Inconsistency: Tracking users with Google Analytics on pages promoting Privacy

[Florent Fayolle]

Hello,

Everything is described in this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1003391

To summarize, the whatsnew page sends an Ajax request to Google Analytics each time the user clicks on its button.

That's sad to see a webpage that promotes Firefox as the browser that defends privacy (which it does) but that in fact tracks users' actions on it.

Someone reported this issue in this tweet (in French) telling (with sarcasm) that Mozilla is not trustable concerning privacy, and I feel upset about that:
https://twitter.com/HTeuMeuLeu/status/461207250410164226/photo/1

Florent

[Michael Kelly]

The issue of privacy vs. analytics is a complex one. There's a few
different questions that need to be answered to justify Mozilla's use
of Google Analytics. I'm just a lowly webdev who doesn't know too much
about official stances and tech, but here's my take:

First: Is it okay to track user actions and analyze them? Here you're
balancing our ability to measure how we're doing and improve with the
amount of data we collect about users. Anonymizing the data so as to
make it difficult to identify an individual user from the data is one
way of making this privacy-friendly while still being able to take
advantage of vital information on how effective we are.

Next: Is it okay to use a third-party service for analytics? This is a
question of trust: Are there any third-party providers that we believe
are trustworthy enough to handle user data with the same respect for
privacy that we do? Note that this doesn't have to be blind trust. We
can, for example, use a legal contract to require them to handle the
data as we see fit. We can also choose a third-party that has a Terms
of Service document that explains how they use their data in a way that
we agree with. At an extreme, we could use a provider that has some
technical solution that makes it impossible for them to use the data
improperly, but I don't know of any major analytics platform that does
this nor do I know whether that's practical.

Finally: Does Google Analytics meet our criteria for third-party
analytics? This comes down to checking GA against the criteria from the
second question. Will they agree to a contract that outlines our
requirements? Do their Terms of Service describe a way to handle data
respectfully?

Stacy Martin from Mozilla's Privacy team helped consider this question,
and concluded that GA did meet our requirements for privacy-respectful
analytics. As mentioned in the bug, there was a discussion when we
first switched to GA that outlines the details:
https://groups.google.com/forum/#!msg/mozilla.governance/9IQvIubDOXU/0tWVVlrUJOQJ

---

Judging from suggestions about alternative analytics services, some of
the objection seems to be against the third answer, that Google is not
trustworthy enough. I think that Google can be trusted in this case,
not because they're inherently trustworthy, but because a) we
(supposedly) have a legal contract with them, b) their service offers
options to anonymize data, and I assume their terms of service explain
how that option works such that they'd be in trouble if they were
lying, and c) they are much more visible and well-known than other
analytics providers, which to some extent makes it easier to know when
they're violating terms (as many many people are using and "watching"
them).

Hope that helps outline the situation a bit better. Please correct me
if I've made any glaring mistakes. :D

- Mike Kelly

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance

[benoit...@gmail.com]

On Wednesday, April 30, 2014 3:54:21 PM UTC+2, Michael Kelly wrote:
> Stacy Martin from Mozilla's Privacy team helped consider this question,
>
> and concluded that GA did meet our requirements for privacy-respectful
>
> analytics. As mentioned in the bug, there was a discussion when we
>
> first switched to GA that outlines the details:
>
> https://groups.google.com/forum/#!msg/mozilla.governance/9IQvIubDOXU/0tWVVlrUJOQJ

I've read the previous discussion again and I think we may want to revisit this decision, at least as a long-term goal.

First, it was made two years ago when Mozilla wasn't so vocal about Privacy and User control as our core values. We hadn't tools like Lightbeam producing a heavy cognitive dissonance when visiting that page (incidentally, I didn't saw it on first try because I asked Adblock Plus to prevent websites from tracking me).

One could say that Lightbeam isn't smart enough to detect if we opted for anonymized tracking and that we should fix that. I think thas isn't the problem. The problem is we are using a tracking tool from the very same company that we argue is tracking us online, by sending them all information they would need to track us.

It doesn't matter if Mozilla has an agreement with them because:
* The user doesn't know that. Even if https://bugzilla.mozilla.org/show_bug.cgi?id=1003804 was fixed, nobody reads all the small print. All they will see is we send their data to Google, period.
* If they don't trust that organization in the first place, no signed agreement will convince them anyway.

The other argument I saw is that Google Analytics is the best tool available on the market, and replacing it would be hard.

Hard because we would have to host it ourselves. Or buy external hosting and pay people to maintain that. Or find people to create new tools or improve existing ones (Piwik comes in mind) until they become as good, diverting them from more important tasks (not sure what they could be). Or that we would have to retrain staff to use the new tools.

I think these are bad excuses. The right thing being hard is never a good excuse for not doing the right thing. If that means hiring more people, or mobilizing more community members to achieve that goal, or lose a few months of good statistics, so be it. We've done the same thing before with several projects, like the Kuma platform for documentation and support.

In short, we just need to start putting our money where our mouth is, or stop pretending we care about all that privacy stuff.


--
Benoit

[Mike Hoye]

On 2014-04-30, 11:46 AM, benoit...@gmail.com wrote:
> I think these are bad excuses. The right thing being hard is never a
> good excuse for not doing the right thing. If that means hiring more
> people, or mobilizing more community members to achieve that goal, or
> lose a few months of good statistics, so be it.

The Open Web isn't suffering from a shortage of Right Things That Need
Doing right now, but time and money aren't infinite and there are places
that we can put employee and community effort that are way more
important to Mozilla's mission and the future of the Internet than
bailing out of Google Analytics.

If you'd like to know what those things are, and how you can help,
contact me! We have a ton of stuff that needs doing, and you can learn
about them in a bunch of places:

- Coding opportunities?
Take a look at http://whatcanidoformozilla.org/ and
Follow StartMozilla on Twitter at https://twitter.com/startmozilla/

- Helping test stuff?
Take a look at https://oneanddone.mozilla.org/ or
Try using a pre-release version of Firefox:
http://www.mozilla.org/firefox/aurora/

And that's just scratching the surface.

If you want to personally opt out of participating in Google Analytics,
everywhere, there's an addon for that here:

https://tools.google.com/dlpage/gaoptout

... but if we get to the point where that's the most important thing, or
even one of the top twenty most important things, that Mozilla can put
time and resources towards? That'll be a pretty remarkable day, if you'd
like to help us get there.



- mhoye

[Pascal Chevrel]

Le 30/04/2014 18:11, Mike Hoye a ï¿œcrit :

Mike,


This is not a acceptable answer.

Obviously you don't know Benoit. He has been deeply involved in the
Mozilla project for at least 10 years, he is one of our core localizers
for French, he was there when there was no money, no employee and we had
to build products on our own machines. He probably did more for mozilla
as a volunteer than many did as employees.

Lecturing a core contributor, a volunteer that devoted countless hours
of work for free for Mozilla over a decade, on, I cite ￜ Right Things

That Need Doing right now, but time and money aren't infinite and there
are places that we can put employee and community effort that are way
more important to Mozilla's mission and the future of the Internet than

bailing out of Google Analytics. ￜ is hurting me deeply as a mozillian.

He is not some random would-be volunteer making unreasonable requests.
Dismissing his opinion and lecturing him on priorities saying that we
have bigger fishes to fry and that you can assign him bugs and tasks to
help him achieve your goals if he is bored is just plain rude and
disrespectful. Disrespectful to him and our community. And by community,
I mean core contributors that made Mozilla what it is today. If as
employees we dismiss the opinion of the very people that helped create
Mozilla, our most active core community of volunteers, that's a problem.

