Internet Users Deserve Equal Rating Not Zero Rating

The FCC announced on Friday, February 3, 2017, it is stopping a review into wireless carriers that exclude certain applications, such as their own video streaming services, from counting against a customer’s monthly data caps, a practice known as “zero rating.”

The Commission also barred nine companies from offering affordable internet access to low-income Americans, reversing a decision from the previous administration.

We at Mozilla believe, bringing all of the internet to all people and ensuring the internet remains an open and competitive ecosystem, is one of the great challenges of our day.

By encouraging harmful business practices to continue in the market and discouraging companies from offering subsidized access to poor Americans, today’s moves by the FCC are a significant step backward.

Internet users deserve equal rating not zero rating. Equal Rating solutions are free of discrimination, do not have gatekeepers, and do not allow for pay-for-play schemes.

Discussing online security and risk

We live so much of our lives online. Building a healthier internet is part of protecting our way of life, and is central to Mozilla’s mission. But we can’t protect the Internet alone – it’s a shared responsibility. Participating in conversations with all the stakeholders allows us to learn from others in the field and to share the Mozilla perspective.

In our ongoing efforts to make the internet safer, Firefox Security Lead Richard Barnes will be speaking on a panel at Stanford Law School’s February 2 event “Government Hacking: Assessing and Mitigating the Security Risk.” To attend in person, RSVP here. We’ll also recap it here on the blog.

This continues in the theme of several of the panels I participated in late last year. I discussed the future of cybersecurity and internet privacy with industry leaders late last year – see below to read excerpts and watch the videos, and let us know what you think!

As part of the Coalition for Cybersecurity Policy & Law, I went to a day-long symposium, “Cybersecurity Under the Next President.” I discussed the process by which the government decides if and when to disclose security vulnerabilities. This is known as the vulnerabilities equities process, or VEP, and it is an important part of Mozilla’s work toward a secure internet due to the lack of government transparency about its use.

On this panel, I spoke about reforms the government could take to improve the current vulnerabilities equities process. “In a perfect world I would like this process to be robust – and that may mean a legislative solution such that they have to undertake this process and they have to have certain interests at the table when they consider a given vulnerability. I want them to have a timeline and a process set out that helps us understand how long it takes to get from discovery or acquisition, to consideration to disclosure or nondisclosure. We want independent oversight and transparency to the process… into how it works and how the disclosure is handled. We want to make sure that civilian agencies whose mission is to create trust, secure the internet and secure the American people are involved and engaged in this process. Those steps would significantly increase trust. Making sure that everything goes through the Vulnerabilities Equities Process would be very helpful.”

Video from this panel can be found here.

The next day, I joined a panel of academics and policy experts at the Center for Internet and Society at Stanford Law to address how government and industry can work together to strengthen the process and discuss varied perspectives.

At this event, part of the series co-hosted by Mozilla, I joined experts to explain the biggest problems with the current vulnerabilities equities process. “It only sees a small fraction or some fraction of the vulnerabilities held by the government. Specifically as we move into a connected world – the internet of things – more agencies are going to come into contact with more exploits.”

That’s why Mozilla believes it’s essential for the government to codify the use of the vulnerabilities equities process. “If we can make this go across the government — make it broadly used, that would be a significant step forward. Of course we would have to adequately resource that.”

To watch the video of the panel, visit


Enabling Trust: The Difference Between Being Trusted and Trustworthy

We are getting ready for Data Privacy Day, and you are likely to hear the word “trust” come up often. When you give your data to a company, you are trusting that company to act responsibly with it. And because data powers so many of the products and services we use, that trust is critical to the modern internet. But there is also a negative side to the way we talk about trust and privacy. For me, when I hear the word trust, I think someone is trying to sell me something. I hear, “Give me your data and don’t ask too many questions.”

This gets to the difference between being a trusted company and being a trustworthy company. Many of the companies you engage with online ask for your trust without earning. You interact with them everyday but you can’t really tell whether they’ve got your back behind the scenes.  They don’t give you meaningful choices over your privacy. They are trusted but not necessarily trustworthy. At Mozilla we strive to be both. At Mozilla, every day is Data Privacy Day.

cyber superhero

Building trust with your users around their data doesn’t have to be complicated. But it does mean that you need to think about user privacy and security in every aspect of your product.

