Firefoxers howl as privacy add-on auto updates with 'bloatware'
Updated Firefox users are howling that a widely-used browser add-on designed to protect them from unwanted cookie tracking has been automatically updated with what they see as overly intrusive "bloatware".
On June 14, after it was acquired by a software outfit known as Abine, a new version of the TACO behavioral-ad–blocking add-on was pushed out via Mozilla's auto-update process — which means it has received Mozilla's approval — and an army of users are complaining of a kind of privacy add-on bait-and-switch.
"Despicably evil move guys. Using the trusted update path to stealthily 'update' to a bloatware shareware suite is just evil. Now I have to completely blow away this profile and reinstall all my TRUSTED extensions," says one reviewer. "See how easy it is to lose trust. *snapofthefingers* gone."
Speaking with The Reg, Abine has defended the upgrade, saying that Mozilla asks users for their approval before downloading the new add-on and that although the add-on installs a host of new tools, any unrelated to TACO's original cookie management mission are turned off by default.
"That's why we think of it as a legitimate upgrade," co-founder and CEO Eugene Kuznetsov tells The Reg. "You need [Abine's additional cookie management tools] to maintain the level of privacy TACO gave to a year ago. Behavioral ad networks are always adding new tools and you need new tools to stop them."
A Mozilla spokeswoman said: "TACO changed owners, and the new owners changed the add-on radically. It still provides the same core functionality, but the user interface is very different and there are a large number of extra features and privacy tools. The add-on update was approved by Mozilla. It is safe for users and follows our policies set forth in our Add-on Review Process." You can peruse the process here.
In March of last year, after Google rolled out its
interest-based advertising behavioral ad targeting operation, privacy researcher Christopher Soghoian offered up a Firefox plug-in that opted you out of not only Google's behavioral ad system, but countless others across the web. He called it the Targeted Advertising Cookie Opt-Out project — TACO, for short.
Google was offering its own opt-out plug-in, but this was limited to the company's own tracking. So Soghoian modified the code — Google had released it under an Apache 2.0 license — to handle other networks as well. At the time, TACO blocked behavioral ad cookies from twenty-seven separate networks, and this has since grown to over 100.
It was a sliver of an add-on — about 8K. But this week, it expanded to a whopping 3MB. Soghoian recently sold TACO to Abine, a software outfit based in Boston, and on Monday, Abine rolled out a new version of TACO that's bundled with a host of additional software tools designed to protect your privacy. It also adds a pair of buttons to your browser chrome, and it includes a pop-up interface that appears every time you visit a new site.
Several of the Abine tools installed with the new add-on are turned off by default, and you can turn off the pop-up interface. But dozens of users, including Reg readers and posters on the add-on's Mozilla page, are howling that they've been duped.
"What ethics of a company that take this insidious approach to push their product to the numerous Firefox users out there?" says one Reg reader. "A nearly 3Mb slow-as-treacle monster isn't quite the same thing as 8K of write-locked cookies."
This reader has now erased the add-on from his machine, accusing Mozilla of un-Jobsian behavior. "There's a lesson to be learned here. Two in fact. The first is, I bet the App Store wouldn't have let this fly <smirk> and... be careful who you trust."
But Abine is backing the beefed-up add-on, saying that although TACO 3.0 does install several other Abine tools, only tools related to cookie management are turned on by default.
TACO 3.0 is tagged as a beta. But Kuznetsov says the beta tag only applies to the tools that are turned off by default. That said, there is a bit of a glitch in the suite's main UI. Kuznetsov had told us that with this UI, we could turn off the suite's pop-interface — which appear every time you visit a new site, describing what ad networks and cookies are in use. But on the version of the add-on we tested, this isn't the case. You can, however, turn off the pop-up interface from a "Hide this window?" link that appears on the pop-up itself.
"There are glitches in the software," Kuznetsov says. "And we apologize for that." He says that much of the add-on's 3MB is taken up by encryption tools, and that the company is "working to" reduce its size. During anecdotal testing at The Reg, the add-on does seem to slow Firefox considerably.
Abined TACO pop-up
Kuznetsov says that he's aware of the complaints over the new TACO and that he's reached out to several users to address their concerns. On Mozilla's add-on site, the new plug-in has received more than 60 reviews and almost all involved vehement complaints. "TACO is BADWARE!" says another reviewer. "I can't think of any reason why someone should give TACO a try and am recommending that it be avoided completely. Prior version was ok; update is a deliberately malicious social engineering attack to a current version that is: Garbage. Garbage. GARBAGE!"
Some have accused the new add-on of being "spyware". But Kuznetsov says that it collects no user information, and Christopher Soghoian tells The Reg that when he sold the add-on to Abine, he received written assurances that it would not do so.
But Soghoian understands the other complaints. "People are pretty pissed about this, and they have a right to be."
Amidst the howls, one user has forked the TACO project again, offering an Abine-free version known as Beef TACO. "That shows the power of open source," Soghoian says. "If you don't like something, you can change it." ®
Update: This story has been updated with comment from Mozilla.
Sponsored: Becoming a Pragmatic Security Leader