His email is a reasonable request, I am pretty sure some employees also
share his opinion, if we want to be serious about Mozilla as a global
organization in which our community opinion counts in the decision
process, then we can't behave as if only quarterly goals matter, we
can't have employees explaining our community that they don't get it. If
we can't listen to our core commmunity, the people that are on the
ground with our users, on the very sensitive topic of privacy, on the
*governance* group, then there is something wrong that needs to be fixed.


Pascal

[Mike Hoye]

On 2014-04-30, 1:19 PM, Pascal Chevrel wrote:

> Obviously you don't know Benoit. He has been deeply involved in the
> Mozilla project for at least 10 years, he is one of our core
> localizers for French, he was there when there was no money, no
> employee and we had to build products on our own machines. He probably
> did more for mozilla as a volunteer than many did as employees.

Though I didn't realise that Benoit was a longstanding Rep and community
member, I certainly meant no offense or disrespect; I should have looked
him up before clicking send, true, and I apologize for any offense to
Benoit or to the community he represents.

Nevertheless, I stand by my point: that while his request is not at all
unreasonable, and his desire for privacy is noble and well-aligned with
Mozilla's mission, in order for Mozilla to be successful - both
symbolically, and in a boots-on-the-ground practical sense - we need to
manage our limited resources without ever taking our eyes off our
highest priorities. And, I don't mean our priorities in terms of
quarterly goals and bug numbers, I mean in the big-picture, long-game
Victory For The Manifesto sense.

It seems like it would take a lot of work to rally and grow a community
around replacing existing web-analytics software, and it's not entirely
clear who would directly or indirectly benefit from that, or what the
costs would be.

In contrast other efforts, like webcompat evangelism for FirefoxOS and
FIrefox for Android, for example: those look a lot more like a banner
people will rally behind to make the Web better, have a clear near-term
payoff and help cut a path to a better future.

My argument is ultimately that we need to engage the world as we find
it, with the best tools the world offers us today, if we're going shape
the future effectively. I can understand his frustration at our reliance
on a lot of Google tools, and he's not alone in that. But I think the
most important thing we can be doing with a dozen people isn't the long
migration of washing our hands of Google's tools and services, but by
building a world where it's still possible for viable competitors can
emerge.

- mhoye

[Majken Connor]

Yes, we have to be careful to distinguish between what Mozilla as an
organization is equipped to do and what Mozilla as a community is capable
of doing. It is acceptable to say that MoCo can't make this a priority with
dedicated resources at the moment, but that doesn't mean that if a group of
contributors decided it was worth doing that they shouldn't pursue it, and
that MoCo shouldn't then back it once it's hit critical mass.

If someone cares enough to do something that would have impact we shouldn't
try to talk them out of it. If they are willing to take on all the
obstacles, well that's how awesome things happen. Most awesome things that
happen also aren't the awesome things that everyone saw coming.

We spent a lot of time using this same argument - we focus on product, we
don't have resources - while social and the cloud have become the dominant
forces on the internet. Now browsers have standards and you're not locked
into a browser, but users are just as (or more) locked in now than they
were then, just from a different angle.

It's much better to say "these are the current obstacles and we're not
prepared to overcome them right now" or "this other organization is doing a
good job at addressing that issue." We won't know until after it's over
which fights were the right ones.


On Wed, Apr 30, 2014 at 1:19 PM, Pascal Chevrel <pascal....@free.fr>wrote:

> Mike,
>
>
> This is not a acceptable answer.
>

> Obviously you don't know Benoit. He has been deeply involved in the
> Mozilla project for at least 10 years, he is one of our core localizers for
> French, he was there when there was no money, no employee and we had to
> build products on our own machines. He probably did more for mozilla as a
> volunteer than many did as employees.
>

> Lecturing a core contributor, a volunteer that devoted countless hours of

> work for free for Mozilla over a decade, on, I cite « Right Things That

> Need Doing right now, but time and money aren't infinite and there are
> places that we can put employee and community effort that are way more
> important to Mozilla's mission and the future of the Internet than bailing

> out of Google Analytics. » is hurting me deeply as a mozillian.

>
> He is not some random would-be volunteer making unreasonable requests.
> Dismissing his opinion and lecturing him on priorities saying that we have
> bigger fishes to fry and that you can assign him bugs and tasks to help him
> achieve your goals if he is bored is just plain rude and disrespectful.
> Disrespectful to him and our community. And by community, I mean core
> contributors that made Mozilla what it is today. If as employees we dismiss
> the opinion of the very people that helped create Mozilla, our most active
> core community of volunteers, that's a problem.
>
> His email is a reasonable request, I am pretty sure some employees also
> share his opinion, if we want to be serious about Mozilla as a global
> organization in which our community opinion counts in the decision process,
> then we can't behave as if only quarterly goals matter, we can't have
> employees explaining our community that they don't get it. If we can't
> listen to our core commmunity, the people that are on the ground with our
> users, on the very sensitive topic of privacy, on the *governance* group,
> then there is something wrong that needs to be fixed.
>
>
> Pascal
>
>

[Michael Kelly]

On 4/30/14 11:46 AM, benoit...@gmail.com wrote:
> I've read the previous discussion again and I think we may want to revisit this decision, at least as a long-term goal.
>
> First, it was made two years ago when Mozilla wasn't so vocal about Privacy and User control as our core values. We hadn't tools like Lightbeam producing a heavy cognitive dissonance when visiting that page (incidentally, I didn't saw it on first try because I asked Adblock Plus to prevent websites from tracking me).
>
> One could say that Lightbeam isn't smart enough to detect if we opted for anonymized tracking and that we should fix that. I think thas isn't the problem. The problem is we are using a tracking tool from the very same company that we argue is tracking us online, by sending them all information they would need to track us.
>
> It doesn't matter if Mozilla has an agreement with them because:
> * The user doesn't know that. Even if https://bugzilla.mozilla.org/show_bug.cgi?id=1003804 was fixed, nobody reads all the small print. All they will see is we send their data to Google, period.
> * If they don't trust that organization in the first place, no signed agreement will convince them anyway.

IIRC, it was actually because of us that Google added the option to
anonymize the data, so there's an angle of "making the existing badness
better for everyone" here, but the point about trust is a good one.

There's a choice here (with more than these two options I imagine): do
we try to stick with GA and educate users / promote improving existing
analytics, or do we try to do it the absolute right way?

I'm on the side of improving existing analytics, because if we just do
our own thing, the most we're doing is setting a good example for
others. If we actually push services like GA to offer more
privacy-friendly options, we're improving the state of analytics privacy
for a large swath of the internet, which IMO is more effective.

- Mike Kelly

[Robert Kaiser]

benoit...@gmail.com wrote:
> * The user doesn't know that. Even if https://bugzilla.mozilla.org/show_bug.cgi?id=1003804 was fixed, nobody reads all the small print. All they will see is we send their data to Google, period.

That's the one argument that I think is most important here.

While Mozilla is OK with the contractual obligations, and I personally
do trust Google to hold those up (because it would be a legal and
reputation-wise problem if they don't) - but users out there see the
Firefox in-product pages call out to Google's Analytics services and
those are know as a track-the-internet service to many.
It doesn't matter if we have a contract that says they cannot aggregate
data from us with data from the rest of the world, because the user
doesn't know that. If we could have this point to a domain of ours and
that forwards the data to Google under the contract, it already would be
more trustworthy because it wouldn't lead the user to the conclusion
that we spread the data to Google's tracking services - as funny as that
sounds at first glance.

KaiRo

[Nikos Roussos]

On April 30, 2014 9:47:55 PM EEST, Robert Kaiser <ka...@kairo.at> wrote:

>benoit...@gmail.com wrote:
>> * The user doesn't know that. Even if
>https://bugzilla.mozilla.org/show_bug.cgi?id=1003804 was fixed, nobody
>reads all the small print. All they will see is we send their data to
>Google, period.
>

>That's the one argument that I think is most important here.
>
>While Mozilla is OK with the contractual obligations, and I personally
>do trust Google to hold those up (because it would be a legal and
>reputation-wise problem if they don't) - but users out there see the
>Firefox in-product pages call out to Google's Analytics services and
>those are know as a track-the-internet service to many.

This is why many people call this feature as Dark Pattern [1], because it doesn't actually mean "do not track". It's just about cutting off personalized ads. I've seen many Mozillians who stopped promoting this feature.


Piwik is an analytics tool that is much closer to Mozilla's values, Open Source and surprisingly it stops tracks you if you've made that choice on your browser settings. So if we have enough people from the community who want to step up and deploy/maintain it for at least some of our sites, the argument of "limited resources" would be void.


[1] http://darkpatterns.org/what_is_a_dark_pattern/
~nikos

[Florent Fayolle]

The question about using GA or not is crucial but rather a long-term question [1].
What worries me the most here is the AJAX requests made at each click on that page.

I agree with Benoit: we can't reassure our users by some little clauses accessible on some page on the web, because they won't read it. The users will focus on the screenshot of the tweet I posted above, think that Mozilla is tracking everything they do on that page, and laugh at what we say about Mozilla doing for their privacy. So, at least, that's bad for our image (especially in this time where Prism has been revealed).

Also, I wonder the purpose of collecting this data and especially by this way (that is, sending for each click). It looks like you would like to know how the user navigates in the tutorial. Maybe you (or the team in charge of this page) could clarify this? Wouldn't knowing the number of people going through the tutorial be enough?

[1] Even though this question is important for me too, and I am also a bit sad that we use Google Analytics instead of another free-software we could dope like what Mozilla did with Theora.

Florent

[Rubén Martín]

Hi,

I fully support Benoit words. I followed and was involved in the
discussion about the GA switch years ago and even with the explanation I
didn't feel comfortable with it.

As an example, at Mozilla Hispano sites, we used to have GA too.
Basically because it was the best and easiest way to do analytics when
we started back in 2007.

And even it was not a P1, and we were busy working on other stuff, we
took the decision to do what's right and make an effort to migrate to a
self-hosted Piwik instance [1].

* Was it a big effort? Yes.
* Are we now sure nobody will think we are not being consistent with
our values? Yes.

For me, the second question is what makes us sleep better at night ;)

Regards.

[1] http://www.mozilla-hispano.org/mejoras-en-la-privacidad-del-portal/ (es)

--
Rubén Martín [Nukeador]
Mozilla Reps Mentor
http://www.mozilla-hispano.org
http://twitter.com/mozilla_hispano
http://facebook.com/mozillahispano

[Michael Kelly]

I don't think he's on this mailing list, so I'm CCing Gareth Cull, who
is the Analytics Engineer for mozilla.org. He can answer any specific
questions about why a particular type of tracking was put on mozilla.org
(which may give insight into the greater purpose of this kind of analytics).

I'm not sure which specific page you're asking about, though. The tour?
And which button?

- Mike Kelly

[Florent Fayolle]

I am talking about this page:
https://www.mozilla.org/en-US/firefox/29.0/whatsnew/?oldversion=28.0

Each time a button is clicked on that page, a request is done:
http://i.imgur.com/85WsrUP.png

Florent

[Michael Kelly]

Re-CCing Gareth so he can answer. :D

- Mike Kelly

[Pascal Chevrel]

Le 01/05/2014 15:20, Michael Kelly a ï¿œcrit :

> I don't think he's on this mailing list, so I'm CCing Gareth Cull, who
> is the Analytics Engineer for mozilla.org. He can answer any specific
> questions about why a particular type of tracking was put on mozilla.org
> (which may give insight into the greater purpose of this kind of analytics).
>
> I'm not sure which specific page you're asking about, though. The tour?
> And which button?
>
> - Mike Kelly
>

Hi,

Was Piwik and other analytics solutions evaluated or was it just a
direct decision to go to GA because we know it scales to our needs and
everybody use it? If Piwik was evaluated and some features were missing,
did we open bugs, communicate with Piwik and expressed our needs? If
not, why? Which community members (not employees) were involved in the
project?

Looking at the Piwik site, it seems some big companies like T-Mobile use
it, I know the volume we have on mozilla.org so maybe Piwik doesn't
scale *yet* to out needs, but this is an open source project and as
such, fixable, and that doesn't mean that we have to fix it ourselves
btw. What I am afraid of is that we just picked google because of the
NIHSV syndrom (Not Invented Here in the Silicon Valley ;) ).

Like Mozilla Hispano, we are most likely to be using Piwik soon on
MozFr, we don't have a big need for analytics as we are more focused on
doing stuff than building metrics on what we did, but it seems to fit
all of our potential needs with a great UI. We won't be using GA as this
is the easy solution but we don't want to share the data our visitors
send us with an advertising company.

I think there is a disconnect between how employees see stuff and how
our community and users get to conclusions with the same data.
Employees, especially in the US were culture seems to be very focused on
contracts and private law, think that as long as a contract is signed
and exists between two companies, the problem is fixed. Our community
members don't trust those contracts, first because they don't have
access to it, and second because if they don't trust the party that
signed the contract, they won't trust the protection this contract will
bring them.

The trust our community has in us is not a given, it exists because we
have demonstrated in the past that we do good. When our community is
warning us that in some areas, we are breaking their trust and they see
a profound disconnect between our messaging and our actions, I think we
should listen to them and not discard their opinion just because
decisions are easier to take around the coffee machine among employees,
all living in the same area, from the same universities, with similar
curriculums than in public with the wider global world that Mozilla is ;)

Cheers

Pascal

[Pascal Chevrel]

Le 01/05/2014 15:20, Michael Kelly a ï¿œcrit :

> I don't think he's on this mailing list, so I'm CCing Gareth Cull, who
> is the Analytics Engineer for mozilla.org. He can answer any specific
> questions about why a particular type of tracking was put on mozilla.org
> (which may give insight into the greater purpose of this kind of analytics).
>
> I'm not sure which specific page you're asking about, though. The tour?
> And which button?
>
> - Mike Kelly
>

[Stormy Peters]

On Wed, Apr 30, 2014 at 3:09 PM, Florent Fayolle <
florent....@gmail.com> wrote:

> The question about using GA or not is crucial but rather a long-term
> question [1].
> What worries me the most here is the AJAX requests made at each click on
> that page.
>
> I agree with Benoit: we can't reassure our users by some little clauses
> accessible on some page on the web, because they won't read it. The users
> will focus on the screenshot of the tweet I posted above, think that
> Mozilla is tracking everything they do on that page, and laugh at what we
> say about Mozilla doing for their privacy. So, at least, that's bad for our
> image (especially in this time where Prism has been revealed).
>
> Also, I wonder the purpose of collecting this data and especially by this
> way (that is, sending for each click). It looks like you would like to know
> how the user navigates in the tutorial. Maybe you (or the team in charge of
> this page) could clarify this? Wouldn't knowing the number of people going
> through the tutorial be enough?
>

+1 to sharing what we are trying to measure. Gareth is the right person to
help us and the web productions team also has a blog where they could share
info like this.

