by default. That said, there is a bit of a glitch in the suite's main UI. Kuznetsov had told us that with this UI, we could turn off the suite's pop-interface — which appear every time you visit a new site, describing what ad networks and cookies are in use. But on the version of the add-on we tested, this isn't the case. You can, however, turn off the pop-up interface from a "Hide this window?" link that appears on the pop-up itself.

"There are glitches in the software," Kuznetsov says. "And we apologize for that." He says that much of the add-on's 3MB is taken up by encryption tools, and that the company is "working to" reduce its size. During anecdotal testing at The Reg, the add-on does seem to slow Firefox considerably.

Abine TACO popup

Abined TACO pop-up

Kuznetsov says that he's aware of the complaints over the new TACO and that he's reached out to several users to address their concerns. On Mozilla's add-on site, the new plug-in has received more than 60 reviews and almost all involved vehement complaints. "TACO is BADWARE!" says another reviewer. "I can't think of any reason why someone should give TACO a try and am recommending that it be avoided completely. Prior version was ok; update is a deliberately malicious social engineering attack to a current version that is: Garbage. Garbage. GARBAGE!"

Some have accused the new add-on of being "spyware". But Kuznetsov says that it collects no user information, and Christopher Soghoian tells The Reg that when he sold the add-on to Abine, he received written assurances that it would not do so.

But Soghoian understands the other complaints. "People are pretty pissed about this, and they have a right to be."

Amidst the howls, one user has forked the TACO project again, offering an Abine-free version known as Beef TACO. "That shows the power of open source," Soghoian says. "If you don't like something, you can change it." ®

Update: This story has been updated with comment from Mozilla.

Top three mobile application threats

More from The Register

next story
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.