Tuesday, December 21, 2010

Thoughts on Mozilla and Privacy

Mozilla has followed Microsoft's lead, and committed to embracing some form of a do not track mechanism in the Firefox browser as soon as early 2011. While this is of course great news, the browser vendor still has a long way to go, particularly if it wants to be able to compete on privacy.

Do Not Track

At a presentation earlier this week, Mozilla's new CEO announced that the Firefox browser would soon include enhanced privacy features, stating that "technology that supports something like a Do Not Track button is needed and we will deliver in the first part of next year." This is great news for users of Firefox, and I look forward to seeing Mozilla taking an active role in the Do Not Track debate as it continues to evolve in Washington, DC.

Of course, Mozilla is not the only browser vendor to make a major privacy announcement in the last month -- just a few weeks ago, Microsoft revealed that the forthcoming beta of IE9 would include support for an ad tracking blacklist. In order to fully analyze Mozilla's announcement, and the organization's reasons for making it, one must consider it in light of Microsoft's recent announcement, as well as the recent press coverage that both companies have received over their internal deliberations regarding privacy features.

Should Mozilla compete on privacy?

Years ago, when there were just two major browsers, Mozilla had a clear identity. Firefox was the faster, more stable, more secure, standards-compliant browser, with a large number of rich 3rd-party add-ons, including AdBlock Plus. Compared to the sluggish, buggy, popup-ad plagued Internet Explorer browser that is pre-installed on each new Windows PC, the decision to install Firefox was a no-brainer. Those consumers still using IE weren't doing so by choice, for the most part, but were using it because they didn't know there were other options -- hell, as this video demonstrates, they likely didn't even know what a browser is.

Fast forward to 2010, and the browser market has significantly changed.

Apple's seven-year-old Safari browser totally dominates the company's iOS platform (primarily due to the company's terms of service, which long banned competing browsers), comes pre-installed on all Macintosh computers, and has even made its way on to quite a few Windows computers by sneakily leveraging the iTunes software security update process.

Even more interesting has been the rise of Google's two-year-old Chrome browser. It matches Mozilla on standards compliance, supports its own 3rd party extension ecosystem (including AdBlock software), and more importantly, it handily beats the currently shipping version of Firefox on both speed and stability. This has led to a significant number of tech-savvy users ditching Firefox for Chrome.

The reason I mention this isn't to take a position on which browser is faster or more stable -- merely that Mozilla is now under increasing competitive pressure from Google and Apple, competition that simply didn't exist when IE was the only other game in town.

More than ever, Mozilla needs to be able to differentiate its product, and compete on features that it can win on -- beating Google on speed may be possible, but it'll be tough. Beating Google on privacy should be easy though...

Competing on privacy means more transparency

[Warning, browser vendor insider baseball below]

A few weeks ago, the Wall Street Journal revealed that Mozilla had "killed a powerful new tool to limit tracking under pressure from an ad-industry executive." The feature would have treated all cookies set in a 3rd party context as "session cookies" by default, ignoring any expiry the tracker requested and thus causing them to be deleted when the user shut down the browser.
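To make concrete what the reverted change amounted to at the HTTP level, here is an added example of the same policy written in Python. It is illustrative code, not Dan Witte's patch or anything from the Mozilla tree: the function names are mine, the two-label registrable-domain rule stands in for the public suffix list a real browser consults, and the Set-Cookie parsing is deliberately minimal.

```python
"""Added example: demote cookies set by third parties to session cookies.

Assumptions (not from the original post): a two-label approximation of the
registrable domain, and Set-Cookie attributes separated by ';' only.
"""
from urllib.parse import urlsplit

PERSISTENCE_ATTRS = {"expires", "max-age"}   # the attributes that let a cookie outlive the session


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels approximate eTLD+1. A real browser uses the
    # public suffix list, so e.g. "bbc.co.uk" would be handled differently.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(request_url: str, top_level_url: str) -> bool:
    """True when the resource's site differs from the site shown in the address bar."""
    req_site = registrable_domain(urlsplit(request_url).hostname)
    top_site = registrable_domain(urlsplit(top_level_url).hostname)
    return req_site != top_site


def demote_to_session(set_cookie: str) -> str:
    """Drop Expires/Max-Age so the cookie is discarded at browser shutdown."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name_value, attrs = parts[0], parts[1:]
    kept = [a for a in attrs if a.split("=", 1)[0].strip().lower() not in PERSISTENCE_ATTRS]
    return "; ".join([name_value] + kept)


def rewrite_set_cookie(set_cookie: str, request_url: str, top_level_url: str) -> str:
    """Apply the policy: first-party cookies pass through, third-party ones become session cookies."""
    if is_third_party(request_url, top_level_url):
        return demote_to_session(set_cookie)
    return set_cookie


if __name__ == "__main__":
    # Constructed response headers for the demo.
    page = "https://news.example.com/story"
    tracker_cookie = "id=abc123; Expires=Wed, 21 Dec 2011 00:00:00 GMT; Max-Age=31536000; Path=/; Secure"
    print(rewrite_set_cookie(tracker_cookie, "https://ads.adserver.com/px", page))
    print(rewrite_set_cookie("sess=1; Max-Age=600; Path=/", "https://static.example.com/a.js", page))
```

Note what the policy does not touch: a tracker that is served from a subdomain of the publisher (an alias pointing at the ad network) is first-party by this test and keeps its persistent cookie, which is the kind of "worse experience" the engineers' objection anticipated.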

[Full disclosure: I chat regularly with the WSJ journalists covering the web privacy beat, I provided them with background information on this story, and tipped them off to the communication between Simeon Simeonov and Mozilla.]

After post-publication complaints from Mozilla, the Journal added a correction note to the bottom of the article, stating:
Mozilla Corp. said it removed a privacy feature from a development version of its Firefox Web browsing software on June 8 because of concerns inside the company that the feature would spur more surreptitious forms of tracking and hamper the performance of companies that provide Web statistics and host content for other companies. The removal occurred before a conversation between advertising industry executive Simeon Simeonov and Jay Sullivan, Mozilla's vice president of products, which took place on June 9. A Nov. 30 Marketplace article about the removal incorrectly said that the feature was removed on June 10 in response to the concerns raised by Mr. Simeonov during his conversation with Mr. Sullivan.

Even after the correction, the article was not well received by members of the Mozilla Corporation. Asa Dotzler, Mozilla's Director of Community Development, described the Journal article as "bullshit" and "a complete fabrication designed to smear Mozilla and generate controversy and pageviews."

According to Dotzler:

The real timeline was this: Mozilla engineers prototyped the feature and put it into testing. Mozilla engineers discussed what kind of impact it might have on the Web and concluded that not only would it not be very effective and have some undesirable side effects, but that it would drive advertisers to build worse experiences where users had even less privacy and control. So Mozilla scrapped the feature and started work on designing a better feature. Later, some advertising reps met with Mozilla to let Mozilla know what they were up to on the privacy front and to talk with Mozilla about what it was up to.

I have had a few back and forth emails with Asa over the last few days, and have been frustrated by the experience. In any case, I disagree with him, and I actually believe that the WSJ's original timeline is pretty solid.

My understanding is that the timeline is something like this:

May 12, 2010: Mozilla developer Dan Witte files a bug in the Mozilla bug database, proposing a change to the 3rd party cookie handling code.

May 19: Dan creates patch to implement proposed change, uploads patch to bug tracking system for discussion/review.

May 24: Patch reviewed and approved by Mozilla developer Shawn Wilsher.

May 28: Dan's patch is merged into Firefox developer tree.

June 3: Word of patch reaches Jules Polonetsky of the Future of Privacy Forum, who blogs and tweets it.

June 4: Simeon Simeonov emails Mozilla CEO John Lilly, after seeing Jules' blog post.

(How do I know Simeon contacted John? Because Simeon called me up at 1:45PM EST on June 4 to tell me he had done so, after which, we spent 20 minutes debating the impact it would have on the ad industry and user privacy).

June 4, 7PM PST: Mozilla VP of Engineering Mike Shaver posts note to bug report, noting that it is a pretty major change, one that he was not aware of, and that there should be "a fair bit of discussion" about it.

June 8: Patch reverted.

While the WSJ's correction notes that the patch was reverted by Mozilla before Simeon Simeonov and Jay Sullivan, Mozilla's vice president of products, spoke on June 9, the story also mentions an earlier communication that took place between Mozilla's CEO and Simeon -- an email communication which no one at Mozilla has directly denied. This occurred several days before the patch was reverted, and 10 hours before Mozilla VP of Engineering Mike Shaver first commented on the patch.

Let me be clear - I do not believe that Mozilla buckled under pressure from the advertising industry. What I do believe, however, is that Mozilla's senior management had no idea about the existence of this patch, that it had been merged into the Mozilla developer tree several days before, or the major impact it would have on the Internet advertising industry until Mozilla's CEO was contacted by an advertising industry executive.

Once Mozilla's CEO received the email, he likely forwarded it to several people within Mozilla, and I suspect there were dozens of emails sent back and forth between management and the engineers about the patch and its impact on the Internet. As outsiders, we (Mozilla's users) are not privy to those conversations -- instead, we simply see Mike Shaver's comment about there needing to be more discussion about the issue, and then a few days later, a brief note is posted to the bug to say that the patch was reverted.

Yesterday, Mitchell Baker, the Chair of the Mozilla Foundation posted a note to her own blog, taking issue with the Journal article. In her response, Baker claimed that the WSJ story was "not accurate in any shape or form", adding that "decision-making at Mozilla is based on the criteria in the Mozilla Manifesto".

One of the principles in the Mozilla Manifesto is that "Transparent community-based processes promote participation, accountability, and trust."

Again, let me be clear - I think there are legitimate reasons for the decision to revert the 3rd party cookie handling patch, and that Mozilla's entire approach to cookies should be rewritten to better protect user privacy. However, I think it is pretty difficult for Mozilla's executives to argue that the decision to revert the patch was done according to the criteria in the Mozilla Manifesto. Simply put, a large part of the discussion happened behind closed doors, in email messages between Mozilla employees, none of which have been made public. There was very little transparency in the process.

There is a pretty significant missing part of the puzzle here, and I think that Mozilla has a responsibility to shine a bit more light on the internal discussions surrounding this patch.

Conclusion

I am a proud and happy Firefox user. I am on good terms with several Mozilla employees, and I have even developed a successful Firefox add-on, which was downloaded more than 700,000 times before I sold it earlier this year. The computer I am typing this blog post on was paid for with the profits from that sale. I want Mozilla to continue to enjoy great success.

I have watched over the last year or two as Google has eaten away at Mozilla's speed and performance advantage, and so I desperately want Mozilla to find an area in which it can out compete Google. I really do believe that privacy is that area.

However, for Mozilla to win on privacy, it needs to put users first, 100% of the time, and it needs to be very open about it. As an organization that receives the vast majority of its funding from an advertising company (Google), Mozilla needs to hold itself to the highest standard of ethics and permit its users to know the reasoning behind design decisions, particularly those that will impact Google and the other advertising networks.

Tuesday, December 07, 2010

Initial thoughts on Microsoft's IE9 Tracking Protection Announcement

While I am often critical of companies for their privacy practices, when they do good things, I think it is important to publicly praise them for it. As such, Microsoft deserves a significant amount of credit for moving the ball forward on privacy enhancing features in the browser. This blog post will reveal a few of my initial thoughts about Microsoft's announcement, and what I think are the politics behind its decision.

Briefly, Microsoft today announced that it will be improving the InPrivate Filtering feature in its browser -- which would have been a great feature, if the company hadn't intentionally sabotaged it in response to pressure from people within the company's advertising division.

When it was enabled by the user, InPrivate Filtering observed the 3rd party servers that users kept interacting with as they browsed the web, and once a server had shown up on more than a set number of different sites, the browser would block future connections to it. The feature was surprisingly effective, but unfortunately, Microsoft decided to require users to re-enable it each time they started their browser, rather than making the preference stick.
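The heuristic is simple enough to write down, so here is an added Python sketch of it run over a constructed browsing log. This is not Microsoft's code: the threshold, the class and function names, and the two-label registrable-domain rule are all assumptions made for the demo.

```python
"""Added example: an InPrivate-Filtering-style cross-site frequency heuristic.

A third-party host is blocked once it has been observed on more than
THRESHOLD distinct first-party sites. Threshold and domain rule are assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

THRESHOLD = 3   # assumption for the demo; IE8 shipped its own default


def registrable_domain(host: str) -> str:
    # Assumption: last two labels approximate eTLD+1 (no public suffix list here).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class InPrivateFilter:
    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        # third-party host -> set of first-party sites it has been loaded from
        self.seen_on = defaultdict(set)

    def observe(self, top_level_url: str, request_url: str) -> bool:
        """Record one subresource load. Returns True if the load should be blocked."""
        first_party = registrable_domain(urlsplit(top_level_url).hostname)
        host = urlsplit(request_url).hostname.lower()
        if registrable_domain(host) == first_party:
            return False                      # content from the site itself is never filtered
        self.seen_on[host].add(first_party)   # learning happens as the user browses
        return len(self.seen_on[host]) > self.threshold

    def blocked_hosts(self) -> list:
        return sorted(h for h, sites in self.seen_on.items() if len(sites) > self.threshold)


# Constructed browsing log: (page in the address bar, subresource requested).
LOG = [
    ("https://news.example.com/",  "https://tracker.adserver.com/beacon"),
    ("https://news.example.com/",  "https://cdn.example.com/app.js"),
    ("https://shop.example.org/",  "https://tracker.adserver.com/beacon"),
    ("https://blog.example.net/",  "https://tracker.adserver.com/beacon"),
    ("https://blog.example.net/",  "https://stats.analytics.test/px"),
    ("https://mail.example.io/",   "https://tracker.adserver.com/beacon"),  # 4th site: blocked
]


def run_demo(log=LOG):
    """Replay the log through a fresh filter; returns (per-load decisions, blocked hosts)."""
    f = InPrivateFilter()
    decisions = [f.observe(top, req) for top, req in log]
    return decisions, f.blocked_hosts()


if __name__ == "__main__":
    decisions, blocked = run_demo()
    for (top, req), blocked_now in zip(LOG, decisions):
        print(f"{'BLOCK' if blocked_now else 'allow'}  {req}  (on {top})")
    print("learned blocklist:", blocked)
```

The learned state lives only in the `InPrivateFilter` instance, which is the point of the heuristic: nothing has to be distributed in advance, the browser infers the trackers from what it sees. Its weakness is the flip side: a tracker is only caught after it has already been loaded on the first few sites.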

The company announced today that the forthcoming release candidate of IE9 will replace InPrivate Filtering with a Tracking Protection feature. The company is doing away with the automatic compilation of a list by the browser based on the users' own browsing, and instead shifting to a model where the user can subscribe to a regularly updated list of servers to which the browser will block all 3rd party connections.

If this feature sounds familiar, perhaps it is because Microsoft is essentially building AdBlock Plus into their browser, except that Microsoft itself will not be providing the list of ad networks. It will be up to consumer groups (or perhaps government regulators) to do that themselves.

It is important to note that once a user subscribes to such a list, as with the InPrivate Filtering feature, all 3rd party connections to the servers will be blocked. This means that not only will advertising networks on the list be blocked from tracking users, but IE9 will not even display advertising provided by those firms' servers.

Analysis

I have a few thoughts on this announcement. I'm short on time, and so I'm going to list them (in no particular order):

  • Realpolitik. This is a very savvy, strategic decision on Microsoft's part. I think that the company probably thinks its own advertising business (or at least, its own overall bottom line) will suffer less than its competitors. After all, Google gets most of its money from online advertising, whereas Microsoft still earns a vast sum of money from Office and Windows.

  • Do not track. This is almost certainly designed to impact the current debate on Do Not Track taking place in Washington DC. While the debate has thus far centered around a header based mechanism, Microsoft may well try to make the case that the FTC could supply a subscription list of known tracking servers, which consumers could then subscribe to by visiting www.donottrack.gov, or some similar URL.

  • Multiple domains. Once the EFF, NAI, ACLU and perhaps even FTC start distributing subscription lists of ad network servers, the online advertising industry will likely have to embrace a multi-domain model. That is, if they continue to serve both contextual (non-targeted) and targeted advertisements from the same domain name, then their servers' inclusion in subscription blacklists will mean that consumers will not see any of the advertisements they deliver, and not just avoid the tracking. Faced with the choice of not being able to show any ads, or just not being able to target users, the ad networks may have to swallow their pride, and roll out alternate, non-tracking domains and servers for contextual ads.

  • What is tracking. If the ad networks do shift to a multi-domain model, then they will likely argue that they should still be able to deliver persistent cookies to users from their non-tracking domains, if those cookies are solely used for the purpose of doing frequency capping, and sequencing of multi-creative advertising campaigns. They will also try and argue that retargeting should not be considered tracking. There will likely be an intense lobbying campaign by the advertisers to narrowly define tracking, at least for the purpose of any FTC or other government agency supplied blacklist.

  • First to the party. When Google deployed SSL by default for users of Gmail in January, the company received widespread praise. When Microsoft followed suit in November (albeit not by default), the announcement received significantly less press, and even some criticism (for not doing it sooner, and not by default). The take-home message here is that the first company to roll out a privacy technology is the one that gets all the attention. Now that Microsoft has made this announcement, Google, Apple and Mozilla may be forced to follow, but if and when they do, they won't get nearly as much praise for doing so.

  • Competing on privacy. Microsoft has long wanted, and tried, to compete on privacy, but never quite got it right. Most significantly, the company took the lead in adopting a strong search data retention and IP address anonymization policy, in contrast to Google, which still continues to deceptively claim that its own policy of deleting a single octet from IP address logs is anonymization. While Microsoft offered far better privacy in this space, it failed in the battle to communicate these differences to the press, and Google received praise for offering far less. With this announcement, Microsoft appears to be yet again attempting to compete on privacy -- with any luck, the company will be successful in differentiating its product on these features.

  • Future proofing against 3rd party tracking. By opting to block connections to servers on the blacklist, Microsoft is offering IE9 users protection against more than just cookie based tracking. Flash cookies, evercookie, cache cookies, timing attacks, and even fingerprinting will all be blocked -- as long as the tracking is conducted by 3rd party servers, since a server the browser never connects to cannot observe anything. However, as Craig Wills and Balachander Krishnamurthy have documented, ad networks are increasingly using subdomain alias techniques (e.g. a DNS alias so that ads.publisher.com points to adserver.com, making the tracker look first-party to the browser) to bypass browsers' 3rd party cookie blocking features. If ad networks find their servers blocked by IE, we may increasingly see them "innovate" around this blocking by further embracing alias subdomains and other sneaky techniques.
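The list-based blocking described above, and the alias trick that defeats a naive version of it, as an added Python example. This is not Microsoft's code and does not reproduce the Tracking Protection List file format; the blocklist contents, the CNAME table, the two-label registrable-domain rule and all function names are constructed for the demo. The `follow_cnames` switch goes slightly beyond the post by showing one possible countermeasure: judging a request by the canonical name the hostname resolves to rather than by the name the publisher chose.

```python
"""Added example: subscription-list blocking of third-party connections, and
why a subdomain alias (ads.publisher.com -> adserver.com) slips past it.

BLOCKLIST and CNAMES are constructed; a real implementation would load the
subscribed list and consult DNS.
"""
from urllib.parse import urlsplit

# Registrable domains taken from an (assumed) subscribed tracking protection list.
BLOCKLIST = {"adserver.com", "trackingnet.example"}

# Constructed DNS aliases: the publisher's own subdomain is a CNAME for the ad server.
CNAMES = {"ads.publisher.com": "edge.adserver.com"}


def registrable_domain(host: str) -> str:
    # Assumption: last two labels approximate eTLD+1 (no public suffix list here).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonical_host(host: str, cnames=CNAMES, max_hops: int = 8) -> str:
    """Follow CNAME aliases to the name the connection actually goes to."""
    hops = 0
    while host in cnames and hops < max_hops:   # hop limit guards against alias loops
        host = cnames[host]
        hops += 1
    return host


def is_third_party(request_host: str, top_level_host: str) -> bool:
    return registrable_domain(request_host) != registrable_domain(top_level_host)


def should_block(top_level_url: str, request_url: str, follow_cnames: bool = False) -> bool:
    """Block a connection only when it is third-party AND its site is on the list.

    With follow_cnames=False this is the naive hostname check the alias trick
    bypasses; with follow_cnames=True the canonical name is judged instead.
    """
    top = urlsplit(top_level_url).hostname.lower()
    req = urlsplit(request_url).hostname.lower()
    host = canonical_host(req) if follow_cnames else req
    return is_third_party(host, top) and registrable_domain(host) in BLOCKLIST


if __name__ == "__main__":
    page = "https://publisher.com/article"
    for req in ("https://cdn.adserver.com/ad.js",
                "https://static.publisher.com/app.js",
                "https://ads.publisher.com/ad.js"):
        print(f"{req}: naive={'BLOCK' if should_block(page, req) else 'allow'}  "
              f"canonical={'BLOCK' if should_block(page, req, follow_cnames=True) else 'allow'}")
```

Two consequences worth noticing. Because the decision is made per connection, a listed server's advertisements are not displayed at all, exactly as the post says; there is no way to block the cookie and keep the ad. And because the naive check trusts the hostname the publisher chose, a tracker aliased under the publisher's domain is first-party by that test, which is why the alias technique is the predictable response to this kind of blocking.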

Conclusion

This is a great, pro-privacy and strategically savvy move on Microsoft's part. I am delighted to see companies competing on privacy, and building better features into their products. This announcement will likely have a significant impact on the current Do Not Track debate, and it will be interesting to see how the ad industry, the other browser vendors, and government regulators respond.

Thursday, December 02, 2010

DOJ's "hotwatch" real-time surveillance of credit card transactions

A 10 page PowerPoint presentation (pdf) that I recently obtained through a Freedom of Information Act request to the Department of Justice reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transactions. The government's guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections.

Background

On October 11, 2005, the US Attorney from the Eastern District of New York submitted a court filing in the case of In re Application For Pen Register and Trap and Trace Device With Cell Site Location Authority (Magistrate's Docket No. 05-1093), which related to the use of pen register requests for mobile phone location records.

In that case, the US Attorney’s office relied on authority they believed was contained in the All Writs Act to justify their request for customer location information. In support of its claim, the office stated that:

Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction.

A search of Google, LexisNexis and Westlaw revealed nothing related to "hotwatch" orders, and so I filed a FOIA request to find out more. If the government "routinely" applies for and obtains hotwatch orders, why wasn't there more information about them?

It took a year and a half to learn anything. The Executive office of US Attorneys at the Department of Justice located 10 pages of relevant information, but decided to withhold them in full. I filed my first ever FOIA appeal, which was successful, albeit very slow, and finally received those 10 pages this week.

As the document makes clear, Federal law enforcement agencies do not limit their surveillance of US residents to phone calls, emails and geo-location information. They are also interested in calling cards, credit cards, rental cars and airline reservations, as well as retail shopping clubs.

The document also reveals that DOJ's preferred method of obtaining this information is via an administrative subpoena. The only role that courts play in this process is in issuing non-disclosure orders to the banks, preventing them from telling their customers that the government has spied on their financial transactions. No Fourth Amendment analysis is conducted by judges when issuing such non-disclosure orders.

While Congress has required that the courts compile and publish detailed statistical reports on the degree to which law enforcement agencies engage in wiretapping, we currently have no idea how often law enforcement agencies engage in real-time surveillance of financial transactions.