
1. Any data collection at all deanonymizes the user, cf panopticlick.

2. Frankly even opt-out is not acceptable. I can't recommend any software that periodically asks users for data access, since there exist non-technical users who have a nonzero chance of clicking yes to everything. If they are related to me in some way this compromises my privacy also.



1. Any data collection at all deanonymizes the user, cf panopticlick.

This isn't true. Panopticlick collects a ton of data about your browser that this proposal will not. There has been a lot of research done in this area and we know how to collect anonymous datasets. https://arxiv.org/abs/1407.6981
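A worked illustration of the point made in this reply, added here as an example and not part of the thread or of the linked paper: the classic randomized-response mechanism, in which each report is individually deniable yet the aggregate is recoverable. The population, the probability names and the seed are constructed for the demonstration.

```python
import math
import random


def randomized_response(true_bit: bool, p_truth: float, rng: random.Random) -> bool:
    """One user's report: keep the true answer with probability p_truth,
    otherwise answer with a fair coin. The collector cannot tell which
    branch was taken, so any single report is plausibly deniable."""
    if rng.random() < p_truth:
        return true_bit
    return rng.random() < 0.5


def epsilon_for(p_truth: float) -> float:
    """Differential-privacy loss of one report: ln of the likelihood ratio
    between the two possible true values. p_truth=0 gives epsilon=0."""
    return math.log((1 + p_truth) / (1 - p_truth))


def estimate_true_fraction(reported_fraction: float, p_truth: float) -> float:
    """Invert the perturbation over the aggregate. A report is 1 with
    probability (1-p)/2 + p*f where f is the true fraction, so solve for f.
    Unbiased for the population even though no single report is reliable."""
    return (reported_fraction - (1 - p_truth) / 2) / p_truth


def simulate(n_users: int, true_fraction: float, p_truth: float, seed: int = 0) -> float:
    """Constructed population with a hidden boolean attribute; returns the
    collector's estimate of the true fraction from perturbed reports only."""
    rng = random.Random(seed)
    population = [i < int(n_users * true_fraction) for i in range(n_users)]
    reports = [randomized_response(b, p_truth, rng) for b in population]
    reported = sum(reports) / n_users
    return estimate_true_fraction(reported, p_truth)


if __name__ == "__main__":
    p = 0.5
    print(f"epsilon per report at p_truth={p}: {epsilon_for(p):.3f}")
    print(f"estimated fraction: {simulate(20000, 0.3, p):.3f} (true: 0.300)")
```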


Look at it from a security-conscious user's perspective: I would have to verify that:

1. The concept is sound.
2. It is implemented as described.
3. It is implemented with no bugs.
4. Mozilla is trustworthy.
5. Any third parties Mozilla involves in this process are also trustworthy.
6. All of the above will remain true.

Doing this would take a tremendous amount of both time and expertise, if even possible. If every piece of software I use makes me do this every year or so, I would get nothing else done.

In practical terms, your argument is no better than just saying, 'trust us, we're good for it', regardless of the merits of your tech. And we know Mozilla baked Google Analytics into FF's addon page, so trust is in short supply.


Except if you actually read and understood the link, points #1, 4, 5 aren't a concern. Moreover, points #2, 3, and 6 apply to just about every piece of software used.


What percentage of FF users on the planet do you expect could read a paper on differential privacy and actually verify those points, while understanding all the ifs and gotchas, and be able to tell if any of the arguments are wrong? What percentage of that elite group would actually be willing to devote the time and energy, for free, for every one of the thousands of pieces of software they use?


Not many, certainly. Which is perhaps why it's better for this to be implemented (since differential privacy is a known, rigorous definition for privacy), rather than to leave it up to the larger majority of users who (by your implication) don't understand it and won't be bothered to understand it.


...or you could just scrap the whole idea and not bother with it.

This is true for the user, too. If the only viable choices are 'verify claims at great cost and no gain every few months', or 'use some other privacy-respecting browser', I am going to recommend the second.



