Mozilla speaks out on French intelligence bill

Jochai Ben-Avie


Since Snowden, we have seen increasing government conversations about the appropriate limits of surveillance. Some states have sought to restrict their own access to information, and others have focused on restricting access from other governments. Generally, we like this focus and support these kinds of efforts. However, we are deeply concerned about recent reports about an intelligence bill currently being negotiated in France. The French government is rushing this proposal through Parliament, with little to no consultation of key stakeholders, and the actual provisions under discussion seem to be changing often.

The proposals that have been made public — including those allowing for bulk collection of metadata, automated algorithmic analysis of user communications, and efforts to weaken encryption — threaten Internet infrastructure, user privacy, and data security. Not only are we concerned about the content of these proposals, but given our own commitment to openness, we are equally concerned by the manner in which this legislation is being developed. Secrecy and closed door discussions rarely create strong legislation.

While the specific provisions continue to change in this fast-moving political environment, Mozilla joins numerous French institutions, businesses, and civil society organizations in expressing deep concern about the proposals being put forward by the French government. In particular, we would oppose any law that:

  • Allows for pervasive monitoring of user communications, metadata, and Web activity. We believe that this is an inherently disproportionate violation of user privacy and fractures the trust that underlies the open Internet;
  • Undermines the strength of or the ability to use encryption. The world depends on encryption to ensure the security and privacy of communications and commerce;
  • Fails to include adequate privacy, due process, transparency, and judicial oversight safeguards or permits unnecessary data retention.

We are particularly concerned about proposals to place so-called black boxes in the infrastructure of communications providers to conduct algorithmic surveillance. This proposal effectively forces companies to permit government monitoring of all of their users’ online activity for a secret set of “suspicious” patterns of behavior.

Mozilla urges the French government to have a fully informed debate around this proposed bill. In particular, we urge consideration of the technical impacts on Internet infrastructure and user security. At a time when privacy and security are increasingly recognized as mutually reinforcing, the French government seems to be pitting these values against each other, at the risk of diminishing both.

Open Source Software and the Patent System

Denelle Dixon-Thayer


As we’ve highlighted in the past, we believe that the software patent system is challenging for open source software development.

Because of the short innovation cycle and continuous iteration of software development, long patent terms impede the rapidly iterative processes that sustain the pace of software innovation. The “FUD” (fear, uncertainty and doubt) caused by software patents in a rapidly innovating space can cause everyone, particularly open source projects, to be frustrated (for an example, one of many, look at Google’s and Microsoft’s open codec attempts to see this in action).

The problem has several aspects. First, overworked patent offices have led to the issuance of many non-innovative (and therefore at least partially invalid) software patents (some commentators have suggested this may be 38% of software patents). The number of patent applications only continues to grow, exacerbating this problem. Secondly, patent examiners who are strapped for time and resources mainly look to filings in the patent office itself as evidence of whether a patent claim is novel. Unfortunately, this makes it hard to adequately evaluate new software patent applications and identify relevant prior art — especially when the prior art is located in open source repositories and wikis, outside of patent office filings. This landscape has allowed software patent applicants to successfully claim software functions without worrying about open source precedents that would otherwise invalidate their patents, and sometimes even without any meaningful limitation to a particular system or purpose. Finally, once a patent is issued, it is very hard to invalidate. It can be at least two to four times the cost to invalidate a bad patent, even in the case where prior art is clear.

The threat posed by the growing pervasiveness of these types of overbroad and vague software patents is the shroud of FUD they cast over emerging and innovative technologies. It can feel impossible to know whether you are infringing someone else’s software patent, which can slow or frustrate innovation.  Aggressive patent litigation and settlement strategies have also created an atmosphere of FUD for the purpose of damaging open alternatives to proprietary products. Additionally, patent trolls have added uncertainty to open development by aggressively suing based on patent portfolios that allegedly cover foundational software technology. It is sadly ironic that much of the increasing costs of software patent issues are being borne by innovators themselves, including those in the open source community — the very individuals the patent system was supposed to incentivize.

