The news about 'Mozilla China had been discovered to 'do some evil', our policy toward customized build of Firefox by local MoCo

[Irvin Chen]

Recently on Oct. 24, a post had been published on a popular China's tech.
forum 'Solidot',
subject under 'Mozilla China had been discovered to 'do some evil'.

This news had been quick spreading widely on China's forums and news site.
The original news article had been read for more than 10k times, and repost
more than 60k times (according to Google search result for the article's
title).
I think it's hard to estimate how many people had encountered the news,
but it definitely not positive impress we'd like to have of Mozilla's
branding.

Here I give a quick translate on it's content, most of the news were
duplicated from this source:
#
# Mozilla China been discoverd to "do some evil"
# Author: WinterIsComing
# 2013/11/24
#
# The customized homepage and fast dial extension (xpi file) from
Mozilla China had been discovered that it will change the user's
shortcut links.
# If users (from China) added a shortcut to 'Jing Dong market'
(www.jd.com) on their home page,

# that quick link will be redirected to a affiliates link (
http://count.chanet.com.cn/click...www.jd.com” ).
# Developer of the extension from China even as humor as to add a
comment in the source codes - "do some evil here".

#


Even worse is that, we only provide the "customized build" to user (which
user called it 'Firefox China version')
on Mozilla Online's website. ( http://firefox.com.cn )
:MattN had created bug 946082, suggested that we add link for user who'd
like to download "non-favored, global version of Firefox" on Mozilla
Online's website.
https://bugzilla.mozilla.org/show_bug.cgi?id=946082 (Consider including a
link to Mozilla Corp. builds from www.firefox.com.cn)
and you can found that a similar bud had been fixed months ago for Mozilla
Taiwan's website.
https://bugzilla.mozilla.org/show_bug.cgi?id=888718 (mozilla.com.tw firefox
include a few addons by default install (people are worried about the
authenticity of the installer)

I think the problem it arise is that "How do we make money 'ethics' out of
user's behavior",
and "What is our policy toward customized build from different Mozilla
Corporation".


Irvin Chen
Liaison, Mozilla Taiwan community

--
@ irvinfly: community liaison
moztw.org Mozilla Taiwan community

[Anonymous.]

I found that I forgot to including the article link, oops.
http://www.solidot.org/story?sid=37355

Irvin Chen於 2013年12月4日星期三UTC+8下午2時27分56秒寫道：

[Li Gong]

Irvin,

Indeed we discovered the "joker" msg in the same way, and have removed that part with an update. Joking aside, there are many complicated sides to this situation, some of which you may or may not be familiar with. In recent months, there are many severe cases of traffic hijacking in China, prompted in part by various promotional programs run by some large companies (whose names I shall not name here right now). For example, a media player, once installed, will change installed browser behavior so that all browser traffic for some type get credited to the media company, which will then obtain money from the beneficiary of that type of traffic. There are many such cases, especially this year. We are caught between some big land grab/battle among major internet companies in China, coupled with everything-goes techniques. If we do nothing and just stand there, we will be reduced out of any significance or influence.

Having said that, our BD team, in counter-attack or maybe better described as self-defense, did go overly aggressive in this particular case. Once we are aware of the situation, it has been immediately corrected. The teams and actual members involved are definitely learning lessons from this episode. We continue to watch closely over such sensitive areas and hopefully we won't make the same mistake again.

Thanks,

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance

[Irvin Chen]

Hi Dr. Li,

The point is that we do redirect the user's link for some affiliate program
in Firefox China build, as you said 'our BD team did go overly aggressive
in this particular case.'

It's not related to how other company do things, it's about how we do
things under Mozilla's brand.

And I don't see why this approach can help us won the browsers battle in
China, for that we actually lose the user's trust on Mozilla in this case?

So to be clearly, is there any policy we'd made after the news published,
to state it clear that "We don't redirect user's link in anyway, in order
to earn money", or it is only fixed for this case only?

And what is our globally policy, toward local MoCo customized build, such
as Fx Taiwan version and Fx China version. Do we (or staff in Beijing)
reach any agreement that "We do provide choice for user, to select between
local version and global version", or we'll keep stick to "We only provide
local MoCo Fx build to user on local MoCo site" ?


Irvin

[Li Gong]

> The point is that we do redirect the user's link for some affiliate program in Firefox China build, as you said 'our BD team did go overly aggressive in this particular case.'

That was a mistake, and once discovered, has been corrected. There were some lapse in the release final check and verification procedures, that we will improve.

> It's not related to how other company do things, it's about how we do things under Mozilla's brand.

It may sound logical but to state this in an absolutely way is totally naive. We never do things in complete isolation. We have been forced to do untold number of things because actions on the part of others. If your opponents fight dirty, sometimes you have to fight back dirty. Of course you can choose to stay high moral and clean and healthy and play hero all you want, but the day you cease to exist, you no longer matter. There is a delicate balance here, and that is still being found out.

As for the policy questions, I will leave it other forum members to comment.

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

[Rubén Martín]

Hi,

I had to read all the messages twice to understand the problem. If I
understand correctly:

- Mozilla Online offers a custom China Firefox version.
- This version includes a default bookmark on quick dial thumbnails.
- This link points to a site with an affiliate code.
- The code included a joke message "do some evil here".
- Tech press was alarmed because of this and some recent problems in
China about adware moving traffic to pages with affiliates codes.

Irvin, so your concern is about having a custom build for a locale, the
affiliate bookmark, know the rationale of having it or the joke message
that was already removed?

Regards.
--
Rubén Martín (Nukeador)
Mozilla Reps Mentor
http://mozilla-hispano.org
http://twitter.com/mozilla_hispano
http://facebook.com/mozillahispano

[Dirkjan Ochtman]

On Wed, Dec 4, 2013 at 10:33 AM, Rubén Martín
<nuke...@mozilla-hispano.org> wrote:
> I had to read all the messages twice to understand the problem.

Could you please provide a little more context?

Cheers,

Dirkjan

[Irvin Chen]

Hi Rubén,

I'll add some more info to clearly your understanding, with underline __.

- Mozilla Online offers a custom China Firefox version. __and only
provide this version to user on our China website.__
- This version includes a default __extension__ to provide quick dial
__function. (it's a different front page to normal Firefox.)__
- __If user added a link on quick dial to a online market (www.jd.com)
and click that short-cut, it will be automatically redirected through a
affiliate website.__
- The code __which do the redirect__ included a joke message "do some

evil here".
- Tech press was alarmed because of this and some recent problems in
China about adware moving traffic to pages with affiliates codes.


Irvin

On Wed, Dec 4, 2013 at 5:33 PM, Rubén Martín
<nuke...@mozilla-hispano.org>wrote:

[Irvin Chen]

I try to be even more clearly, (sorry for my english ;)

1.
* Local MoCo made their custom build ( other than normal locale build) for
business reason, and only provide download to this custom build on local
website.
* This means, people in China cannot choose to download non-custom zh-CN
Firefox on our China site.

We have to choice between
* "We do provide choice for user, to select between local custom version
and global version" or
* "We only provide local MoCo custom build on local MoCo site"
on this issue.

2.
* We redirect the fastdial shortcut to a online store, which user added,
through a affiliate company, and we earned money form that.
* Although user will not notice they'd been redirected.
* (For ex., It's same behavior as that some website will redirect user's
link to Amazon through SiteTag's affiliates link.)

The policy choice of this issue is that
* "We don't redirect user's saved link in anyway, in order to earn money" or
* "We do redirect user's saved link through some 3rd party website's
service to make money".

[Francesco Lodolo [:flod]]

Il 04/12/13 10:37, Dirkjan Ochtman ha scritto:

> On Wed, Dec 4, 2013 at 10:33 AM, Rubén Martín
> <nuke...@mozilla-hispano.org> wrote:

>> I had to read all the messages twice to understand the problem.