We do ask our users to give us their data. That data can help us improve Firefox and give us insight into the health of the internet in general. But we also encourage our users to ask questions, we give them tools to answer those questions, and we make it easy to turn off data collection if they don’t like the answers they find.

For example, a few month ago we launched our first Context Graph experiment, which collects data about how Firefox users browse the web. This can be some pretty sensitive stuff, which is why we asked our users to opt into the collect. The code for that experiment is publicly available, along with the practices that govern the data’s use and the code for analysis we conduct on the data. We’ve tried to put similar tools in place – clear notices, public code and public data documentation – for Test Pilot, our platform for testing and learning from experimental features in Firefox.

What these examples show is that our approach to privacy is actually rooted in our open source culture and commitment to transparency. Transparency is of course a big privacy buzzword, second only to trust. But at Mozilla it actually means something.

Our commitment to transparency is what allows our users to make informed choices about the data we collect. It is also what allows them to hold us accountable when we make mistakes. And to be clear, we do make mistakes. Privacy can be tricky and, despite efforts to the contrary, we do sometimes make the wrong decision about the best way to protect our users. When we make those mistakes, you will know and you will tell us. We think that is a good thing. It is what makes Mozilla more worthy of your trust.

Our responsibility as a technology company is to create secure platforms, build features that improve security, and empower people with education and resources to better protect their privacy and security. All of that starts with your ability to actually see and verify, through our code and our actions, that we’ve got your back.

Lean Data Practices: Helping Businesses and Developers be more Privacy Aware

Data Privacy Day is just around the corner. If you are a business or developer that handles user data, you should always be working to create a more trusted relationship with your users around their data.

Building trust with your users around their data doesn’t have to be complicated. But it does mean that you need to think about user privacy and security in every aspect of your product.

That’s why, last year, we introduced the first version of our Lean Data Practices to help any developer or company start to think holistically about the decisions they make with their data.  Lean Data Practices can help even the smallest companies to begin building user trust by fostering transparency and user control.

Lean Data Practices are simple (and even come with a toolkit to make them easy to implement):

  1. stay lean by focusing on data you need,
  2. build in security appropriate to the data you have and
  3. engage your users to help them understand how you use their data.


We use these Lean Data Practices as a starting point for all of our decisions about data along with our Data Privacy Principles. We do this because, at Mozilla, we strive to be both trusted and trustworthy. Mistrust created by even just a few companies can drive a negative cycle that can damage a whole ecosystem. We believe that as more companies and projects use Lean Data Practices, the better they will become at earning trust and, ultimately, the more trusted we will all become as an industry.

Based on all the great interest and feedback we’ve received in this past year, we’re working on new modules that help customize the Lean Data Practices for marketers, non-profits and more that we’ll share later this year.

Patent Rights should be balanced by Consumer Rights

What if you couldn’t sell your old car without getting a patent license? What if you couldn’t bring your smartphone into the US without the phone maker’s permission? It would be surprising, to say the least. There’s even a good chance you wouldn’t feel like you owned the products that you bought.

That’s not the world we want to see. That’s why, today, together with EFF, Public Knowledge and others, we filed a brief with the U.S. Supreme Court explaining how a legal theory called “patent exhaustion” is a necessary boundary to protect consumers and prevent the overstepping of patent law on user rights.

Patentquest cropThe parties in the case are the laser printer manufacturer Lexmark, which owns patents covering their toner cartridges, and a small company named Impression Products, which acquires used Lexmark cartridges and sells them refurbished. The Federal Circuit decided that Impression Products infringed Lexmark’s patents when it bought these used Lexmark toner cartridges, imported them into the U.S., and resold them. On first impression, the case may seem a bit esoteric. But, when you take a deeper look, this ruling contradicts well established law meant to protect consumers.

A patent is a legally sanctioned monopoly during which the patent owner can exclude all others from certain activities, including making, selling or importing the patented invention. An important limitation on these rights is that they end when a product is sold, a doctrine called “patent exhaustion” that has been recognized in the U.S. for almost 150 years.