Many of us (including the EFF, Engine Advocacy, Open Invention Network, and, to name a few) have addressed the issue in various ways. Each of these tactics has led to changes in the way we think about the issue, as well as chipping away at various parts of the problem. As Mozilla, we need to do something different that leverages our position in the ecosystem as an open innovator. We have been thinking about this issue and, over the next few weeks, we’ll be working towards a Mozilla contribution to addressing the software patent problem. If you have thoughts about things we could do, we’d love to hear from you as well.

Stop mass surveillance under the PATRIOT Act

Jochai Ben-Avie


The U.S. Congress will soon decide whether to reauthorize one of the government’s most notorious mass surveillance programs. On June 1st, three sections of the PATRIOT Act are set to expire, giving us a rare opportunity to push for reforms that will protect our privacy while also keeping us safe.

One of the provisions up for review, Section 215, has been used by the National Security Agency (NSA) to collect all call records of nearly everyone in the United States. For every call you make, the details of who you called, when you called, and for how long the call lasted — an incredibly detailed map of your private life — are all indiscriminately gathered by the NSA on an ongoing, daily basis.

Today, Mozilla is launching a campaign to enable our community to send a clear message to Congress: rein in the NSA and stop mass surveillance.

We believe keeping us safe shouldn’t have to cost us our privacy. That’s why we’re pushing for Congress to significantly reform these parts of the PATRIOT Act. Take action now!

Mozilla’s Position on Surveillance Reform

Mozilla is launching this campaign because our mission calls us to do so. The fourth principle of Mozilla’s Manifesto states: “Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.” There’s a long list of reforms and regulations we think are needed to improve user security, privacy, and trust — things like closing government backdoors, ensuring strong encryption, putting in place stronger oversight and accountability, and improving preventative security practices. Today, we have an opportunity to begin the long road toward reform by pushing Congress to rein in one of the worst abuses of the NSA. More specifically, we want Congress to adopt:

  1. A strict ban on bulk collection activities under Section 215 of the PATRIOT Act, as well as Section 214 Pen Register/Trap and Trace authorities;
  2. Sufficient transparency reporting in order to be able to tell if bulk or mass surveillance is occurring (this could include a blend of corporate transparency reporting, government transparency reporting, and declassification of Foreign Intelligence Surveillance Court opinions);
  3. No new data retention mandates; and
  4. No new secret surveillance authorities, powers, or programs.

It’s been nearly two years since the Snowden revelations began, and yet Congress has not passed any meaningful reform of the NSA’s sweeping, untargeted collection of our private information. Click here to join us in demanding that Congress rein in these mass surveillance programs.

Want to learn more? Here are some FAQ:


Say no to data retention in surveillance reform

Chris Riley


Despite nearly two years of revelations about the scope and scale of government surveillance practices, and the ensuing damage to user trust, security, and privacy, the U.S. Congress continues to delay passing meaningful reforms.

The current surveillance authority under discussion is Section 215 of the USA PATRIOT Act, which has been used to authorize mass surveillance by the NSA, including for all phone metadata. This law expires June 1, and must not be renewed as it stands today.

Our bottom line for this round of surveillance reform in the United States includes four key elements, without which user trust will continue to suffer:

  1. A strict ban on bulk collection;
  2. Sufficient transparency to be able to tell if bulk collection or mass surveillance is occurring, including declassification of Foreign Intelligence Surveillance Court opinions;
  3. No new data retention mandates; and
  4. No new surveillance authorities, powers, or programs.

One of the most contentious topics in the current legislative debate is whether to include mandatory data retention as part of Section 215 reauthorization and reform. The theory behind this “compromise” is that, when direct bulk collection by the U.S. government is eliminated, if telecommunications companies are not required to retain data, then some bits might be “lost” and not available for later law enforcement or intelligence access.

This is not a compromise, but rather an exercise in misguided pragmatism. The expectation of total after-the-fact information awareness by the U.S. government of the intimate details of our conversations is at the core of negative reactions to overbroad surveillance regimes and harm to trust online. It is an unnecessary, and harmful, posture for any democratic government to take. Data retention mandates are not a missing piece of the long-term surveillance ecosystem; they are a bridge too far.

Once we accept the principle that the government has a right to force records to be held onto so they can effectively go into the past, where does that stop?  What’s the limit?  Or are we paving the way to a world where nothing can be deleted just in case the government might want to look at it? It’s not hard to see how such a limitless program would quickly move from telephone records to Internet companies.

