One scar away from losing access to your ability to pay …

Biometrics can not really be changed. Except maybe through time or trauma (i.e. age or injury). They can be used to uniquely(?) identify a person - except maybe twins - at the expense of anonymity, which has it’s own set of problems.

But because they can not easily be changed they’re a terrible security feature. Once they leak, they’re unusable and you’re hosed. You can’t issue a new palm print for your bank account like you could a new chip card and password.

Also, just because you waved your hand over a scanner does not mean that you approve and consent of the transaction. With tap to pay there were ideas of mobile point of sales devices just tapping on peoples backpacks in a crowded area. You don’t even keep your biometrics markers in your pocket, they’re just out in the open for anyone with a camera. This may be bordering on paranoia, but a few years back (2014) German hackers from Chaos Computer Club took iris scans from Angela Merkel (then Chancellor of Germany) and finger prints of Ursula von der Leyen (then Minister of defense) using nothing but press fotos. Cameras have only gotten better.

TL;DR: Biometrics can be used for identification but should never be used for authorisation.

Why you should care?

Because the debate is not about whether or not you have something to hide.

It’s about your right to consent. You should have the right to say no. And you should have the right to change your mind for any reason. You should have the right to regain control of who can store, access or process your data.

Depending on where you live you may have such rights, or you may not. And the political debate is about granting, strengthening, weakening or revoking these rights. And you should care about having these rights, whether you use them or not.

You should absolutely have web environment integrity. Your browser should not allow the website to do things that you don’t approve of, so the integrity of your computer can be ensured.

Wait, that’s not what they mean, is it? Oh no … 🙄

Yea, I feel like Google has this a bit backwards. As always, I like to turn the metaphor on it’s head. You’re not visiting a website, you’re inviting a website. You’re allowing the website to use your system resources, bandwidth, CPU cycles, etc. And what you do with your own system is none of the websites business. They can protect their business model on the server side, if they need to. But maybe they just need better business models.

I don’t mean some obscure about:config setting. I want it to show me some indication (doesn’t have to be a popup, those have their own set of issues) that tells me “Firefox blocked x extension on this site [enable it]” - like they do for popup windows that have been blocked.

They have a knowledgebase article explaining why …

… that doesn’t explain why. Yes it explains the technical mechanism by which extensions can be blocked, but no explanation why this feature is even there. There’s just a sentence about “various reasons, including security considerations.”

I think it would help if they explained some of those “various reasons”, maybe with an example. Then I might even agree that those are situations where that might improve the user experience. Or the security.

But I would absolutely demand a transparent process for how, why and by who these decisions get made. And possibly a way to enable the extension regardless - you open a page, an extension is blocked, you get a notification explaining why and giving you an override option.

Part of me wants to believe that this is just very poorly communicated. Mozilla has been doing this for a while, for example extensions don’t work on addons.mozilla.org or any of the about: pages. And that seems reasonable to me. But I also don’t like the thought of mozilla policing what a user is or isn’t allowed to do.