Telemetry and privacy issues with the browser #5947

Closed
3 of 4 tasks
muzzah opened this issue Mar 1, 2025 · 10 comments
Comments

muzzah commented Mar 1, 2025

Captchas

  • I have read the instructions.
  • I have searched existing issues and avoided creating duplicates.
  • I am not filing an enhancement request.

What happened?

There are multiple privacy and telemetry issues with this browser. Please see the discussion forum for people raising these issues.
It seems telemetry is very much still enabled (not just a "we missed some things" problem).

Can we please get an explanation since you prominently market this browser as privacy focused? The documentation also does not detail anything about what this browser does regarding things like fingerprinting.

Either be very transparent about what you do and how you do it or please refrain from saying you're privacy focused when it seems the browser is not.

Reproducible?

  • I have checked that this issue cannot be reproduced on Mozilla Firefox.

Version

1.8.2b

What platform are you seeing the problem on?

macOS - aarch64

Relevant log output if applicable

Member

mauro-balades commented Mar 1, 2025

Where did you see they are enabled? And what forum?

@mauro-balades
Member

Oh, you are talking about #5907?

Author

muzzah commented Mar 2, 2025

I'm not sure you have really helped alleviate concerns raised as per your reply in the discussion topic raised. I'd urge everyone to realise that even making failing connections to servers and not turning off all telemetry for a Firefox-based browser (now that Mozilla has openly admitted they sell your data https://news.ycombinator.com/item?id=43203096) does make your browser and data not private.

It is up to you to consider this issue closed rather than having an open discussion about how to improve the browser but it is clear that this browser is not private or zen in any way.


0Ky commented Mar 19, 2025

@mauro-balades What exactly is the verdict here? This is looking like a wontfix decision to me, as this issue is closed without any particular reasoning.

The current implementation of Zen Browser contains several privacy inconsistencies that contradict its marketing as a "privacy-focused browser". When first run, the browser attempts to communicate with various tracking and telemetry endpoints without user consent. There are several DNS queries made, including requests to domains that seem unnecessary and could potentially compromise user privacy. These domains include (but are not limited to):

incoming.telemetry.mozilla.org
location.services.mozilla.com
firefox.settings.services.mozilla.com
detectportal.firefox.com
merino.services.mozilla.com
push.services.mozilla.com
services.addons.mozilla.org
zen-browser.app
updates.zen-browser.app
example.org
ipv4only.arpa
www.google.com
s2.googleusercontent.com
calendar.google.com
trello.com
web.whatsapp.com
www.notion.so
www.youtube.com
github.githubassets.com
a.slack-edge.com
abs.twimg.com

I've noticed that when a DNS query fails, it falls back to requesting domains like support.mozilla.org and us-west1.prod.sumo.prod.webservices.mozgcp.net.

The current implementation fails to meet the bare minimum expectations to be even considered as a "privacy-focused" browser. There are some telemetry preferences which are not disabled by default, leading to telemetry requests being sent to Mozilla's servers, which seems contradictory to the idea of privacy.

The concern isn't specifically about Mozilla as the recipient (despite their recent change in business model toward ad-tech-driven revenue, as they removed the promise to never sell personal data), but rather about the principle of telemetry being enabled and collected without user knowledge or consent by default on a browser that explicitly markets itself as "privacy-focused".

When a Firefox fork like Zen Browser positions itself with statements like:

Zen is a privacy-focused browser that blocks trackers, ads, and other unwanted content while offering the best browsing experience!
Our Core Values: We are committed to making Zen the most ... privacy-focused browser out there.

Users would reasonably expect the following:

  • Decoupling from potentially problematic Mozilla services (Pocket, Firefox Sync, etc.)
  • All non-essential data collection to be disabled by default
  • No unsolicited connections with default options to third-party services
  • Independent search engine by default, since Google is known for collecting user data and monetizing it
  • Minimization of fingerprinting vectors that could be used to track users
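
One way to check the first-run claim above on your own network, as an added example that is not part of the original comment or the project's code: compare a resolver log taken before launch with one taken during an idle first run, and flag the new names against a watchlist. The dnsmasq-style log lines, client addresses and function names are constructed for illustration; the watchlist is a subset of the hosts listed in the comment.

```python
import re

# Subset of the hosts listed in the comment above; a name matches when it
# equals an entry or is a subdomain of one.
WATCHLIST = (
    "incoming.telemetry.mozilla.org",
    "merino.services.mozilla.com",
    "detectportal.firefox.com",
    "updates.zen-browser.app",
    "www.google.com",
)
# dnsmasq "log-queries" format: "... query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(\S+)\s+from\s+(\S+)")

def queried_names(log_text, client=None):
    """Set of lower-cased names queried, optionally limited to one client."""
    names = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and (client is None or m.group(2) == client):
            names.add(m.group(1).rstrip(".").lower())
    return names

def on_watchlist(name, watchlist=WATCHLIST):
    return any(name == w or name.endswith("." + w) for w in watchlist)

def first_run_report(baseline_log, capture_log, client=None):
    """Names seen only in the first-run capture, split by watchlist hit."""
    new = queried_names(capture_log, client) - queried_names(baseline_log, client)
    return {"flagged": sorted(n for n in new if on_watchlist(n)),
            "other": sorted(n for n in new if not on_watchlist(n))}

# Constructed sample logs (not captured from a real system).
BASELINE = "Mar 19 10:00:01 dnsmasq[812]: query[A] time.example.net from 192.168.1.20\n"
CAPTURE = """\
Mar 19 10:02:11 dnsmasq[812]: query[A] time.example.net from 192.168.1.20
Mar 19 10:02:12 dnsmasq[812]: query[A] incoming.telemetry.mozilla.org from 192.168.1.20
Mar 19 10:02:12 dnsmasq[812]: query[AAAA] incoming.telemetry.mozilla.org from 192.168.1.20
Mar 19 10:02:13 dnsmasq[812]: query[A] detectportal.firefox.com from 192.168.1.20
Mar 19 10:02:13 dnsmasq[812]: query[A] updates.zen-browser.app from 192.168.1.20
Mar 19 10:02:14 dnsmasq[812]: query[A] intranet.example.net from 192.168.1.20
Mar 19 10:02:15 dnsmasq[812]: query[A] www.google.com from 192.168.1.31
"""

if __name__ == "__main__":
    print(first_run_report(BASELINE, CAPTURE, client="192.168.1.20"))
```

Filtering by client keeps other machines on the same resolver out of the result; names in "other" are new but not on the watchlist and still need a manual look.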

Author

muzzah commented Mar 20, 2025

I'm not sure the maintainers are interested in a discussion on this topic. You can view other discussions that have occurred in the discussions section around telemetry and privacy. They also went nowhere so I would advise all those who come across this browser and issue to not make use of this browser for now if privacy is your main driver.


0Ky commented Mar 20, 2025

@muzzah Unfortunately, the Zen Browser dev team has demonstrated both an unwillingness to engage with legitimate privacy concerns and a worrying level of technical incompetence in handling default preferences that directly affect the browser's security.

The lack of basic browser security practices is clearly illustrated by the remote debugging backdoor issue. By enabling Remote Debugging by default while explicitly disabling connection prompts, the maintainer created a serious security vulnerability. This configuration change opened an attack vector that malicious actors could exploit for remote code execution.

Sadly, these fundamental security mistakes, combined with the dismissive attitude toward user privacy, are concerning issues that undermine my trust in the project as a whole. Users deserve a browser built with security and privacy as foundational principles, not as afterthoughts.
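
Both the telemetry preferences mentioned in the earlier comment and the remote-debugging configuration described in this one can be checked statically in a preferences file. The following added example (not code from the thread or from the Zen project) parses `pref(...)` lines and reports deviations; the preference names are real Firefox prefs, while the expected values, the function names and the sample file are assumptions of this example.

```python
import re

# Real Firefox pref names; the "expected" values are this example's
# assumption of a conservative default, not the project's stated policy.
EXPECTED = {
    "toolkit.telemetry.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "devtools.debugger.remote-enabled": False,
    "devtools.debugger.prompt-connection": True,
}
# pref(), user_pref(), defaultPref(), lockPref(); "//" comment lines are skipped.
PREF_RE = re.compile(
    r'^[ \t]*(?:user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE)

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List prefs that are set in the file and differ from EXPECTED."""
    prefs = parse_prefs(text)
    findings = [f"{name} = {prefs[name]!r}, expected {want!r}"
                for name, want in EXPECTED.items()
                if name in prefs and prefs[name] != want]
    # The combination described in the thread: debugging on, prompt off.
    if (prefs.get("devtools.debugger.remote-enabled") is True
            and prefs.get("devtools.debugger.prompt-connection") is False):
        findings.append("remote debugging enabled with connection prompt disabled")
    return findings

# Constructed sample, not taken from any Zen or Firefox release.
SAMPLE = """\
// pref("toolkit.telemetry.enabled", true);
pref("toolkit.telemetry.enabled", false);
pref("datareporting.healthreport.uploadEnabled", true);
pref("devtools.debugger.remote-enabled", true);
pref("devtools.debugger.prompt-connection", false);
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A pref that does not appear in the file is not reported, because the browser's built-in default applies and cannot be read from the file alone.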

@AshtakaOOf

> now that mozilla has openly admitted they sell your data https://news.ycombinator.com/item?id=43203096

This is a misinformed take that has been debunked.
I will not go in depth on that since I don't think it's needed, there are a lot of people that have explained it already on social media.

The domains listed are a legitimate issue, I won't ignore that.

In his last comment @0Ky has chosen to point out an old issue that had been peacefully resolved.
Think about it: Zen got so many users in such a short time window, the devs were pressured and had to work as fast as possible to fix issues, so there will be oversights of course.
The "backdoor" issue was fixed last year when Zen was booming... see #927 (comment)

> Sadly, these fundamental security mistakes

If anyone wants my opinion these comments by @0Ky are bordering on malicious, but that's my opinion.

Author

muzzah commented Mar 22, 2025

@AshtakaOOf I disagree strongly.

Here are some claims of this project

Image Image Image

I think the backdoor issue clearly shows the lack of experience of these maintainers of these projects and the way they respond to these issues raised is also concerning. The popularity of this project doesn't and should not take away from the fact that if you market something in a certain way, you need to live up to that expectation. Just because your product becomes popular does not remove the obligation from you to live up to what you promise. Oversights sure, but so many problems and ignoring legitimate concerns from people shows other intent. There is nothing malicious from myself or others here, I am a regular joe just like anyone concerned with privacy. If a product does not live up to its promises, is that my fault? It's the maintainers that should live up to the expectations they set out for themselves. It's their obligation, not ours. To be honest, it's people like yourself who lower the bar for standards that's part of the problem. Especially in this day and age when privacy is being lost.

What if Signal or WhatsApp turned out to lack e2e encryption after all its marketing? Should we just be thankful and accepting of such a fraudulent claim just because they grew so quickly? I don't think so. You build it the right way, then you have a right to claim that something is private or secure.

I don't know what social media posts you refer to (I don't use it) but the fact that Mozilla went from similarly privacy focused to selling data and running ads in the browser speaks otherwise. Again, we are accepting the bar being lowered so much that somehow we should be thankful to them for doing us a favor. Yeah, I don't think so.

Author

muzzah commented Mar 22, 2025

Just to add here, @mauro-balades or someone from the moderators of the Zen Browser subreddit removed a similar post on Reddit:
https://old.reddit.com/r/zen_browser/comments/1jh0k0y/psa_zen_had_a_backdoor_enabled_by_default/

This is the kind of response and suppression of information that is being raised here. It's very concerning. Rather than have an open discussion on this topic they just want to hide it yet still claim the browser is secure.

Member

mauro-balades commented Mar 22, 2025

We didn't remove them, Reddit removes bots automatically

Screenshot_2025-03-22-14-39-40-226_com.reddit.frontpage-edit.jpg

Sorry but I find it really difficult to read on 2 threads at the same time. Please just talk in #5907, thanks

@zen-browser zen-browser locked as too heated and limited conversation to collaborators Mar 22, 2025