As the nearly daily parade of data breaches makes clear, amassing the personal information of everyone in the United States exposes those data to breach, theft, misuse, and abuse. Data acquired are data at risk, and this threat to user security and privacy is not acceptable. As Foreign Intelligence Surveillance Court Judge Reggie Walton noted in a recent ruling, data retention by government “increases the risk that information about United States persons may be improperly used or disseminated,” in particular because “the great majority of these individuals have never been the subject of investigation” for intelligence purposes. These same risks apply to data retention by companies.

In addition to making troves of private user information vulnerable to malicious actors, requiring companies to hold user data longer than necessary for business purposes would create additional liability and risk. In general, storing data for longer than it’s useful for any purpose should be avoided. To do so in support of intrusive surveillance practices is even more harmful. What’s more, at a time when 91% of Americans say they feel they have lost control over their own data, mandatory data retention would preclude new privacy-maximizing business models.

Finally, when Congress was last considering reform of Section 215, Attorney General Holder and Director of National Intelligence Clapper wrote that mandatory data retention was unnecessary, stating that the version of the USA FREEDOM Act then under consideration, “will accommodate operational needs while providing appropriate privacy protections.” These statements are as true today as they were at the end of last year.

Mandatory data retention under Section 215 reauthorization, or in any other law, will further harm trust online and will compound security risks for users and associated economic costs for the future.

Chris Riley, Head of Public Policy
Jochai Ben-Avie, Internet Policy Manager

Promoting international norm development in cybersecurity

Jochai Ben-Avie


From hacks of some of the world’s largest corporations (think Target, Home Depot), to critical vulnerabilities in widely used open source software like Heartbleed and Shellshock, to connected carmakers being woefully unprepared to identify and mitigate attacks, to companies like Sony exercising bad security hygiene even after previously suffering a major attack, the challenges to securing the internet and those who use it have never seemed greater.

Yet, none of these examples or many of the other exploits that have dominated the public imagination in recent years align with traditional government cyber security paradigms. To contribute to developing a more informed public debate in this arena, the Freedom Online Coalition, a group of 26 countries publicly committed to supporting global internet freedom, set up a multistakeholder working group on an “Internet Free and Secure,” of which I’m a member.

In addition to ongoing efforts to map where cybersecurity policy discussions are happening (with an eye to facilitating greater multistakeholder involvement) and developing normative recommendations, the working group also publishes long-form blogs on pertinent issues. Click here to see the latest edition co-authored by Senior Policy Officer for Internet Freedom at the Dutch Ministry of Foreign Affairs Simone Halink and me. In the post, we discuss the Global Conference on Cyber Space (GCCS), the world’s largest interministerial meeting on cybersecurity, and explore how international policy debates on cybersecurity need to evolve and improve in order to meet today’s challenges. The GCCS is taking place April 16 and 17 in the Hague, and Senior Vice President for Business and Legal Affairs Denelle Dixon-Thayer and I will be there to represent Mozilla.

Read the full post here.

Information sharing debates continuing in problematic directions

Jochai Ben-Avie


Recently, the U.S. Senate Select Committee on Intelligence held a closed-door hearing to mark up the Cybersecurity Information Sharing Act (CISA). Mozilla has previously opposed CISA and its predecessor CISPA, and these changes do not alleviate our concerns. Simultaneously, in neighboring Canada, an aggressive counterterrorism bill would introduce similarly problematic surveillance provisions, among other harms.

But first, CISA. While the newly marked up version includes some improvements over the discussion draft circulated earlier this year, the substantive dangers remain. In particular, the bill:

  • Is still overbroad in scope, allowing near limitless sharing of private user data for a vague and expansive list of purposes that fall well outside the realm of cybersecurity;
  • Continues to require information to be automatically shared with “relevant agencies” including the NSA, which severely limits the power of the Department of Homeland Security (a civilian agency) to oversee information sharing practices and policies;
  • Allows for dangerous “defensive measures” (a rebranding of the previous version’s “countermeasures”) which could legitimize and permit “hacking back” in a manner that seriously harms the Internet; and
  • Provides blanket immunity for sharing private user information with still insufficient privacy safeguards, denying users both effective protection and remedy.