> Could you please provide a little more context?

Same reaction when I read Rubén's message this morning, you may want to
check the spam folder (there should be 4 messages before it, for me all
marked as spam).

Francesco

[Rubén Martín]

So this affiliate thing is similar to the search engine agreements we have,
so when you search from search box Mozilla gets revenue.

But, which is weird from a user point of view, is that a manually added
bookmark adds this affiliate code to get Mozilla revenue and you have no
way to change that.

[Irvin]

Another different to our search engine agreement is that, when you search Google/Yahoo through Firefox’s search box, it’s Google/Yahoo who paid Mozilla for this behavior. But in this case, it’s 3-rd party affiliate company paid to Mozilla, for we redirect user through their service.

(imaging if Bing company paid Mozilla for redirect every user’s Google/Yahoo search through their service. The user maybe will not noticed because redirect happened quickly, but Bing will know when and what user is looking.)

Is it look like we're encourage 3-rd party ad companies to paid us for let them tracking our user?

[Rubén Martín]

2013/12/4 Irvin <ir...@moztw.org>

> Another different to our search engine agreement is that, when you search
> Google/Yahoo through Firefox’s search box, it’s Google/Yahoo who paid
> Mozilla for this behavior. But in this case, it’s 3-rd party affiliate
> company paid to Mozilla, for we redirect user through their service.
>
> (imaging if Bing company paid Mozilla for redirect every user’s
> Google/Yahoo search through their service. The user maybe will not noticed
> because redirect happened quickly, but Bing will know when and what user is
> looking.)
>
> Is it look like we're encourage 3-rd party ad companies to paid us for let
> them tracking our user?
>

Uhm, that sounds bad, *really* bad.

What chanet.com.cn does with the data, which kind of data is collected?
What's the aggregated value this redirect offers to the users? How does a
redirect generates revenue? Do they add ads?

For example, we use tracking links on the newsletter emails, but I assume
it's for analytics purposes and for users that accepted the newsletter
privacy policy. In this case, the tracking is added to a manually added
bookmark sending data to a third party.

Does the China version have a different privacy policy than regular
Firefox? Are they informed about it before downloading? Are we cool with
this?

All this sounds very un-mozilla.

[Li Gong]

This incident is NOT about privacy and date collection at all. This is about traffic credit. Do not want to dive too much into the details and complexities due to all the parties involved, but one more significant problem worth pointing out is that some of the big affiliates owners in China who are supposed to pay for traffic (because that is what affiliates are for) are actively trying to avoid paying people (including us). Sometimes one is forced to work with one of "their" third-parties. Other times it is cat and mouse game. Basically, unless you are here and know what's going on, it is very hard to armchair general about how to deal with it. (However, I want to note that this incident itself is not a general "grab all traffic" thing; it was aimed at a particular affiliate for a particular situation at a particular time. Again, that slipped thru, got noted later, and amended.)

Coming back to the privacy policy, we have the same privacy policy as other parts of Mozilla. Whether one can enforce such policies in China, it is anyone's guess. For example, if you want to have the same level of guarantees at Baidu as what you may have at Google, then you cannot work with Baidu, because they just do not provide that sort of guarantees (whether they intentionally want to avoid that responsibility or they simply do not see reason to even discuss it, hard to figure out why -- like, in certain countries people do not eat dog meat and in places people do -- but Baidu does not have to). But even with Google providing guarantees on paper, there could be untold number of Snowdens out there waiting to tell their stories.

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

[Li Gong]

Irvin,

> * This means, people in China cannot choose to download non-custom zh-CN Firefox on our China site.

You are incorrect again. People *can* choose to download any version they want. There is "other languages and editions" button right below the download button, where you could find all the 70+ versions of Firefox that are built routinely. Moreover, if a user chooses the locally built version, they can also configure which add ons they would have installed or not have installed. So, there are choices.

