Categories: Data Safety privacy

Mozilla to Offer New User-Centric Services in 2012

At Mozilla, we’ve long focused on building software that gives users sovereignty over their online lives. This means designing in ways that provide people deeper insights into how the web works, unique software features to personalize their online experience, and controls over their personal data. Lately, we’ve been thinking about how user sovereignty has grown to depend on more than just the browser. Many web sites store extensive user data and act on behalf of the user. While the browser may be fully under the user’s control, many of the services that users enjoy are not. Sometimes, these web services handle data in ways that are of questionable value to the user, even detrimental.

It’s clear that Mozilla needs to step up and provide, in addition to the Firefox browser, certain services to enhance users’ control over their online experience and personal data. Mozilla’s Chairwoman, Mitchell Baker, puts it this way:

I believe it is imperative we develop additional offerings. We need open, open-source, interoperable, public-benefit, standards-based platforms for multiple layers of Internet life. […] We choose to take our values to where people live.

The services we’re imagining and working hard to launch over the coming weeks and months include: an innovative approach to identity, a mobile web-based operating system, and an app store. To offer these services, we’ll need to store user data on Mozilla servers at a much larger scale than we have to date. This requires great care and deliberation. We’ve started the process of figuring out how to do this and tried a few pilot evaluations. I’d like to tell you what we’re thinking and solicit your thoughts and ideas.

Our Current Approach — Firefox Sync

Mozilla already stores encrypted data with Firefox Sync, which lets millions of Firefox users keep bookmarks, history, and passwords synchronized across multiple installations of Firefox, including Mobile Firefox. We secure this data with cryptography more advanced than even that used by financial institutions. Typically, banks use transport-level encryption (SSL): your data is encrypted in transit between your browser and the bank’s servers. Once it arrives at the bank’s servers, it is, of course, decrypted. By comparison, Firefox Sync uses application-level encryption: your data is encrypted by Firefox before it’s sent over the network, and it stays encrypted once it arrives on our servers and is stored on our disks. Only your Firefox client can decrypt the data. Mozilla doesn’t have the decryption keys.

This means that we never see your data. If we suffered a server breach, or if someone walked out of our data centers with a few hard drives in hand, then your data would remain safe from prying eyes. Few other companies go to such lengths to secure your data.
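To make the transport-level versus application-level distinction concrete, here is an added example written for this post; it is not Firefox Sync’s real protocol or Mozilla’s code. It assumes a passphrase-derived key pair (PBKDF2), an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for a proper AEAD cipher, and a toy in-memory “server” that stores whatever it receives and holds no keys. The `SyncServer` class, the record format and the constructed bookmark are all assumptions of the example. Notice what the server (or anyone walking off with its disks) can and cannot learn, and that a wrong passphrase or a flipped byte fails closed instead of producing garbage.

```python
import base64
import hashlib
import hmac
import secrets

# --- client side: keys never leave this half --------------------------------

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive two 32-byte keys from the user's passphrase: one for the
    keystream, one for the authentication tag. Runs only on the client."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode (illustrative stand-in for a real stream/AEAD cipher);
    # a fresh random nonce per record keeps keystreams distinct.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> str:
    """Encrypt-then-MAC; the blob layout is nonce(16) || ciphertext || tag(32), base64."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt_record(blob: str, enc_key: bytes, mac_key: bytes) -> bytes:
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Constant-time compare; wrong key or modified ciphertext both land here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was tampered with or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- server side: opaque storage only ---------------------------------------

class SyncServer:
    """Hypothetical storage service. It stores uploaded blobs and holds no keys."""

    def __init__(self) -> None:
        self.storage: dict[str, str] = {}

    def put(self, user: str, collection: str, blob: str) -> None:
        self.storage[f"{user}/{collection}"] = blob

    def get(self, user: str, collection: str) -> str:
        return self.storage[f"{user}/{collection}"]

    def dump_disk(self) -> dict[str, str]:
        # Everything a stolen drive (or a server-side breach) would expose.
        return dict(self.storage)


def demo() -> dict:
    salt = b"constructed-per-account-salt"  # in practice random, stored alongside the account
    passphrase = "correct horse battery staple"  # constructed sample passphrase
    enc_key, mac_key = derive_keys(passphrase, salt)
    bookmark = b'{"title": "Mozilla", "url": "https://www.mozilla.org/"}'  # constructed record

    server = SyncServer()
    server.put("alice", "bookmarks", encrypt_record(bookmark, enc_key, mac_key))

    # 1. Whoever holds the server's disks sees only nonce, ciphertext and tag.
    stolen = base64.b64decode(server.dump_disk()["alice/bookmarks"])
    leaked_plaintext = b"mozilla" in stolen.lower()

    # 2. A second Firefox install with the same passphrase derives the same keys.
    enc2, mac2 = derive_keys(passphrase, salt)
    restored = decrypt_record(server.get("alice", "bookmarks"), enc2, mac2)

    # 3. A wrong passphrase is rejected by the tag check, not decrypted into noise.
    enc3, mac3 = derive_keys("wrong passphrase", salt)
    try:
        decrypt_record(server.get("alice", "bookmarks"), enc3, mac3)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    # 4. A single flipped ciphertext byte is detected before anything is returned.
    raw = bytearray(stolen)
    raw[20] ^= 0x01  # index 20 lies inside the ciphertext region
    try:
        decrypt_record(base64.b64encode(bytes(raw)).decode(), enc_key, mac_key)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {
        "leaked_plaintext": leaked_plaintext,
        "restored": restored,
        "wrong_key_rejected": wrong_key_rejected,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The server code path never touches `derive_keys`; that is the whole point. Swap `SyncServer` for a real database and nothing the operator can read changes, which is also why such a server cannot offer features like the birthday reminders discussed in the next section without the client first handing it plaintext.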

The new services we envision will, whenever possible, continue to use this level of data security.

Limits of Application-Level Encryption

If we can’t see your data, then you’re incredibly safe, but we can’t do much to help you either. Application-level encryption is like the safe you keep in your closet: you can place valuables there, and you can retrieve them if you’re there in person, but you can’t easily ask a roommate to quickly tell you over the phone how much cash you have stored in the safe. By comparison, it’s easy to call a roommate and ask them to read you a phone number you left on the kitchen table. Some data is so valuable you need to keep it in a safe. Other data may not be quite as sensitive, and may be quite a bit more useful if you can get help managing, retrieving, and processing it. Something as simple as sending you reminders of friends’ birthdays requires the service to see that data when you’re offline.

I wrote previously about the limitations of encryption to safeguard data. Encryption isn’t magic. It isn’t appropriate for all applications. If we want to provide realistic alternative services that set an example of user sovereignty, then that will require storing user data on our servers, often without application-level encryption.

Design Guidelines

We propose a few starting design guidelines:

  • clear user benefit: there should always be a clear and direct user benefit that results from the data we collect. Aggressive user data storage “just in case it’s needed later” is not acceptable.
  • data inventory: we should always know what data we’re collecting, where and how it’s stored, and why the storage of each datapoint is crucial to the end-user feature. We should make sure users can easily get at this inventory, understand it, update it, or delete it.
  • minimize server-visible data: if we can implement a given feature by never sending data to the server, or by using application-level encryption, then we will.
  • minimize data retention: we should store data for as little time as possible. In particular, if we need servers only to provide a transit point for data, then that data should only transit, never be stored.
  • aggregate whenever possible: we will explore whether we can implement the feature with data aggregated across a significant number of users, rather than keeping individual data points. (Given the richness of these datasets, we cannot pretend that de-identification is particularly useful to protecting individual users.)

We want to vet every feature we consider by relying on existing processes that the Mozilla Project knows well already: Bugzilla. Issues will be tracked in Bugzilla, with a high-level tracking issue we expect to call “Data Safety.”

People

The following people have joined together to form a Mozilla Data Safety Team to develop these ideas and bring them into our product offerings:

  • Jay Sullivan, who leads the definition of great Mozilla products that embody our values,
  • Sid Stamm, who leads engineering for privacy in Firefox and the web platform,
  • Jonathan Nightingale, who runs the Firefox engineering group,
  • Alex Fowler, who leads privacy and policy and focuses on enhancing information management,
  • Brendan Eich, who has led from day one the technical direction of the Mozilla Project,
  • Michael Coates, who leads infrastructure security, overseeing applications, servers, & networks,
  • Chris Beard, who leads our marketing and engagement programs,
  • David Ascher, who leads Mozilla’s thinking on how users share and discover the Web,
  • Ben Adida, that’s me, I lead the Identity work at Mozilla

We know we’ll need to grow this team to include individuals with more diverse backgrounds, people from inside and outside the Mozilla Project, and people from around the world. We’ll also need to be mindful of various local jurisdictions and customs in the way we design and host our services.

Beyond Compliance

Data safety requires careful compliance with regulation and best practices, but we aim to do more. We’ll be involving our most experienced software architects and security experts to determine how to engineer better privacy. These discussions and iterations, like all existing security and privacy reviews, will be public by default, so that they can be audited just like our source code (except when those disclosures would give attackers a head-start, of course, in which case we’ll keep the information secret temporarily). In addition, like all Mozilla projects, we’ll involve our users in the process of architecting for greater user sovereignty. It’s crucial that users understand the solutions we propose, the benefits provided by these solutions, and the ways in which their data is used to derive this benefit.

Sticking to our Principles

User sovereignty requires a great browser and a number of user-centric services. We would like to build some of these services, and we intend to do so with as strong a dedication as ever to our privacy principles: no surprises, real choices, sensible settings, limited data, and user control. We won’t sell or give away your data. We will always explain what data we store and why we store it. We will always let you leave and take your data with you, and we will always explain what benefit you get from this data collection.

We welcome your feedback, in blogs, on dev.planning, or on Twitter with the hashtag #mozdatasafety.

35 comments on “Mozilla to Offer New User-Centric Services in 2012”

  1. Ping from User Sovereignty for our Data | Mitchell's Blog on

    […] My colleague Ben Adida (tech lead for identity and user data and one of our resident cryptographers) has written a piece describing our thinking on how to build such products. […]

  2. anoncow wrote on

    “We will always let you leave and take your data with you”, how would I export all data out of Sync? 🙂

    1. Ben Adida wrote on

      We could probably provide different tools for that, but right now you can get all of your data out of Sync by just connecting your Firefox to it. Also, the protocol is fully documented:

      http://docs.services.mozilla.com/

      and you can run your own sync server if you’d like.

  3. David Flanagan wrote on

    Ben,

    If I’m reading this post and Mitchell’s post (http://blog.lizardwrangler.com/2012/01/13/user-sovereignty-for-our-data/) that links to yours correctly, it sounds like the two of you are talking about slightly different things.

    The design guidelines you propose all seem great, but they seem to be intended to guide data storage for services that are not storage services. And Mitchell seems to be raising the possibility of Mozilla actually offering a cloud storage service. Obviously a “minimize retention” policy doesn’t make sense for a storage service, for example.

    1. Ben Adida wrote on

      David,

      “Minimize retention” still makes sense for a storage service. The point is that there is a lot of data you don’t need to retain. Of course, if the user *wants* the data to be retained, then you retain it. So “minimize retention” means you do that for data the user doesn’t need, and for the data the user needs, you store it.

  4. David Flanagan wrote on

    Ben,

    I didn’t mean to pick on the “minimize retention” guideline… Just observing that Mitchell seems to be proposing something that goes beyond what you’re talking about here.

    I wonder how much of the open user data storage problem could be solved by extending the Web Storage spec http://dev.w3.org/html5/webstorage/ to add cloudStorage to the existing localStorage and sessionStorage APIs. Or just by making localStorage something that could be synchronized across devices.

  5. Brendan Eich wrote on

    David: have you seen http://www.w3.org/community/unhosted/wiki/RemoteStorage from the http://unhosted.org/ folks?

    /be

  6. David Flanagan wrote on

    Brendan,

    I knew that unhosted was working in this space, but hadn’t seen those details. Thanks!

  7. Clochix wrote on

    Being a US company, Mozilla is subject to US laws, and things like the Patriot Act don’t seem to be compliant with your privacy principles. As a European citizen, I know that, even if my data are stored in a datacenter in Europe, the US agencies may ask to access them, and Mozilla would have no other choice than to obey such a request and disclose my data.
    I trust Mozilla, but I know I can’t store any sensitive data using services provided by US companies, because of laws like the Patriot Act.
    How can you protect your users’ data against that sort of liberty-killer laws?

    1. Ben Adida wrote on

      The cross-jurisdiction issues are quite important, we agree. We must make our approach work for a world-wide audience, as Mozilla is not a US-centric project. We don’t have solutions to all of the issues you raise, yet. That’s part of what this post and future discussion are meant to address: raising all of the difficult aspects of these plans and discussing how best to approach them.

      1. Nicolas Barbulesco wrote on

        Well, what about this? Mozilla stores the data in a data-center in Europe, and operates it through one of its offices in Europe. So data operating is subject to European laws, not to the Patriot Act.

      2. Kurt wrote on

        I don’t know all the corporate infrastructures involved in the operation of Mozilla/Firefox, but it seems to me (if at all possible) that an overseas (French, German or whatever European nation) would have local servers that would tender designated “sensitive data” at the discretion of the client, and any data at risk by the Patriot Act would be left to the European infrastructure. Of course, if the data is business related, I fully understand why an entity (business) from another country would not want material related therein perused by an American security organization.

    2. Carl Dillon wrote on

      As a Canadian I share your concerns. The US is seemingly on a track of exerting extra-territorial jurisdiction whenever it feels that its interests are at stake. The problem is that what they consider in their interest is both wide ranging and secret. At any moment they may consider what you are doing as in their interest to review and take action on or against.

      Cloud storage on any company system with any form of US presence is fraught with peril if you are keeping any sensitive data at all. This is an issue that cannot be resolved by any US based company as the issue is one of governmental policy – and often policy considered illegal in the international context by most other countries.

  8. Paul Booker wrote on

    It’s great to hear Mozilla starting to talk more about the need to get into Cloud services to protect user sovereignty on the Web. It’s surely only a matter of time now until we start talking about sovereignty on the social Web and federation.

    Best, Paul

  9. Paul Booker wrote on

    I love the Unhosted project.

    One thing I want to figure out this year is how you can have a social Web that is both Unhosted and OStatus Federated.

    Best, Paul

  10. Nicolas Barbulesco wrote on

    This comes close to my dream http://blog.lizardwrangler.com/2011/07/14/mozilla-in-the-new-internet-era-more-than-the-browser/#comment-21418 ; please have a look at it. But I would like my stored user data not to be restricted to identity. Sometimes, I need later some stuff I had written on the Web, and sometimes I don’t find it easily, and sometimes I don’t find it at all, because I may not remember where I had written my creation, or the posted content may have moved or disappeared… I would love to have a global Web “Sent” box, where everything I write on the Web, with a magic “Archive this” checkbox ticked, gets archived.

    Thanks, and keep up the good work!

    Nicolas

  11. Ping from Every moment counts in Mozilla’s bid for mobile relevance | Partners In Sublime on

    […] browsers, too. Here’s how Ben Adida, Mozilla’s tech lead for identity and user data, described Mozilla’s ambition for letting users control their data earlier this year: While the browser may be fully under the user’s control, many of the […]

  12. Ping from Every moment counts in Mozilla’s bid for mobile relevance on

    […] browsers, too. Here’s how Ben Adida, Mozilla’s tech lead for identity and user data, described Mozilla’s ambition for letting users control their data earlier this year: While the browser may be fully under the user’s control, many of the […]

  13. Ping from Every moment counts in Mozilla’s bid for mobile relevance | Internet App developer on

    […] browsers, too. Here’s how Ben Adida, Mozilla’s tech lead for identity and user data, described Mozilla’s ambition for letting users control their data earlier this year: While the browser may be fully under the user’s control, many of the […]

  14. Ping from Every moment counts in Mozilla’s bid for mobile relevance | androidless.net on

    […] browsers, too. Here’s how Ben Adida, Mozilla’s tech lead for identity and user data, described Mozilla’s ambition for letting users control their data earlier this year: While the browser may be fully under the user’s control, many of the […]

  15. Ping from Every moment counts in Mozilla’s bid for mobile relevance | Download free apk, apps | Android freeware on

    […] browsers, too. Here’s how Ben Adida, Mozilla’s tech lead for identity and user data, described Mozilla’s ambition for letting users control their data earlier this […]

  16. Ayesh wrote on

    As a heavy Firefox user, I always look for “awesome” solutions, just like Firefox Sync. Bookmark some article in the office and read it at home.
    And also, I think Firefox is now in a very important status, with other competitors.

    Google Chrome sync looks like a cool one for Chrome users. But personally, I don’t want to see how many passwords I have saved in my account in just a web interface.
    Get the email and password of a Google account and bam – the hacker has all the access to my entire digital life.

    I personally think security should be first and accessibility should be second.

    Quickly accessing a bookmark in an Internet cafe is the most usual case in accessibility. I think developing some way to access bookmarks (not passwords) without a security key will give some relief to users.

  17. saf wrote on

    There is some concern about Google’s new policies. How will using Google as our search engine or Gmail sent to Thunderbird interact with your security policies?

  18. Vicky wrote on

    I sure wish Mozilla Firefox was also an e-mail server – especially with the increased lack of privacy Google is going to use beginning 3/1/12 for the Gmail clients.
    Do you see this happening in Mozilla’s future?

    1. BJ wrote on

      In response to Vicky who wrote: on January 28th, 2012 at 12:09 pm:

      I sure wish Mozilla Firefox was also an e-mail server – especially with the increased lack of privacy Google is going to use beginning 3/1/12 for the Gmail clients.
      Do you see this happening in Mozilla’s future?

      My comment: I sure hope so. And I certainly wouldn’t mind paying for that ‘peace of mind’ I’d get switching everything to Mozilla. I’m getting bad vibes from Google just as I did before I made the switch from MSWindows to Linux.

  19. milan guevarra wrote on

    Hello Ben, I would like to verify the word “encrypted”. What I mean is, I couldn’t clearly and deeply understand what it means. Is it a virus? I know you can help me with this little confusion. Thank you very much!!

  20. Mikkel Schau wrote on

    How do Mozilla’s ideas jibe with the new Google user data aggregation strategy which will come about March 1?
    Does Mozilla recommend another search engine to those who wish not to use Google and its carefully individualized search results?

  21. Lee Hollimon wrote on

    I’ve been using Mozilla for over 3 yrs. and no way in hell would I use another browser.

  22. Era Ericsson wrote on

    @Mikkel

    I don’t think so, as Mozilla is already going the same way to collect data about their users.

    https://wiki.mozilla.org/MetricsDataPing
    http://blog.mozilla.org/metrics/

    @Ben
    The German IT-related press has already started to discuss this issue.
    http://heise.de/-1432835

    And the related forum already shows that Firefox is losing market share, because Mozilla is even thinking about user data collection.

    EE

    1. NO Datacollection only with Optin! wrote on

      I feel bad about how naturally firms ignore personal security interests. Firefox has been and is still therefore my first choice, because I can adjust and decide who gets what information about and from me. I want to be asked for permission and want to decide and adjust from the start if I want to give you data or not. I don’t want to stop an already conducted mania for collecting data only afterwards with an opt-out!

      So when my Mozilla Firefox and security interests are not taken seriously, my security issues and my decision that admits an optional opt-in, then I look for a different browser.
      Mozilla’s one and strongest selling point against other data acquisitiveness should be the strong respect for the surfer’s safety. To ignore it is equal to harakiri.

    2. Ben Adida wrote on

      @Era,

      The Metrics Data Ping is only a proposal that is currently being debated with the community, not a feature of Firefox at this point. As described in this blog post, the driving issue will always be user benefit, and we will always publicly vet plans to ensure that we minimize any data collection to fulfill only the user benefit, nothing more.

  23. Ping from Firefox developers discuss opt-out for user data measurement | virtualfiles.net on

    […] in this form violates the privacy principles that Mozilla employee Ben Adida had formulated in a blog post. In some countries the opt-out is not […]

  24. Anu wrote on

    This is really a stupid idea. If I have to choose between privacy and Firefox, Firefox will lose.

  25. Ping from Mitchell Baker: Defending Your Cloud Data Sovereignty | News Center | Mozilla Taiwan on

    […] My colleague Ben Adida (lead for identity and user data, and also a cryptographer) has written an article describing our thinking on how to build such products. […]

  26. Ping from Starting with Firefox 10, add-ons will be compatible by default | News Center | Mozilla Taiwan on

    […] My colleague Ben Adida (lead for identity and user data, and also a cryptographer) has written an article describing our thinking on how to build such products. […]