But the flaws of CISA are more than just the sum of its problematic provisions. The underlying paradigm of information sharing as a means to “detect and respond” or “detect and prevent” cybersecurity attacks lends itself more to advancing surveillance than to improving the security of the Web or its users. The primary threat we face is not a dearth of information shared with or by the government, but rather is often a lack of proactive, common sense security measures.

Moreover, data collected is data at risk, from the government’s failures to secure its own systems to the abuses revealed by the Snowden revelations. Putting more and more information into the hands of the government puts more user data in danger. Nevertheless, after passing the Senate Select Committee on Intelligence 14-1, CISA is scheduled to move to the full Senate floor imminently. This is a bad step forward for the future of the open Web.

Meanwhile in Canada, the Canadian Parliament is considering an even more concerning bill, C-51, the Anti-Terrorism Act of 2015. C-51 is sweeping in scope, including granting Canadian intelligence agencies CSIS and CSE new authority for offensive online attacks, as well as allowing these agencies to obtain significant amounts of information held by the Canadian government. The open-ended internal information-sharing exceptions contained in the bill erode the relationship between individuals and their government by removing the compartmentalization that allows Canadians to provide the government some of their most private information (for census, tax compliance, health services, and a range of other purposes) and trust that that information will be used for only its original purposes. This compartmentalization, currently a requirement of the Privacy Act, will not exist after Bill C-51 comes into force.

The Bill further empowers CSIS to take unspecified and open-ended “measures,” which may include the overt takedown of websites, attacks on Internet infrastructure, introduction of malware, and more, all without any judicial oversight. These kinds of attacks on the integrity and availability of the Web make us all less secure.

We hope that both the Canadian Parliament and the U.S. Congress will take the time to hear from users and experts before pushing any further with C-51 and CISA respectively. Both of these bills emphasize nearly unlimited information sharing, without adequate privacy safeguards, and alarmingly provide support for cyberattacks. This is an approach to cybersecurity that only serves to undermine user trust, threaten the openness of the Web, and reduce the security of the Internet and its users. For these reasons, we strongly oppose both C-51 and CISA.





CISA threatens Internet security and undermines user trust

Jochai Ben-Avie


Protecting the privacy of users and the information collected about them online is crucial to maintaining and growing a healthy and open Web. Unfortunately, there have been massive threats that weaken our ability to create the Web that we want to see. The most notable and recent example of this is the expansive surveillance practices of the U.S. government that were revealed by Edward Snowden. Even though it has been nearly two years since these revelations began, the U.S. Congress has failed to pass any meaningful surveillance reform, and is about to consider creating new surveillance authorities in the form of the Cybersecurity Information Sharing Act of 2015.

We opposed the Cyber Intelligence Sharing and Protection Act in 2012 – as did a chorus of privacy advocates, information security professionals, entrepreneurs, and leading academics, with the President ultimately issuing a veto threat. We believe the newest version of CISA is worse in many respects, and that the bill fundamentally undermines Internet security and user trust.

CISA is promoted as facilitating the sharing of cyber threat information, but:

  • is overbroad in scope, allowing virtually any type of information to be shared and to be used, retained, or further shared not just for cybersecurity purposes, but for a wide range of other offences including arson and carjacking;
  • allows information to be shared automatically between civilian and military agencies including the NSA regardless of the intended purpose of sharing, which limits the capacity of civilian agencies to conduct and oversee the exchange of cybersecurity information between the private sector and sector-specific Federal agencies;
  • authorizes dangerous countermeasures that could seriously damage the Internet; and
  • provides blanket immunity from liability with shockingly insufficient privacy safeguards.

The lack of meaningful provisions requiring companies to strip out personal information before sharing with the government, problematic on its own, is made more egregious by the real-time sharing, data retention, lack of limitations, and sweeping permitted uses envisioned in the bill.

Unnecessary and harmful sharing of personal information is a very real and avoidable consequence of this bill. Even in those instances where sharing information for cybersecurity purposes is necessary, there is no reason to include users’ personal information. Threat indicators rarely encompass such details. Furthermore, it’s not a difficult or onerous process to strip out personal information before sharing. In the exceptional cases where personal information is relevant to the threat indicator, those details would be so relevant to mitigating the threat at hand that blanket immunity from liability for sharing would not be necessary.

