Being social with privacy in mind

Tom Lowenthal

People really enjoy social features that help them connect with others. To offer these features, social networks often end up collecting lots of personal info, and their users don’t always understand the tradeoffs involved. We want to offer social features in Firefox, but user privacy is fundamental to Mozilla’s DNA: it’s not something we can sacrifice. Given that, we’ve set out to find a way to combine these two aspects and enable an experience that folks can enjoy, safely.

With our latest beta, we’ve started testing a new social API right inside Firefox. This API provides an open, Web-based infrastructure that allows users to connect Firefox with their favorite social networks, creating an experience that’s social, still feels like Firefox, and most importantly still respects our privacy principles. The first implementer of our new social API is Facebook, and we expect many more implementations in the coming months.

One of the social API’s key requirements is that data is only sent to a social network when the user wants to send it. The new social features are completely opt-in and are disabled until you visit a social network site and decide to turn things on. Once enabled, Firefox loads several pages from your social network over secure connections. These pages are treated just as if you’d loaded them in another browser tab. They share cookies and other data like normal but they don’t get any special treatment or additional data from Firefox, nor are any part of your social activities sent to Mozilla. Facebook, for example, will know that you’ve turned on the feature and loaded the pages, just as if you had visited pages on the main site.

There’s a slight difference however. With the new API, social content is now persistent so the social network can add new features, like notifications, status updates and chat requests, even when you don’t have a browser tab open to their website. This new functionality doesn’t give your social network access to any additional information from your browser. Again: it’s a lot like having a tab open to your social network.

One of our favorite privacy-supporting features in the social API is the recommend button. Many websites add buttons that let you share content with your friends on social networks. When a site does this, those social networks can track which of their users visit those web pages. If we add this functionality in Firefox instead, you can still interact with your social network and share pages, but without the opportunity for tracking by all those social networks. It also allows you to share pages even if that page doesn’t include social sharing widgets. The recommend button in the URL bar — for Facebook, it’s a Like button — only sends the page’s URL to your social network when you click on it.

The Social API lets networks create an experience distinctive to the way people interact with them, using their own design and features, and without sacrificing user control or privacy. This is only a first step; we’ll be continuing to look at more features that enable new functionality from social providers while improving users’ choice, control and privacy.

The next phase of the Collusion project

David Ascher

Last week, I had the privilege of hosting a great meeting focused on the next phase of the Collusion project. With generous support from the Ford Foundation, we’re tackling a significant next phase in Collusion’s evolution.

First, a bit of background. Collusion started off as an experimental add-on for Firefox by Atul Varma, in his quest to understand how cookies and tracking actually worked on the web. Since that initial version, Collusion has evolved into a popular and influential tool, and sparked a broader research effort. With hundreds of thousands of users, it’s helped us teach a lot of people about the web. A Collusion presentation by Mozilla CEO Gary Kovacs is now one of the 50 most-watched TED talks of all time. Collusion has also been forked, with ports to Chrome and Safari from Disconnect.me.

Like many Mozilla projects, Collusion’s progress depends on contributions from staff, partners, and volunteers. In this particular case, we have an interesting collection of people who will contribute in distinctive ways, from coding to visualization to infrastructure and metrics. Also, like all Mozilla projects, this effort is open to participation by others, as I’ll mention in more detail below.

Over the next year or so, we agreed to dig in and take our research and the Collusion add-on forward in a few significant ways.

First, we realize that the user experience of Collusion needs refining and evolution. The current add-on is most compelling in the context of a demo or a tutorial, and could include a good deal more storytelling and explaining than it does today. Second, the visualization of the connected graph that makes Collusion so compelling needs some tweaks, both in terms of scaling to larger graphs and presentation/visual design.

We also realize that the current add-on experience often surprises users with what they learn about third-party tracking on the web, but gives them little in the way of actionable next steps to take. The point of Collusion isn’t to “freak people out,” but allow them to understand tracking, control how they’re being tracked, and lead to a better Internet experience for all. We have yet to define the details of all those next steps, but some of them seem fairly clear.

Understanding that there are different kinds of uses of shared third-party HTTP requests (which is what Collusion tracks) is another important goal for our research. Some of them are fully in line with users’ desires and intents, and some are not. We need to let users figure out which requests they want and which they’d rather avoid.

Critically, gaining a better understanding of how requests are used will help make Collusion useful for publishers as well as users. Most publishers do have their visitors’ interests at heart, and constantly optimize their sites to deliver a better experience. Hopefully, Collusion will provide them with signals when their visitors don’t understand or appreciate the third-party services deployed. Collusion could also provide useful market feedback to third parties and help them bridge the current divide with users, becoming more than silent parties to online experiences.

Much of this will start with letting users choose to contribute to a crowd-sourced data set about tracking on the web. As with the Test Pilot project, we will build a system that lets Collusion users contribute to a rich data set about the web as experienced by everyday users, fostering a better understanding of today’s web by researchers, users, policymakers and industry.

I’m excited to be part of this effort, which could have meaningful impact on a broad set of actors — in part because we’ll be relying on input from a diverse set of perspectives, from designers and artists who will help us build further compelling visualizations of the data that we collect, to privacy researchers who will help us ask better questions of our data.

In the next few weeks, we’ll set up the “heartbeat” bits of the project — a weekly call, IRC channel, mailing lists, etc. If you’re interested in participating, check out the wiki page for details, or contact me directly.

Congratulations, Chrome Users

Alex Fowler

We’re glad to see that Google has taken the next step in their commitment to Do Not Track.

Now that all the major browsers have their DNT implementations well underway, it’s time for advertisers and publishers to do their part, including Google’s own ad folks. While some publishers like Twitter and the Associated Press respect users with DNT enabled, and many independent ad tech companies have done so, as well, there is not yet widespread support. Everyone will soon be able to express their tracking preference, so we eagerly look forward to the day when people can trust that their privacy choices will be honored as they browse the Web.

It’s also noteworthy that Google and Microsoft have decided to implement their own user interfaces for Do Not Track. Mozilla is currently working on the second release of Do Not Track within Firefox, and we remain the only mobile browser to support it. With all these different UI experiments, users have many good options for privacy in their browser of choice and we’ll be able to more quickly determine which approaches best meet users’ expectations.

Do Not Track: It’s the user’s voice that matters

Alex Fowler

Today, Microsoft announced a change in how it will be implementing Do Not Track (DNT) in Internet Explorer. In a pre-release version of IE10, Microsoft will automatically start sending a DNT header on behalf of its users to not be tracked by third parties across the Web.

We appreciate seeing Microsoft putting its full weight behind DNT, especially given Firefox was the lone browser supporting DNT just one year ago. This will make DNT more mainstream and bring more attention to the important issue of user control.

We look forward to learning more about Microsoft’s new DNT implementation, as well as its implications for the standards work currently underway. And for the Web community, we thought it would be helpful to share our position, as well as the consensus view of the W3C Tracking Protection Group, about how we believe DNT can be most effective.

At its foundation, DNT is intended to express an individual’s choice, or preference, to not be tracked. It’s important that the signal represents a choice made by the person behind the keyboard and not the software maker, because ultimately it’s not the browser being tracked, it’s the user. In the words of the W3C group, which is made up of leading consumer privacy groups and industry representatives including Microsoft:

“Key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.” (Tracking Preference Expression, W3C Editor’s Draft, 29 May 2012)

DNT is not an off switch for a particular technology, rather it is the expression of an individual user’s desire being reflected in code — and that’s what makes the feature great. Do Not Track transcends specific technology and gets to the heart of what matters: how a user’s browsing habits are used.

There are three different signals to consider in broadcasting the user’s preferences for tracking:

  1. User says they accept tracking
  2. User says they reject tracking
  3. User hasn’t chosen anything

Firefox defaults to state 3: we don’t know what the user wants, so we’re not sending any signals to servers. This causes the presence of the signal to mean more — the signal being sent should be the user’s choice, not ours. Therefore, Firefox doesn’t broadcast anything until our user has told us what to send.
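The three states above are what a site sees on the wire: an explicit “DNT: 1”, an explicit “DNT: 0”, or no header at all. The following added example (not Mozilla’s code; the sample requests are constructed) shows a server-side reading of the header that keeps the three states distinct, so that a missing header is recorded as “preference unknown” and is never silently folded into “accept”. The policy function takes the site’s own default for the unknown state as a parameter, because that default, not the header parsing, is where the opt-in question in this post lives.

```python
"""Server-side interpretation of the DNT request header.

Added example, not Mozilla code: maps a request's DNT header onto the
three preference states the post lists, treating a missing or malformed
header as "preference unknown" rather than as consent. The sample
requests are constructed.
"""
from enum import Enum


class TrackingPreference(Enum):
    ACCEPT = "accept"    # state 1: user says they accept tracking (DNT: 0)
    REJECT = "reject"    # state 2: user says they reject tracking (DNT: 1)
    UNKNOWN = "unknown"  # state 3: user has not chosen; no header is sent


def headers_from_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request head into a {name: value} dict.

    Header names are lower-cased because HTTP header names are
    case-insensitive; the request line is dropped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_dnt(headers: dict) -> TrackingPreference:
    """Decode the DNT header. Only "0" and "1" carry meaning; anything
    else (absent, empty, malformed) means the user expressed nothing."""
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "1":
        return TrackingPreference.REJECT
    if value == "0":
        return TrackingPreference.ACCEPT
    return TrackingPreference.UNKNOWN


def third_party_tracking_allowed(pref: TrackingPreference,
                                 default_when_unknown: bool = True) -> bool:
    """Policy decision for a cross-site tracker.

    An explicit reject always wins and an explicit accept always permits;
    the unknown state falls back to the site's own default, which the
    caller must choose deliberately.
    """
    if pref is TrackingPreference.REJECT:
        return False
    if pref is TrackingPreference.ACCEPT:
        return True
    return default_when_unknown


def preference_for(raw_request: bytes) -> TrackingPreference:
    return parse_dnt(headers_from_request(raw_request))


# Constructed sample requests to a hypothetical third-party host.
FIREFOX_DEFAULT = (b"GET /ad.js HTTP/1.1\r\nHost: ads.example\r\n"
                   b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n")
USER_OPTED_OUT = (b"GET /ad.js HTTP/1.1\r\nHost: ads.example\r\n"
                  b"DNT: 1\r\nUser-Agent: Mozilla/5.0 (constructed)\r\n\r\n")
USER_OPTED_IN = b"GET /ad.js HTTP/1.1\r\nHost: ads.example\r\ndnt: 0\r\n\r\n"
MALFORMED = b"GET /ad.js HTTP/1.1\r\nHost: ads.example\r\nDNT: yes\r\n\r\n"

if __name__ == "__main__":
    samples = [("Firefox default", FIREFOX_DEFAULT), ("opted out", USER_OPTED_OUT),
               ("opted in", USER_OPTED_IN), ("malformed", MALFORMED)]
    for label, req in samples:
        pref = preference_for(req)
        print(f"{label:16} -> {pref.value:8} track: {third_party_tracking_allowed(pref)}")
```

Note that the parser treats “DNT: yes” the same as no header: a value the specification does not define is not evidence of a choice in either direction.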

DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice.

We introduced DNT to do just that: to give users a voice and let them tell sites that they don’t want to be tracked. We did this before knowing exactly how sites and advertisers would respond, and we still believe this is the most effective way for DNT to work.

Update (5-June): We’ve received a few comments asking if we believe all privacy defaults should be about letting users decide, even when that approach leaves users vulnerable. The short answer is “no”; our approach to DNT should not be viewed as a broad policy statement that will apply to other privacy and security considerations — our choice of opt-in for DNT is specific to the way the DNT feature works.

In carefully weighing our approach for appropriate DNT defaults, we talked with many members of the Mozilla community, privacy and technical experts and our users. The DNT feature relies on representing each individual’s desire to web sites, something that requires each user to activate the feature. In fact, a number of academic studies have found that there are users interested in personalized services and content, including targeted ads, so they would not like to have the header sent for them by default. Taken together, we believe the right starting point for a DNT system is a default of preference unknown.

Sid Stamm & Alex Fowler

Do Not Track Gains More Support around the Web

Alex Fowler

Mozilla introduced the Do Not Track header last year to give users more control over online tracking by third parties. Since launching Do Not Track, we have seen increased industry support and user adoption of the feature. Today, we are hosting a Do Not Track event at Internet Week New York and are happy to announce new adoption statistics and industry support.

We’re excited that Twitter now supports Do Not Track and global user adoption rates continue to increase, which signifies a big step forward for Do Not Track and the Web.

Current adoption rates of Do Not Track are 8.6% for desktop users of Firefox and 19% for Firefox Mobile users and we see the highest percentage of users turning on Do Not Track in The Netherlands, France and the United States.*

We conducted a survey of more than 10,000 Firefox users representing 140 countries and we found some interesting results. The survey showed that 49% of users surveyed believe their privacy is respected more when Do Not Track is enabled, as opposed to only 12% who feel that way without the setting. Also, the survey found users’ trust increases for browsers, publishers and advertisers who support Do Not Track. We will share more details and specific survey results soon.

We brought the industry discussion about Do Not Track to this year’s Internet Week New York to raise awareness about Do Not Track and encourage the digital media community to begin to work with it today. Speakers included Ed Felten, the Chief Technologist at the Federal Trade Commission; Brad Burnham, Partner, Union Square Ventures; Aleecia McDonald, Co-Chair, W3C Tracking Protection Group; Matt Tengler, Senior Director, Product Management, Jumptap; David Norris, CEO, Bluecava; and Colin O’Malley, CSO, Evidon.

We’re pleased to continue to see many positive steps forward for the Web as Do Not Track gains momentum and adoption.

*Mozilla does not collect or store personal information about our users to determine these statistics

Do Not Track is for Email Too

Sid Stamm

The guiding principles behind Do Not Track aren’t just for web browsers and pages. Tracking happens in a variety of ways, including through email, so we’re putting Do Not Track into Thunderbird.

Email Tracking. Sometimes email messages you receive contain external images — images that need to be loaded from the web to display the entire content of the message. This includes pixel tags and clear gifs. When your mail client renders the message, it has to go fetch the images from the web using the same technologies as a web browser. The upshot is that when the email is drawn on your screen, a web server can learn that you opened the message; this is how email tracking works. By attaching a unique ID to the URL for the image, the server can also know which specific message caused the request — including to which email address the message was sent. Email marketing organizations often use this information to track which messages you read, which links in messages you click, and then provide more customized messages in the future.
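The mechanism just described is visible in the message source: an external image whose URL carries an opaque token, often sized 1×1 so it renders invisibly. The following added example (not Thunderbird’s code; the sample message and its hostnames are constructed) walks the img tags of an HTML message and reports which ones would report an open when rendered, with the reasons, so a client or filter can decide what to block. Every remote image can reveal an open; the size and token heuristics only raise confidence that the image exists for that purpose.

```python
"""Find remote-image tracking beacons in an HTML email.

Added example, not Thunderbird code. The message below is constructed;
the heuristics (tiny or hidden image, opaque identifier in the URL) are
one reasonable choice, not the only one.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _is_remote(src: str) -> bool:
    # cid: (attached) and data: (inline) images are rendered locally and
    # cannot report anything to a server.
    return urlparse(src).scheme.lower() in ("http", "https")


def _is_tiny_or_hidden(attrs: dict) -> bool:
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w in ("0", "1") and h in ("0", "1"))
            or "display:none" in style or "visibility:hidden" in style)


def _has_opaque_token(src: str, min_len: int = 16) -> bool:
    """True if a query value or path segment looks like a per-recipient id."""
    parsed = urlparse(src)
    for values in parse_qs(parsed.query).values():
        for v in values:
            if len(v) >= min_len and v.replace("-", "").replace("_", "").isalnum():
                return True
    for segment in parsed.path.split("/"):
        stem = segment.rsplit(".", 1)[0]
        if len(stem) >= min_len and stem.isalnum():
            return True
    return False


def find_tracking_images(html: str) -> list:
    """Return one finding per remote image, with the reasons it looks like a beacon."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if not _is_remote(src):
            continue
        reasons = []
        if _is_tiny_or_hidden(attrs):
            reasons.append("1x1 or hidden image")
        if _has_opaque_token(src):
            reasons.append("unique identifier in URL")
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample message: one attached logo, one 1x1 open beacon,
# one banner whose URL carries a recipient token, one inline data: image.
SAMPLE_EMAIL = """<html><body>
<p>Hello!</p>
<img src="cid:logo@mail.example" width="200" height="50">
<img src="https://track.example/open/3f9a8c2d1e7b4a60b5c1d2e3f4a5b6c7.gif" width="1" height="1">
<img src="https://img.example/banner.png?u=8d2c4a6b9e1f3a5c7b9d&m=campaign42" width="600">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
</body></html>"""

if __name__ == "__main__":
    for f in find_tracking_images(SAMPLE_EMAIL):
        print(f["src"], "->", ", ".join(f["reasons"]) or "remote image (open is visible to server)")
```

Blocking every remote image, which is the mail client’s usual “don’t load remote content” setting, defeats all of these; the DNT header is the complement for the case where the user chooses to load images anyway.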

How to enable Do Not Track in Thunderbird

Thunderbird Support. A little while ago, I landed a patch that will add Do Not Track support to Thunderbird 15. While that release is a number of weeks away, if you’re using the Daily builds of Thunderbird, you’ve got the feature in Security options. This means that when you open email messages sent by marketing firms, you can enable DNT in Thunderbird to let them know you don’t want to be tracked.

Next: Building Do Not Track into Thunderbird is just the first step. Next we will work with email marketing software providers to honor the DNT request. We’re reaching out to email industry leaders and introducing them to DNT and will keep you updated on what happens.

Rolling Out HTTPS Google search

Sid Stamm

Now in Aurora: Secure Google Searches are default. In Aurora when you search using the location bar, search box, or the right-click menu, your search will be sent to Google through a secure (HTTPS) connection. You won’t notice a difference in how you search, but your Google search suggestions and search results will be presented through a secure web site.

Enabling HTTPS for these searches shields our users from network infrastructure that may be gathering data about the users or modifying/censoring their search results. Additionally, using HTTPS helps providers like Google remove information from the referrer string. While Google users may expect Google to know what they are searching for, Firefox users may not be aware that these search terms are often transmitted to sites they visit when they click on items in the search results; enabling HTTPS search helps sites like Google strip this information from the HTTP referrer string, putting the user more in control of when and to whom their interests are shared.

Encrypting our users’ searches is our next step in giving users better control over their data online. Enabling HTTPS for Google searches helps Firefox users maintain better control over who sees the things they search for — queries that are often sensitive. We’re excited to see this improvement in our upcoming releases now that we, with Google’s help, have been able to provide our users a secure and responsive search.

Mozilla’s Identity Platform Finalist for Federal Support

Alex Fowler

Partnering with City of San Francisco and MacArthur-supported Youth Organizations to Jump Start a Vibrant Identity Ecosystem

Mozilla is one of 27 finalists selected to compete for $10 million in funding as part of the US government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). Our proposal brings together the City of San Francisco and participants in the MacArthur Foundation supported Digital Media Learning Competition to use Persona, our platform for trusted identity, as the basis for establishing, supporting, and seeding demand for a federated, secure, and dynamic identity ecosystem.

Mozilla wants to help make the Web better. We want the Internet to continue to drive creativity, education, and economic growth. And we want people to understand, shape and be in control as more and more of their lives go online.

Mozilla’s proposed pilot brings together multiple partners who reflect many of the more important roles people take on in their day-to-day lives online. From citizens accessing government sites and services, to consumers buying and using apps, and for parents providing their kids with access to educational content and learning tools, we believe Persona has huge potential to improve the log-in experience for millions of people.

“Forms are, unquestionably, the most common medium of information exchange between government and citizens,” says Jay Nath, Chief Innovation Officer for the City & County of San Francisco. “Working within a trusted identity framework would let citizens automatically populate forms with their information, let us increase the number of services available online, and even potentially allow residents to use us to vouch for their identity to other services. There are all sorts of efficiencies to be gained.”

“We’re working, through Open Badges and other programs, to build bridges between what kids are learning in school and out of school,” states Connie Yowell, the MacArthur Foundation’s Director of Education. “These links need to be based on a framework for secure identity that builds parents directly into the process and empowers kids to share information within trusted networks. Solving this problem will open up amazing opportunities around integrated and connected learning.”

We’re excited to have the City and County of San Francisco and a number of participants in the Digital Media Learning Competition, funded by the MacArthur Foundation, as partners in our NSTIC proposal.

Our Vision for User-centric Identity

Mozilla’s commitment to Persona is driven by a central tenet: that the web should answer to users. Online sites, services and apps offer tremendous value and potential, but they also make it easier for vendors to invade privacy, foster poor security practices by users, and present attractive targets for fraud.

We’re building Persona to help everyone benefit from online services while mitigating risk of misuse and abuse of user data.

Persona is designed around three core principles:

  1. Individuals should be in control of their personal data;
  2. Identity should be built on open standards, cross-platform and interoperable; and
  3. Identity should be federated: a diversity of Identity Platforms (IdPs) and Relying Parties (RPs) offering direct, anonymous, and pseudonymous certifications across public, private, and non-profit sector applications.

Through this pilot, Mozilla will work to address the remaining design, technical, legal, and business process barriers to widespread adoption and growth of trusted identity.

Persona is the Ideal Platform for an NSTIC Pilot

NSTIC is the Administration’s initiative to “improve upon the passwords currently used to log-in online” and to jump start “a vibrant marketplace that allows people to choose among multiple identity providers – both private and public – that would issue trusted credentials that prove identity.”

Mozilla, the City & County of San Francisco, and a consortium of major web sites serving the children’s market sponsored by the MacArthur Foundation will launch a pilot that “demonstrate[s] the feasibility of the Identity Ecosystem, via projects that link multiple sectors, including multiple Identity providers and relying parties.”

We’ll design, build, and pilot the technical architecture, business and legal framework, and public-facing functionality of integrated implementations that see people able to:

  • Support citizen-to-government interactions with the City & County of San Francisco;
  • Make app experiences seamless with support for trusted identity, tying apps directly to users, and making them available on any device; and
  • Help kids learn online with MacArthur-funded youth organizations via COPPA-compliant, trusted identity systems that increase protection for children online and make possible new and innovative learning experiences.

Mozilla’s proposal was selected out of 186 submissions. Final proposals are due in early May. We hope to be among the final five to eight organizations selected to begin work this Fall to build a standards-based identity infrastructure that is privacy preserving, trustworthy and scalable.

Zeroing in on DNT:1

Tom Lowenthal

In DC, sixty representatives from diverse groups sat together for three days this week and continued the hard work of defining a Do Not Track standard we can all live with. With contributors from the major web browser makers, many different industries, the privacy community, academia, and both the EU and US policy communities, this open process continues to be a meeting of the minds where everyone has a voice. We made great progress and it was fantastic to have so many smart people coming to consensus decisions at our fourth in-person meeting of the W3C Tracking Protection Working Group. After three days, we have two proposals with lots in common.

Tech Specs

We’re close to having a complete technical design for Do Not Track. We’re still working on a few details, but the major technical hurdles have been crossed, and very few points of disagreement remain. Here are the headlines:

  • We know how a site tells its users that it follows DNT, using a well known URI.
  • We’ve mapped out most of the JavaScript API that allows sites and users to talk about opt-ins and opt-outs.

First Parties

A first party is web content that users have meaningful interaction with. There can be multiple first parties on a page. For example, if you visit this page, you have meaningful interaction with Mozilla: we’re the place you’re trying to talk to. If we put a Facebook “Like” button on our page, Facebook would be third party unless you choose to interact with them by clicking the “Like” button. If you did, Facebook becomes a first party along with Mozilla. This approach is much better than definitions which expect only one first party per page, and require all first party webservers to have the same domain name. Best of all, it fits easily with the way that we actually use the web.

First parties don’t have to do much to honor a user’s privacy request. If you go to Amazon, we assume that you’re trying to interact with them. Do Not Track will not get in the way of you seeing personalised shopping suggestions or having things shipped to your address. To have so much latitude to use data without undue constraints, Amazon just has to do two things:

  1. They have to respond and promise to follow the W3C Recommendation for Do Not Track, and
  2. they mustn’t share your data with other people, or mix it with data from other sites.

First parties can outsource data processing if they want. If a site outsources analytics, that’s fine. They just have to make sure their analytics company keeps data about their users separate: no mixing data from lots of sites.

Third parties

Third parties are a remarkably simple concept: anyone who isn’t a first party or a user.

Anyone, first party or third, can use data without restriction as long as they make sure that it can’t be linked to a particular user. We discussed what you might need to do to make sure that data really can’t be linked back to someone. Some of the approaches were based on k-anonymity or estimates of uniqueness based on characteristics of users who do not have Do Not Track enabled.

It’s also fine to keep server logs for a brief time before they’re rotated out and processed, but this period needs to be short, and logs mustn’t be used for anything else during this period.
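The two paragraphs above describe one pipeline: raw logs are held briefly, reduced to a form that can’t be linked back to a person, and then discarded. The following added example (not the working group’s or Mozilla’s code; the log lines are constructed and the generalisation rules are one reasonable choice) runs that pipeline over combined-format access-log lines. It drops the fields that identify a person (full IP, referrer, query string), coarsens the rest (network prefix, hour, path section, browser family), then applies a k-anonymity check so that any record whose combination of quasi-identifiers is shared by fewer than k others is suppressed rather than released. Lines older than the raw-retention window are counted as overdue and excluded, since under the policy described they should already have been rotated out.

```python
"""Reduce raw access logs to an unlinkable release and verify k-anonymity.

Added example, not code from the W3C group or Mozilla. The log lines are
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
and the generalisation rules are one reasonable choice.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
QUASI_IDENTIFIERS = ("net", "hour", "ua")  # columns an attacker could join on


def ua_family(ua: str) -> str:
    """Collapse a User-Agent string to a coarse browser family."""
    for name in ("Firefox", "Chrome", "Safari", "MSIE"):  # Chrome before Safari
        if name in ua:
            return name
    return "other"


def generalize(rec: dict) -> dict:
    """Keep only coarsened fields; identifying ones are dropped entirely."""
    ip = ipaddress.ip_address(rec["ip"])
    prefix = 48 if ip.version == 6 else 24
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    ts = datetime.strptime(rec["ts"], TS_FORMAT)
    section = "/" + rec["path"].split("?")[0].strip("/").split("/")[0]
    return {"net": str(net), "hour": ts.strftime("%Y-%m-%dT%H"),
            "section": section, "ua": ua_family(rec["ua"]), "status": rec["status"]}


def k_anonymize(records: list, k: int):
    """Release only records whose quasi-identifier tuple occurs at least k times."""
    key = lambda r: tuple(r[q] for q in QUASI_IDENTIFIERS)
    groups = Counter(key(r) for r in records)
    released = [r for r in records if groups[key(r)] >= k]
    return released, len(records) - len(released)


def process_logs(raw: str, now: datetime, k: int = 3,
                 max_raw_age: timedelta = timedelta(days=7)) -> dict:
    parsed = overdue = 0
    generalized = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed += 1
        rec = m.groupdict()
        if now - datetime.strptime(rec["ts"], TS_FORMAT) > max_raw_age:
            overdue += 1  # should have been rotated out already; not processed
            continue
        generalized.append(generalize(rec))
    released, suppressed = k_anonymize(generalized, k)
    return {"parsed": parsed, "overdue": overdue,
            "suppressed": suppressed, "released": released}


# Constructed sample: three Firefox visits from one /24 in the same hour,
# one lone Safari search with a sensitive query, one month-old straggler.
RAW_LOG = """\
203.0.113.17 - - [05/Jan/2012:10:01:02 +0000] "GET /article/123?utm=a1 HTTP/1.1" 200 512 "https://news.example/" "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"
203.0.113.42 - - [05/Jan/2012:10:07:45 +0000] "GET /article/777 HTTP/1.1" 200 640 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0"
203.0.113.9 - - [05/Jan/2012:10:40:11 +0000] "GET /article/5 HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) Firefox/9.0"
198.51.100.200 - - [05/Jan/2012:10:42:00 +0000] "GET /search?q=rare+disease HTTP/1.1" 200 900 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0) AppleWebKit/534.46 Safari/7534.48.3"
203.0.113.77 - - [01/Dec/2011:09:00:00 +0000] "GET /article/2 HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"
"""
SAMPLE_NOW = datetime(2012, 1, 6, tzinfo=timezone.utc)


def run_sample(k: int = 3) -> dict:
    return process_logs(RAW_LOG, now=SAMPLE_NOW, k=k)


if __name__ == "__main__":
    result = run_sample()
    print({key: val for key, val in result.items() if key != "released"})
    for rec in result["released"]:
        print(rec)
```

The search line is the instructive case: even after its query string is dropped, its (network, hour, browser) combination is unique in this batch, so it is suppressed; with a larger batch it would join a group and be released in coarsened form.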

We agreed there are some things like security and fraud control which are so important that even businesses that have no interaction with users need to be able to do them. The web is the platform and we should be careful when tinkering with the engines that power it. We don’t want implementation of Do Not Track to harm the web, just make it safer.

Differences

Our two current proposals differ as to how “large” a party is. One proposal thinks of a party based on corporate ownership; the other makes decisions based on user expectations and branding. For many websites, this distinction makes no difference. However, for companies with many different unrelated brands this choice determines whether we think it’s more important to avoid costly implementations and restrictions for companies which currently share all their data between brands, or to avoid surprising users who have no idea how far their data can flow.

The group is split as to whether third parties can continue to use unique identifiers to enable those critical uses that are still allowed. For example, can third parties use unique identifiers to fight fraud and bill for ad impressions? How about for frequency capping to eliminate showing the same ad multiple times, even if that means knowing sites a user has visited where the ad displayed? We have more work to do here: how can we best support privacy without breaking business? We spent several hours talking through different possible approaches, from the purely technical to the purely administrative and everything in between.

At the end of the day

It’s incredibly exciting to be forging a path forward that everyone can live with. We still have work to do, and these remaining differences are not minor. But we may reach consensus decisions by coming to agreement on these two issues where we differ at the same time, and addressing them together. With all this rough consensus, we may have to start looking at some running code. Stay tuned!

Do Not Track goes mobile: Mozilla demos privacy preference at Mobile World Congress

Alex Fowler

As part of our week of exciting announcements for Mobile World Congress, Mozilla is demonstrating the world’s first implementation of Do Not Track for a mobile Web OS. We’re also presenting a mock-up of the new 3-state setting for Do Not Track, as envisioned by the W3C.

This comes on the heels of major announcements from the White House, the Digital Advertising Alliance and Google about growing support for the privacy feature pioneered by Mozilla to provide users more choice and control over Web tracking.

Imagining how privacy and security can be core requirements in designing a mobile platform from the ground up, our support for Do Not Track in Boot to Gecko highlights the importance of Do Not Track on mobile, as well as desktop, devices.

Why this matters

As more and more Internet users access the Web from mobile devices, a growing gap exists in users’ ability to communicate a preference not to be tracked across all the ways in which they use the Web. Gartner Research predicts that by next year more people will be accessing the Internet on their mobile devices than on their desktop computers.

Mozilla was the first major browser to provide its users with Do Not Track on desktop and mobile. Firefox for Android provides users with the ability to send the DNT header to websites visited via the browser, as well as to any third parties, just like they can send the header via desktop Firefox. As of February 26th, 18% of users of Firefox for Android had turned on DNT.

However, even if all the other native browsers on mobile followed our lead, there’d still be a gap where apps installed in mobile devices that include services from third parties, like advertisers and analytics, wouldn’t see the DNT header. To ensure that these parties also see users’ preferences not to be tracked, there needs to be a way to set the privacy preference at the OS level so apps can look for it.

How it works

Do Not Track can be enabled by accessing the preferences panel from a device running on Boot to Gecko. Just like in Firefox and Firefox for Android, the user scrolls to Do Not Track and turns the setting on (see illustration above). From that point forward, the device broadcasts the “DNT:1” header. Any Web sites visited by the user and all apps running on the device can see the header, including any third party services running on those sites or apps.

Take for example the case of one leading mobile advertising company, Jumptap, which announced last week that it supports Do Not Track. For Boot to Gecko users with DNT enabled, whether they visit a Web site via their mobile browser or run an app, with the ads in either case supplied by Jumptap, the company shows the user untargeted ads and records the user in its systems as opted out. Presumably, this would also be the case for companies like BlueCava that use device fingerprints to identify devices across sites and apps. BlueCava was one of the first to implement support for Do Not Track.

Next steps

Our implementation in Boot to Gecko is intended to demo how the privacy feature can work with apps and encourage others to try similar implementations. As we saw with desktop with IE, Safari and soon Chrome and Opera, we hope other mobile OS providers will join our efforts on Do Not Track for mobile. We plan to begin working with app developers, too, to provide support for the privacy header. We’ll begin by focusing efforts on contributors to Mozilla’s Marketplace, which we announced would open for app submissions soon. We’ll also look to develop best practices with other app platform operators, which recently agreed to a request from California’s Attorney General to do more on privacy.

Through our work with the W3C Tracking Protection Group we’ve also started working on a three-state Do Not Track setting. Today, Do Not Track is either “off” or “on.” This doesn’t satisfy all the use cases on the Web nor fit well with laws in Europe. The three-state setting for Do Not Track will consist of “no preference,” “do not track,” and “allow tracking.” Details for how these preferences will be presented to a user are still being worked out, and we hope these will present some good opportunities to work with other browsers and the advertising industry to finalize the UI for Do Not Track.

I’ll be discussing our thoughts on Do Not Track for mobile and other privacy and security considerations as a speaker on Thursday’s “Mobile and Privacy: Are they Mutually Exclusive” at Mobile World Congress. If you’re in Barcelona, please join us.