All posts in Privacy

Looking Ahead: Challenges for the Open Web

Mozilla at the 2008 Summit in Whistler.  Mozilla Community at 2008 Summit. Taken by Gen Kanai

At the end of this week, I’m moving on after six amazing years at Mozilla. On August 25, I’ll be joining Reddit – another global open source project – as their first user experience designer. I’m ecstatic to help shape and design the future of another incredible community.

In looking back at all that’s changed in technology and the web since I joined Mozilla, I find myself humbled at the trials we’ve met and overcome. When I joined in 2008, we were smaller and scrappier. Fellow designer Alex Faaborg and myself stood before whiteboards, explaining how tabs on top of the URL bar were more efficient. The bug backlogs of Firefox 3 kept us up at night, but when we launched in July 2008 we made the Guinness Book of World Records for most software downloads in 24 hours1. Chrome didn’t even exist yet!

Of the challenges in Mozilla’s future, many are nearly universal for open source communities and largely unsolved. Here are three I find myself often returning to:

1. How do we protect users’ data when users consistently choose utility over privacy?

You can package it any way you like, but if your privacy-centric product even slightly hinders user enjoyment of the web, it won’t see wide adoption.

When prompted, users overwhelming cite online privacy (referring to data being shared with companies and governments) as a concern. A recent poll2 showed 26% of people were “extremely concerned” about privacy when using a search engine, with nearly 90% expressing some level of concern. And yet, 92% of those use Google and only 3% use DuckDuckGo, an explicitly non-tracking search engine. In the developing world and younger markets, users are even less concerned. Mozilla’s research team is currently investigating attitudes towards privacy in Malaysia and the Philippines, and most people they’ve spoken with don’t even have a concept “online privacy” aside from not wanting their friends and relatives to see all they’ve posted to social media.

Those of us who care about online privacy are increasingly at a values impasse with our users. The solution is not to simply inform, coax, or frighten users into taking security measures.

Most importantly, a world without the practical technological possibility of privacy is much scarier than one where users can choose, either actively or passively, to share their information.

2. How can global communities accommodate incompatible values?

Philipp asks if this is good for the company

Championing inclusiveness and diversity is an easy decision for most organizations. But when push comes to shove, members of any large community will still disagree fundamentally on many important values. The need to bridge fundamental divides is an inevitability.

As an example, open source contributors disagree vehemently when it comes to DRM. Is it better to follow the content industry and implement extensions so content owners can control how users share content? Or, is DRM’s current instantiation so harmful to an open web that it’s worth limiting user’s access to content to avoid supporting it? Both these views and many others exist amongst Mozilla contributors, yet ultimately decisions about what ships in Firefox must be made. When this happens, the community cannot simply shrink by the number of people opposed to the decision.

To successfully cooperate, global communities have to form a sustainable plurality. The key is allowing members to operate in a context of known responsibilities to each other, yet also generalized freedom to hold, express, and act on their views. Freedom of expression should exist by default, but the community will collapse if members don’t understand that they also have responsibilities that are defined and understood.

Furthermore, the balance of power between the community at large and its leadership is best when it is understood and predictable. Major organizational decisions are often be made by a few executives or benevolent dictators for life. Where and how these decisions are made as well as what was decided needs to be widely available for a community to cohere. The community must also know the difference between the organizational values which guide decisions and the personal values of leaders which do not. Realistically, the two are never wholly separate.

The question over “public vs. private” values in leadership has been addressed frequently at Mozilla. Perhaps the lines that separate public and private views cannot be entirely explicit, but acknowledging and engaging openly about differences bring strength to a community. Again, this is best where the role and position of leaders in making decisions is clear.

3. How can design culture embrace open source?

Affinity Diagramming with Firefox in Toronto

Within design communities, open source is still met with disinterest at best and derision at worst. This is hurting both open source and design.

The main barrier towards design culture embracing open source is a chicken-and-egg: few open source projects appear to value usability and design. Scratch-your-own-itch hacker culture assumes the creators of technology are its users, which deemphasizes the need for usability and accessibility. Additionally, feedback in open-source is heard mainly from a few power-users, and the temptation to appease them can thwart designs that would appeal to a wider audience.

Another reason design culture hasn’t embraced open source stems from designers’ wariness over being taken advantage of. I remember Mark Mentzer, one of my Carnegie Mellon design professors, warning his students to “never work for free!” This attitude runs deep in design circles, and for good reason: we’ve become used to requests for work where the only payment will be “another piece in your portfolio.” Honoring those requests devalues design work as a whole.

But, open source is different from free labor. Just as developers do, designers love their work and often consider it a hobby as well as an occupation. The transformative potential of open source projects excites designers as much as developers. By insisting on excellent user experience, open source projects can show designers that they are communities that value design.

Another reason design culture hasn’t embraced open source is because code contributions fit more easily into open projects than design contributions. Any developer can jump into an open source project by taking and fixing a bug. Little context is needed beyond what’s provided in the ticket: current behavior, expected behavior, acceptance criteria. Patch written, reviewed, done, boom.

In design, more context and background is needed to “fix a problem,” which hinders potential community contributions. A design “bug” is harder to identify than most engineering bugs. Simply diagnosing them requires user research, collaboration, and context. Providing well-scoped design problems with dedicated mentors can help bring on contributors.



Mozilla Heart

To Mozilla, thank you for six amazing years. You’re my allies, my friends, and the most incredible people I know.


  1. Mozilla sets new Guinness World Record with Firefox 3 downloads 
  2. Right To Be Forgotten: Do Users Even Care? 

LinkedIn Accidentally Sends Private Email to Group List

A few minutes ago, I got a message from LinkedIn via the Bay-Area-UX list, a group I’m a member of.  The message is clearly not intended for me, but is a private discussion between a recruiter and a job applicant.  It potentially went out to every member of the Bay-Area-UX list.

I clicked “View/reply to this message” in order to notify the sender that his email had been mis-sent,  and I saw the following error:

This is a serious problem from a site which prides itself on security and privacy.  Hopefully this is a one-off error and not a common occurrence.  The conversation I received is clearly about a startup whose business is still under wraps.  All it takes is one mistake like this to ruin a business model and potentially the success of a fledgling startup.

Defeating the Cookie Monster: How Firefox can Improve Online Privacy

As we choose priorities for the next version of Firefox’s features and development, the Firefox team has been considering the state of the web and looking for areas where online content has changed faster than browser functionality. One area of concern is the growing use of private user data, especially by advertisers. User data being silently and persistently passed between sites and advertisers is disturbing for those with an interest in user choice and transparency on the web.

Privacy vs. Security

Privacy and security are related but distinct topics. Security refers to the prevention of material harm to the user. Avoiding theft, fraud, and data loss are all security issues. Browsers have been working to improve security for decades, prompted by increasingly sophisticated viruses, malware, and other exploits.
Privacy is a broader topic than security. It refers to users’ control over what they reveal about themselves online, whether or not what they reveal might lead to material harm. All internet users reveal some information about themselves to some sites, but the user has privacy if his discretion determines what information is shared with whom.

Firefox has Local Privacy but Needs Network Privacy

The Firefox team has already done some great work on local privacy with improvements such as Private Browsing mode, Clear Recent History, and Forget about this Site. These features give users better control over when their data is exposed and hidden on their own computer. However, wider privacy issues surface when data is shared over a network.

One major problem of the modern web is the ability for private user data to be collected by advertising companies via third-party cookies.

If sites provide rich interaction, they usually require user data. The problem occurs when users willingly share data with a site they trust, but unknowingly their data is shared with other sites and companies via third-party cookies. This is common practice and a growing revenue model online. It first received national attention in November of 1999, when the Federal Trade Commission held a workshop on online profiling and reported that it presented a privacy concern to consumers. The practice has grown since then, despite some failed attempts at regulation by the US’s Federal Trade Commission, the Interactive Advertising Bureau, and Britain’s Office of Fair Trading.

Any website you visit can contain ads and other components that send cookies from your browsing session on the domain you trust to an advertising domain. These third-party cookies can be used to track information about users across multiple sites and multiple browsing sessions, allowing web habits to be profiled and tracked. This data can tell companies limitless kinds of information, such as what purchases you make, what news you read, your income, if you’ve applied for work, and what dating sites you prefer. One manifestation of this data sharing is seeing to ads targeting users based on data and actions from other sites.

