Mozilla Exec tells Google, Apple, Microsoft, "don't be evil"

Every once in awhile a browser plug-in will show up in Firefox whether you gave it permission to be there by accident or maybe without any permission at all. A top Mozilla executive is tired of it and has called on Microsoft, Apple and Google to stop the practice of allowing browser plug-ins to install automatically. 

Asa Dotzler, the co-founder of the Spread Firefox project and a member of Mozilla's leadership team, says the big three are 'evil' and their plug-ins are being installed without user permission. Dotzler went off on a bit of a tangent on his blog

Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages? When I installed iTunes, in order to manage my music collection and sync to my iPod, why did Apple think it was OK to add the iTunes Application Detector plug-in to my Firefox web browser without asking me? Why did Microsoft think it was OK to sneak their Windows Live Photo Gallery or Office Live Plug-in for Firefox into my browser (presumably) when I installed Microsoft Office? What makes Google think it's reasonable behavior for them to slip a Google Update plug-in into Firefox when I installed Google Earth or Google Chrome (not sure which one caused this) without asking me first?

The attack on Google is a little surprising, as the search deal Mozilla has with Google provides most of their income. Even still, he went on to bite the proverbial hand that feeds him. 

Google, Microsoft, Apple, RockMelt, and any others out there who are doing this, I'm calling on you to stop this now. If you want to add software to my system, ask me. Sneaking software onto my system that I didn't ask for is evil (precisely in the Google "don't be evil" sense.)

He concluded his rant by saying that Firefox could do more to prevent this type of behavior, but doesn't feel that they should have to waste their energy fighting against companies that should be considered trustworthy. Closing out, he requested one thing of the software companies: "ASK first!"

Report a problem with article
Previous Story

Verizon Photoshops iPhone maps screen onto Droid X

Next Story

Playboy releases entire catalog on hard drive, easy to hide

66 Comments

Commenting is disabled on this article.

Hmmmm... here's an idea..... instead of telling these companies not to silently install plugins into Firefox, why don't you code your browser in such a way that plugins cannot be installed silently and have to be specifically activated unless expressly installed manually by a user?

The only way to stop it is to make it illegal.

If a company repairing the roof of my house wants to add an unwanted window in a piece having already 3 windows they'll ask me first. If a company changing the oil of my car wants to add unwanted neon lights under the car they need to ask me first and i expect a pro company to ask me first. The last thing i want is neon lights all over my car If i bring my car for an oil change i don't want some extra.

Why should it be different for computer? Why it is considered okay to install DRM softwares, toolbars and plug-ins without asking the user about it first?

I do not use my computer to play games only. I use it to work as i'm a computer engineer. It's an important piece of hardware for me.

LaP said,
The only way to stop it is to make it illegal.

If a company repairing the roof of my house wants to add an unwanted window in a piece having already 3 windows they'll ask me first. If a company changing the oil of my car wants to add unwanted neon lights under the car they need to ask me first and i expect a pro company to ask me first. The last thing i want is neon lights all over my car If i bring my car for an oil change i don't want some extra.

Why should it be different for computer? Why it is considered okay to install DRM softwares, toolbars and plug-ins without asking the user about it first?

I do not use my computer to play games only. I use it to work as i'm a computer engineer. It's an important piece of hardware for me.

Because the rules and line that would need to be defined would be insane if it were to be defined for legal purposes.

You are already clicking the 'agree' button when you install software from these companies, so there is why it IS NOT and WON'T be illegal.

Additionally, there is a difference between a user installing a software suite like Microsoft Office that installs a simple plugin that ONLY fires when the user is using Office Online and wants to open the document in Word or Excel on their desktop. This requires an authorization request, and without this plugin - it BREAKS the user's ability to open Office documents from the Offline Online/Live website.

So if Microsoft didn't provide this, Firefox users would not be able to open their Office documents from inside Firefox because of the secure authenication required. And if this happened, a lot of users would be angry and even Firefox would be angry as they would be saying Microsoft is excluding Firefox.

