Sunday, June 22, 2008

Awesomebar or Breach of Trust?

I just made the transition from Firefox 2 to Firefox 3 and my initial reaction was, well, underwhelmed. On further use though I realized that there is a horrid privacy issue that has existed for some time. It was the Awesomebar that brought this to light, which should be renamed by the way to the annoying bar. Anything that absorbs that much of my screen real estate and is that intrusive should have an easy way to turn it off.

That is not the privacy concern though. What really caught my attention was the fact that I have had Firefox set to not remember a thing. No history, flush the cache, cookies ... everything when I close the browser. If I want to revisit a site at a later date I bookmark it. Now with the advent of the Awesomebar I discovered that when I started typing in a URL that even though my history tab is empty that the Awesomebar was still pulling up the sites I had visited even though I had explicitly told it not to. What was more shocking was that I was seeing websites show up in there that I had visited prior to installing Firefox 3.

What in the world? There is a reason I dont want my browser to cache this stuff. I do not want anyone who walks up to my computer to be able to take a look at where I have been or what I have been researching. For one thing when I am at work I'm not really supposed to be going to sites like LXer or Groklaw, well, actually I can go there, I'm just not supposed to spend as much time as I do there. Or say I run across an interesting bit of news that sends me off on a knowledge hunt about the how or what of something. I realize that any of the IT folks who monitor network traffic could figure it out really quick, that's not my point though. My browser should NOT be caching this information against my express wishes.

Anyone, and I mean anyone with a little knowledge can walk up to your system and pull your history regardless of what you have told the browser to flush or not retain. This is not just breach of privacy, it's a breach of trust. I find it ethically questionable and morally reprehensible. So thanks to the Awesomebar for bringing this to my attention however my reaction after I sat down and thought about it for a few minutes was to start inventing a few new vulgar words to direct at the Firefox team.

Make no mistakes, this is not another undocumented "feature". This is a breach of public trust. Your browser is tracking EXACTLY what you have told it not to track or retain. I love using Firefox, but this revelation has set me to taking a serious look at other broswers for personal use, as should anyone who is concerned with personal privacy.

This is my call to Firefox. Fix it, and fix it now.

~Az

15 comments:

excessory said...

In my testing if the cache/history and everything is removed, the _only_ thing the awesome bar will show is sites that are bookmarked - which you said were fine.

If it is storing information beyond that, I would report it as a bug.

Azerthoth said...

Not in mine, Many of the results that were turning up were not bookmarked. Nor were they hand set into my hosts file. The thing that truly disturbs me is that sites that I had visited while using FF2 prior to FF3 install were showing up as well. FF2 settings were to not remember a thing either.

ĸεиلı said...

They are coming out with a private browsing mode in the next release, 3.1 if I'm not mistaken.

JIB said...

1) Enter about:config in the address bar

2) Type "rich" in the search filter and the only hit should be:

browser.urlbar.maxRichResults

3) Set its value to 0

4) No more awesomebar.

Grakker said...

I've never noticed that before. I just tried it. Nothing cached anywhere that I can tell. I'd be more than a little pissed if this was indeed a default behavior.

Are you sure that you don't have a bookmark folder with recent visits or something like that? RSS feed maybe?

Azerthoth said...

@jib, done that already. the fun bit is, if I go back in and turn it back on, all the hits from my non bookmarked pre 3.0 install show right back up again.

As I said, I have had all the "dont remember a thing" options set since my initial Sabayon install.

excessory said...

Everything I can find regarding the new location bar indicates that it pulls the urls from history and bookmarks. If you delete your history, the only links left should be bookmarks or IMO it's a bug and (as I've mentioned) should be reported.

When I delete my history, all that are left are bookmarks (indicated with a star).

If your location bar is picking up history after you have cleared your history - this sounds more like a 'history not deleting bug' as opposed to a location bar bug. I did a quick search on Bugzilla and there is a bug related to history not deleting: https://bugzilla.mozilla.org/show_bug.cgi?id=439795

Sam said...

If you're using Linux, you may just want to check that Firefox has write permissions on the folders it needs to access regarding history and cookies.

Des said...

One of the last written comments raises a good point; are you using Linux/Unix or Windows?

Ihar Filipau said...

If you want true and real privacy, I can rent you a bunker in middle of a desert...

Seriously, what a bunch of whiners. Privacy is important. But only to (very vocal) minority. Rest of people are pretty OK with the all additional services Fx3 provides.

If you feel that you found a bug (it sounds like that) then you definitely should file a bug in bugzilla and escalate its priority.

Because otherwise it's just whining of another blogger from the gray mass of bloggers who produce nothing but whining.

Michael V said...

I can understand your concern about privacy, and that sounds like a bug.

But why are people complaining about screen real estate for a feature that only shows up for short amount of time. The screen use is temporary. Yeah, if it took up a large amount of the screen all the time, it would be a big deal, but it just pops up, lets you do what you want, then goes away. It could use my entire screen and I wouldn't care, because it gets out of the way once I'm finished with it.

Honestly, take a look at the new KDE4 Menu. It's the exact opposite of what I want. Sure, it conserves screen real estate (I still don't know how that's supposed to help me), but I have to click, click, click everywhere and it bugs the Hell out of me. I greatly prefer menus that take up more of the screen and let me find what I'm looking for faster and easier.

Seriously, we humans can't multi-task (not when it comes to information rich inputs, read Brain Rules), so when I'm doing one particular thing, I don't need to see anything else. When I'm using a Gnome menu, I'm looking for an application, and don't need to see anything else on the screen at that moment. When I'm using the awesomebar, I don't need to see anything on the page, I just need to see the link I'm trying to find. Preserving screen real estate just for the sake of screen real estate makes absolutely no sense!

WE ARE *NIXED! said...

To the person who asked what Azerthoth uses as an OS, it should have been obvious when he said Sabayon. Sabayon is based on Gentoo, which uses the Linux kernel.

@Ihar Filipau

If you feel that you privacy is not that important, then be my guest. It's the principle of the matter. If you set something to not remember anything you do, then that feature should work hands down. Obviously what this person from the "gray mass of bloggers" has contributed something. If what Azerthoth said was not a significant contribution, then why are you wasting your time commenting on this post?

Sam said...

@we are *nixed

Should have picked that up, sorry. The point is still valid and worth looking into though.

On a related note, can he replicate his 'breach of trust' on Windows? I'm sure everyone is aware that this would help narrow down his problem to either his said 'breach of trust' or a plain old bug.

Robert said...

Just tested this on Windows Vista/FF 3 final, and was unable to duplicate it. I blew away my history and cache using the built-in Private Data clearing function (Tools --> Options --> Privacy --> Private Data --> Clear Now), and without restarting the browser tried typing in a number of sites that I'd visited today, but not bookmarked. Guess what...NONE of them came up in the Awesome Bar.

Azerthoth, check your perms and try it again...then report the bug on bugzilla. I'm sure the FF devs would like to know about the bug...not the "huge breach of public trust and privacy".

Doctor Mo said...

@Azer,

Make sure you are also deleting any saved sessions you may have.

I noticed a previously session's links appeared when I typed in the Awesomebar.

I use TabMixPlus and I told it to clear any of its saved session information.

That fixed the problem for me.