Putting Our Data Privacy Principles Into Action


In November, we told you about Mozilla’s updated Data Privacy Principles, which inform how we build products, manage user data, and select and interact with partners. Today, Mozilla’s Content Services team is announcing its latest innovation in Web advertising – Suggested Tiles. This product demonstrates how we put those principles into action.

Suggested Tiles promotes specific content on our new tab page – this may be Mozilla content (such as our campaigns on policy issues), publisher content, or advertising. Relevance of the content to the user is based on the user’s interests. We define interest categories as a set of URLs that are related to the category. When one of those URLs appears in the user’s list of most frequently visited sites, we show the content. You can read more about this at our Advancing Content blog.

With Suggested Tiles, we’ve worked hard to deliver relevant content and advertisements to our users while respecting their privacy. We’ve pushed the logic down to the Firefox Browser, so we don’t collect information about our users to decide which advertisement to show. We provide easy-to-understand controls that allow users to turn off Suggested Tiles. And when the user does see or click an advertisement on the new tab page, we limit what data we collect about how the user interacts with the product.

The data could still allow us to learn something about the user’s history that we did not know before. To address this, we’ve taken a number of additional steps.

First, we put a system of rules in place to limit what Mozilla or our partners can infer about our users based on Tiles data. Each interest category must have a minimum of 5 URLs. We will attempt to construct interest categories such that no single URL is significantly more likely to appear in a user’s browsing history than any other URL in the category. Suggested Tiles also cannot be triggered based on combinations of URLs in the interest category. These rules allow us to balance privacy against contextual relevance, ensuring we can deliver useful content while obscuring the user’s browsing behavior.

Second, we’ve created a process to limit any conflicts of interest when we choose what URLs to include in a category. While our Tiles partners can suggest URLs to include, it’s the Content Services team that actually defines the interest categories. We’ve designated a separate role on the team, who isn’t involved in creating the interest categories, to approve the final categories. We will also make our interest categories publicly available, specifying the label of the bucket and the collection of URLs specified against it. You can currently see the interest categories we’ve created in our source code here.

And third, we’ve established several other safeguards. We discard IP addresses within 7 days of collection and collect no other unique IDs associated with Tiles. As we scale, we are only including one Suggested Tile per new tab page, which prevents impression data from providing a more complete portrait of the user’s history. And we only share reports containing aggregate impression and click data – number of impressions, clicks, etc. – with partners. No individual data will be provided to our advertising clients.

We put Mozilla’s five data privacy principles to work in Suggested Tiles. As we continue to innovate in this space, finding new ways to deliver relevant content, we will continue to put users at the center of our decisions by limiting what data we collect, providing transparency and user control, and using security practices that earn the trust of our users.
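A sketch of the client-side matching and category rules described in this post, as an added example (not Mozilla's or Firefox's code). The category data, the popularity estimates, the 3x skew threshold and all function names are assumptions made for illustration.

```javascript
"use strict";

const MIN_URLS = 5; // from the post: each interest category needs at least 5 URLs
const MAX_SKEW = 3; // assumption: the post gives no number for "significantly more likely"

// Reduce a URL to its host so matching ignores paths and query strings.
function hostOf(url) {
  return new URL(url).hostname.replace(/^www\./, "");
}

// Review-time check for one category. `popularity` maps host -> estimated share
// of users who visit it (hypothetical input; the post does not say how this is measured).
function validateCategory(category, popularity) {
  const hosts = [...new Set(category.urls.map(hostOf))];
  const problems = [];
  if (hosts.length < MIN_URLS) {
    problems.push(`only ${hosts.length} distinct sites, need ${MIN_URLS}`);
  }
  const shares = hosts.map((h) => popularity[h]);
  if (shares.some((s) => typeof s !== "number" || s <= 0)) {
    problems.push("missing popularity estimate for at least one site");
  } else if (shares.length && Math.max(...shares) / Math.min(...shares) > MAX_SKEW) {
    problems.push("one site dominates, so an impression would point at it");
  }
  return problems;
}

// Only categories that pass every rule are shipped to the browser.
function approvedCategories(categories, popularity) {
  return categories.filter((c) => validateCategory(c, popularity).length === 0);
}

// Runs inside the browser. A tile is triggered by any single site in the
// category, never by a combination, and at most one tile is returned per page.
function pickSuggestedTile(categories, topSites, enabled = true) {
  if (!enabled) return null; // user turned Suggested Tiles off
  const visited = new Set(topSites.map(hostOf));
  for (const category of categories) {
    if (category.urls.some((u) => visited.has(hostOf(u)))) {
      return { tileId: category.tileId, label: category.label };
    }
  }
  return null;
}

// What leaves the browser: the tile and the action, not the site that matched.
function impressionReport(tile, action) {
  return { tileId: tile.tileId, action };
}

// Constructed sample data (reserved .example domains).
const CATEGORIES = [
  { tileId: "tile-cycling", label: "Cycling", urls: [
    "https://bikes.example/", "https://www.velo.example/news",
    "https://trails.example/", "https://gearshop.example/sale",
    "https://ridelog.example/" ] },
  { tileId: "tile-narrow", label: "Too few sites", urls: [
    "https://a.example/", "https://b.example/", "https://c.example/" ] },
  { tileId: "tile-skewed", label: "Dominated by one site", urls: [
    "https://giant.example/", "https://s1.example/", "https://s2.example/",
    "https://s3.example/", "https://s4.example/" ] },
];
const POPULARITY = {
  "bikes.example": 0.02, "velo.example": 0.015, "trails.example": 0.01,
  "gearshop.example": 0.012, "ridelog.example": 0.018,
  "a.example": 0.01, "b.example": 0.01, "c.example": 0.01,
  "giant.example": 0.5, "s1.example": 0.01, "s2.example": 0.01,
  "s3.example": 0.01, "s4.example": 0.01,
};
const TOP_SITES = ["https://mail.example/inbox", "https://velo.example/tour?stage=4"];

const shipped = approvedCategories(CATEGORIES, POPULARITY);
const tile = pickSuggestedTile(shipped, TOP_SITES);
if (tile) console.log(impressionReport(tile, "view"));
```

With five roughly equally popular sites in a category, an impression for that tile tells the server only that one of the five is among the user's frequent sites, which is the inference limit the rules aim for.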

Mozilla Advocacy – 2015 Plan

Dave Steer


Mozilla Advocacy — Our 2015 Plan for Protecting and Advancing the Open Web

Advocacy is a relatively new area of focus for Mozilla. Our increased emphasis on advocacy is born out of the recognition that, like code, public policy has an impact on the shape and health of the open web — and that a vital force protecting the web will be the millions of people who consider themselves to be citizens of the web.

Over the next few weeks, the Mozilla Advocacy team — including Andrea Wood, Director of Digital Advocacy and Fundraising; Melissa Romaine, Advocacy Manager; Chris Riley, Head of Public Policy; Stacy Martin, Senior Manager of Privacy and Engagement; Jochai Ben-Avie, Internet Policy Manager; and Alina Hua, Senior Data Privacy Manager — will lay out our latest thinking about how we’re developing public policy and creating advocacy initiatives.

Our goal with Mozilla Advocacy is to advance the Mozilla mission by empowering people to create measurable changes in public policy to protect the Internet as a global public resource, open and accessible to all. Our three strategies to achieve this goal are:

  1. Leadership Development — Grow a global cadre of leaders — activists, technologists, policy experts — who advance the free and open web.

  2. Community — Assist, grow, and enable the wider policy & advocacy community.

  3. Grassroots Advocacy — Run issue-based campaigns to grow mainstream engagement with Mozilla and open web issues.

Each of these strategies ties directly to the goal of empowering people. Yet, as we execute, there are still open questions that need input and more thought from the community. For instance, how can we create better scale and participation, recognizing that real impact happens when the community is empowered to take action on policy and advocacy initiatives? A key to this is making our own policy positions and advocacy efforts easier for people to understand and engage with.

We need you to play an active role. Because the web is growing in markets where we are not experts, the Mozilla community will play a central role in scaling efforts to protect the open web throughout the world. We invite you to help shape our thinking by reading the 2015 Policy & Advocacy Plan and offering input through this thread in the Mozilla Advocacy Community.

–Dave Steer, Director of Advocacy, Mozilla

Congress has only days left to reform surveillance law

Jochai Ben-Avie

UPDATE: The House passed the USA FREEDOM Act today 338-88. The following statement can be attributed to Mozilla Head of Public Policy Chris Riley:

“Mozilla is pleased to see the House vote overwhelmingly today to pass the USA FREEDOM Act. This legislation significantly curtails bulk collection under the Patriot Act and other authorities, and puts us on a path to a more private and secure Internet.

We urge the Senate to swiftly follow suit and vote to pass the bipartisan USA FREEDOM Act. We are staunchly opposed to any short- or long-term reauthorization of these sections of the Patriot Act absent meaningful reforms. Now is not the time to delay on these much needed reforms.”

Original post:

This week, the U.S. House of Representatives is scheduled to vote on the USA FREEDOM Act, a bipartisan, bicameral piece of legislation that would significantly reform surveillance activities conducted under the USA PATRIOT Act.

Mozilla supports this legislation, which passed out of the House Judiciary Committee on a 25-2 vote. This version of USA FREEDOM Act would:

  • curtail bulk collection activities under Section 215 as well as Pen Register/Trap and Trace and National Security Letter authorities;
  • bring increased transparency to surveillance activities, including through the declassification of Foreign Intelligence Surveillance Court (FISC) opinions and new reporting requirements on the government;
  • allow companies to report the scope and scale of national security demands in smaller ranges (bands of 500 as opposed to 1,000) than is allowed today;
  • enable outside attorneys to participate in FISC cases involving novel interpretations of law, providing an important check on the government; and
  • not require any data retention mandates.

While we believe many more surveillance reforms are needed, this legislation would be a significant step forward to enhancing user privacy and security. Indeed, the 2nd Circuit ruled last week that the government’s mass surveillance of call detail records — information about who you called, when you called, for how long you spoke, an incredibly detailed map of your private life — under Section 215 is illegal. Congress must act now to reform these surveillance authorities.

Despite the 2nd Circuit ruling and significant grassroots pressure (including from the Mozilla community), some senators are pushing for a reauthorization of these illegal surveillance activities without any reforms. Any delay in passing the USA FREEDOM Act is likely to lead to weakened reforms, so we urge Members of Congress to reject even a short term reauthorization of Section 215 and the two other PATRIOT Act statutes which are set to expire at the end of the month.

We hope the House will overwhelmingly approve the USA FREEDOM Act this week, reflecting the significant and diverse support for this legislation, and we hope that the Senate will swiftly follow suit in passing the bill without harmful amendments.


French National Assembly advances dangerous mass surveillance law

Jochai Ben-Avie

Mozilla is deeply concerned with last week’s overwhelming approval by the French National Assembly of the Projet de Loi Relatif au Renseignement, which intends to restructure the legal framework for French intelligence activities.

As currently written, the bill threatens the integrity of Internet infrastructure, user privacy, and data security. More specifically, the current bill authorizes France’s intelligence services to:

  • Pervasively monitor and store user communications, metadata, and Web activity about all users in France and abroad;
  • Force Internet service providers (and potentially other technology companies) to install “black boxes” in their networks to collect massive amounts of data and use algorithms to search for “suspicious patterns”;
  • Intercept user communications, including reading emails and tapping phones, without meaningful due process or oversight; and
  • Compromise Internet infrastructure in France and extraterritorially.

We’ve previously voiced our concerns against this legislation, as did an impressive number of very diverse stakeholders ranging from Internet users, civil society groups, businesses, lawyers’ and magistrates’ unions, the French association of victims of terrorism, the French Digital Council, as well as administrative authorities such as the CNIL (French Data Protection authority) and the CNCDH (French National Consultative Committee for Human Rights). The legislators seem to have given little consideration to these myriad voices and, unfortunately, all of the proposed provisions we warned about in our previous post have been included in the bill that passed the National Assembly.

There is a stark discrepancy between the open and constructive discussions being held in international fora and France’s trajectory and disregard for the expressed concerns in these matters. For instance, while France was a founding member of the Freedom Online Coalition, a group of 26 governments committed to Internet freedom, the French government was disappointingly nowhere to be seen at the Coalition’s annual conference this week in Mongolia.

The Intelligence Bill now moves to the French Senate for consideration. We urge the French senators to uphold France’s international commitments, engage in a meaningful way with the concerns that have been raised by numerous stakeholders, and update the bill accordingly. All concerned actors can and should continue to speak out against the bill, for instance, through the Sous Surveillance campaign run by La Quadrature du Net and other civil society groups.

Finally, we call on France, as an international leader in upholding human rights around the world, to set a positive example for other governments rather than continuing on a course of eroding protections for users and undermining the open Internet.

Mozilla View on Zero-Rating

Denelle Dixon-Thayer


Our support of net neutrality is grounded in our belief that we all must fight to maintain an open, global, and growing Internet. Because of the scale and potential of the Internet, it must be an international effort. We see a growing focus on net neutrality around the world and believe that this focus is positive and necessary for the continued health of this valuable global asset.

In India, for example, the focus on net neutrality and the impacts of zero-rating have reached an important inflection point. This week, we sent a letter to the Prime Minister of India supporting net neutrality, in response to an open consultation by the Telecom Regulatory Authority of India on Internet services. The Indian Internet community, including many Mozillians, has spoken out expressing concerns with zero-rating and its impacts on an open Internet. Not surprisingly, we too are concerned, and Mozilla’s Executive Chairwoman Mitchell Baker posted to her blog to identify what those concerns are. The bottom line is that zero-rating may actually NOT connect the world’s unconnected billions to the Internet, in India or elsewhere.

Zero-rating does not at first pass invoke the prototypical net neutrality harms of throttling, blocking, or paid prioritization, all of which involve technical differentiation in traffic management. Instead, zero-rating makes some Internet content and services “free” by excluding them from data caps that apply to other uses of traffic (which can result in “blocking” of sorts if a user has no available data left in a billing period).

The impact of zero-rating may result in the same harms as throttling, blocking, or paid prioritization. By giving one company (or a handful) the ability to reach users at no cost to them, zero-rating could limit rather than expand a user’s access to the Internet and ultimately chill competition and innovation. The promise of the Internet as a driver of innovation is that anyone can make anything and share it with anyone. Without a level playing field, the world won’t benefit from the next Facebook, Google or Twitter.

There are many things we still don’t know about zero-rating. It’s a relatively new business model and there is not a lot of data about its benefits or its harms, so we don’t know with certainty what the long-term effects will be. We don’t have data on substitutability – how many users will reduce or even stop their open Internet use because they have to pay, while walled garden offerings are free to them. But we do have data indicating that a significant percentage of people confuse “the Internet” and “Facebook” – in part because of Facebook’s Internet.org initiative – notably including a global survey by Quartz where over half of respondents agreed with a statement equating Facebook with the entire Internet.

There’s also missing data on the other side of the equation. There may be markets where affordability hurdles to access remain so significant that mobile networks can’t reach economies of scale to keep prices down. It may be possible that access to zero-rated services will help to give previously unconnected users a “taste” of the Internet, leading them to demand access to the open Internet itself. The truth is we don’t know.

Still, prohibition through legislation or regulation, a path some governments have taken or are considering, may not be the right answer. Taken to an extreme, regulation could chill some innovation and could result in industry not taking collective action. Even worse, regulation could allow governments to determine which content could/should be zero-rated – and the benefit of net neutrality is that no entity should get to decide which content a user has access to. Different markets and political environments require individual analysis. In some contexts, such as Netflix’s abandoned zero-rating plans in Australia, resolution may occur as a result of public pressure, without formal action.

We understand the temptation to say “some content is better than no content,” choosing a lesser degree of inclusion over openness and equality of opportunity. But it shouldn’t be a binary choice; technology and innovation can create a better way, even though these new models may take some time to develop. Furthermore, choosing limited inclusion today, even though it offers short-term benefits, poses a significant risk to the emergence of an open, competitive platform, a risk that will ultimately stifle inclusion and economic development.

There are alternative approaches that could serve as solutions to the challenges that zero-rating seeks to address. For example, Mozilla has sought to create such an alternative within the Firefox OS ecosystem. Our partnership with Grameenphone (owned by Telenor Group) in Bangladesh allows users to receive 20 MB of data usage for free each day, in exchange for viewing an advertisement. Our partnership with Orange will allow residents of multiple African countries to purchase $40 Firefox OS smartphones that come packaged with 6 free months of voice, text, and up to 500 MB per month of data. Scaling up arrangements like these could represent a long-term solution to the key underlying problems of digital inclusion and equality.

Likely, the solution will be found in some combination of: new approaches and business models; potential increases in philanthropic engagement as Mitchell’s post suggests; and technology and business innovations to reduce the costs of connectivity. But whatever the mix is, preserving the level playing field that drives innovation and competition on the Internet must be the baseline.

We’ve tried to outline here some of the positive and negative issues associated with zero-rating. More education about these issues, and affordability and accessibility challenges, will be part of working out the right solutions. Multi-stakeholder roundtables and incubation challenges around alternative solutions to affordability problems are also likely fruitful pathways. Or maybe solutions will come from academia and think tanks, through research driven white papers. Mozilla will be exploring these options further in the months to come.

We look forward to working with the Mozilla community, others in industry, civil society, governments and other actors to think through how best to provide everyone with access to the full diversity of the open Web. We hope you’ll join us in these conversations.

Denelle Dixon-Thayer, SVP, Business and Legal Affairs
Chris Riley, Head of Public Policy
Jochai Ben-Avie, Internet Policy Manager

Comments sought on Internet governance transition

Chris Riley

The Internet is part of the fabric of our society and our economy, and its governance affects countless aspects of our lives. Empowering individuals to have a voice in shaping the Internet is one of Mozilla’s core principles. Another of those core principles is that continued effectiveness of the Internet depends on decentralized participation worldwide.

We’ve engaged with global Internet governance a few times in past years, from the perspective of advocating for meaningful empowerment of Internet users. Often, the contrast is between so-called “multistakeholder” models and increased direct governmental control – as was the case in 2012, when we engaged in an active debate over whether to expand International Telecommunications Union (ITU) jurisdiction deep into the Internet, something we consider to be a bad idea. In contrast, open discussion forums like the Internet Governance Forum allow for more equitable participation between governments, businesses, and users of the Internet. We consistently support IGF as the best home for collective policy development as it touches the Internet.

Today, one of the major issues in Internet governance is the transition of oversight of certain technical administrative functions away from the U.S. government, where it has resided for decades, to a multistakeholder body. These functions are implemented by a number of groups, but the most well-known is ICANN, a non-profit organization that holds significant responsibility for managing policy decisions around domain names (like “mozilla.org” and “firefox.com”). (For more background: The Global Commission on Internet Governance has produced a thorough paper on this issue.)

At Mozilla, we’ve been tracking this transition, along with other Internet governance developments, from the perspective of promoting trust online and protecting a healthy future for the global, open Internet. We support shifting oversight in this space from the U.S. government to an accountable multistakeholder body, and we’re glad to see progress on the transition, as well as transparency and openness in the process.

For the next few weeks, ICANN is seeking feedback from the public on its proposed transition processes. The first of these is a proposal to transition naming related functions. We encourage you to make your voice heard at this inflection point on evolving global Internet governance.

Update (May 7): ICANN opened its second proposal, on accountability, for public comment as well.

Mozilla statement on USA FREEDOM Act

Chris Riley

Today, a new version of the USA FREEDOM Act is being introduced in both the House and Senate, with bipartisan support. We’re sharing the following statement:

“At Mozilla, we believe that privacy and security on the Internet are fundamental. The version of the USA FREEDOM Act of 2015 proposed today represents a significant step toward enhancing user privacy and ending mass surveillance. The bill curtails bulk collection practices, increases transparency around surveillance requests, and keeps data retention and other new surveillance mandates out of the legislation. There is more to do to make sure that privacy and security on the Internet is protected for everyone around the world. We urge Members of Congress to follow through and enact these important reforms.”

Mozilla speaks out on French intelligence bill

Jochai Ben-Avie

Since Snowden, we have seen increasing government conversations about the appropriate limits of surveillance; some states have sought to restrict their own access to information and others have focused on restricting access from other governments. Generally, we like this focus and support these kinds of efforts. However, we are deeply concerned about recent reports about an intelligence bill currently being negotiated in France. The French government is rushing this proposal through Parliament, with little to no consultation of key stakeholders, and the actual provisions under discussion seem to be changing often.

The proposals that have been made public — including those allowing for bulk collection of metadata, automated algorithmic analysis of user communications, and efforts to weaken encryption — threaten Internet infrastructure, user privacy, and data security. Not only are we concerned about the content of these proposals, but given our own commitment to openness, we are equally concerned by the manner in which this legislation is being developed. Secrecy and closed door discussions rarely create strong legislation.

While the specific provisions continue to change in this fast-moving political environment, Mozilla joins numerous French institutions, businesses, and civil society organizations in expressing deep concern about the proposals being put forward by the French government. In particular, we would oppose any law that:

  • Allows for pervasive monitoring of user communications, metadata, and Web activity. We believe that this is an inherently disproportionate violation of user privacy and fractures the trust that underlies the open Internet;
  • Undermines the strength of or the ability to use encryption. The world depends on encryption to ensure the security and privacy of communications and commerce;
  • Fails to include adequate privacy, due process, transparency, and judicial oversight safeguards or permits unnecessary data retention.

We are particularly concerned about proposals to place so-called black boxes in the infrastructure of communications providers to conduct algorithmic surveillance. This proposal effectively forces companies to permit government monitoring of all of their users’ online activity for a secret set of “suspicious” patterns of behavior.

Mozilla urges the French government to have a fully informed debate around this proposed bill. In particular, we urge consideration of the technical impacts on Internet infrastructure and user security. At a time when privacy and security are increasingly recognized as mutually reinforcing, the French government seems to be pitting these values against each other, at the risk of diminishing both.

Open Source Software and the Patent System

Denelle Dixon-Thayer

As we’ve highlighted in the past, we believe that the software patent system is challenging for open source software development.

Because of the short innovation cycle and continuous iteration of software development, long patent terms impede the rapidly iterative processes that sustain the pace of software innovation. The “FUD” (fear, uncertainty and doubt) caused by software patents in a rapidly innovating space can cause everyone, particularly open source projects, to be frustrated (for an example, one of many, look at Google’s and Microsoft’s open codec attempts to see this in action).

The problem has several aspects. First, overworked patent offices have led to the issuance of many non-innovative (and therefore at least partially invalid) software patents (some commentators have suggested this may be 38% of software patents). The number of patent applications only continues to grow, exacerbating this problem. Secondly, patent examiners who are strapped for time and resources mainly look to filings in the patent office itself as evidence of whether a patent claim is novel. Unfortunately, this makes it hard to adequately evaluate new software patent applications and identify relevant prior art — especially when the prior art is located in open source repositories and wikis, outside of patent office filings. This landscape has allowed software patent applicants to successfully claim software functions without worrying about open source precedents that would otherwise invalidate their patents, and sometimes even without any meaningful limitation to a particular system or purpose. Finally, once a patent is issued, it is very hard to invalidate. It can be at least two to four times the cost to invalidate a bad patent, even in the case where prior art is clear.

The threat posed by the growing pervasiveness of these types of overbroad and vague software patents is the shroud of FUD they cast over emerging and innovative technologies. It can feel impossible to know whether you are infringing someone else’s software patent, which can slow or frustrate innovation. Aggressive patent litigation and settlement strategies have also created an atmosphere of FUD for the purpose of damaging open alternatives to proprietary products. Additionally, patent trolls have added uncertainty to open development by aggressively suing based on patent portfolios that allegedly cover foundational software technology. It is sadly ironic that much of the increasing costs of software patent issues are being borne by innovators themselves, including those in the open source community — the very individuals the patent system was supposed to incentivize.

Many of us (including the EFF, Engine Advocacy, Open Invention Network, and defensivepatentlicense.org, to name a few) have addressed the issue in various ways. Each of these tactics has led to changes in the way we think about the issue and has chipped away at various parts of the problem. As Mozilla, we need to do something different that leverages our position in the ecosystem as an open innovator. We have been thinking about this issue and, over the next few weeks, we’ll be working towards a Mozilla contribution to addressing the software patent problem. If you have thoughts about things we could do, we’d love to hear from you as well.

Stop mass surveillance under the PATRIOT Act

Jochai Ben-Avie

The U.S. Congress will soon decide whether to reauthorize one of the government’s most notorious mass surveillance programs. On June 1st, three sections of the PATRIOT Act are set to expire, giving us a rare opportunity to push for reforms that will protect our privacy while also keeping us safe.

One of the provisions up for review, Section 215, has been used by the National Security Agency (NSA) to collect all call records of nearly everyone in the United States. For every call you make, the details of who you called, when you called, and for how long the call lasted — an incredibly detailed map of your private life — are all indiscriminately gathered by the NSA on an ongoing, daily basis.

Today, Mozilla is launching a campaign to enable our community to send a clear message to Congress: rein in the NSA and stop mass surveillance.

We believe keeping us safe shouldn’t have to cost us our privacy. That’s why we’re pushing for Congress to significantly reform these parts of the PATRIOT Act. Take action now!

Mozilla’s Position on Surveillance Reform

Mozilla is launching this campaign because our mission calls us to do so. The fourth principle of Mozilla’s Manifesto states: “Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.” There’s a long list of reforms and regulations we think are needed to improve user security, privacy, and trust — things like closing government backdoors, ensuring strong encryption, putting in place stronger oversight and accountability, and improving preventative security practices. Today, we have an opportunity to begin the long road toward reform by pushing Congress to rein in one of the worst abuses of the NSA. More specifically, we want Congress to adopt:

  1. A strict ban on bulk collection activities under Section 215 of the PATRIOT Act, as well as Section 214 Pen Register/Trap and Trace authorities;
  2. Sufficient transparency reporting in order to be able to tell if bulk or mass surveillance is occurring (this could include a blend of corporate transparency reporting, government transparency reporting, and declassification of Foreign Intelligence Surveillance Court opinions);
  3. No new data retention mandates; and
  4. No new secret surveillance authorities, powers, or programs.

It’s been nearly two years since the Snowden revelations began, and yet Congress has not passed any meaningful reform of the NSA’s sweeping, untargeted collection of our private information. Click here to join us in demanding that Congress rein in these mass surveillance programs.

Want to learn more? Here are some FAQ:
