This isn't just a problem with extensions, though. It's a problem with everything. Always has been and always will be.
This is why people should be extremely cautious about becoming too attached to (or, worse, dependent on) any particular product or service. It can change ownership (and therefore policies) at any time.
This wasn't a big problem with software just 20 years ago. Sure, the software you used could be bought by someone else, but that just meant you might choose not to get the next version. Software didn't automatically update, and licenses were eternal and mostly tied to physical tokens, like a disk or a fancy sticker. At some point your beloved software might become obsolete, but that was because it was outpaced in improvements by other better software, not because yours got any worse.
And, to be honest, it doesn't even really have to be a problem now. I use almost entirely FSF or Open Source software. Of the proprietary software I use, it's still software that I have an installable copy of and I'll be able to keep using it for as long as I have a machine that can run it.
I don't do automatic updates and actively prevent that from happening. Automatic updates are a plague that means you can't rely on the software anymore, if for no other reason than an update may (and likely will, eventually) remove or otherwise bork the very aspect that made it valuable to you.
But I'm a weirdo and take care to ensure that I actually own and control the software I use. I see people getting burned because they're at the mercy of a company all too often.
It has happened in open source, too: OpenOffice was once well-respected, but 10 years ago we needed to switch to LibreOffice. (and I bet still not everyone has noticed)
No, there is a huge difference. The Avast extension can update without warning adding whatever kind of tracking or leaks they want. The old OOo version won't do that.
Using open source isn't enough any more, now that everything's tightly coupled and expects the latest version. Can't run a new version of anything without "upgrading" your window manager, session manager, dbus, udev, kernel, whoops the new kernel broke compatibility with the drivers for your hardware? Too bad.
I've switched to FreeBSD and things mostly stay working, but I've already seen steps in the direction that Linux has gone, so I fear it's just a matter of time.
In theory yes, but they only help with needing specific solibs which is actually a minority of the problems you see nowadays IME. In terms of things like having the wrong dbus sessions/interfaces available in your environment, flatpak/snap/etc. seem if anything to be making things worse.
How about not talking past each other and declaring victory? The majority of software, prior to the internet, were necessarily optional. There were corporate lock-ins. These are not the software most people purchased/owned.
2000-2005, the biggest automatic updates that consumers had to deal with were Windows (Office, OS, etc) updates and games. Valve's Steam, which had come into prevalence (notably Counterstrike:Source), World of Warcraft, etc.
By 2008 (Google Chrome), automatic updates were common. I would say the ship had sailed by 2005. Yes, this is 1 full generation ago.
Sometimes this is more annoying than helpful, and I only speak with a tiny bit of hyperbole here.
On several different SaaS softwares used at my employer I have found myself asking if they have entire teams of highly compensated UX professionals and graphics designers who justify their continued employment by changing the interface every 3 months by just enough to annoy me after I finally remap my brain to the latest locations of the tools and buttons.
But the barriers to releasing and distributing software were much higher, as you had to work out to get it to people, and incremental release were basically impossible. So software was controlled by a handful of big companies.
The industry had more smaller players compared to today and a better chance to sell. The barriers were higher but expectations lower. Plus you had a fragmentation of computers and high margins. Trade shows and flea markets, magazines, shareware and asking store owners directly were accessible ways.
Today we have the illusion of speaking globally but have been gatekept out by a handful of companies.
It's another prime example of why users should be wary of always choosing automatic software updates, and particularly wary of any company that uses security and "we know what's best for our dumb users" as an excuse for trying to stop users from using only a manual update process.
Its too much effort to manage each app's update. In the age of smartphones they push an update once a day, sometimes it feels like every 5 secs.
Plus if you look at the app store updates, most of the apps post nonsense in the release notes such as "fixed bugs", "Thank you for being a user of Lyft this update will make your experience even better!", or the worst kind:
"You know how sometimes you just become aware of how much tension you're holding in your body, then take a deep breath and slowly let it out? This update is like that. It's still Slack, just with a tiny bit less friction."
HOGWASH Slack, this update will likely cause friction! If only those people that write this crap got laid off, the world would be a tiny bit better :/
Maybe its time to declutter software that you don't control in your life just like how people declutter stuff. Every item is an additional tiny mental burden and the same goes for each closed source app installed on your phone. Maybe its better if we just forgo any "benefits" the app may provide and not bother anymore.