As for other software like iTunes and Google Crap that installs their toolbars and other plugins without telling the user that 'oh we are going to screw up and change your browser', it is a bit un-ethical and not in the same argument as Microsoft Office installing features that make their product work and don't interfere with how the browser works.

Microsoft also hates companies that install crap in browsers, and it was quite an internal fight that MS let the Bing Toolbar be an option for Windows Live Essentials when it is installed even.

If you look at IE8 and the addon manager and how IE9 will even warn you that crap is slowing down your browser or doing things it shouldn't and list the ones doing this and ask you to disable them.

Why is this newsworthy? A lot of what many Mozilla develops say on their blogs can be like this, so I don't see what makes this particular one of Asa's blog posts newsworthy.

By the way, a post by Asa =/= definitive stance of Mozilla. For one, he is soapboxing about an adverse situation with plugins ... not defining Mozilla's stance on plugins. He is not making an annoucement about future features, or an announcement about future lack of features.

This is not by any means limited to Neowin news posters or commenters, but people take blog posts waaaaay too seriously sometimes, especially personal blogs, and attempt to read far too much into it.

I agree with this. When I install a program, I may not really want them to install a toolbar, plug-in, add-on, or extension. I would like to be asked and also explained what they are really asking (pros & cons)

I don't think it's fair to call it surprising for a Mozilla person to include Google in their comments ... they are an independent and open organization. To pull their punches would be exactly the kind of thing they _shouldn't_ be doing.

It's barely a tangent ... it's his own blog. How can you go off on a tangent when it's directly related to what he does?

It's also hardly a 'rant'. Sheesh.

@NspyraishN,
"I will continue to disable most of these plugins, but I still must agree with Mozilla that I really shouldn't have to in the first place."

Then Mozilla should build some mechanism into Firefox to prevent this, not just asking for the plugin vendor's mercy. You can't possibly ask this to every plugin vendors out there, especially some intentionally malicious ones. So Mozilla/Firefox is the one who should provide some mechanism that prevent the automatic installation of plugins without user consent, then it will solve the problem from the root, not just asking a handful of big plugin vendors to be nice while there may be thousands of other plugin vendors (some intentionally malicious) lurking out there.

wellofsouls said,
@NspyraishN,
Then Mozilla should build some mechanism into Firefox to prevent this, not just asking for the plugin vendor's mercy.

Yeah, but it's a bit scary with the "install everything without asking the user because we don't believe he needs to know" mentality. In the end it is a balance between making it easier for the user without deep knowledge and user control.

I've long before I read this disabled all plugins I don't want in Firefox.

wellofsouls said,
Then Mozilla should build some mechanism into Firefox to prevent this, not just asking for the plugin vendor's mercy.
They're actually considering this, but it's preferable to make the request first, before taking the permanent route (that can result in confusion and annoyance on _everyone's_ side, even if the end result is beneficial).

They need to look in the mirror first.

With the claim that Firefox is now the most insecure browser... One has to wonder.

Raa said,
With the claim that Firefox is now the most insecure browser... One has to wonder.
One has to wonder .... what? Are these actions mutually exclusive things, improving browser security, and ensuring plugins don't auto-install?

Dude has a rather broad definition of "evil."

That said yes, installers should at least ask and preferably allow the owner to choose whether to include each component.

Chrome lost any chance it ever had with me by being forcibly installed along with some other installer I needed to run (many months ago, forgotten exactly what). I take that rather seriously and couldn't get rid of it fast enough, no matter what merits it may have.

Rudy said,
I agree with them... I hate when installers install stuff you didnt ask for

They've never installed when I didn't ask them.

Raa said,
They've never installed when I didn't ask them.
Are you suggesting Google Update doesn't do this? Cause it does. Same with the Windows Live stuff.

jasonon said,
I was asked in IE 9 for the office extension, is it only firefox that has this problem?