Stormy

[Gijs Kruitbosch]

On 01/05/2014 15:43, Pascal Chevrel wrote:
> Looking at the Piwik site, it seems some big companies like T-Mobile use
> it, I know the volume we have on mozilla.org so maybe Piwik doesn't
> scale *yet* to out needs, but this is an open source project and as
> such, fixable, and that doesn't mean that we have to fix it ourselves
> btw. What I am afraid of is that we just picked google because of the
> NIHSV syndrom (Not Invented Here in the Silicon Valley ;) ).

It seems pretty obvious that running your own analytics system has
non-zero cost in terms of hours spent by both volunteer and employee
contributors, whereas an out-of-the-box solution provided by a third
party does not. I've seen several IT/web team folks, in several
situations, refer to the cost (in man hours, not dollars) of everything
they have to run, a lot of it not being central to our mission. The
ability to use a third party (irrespective of who they are) seems pretty
compelling. The previous discussion about this subject was public and
happened on the newsgroups/mailing lists (and I followed it at that
time, at which I was not an employee). Therefore, I don't think your
allegation of NIHSV syndrome makes any sense (and is somewhat insulting
because it's suggesting people haven't spent any time to consider this
decision, or did it in private when it was, in fact, public).

> I think there is a disconnect between how employees see stuff and how
> our community and users get to conclusions with the same data.
> Employees, especially in the US were culture seems to be very focused on
> contracts and private law, think that as long as a contract is signed
> and exists between two companies, the problem is fixed. Our community
> members don't trust those contracts,

You mean our volunteer community members? Employees are just as much
part of the community, thank you very much. And, I'm sorry, but as a
longtime volunteer and now (somewhat recent) European employee, I am
skeptical that people getting an employment contract suddenly have a
massive change of heart over how trustworthy contracts are. Don't try to
make this about "employees vs volunteers", please.

> The trust our community has in us is not a given, it exists because we
> have demonstrated in the past that we do good. When our community is
> warning us that in some areas, we are breaking their trust and they see
> a profound disconnect between our messaging and our actions, I think we
> should listen to them and not discard their opinion just because
> decisions are easier to take around the coffee machine among employees,
> all living in the same area, from the same universities, with similar

As far as I know, there are no other employees that went to the
university I got my MSc at (Imperial College, London -- I suspect some
went to University of Amsterdam (where I got my BSc) at some point, but
I'm not sure, and there'd definitely be <10), nor other people that live
in Birmingham (which probably just shows they're more sensible than me).
Certainly my direct colleagues are exclusively in other countries.
Please don't stigmatise employees, it's very hurtful both to the actual
employees and to the image volunteer contributors have of employees, and
doesn't do anything to further the "trust our community has in us" (who
is "our" and "us" in that sentence, anyway?)

I'm really worried about making this discussion out to be about whether
people in our community are employed by MoCo/MoFo or not. It isn't (and
if people feel we do need another discussion about this distinction or a
lack of communication or anything more general, please start another
thread).

It's about:
a) whether we trust Google to live up to their contractual obligations;
b) whether we think those contractual obligations are good enough both
in terms of actual fact, and in appearance to the outside world;
c) what alternatives we have, and whether they are better when
considering (a), (b) and the associated costs/rewards of the alternatives.

Different people seem to have different opinions on (a) and (b), but so
far nobody has seriously discussed (c). Just throwing up a name (or
looking at their website) and saying "why don't we use this?" isn't
serious discussion. If you're arguing it's better than GA, explain why,
and try to seriously estimate switching and running costs, not just the
PR implications or the suppositions that Google might be lying to us all.

I haven't looked into the details of (c) recently, but I imagine that
others have. In particular, I trust other members of the community
(volunteer or employee) to make good, informed decisions about their
areas of expertise/work, and to get the necessary privacy reviews and so
on. It seems unhelpful to speculate before those people have even
weighed in.

~ Gijs

PS: Just so we're clear, I work on Firefox for desktop and have nothing
directly to do with the decision to use GA or something else for this
particular part of our web properties, besides being a community member
with an opinion (which I will not share because so far there is not
enough data to see if that opinion makes sense, so discussing it seems
pointless).

[gc...@mozilla.com]

Hi Florent / Benoit,

I work on the Web Productions team as our Web Analytics and Optimization Engineer and can provide you with some context around what and why we track what we do on the whatsnew page.

First, I'd like to thank you for being an active community member and for engaging with Mozilla on this topic. Privacy is very important to Mozilla and me personally, and hopefully my explanation here will give you some insight as to how we leverage Google Analytics to improve the user experience on the web.

Let me start off by saying that we do not track or send any personally identifiable information to Google. Doing so would not only be against our internal policies, but also that of Google. As an Analytics professional, this is also a line I would not cross. And to re-enforce our commitment to privacy, we actively anonymize ip address data along with any requests that are being sent back to Google. This was actually a community driven suggestion that we implemented. You can read up more on this here: https://bugzilla.mozilla.org/show_bug.cgi?id=946705

So to answer your questions:

What are we tracking?
We are tracking engagement with links and buttons as the user navigates through the on boarding flow, which we analyze in aggregate.

Why are we tracking this?
Ultimately, we want our users to be able to get the most out of their experience with the Firefox browser. So we created an onboarding flow that educates the user about some new features and how to use the product. The content within the flow was developed and presented in 4 steps and we used event tracking to understand if people were dropping off at specific stages within the flow. If we were to find out that we were losing a significant number people at the first step in the tutorial, we would go back and review the content presented in that section and see if we can tweak or re-work it. Ultimately, the end goal of this flow is to present content that a user can understand and successfully navigate their way through an onboarding process and be more educated about the changes we made to the new Firefox. If we can do that, then hopefully we have created a more satisfying experience for the user as they browse the web.

If anything is not clear, please let me know. I'll be happy to respond back. We are just trying to leverage the data from this to improve our user's experience with our product.

Thanks,

Gareth

[Michael Kelly]

On 5/1/14 10:43 AM, Pascal Chevrel wrote:
> Was Piwik and other analytics solutions evaluated or was it just a
> direct decision to go to GA because we know it scales to our needs and
> everybody use it? If Piwik was evaluated and some features were missing,
> did we open bugs, communicate with Piwik and expressed our needs? If
> not, why? Which community members (not employees) were involved in the
> project?

I imagine Stacy Martin is a good person to ask, given she posted the
original thread.

> I think there is a disconnect between how employees see stuff and how
> our community and users get to conclusions with the same data.
> Employees, especially in the US were culture seems to be very focused on
> contracts and private law, think that as long as a contract is signed
> and exists between two companies, the problem is fixed. Our community

> members don't trust those contracts, first because they don't have
> access to it, and second because if they don't trust the party that
> signed the contract, they won't trust the protection this contract will
> bring them.

That's a good point. I meant to imply that the existence of a contract
can help increase trust, rather than "contract = solved", but your point
still stands; if the users don't trust Google, it's likely they wouldn't
trust a contract signed by them (and I can argue until I'm blue in the
face that having consequences for violating our trust is an important
factor, and that won't change people's distrust of Google).