Windows XP didn't have automatic updates in the beginning. So approximately nobody had the relevant security patches for Windows and IE. The result were Sasser and MyDoom.A on almost every Windows machine. It was a disaster.
It seems less risky to continue automatic updates and just accept the possibility of malicious ownership change.
Early always-connected computers with no NAT led to a lot of hard lessons. At this point many of those have been learned, and there's a lot more depth to network security. Operating systems and key tools like web browsers and ssh are hard enough that strictly necessary updates like heartbleed patches are few and far between, and are hard to miss. The majority of what gets pushed out now through automatic updates for OSs and key software is exploiting the update channel to deliver crap features that increase revenues or deepen the moats for the company pushing them. They want to ensure that they can collect maximum rent with the least effort for as long as possible.
Hopefully that abuse will reach a point where the camels back breaks, and the pain of freeing yourself from vendor lock-in becomes worth it, prompting smart consumers and businesses in large numbers to use and support principled software projects through contributions of money, code and labor.
Was it really a "disaster"? Or just a natural consequence that we must continue to accept if we truly believe in freedom?
People can learn and have personal responsibility, but the companies would rather use such examples for leverage to keep them ignorant and corral them into putting nooses of control around their necks.
What? Yes it did. Windows 98 had the first version of MS's Automatic Updates, with the Critical Update Notifications. Windows ME came with actual Automatic Updates, and so did XP.
> Windows XP didn't have automatic updates in the beginning. So approximately nobody had the relevant security patches for Windows and IE. The result were Sasser and MyDoom.A on almost every Windows machine. It was a disaster.
Except that this was due to a vulnerability in Windows which was fixed _after_ those worms ravaged the Windows users.
I don't recall the world ending because of a couple infected Windoze machines. Plus it made teenagers like myself a bit of cash for cleaning up friends'/relatives' computers.
The problem is that 99% of users will not be bothered with deciding anything regarding updates or any computer administration. So you either get automatic updates and situations like the current one, or you get out of date/exploited software.
True, but I don't think that justifies the practice at all.
At the very least, software needs to do what it used to do: make security updates separate from all other updates so users can just get the security bits.
Reminds me of the pending update to 1Password 7 that I keep declining because the change notes says all it does is adds a deprecation notice for 1password classic
I do this with git packages too. Sometimes I rely on something and the author then makes a move to go to a version 2.0 and ruin what I liked about the ux/ui or how the functionality behaved. I have a few privately forked packages now where I bugfix certain components alongside the author, but keep other legacy components, and even add my own functionality and behavior to my own needs.
Of course, in a world of walled gardens versus git repos, none of this very powerful use of ideas and computation can be done. I can't go to the Apple app store and easily cobble together my own franken app from what I find there. It's like a step back for innovation for our species when we set up these stupid profit seeking moats and gardens.
Ben Franklin on automatic updates: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
This quote never made sense to me. My decision to prefer one of these over the other doesn't mean I don't deserve either. It's a decision I make with my own unique economic and threat parameters. Being "deserving" plays no role here.
Morals are about behaving right or wrong because that leads to good things or bad things, so, if you make the wrong choice (here, giving up some liberty for a small amount of safety) then you do indeed deserve what you get - neither - because you chose wrong.
Ye it doesn't make sense. These rule of thumbs need the implied "too much" in them from the get go, or people will use them to silly extremes in the wrong ways. That applies all too well to programmers.
The quote actually meant something rather different than people think and has been taken out of context.
Here's a discussion about it[0].
First, here's the TL;DR:
SIEGEL: So far from being a pro-privacy quotation, if anything, it's a pro-taxation and pro-defense spending quotation.
WITTES: It is a quotation that defends the authority of a legislature to govern in the interests of collective security. It means, in context, not quite the opposite of what it's almost always quoted as saying but much closer to the opposite than to the thing that people think it means.
And here's the detail, discussed just before the TL;DR (I put in some paragraph breaks):
SIEGEL: And what was the context of this remark?
WITTES: He was writing about a tax dispute between the Pennsylvania General Assembly and the family of the Penns, the proprietary family of the Pennsylvania colony who ruled it from afar.
And the legislature was trying to tax the Penn family lands to pay for frontier defense during the French and Indian War.
And the Penn family kept instructing the governor to veto.
