One of the aims of the add-on manager changes in Firefox 4 was to move to automatically installing updates for add-ons for as many users as possible. I believe that these were the relevant main goals that we talked about during development:

• Allow add-ons to update seamlessly and silently by default
• Allow users to turn on and off automatically installing updates for all add-ons
• Allow users to turn off automatically installing updates for individual add-ons
• Automatically download metadata updates for installed add-ons
• Allow add-ons or users the ability to disable downloading metadata for installed add-ons
• Pass a list of the installed add-ons to the discovery pane
• Allow add-ons or users the ability to disable passing an add-on to the discovery pane

Currently Implemented for Firefox 4

These are the settings available to users and the effects they have on the various requests to AMO that can happen while Firefox is running.

Settings

With so many goals of customisability it is unsurprising that we ended up with a multitude of settings. There are 3 in primary UI and 2 further ones hidden in about:config, some are global and some are per-add-on. The settings are meant to control the following things:

• Whether a daily request is made to AMO asking for new version and compatibility information for an add-on (referred to here as the update check)
• Whether a new version of an add-on is automatically installed when detected
• Whether an add-on is included in the list of add-ons sent with the daily metadata request (referred to as the metadata check)
• Whether an add-on is included in the list of add-ons passed to the discover pane (this has ended up being a side effect of other settings)

The following are the settings that exist now and where to find them. Although there is a short discussion of each there is more meat in the following section where they are tied to the actual AMO requests. I've given each setting a number because the wording is so similar across them that it gets confusing to refer to them otherwise.

Automatically Check For Updates (1)

In Firefox's options (Firefox - Preferences or Edit - Preferences or Tools - Options) in the Advanced, Update section there is a tick box to control automatically checking for updates to add-ons. It controls whether background update checks are made. It has existed since before Firefox 1.0.

Update Add-ons Automatically (2)

In the utilities menu of the add-ons manager is an option "Update Add-ons Automatically". It globally controls whether detected updates for add-ons are automatically installed. It defaults to On.

Per Add-on Automatic Updates (3)

In the details view for a single add-on the setting "Automatic Updates" controls whether detected updates for that add-on are automatically installed. It can be either On, Off or Default (which is the default) in which case the value from (2) is used. In the rest of this document when this setting is referred to it refers to the conflation of this and setting (2).

Metadata cache (hidden) (4)

The preference extensions.getAddons.cache.enabled controls whether background metadata checks are made. It defaults to On.

Per Add-on Metadata cache (hidden) (5)

The preference extensions.%ID%.getAddons.cache.enabled controls whether an add-on appears in the background metadata check. It defaults to On.

AMO Requests

The following are the important requests made to AMO, all requests naturally include the IP of the user's computer.

Manual Update Check

A user may right click on an add-on and select Find Updates. This initiates a manual update check for that add-on. Equally selecting Check for Updates from the utilities menu initiates a manual update check for all add-ons. These behave the same. No setting controls whether the update check itself can happen as it is user initiated. If a new version is found and setting (3) is On then the new version is automatically installed, otherwise it is listed in the add-ons manager where the user can choose to install it.

The request includes the following information:

• Application making the request
  • ID
  • Version
• Add-on details
  • ID
  • Version
  • Compatibility
  • Status (whether it is disabled or blocklisted)
• Operating system
• Platform
• User's locale
• Reason for update check

Install Time Update Check

When a new add-on is installed an update check may be performed in order to check that the add-on is compatibility with Firefox. No settings control whether this check can happen and any new versions found are ignored.

The request contains the same information as the manual update check.

Background Update Check

If setting (1) is On then once a day Firefox will perform multiple update checks, one for every installed add-on. For any new versions found if setting (3) is On then the new version is automatically installed.

The request contains the same information as the manual update check.

Install Time Metadata Check

If setting (4) is On and setting (5) is On then when a new add-on is installed a metadata check will be performed for it.

The request includes the following information:

• Application making the request
  • Version
• Operating system
• User's locale
• Startup time metrics
• Add-on ID

Background Metadata Check

If setting (1) is On and setting (4) is On and at least one add-on has settings (3) and (5) On then once a day Firefox will perform a single metadata check for all add-ons with settings (3) and (5) On.

