But I think you're mis-characterizing this specific instance of the blocklist ping as "covert, opt-out surveillance" and the arguably fairly readable privacy policy as "legalese small print".
For a long time, I didn't even know Thunderbird had a privacy policy, and I've been using it for years. Why would anyone expect software they installed locally to need one? Thunderbird is a mail client, so why would they expect it to send data to anyone other than e-mails to their chosen recipients? And even if they knew the privacy policy existed, did anything suggest to them that they might want to re-read that policy to find these changes when they were added? I assume the details were also on display in my local planning department in Alpha Centauri.
Incidentally, if you're reading this and thinking that I'm naive and/or over-reacting, you might want to stop and consider the company you're keeping. What other types of people use software that does things the user doesn't expect, collect data without advertising it, and make arguments about implied consent, the relevant disclosure being available somewhere hardly anyone will ever look, or how it's all done to improve the user's experience somehow? How many of those people do most of us like?
In any case, from both a practical and probably a legal perspective, anything that is not actively presented to a user is the electronic version of small print at best. You can rationalise this as much as you like, but the facts are:
1. Thunderbird is phoning home.
2. The user is not informed of this explicitly.
3. The user is certainly not actively giving their consent.
4. This still appears to be the case even if the user has explicitly opted out of sending telemetry when the software was first installed.
IMHO, any such policy is indefensible in 2015 if you want to be taken seriously as an organisation that protects privacy. This particular behaviour may be a minor infraction, but it's the general principle (and, frankly, your enthusiasm for defending it) that is of greater concern.
Edit:
the risk to the user of rogue plugins/extensions was and continues to be serious. (Plugins probably more than extensions; Thunderbird tends to pick up all the plugins that Firefox would see and most adware/malware implementors seemed otherwise unconcerned with Thunderbird.)
WTF??!! Thunderbird is apparently automatically running a whole bunch of plug-ins that I only installed for Firefox and have long ago set (in Firefox) not to run automatically, or in some cases that I didn't even voluntarily install at all. None of these things have any business being in any sort of e-mail client at all. When and how the [multiple expletives deleted] did this happen? I thought you (generic 'you') were concerned about someone installing an extension that had a buggy update and caused a hang on start-up or something. The idea that someone could send, say, an HTML e-mail with something like Flash/Java/Silverlight embedded in it and have it run by default is moderately terrifying.
One thing that Thunderbird reports back to servers is telemetry usage, which helps provide feedback on whether or not rare charsets (e.g., VISCII) need to be supported or how much weight should be placed on implementation of, say, NTLM or GSSAPI.
Also, Thunderbird permits neither JavaScript nor plugins to run in emails. It does permit plugins in cases such as displaying an RSS feed inline.
My solution to the plug-in problem (not Thunderbird specific) is to not install Flash/Java RE/Silverlight on my machine at all. Not that that helps you here, but I do wonder why more people don't just remove such software.
As it happens, on the machine in question I have valid reasons for needing all of the above at times, hence their presence in Firefox but with activation on demand only.
But I have eight plug-ins installed in Thunderbird, and some of them I don't even know what they do. Why does Google need an update plug-in that I never requested or gave permission for to be installed in Firefox and Thunderbird?