Is the question here about whether Google can actually be trusted, or is
it about perception? In other words, are we worried that Google is
actually misusing the data, or are we worried that it _looks_ like
Google could be misusing the data? Or are we just worried that Google
_could_ misuse the data, hence Piwik and other locally-hosted solutions
being the suggestion?

> The trust our community has in us is not a given, it exists because we
> have demonstrated in the past that we do good. When our community is
> warning us that in some areas, we are breaking their trust and they see
> a profound disconnect between our messaging and our actions, I think we
> should listen to them and not discard their opinion just because
> decisions are easier to take around the coffee machine among employees,
> all living in the same area, from the same universities, with similar

> curriculums than in public with the wider global world that Mozilla is ;)

Agreed! I'm glad we're having this discussion, regardless of whether we
decide (who decides anyway?) to keep GA or to toss it.

- Mike Kelly

[Majken Connor]

I think the "master" question is: How would we know if Google is misusing
the data?

All of the others follow out of that. If we can't know whether or not
Google is misusing the data then it's a matter of faith, and that's not the
best position to be in.

[Pascal Chevrel]

Le 01/05/2014 17:17, Gijs Kruitbosch a ï¿œcrit :

> On 01/05/2014 15:43, Pascal Chevrel wrote:
>> Looking at the Piwik site, it seems some big companies like T-Mobile use
>> it, I know the volume we have on mozilla.org so maybe Piwik doesn't
>> scale *yet* to out needs, but this is an open source project and as
>> such, fixable, and that doesn't mean that we have to fix it ourselves
>> btw. What I am afraid of is that we just picked google because of the
>> NIHSV syndrom (Not Invented Here in the Silicon Valley ;) ).
>
> It seems pretty obvious that running your own analytics system has
> non-zero cost in terms of hours spent by both volunteer and employee
> contributors, whereas an out-of-the-box solution provided by a third
> party does not. I've seen several IT/web team folks, in several
> situations, refer to the cost (in man hours, not dollars) of everything
> they have to run, a lot of it not being central to our mission. The
> ability to use a third party (irrespective of who they are) seems pretty
> compelling.

There are companies offering Piwik as a third party solution, you don't
necessary have to host it yourself. Even if we had to host it ourselves,
there are areas in which we want to control our project and think long
term, we mostly host our own code instead of using bitbucket for hg for
example, we host our mailing lists instead of using third parties, we
host our own email services instead of delegating it to a third party,
we build our own datacenters instead of just renting etc. There is a
discussion here on what should be under direct Mozilla control, what can
be safely delegated to third parties and what should be a mixed world.
If we focus Mozilla as a provject on defending user privacy (and the Web
We Want campaign shows that this is what our user base wants us to
focus), then the question of what data we share with third parties
becomes even more important than it was 3 years ago.

> The previous discussion about this subject was public and
> happened on the newsgroups/mailing lists (and I followed it at that
> time, at which I was not an employee). Therefore, I don't think your
> allegation of NIHSV syndrome makes any sense (and is somewhat insulting
> because it's suggesting people haven't spent any time to consider this
> decision, or did it in private when it was, in fact, public).

I followed the discussion too, IMO it was more a communication of a
decision on using Google Analytics than a discussion on wether we should
use Google Analytics or not. Maybe Google Analytics is the best answer
to our needs, this is not actually the point, the point is that some of
our volunteer community does not agree and I think we should have a
civil discussion with them and see if some things should be reevaluated.
Maybe that means for example that we could propose Piwik (or another
equivalent open source solution) as a Mozilla hosted service for our
community sites, which would make it easier for community sites to
deploy safe analytics, would give us experience on what is potentially
lacking there and would allow us to study alternatives to google
analytics on real sites. I believe that at some point, we also need to
be on the server side because some things cannot be fixed on the client
side. Working with other projects that share our very same goals on user
privacy but on the server side seems like a win-win solution to me,
unless we want to reinvent the wheel there. I am actually not worried
about the employee/volunteer divide, I am worried about Mozilla working
in isolation to the wider ecosystem and not achieving its long term
goals because they seem to conflict with the short term goals.

>
>> I think there is a disconnect between how employees see stuff and how
>> our community and users get to conclusions with the same data.
>> Employees, especially in the US were culture seems to be very focused on
>> contracts and private law, think that as long as a contract is signed
>> and exists between two companies, the problem is fixed. Our community
>> members don't trust those contracts,
>
> You mean our volunteer community members? Employees are just as much
> part of the community, thank you very much. And, I'm sorry, but as a
> longtime volunteer and now (somewhat recent) European employee, I am
> skeptical that people getting an employment contract suddenly have a
> massive change of heart over how trustworthy contracts are. Don't try to
> make this about "employees vs volunteers", please.

A lot of employees didn't have a history of volunteering to Mozilla
before becoming an employee. A lot of the hiring is done through
internship programs with the same universities every year. You and I are
actually more exceptions than rules. So yes, by community in this
context I meant volunteer community. I tried not to forget to put
volunteer every time I used the word community in this one ;)

>
>> The trust our community has in us is not a given, it exists because we
>> have demonstrated in the past that we do good. When our community is
>> warning us that in some areas, we are breaking their trust and they see
>> a profound disconnect between our messaging and our actions, I think we
>> should listen to them and not discard their opinion just because
>> decisions are easier to take around the coffee machine among employees,
>> all living in the same area, from the same universities, with similar
>
> As far as I know, there are no other employees that went to the
> university I got my MSc at (Imperial College, London -- I suspect some
> went to University of Amsterdam (where I got my BSc) at some point, but
> I'm not sure, and there'd definitely be <10), nor other people that live
> in Birmingham (which probably just shows they're more sensible than me).
> Certainly my direct colleagues are exclusively in other countries.
> Please don't stigmatise employees, it's very hurtful both to the actual
> employees and to the image volunteer contributors have of employees, and
> doesn't do anything to further the "trust our community has in us" (who
> is "our" and "us" in that sentence, anyway?)

Please don't take your own personal story as a rule of how Mozilla works
and please, don't reply with such anger when you don't agree with
somebody else on a topic. The question is not on how distributed the
workforce is but how centralized the decision process is. In the case of
privacy matters, I think this is too centralized and that the
*volunteer* community is not involved enough or too late in the
process. We can't change the world with just employees, most of them in
North America, we need volunteers to be with us and in numbers, we need
different view points from the rest of the world on matters such as
privacy and net neutrality. That means also that some of the decisions
in our operations; not just on policy making, have to be done in close
collaboration with volunteers and that means taking their point of view
into account too, early, not after the fact. That also I think mean we
need to work more closely with other foundations anbd projects fighting
for an open web on the server side.

>
> It's about:
> a) whether we trust Google to live up to their contractual obligations;
> b) whether we think those contractual obligations are good enough both
> in terms of actual fact, and in appearance to the outside world;
> c) what alternatives we have, and whether they are better when
> considering (a), (b) and the associated costs/rewards of the alternatives.
>
> Different people seem to have different opinions on (a) and (b), but so
> far nobody has seriously discussed (c). Just throwing up a name (or
> looking at their website) and saying "why don't we use this?" isn't
> serious discussion. If you're arguing it's better than GA, explain why,
> and try to seriously estimate switching and running costs, not just the
> PR implications or the suppositions that Google might be lying to us all.

