On Monday, 21 August 2017 17:56:44 UTC+2, Georg Fritzsche wrote:
> Hi,
>
> for Firefox we want to better understand how people use our product to
> improve their experience. To do that, we are planning to run a new SHIELD
> study that tests how we can collect additional data in a privacy preserving
> way. Check out the details below and send me your thoughts.
>
> The problem.
>
> One recurring ask from the Firefox product teams is the ability to collect
> more sensitive data, like top sites users visit and how features perform on
> specific sites.
>
> Currently we can collect this data when the user opts in, but we don't
> have a way to collect unbiased data, without explicit consent (opt-out).
>
> Asks for sensitive data center most commonly around knowing something in
> relation to which sites a user visits:
>
> - "Which top sites are users visiting?"
> - "Which sites using Flash does a user encounter?"
> - "Which sites does a user see heavy Jank on?"
>
> In summary most asks are for occurrences of an event X per domain (more
> specifically eTLD+1 [1], e.g. facebook.com or google.co.uk).
>
> The solution.
>
> One solution is the use of differential privacy [2] [3], which allows us to
> collect sensitive data without being able to make conclusions about
> individual users, thus preserving their privacy.
>
> An attacker that has access to the data a single user submits is not able
> to tell whether a specific site was visited by that user or not.
>
> The Google Open Source project called RAPPOR [4] [5] is the most widely
> known and deployed implementation of differential privacy.
>
> We have been investigating the use of RAPPOR for these kinds of use cases,
> with initial simulation results being promising.
>
> Our plan.
>
> What we plan to do now is run an opt-out SHIELD study [6] to validate our
> implementation of RAPPOR. This study will collect the value for users' home
> page (eTLD+1) for a randomly selected group of our release population. We
> are hoping to launch this in mid-September.
>
> This is not the type of data we have collected as opt-out in the past and
> is a new approach for Mozilla. As such, we are still experimenting with the
> project and wanted to reach out for feedback.
>
> Georg
>
> References:
>
> 1: https://en.wikipedia.org/wiki/Public_Suffix_List
> 2: https://en.wikipedia.org/wiki/Differential_privacy
> 3: https://robertovitillo.com/2016/07/29/differential-privacy-for-dummies/
> 4: https://github.com/google/rappor
> 5: https://arxiv.org/abs/1407.6981
> 6: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies
Thank you for reaching out to the community for feedback on this topic! It is this kind of openness and transparency that makes me trust Mozilla's products more than anything else. Which brings me to the planned opt-out SHIELD study.

I took the time to read a few things about the mechanism behind differential privacy, and while I believe this technology is promising and could be of value for Firefox to anonymize the more sensitive data, I don't think the goal of the study and the technology alone justify acquiring these data in an opt-out fashion. The benefits (eliminating occasional performance issues on popular websites) do not outweigh the drawbacks (the perception that Firefox resorts to techniques that put the user out of control, negative media coverage, declining user trust). I also wonder how this can be compatible with the GDPR's principles of consent?

So may I suggest making this kind of anonymized but sensitive data collection always opt-in, and persuading more users than ever (a UX exercise!) to participate by building trust and informing them about the purpose and the technology being used?

Remember: trust takes years to build, seconds to break and forever to repair...

_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance
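The mechanism the quoted mail proposes, an eTLD+1 value encoded into a Bloom filter and passed through RAPPOR's two randomized-response stages before it leaves the client, is easier to judge with a runnable model. The block below is an added illustration, not Mozilla's study code and not Google's RAPPOR library: the filter width, hash count and noise parameters (`K_BITS`, `H_HASHES`, `F_PERM`, `P_INST`, `Q_INST`), the two home-page domains and the population sizes are constructed, and the per-value decoder takes the minimum over a value's bits, a simplification of the regression RAPPOR proper uses. It shows the property the mail claims for a single submitted report (each reported bit shifts an observer's belief about the true bit by a bounded, parameter-determined ratio), why the permanent response must be cached per client so repeated reports cannot be averaged away, and that the server can still recover the aggregate count per domain from the noisy reports.

```python
"""Simplified RAPPOR-style collection of an eTLD+1 value.

Added example, not Mozilla's study code or Google's RAPPOR library: each
client maps its value into a Bloom filter, applies a permanent randomized
response (cached, so repeated reports cannot be averaged away) and then an
instantaneous randomized response; the server only decodes aggregates.
Parameters, domain names and the per-value decoder are assumptions.
"""
import hashlib
import random

K_BITS = 32     # Bloom filter width (assumed; real deployments tune k, h, f, p, q)
H_HASHES = 2    # hash functions per value
F_PERM = 0.5    # permanent RR: probability a true bit is replaced by a fair coin
P_INST = 0.25   # instantaneous RR: P(report 1 | permanent bit is 0)
Q_INST = 0.75   # instantaneous RR: P(report 1 | permanent bit is 1)


def bloom_bits(value: str, k: int = K_BITS, h: int = H_HASHES) -> set:
    """Bit positions a value sets in a k-bit Bloom filter (h salted SHA-256 hashes)."""
    positions = set()
    for i in range(h):
        digest = hashlib.sha256(f"{i}:{value}".encode()).digest()
        positions.add(int.from_bytes(digest[:4], "big") % k)
    return positions


class Client:
    """One profile. The permanent response per value is computed once and reused."""

    def __init__(self, rng):
        self.rng = rng
        self.permanent = {}

    def permanent_response(self, value: str) -> list:
        if value not in self.permanent:
            true_bits = bloom_bits(value)
            bits = []
            for i in range(K_BITS):
                b = 1 if i in true_bits else 0
                r = self.rng.random()
                if r < F_PERM / 2:      # with probability f/2 force a 1
                    b = 1
                elif r < F_PERM:        # with probability f/2 force a 0
                    b = 0
                bits.append(b)
            self.permanent[value] = bits
        return self.permanent[value]

    def report(self, value: str) -> list:
        """Fresh report: every permanent bit is re-randomized before sending."""
        return [1 if self.rng.random() < (Q_INST if b else P_INST) else 0
                for b in self.permanent_response(value)]


def report_likelihood_ratio(f=F_PERM, p=P_INST, q=Q_INST) -> float:
    """P(reported 1 | true bit set) / P(reported 1 | true bit clear).

    This is all a single submitted report tells an observer about one bit;
    it is bounded by the parameters, not by how sensitive the value is."""
    base = p + (q - p) * f / 2             # P(report 1 | true bit 0)
    return (base + (q - p) * (1 - f)) / base


def estimate_bit_counts(reports, f=F_PERM, p=P_INST, q=Q_INST) -> list:
    """Unbiased estimate of how many clients truly had each bit set.

    E[count_i] = N*(p + (q-p)*f/2) + t_i*(q-p)*(1-f); solve for t_i."""
    n = len(reports)
    estimates = []
    for i in range(K_BITS):
        observed = sum(r[i] for r in reports)
        estimates.append((observed - n * (p + (q - p) * f / 2)) / ((q - p) * (1 - f)))
    return estimates


def exact_bit_counts(values) -> list:
    """Ground truth the server never sees; used here only to judge the decoder."""
    counts = [0] * K_BITS
    for v in values:
        for i in bloom_bits(v):
            counts[i] += 1
    return counts


def value_count(value: str, bit_counts: list) -> float:
    """Per-value estimate as the minimum over the value's bits (a simplification;
    RAPPOR proper fits a regression over the candidate list)."""
    return min(bit_counts[i] for i in bloom_bits(value))


def simulate(n_popular=1500, n_rare=500, seed=7) -> dict:
    """Constructed population: two home-page domains, one report per client.
    Returns {domain: (true count, decoded estimate)}."""
    rng = random.Random(seed)
    population = ["news.example"] * n_popular + ["blog.example"] * n_rare
    reports = [Client(rng).report(v) for v in population]
    noisy, exact = estimate_bit_counts(reports), exact_bit_counts(population)
    return {v: (value_count(v, exact), value_count(v, noisy)) for v in set(population)}


if __name__ == "__main__":
    print("likelihood ratio per reported bit:", report_likelihood_ratio())
    for domain, (truth, est) in simulate().items():
        print(f"{domain}: true count {truth}, decoded estimate {est:.0f}")
```

With the assumed parameters a reported 1-bit is only 5/3 times as likely when the true bit is set as when it is clear, which is the per-report privacy bound an observer of one submission is up against; the aggregate estimates over 2,000 constructed reports land within a few hundred of the true counts, which is the trade-off the study would be validating. The figure that matters for the opt-out debate is therefore not whether the maths holds but whether the chosen f, p and q keep that ratio acceptable while the population is large enough for the estimates to be useful.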