I don't know much about Mozilla's privacy but in my opinion feel the need to 
immediately remove it from Firefox and push a new beta build

04.04.2016, 16:45, "Gijs Kruitbosch" <gijskruitbo...@gmail.com>:
> On 04/04/2016 11:01, Romain Testard wrote:
>>  The privacy review bug is
>>  https://bugzilla.mozilla.org/show_bug.cgi?id=1261467.
>>  More details added below.
>
> See response at the bottom.
>
>>  On Mon, Apr 4, 2016 at 11:23 AM, Gijs Kruitbosch <gijskruitbo...@gmail.com>
>>  wrote:
>>>  On 04/04/2016 10:01, Romain Testard wrote:
>>>
>>>>  We would use a whitelist client-side to only collect domains that are
>>>>  part of the top 2000 domains (Alexa list of top domains). This prevents
>>>>  personal identification based on obscure domain usage.
>>>
>>>  Mathematically, the combination of a set of (popular) domains shared could
>>>  still be uniquely identifying, especially as, AIUI, you will get the counts
>>>  of each domain and in what sequence they were visited / which ones were
>>>  visited in which session. It all depends on the number of unique users and
>>>  the number of domains they visit / share (not clear: see above). Because
>>>  the total number of Hello users compared with the number of Firefox users
>>>  is quite low, this still seems somewhat concerning to me. Have you tried to
>>>  remedy this in any way?
>>
>>  We are aggregating domain names, and are not storing session histories.
>>  These are submitted at the end of the session, so exact timestamps of any
>>  visit are not included.
>
> But both Firefox and Hello sessions are commonly relatively short (<1d)
> and numerous. That means lots of data points, which will likely be
> enough to uniquely identify people even without exact timestamps of
> their visits. (FWIW, from a technical perspective, there is no reason
> why the submission time implies ("so") that exact timestamps of visits
> are not included.)
>
>>  We looked into this approach originally although we found that we'd lose a
>>  level of granularity that can have an importance. We may find that Hello
>>  gets used a lot with a specific Website for a specific reason and using
>>  client side categories would prevent us from learning this.
>
> This was explicitly not in your original motivation, so you're moving
> the goalposts here. If the goal is about separate categories or separate
> sites then those are pretty distinct goals that require different
> approaches. If the real point is "we have no idea, so we figured we'd
> just get the data and then go from there", why not be upfront about it?
> But in that case, yeah, why not consider a survey or something less
> intrusive, like asking people explicitly what type of site they were
> using, or asking if Mozilla can use the domain in question?
>
>>  Also Alexa
>>  website categories are far from perfect which would add another level of
>>  complexity to understand the collected data.
>
> At no point did I say I expected you to use their categorization,
> whatever that is. Categorize as you see fit, rather than as Alexa does it.
>
> Conversely, if their categorization is questionable, then your scrubbing
> of the Adult category sounds like it might need auditing? Also, why not
> other categories like "Banking" or "Medical" (NB: no idea what
> categorization Alexa employs, but these seem like categories that ought
> to be scrubbed, too)?
>
>>>  6 months also seems incredibly long. You should be able to aggregate the
>>>  data and keep that ("60% of users share on sites of type X") and throw away
>>>  the raw data much sooner than that.
>>  Yes agreed, we'll look into what's the optimal amount of time required
>>  to process the data and extract the useful information. I agree we should
>>  try to make this shorter - we'll learn from being on Beta and will adjust
>>  this accordingly.
>
> Well, why not make it 1 week to start with, and make it longer if you
> don't get enough information from beta (with a rationale as to why that
> is the case)?
>
>>>  Finally, I am surprised that you're sharing this 2 weeks before we're
>>>  releasing Firefox 46. Hasn't this been tested and verified on Nightly
>>>  and/or other channels? Why was no privacy update made at/before that time?
>>
>>  We are shipping Hello through Go Faster. The Go Faster process allows us to
>>  uplift directly to Beta 46 since we're a system add-on
>>  (development was done about 2 weeks ago).
>>  Firefox Hello has its own privacy notice (details here
>>  <https://www.mozilla.org/en-US/privacy/firefox-hello/>).
>
> But shipping through go faster does not absolve you from adequately
> testing changes and getting feedback on them. Is the add-on not getting
> tested on nightly at all? Or at the same time as it goes to beta? When
> will it be used on release - when 46 ships as release, or earlier, or later?
>
> It also seems like you filed the privacy review after the functionality
> was implemented and is now shipping, which per
> https://wiki.mozilla.org/Privacy/Reviews seems like it is too late to
> incorporate meaningful feedback. I'm not on the privacy team, but that
> order looks wrong to me.
>
> Finally, that privacy policy at no point says anything about Mozilla
> having access to visited/shared domains and thereby potentially to
> personally identifying information.
>
> ~ Gijs
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
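The re-identification argument in the thread (a handful of short sessions over a popular-domain whitelist, submitted as per-session counts without timestamps, still gives enough data points to single people out, whereas a per-domain aggregate does not) as an added example that is not code from the thread or from Mozilla; the population, the `siteN.example` whitelist and the session model are constructed assumptions:

```python
"""Added example: measure how identifying per-user domain records are,
even when restricted to a popular-domain whitelist, versus an aggregate."""
import random
from collections import Counter

# Constructed stand-in for an Alexa top-N whitelist (not a real list).
WHITELIST = [f"site{i}.example" for i in range(200)]


def simulate_sessions(n_users, sessions_per_user, max_per_session,
                      domains=WHITELIST, seed=1):
    """Constructed population: each user has several sessions, each touching
    1..max_per_session whitelisted domains drawn with Zipf-like popularity."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(len(domains))]
    users = {}
    for uid in range(n_users):
        sessions = []
        for _ in range(sessions_per_user):
            k = rng.randint(1, max_per_session)
            sessions.append(Counter(rng.choices(domains, weights=weights, k=k)))
        users[uid] = sessions
    return users


def fingerprint(sessions):
    """A per-user record as described: per-session domain counts, submitted
    at session end, no timestamps. Order of sessions is discarded too."""
    return tuple(sorted(tuple(sorted(s.items())) for s in sessions))


def uniqueness_fraction(users):
    """Fraction of users whose record matches no other user's (k-anonymity 1)."""
    counts = Counter(fingerprint(s) for s in users.values())
    unique = sum(1 for s in users.values() if counts[fingerprint(s)] == 1)
    return unique / len(users)


def aggregate_share(users):
    """Retention-friendly alternative: share of users per domain, no per-user rows."""
    n = len(users)
    hits = Counter(d for sessions in users.values() for d in set().union(*sessions))
    return {d: c / n for d, c in hits.items()}


if __name__ == "__main__":
    few = simulate_sessions(2000, 1, 1)   # one session, one domain each
    many = simulate_sessions(2000, 5, 4)  # a few short sessions per user
    print("1 session x 1 domain    : unique users =", uniqueness_fraction(few))
    print("5 sessions x <=4 domains: unique users =", uniqueness_fraction(many))
    print("aggregate share of top domain:", aggregate_share(many)[WHITELIST[0]])
```

With a single one-domain session per user at most 200 distinct records exist, so almost nobody is unique; with five short sessions nearly every user's record is one of a kind, while the aggregate keeps only one fraction per domain.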