And we are back to what I asked initially, what evaluation was done on
alternatives to Google Analytics and why wasn't it shared? Even out of
curisosity, I'd like for example to know what are the strong/weak points
of all the solutions available on the market. And BTW it's not just a
question of PR, and like Benoit I think it's a question of consistency
between what we say and what we do on the field. You seem to discard the
opinion of other community members (both volunteers and employees) that
think that a self hosted or a less controversial third party solution
should be reevaluated today, I don't, I think it's the kind of things it
is good to put some thoughts on.

Once again, maybe GA was the perfect solution 2 or 3 years ago when we
were not an organization focusing on defending our users privacy, but
our recent change of focus also means that some of the decisions made in
a different context could need a reevaluation. And maybe this
reevaluation will mean that we should actually keep GA because other
tools are lacking in features or can't scale to our needs. But once
again, this is not a tooling question, it is a policy question.

Happy labor day :)

Pascal

[David Bruant]

Le 01/05/2014 16:58, Stormy Peters a �crit :

> On Wed, Apr 30, 2014 at 3:09 PM, Florent Fayolle <
> florent....@gmail.com> wrote:
>
>> The question about using GA or not is crucial but rather a long-term
>> question [1].
>> What worries me the most here is the AJAX requests made at each click on
>> that page.
>>
>> I agree with Benoit: we can't reassure our users by some little clauses
>> accessible on some page on the web, because they won't read it. The users
>> will focus on the screenshot of the tweet I posted above, think that
>> Mozilla is tracking everything they do on that page, and laugh at what we
>> say about Mozilla doing for their privacy. So, at least, that's bad for our
>> image (especially in this time where Prism has been revealed).
>>
>> Also, I wonder the purpose of collecting this data and especially by this
>> way (that is, sending for each click). It looks like you would like to know
>> how the user navigates in the tutorial. Maybe you (or the team in charge of
>> this page) could clarify this? Wouldn't knowing the number of people going
>> through the tutorial be enough?
>>
> +1 to sharing what we are trying to measure. Gareth is the right person to
> help us and the web productions team also has a blog where they could share info like this.

As felt appropriate, consider adding this information to
https://bugzilla.mozilla.org/show_bug.cgi?id=1003804 (or file a
complementary bug)

David

[Jim]

The problem is that Mozilla do no understand privacy. This web page
demonstrates this in many ways. The web page should have been designed
to work even with JavaScript disabled and this is the core failure. If
the web page had been designed to work well with JS disabled then it
would have been designed to collect feedback explicitly rather than
using JS to track users behind the scenes, and the user would have
remained in control. It could have worked without using AJAX, but could
still have used JS to enhance the page.

The feedback Mozilla is trying to gather on the usability of the page
could have been obtained using 'feedback' buttons.

A web page championing privacy and user control should have been a
example of how to do-it-right, but it was a shocking example of how to
screw up. It even promoted Facebook and Twitter. It has damaged the
cause of privacy on the web.

Jim

On 2014-05-01 19:27, Majken Connor wrote:
> I think the "master" question is: How would we know if Google is
> misusing
> the data?
>
> All of the others follow out of that. If we can't know whether or not
> Google is misusing the data then it's a matter of faith, and that's not
> the
> best position to be in.
>
>
> On Thu, May 1, 2014 at 11:32 AM, Michael Kelly <mke...@mozilla.com>
> wrote:
>
>>
>>
>> On 5/1/14 10:43 AM, Pascal Chevrel wrote:
>> > Was Piwik and other analytics solutions evaluated or was it just a
>> > direct decision to go to GA because we know it scales to our needs and
>> > everybody use it? If Piwik was evaluated and some features were missing,
>> > did we open bugs, communicate with Piwik and expressed our needs? If
>> > not, why? Which community members (not employees) were involved in the
>> > project?
>>
>> I imagine Stacy Martin is a good person to ask, given she posted the
>> original thread.
>>

>> > I think there is a disconnect between how employees see stuff and how
>> > our community and users get to conclusions with the same data.
>> > Employees, especially in the US were culture seems to be very focused on
>> > contracts and private law, think that as long as a contract is signed
>> > and exists between two companies, the problem is fixed. Our community

>> > members don't trust those contracts, first because they don't have
>> > access to it, and second because if they don't trust the party that
>> > signed the contract, they won't trust the protection this contract will
>> > bring them.
>>
>> That's a good point. I meant to imply that the existence of a contract
>> can help increase trust, rather than "contract = solved", but your
>> point
>> still stands; if the users don't trust Google, it's likely they
>> wouldn't
>> trust a contract signed by them (and I can argue until I'm blue in the
>> face that having consequences for violating our trust is an important
>> factor, and that won't change people's distrust of Google).
>>
>> Is the question here about whether Google can actually be trusted, or
>> is
>> it about perception? In other words, are we worried that Google is
>> actually misusing the data, or are we worried that it _looks_ like
>> Google could be misusing the data? Or are we just worried that Google
>> _could_ misuse the data, hence Piwik and other locally-hosted
>> solutions
>> being the suggestion?
>>

>> > The trust our community has in us is not a given, it exists because we
>> > have demonstrated in the past that we do good. When our community is
>> > warning us that in some areas, we are breaking their trust and they see
>> > a profound disconnect between our messaging and our actions, I think we
>> > should listen to them and not discard their opinion just because
>> > decisions are easier to take around the coffee machine among employees,
>> > all living in the same area, from the same universities, with similar

>> > curriculums than in public with the wider global world that Mozilla is ;)
>>
>> Agreed! I'm glad we're having this discussion, regardless of whether
>> we
>> decide (who decides anyway?) to keep GA or to toss it.
>>
>> - Mike Kelly

[David Bruant]

Le 02/05/2014 05:46, Jim a �crit :

> The feedback Mozilla is trying to gather on the usability of the page
> could have been obtained using 'feedback' buttons.

If by that you mean that the web page could have a button that pops up a
form that people fill in and submit, this is nonsensical (if you meant
something else, please correct me).

Among other things, human beings are both not fully self-aware (far away
from it, myself included) and irrational. The type of feedback you get
from observing how people do behave has nothing to do with what people
would say they do (only a fraction would give feedback, so there is a
"self-selection" bias and this fraction would say what it thinks, not
what it does).
The questions asked on the form also create a bias since they
necessarily direct the answers.

The very position and size of the button would create a bias based on
people screen size for instance.

I may be exagerating, but I feel a feedback button would mean lots of
time processing the answers where a statistical bias (well, several)
making any result questionable.

David

[Bob Clary]

Gareth

Thanks for taking the time to reply. I completely support your goals and
laud the improvements that we have seen due to the measurements of
visitor behavior on mozilla.org and the refinement of the content to
better engage our web site visitors.

But...

On 05/01/2014 08:08 AM, gc...@mozilla.com wrote:

>
> Let me start off by saying that we do not track or send any
> personally identifiable information to Google. Doing so would not
> only be against our internal policies, but also that of Google. As an
> Analytics professional, this is also a line I would not cross. And to
> re-enforce our commitment to privacy, we actively anonymize ip
> address data along with any requests that are being sent back to
> Google. This was actually a community driven suggestion that we
> implemented. You can read up more on this here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=946705
>

I have had a problem with Google ever since they announced they would
anonymize ip addresses after 18 months by dropping the last octet of the
ip address, 12.214.31.144 -> 12.214.31.0. This is is the same
anonymization they use for Google Analytics
<https://support.google.com/analytics/answer/2763052?hl=en>

I believe this level of anonymization is 'privacy theater' since it has
been known for some time that binning data is not effective at
anonymization. See
<http://impcenter.org/wp-content/uploads/2013/09/Simple-Demographics-Often-Identify-People-Uniquely.pdf>.
Perhaps pseudo-anonymization would be a more accurate characterization.