Patent exhaustion enables all of us to use the products we buy without needing a separate patent license, including re-selling those items second-hand. This is significant because, without these limits, you could be prohibited from doing many of the things you have always been able to do with the products you own.

In a world where the things we buy (from cars to smartphones to toner cartridges) are increasingly dependent on technology and sometimes hundreds of thousands of patents, it’s even more important that patent law protects the rights of users to freely use the products they purchase.

Calling on the New U.S Presidential Administration to Make the Internet a Priority

A new U.S. Presidential Administration takes office today. While there are many serious issues to tackle and many hard-fought debates to commence, no matter what your political views are, I think one thing we can all agree on is the need for progress on the issues that impact internet users around the world.

So, I’ll make a short and sweet request to all U.S. policymakers, new and returning:


Please make the internet a priority.

What do we mean by that?

Protect and advance cybersecurity.

Many of the most critical issues that affect internet users are related to cybersecurity. It’s about more than just attacks and protecting nation states. Encryption, secure communications, government surveillance, lawful hacking, and even online privacy and data protection, at the end of the day, are fundamentally about securing data and protecting users. It’s about the importance and challenges of the day to day necessities of making systems secure and trustworthy for the internet as a global public resource.

We’ve talked about how protecting cybersecurity is a shared responsibility.  There is a need for governments, tech companies and users to work together on topics like encryption, security vulnerabilities and surveillance.  We want to help make that happen.  But we need this Administration to sign on and sign up to do it.

A bipartisan Congressional working group recently released a report that concluded encryption backdoors aren’t really necessary and can, in fact, be harmful. The report included questions about other important cybersecurity issues as well, including “lawful hacking” by governments and government disclosure of security vulnerabilities. We were encouraged by these recommendations, but we need to see more progress.

Promote innovation and accessibility.

No one owns the internet – it is all of ours to create, shape, and benefit from. And for the future of our society and our economy, we need to keep it that way – open and distributed.

The internet gives everyone a voice and creates a place for self expression and innovation. We need to keep the internet open and accessible to all.

We need to create pathways and partnerships for the public and private sectors to work together to make progress on challenging issues like net neutrality, copyright and patent policy. We can also create a space for innovation by investing more in, promoting and using open source software, which benefits not only technology but also everything it touches.

What Else?

I promised to keep it short and sweet, so these are just a few of the most important internet issues we need to work on, together.

The Obama Administration worked well with Mozilla and other companies, researchers and constituents to make progress in these areas. We were pleased to see the recent appointment of the nation’s first Federal Chief Information Security officer as part of the Cybersecurity National Action Plan. We hope this type of bi-partisan activity continues, to advance cybersecurity and internet health for all of us.

We’re calling on you, new and returning U.S. policymakers, to lead, and we stand ready to work with you. We make this ask of you because we’re not your average technology company. We do this as part of our role as the champions of internet health. Mozilla was founded with a mission to promote openness, innovation and opportunity online. We fight and advocate for that mission everyday to protect and advance the health of the internet, in addition to creating technology products and solutions to support our mission.

We know there are many policy challenges in front of you and many competing priorities to balance, but we can’t sit back and wait for another blow to internet health – we must work together to make the internet as strong as possible.

Continuing Advances in Patent Quality

Patent maths

As we have previously written, long term patent terms impede the short innovation cycle and continuous iteration of software development. Innovation is harmed by overbroad software patents that cover large swaths of general activity and create uncertainty as to litigation. That’s why Mozilla submitted written comments today to the U.S. Patent and Trademark Office explaining our belief that recent U.S. Supreme Court rulings on what is eligible for patent protection have resulted in improvements to patent quality.

Two years ago, the U.S. Supreme Court unanimously ruled in Alice Corp. Pty. Ltd. v. CLS Bank International that patent claims that merely require generic computer implementation of abstract ideas are not patentable inventions. This was an important step towards mitigating the negative effects that overbroad and poorly written software patents have had for software developers, and the Internet as a whole. As a result, other federal courts have invalidated many other broad and abstract software patents, and the USPTO has made efforts to better incorporate subject matter eligibility in their examination procedures. Companies have also improved the quality of their patent applications and are more selective in filing applications. Our USPTO comments reaffirmed our belief that Alice has had a positive effect on the industry and should continue to be integrated into USPTO procedures and case law. We believe this would be disrupted if Congress were to prematurely intervene by altering or rolling back court rulings on patent subject matter eligibility.

