Firefox maker Mozilla deleted a promise to never sell its users’ personal data and is trying to assure worried users that its approach to privacy hasn’t fundamentally changed. Until recently, a Firefox FAQ promised that the browser maker never has and never will sell its users’ personal data. An archived version from January 30 says:
Does Firefox sell your personal data?
Nope. Never have, never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. That’s a promise.
That promise is removed from the current version. There’s also a notable change in a data privacy FAQ that used to say, “Mozilla doesn’t sell data about you, and we don’t buy data about you.”
The data privacy FAQ now explains that Mozilla is no longer making blanket promises about not selling data because some legal jurisdictions define “sale” in a very broad way:
Mozilla doesn’t sell data about you (in the way that most people think about “selling data”), and we don’t buy data about you. Since we strive for transparency, and the LEGAL definition of “sale of data” is extremely broad in some places, we’ve had to step back from making the definitive statements you know and love. We still put a lot of work into making sure that the data that we share with our partners (which we need to do to make Firefox commercially viable) is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like OHTTP).
Mozilla didn’t say which legal jurisdictions have these broad definitions.
Glad they clarified. To me the “selling data being defined broadly” argument made sense in the context of Google paying them to be included as a search provider. Because there is an argument that Google paying Firefox, and then the user entering a search and that being sent to Google’s servers could be legally seen as Mozilla selling data to Google.
They should clarify that then. Explain any and all situations that could be considered “selling user data” and explain what data that consists of. Then explain how to avoid it.
That shouldn’t be hard.
Across every country they operate in, and if anyone in those countries disagrees they might sue?
Not saying Im supporting FF here but it’s not as easy as you might think if their stated reason is honest
They wouldn’t have to do every country. A single example would be helpful, for context and clarity.
If so much of what they do could be considered “selling user data,” then are they really committed to protecting your data?
This sounds like FUD to me. If they were fine with the old language for years, why change it now? Were there lawsuits or actual risks of lawsuits? Or are they inching closer to what countries consider “selling user data”?
It feels like they’re hiding something. It’s not hard to have changes specific to a region (e.g. my VPS host, Hetzner, has additional EULA terms for the US), so they could have a separate TOS for regions they haven’t vetted.