While the goals are laudable and the achievements are important, I do
think that in the long term we should keep in mind the need to
transition away from Google Analytics on mozilla.org.

Mike, thanks for the pointer to the Google Analytics Opt-out Browser
Add-on. I was unaware of it.

/bc

[Jim]

On 2014-05-02 07:45, David Bruant wrote:

> Le 02/05/2014 05:46, Jim a écrit :
>> The feedback Mozilla is trying to gather on the usability of the page
>> could have been obtained using 'feedback' buttons.
> If by that you mean that the web page could have a button that pops up
> a form that people fill in and submit, this is nonsensical (if you
> meant something else, please correct me).

A pop-up form is not an option for a non-JS page. You need to understand
the constraints and then apply creative design within these constraints.
For example, a row of attractive feedback buttons that work with JS
disabled, and when JS is enabled zoom in on these when leaving the page
with a request to select one to leave a feedback selection.

> Among other things, human beings are both not fully self-aware (far
> away from it, myself included) and irrational. The type of feedback
> you get from observing how people do behave has nothing to do with
> what people would say they do (only a fraction would give feedback, so
> there is a "self-selection" bias and this fraction would say what it
> thinks, not what it does).
> The questions asked on the form also create a bias since they
> necessarily direct the answers.
>
> The very position and size of the button would create a bias based on
> people screen size for instance.
>
> I may be exagerating, but I feel a feedback button would mean lots of
> time processing the answers where a statistical bias (well, several)
> making any result questionable.

Listen to yourself. Observing how people behave while they are not
aware!

Why even waste time on this. A simple HTML form would have sufficed.

Or find another way. For example add an option to allow users to choose
to participate in an A/B choice.

Jim

[David Bruant]

Le 03/05/2014 05:52, Jim a écrit :
> On 2014-05-02 07:45, David Bruant wrote:
>> Le 02/05/2014 05:46, Jim a écrit :
>>> The feedback Mozilla is trying to gather on the usability of the
>>> page could have been obtained using 'feedback' buttons.
>> If by that you mean that the web page could have a button that pops up
>> a form that people fill in and submit, this is nonsensical (if you
>> meant something else, please correct me).
>
> A pop-up form is not an option for a non-JS page.

Why? There are various ways to make HTML&CSS-only popups, most of which
work in all modern browsers (expect maybe IE6/7, I'd need to test. Worst
case, we'd loose their feedback, big deal?)

> You need to understand the constraints and then apply creative design
> within these constraints. For example, a row of attractive feedback
> buttons that work with JS disabled, and when JS is enabled zoom in on
> these when leaving the page with a request to select one to leave a
> feedback selection.

This is an atrocious user experience. When someone wants to leave the
page, they want to... leave the page, not give you feedback.
They may answer negatively just out of this frustration and there would
be no way to distinguish between this frustration and another
frustration. Also, a bunch of buttons is a very small amount of
information. Maybe not even a relevant one.

>
>> Among other things, human beings are both not fully self-aware (far
>> away from it, myself included) and irrational. The type of feedback
>> you get from observing how people do behave has nothing to do with
>> what people would say they do (only a fraction would give feedback, so
>> there is a "self-selection" bias and this fraction would say what it
>> thinks, not what it does).
>> The questions asked on the form also create a bias since they
>> necessarily direct the answers.
>>
>> The very position and size of the button would create a bias based on
>> people screen size for instance.
>>
>> I may be exagerating, but I feel a feedback button would mean lots of
>> time processing the answers where a statistical bias (well, several)
>> making any result questionable.
>
> Listen to yourself. Observing how people behave while they are not aware!

I admit I haven't checked /privacy, but I can only imagine users are
informed there about this practice.
I'll repeat what I said elsewhere [1]:
"Note that a website is already capable to "track" every single click
(to other pages within the same domain) and know your navigation
patterns within the website. I'll go further by saying that this is
possible even without cookies (look for "web keys" or "capability URLs".
These weren't aimed at tracking, but could be use for that purpose).
I don't see how recording other clicks is that awful."

Every serious website has some form of HTTP logging (most often for
post-mortem security purposes). That's definitely some form of
"observing how people behave while they are not aware". If you're
uncomfortable with this idea, I'd recommend not going to any website
just to be sure :-/
More realistically, I'd recommend to inform yourself on common practices
of saving informations about users and wonder how much you're okay with
them.

> Why even waste time on this. A simple HTML form would have sufficed.

I explained at length how much bias that would introduce thus making
this idea impractical.
The point is not to gather information for the sake and pleasure of
gathering information. This information is gathered to understand how
people use the website (and nobody cares how each individual
specifically use the website, the purpose is to understand trends,
overall reactions) and use this information to understand how to adjust
the website so people find more easily what they came for.

> Or find another way. For example add an option to allow users to
> choose to participate in an A/B choice.

That's an interesting idea.

David

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1003391#c14

[Florent FAYOLLE]

Hello Gareth,

Thanks for your answer, but I am still a bit unhappy with the
explanation provided, because a contract is not a good argument for me
(and for lots of people too, especially after Prism has been revealed).
Though I understand the needs of these requests.

As a compromise, couldn't these AJAX requests be made only when
Telemetry is active? Technically, Telemetry would send a special request
header for Mozilla websites. Or at least, for the whatsnew pages, which
only concerns Firefox users.
Thus, only the people who would have agreed to share their usage of
Firefox would be concerned by this data collection.
I think and hope that the population having activated Telemetry would be
representative enough.

Also, I saw the bugzilla report #858839
<https://bugzilla.mozilla.org/show_bug.cgi?id=858839>, about not
including any Google Analytics scripts when Do Not Track (DNT) was
active, being rejected because of the interpretation in bugzilla #731314
<https://bugzilla.mozilla.org/show_bug.cgi?id=731314>. I think it is a
good idea and I don't understand why you don't see DNT as an polite
inquiry from the user to not include any tracking scripts (not only for
advertisement), including GA. After all, quoting
https://www.mozilla.org/en-US/dnt/ :
> Mozilla Firefox offers a Do Not Track feature that lets*you express a
> preference not to be tracked by websites*. When the feature is
> enabled, Firefox will tell advertising networks and other websites and
> applications *that you want to opt-out of tracking* for purposes
> _*like*_ behavioral advertising.
Could you please reconsider the status of**bugzilla #858839 please? And
thus do not use GA in the whatsnew page in the case DNT is active?

As a bonus:
- you could somehow inform the visitor of these websites that they
accept to help Mozilla to do these surveys (and offer an option to
disallow ).
- you could consider moving to another solution, such as Piwik, of
course after a study. Please, reconsider this after the revelation of
Prism and knowing that Piwik must have been improved.

I know that I may be considered a bit hard to please, but that's because
I see Mozilla as a leader about the issue of privacy.
Really, I would have given up the idea of debating about that if I
wasn't encouraging what Mozilla (including its community) does for that.

Florent

[Jim]

On 2014-05-03 08:34, David Bruant wrote:
> Le 03/05/2014 05:52, Jim a écrit :
>> On 2014-05-02 07:45, David Bruant wrote:
>>> Le 02/05/2014 05:46, Jim a écrit :
>>>> The feedback Mozilla is trying to gather on the usability of the
>>>> page could have been obtained using 'feedback' buttons.
>>> If by that you mean that the web page could have a button that pops
>>> up
>>> a form that people fill in and submit, this is nonsensical (if you
>>> meant something else, please correct me).
>>
>> A pop-up form is not an option for a non-JS page.
> Why? There are various ways to make HTML&CSS-only popups, most of
> which work in all modern browsers (expect maybe IE6/7, I'd need to
> test. Worst case, we'd loose their feedback, big deal?)