Our mission and work let us see first-hand how patents affect software development and innovation on the Open Web — from the software we write and ship, to our participation and collaboration on open standards. What’s more, our non-profit roots put us in a unique position to talk openly and candidly about patents. We are glad for the opportunity to provide this direct feedback to the USPTO on this very important subject for software developers, and open source projects everywhere.

Mozilla Comments on TRAI Free Data Recommendations

On December 19th, the Telecom Regulatory Authority of India (TRAI) released new recommendations on “Encouraging Data Usage in Rural Areas Through Provisioning of Free Data.” This is the latest salvo from the Indian regulator on what types of models for providing subsidized access to the internet should be permitted. While we have questions about how some of these recommendations will be implemented, we’re glad to see TRAI continuing to uphold the Data Services Regulation and interested to see how two new innovations in providing access envisioned in these recommendations will be developed.

In February 2016, in its landmark Data Services Regulation, TRAI ruled that differential pricing practices (including many zero rating models) were too harmful to consumers and competition to be allowed in the market. Yet, according to the latest figures from TRAI, only 376 million of India’s 1.25 billion strong population are connected to the internet, clearly much work remains in the shared challenge to bring everyone online. To that end, TRAI’s Free Data consultation this summer contemplated additional, alternative models that might help bring all of the internet to all Indians. These latest recommendations are based on the feedback from that consultation.

In many respects, TRAI’s guidance follows the recommendations that Mozilla and other partners made in our submissions. TRAI rightfully notes that: “Systems that make free data a feasible model for all content and ISPs, and available to the maximum addressable consumer market, are clearly the more desirable,” and adds: “any scheme for the provision of free data should meet certain basic criteria… that it should not be possible for a TSP/ISP to use discriminatory pricing of certain data content as a service differentiator.”

TRAI also struck down “toll free models” which would allow a content/edge provider to subsidize the cost of accessing their website/service, and which was on of the models considered in the Free Data consultation. TRAI argued, as Mozilla and others did in our submissions, that this model would entail the same discriminatory effects as zero rating/differential pricing.

TRAI’s recommendations also include discussion of two models for providing free data. In the first, free data will be provided by third party aggregators which are “TSP agnostic,” (i.e., the aggregator does not have a relationship with any individual telecommunications company). Notably, TRAI requires that the activities of the aggregators “should not be designed to circumvent the Prohibition of Discriminatory Tariffs for Data Services Regulations.” While it’s unclear how the aggregator model will work in practice, and what companies would have an incentive to offer such a service, this explicit prohibition on circumventing the ban on differential pricing should be a strong bulwark against harms to users and competition. Moreover, we’re generally supportive of additional competition in the market for internet access, which often helps to drive down prices and provide additional benefits for users.

In the second model, TRAI recommends the creation of a scheme to provide 100 MB a month to rural users for up to six months to be paid for by India’s Universal Service Obligation Fund. This is very similar to the Klif phone model Mozilla pioneered with Orange in several sub-Saharan Africa and Middle Eastern markets whereby the user gets unlimited voice, SMS, and 500 MB of data per month (for 3-6 months depending on the market). As we have long said, if the argument is that “if one gives users a taste of the internet then they will demand the full internet,” that taste should be of the full, open internet, not just some parts of it. Moreover, while 100MB may seem paltry, both generally and in comparison to our Klif offering, TRAI cites a Cisco study stating that the average Indian typically uses 150MB per month.

This scheme does, however, raise certain privacy and data protection concerns, especially as this benefit will likely be tied to Aadhaar, the Government of India’s national biometric identity database. We’re sympathetic to the need to prevent double dipping, but users should never have to choose between their privacy and access to the internet. These concerns point to the need for comprehensive privacy legislation in India, which, as we’ve argued before, we believe should be a national policy priority.

