ITsecurity
twitter facebook rss

Mozilla proposes changes to the Privacy Principles

Posted by on July 19, 2014.

Today I received an email from Mozilla’s privacy list with proposed “Revisions to Privacy Principles” which I feel are a clear illustration that Mozilla is becoming a rogue player in the browser space and is now more interested in monetizing their users than protecting them.
Allow me to address each of the proposed changes in turn.

 

NO SURPRISES

Previous: Only use and share information about our users for their benefit and as spelled out in our notices.

New: Use information in a way that is transparent and benefits the user.

They have chosen to remove the word only which gives them broad scope to use and share much more information than they did previously and throwing in the word transparent should always ring alarm bells because it is so often misused to actually make things far more opaque (such as just hiding something in Terms and Conditions or a Privacy Policy). They have also completely removed the last part about notices, which would indicate they will no longer issues notices to users.

 

SENSIBLE SETTINGS

Previous: Establish default settings that balance safety and user experience appropriately.

New: Design for a thoughtful balance of safety and user experience.

It should be obvious why this one is bad – I have yet to see any technology company create a “thoughtful balance of safety and user experience” – instead, what this -always- means is they will push “user experience” as the priority and what you consider to be a good “user experience” is usually totally different to how they define it. In reality this will mean blocking privacy invasive practices by their “partners” will simply not happen because they will claim those partners have a significant positive impact on our “user experience”. This means we can never expect Mozilla to block third party cookies, enable Do Not Track at install or deal with issues such as WebRTC, local storage or HTML 5 Fingerprinting Techniques.

 

REAL CHOICES (removed)

Previous: Educate users whenever we collect any personal information and give them a choice whenever possible.

Mozilla will no longer provide users with a choice on what data they collect and how they use it. They claim they will give users more control but they are removing our right to choose whether they collect our data. This rings very loud alarm bells in my head and is a really bad change because experience tells us that whenever choice is removed users actually lose all control as well; you cannot have control in the absence of choice because choice is the most fundamental aspect of control.

 

LIMITED DATA

Previous: Collect and retain the least amount of user information necessary. Try to share anonymous aggregate data whenever possible, and then only when it benefits the web, users or developers.

New: Collect what we need, de-identify where we can and delete when no longer necessary.

Now we are into the meat of the changes – this is pure marketing speak and usually the type we see coming from Big Data companies like Yahoo and Google. Note they say “de-identify where we can” so they are not even guaranteeing that they will de-identfy the data they collect about you (which is a red-herring anyway) and this whole “delete when no longer necessary” effectively allows them to keep the data for as long as they choose because so long as they can find a use for that data, it is necessary (and Big Data’s entire existence is based on finding a use for -all- data). Also note the complete removal of “then only when it benefits the web, users or developers” – in other words if it benefits Mozilla or their partners, they will now collect and share data with whomever they choose.

 

USER CONTROL

Previous: Do not disclose personal user experience without the user’s consent. Innovate, develop and advocate for privacy enhancements that put users in control of their online experiences.

New: Establish enhancements that allow individuals to control their data and online experiences

Where to start with this one? The promise to obtain consent from users before sharing behavioural data is completely gone; but more alarming is that Mozilla have removed their promise to “innovate, develop and advocate for privacy enhancements”. This is related to the point above where they removed choice but promised more control.

 

TRUSTED THIRD PARTIES (relocated)

Previous: Make privacy a factor in selecting and interacting with partners.

Mozilla no longer believe that privacy is important enough to specifically mention in their “Privacy Principles” with regards to choosing their partners – which is a little odd considering these are privacy principles…

 

IN-DEPTH DEFENSE (added)

New: Innovate multi-layered security controls and practices, many of which are publicly verifiable by our global community.

I have included this so I cannot be accused of leaving it out, but the reality is this should be in their security principles and really is nothing to do with privacy principles and actually shouldn’t need mentioning at all since all software developers have a moral (and arguably legal) obligation to make their software secure. I suspect this was just added to appease after all the previous bad changes.

It should be noted that these are proposed changes and might change – although again experience would suggest that in reality very little is likely to change although some things might be re-worded to make them more opaque.

So there you have it – Mozilla seem to have gone rogue and it really is time someone developed a new privacy focused browser – I accept that challenge, so watch this space.

Author: Alexander Hanff


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Alexander Hanff, Expert Views, News | Tags: , , , , ,