Sure, so long as it can be done without JS then it is in the solution
space.

>> You need to understand the constraints and then apply creative design
>> within these constraints. For example, a row of attractive feedback
>> buttons that work with JS disabled, and when JS is enabled zoom in on
>> these when leaving the page with a request to select one to leave a
>> feedback selection.
> This is an atrocious user experience. When someone wants to leave the
> page, they want to... leave the page, not give you feedback.
> They may answer negatively just out of this frustration and there
> would be no way to distinguish between this frustration and another
> frustration. Also, a bunch of buttons is a very small amount of
> information. Maybe not even a relevant one.

Good point, don't do it. Spying on people is any even more 'atrocious
user experience' once they realize. Your current design, requiring JS,
is not privacy friendly and it is not consistent with fighting for our
privacy.

Client side apps are an opportunity to avoid some tracking. Arguing
that just because http server driven apps can log actions that this
should be accepted in privacy friendly client side apps is not
constructive for the privacy cause.

Are you even interested in understanding the issues?

Now, tell us why Facebook and Twitter were associated prominently with
children pleading for their privacy and control on the web? Did Mozilla
receive consideration for these placements? Has Mozilla's pragmatism
sold out the privacy cause yet again? These children do not understand
what your pragmatism has done, but I do, and you are using these
children, it disgusts me.

Jim

[David Bruant]

Le 05/05/2014 08:47, Jim a écrit :
> On 2014-05-03 08:34, David Bruant wrote:
>>> You need to understand the constraints and then apply creative
>>> design within these constraints. For example, a row of attractive
>>> feedback buttons that work with JS disabled, and when JS is enabled
>>> zoom in on these when leaving the page with a request to select one
>>> to leave a feedback selection.
>> This is an atrocious user experience. When someone wants to leave the
>> page, they want to... leave the page, not give you feedback.
>> They may answer negatively just out of this frustration and there
>> would be no way to distinguish between this frustration and another
>> frustration. Also, a bunch of buttons is a very small amount of
>> information. Maybe not even a relevant one.
>
> Good point, don't do it. Spying on people is any even more 'atrocious
> user experience' once they realize. Your current design, requiring JS,
> is not privacy friendly and it is not consistent with fighting for our
> privacy.

so disable JS altogether? Don't visit pages you don't trust?

I'm not sure what's the problem at hand. Mozilla collects information in
a way that is transparent enough that it triggered this thread. Mozilla
uses Google Analytics and explained that this choice fits with a set of
goals regarding user privacy (Mozilla is even in a contractual
relationship with Google Analytics to enforce this).
Mozilla informs its users about its practices on its websites. Gareth
Cull came to this thread to explain these practices. There are clear
opt-opts (like the GA opt-out addon).

What more do you want?
What do you want and can be realistically applied? Don't only consider
your end. Try to understand what's being done now, what's at stake and
provide an alternative where other goals aren't diminished.

I'm interested in these issues. I'm more interested in how to get to the
subtle balance of getting what you want done (understanding user
behavior) while preserving privacy.

> Now, tell us why Facebook and Twitter were associated prominently with
> children pleading for their privacy and control on the web?

I don't know. What is this children story? Never heard of it, but I'm
curious.

> Did Mozilla receive consideration for these placements? Has Mozilla's
> pragmatism sold out the privacy cause yet again?

Where does this "yet again" come from?
How is privacy compromised this time? The best argument I've read was
"despite having signed a contract, we can't trust Google after the Prism
revelations" and I find it weak. YMMV.

> These children do not understand what your pragmatism has done, but I
> do, and you are using these children, it disgusts me.

I'm not using any children. Nor is Mozilla to the best of my knowledge.
Are you plain trolling right now? This discussion stopped making sense
as soon as you brought "children" up :-/

David

[Ryan Kelly]

On 5/05/2014 6:26 PM, David Bruant wrote:
> Le 05/05/2014 08:47, Jim a écrit :
>
>> Now, tell us why Facebook and Twitter were associated prominently with
>> children pleading for their privacy and control on the web?
> I don't know. What is this children story? Never heard of it, but I'm
> curious.
>

>> These children do not understand what your pragmatism has done, but I
>> do, and you are using these children, it disgusts me.
> I'm not using any children. Nor is Mozilla to the best of my knowledge.

At a guess, this is likely in reference to the video on:

https://webwewant.mozilla.org

Which does indeed feature a bunch of children pleading for control and
privacy on the web, and they are indeed right above prominent facebook
and twitter "share" buttons.


Ryan

[David Bruant]

oh... I had missed this video... You just increased the best of my
knowledge.

Taking the last sentence of my last message back obviously.

Thanks,

David

[Stefan Arentz]

On Apr 30, 2014, at 9:54 AM, Michael Kelly <mke...@mozilla.com> wrote:

> The issue of privacy vs. analytics is a complex one. There's a few
> different questions that need to be answered to justify Mozilla's use
> of Google Analytics. I'm just a lowly webdev who doesn't know too much
> about official stances and tech, but here's my take:
>
> First: Is it okay to track user actions and analyze them?

We have a wonderful solution for that in the form of the DNT header.

We can simply load the Google Analytics code conditionally by doing something like:

<script>
if (navigator.doNotTrack !== “yes”) {
… insert the standard GA snippet here ...
}
</script>

Personally I think we should make this standard practice.

S.

[Stacy Martin]

Hi all, I work on the privacy team at Mozilla. In reading through these posts, I see two key lines of questioning:

1) How is analytics tracking consistent with Mozilla's values? And specifically, how is it consistent with valuing privacy?
2) Why do we use Google? And can we switch?

Because both of these require more detailed answers, my response is primarily around where to find more info in the near future. We work hard to use tracking in a way that is consistent with our values. It doesn't mean we don't do any tracking. Our websites privacy policy describes the tracking that we do and we're working on more ways to describe our practices in more detail and in more places in an effort to be as clear and transparent as possible. Some of what's in the works and/or under consideration includes - user research, privacy blog posts, a new SUMO section that will describe our practices in more detail than what's in our privacy notices, and some ways to use DNT and/or Tabzilla to describe our analytics tracking. I hope to have more to post soon and I welcome feedback.



On Tuesday, April 29, 2014 2:13:25 PM UTC-7, Florent Fayolle wrote:
> Hello,
>
>
>
> Everything is described in this bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1003391
>
>
>
> To summarize, the whatsnew page sends an Ajax request to Google Analytics each time the user clicks on its button.
>
>
>
> That's sad to see a webpage that promotes Firefox as the browser that defends privacy (which it does) but that in fact tracks users' actions on it.
>
>
>
> Someone reported this issue in this tweet (in French) telling (with sarcasm) that Mozilla is not trustable concerning privacy, and I feel upset about that:
>
> https://twitter.com/HTeuMeuLeu/status/461207250410164226/photo/1
>
>
>
> Florent

[Stacy Martin]

[Majken Connor]

Stacy,

While people are talking about switching from Google, the underlying
question really is how do we know we can trust Google? Yes, we have a
signed agreement with them, but would we be able to tell if they are
violating the agreement? If people are confident that we can hold Google
accountable in practice, not just in theory, then that would make a
difference in trust.