We believe Congress should focus on reining in the NSA’s sweeping surveillance authority and practices. Concerns around information sharing are at best a small part of the problem that needs to be solved in order to secure the Internet and its users.

Victory for Net Neutrality – Let’s Take It Across the Finish Line

Dave Steer


{Cross posted from Feb 4th blog post in Mozilla Blog. Added FAQ.}

Today, we heard that we’ve won a stunning victory in the fight to protect net neutrality. The U.S. Federal Communications Commission (FCC) has put forward a draft proposal for strong, enforceable net neutrality rules based on classifying broadband as a Title II communications service.

We are on the cusp of meaningful protection for the free and open Web.  In the remaining days before the official vote on February 26th, policy makers will be subject to intense pressure from the cable and telecom industry lobby. So we need to keep working. To get net neutrality across the finish line, Mozilla is launching a campaign that enables our community to stand together and send a strong signal to Washington, DC policy makers.

The FCC’s proposal is consistent with what we all wanted.  It reclassifies broadband as a Title II communications service, giving the FCC the authority to prohibit blocking or slowing down content — in essence, ISPs will not be able to create Internet fast lanes for the few big corporate giants that can afford it, and slow lanes for the rest of us. The world is watching, and the decisions reached in the U.S. will influence the global policy approach.

But victory is never guaranteed.

There are a handful of powerful interests in the cable and telecom industry that want to control both what is possible and what is imaginable on the Web. They are scared of net neutrality because they want to decide what we see and what we can do. They set the rules to dominate the market while stifling the innovation and opportunity of the Internet economy. They are the gatekeepers. We are the customers. And they’ve set their lobbyists loose on Congress to raise false arguments, to stall progress, and to get the FCC to back down. We can’t let them do this.

Ahead of the vote on February 26th, Mozilla is launching an effort to take net neutrality across the finish line by mobilizing our community and ensuring that policymakers hear their voices loud and clear.

We’ve created a new, urgent petition that you can sign, so that your message — along with those of everyone else who speaks out — is sent directly to members of Congress. We’ve also joined forces with Fight for the Future, Demand Progress, and Free Press — key partners of ours in Stop SOPA and StopWatching.US — to enable our community to call their representatives of Congress. We will roll out this tool in the coming weeks as we get closer to the vote. We’re raising awareness across all of our major Firefox and Mozilla channels.

Taking on Goliaths is what the Mozilla community was born to do. The fight for choice in browsers; the fight to protect people’s privacy from government and corporate surveillance — these are the fights that have tipped the scales towards a Web where people have freedom and control.

Here we are – at another big tipping point for the Web. With days to go, this is our last chance to speak out before the FCC votes. Please stand with us.


Frequently Asked Questions

The Internet belongs to all of us. Protect net neutrality: Sign the Petition

Q: What is net neutrality?

A: Net neutrality is the principle that all data on the Internet must be treated equally. This means that Internet service providers (ISPs) and governments cannot discriminate what websites users can access, and they cannot prioritize or block content regardless of its source or how much users and providers pay.

Q: Why does net neutrality matter?

A: The Internet is a fundamental part of our daily lives — it is vital for innovation, learning and opportunity. Keeping it open ensures that it will remain a global, shared resource for everyone.

Q: What is Mozilla asking the U.S. Federal Communications Commission to do exactly?

A: We are asking the FCC to protect real net neutrality for all Internet users and content creators. We ask that they vote to reclassify the Internet under Title II, which gives the FCC the authority to make sure ISPs do not discriminate in their provision of services.

Q: If we want a free and open Internet, how is giving the government the authority to regulate it a good thing?

A: Title II doesn’t give the government the authority to regulate what happens on the Internet, but rather to protect the Internet and its users from discrimination and paid prioritization.

Q: Why is net neutrality in the news right now?

A: The FCC votes on February 26th, 2015 whether or not to classify broadband as a Title II communications service. People commented to the FCC more than 4 million times in favor of Title II, the most public comments the commission has ever seen. This decision is historic, and many governments around the world are discussing their net neutrality policies this year; the decisions reached in the United States will influence the global policy approach.

Q: What can I do to support net neutrality and take action to make my voice heard by the FCC?

A: If you live in the U.S., you can sign the petition and/or call your Congressional representative. Although the final decision will be made by the FCC — commissioners who are appointed and not elected — Congress determines the FCC’s budget, and has the political ability to undermine the FCC; this is why it’s critical for Congress and the FCC to align. If you live outside of the U.S., please forward this to anyone you know in-country.

Q: What happens if the FCC doesn’t vote in favor of Title II?

A: If broadband isn’t reclassified under Title II, it would be considered an “information service,” which will not be protected as well by the FCC. As an information service, your Internet access could be throttled, slowed down, or even blocked. Under Title II, the FCC will protect the free and open Web.

More questions? Check out these additional resources:

Net Neutrality Wiki:

Net Neutrality: Concepts:

Net Neutrality: External resources:

Tumblr: Help the FCC Protect the Internet:

Reflections on CES 2015

Chris Riley


I just returned from the 2015 Consumer Electronics Show, and am writing to share a few reflections on the event. I spent most of my time at the “Innovation Policy” CES track, checking out sessions on net neutrality, privacy and the Internet of Things, and patent reform – all topics that will be the subject of many Internet policy headlines through 2015.


Spotlight on Free Press: A Ford-Mozilla Open Web Fellow Host Organization

Dave Steer


{This is the final in a series of posts highlighting the Ford-Mozilla Open Web Fellows program host organizations. Free Press has been at the forefront of informing tech policy and mobilizing millions to take action to protect the Internet. This year, Free Press has been an instrumental catalyst in the fight to protect net neutrality. We are thrilled to have Free Press as a host organization, and eager to see the impact from their Fellow.}

By Amy Kroin, editor, Free Press

In the next few months, the Federal Communications Commission will decide whether to surrender the Internet to a handful of corporations — or protect it as a space that’s shared and shaped by millions of users.

At Free Press, we believe that protecting everyone’s rights to connect and communicate is fundamental to advancing social change. We believe that people should have the opportunities to tell their own stories, hold leaders accountable and participate in policy making. And we know that the freedom to access and share information is essential to this.


But these freedoms are under constant attack.

Take Net Neutrality. In May, FCC Chairman Tom Wheeler released rules that would have allowed discrimination online and destroyed the Internet as we know it. Since then, Free Press has helped lead the movement to push Wheeler to ditch his rules — and safeguard Net Neutrality over the long term. Our nationwide mobilization efforts and our advocacy within the Beltway have prompted the president, leaders in Congress and millions of people to speak out for strong open Internet protections. Wheeler’s had to go back to the drawing board — and plans to release new rules in 2015.

Though we’ve built amazing momentum in our campaign, our opposition — AT&T, Comcast, Verizon and their hundreds of lobbyists — is not backing down. Neither are we. With the help of people like you, we can ensure the FCC enacts strong open Internet protections. And if the agency goes this route, we will do everything we can to defend those rules and fight any legal challenges.

But preserving Net Neutrality is only part of the puzzle. In addition to maintaining open networks for Internet users, we also need to curb government surveillance and protect press freedom.

In the aftermath of the Edward Snowden revelations, we helped launch the StopWatching.Us coalition, which organized the Rally Against Mass Surveillance and is pushing Congress to pass meaningful reforms. In 2015, we’re ramping up our advocacy and will cultivate more champions in Congress.

The widespread spying has had a particular impact on journalists, especially those who cover national security issues. Surveillance, crackdowns on whistleblowers and pressure to reveal confidential sources have made it difficult for many of these reporters to do their jobs.

Free Press has worked with leading press freedom groups to push the government to protect the rights of journalists. We will step up that work in the coming months with the hiring of a new journalism and press freedom program director.

This is just a snapshot of the kind of work we do every day at Free Press. We’re seeking a Ford-Mozilla Open Web Fellow with proven digital skills who can hit the ground running. Applicants should be up to speed on the latest trends in online organizing and should have experience using social media tools to advance policy goals. Candidates should also be accustomed to working within a collaborative workplace.

To join our team of Internet freedom fighters, apply to become a Ford-Mozilla Open Web Fellow at Free Press. We value excellence and diversity in our team. We strongly encourage applications from women, people of color, persons with disabilities, and lesbian, gay, bisexual and transgender individuals.

Be a Ford-Mozilla Open Web Fellow. Application deadline is December 31, 2014. Apply at