Marshall Erwin, Director of Trust and Security at Mozilla

Rapid Fire: Marshall Erwin talks trust and security at Mozilla and Firefox

Trust is something you can grasp, but you can’t hold. Trust is as intangible as the pixels, bytes and data that occupy our digital lives, yet it’s core to the health and safety of our online relationships. For the last four years, Marshall Erwin has led trust and security at Mozilla, ensuring that the organization protects the privacy and security of its users and employees through its programs, initiatives and products like Firefox. While those decisions involve a close partnership with our engineering and product teams, the bottom line is that when it comes to actions related to trust and risk at Mozilla, Marshall is always at the table.

I caught up with Marshall about the state of online security, his years working on national security and which gymnastic event was his specialty.

~   ~ ~   ~

I have to say, you’re the first Director of Trust and Security I’ve ever met. Have you run into other heads of trust?
Yes, a lot of other companies have them. The truth is, trust is a very important concept for Mozilla, but across the industry it is not always a positive term because other companies will use it in a way that is sort of euphemistic. They might say “Look we’re going to vacuum up all your data, but you can trust us with it. Don’t worry.” So when you meet someone who is director of trust and security, that might be what they’re up to. And that is definitely not the approach that we take at Mozilla and Firefox.

What does trust mean at Mozilla?
Trust is a broader concept than security. Trust is essentially the idea that Mozilla has your back. Over time, we have made a set of decisions that not only protect your security on a day-to-day basis but also demonstrate that we are worthy of people’s trust and show that we are a responsible company where you can have trust in our products and want to use them. We have a set of data privacy principles to guide us, and you can have trust that if we collect your data we’re not going to abuse it.

I read you have expertise in intelligence and counterterrorism. Can you tell me more about that?
I spent roughly the first five years of my career in the CIA’s counterterrorism center. There’s a unique element to the job in the counterterrorism center where I got to support our operational work, helping to find members of al-Qaeda, for example, and understanding the threats that they posed. At the same time I would get to do things like write briefings for the president or actually brief the president, and do what we would describe as more analytic work. Overall it was an awesome experience. I really enjoyed my time there. It’s a pretty unique institution that I learned a lot from, where I was able to contribute to our security in a different way than I am today.

Which president did you work with?
Mostly President Bush. I left the agency around the time that Obama was coming into office, so a few of my written briefings may have gone to President Obama, but the vast majority went to President Bush. And I once briefed President Bush verbally, which was a really unique and strange experience in the Oval Office.

Were you actually in the Oval Office?
Just once. That briefing went well, but I don’t have a very crisp memory of it because mostly I was in awe that I was in the Oval Office.

What are you most excited about at Firefox right now?
Recently we’ve been talking about Firefox being a more opinionated browser, and what that’s going to mean in practice over the next year is releasing a bunch of really important privacy and security features that actively protect people from some of the malicious things that threaten them online. One that we’ve been public about and started testing last month is our Firefox Monitor service, which will notify people when they’ve been implicated in a breach.

What is one thing you do to protect yourself online?
There are plenty of things that we could all do, but the one tip that I tell everyone is to use a password manager. I use a password manager, and I think that overall the internet would be a more secure place if everyone used a password manager. I have my parents who are not technically sophisticated using a password manager, so that’s always my first point of advice.

Given your area of expertise, what do you consider to be a security issue that people should be thinking more about today?
I’ll tell you what I’ve been thinking about over the last year, and especially since the Cambridge Analytica scandal, is that the diversity of companies or parties that you interact with online every day that are fundamentally not trustworthy but you trust them anyway. When I go online I’m not a fearful internet browser. I’m not paranoid, and I don’t encourage people to be paranoid or fearful when they go on the internet, but I do encourage people to really think and be explicit about what companies and parties they are engaging with and why they think they’re trustworthy. That is the ecosystem problem we face right now — that diversity of actors online who maybe you trust but you shouldn’t and if you thought just a little more about why you are trusting them with your data or your security, you might be better off.

Security aside, what digital tool is essential to your daily life?
Putting security entirely aside, the one thing I consistently use is my podcast app. I listen to national security or technology podcasts for an hour or two every day.

What are some favorites?
The National Security Law podcast or the Lawfare podcast are two that I listen to regularly.

How do you like to disconnect?
I have two kids — a three year old and a one year old — so that’s actually how I spend a lot of my time. But writing would be what I try to do. If I’m really trying to disconnect, I write fiction. Short stories mostly. I have one draft novel sitting in my desk somewhere that I would love to get published at some point. It’s about my time in the counterterrorism center in the mid-2000s.

Ok, let’s get to some rapid fire questions. What’s a typical breakfast?
Coffee.

Cats or dogs?
Dogs. I don’t trust a lot of people online, and I don’t trust people with cats.

Android or iOS?
iOS.

Where do you get your news?
Online. The New York Times or Washington Post.

Walk, bike or drive?
Walk, typically, or drive if I really can’t walk.

Regarding books, do you go for audio, digital or print?
Typically print, if I really want to disconnect. I process better with paper.

What’s the last internet find you shared with someone?
I’m not a big social tool person online. Every once in a while I’ll read Twitter and tweet. I’ve never been a Facebook user.

When it comes to GIFs, hard or soft G?
It’s a hard G.

What’s something about yourself that people would be surprised to know?
I was a competitive gymnast from about age 10 to 25, first in the lower school, middle school and high school, then all the way through college and then a year after college.

What was your favorite event?
It was definitely the rings. I was “the ring guy” through college. I was OK at the pommel horse, and I was really good at the rings.

~   ~  ~   ~

Marshall is too modest about his gymnastic accomplishments. A three-time national champion of the rings, he also bested Bam Bam the orangutan in a dead hang challenge.

~   ~  ~   ~

8/15 update: I asked Marshall a late follow-up question:

Your previous experience with the CIA must raise some eyebrows. Why did you move from an agency that isn’t known for transparency and openness to working for Mozilla?

That’s a fair question for people to have, although it’s counterintuitive to me personally because both roles focus on protecting people from the threats that we all face. I understand that people don’t agree with things the CIA has done. In fact, I don’t agree with some of the things CIA has done. I think it’s healthy to work for organizations with which you sometimes disagree. But I’m proud of the work I did to protect people from al-Qaeda. Today though, the most serious risks we face, as individuals and society, are digital threats.

There are very few organizations as committed and as well positioned as Mozilla to address that risk. That’s why I work here.

You asked specifically about transparency. Sure, transparency is important at Mozilla. But the key thing to understand is why it is so important for a company like us. Transparency isn’t just an abstract principle we stand behind. It is the foundation of the trust model we have with our user. You can verify in our code that what we say is true. You don’t have to take our word for it when we say we are protecting you.


4 comments on “Rapid Fire: Marshall Erwin talks trust and security at Mozilla and Firefox”

  1. GP SINGH wrote on

    In today’s web, security is the most needed thing, and privacy also matters a lot when you are open to the whole world.

  2. European wrote on

    Is it true that Firefox plans to make all DNS queries from all users worldwide available to his former employer via Cloudflare and a national security letter?

    1. M.J. Kelly wrote on

      No, but maybe you want to read up here: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

  3. kybernetes77 wrote on

    Thanks for the link, so everyone can verify that the correct answer is actually yes.