The request includes the same information as the install time metadata check however it includes all add-on IDs that have settings (3) and (5) On.

Discovery Pane

If the user visits the Get Add-ons section of the add-ons manager then a webpage is loaded from AMO that can display information and recommendations.

The request includes the following information:

• Application making the request
  • Version
• Operating system
• User's locale

If setting (1) is On the the following information is also included for every add-on that has setting (5) On:

• Name
• Version
• Type
• Whether it is disabled
• Whether it is compatible
• Whether it is blocklisted

Internal Inconsistencies

We really have 3 different reasons for wanting to control parts of the update process.

No Background Requests

Some users don't want any background requests to be performed ever. Setting (1) and to a lesser extent setting (4) really solve this across the board. The requests it doesn't affect are initiated by the user in some way that could reasonably be expected to cause network requests.

No Automatic Upgrades

Some users don't want automatic upgrades of add-ons. Setting (3) controls this although with more flexibility than is probably necessary.

Keep Installed Add-ons Private

Some users don't want to reveal to AMO what add-ons they have installed. To a lesser extent certain add-ons don't want to reveal to AMO that they are installed.

For blanket hiding of all add-ons from the requests there is the following:

• Setting (1) essentially hides all add-ons from the background update check, metadata check and the discovery pane request however the install time update check and install time metadata check don't obey this.
• Setting (4) hides all add-ons from the background metadata check and install time metadata checks.

The metadata checks and discovery requests send lists of add-ons and so users can potentially be more concerned about them so we seem to believe that users may want to keep automatic update checking but stop discovery and metadata requests. There is currently no setting that does that globally. bug 635115

For per-add-on controls there is the following:

• Nothing can hide a single add-on from the manual update check. bug 635108
• Nothing can hide a single add-on from the install time update check. bug 635108
• Nothing can hide a single add-on from the background update check. bug 635108
• Setting (5) will hide a single add-on from the install time metadata check.
• Settings (3) or (5) will hide a single add-on from the background metadata check.
• Setting (5) will hide a single add-on from the discovery request.

These last 3 are clearly inconsistent. It isn't clear to me any longer why setting (3) which is about whether to automatically install new versions of add-ons should be involved in the decision to include an add-on in the background metadata check. It was probably a mistake to involve it but I don't think a particularly problematic one.

I'm not sure whether individual users will be interested in hiding specific add-ons from the metadata checks and discovery request. If they do then they must go into about:config to do it. I'm not sure we need to do more there.

Privacy Policy Problems

The privacy policy contains a couple of factual errors around what the settings control.

Get Add-ons Page

Firefox sends certain information to Mozilla, including the list of add-ons you have installed, Firefox version information, and your IP address. This communication only happens when the Get Add-ons area is open and can be turned off at any time by opting out of Automatic Updates from the Add-ons Manager

This implies to me that turning Off Automatic Updates, setting (2), will not transmit the listed information. In fact this has no effect at all. Were we to implement something like bug 635115 then it would only prevent the list from being sent, the other information would still be included. Setting (1) does control this but we likely don't want to steer users to this.

Add-on Information

This communication includes the list of add-ons you have installed, Firefox version information, how long it took Firefox to start up, and your IP address. You can turn off this functionality at any time by opting out of Automatic Updates from the Add-ons Manager.

This implies to me that turning Off Automatic Updates, setting (2), will not transmit the listed information. This is currently correct because we included setting (3) in the background metadata check controls however as noted above I'm not sure that was the right thing to do. Again setting (1) does control this.

Potential Improvements for Firefox 4

The privacy policy almost certainly needs some tweaks but as well as that the main identified issue is that there is no simple means for a user to stop sending information about installed add-ons to AMO through the metadata checks and discovery request. bug 635115

We should change to the following:

• Setting (1) should turn off the following requests as they are background, non-user-initiated requests:
  • Background update check
  • Background metadata check
• Setting (4) should turn off the following as they potentially expose private information:
  • Background metadata check
  • Install time metadata check
  • Including add-ons in the discovery request
• Only setting (5) should control whether a single add-on is included in the background metadata check, install time metadata check and the discovery request