Franklin felt that this was a great affront to the ability of the legislature to govern. And so he actually meant purchase a little temporary safety very literally. The Penn family was trying to give a lump sum of money in exchange for the General Assembly's acknowledging that it did not have the authority to tax it.
I don't think it's feasable to check the ownership before every update of every extension. Or what do you have in mind? Just delaying the update so there's at least a chance to catch the bad news?
It's not a problem with everything. Distributions tend to add editorial input here and try to do something they consider reasonable for their users, staking their own reputation on that without trying to pass it off to the component publisher.
For example, I doubt that Debian would would take an update from an upstream that is detrimental to their users. They would follow a friendlier fork first. Debian maintainers follow their users' interests first.
(I'm a Debian Developer)
Edit: and that means you can generally trust automatic updates on Debian.
This is why the push towards application sandboxing and distribution by the developers themselvs is IMO misguided.
I'd much rather have my applications run unrestricted but vetted and if neccessary patched by a trusted third party (the distro) than lock whatever dark patters and anti-features developers come up with into a box ... where it still has access to all interactions with that box.
In particular, I wouldn't trust a Firefox distributed by Mozilla without oversight but I still use the Firefox packaged by my distro.
> In particular, I wouldn't trust a Firefox distributed by Mozilla without oversight but I still use the Firefox packaged by my distro.
But in the case of something like Firefox, distros are barely vetting anything, and are reluctant to patch because such patching rapidly becomes unmaintainable. Most dependencies don't end up unbundled, either. So distribution Firefox packages are really external packages in distribution package clothing, more so than any other package, really.
This is why I want sandboxing anyway - because I understand the limits of what is practical.
And sandboxing and limiting interaction through well-defined interfaces is better for security anyway, because security vulnerabilities happen regardless, and sandboxing does provide some level of mitigation.
Finally, the distribution packaging model is insufficient for many users. Even if you are fine with it, most users want something newer than their distribution release, and we can see that they are prepared to give up security and system stability for it. This is a real need for these users, and sandboxed third party packaging mechanisms provide a real solution for them, even if you can manage without.
I think it's a particular problems with extensions because:
1. They usually mostly work in the background, don't need much interaction. It's almost like a built-in browser feature changing owners.
2. They are pretty difficult to find a business model for - as opposed to SaaS stuff and mobile apps, which people pay for rather commonly. So the choice is to a) Make no money b) Ask for donations (seems to only work if it's somewhat obnoxious) c) Make money in some creative (often shady) way d) Sell the thing.
Case in point -- I mortgaged my home with a local bank then without me knowing or being asked I became a Wells Fargo customer. At least you can uninstall the extensions :)
I strongly believe that selling ongoing loans to other companies should just be flat out illegal. You entered into a contract with your local bank, not Wells Fargo. It should not be legal any party in the contract to unilaterally rope the others into a contractual relationship with someone who was not involved.
I certainly don't remember all the terms of my mortgage, but surely there's a "we can resell your mortgage" provision in the terms that we bilaterally agreed to.
You are under no obligation to sign. They are under no obligation to accept a modified contract. Both sides can walk away. Both sides will be bummed, but the bank is likely to care a lot less.
These kind of libertarian explanations always conveniently neglect to mention any power imbalances between the parties. When called on it the response is usually just a less polite version of "oh well".
Actually it’s much easier than that, though not in the current interest rate environment: you just refinance, and likely save money along the way.
Note that your first mortgage in CA is nonrecourse, but a refinanced mortgage is not nonrecourse (meaning the lender can come after you personally if you end up underwater).
What would an alternative be in the case of a lender being sold? Force a balloon payment for the balance? It seems a better alternative to be able to transfer the loan like any other asset.
Why would it be unconscionable? I don’t understand why people would care if their loan is sold. My student loans have been sold a couple times and I didn’t mind. What’s the downside for the borrower?
Who owns the loan doesn't make a lot of difference, really, compared to who services the loan. But even still, you may not want to do business with some company for any number of reasons: maybe they treated you or someone you know poorly in the past; maybe you don't like how they do business; etc.
The loan servicer is more important --- some of them are terrible at their job and tend to misapply payments etc, causing extra work for the borrower.
