“do track or do not track?” — that is the question

Sid Stamm


For a while now, we’ve been talking about how the Do Not Track feature really has three states: “user says nothing”, “user says track”, and “user says don’t track”. In Firefox 4, we introduced two of these states with a checkbox (“user says nothing” and “user says don’t track”), and many people are voicing their desire to opt-out.

[Image: three-state DNT UI]

Of course, it’s reasonable to expect some people want the tracking to improve the quality of ads they see; after all, the goal of this feature is to help each individual say what they want, whether it’s pro-tracking or not.

I just finished updating the Firefox tracking preference interface to give people the ability to say, “this tracking thing is fine, bring on the custom content!” This change is still experimental, but within a day or so it will be available in our Nightly builds for testing. Take a look, let us know what you think.

Search Suggestions for Firefox for Android: Another example of Mozilla’s approach to Privacy by Design

Alex Fowler

With the latest release of Firefox for Android, we’ve added the ability to get search suggestions from Google before you even finish typing. With the small screen and even smaller keyboard on users’ phones, anything that makes it easier to discover and access sites is a huge improvement. The Awesome Bar already suggests bookmarks and recently visited sites. Now implementing Google’s search suggestions in Firefox for Android makes it that much easier to find sites users haven’t been to before.

Google can only make suggestions if it knows what you’re looking for. To do that, Firefox needs to send Google what you’re typing in the Awesome Bar as you type it. For many users, this makes sense. They know and trust Google and send completed search queries to Google anyway, so getting faster search suggestions is a welcome addition. 

The first time you start typing in the Awesome Bar on your Android device, Firefox asks you whether you want search suggestions from Google. This is enabled by a prompt right where you’d look for the feature, so you can decide which experience you prefer and what you want to share. Of course, if you change your mind, you can always change your settings.

We added some other features to make search suggestions privacy-sensitive. For one thing, Firefox doesn’t ask Google for search suggestions if it looks like you’re typing a URL, like if you start with “www” or include a “:” or “/”. This means that even with search suggestions on, Google only gets asked about things you might actually want to search for, not every site you want to visit. We also make sure to get search suggestions (and searches themselves) over a secure HTTPS connection, so nobody else can view what you’re looking for.

You can try out the latest version for Firefox for Android with search suggestions now by going to the Google Play store on your computer or Android device.

Being social with privacy in mind

Tom Lowenthal

People really enjoy social features that help them connect with others. To offer these features, social networks often end up collecting lots of personal info, and their users don’t always understand the tradeoffs involved. We want to offer social features in Firefox, but user privacy is fundamental to Mozilla’s DNA: it’s not something we can sacrifice. Given that, we’ve set out to find a way to combine these two aspects and enable an experience that folks can enjoy, safely.

With our latest beta, we’ve started testing a new social API right inside Firefox. This API provides an open, Web-based infrastructure that allows users to connect Firefox with their favorite social networks, creating an experience that’s social, still feels like Firefox, and most importantly still respects our privacy principles. The first implementer of our new social API is Facebook, and we expect many more implementations in the coming months.

One of the social API’s key requirements is that data is only sent to a social network when the user wants to send it. The new social features are completely opt-in and are disabled until you visit a social network site and decide to turn things on. Once enabled, Firefox loads several pages from your social network over secure connections. These pages are treated just as if you’d loaded them in another browser tab. They share cookies and other data like normal, but they don’t get any special treatment or additional data from Firefox, nor is any part of your social activities sent to Mozilla. Facebook, for example, will know that you’ve turned on the feature and loaded the pages, just as if you had visited pages on the main site.

There’s a slight difference however. With the new API, social content is now persistent so the social network can add new features, like notifications, status updates and chat requests, even when you don’t have a browser tab open to their website. This new functionality doesn’t give your social network access to any additional information from your browser. Again: it’s a lot like having a tab open to your social network.

One of our favorite privacy-supporting features in the social API is the recommend button. Many websites add buttons that let you share content with your friends on social networks. When a site does this, those social networks can track which of their users visit those web pages. If we add this functionality in Firefox instead, you can still interact with your social network and share pages, but without the opportunity for tracking by all those social networks. It also allows you to share pages even if that page doesn’t include social sharing widgets. The recommend button in the URL bar — for Facebook, it’s a Like button — only sends the page’s URL to your social network when you click on it.

The Social API lets networks create an experience distinctive to the way people interact with them, using their own design and features, and without sacrificing user control or privacy. This is only a first step; we’ll be continuing to look at more features that enable new functionality from social providers while improving users’ choice, control and privacy.

The next phase of the Collusion project

David Ascher

Last week, I had the privilege of hosting a great meeting focused on the next phase of the Collusion project. With generous support from the Ford Foundation, we’re tackling a significant next phase in Collusion’s evolution.

First, a bit of background. Collusion started off as an experimental add-on for Firefox by Atul Varma, in his quest to understand how cookies and tracking actually worked on the web. Since that initial version, Collusion has evolved into a popular and influential tool, and sparked a broader research effort. With hundreds of thousands of users, it’s helped us teach a lot of people about the web. A Collusion presentation by Mozilla CEO Gary Kovacs is now one of the 50 most-watched TED talks of all time. Collusion has also been forked, with ports to Chrome and Safari from Disconnect.me.

Like many Mozilla projects, Collusion’s progress depends on contributions from staff, partners, and volunteers. In this particular case, we have an interesting collection of people who will contribute in distinctive ways, from coding to visualization to infrastructure and metrics. Also, like all Mozilla projects, this effort is open to participation by others, as I’ll mention in more detail below.

Over the next year or so, we agreed to dig in and take our research and the Collusion add-on forward in a few significant ways.

First, we realize that the user experience of Collusion needs refining and evolution.  The current add-on is most compelling in the context of a demo or a tutorial, and could include a good deal more storytelling and explaining than it does today. Second, the visualization of the connected graph that makes Collusion so compelling needs some tweaks, both in terms of scaling to larger graphs and presentation/visual design.

We also realize that the current add-on experience often surprises users with what they learn about third-party tracking on the web, but gives them little in the way of actionable next steps to take.  The point of Collusion isn’t to “freak people out,” but allow them to understand tracking, control how they’re being tracked, and lead to a better Internet experience for all.  We have yet to define the details of all those next steps, but some of them seem fairly clear.

Understanding that there are different kinds of uses of shared third-party HTTP requests (which is what Collusion tracks) is another important goal for our research. Some of them are fully in line with users’ desires and intents, and some are not.  We need to let users figure out which requests they want and which they’d rather avoid.

Critically, gaining a better understanding of how requests are used will help make Collusion useful for publishers as well as users. Most publishers do have their visitors’ interests at heart, and constantly optimize their sites to deliver a better experience. Hopefully, Collusion will provide them with signals when their visitors don’t understand or appreciate the third-party services deployed. Collusion could also provide useful market feedback to third parties and help them bridge the current divide with users, becoming more than silent parties to online experiences.

Much of this will start with letting users choose to contribute to a crowd-sourced data set about tracking on the web.  As with the test pilot project, we will build a system that lets Collusion users contribute to a rich data set about the web as experienced by everyday users, fostering a better understanding of today’s web by researchers, users, policymakers and industry.

I’m excited to be part of this effort, which could have meaningful impact on a broad set of actors — in part because we’ll be relying on input from a diverse set of perspectives, from designers and artists who will help us build further compelling visualizations of the data that we collect, to privacy researchers who will help us ask better questions of our data.

In the next few weeks, we’ll set up the “heartbeat” bits of the project — a weekly call, IRC channel, mailing lists, etc. If you’re interested in participating, check out the wiki page for details, or contact me directly.

Congratulations, Chrome Users

Alex Fowler

We’re glad to see that Google has taken the next step in their commitment to Do Not Track.

Now that all the major browsers have their DNT implementations well underway, it’s time for advertisers and publishers to do their part, including Google’s own ad folks. While some publishers like Twitter and the Associated Press respect users with DNT enabled, and many independent ad tech companies have done so, as well, there is not yet widespread support. Everyone will soon be able to express their tracking preference, so we eagerly look forward to the day when people can trust that their privacy choices will be honored as they browse the Web.

It’s also noteworthy that Google and Microsoft have decided to implement their own user interfaces for Do Not Track. Mozilla is currently working on the second release of Do Not Track within Firefox, and we remain the only mobile browser to support it. With all these different UI experiments, users have many good options for privacy in their browser of choice and we’ll be able to more quickly determine which approaches best meet users’ expectations.

Alex Fowler

Do Not Track: It’s the user’s voice that matters

Alex Fowler

Today, Microsoft announced a change in how it will be implementing Do Not Track (DNT) in Internet Explorer. In a pre-release version of IE10, Microsoft will automatically start sending a DNT header on behalf of its users to not be tracked by third parties across the Web.

We appreciate seeing Microsoft putting its full weight behind DNT, especially given Firefox was the lone browser supporting DNT just one year ago. This will make DNT more mainstream and bring more attention to the important issue of user control.

We look forward to learning more about Microsoft’s new DNT implementation, as well as its implications for the standards work currently underway. And for the Web community, we thought it would be helpful to share our position, as well as the consensus view of the W3C Tracking Protection Group, about how we believe DNT can be most effective.

At its foundation, DNT is intended to express an individual’s choice, or preference, to not be tracked. It’s important that the signal represents a choice made by the person behind the keyboard and not the software maker, because ultimately it’s not the browser being tracked, it’s the user. In the words of the W3C group, which is made up of leading consumer privacy groups and industry representatives including Microsoft:

“Key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.” (Tracking Preference Expression, W3C Editor’s Draft, 29 May 2012)

DNT is not an off switch for a particular technology, rather it is the expression of an individual user’s desire being reflected in code — and that’s what makes the feature great. Do Not Track transcends specific technology and gets to the heart of what matters: how a user’s browsing habits are used.

There are three different signals to consider in broadcasting the user’s preferences for tracking:

  1. User says they accept tracking
  2. User says they reject tracking
  3. User hasn’t chosen anything

Firefox defaults to state 3: we don’t know what the user wants, so we’re not sending any signals to servers. This causes the presence of the signal to mean more — the signal being sent should be the user’s choice, not ours. Therefore, Firefox doesn’t broadcast anything until our user has told us what to send.
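The three states, seen from both ends of a request, as an added example that is not Firefox or Mozilla code. It assumes the header values from the W3C Tracking Preference Expression draft cited above (`DNT: 1` for "reject", `DNT: 0` for "accept", no header for "no choice"); the function names, the `vid` cookie and the `track_when_unset` policy switch are hypothetical.

```python
from enum import Enum


class TrackingPreference(Enum):
    ALLOW = "user accepts tracking"   # state 1
    DENY = "user rejects tracking"    # state 2
    UNSET = "user hasn't chosen"      # state 3, the Firefox default


def request_headers_for(pref):
    """Browser side: the header to attach for a stored preference."""
    if pref is TrackingPreference.DENY:
        return {"DNT": "1"}
    if pref is TrackingPreference.ALLOW:
        return {"DNT": "0"}
    return {}  # no choice made, so no signal is sent at all


def parse_dnt(headers):
    """Server side: recover the state from the request headers.

    Header names are case-insensitive. Any value other than "1" or "0"
    is treated as "no preference" rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return TrackingPreference.DENY
            if value == "0":
                return TrackingPreference.ALLOW
    return TrackingPreference.UNSET


def identifier_cookie(headers, visitor_id, track_when_unset=False):
    """Return the Set-Cookie header a third party may send, or None.

    track_when_unset is a site policy switch (an assumption of this
    example): the post only says an absent header means the user's
    preference is unknown, not what a site should do about it.
    """
    pref = parse_dnt(headers)
    if pref is TrackingPreference.DENY:
        return None
    if pref is TrackingPreference.UNSET and not track_when_unset:
        return None
    cookie = f"vid={visitor_id}; Secure; HttpOnly; SameSite=None"
    return ("Set-Cookie", cookie)
```

Because the unset state sends nothing, a server can tell an explicit `DNT: 0` apart from silence, which is what lets the presence of the header carry the user's own choice.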

DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice.

We introduced DNT to do just that: to give users a voice and let them tell sites that they don’t want to be tracked. We did this before knowing exactly how sites and advertisers would respond, and we still believe this is the most effective way for DNT to work.

Update (5-June): We’ve received a few comments asking if we believe all privacy defaults should be about letting users decide, even when that approach leaves users vulnerable. The short answer is “no”; our approach to DNT should not be viewed as a broad policy statement that will apply to other privacy and security considerations — our choice of opt-in for DNT is specific to the way the DNT feature works.

In carefully weighing our approach for appropriate DNT defaults, we talked with many members of the Mozilla community, privacy and technical experts and our users. The DNT feature relies on representing each individual’s desire to web sites, something that requires each user to activate the feature. In fact, a number of academic studies have found that there are users interested in personalized services and content, including targeted ads, so they would not like to have the header sent for them by default. Taken together, we believe the right starting point for a DNT system is a default of preference unknown.

Sid Stamm & Alex Fowler

Do Not Track Gains More Support around the Web

Alex Fowler

Mozilla introduced the Do Not Track header last year to give users more control over online tracking by third parties. Since launching Do Not Track, we have seen increased industry support and user adoption of the feature. Today, we are hosting a Do Not Track event at Internet Week New York and are happy to announce new adoption statistics and industry support.

We’re excited that Twitter now supports Do Not Track and global user adoption rates continue to increase, which signifies a big step forward for Do Not Track and the Web.

Current adoption rates of Do Not Track are 8.6% for desktop users of Firefox and 19% for Firefox Mobile users and we see the highest percentage of users turning on Do Not Track in The Netherlands, France and the United States.*

We conducted a survey of more than 10,000 Firefox users representing 140 countries and we found some interesting results. The survey showed that 49% of users surveyed believe their privacy is respected more when Do Not Track is enabled, as opposed to only 12% who feel that way without the setting. Also, the survey found users’ trust increases for browsers, publishers and advertisers who support Do Not Track. We will share more details and specific survey results soon.

We brought the industry discussion about Do Not Track to this year’s Internet Week New York to raise awareness about Do Not Track and encourage the digital media community to begin to work with it today. Speakers included Ed Felten, the Chief Technologist at the Federal Trade Commission; Brad Burnham, Partner, Union Square Ventures; Aleecia McDonald, Co-Chair, W3C Tracking Protection Group; Matt Tengler, Senior Director, Product Management, Jumptap; David Norris, CEO, Bluecava; and Colin O’Malley, CSO, Evidon.

We’re pleased to continue to see many positive steps forward for the Web as Do Not Track gains momentum and adoption.

*Mozilla does not collect or store personal information about our users to determine these statistics

Do Not Track is for Email Too

Sid Stamm

The guiding principles behind Do Not Track aren’t just for web browsers and pages. Tracking happens in a variety of ways, including through email, so we’re putting Do Not Track into Thunderbird.

Email Tracking. Sometimes email messages you receive contain external images — images that need to be loaded from the web to display the entire content of the message. This includes pixel tags and clear gifs. When your mail client renders the message, it has to go fetch the images from the web using the same technologies as a web browser. The upshot is that when the email is drawn on your screen, a web server can learn that you opened the message; this is how email tracking works. By attaching a unique ID to the URL for the image, the server can also know which specific message caused the request — including to which email address the message was sent. Email marketing organizations often use this information to track which messages you read, which links in messages you click, and then provide more customized messages in the future.
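A way to see the mechanism described above from the recipient's side, as an added example that is not Thunderbird code: it lists the remote images in an HTML message body and notes which ones look like tracking pixels. The sample message, host names, parameter names and the 16-character threshold for an "opaque ID" are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample body; hosts, parameter names and values are made up.
SAMPLE_HTML = """<html><body>
<p>Spring sale starts today.</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://img.mailer.example/banner.png" width="600" height="120">
<img src="https://t.mailer.example/open.gif?mid=9f3c2a7b6d1e4f508a7c&amp;rcpt=user%40example.org"
     width="1" height="1">
</body></html>"""

# A long opaque query value is a likely per-message or per-recipient ID.
OPAQUE_ID = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _is_invisible(attrs):
    """True for 1x1 (or 0x0) images and images hidden with CSS."""
    def dim(name):
        match = re.match(r"\s*(\d+)", attrs.get(name, ""))
        return int(match.group(1)) if match else None

    width, height = dim("width"), dim("height")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    return tiny or "display:none" in style


def find_remote_images(html_body, recipient=None):
    """Return one finding per image that needs a network fetch to render."""
    collector = _ImgCollector()
    collector.feed(html_body)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded, no request is made
        reasons = []
        if _is_invisible(attrs):
            reasons.append("invisible-size")
        for key, value in parse_qsl(parts.query):
            if OPAQUE_ID.match(value):
                reasons.append(f"opaque-id:{key}")
            if recipient and recipient.lower() in value.lower():
                reasons.append(f"recipient-in-url:{key}")
        findings.append({"host": parts.hostname, "src": src, "reasons": reasons})
    return findings


def likely_trackers(html_body, recipient=None):
    """Remote images with at least one tracking indicator."""
    return [f for f in find_remote_images(html_body, recipient) if f["reasons"]]
```

An image with no indicators still tells its server that the message was opened once it is fetched; the indicators only show which requests also identify the message or the recipient.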

[Image: how to enable Do Not Track in Thunderbird]

Thunderbird Support. A little while ago, I landed a patch that will add Do Not Track support to Thunderbird 15. While that release is a number of weeks away, if you’re using the Daily builds of Thunderbird, you’ve got the feature in Security options. This means that when you open email messages sent by marketing firms, you can enable DNT in Thunderbird to let them know you don’t want to be tracked.

Next: Building Do Not Track into Thunderbird is just the first step. Next we will work with email marketing software providers to honor the DNT request. We’re reaching out to email industry leaders and introducing them to DNT and will keep you updated on what happens.

Rolling Out HTTPS Google search

Sid Stamm


Now in Aurora: Secure Google Searches are default. In Aurora when you search using the location bar, search box, or the right-click menu, your search will be sent to Google through a secure (HTTPS) connection. You won’t notice a difference in how you search, but your Google search suggestions and search results will be presented through a secure web site.

Enabling HTTPS for these searches shields our users from network infrastructure that may be gathering data about the users or modifying/censoring their search results. Additionally, using HTTPS helps providers like Google remove information from the referrer string. While Google users may expect Google to know what they are searching for, Firefox users may not be aware these search terms are often transmitted to sites they visit when they click on items in the search results; enabling HTTPS search helps sites like Google strip this information from the HTTP referrer string, putting the user better in control of when and to whom their interests are shared.

Encrypting our users’ searches is our next step toward giving users better control over their data online. Enabling HTTPS for Google searches helps Firefox users maintain better control over who sees things they search for — queries that are often sensitive. We’re excited to see this improvement in our upcoming releases now that we, with Google’s help, have been able to provide our users a secure and responsive search.

Mozilla’s Identity Platform Finalist for Federal Support

Alex Fowler

Partnering with City of San Francisco and MacArthur-supported Youth Organizations to Jump Start a Vibrant Identity Ecosystem

Mozilla is one of 27 finalists selected to compete for $10 million in funding as part of the US government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). Our proposal brings together the City of San Francisco and participants in the MacArthur Foundation supported Digital Media Learning Competition to use Persona, our platform for trusted identity, as the basis for establishing, supporting, and seeding demand for a federated, secure, and dynamic identity ecosystem.

Mozilla wants to help make the Web better. We want the Internet to continue to drive creativity, education, and economic growth. And we want people to understand, shape and be in control as more and more of their lives go online.

Mozilla’s proposed pilot brings together multiple partners who reflect many of the more important roles people take on in their day-to-day lives online. From citizens accessing government sites and services, to consumers buying and using apps, and for parents providing their kids with access to educational content and learning tools, we believe Persona has huge potential to improve the log-in experience for millions of people.

“Forms are, unquestionably, the most common medium of information exchange between government and citizens,” says Jay Nath, Chief Innovation Officer for the City & County of San Francisco. “Working within a trusted identity framework would let citizens automatically populate forms with their information, let us increase the number of services available online, and even potentially allow residents to use us to vouch for their identity to other services. There are all sorts of efficiencies to be gained.”

“We’re working, through Open Badges and other programs, to build bridges between what kids are learning in school and out of school,” states Connie Yowell, the MacArthur Foundation’s Director of Education. “These links need to be based on a framework for secure identity that builds parents directly into the process and empowers kids to share information within trusted networks. Solving this problem will open up amazing opportunities around integrated and connected learning.”

We’re excited to have the City and County of San Francisco and a number of participants in the Digital Media Learning Competition, funded by the MacArthur Foundation, as partners in our NSTIC proposal.

Our Vision for User-centric Identity

Mozilla’s commitment to Persona is driven by a central tenet: that the web should answer to users. Online sites, services and apps offer tremendous value and potential, but they also make it easier for vendors to invade privacy, foster poor security practices by users, and present attractive targets for fraud.

We’re building Persona to help everyone benefit from online services while mitigating risk of misuse and abuse of user data.

Persona is designed around three core principles:

  1. Individuals should be in control of their personal data;
  2. Identity should be built on open standards, cross-platform and interoperable; and
  3. Identity should be federated: a diversity of Identity Platforms (IdPs) and Relying Parties (RPs) offering direct, anonymous, and pseudonymous certifications across public, private, and non-profit sector applications.

Through this pilot, Mozilla will work to address the remaining design, technical, legal, and business process barriers to widespread adoption and growth of trusted identity.

Persona is the Ideal Platform for an NSTIC Pilot

NSTIC is the Administration’s initiative to “improve upon the passwords currently used to log-in online” and to jump start “a vibrant marketplace that allows people to choose among multiple identity providers – both private and public – that would issue trusted credentials that prove identity.”

Mozilla, the City & County of San Francisco, and a consortium of major web sites serving the children’s market sponsored by the MacArthur Foundation will launch a pilot that “demonstrate[s] the feasibility of the Identity Ecosystem, via projects that link multiple sectors, including multiple Identity providers and relying parties.”

We’ll design, build, and pilot the technical architecture, business and legal framework, and public-facing functionality of integrated implementations that see people able to:

  • Support citizen-to-government interactions with the City & County of San Francisco;
  • Make app experiences seamless with support for trusted identity, tying apps directly to users, and making them available on any device; and
  • Help kids learn online with MacArthur-funded youth organizations via COPPA-compliant, trusted identity systems that increase protection for children online and make possible new and innovative learning experiences.

Mozilla’s proposal was selected out of 186 submissions. Final proposals are due in early May. We hope to be among the final five to eight organizations selected to begin work this Fall to build a standards-based identity infrastructure that is privacy preserving, trustworthy and scalable.