Yup, IE9 introduced tighter control of plugin/addons. Everytime a plugin/addon is installed, it prompts the user for explicit consent to enable it, else it stays disabled.

brianshapiro@ whether or not the plugins may be useful is subjective, and for that reasons, users should be given a choice. You might not see performance differences, but as a poweruser, I do. After disabling over 100 "might be useful" services in Windows 7, I found myself using a computer that was nearly 5 times faster latency-wise than it was with my OEM installation. Uninstalling several "could-be-useful" programs and services not only freed up hard disk space, but also nearly doubled my performance (not benchmark performance, but real-life performance).

Even in Linux, too much "could be useful" bloat will slow a system down; KDE desktop was notorious for this, and I still prefer the performance of Openbox for the speed that its minimalism and simplicity it offers.

While you might not see the advantage of the K.I.S.S. principle, many (if not most) of the more dedicated powerusers do, and mainstream web browsers like the aforementioned Big 3 (and Rockmelt to a lesser extent) have a responsibility to be conscientious of those predispositions, whether such perceptions are valid or not.

I will continue to disable most of these plugins, but I still must agree with Mozilla that I really shouldn't have to in the first place.

In regards to OEM's including flash, I thing the following should be noted:
(1) comparing OEM installations to applications modifying *other* applications is far more far-fetched than comparing apples to oranges-- it's like comparing humans to snails (we both have a central nervous system!)
(2) OEMs only include flash by default in Windows installations (new Macs don't anymore); if it were up to the powerusers like myself, the user would be given the option at initial set-up screen that OEM computers have; the user would select which plugins, if any, they wanted. That's a far more fair and satisfactory system for everyone, I think; in fact, this system is already used in Ubuntu 10.10-based installations.

NspyraishN said,

(1) comparing OEM installations to applications modifying *other* applications is far more far-fetched than comparing apples to oranges-- it's like comparing humans to snails (we both have a central nervous system!)

I don't think OEMs installing Flash is any less extreme than Microsoft Office installing the Office Live plug-in or iTunes installing an iTunes plugin. And I don't remember from my install, but I'd expect if you opted for a custom install of Office rather than a default install, you could disable it.

You're saying its apples and oranges -- or more far-fetched even -- but even if its apples or oranges, both are still not a big deal.

NspyraishN said,

You might not see performance differences, but as a poweruser, I do.

As a power user, as am I, you know how to uninstall it. Its the non-power users I'd worry about.

murkurie said,
Skype is annoying with all the extra stuff it trys to add,

Install the business version. Plain, simple, all the features without the "extra".

It's nice to read someone has balls in the software business. Just yesterday I was trying to uninstall (to reinstall, since repair didn't work) itunes, and **** did it have a ton of extra apps installed, bonjour, apple mobile device, quicktime, etc. I had to get Revo Uninstaller; yes indeed, a dedicated application UNINSTALLER - l.m.f.a.o...

I use products from all three of those companies, and I've never once noticed any plugins being installed without my permission from Apple, Microsoft, or Google.

Skype, on the other hand, is notorious for this. Every time I install Skype, it adds the Skype plugin to Firefox and IE, which is annoying at best (especially when it starts highlighting anything that looks like a phone number). Beyond that though, every time Skypes updated itself in the past, it installed the "Browser Highlighter", which really ticks me off - not only does Skype not ask permission to install it, but Skype also doesn't even mention it, and there's nothing there indicating that it was installed by a Skype update. The first time I saw it, I though my computer got infected with malware or something.

Browser loyalty aside, I totally agree that this needs to stop. Kaspersky did it for a while then removed it, and I think AVG does it too. It doesn't stop with just these companies.

brianshapiro said,
... then , contrary to what he's saying it is Mozilla's responsibility to prevent it.

hell no.

Firefox is open source but also a open platform with open specification, so everybody can use it and modify at whim.

Magallanes said,

hell no.

Firefox is open source but also a open platform with open specification, so everybody can use it and modify at whim.

Yea I was talking about software installing plug-ins without user approval. If some other software package were to install a plugin, the next time you open Firefox it could give a dialog box saying "This app you recently installed tried to install a plugin for Firefox. Allow it? y/n"

This got cut off the end of my previous comment by mistake when I edited it so I posted it again. The point is if Firefox is concerned that this tactic could be used for truly obtrusive or malicious behavior, by people like hackers they have no chance to ask to 'do no evil', like wellofsouls said above, then they have the obligation to create a solution instead of complaining about Microsoft, Google and Apple

brianshapiro said,
... then , contrary to what he's saying it is Mozilla's responsibility to prevent it.
I totally agree. Not only would it solve the issue of trust worthy companies adding things but it might make it harder for anyone else looking to do anything dodgy more difficult too.

If Mozilla wants to keep it as an open system then other companies will treat it as such.

Smigit said,
If Mozilla wants to keep it as an open system then other companies will treat it as such.
How are you defining 'open' here?

0day said,
I took a glance at the article and it said RockMelt. Since when did RockMelt do anything like this?

In Google Chrome, at the very least, I have noticed in the about:plugins list that RockMelt added its own update plugin to run while I'm using Chrome... of course, I disable all plugins I don't notice. (ex. I get rid of my Windows Live Photo Gallery since it doesn't make a diff for me at all)

LOL, brianshapiro is quite personal about this news ain't it. I bet he doesn't even use Firefox, but that doesn't matter.

Anyone fire up your favorite browser and type in about:plugins. You will see that those browser too loaded in those unauthorized plugins and not just a FF's nature alone. These plugins are universal and they will be loaded into whatever browser you are using. Opera,chrome, IE, heck even even the ancient Netscape 7. Brianshapiro's opinion of FF's security is a non-issue to begin with this topic.

Not only the possibility of crashing BROWSER[S], they eat up resources. So yes, companies should 'stop being evil' and add an option NOT to install these plugins during installation. Sorry for hijacking.

flexkeyboard said,
LOL, brianshapiro is quite personal about this news ain't it. I bet he doesn't even use Firefox, but that doesn't matter.

Anyone fire up your favorite browser and type in about:plugins. You will see that those browser too loaded in those unauthorized plugins and not just a FF's nature alone. These plugins are universal and they will be loaded into whatever browser you are using. Opera,chrome, IE, heck even even the ancient Netscape 7. Brianshapiro's opinion of FF's security is a non-issue to begin with this topic.

Not only the possibility of crashing BROWSER[S], they eat up resources. So yes, companies should 'stop being evil' and add an option NOT to install these plugins during installation. Sorry for hijacking.

I typed about:plugins and don't see anything, am I doing something wrong?

flexkeyboard said,
LOL, brianshapiro is quite personal. I bet he doesn't even use Firefox, but that doesn't matter ... Brianshapiro's opinion of FF's security is a non-issue to begin with this topic.

Me being personal? You're the one making this about me.

Maybe I should ask if you even use Microsoft Office, or whether you use OpenOffice instead.

flexkeyboard said,
Anyone fire up your favorite browser and type in about:plugins. You will see that those browser too loaded in those unauthorized plugins and not just a FF's nature alone. These plugins are universal and they will be loaded into whatever browser you are using. Opera,chrome, IE, heck even even the ancient Netscape 7. Brianshapiro's opinion of FF's security is a non-issue to begin with this topic.

I doubt this! Internet Explorer uses COM/ActiveX for it's plugin-System whereas the other browsers do not! And btw. there is no about:plugins in any version of IE…

flexkeyboard said,
LOL, brianshapiro is quite personal about this news ain't it. I bet he doesn't even use Firefox, but that doesn't matter.

Anyone fire up your favorite browser and type in about:plugins. You will see that those browser too loaded in those unauthorized plugins and not just a FF's nature alone.

It's not FF's nature or any browser's nature, that's the point. These companies have been circumventing the add-on installer by somehow installing their plugins while installing other programs. I don't think they're installed to your profile, as they should be, either, but instead they put them somewhere that allows them to be used by every user on the computer, whether they want to or not.