To set the record straight once and for all and to prevent further unnecessary arguments with people who are convinced that I, as project lead, would not know about my own products, this post. Do with it what you will.
Let's go through the claims on that page, shall we?
This claim is based on a single thing that is not even the browser's fault, and has already been discussed with the responsible people and mitigated.Connects to a MASSIVE amount of trackers, and these requests can only be avoided on subsequent runs. Has geolocation, search suggestions, and auto-updates. Sends SSL certificates from the sites you visit. Together made 169 unsolicited requests upon my first run of it, but again, most of them can be avoided on subsequent runs.
If this is your first run of Pale Moon, it will automatically connect to its first run webpage (http://palemoon.org/firstrun.html), which in turn will make a bunch of requests for location-aware Google Ads.
Pale Moon's start page
By default, Pale Moon's start page is set to https://palemoon.start.me, and it will automatically make a connection to it upon its first run. That page will then (again) make a bunch of requests for various trackers
The claim that it "connects to a massive amount of trackers" is the fact that, for a short while, the start portal run by start.me was using a "real-time bidding" system for the single display ad on the start page (there to offset the costs of running the portal) which would connect to many different ad networks (which also does not equal trackers, by the way - most connections involved in such systems don't track anything; in fact they have to be minimal in content and executed fast or the bidding will be so not "real-time" that an ad is never served, which makes no money at all). I've already indicated this was undesirable to the people at start.me and they have replaced the RTB system with a much simpler and less intrusive dynamic-loading ad.
Now the real question is: does the browser doing what it is supposed to do (load a web page) make it spyware? Absolutely not. To suggest as much is displaying a rather critical lack of understanding of web software. it would be a different story if the browser code itself would be contacting all sorts of data collecting servers, but it is not -- so what is the big deal? Apparently, according to the author, we are not allowed to have any ads on either the default start page or the default landing page for new installations. So it then becomes... namecalling because we are still short on patrons to remove those ads or because this is actually more than a hobby to do as an aside to a paying job? Calling it "spyware" certainly won't get us more patrons, so in the end the article is actively harming our project. Thanks, dude. Really appreciate your support for FOSS.
The reality is that developing and hosting software costs money. If the software is free to use, then it has to be paid from somewhere. Now, this can either be hidden like the "big players" do, collecting big data in the application itself and selling that, in the open like we do by having a display ad on the website/portal, be funded by donations that have consequences (and with that I mean e.g. the practice of big corporations "buying influence" in Open Source with large donations), or be funded completely by donations or other voluntary contributions without attached consequences. We are working on the latter option, but until we have enough donations we will have to pay for some things with ads because that is simply how a "free software economy" works.
First off, we do not hard-block NoScript (and this has been discussed at length on the forum already), we do not prevent other blocking extensions either, and we are certainly not "actively working against the interests of our privacy-concerned users" just because we are soft-blocking a known-problematic extension that will cause issues even including browser crashes. So this is yet another claim that is false, where the author is taking an exception and presenting it as the rule just to try and press the point and support the extremely negative bias in the article.Blocking privacy-enhancing addons
Pale Moon blocks privacy enhancing addons like noscript, citing this rationale for blocking such an imporant addon: "NoScript is known to cause severe issues with a large (and growing) number of websites. Unless finely tuned for every website visited, NoScript will cause display issues and functional issues. " So, it looks like Pale Moon's developers are actively working against the intrests of its privacy-concerned users, and would rather allow websites to execute malicious ECMAScript programs on unsuspecting user's machines, than to be blamed for a broken website. To disable this blocklist, set extensions.blocklist.enabled to false in about:config.
So, automatically updating lists of malicious extensions (no quotes around malicious) and other extensions and plugins with known stability and/or security issues, pro-actively keeping users protected also between browser releases, is making the browser "spyware"?Auto-updates
Pale Moon will automatically update itself, addons and search engines, as well as its blocklist.xml file with the addons it considers "malicious". Some of these can be turned off from the GUI, and some only from about:config.
Search suggestions from a privacy-respecting search engine are considered bad. Please explain this one to me. If you agree with the search engine selection for being privacy-respecting, why would you strike down against search suggestions from that very same engine? You either trust the provider or you don't - that's not context-dependent.Search Suggestions
The default search engine is the privacy-respecting DuckDuckGo, however search suggestions are enabled by default, which could send a request for every letter you've typed, all while you think it stays in-browser until you press Enter. Can be turned off by right-clicking the search bar.
... completely false. It does not. It uses ip-api.com and has so for many years, with a simple get request containing only public information (your public IP address as part of the standard HTTP packet) and only requesting the minimum response needed for geolocation. On top, websites can never request this without explicit user consent.Geolocation
Pale Moon connects to Mozilla's geolocation services.
Once again false! Checking the validity in most cases does not necessitate sending anything to a third party.OCSP querying
Will automatically check every site's SSL certificate to see if it is valid, which necessitates sending it to a third party. Can be turned off from the GUI.
OCSP querying is almost always done by checking a stapled OCSP response, which does not contact OCSP servers directly and therefore does not send anything to a third party. Even if it does, what is sent to an OCSP server is only public certificate data to check if a certificate has been revoked or not. This is a normal, essential part of checking the authentication and security of connections to secure servers.
So, all in all there are a lot of things in the article that are plainly wrong, and other parts of the article are taking a very, very biased and peculiar stance towards what is just normal practice.
P.S.: Want the ads to go away? Become a patron! If we reach the necessary monthly goal, they will be removed.