While questions remain about how both of these schemes will be implemented, if everyone in India and beyond is going to come online, then further innovations and new thinking will certainly be needed. To this end, Mozilla has been working through our Equal Rating Innovation Challenge to spur new innovation to provide affordable access and cultivate digital literacy. More information about the Challenge is available at:

Bipartisan Congressional Group Confirms Encryption Backdoors Are Unnecessary

The bipartisan Congressional Encryption Working Group just released an end of year report after spending much of the last year looking into the decades-long encryption debate – and have squarely refuted the idea that weakening encryption is necessary to protect people.

The working group was formed after several high-profile cases where law enforcement asked for additional access to consumer devices, citing howe “the widespread adoption of encryption poses a real challenge to the law enforcement community and strong encryption is essential to both individual privacy and national security.”

We’ve talked about how protecting cybersecurity is a shared responsibility and we see increased need for governments, tech companies and users to work together on topics like encryption, security vulnerabilities and surveillance – as Denelle notes in her blog post here.

The report refutes the idea that encryption backdoors are a necessary (or good) solution and argues against laws that would mandate weakening encryption – saying that “any measure that weakens encryption works against the national interest.” The report acknowledges the profound impact that encryption has on law enforcement investigations and the “going dark” phenomenon, but cautions that there is no “one-size-fits-all” solution to the encryption challenge.

Four key observations are highlighted for the next Congress as they work on encryption related matters:

  • Any measure that weakens encryption works against the national interest.
  • Encryption technology is a global technology that is widely and increasingly available around the world. (it’s free and often open source)
  • The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the “going dark” phenomenon, and therefore there is no “one-size-fits-all” solution to the encryption challenge.
  • Congress should foster cooperation between the law enforcement community and technology companies.

The Encryption Working Group also called for additional inquiry into topics including lawful hacking and the Vulnerabilities Equities Process (VEP), two areas that Mozilla has been advocating for reform to add transparency and accountability measures. The report said “stakeholders expressed concern that a legal hacking regime creates the wrong incentives for government agencies that should be working with private companies to patch vulnerabilities and improve cybersecurity” and the report included questions about the existing Vulnerability Equities Process (VEP) and how Congress might formalize it.

While we are encouraged by the Encryption Working Group report, it has findings and recommendations that are not currently binding. So, we will continue to work with legislators, tech companies and internet users to bring more education, awareness and advocacy for the protection of encryption and cybersecurity. We look forward to working with the next administration, Congress and government law enforcement agencies on protecting cybersecurity and national security.

The Invisible Patents in Your Holiday Shopping Cart

Despite the amount of technology in a shiny new smartphone, it’s hard not to feel a bit of sticker shock when buying one. Here’s something that may be even more shocking: as much as one third of what you paid for that new smartphone goes not for hardware but to pay patent royalties to companies you may not have even heard of.

This holiday season, we invite you to spend a few minutes getting to know the invisible patents buried in that new device.

The average smartphone is tied to almost 250,000 patents from hundreds of companies. Royalties for these patents contribute to, on average, roughly 30% of the price of a smartphone.


For a historical comparison, in 2002, the license costs built into the price of a DVD player only made up around 10% of its total price.


When you dig deeper into each component in a smartphone, you quickly see how these costs can start to add up. In some instances, the royalty cost dramatically outstrips the price of the component itself. For an extreme example, the materials and manufacturing costs of each WiFi chip tallies a few dollars while the combined licensing fees are over $50.


So, what’s the lesson here? In some industries, patents can positively influence the advancement of technology and research when those patents provide incentives for innovation. At the same time, patents can have a major impact on users’ pocketbooks. Equally important, the costs of patents and threat of patent suits can significantly impact start-ups and other smaller innovators that may need to pony up sums only affordable to big companies simply to create basic competitive products.

This is why Mozilla is working on identifying and reducing the negative effects of the patent system on innovation. From our legal initiatives to our work on open patent strategies and groundbreaking collaborations around royalty free standards we work hard to help keep the next generation of technologies open and innovative.

We hope that the next time you hold a new smartphone, marveling at both the technology and the cost, you’ll understand a bit more about what went into its price and what it takes to make the “Next Big Thing”.

The Smartphone Royalty Stack
Software Patents and the Return of Functional Claiming
CNet — DVD players no longer go it alone
EETimes — Taiwan joins Chinese effort on proprietary DVD format

Download a pdf of the charts.