On 6/9/15 7:02 PM, Mike Connor wrote:
On 9 June 2015 at 16:13, Dan Stillman <dstill...@gmail.com
<mailto:dstill...@gmail.com>> wrote:
The issue for me is the combination of the privileged integration
with how different it is from Firefox's own bookmarks architecture
a few icons over. If Mozilla hadn't previously deemed user
bookmark data so sensitive that it merited client-side encryption,
this wouldn't strike me as so odd.
Let's get this one out there. The original,
strong-crypto-despite-bad-UX Firefox Sync didn't resonate with a lot
of users. I know, I led work on it for years. It resonated with some
(many of whom didn't even trust Mozilla with the encrypted data!) but
the vast majority of users didn't understand or care about the added
security. It was more of a liability than an asset. Firefox Accounts
make a different tradeoff as a result, and it's unsurprisingly more
popular (and _useful_) as a result. We still encrypt data, however
it's derived from a username and password, not a fully random key.
Firefox Accounts is indeed a reasonable trade-off. But the point is that
ordinary Firefox users can still Firefox Sync and have their data
encrypted end-to-end. And given the events of the past two years, and
the extent to which even companies like Apple are touting the (more or
less) client-side-encrypted nature of some of their products, it's
disappointing to see Mozilla moving in the opposite direction.
And it's not a matter of trust. Again, Pocket seems like a great
company. But sensitive user data is being sent, and Mozilla and
users have no control over what's done with it, now or in the future.
I don't believe it's viable to try to build everything ourselves, or
limit the usefulness of our products out of concern for what _might_
happen. That's missing out on the best the Web has to offer, and the
best product experience for our users.
It's not really "might". Pocket is a VC-backed company. Short of an IPO,
the point is to sell themselves to another company, and when they do,
Firefox user data will go with them. Nothing nefarious might ever happen
with that data, but unless there's some sort of contract between Mozilla
and Pocket that says otherwise, that's not up to Mozilla.
And as Christopher Carpenter points out, in the meantime, it's sitting
on their servers, open to government requests (or hacks, or...).
But as for "might", there's also the other possibility, which I don't
believe anyone has mentioned: the service could be shut down. I can rest
assured that as long as I can run Firefox (and even after, since the
data is easy to export), I'll have access to my bookmarks and history,
whether or not they still sync with Mozilla's servers. If Pocket is
acquired and shut down, that's the end of years of saved user data.
That's the web, and people can make that choice when they decide whether
to use a service, but it doesn't strike me as a good default position on
Firefox users' data.
I think the significant majority of users don't think about where
their data is going, which is why it's up to privacy-focused
organizations like Mozilla to do it for them. We should at at
least acknowledge that Mozilla's position on what is acceptable
with regard to users' data has changed dramatically from when
Firefox Sync was designed. I imagine there were third-party,
unencrypted bookmark sync providers that Mozilla could have
partnered with to speed development of Firefox Sync, offer more
features, and avoid having to maintain a sync architecture. For
that matter, I imagine an unencrypted version of Firefox Sync that
was still run by Mozilla would have been significantly easier to
develop, but that's not what Mozilla chose to do.
We made a very different decision in 2008 than we'd make today. That
said, I don't believe the use case of a reading list is the same as a
bookmark provider. Bookmarks are a browser feature, while reading
lists/apps are a very specialized case that isn't constrained to
browsers. There are apps, e-reader integrations, web sites, and more
capable of consuming articles saved to these services. Pocket in
particular has a much bigger reach than Firefox in terms of mobile
devices (e.g. platforms we don't support), and that's one of the major
advantages of working with an established partner.
Well, when we start talking about e-reader integration, the arguments
that a service of this scope maybe needn't be a core Firefox feature
start to sound more reasonable. (iOS is important, but Firefox for iOS
is coming, as I understand it.) As far as I know, mobile versions of
Firefox have a reading mode, and they have bookmark syncing. Optionally
sending along the cached, cleaned page content seems like a natural
extension of that.
Beyond that, apparently there used to be a great Firefox extension
called Pocket that you could use if you needed to sync with a wider
array of apps and devices.
The question to ask is not whether we can build it, but
whether we can build it as well and as quickly, and what we
would be giving up if we committed to competing with the
existing services. Pocket's a market leader in this space,
and focused entirely on this space. Playing catch-up, and
investing enough in development to match their user value
proposition (especially their mobile coverage) would be
prohibitively expensive.
I think this is a false dichotomy. A version of this that
piggybacked on Firefox Sync, with its inherent data protections,
wouldn't need to — and couldn't, by definition — offer all of the
features of Pocket. But it would maintain Mozilla's position of
protecting bookmark data by default instead of shrugging and
shipping that data off to a third-party company without public
discussion.
I don't think "build a less useful product" is in line with what is
good for Firefox or our users. We actually did build this, and chose
to go with Pocket integration instead as it was considered a much more
usable product for our users. There are tradeoffs both ways, we chose
to ship the better product.
That's fair, but "useful" and "better" are open to debate. A reading
list that people can save to without worrying who will have access to
that data and that's guaranteed to preserve that data in perpetuity is
arguably the better product in some important ways.
_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance
