Feeds

Firefoxers howl as privacy add-on auto updates with 'bloatware'

Overstuffed TACO

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Updated Firefox users are howling that a widely-used browser add-on designed to protect them from unwanted cookie tracking has been automatically updated with what they see as overly intrusive "bloatware".

On June 14, after it was acquired by a software outfit known as Abine, a new version of the TACO behavioral-ad–blocking add-on was pushed out via Mozilla's auto-update process — which means it has received Mozilla's approval — and an army of users are complaining of a kind of privacy add-on bait-and-switch.

"Despicably evil move guys. Using the trusted update path to stealthily 'update' to a bloatware shareware suite is just evil. Now I have to completely blow away this profile and reinstall all my TRUSTED extensions," says one reviewer. "See how easy it is to lose trust. *snapofthefingers* gone."

Speaking with The Reg, Abine has defended the upgrade, saying that Mozilla asks users for their approval before downloading the new add-on and that although the add-on installs a host of new tools, any unrelated to TACO's original cookie management mission are turned off by default.

"That's why we think of it as a legitimate upgrade," co-founder and CEO Eugene Kuznetsov tells The Reg. "You need [Abine's additional cookie management tools] to maintain the level of privacy TACO gave to a year ago. Behavioral ad networks are always adding new tools and you need new tools to stop them."

A Mozilla spokeswoman said: "TACO changed owners, and the new owners changed the add-on radically. It still provides the same core functionality, but the user interface is very different and there are a large number of extra features and privacy tools. The add-on update was approved by Mozilla. It is safe for users and follows our policies set forth in our Add-on Review Process." You can peruse the process here.

Abine TACO

Abined TACO

In March of last year, after Google rolled out its interest-based advertising behavioral ad targeting operation, privacy researcher Christopher Soghoian offered up a Firefox plug-in that opted you out of not only Google's behavioral ad system, but countless others across the web. He called it the Targeted Advertising Cookie Opt-Out project — TACO, for short.

Google was offering its own opt-out plug-in, but this was limited to the company's own tracking. So Soghoian modified the code — Google had released it under an Apache 2.0 license — to handle other networks as well. At the time, TACO blocked behavioral ad cookies from twenty-seven separate networks, and this has since grown to over 100.

It was a sliver of an add-on — about 8K. But this week, it expanded to a whopping 3MB. Soghoian recently sold TACO to Abine, a software outfit based in Boston, and on Monday, Abine rolled out a new version of TACO that's bundled with a host of additional software tools designed to protect your privacy. It also adds a pair of buttons to your browser chrome, and it includes a pop-up interface that appears every time you visit a new site.

Several of the Abine tools installed with the new add-on are turned off by default, and you can turn off the pop-up interface. But dozens of users, including Reg readers and posters on the add-on's Mozilla page, are howling that they've been duped.

"What ethics of a company that take this insidious approach to push their product to the numerous Firefox users out there?" says one Reg reader. "A nearly 3Mb slow-as-treacle monster isn't quite the same thing as 8K of write-locked cookies."

This reader has now erased the add-on from his machine, accusing Mozilla of un-Jobsian behavior. "There's a lesson to be learned here. Two in fact. The first is, I bet the App Store wouldn't have let this fly <smirk> and... be careful who you trust."

But Abine is backing the beefed-up add-on, saying that although TACO 3.0 does install several other Abine tools, only tools related to cookie management are turned on by default.

TACO 3.0, for instance, automatically blocks Flash cookies and various JavaScript web bugs as well as permanently setting generic, non-personally identifiable opt-out cookies for more than 100 behavioral ad networks. It also includes myriad other tools — including a log-ins and passwords manager, a web identities manager, a safe email and phone client, a payments app for securely storing credits cards — but Abine's Kuznetsov defends the inclusion of these apps because they're not activated.

TACO 3.0 is tagged as a beta. But Kuznetsov says the beta tag only applies to the tools that are turned off by default. That said, there is a bit of a glitch in the suite's main UI. Kuznetsov had told us that with this UI, we could turn off the suite's pop-interface — which appear every time you visit a new site, describing what ad networks and cookies are in use. But on the version of the add-on we tested, this isn't the case. You can, however, turn off the pop-up interface from a "Hide this window?" link that appears on the pop-up itself.

"There are glitches in the software," Kuznetsov says. "And we apologize for that." He says that much of the add-on's 3MB is taken up by encryption tools, and that the company is "working to" reduce its size. During anecdotal testing at The Reg, the add-on does seem to slow Firefox considerably.

Abine TACO popup

Abined TACO pop-up

Kuznetsov says that he's aware of the complaints over the new TACO and that he's reached out to several users to address their concerns. On Mozilla's add-on site, the new plug-in has received more than 60 reviews and almost all involved vehement complaints. "TACO is BADWARE!" says another reviewer. "I can't think of any reason why someone should give TACO a try and am recommending that it be avoided completely. Prior version was ok; update is a deliberately malicious social engineering attack to a current version that is: Garbage. Garbage. GARBAGE!"

Some have accused the new add-on of being "spyware". But Kuznetsov says that it collects no user information, and Christopher Soghoian tells The Reg that when he sold the add-on to Abine, he received written assurances that it would not do so.

But Soghoian understands the other complaints. "People are pretty pissed about this, and they have a right to be."

Amidst the howls, one user has forked the TACO project again, offering an Abine-free version known as Beef TACO. "That shows the power of open source," Soghoian says. "If you don't like something, you can change it." ®

Update: This story has been updated with comment from Mozilla.

Boost IT visibility and business value

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.