The ability for advertisers to gain and use this data violates user privacy for several reasons:

  • It’s nearly impossible to detect. Much of the data-sharing happens in the background during a browsing session without asking or notifying the user. Users usually only discover what has happened when they are seeing targeted ads (long after the data has been transferred).
  • It occurs without user consent. Of the sites that are even aware of third-party cookie sharing, few give users control over how their data is shared with advertisers. Sites that do offer preferences sometimes phrase them in ways that disguise their purpose, such as “do you want relevant content to be shown based on your usage” rather than “do you want ads to be shown based on your personal data.”
  • It contradicts the user’s reasonable expectation of privacy. Some sites that knowingly share data present a false image of being responsible with user data. They may show the user preferences that imply control, assure users that their data is “safe,” or offer to let users read a lengthy privacy policy in order to hide their actual practices. Of course there’s a very special hell set aside for sites that change privacy settings to be more permissive once users have already signed up and entrusted their data.
  • It’s nearly impossible to prevent. Even a user who is privacy conscious and reads all privacy policies, keeps his privacy settings up to date, and avoids sites that don’t guarantee privacy isn’t necessarily safe. Any site he’s given data to could potentially use it without asking, and third-party cookies could be sent via ads and web bugs without the knowledge of the site’s owners. Heck, any site could be scraping identifiable information from his digital fingerprint.
  • It potentially embarrasses the user. Data sharing via third-party cookies takes information given by the user at some point in time and exposes it at another time. While the user may be discrete about where he is viewing certain content and even use Private Browsing Mode for items to not appear in history, advertisers using third-party cookies can expose user actions at times out of the user’s control.

So what can Firefox do to improve its story on privacy?

1. Provide intelligent defaults for third-party cookie behavior

Simply disabling third-party cookies isn’t the solution. Third-party cookies are necessary for legitimate web functionality such as embedded content, session management, mashups, etc. Most bank websites depend on third-party cookies for functions such as bill paying. The goal should not be to outright disable third-party cookies, but to be more intelligent about what behavior is allowed.

The http-state working group is currently working to produce a specification in multiple documents to lay out how clients should behave with regard to cookies (see current drafts here). Dan Witte, the cookie module owner at Mozilla, has been in communication with them and is doing his own work to develop a modern cookie standard. The goal is to create a guideline that Mozilla can follow that aligns with our Manifesto to protect user choice on the web. Dan’s already working on one way Firefox could address the problem by enabling third-party cookies, but only temporarily. His idea is to keep third-party cookies active only for the life of one tab. When the tab is closed, the cookies are deleted – advertisers could not track users from site to site. Dan will be blogging about this later with more details on his work.

2. Give users better control over how sites can access their information in Preferences

Currently, Firefox gives users precise, fine-grained control over the many ways that sites can access user data. All the user needs to do is change their on each Preference panel that effects site privileges:

As can be seen above, the current Firefox interface gives each site privilege type – saving passwords, cookies, etc – its own separate preference window. This design is framed around the implementation model rather than the user’s mental model, meaning it’s designed in a way that corresponds with how it was built rather than how users perceive the action they want to take. Having an individual window for each permission makes sense from an implementation standpoint, because each site privilege is separate in code. From the user’s perspective, however, it’s impossible to tell what privileges a particular site has. A better design would present controls in a site-centric rather than technology-centric view. If a user decides that he doesn’t trust site X and doesn’t want it to have any access, it would be more efficient to control all of site X’s access in one – not 15 – Preference windows. Alex Faaborg made this mockup to illustrate how a site-centric UI could be achieved:

While all of Firefox’s Preferences need to be improved, including site-centric privacy controls like Alex’s above for Firefox 4.0 would go a long way towards putting users back in control of their data.

3. Give users better control of their data while they are browsing

While a site-specific Preference panel will help users have better fine-grained control of their privacy when they’re configuring Firefox, there’s some options and information that can be exposed while the user is browsing. If a site has access to geolocation, for instance, this should be constantly indicated in Firefox’s interface. If a site is storing a password, this should be easy to change or remove without opening Preferences. Firefox’s Site Identity Button, which currently gives very little information about a site, could be improved to give information about a site’s privileges and the ability to change them.

It’s our goal for Firefox 4.0 to give users more control of their data, both by literally giving them controls and, more importantly, creating intelligent defaults that protect a user’s privacy and anonymity without breaking web functionality. It’s my hope that even simply exposing what access sites have to data will be positive for the web by eroding the sense of false security that many sites try to create for their users and creating awareness of and control over how, where, and when data is being shared.