Yes they can. I had a mortgage that was sold to Washington Mutual (no longer in business). They did an audit of my escrow account and sent me a check for $2000. I called and said this seems to be mistake. They said no. OK then. Two months later I get a notice from the county that the second half of property taxes was overdue.
WaMu pays after several phone calls. Then sends me a notice that my escrow account is $5000 in appears. So WaMu says that the 2000 was a mistake and I need to send that back, and that they are allowed to maintain an excess balance for taxes and insurance, so I need to send them another 3000 to bring the account current.
I refinanced with a different organization that week.
I was very happy to see them crater during the financial crisis.
You don't think another company coming in and demanding $3000 be paid early is changing the terms? Whatever you want to call it, it's bad. Even if it was authorized before, it's a very significant change to start demanding it. The practical terms have changed.
I assume every mortgage has terms to include funding an escrow account with the next ~12 +/- 6 months of property tax + insurance.
For sure, there is an adverse impact to a borrower who is not well versed in how mortgages work, but in terms of financial agreements, but unfortunately, the US does not punish financial companies for negligence in customer service.
> You don't think another company coming in and demanding $3000 be paid early is changing the terms?
No, because if (as here) the original mortgage contract included an escrow account, that contract surely allowed the mortgage holder to demand money to keep the escrow balance where they want it to be.
So no, they didn't change the terms of the mortgage contract.
When my mortgage was sold to a big bank I started getting charged a fee for "prepayment" (basically I'd do another payment against the principal once a year or when I had extra cash, which was a non-issue before the sale).
Refinanced with a local CU and stayed with them ever since.
> A lender cannot assess a prepayment penalty unless the penalty was included in the original terms of the loan.
> According to the Federal Register, Dodd-Frank Act provisions “generally prohibit prepayment penalties except for certain fixed-rate qualified mortgages where the penalties satisfy certain restrictions and the creditor has offered the consumer an alternative loan without such penalties.”
> For lenders that do charge these penalties, prepayment penalties cannot be imposed after the first three years of the loan term.
> When my mortgage was sold to a big bank I started getting charged a fee for "prepayment"
Are you sure? Whether a mortgage has prepayment penalties or not is one of the things that is specifically declared in every mortgage contract I've ever seen. They can't just change it after the fact.
I think who you are doing business with matters a great deal even if the mortgage terms don't change. You're still being forced to do business with someone that perhaps you strongly object to doing business with.
The company matters just as much as the product or service.
Who you are doing business with can change even if the legal company is the same. Suppose an executive retires, and a new one wants to make their mark, perhaps by cutting costs.
This is why tools are always better than products or services. Your hammer in the drawer isn't going to one day update itself and change. Neither is some of the bash tooling that's been around for decades. And should these things change, you always have your old versions of these tools in your drawers and storage drives.
I was thinking about this is the food and personal products space. I dreamed up something like requiring some kind of notation to denote how many steps you are away from a parent company. Direct private companies with no parent would have no notation, once a parent company buys the company and its brands put a dot for every parent company above the company of the product you're now purchasing. Something to make this transfer visible.
I think the thing to do there is to require that the controlling owner of the brand be mentioned in non-tiny print near the most prominent mention of the brand.
I agree. I also don't think this is something that's formally solvable in the general case, at least not in a way that's practical for distracted and non-technical users.
Instead, this is the kind of thing that needs to be solved on the policy level: Google and Mozilla have an interest in maintaining high-quality extension ecosystems, and ought to take a dim view of these kinds of ownership transfers.
That's a different issue. I can still run many old versions of software even if new versions are put out by some evil entity I no longer trust. Unless the software auto-updates. In which case I no longer have the old version.
AFAIK, it is not easy (or maybe not possible) to opt out of extensions updates.
This is why people should be extremely cautious against self-modifying software (ie unattended autoupdate) - it grants remote code execution on your computer to remote parties.
As a corollary, any private information that a publicly owned company has is for sale (since the company could be bought or merge), and any information any company has can be force-sold during bankruptcy proceedings.
Any time a company has physical access to your data, and says they will not sell it, they are lying (unless it is privately held, and never takes on debt / pays after delivery).
In particular, EULAs and other contracts do not protect your information in the above situations, since debt and shareholder obligations generally come before customer obligations, and the data is considered an asset.
This is why people should be extremely cautious about becoming too attached to (or, worse, dependent on) any particular product or service. It can change ownership (and therefore policies) at any time.