Thanks,

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

On Dec 4, 2013, at 6:11 PM, Irvin Chen <ir...@moztw.org> wrote:

> I try to be even more clearly, (sorry for my english ;)
>
> 1.
> * Local MoCo made their custom build ( other than normal locale build) for business reason, and only provide download to this custom build on local website.
> * This means, people in China cannot choose to download non-custom zh-CN Firefox on our China site.
>
> We have to choice between
> * "We do provide choice for user, to select between local custom version and global version" or
> * "We only provide local MoCo custom build on local MoCo site"
> on this issue.
>
> 2.
> * We redirect the fastdial shortcut to a online store, which user added, through a affiliate company, and we earned money form that.
> * Although user will not notice they'd been redirected.
> * (For ex., It's same behavior as that some website will redirect user's link to Amazon through SiteTag's affiliates link.)
>
> The policy choice of this issue is that
> * "We don't redirect user's saved link in anyway, in order to earn money" or
> * "We do redirect user's saved link through some 3rd party website's service to make money".
>
> Irvin
>
>
>
>
>
> On Wed, Dec 4, 2013 at 5:48 PM, Irvin Chen <ir...@moztw.org> wrote:
> Hi Rubén,
>
> I'll add some more info to clearly your understanding, with underline __.

> Mozilla Online offers a custom China Firefox version. __and only provide this version to user on our China website.__

> This version includes a default __extension__ to provide quick dial __function. (it's a different front page to normal Firefox.)__

> __If user added a link on quick dial to a online market (www.jd.com) and click that short-cut, it will be automatically redirected through a affiliate website.__

> The code __which do the redirect__ included a joke message "do some evil here".

> Tech press was alarmed because of this and some recent problems in China about adware moving traffic to pages with affiliates codes.
>
> Irvin
>

> On Wed, Dec 4, 2013 at 5:33 PM, Rubén Martín <nuke...@mozilla-hispano.org> wrote:
> Hi,
>
> I had to read all the messages twice to understand the problem. If I understand correctly:

> Mozilla Online offers a custom China Firefox version.

> This version includes a default bookmark on quick dial thumbnails.

> This link points to a site with an affiliate code.

> The code included a joke message "do some evil here".

> Tech press was alarmed because of this and some recent problems in China about adware moving traffic to pages with affiliates codes.
> Irvin, so your concern is about having a custom build for a locale, the affiliate bookmark, know the rationale of having it or the joke message that was already removed?
>

> Regards.
>
> --
> Rubén Martín (Nukeador)
> Mozilla Reps Mentor
> http://mozilla-hispano.org
> http://twitter.com/mozilla_hispano
> http://facebook.com/mozillahispano
>
>
>

[Gijs Kruitbosch]

On 04/12/13, 09:06 , Li Gong wrote:
>> The point is that we do redirect the user's link for some affiliate program in Firefox China build, as you said 'our BD team did go overly aggressive in this particular case.'
>
> That was a mistake, and once discovered, has been corrected. There were some lapse in the release final check and verification procedures, that we will improve.

Something which is not clear to me: does the most current, publicly
available version of "Firefox China" (including the extension) still
exhibit the behaviour as described, modifying user-created
shortcuts/bookmarks/whatever to insert an affiliate code?

From the emails, it is not clear to me whether just the "joky" comment
was removed, or whether the code was changed to no longer do this.

~ Gijs

[Gijs Kruitbosch]

On 04/12/13, 09:06 , Li Gong wrote:

>> The point is that we do redirect the user's link for some affiliate program in Firefox China build, as you said 'our BD team did go overly aggressive in this particular case.'
>
> That was a mistake, and once discovered, has been corrected. There were some lapse in the release final check and verification procedures, that we will improve.

[Gijs Kruitbosch]

On 04/12/13, 09:06 , Li Gong wrote:

>> The point is that we do redirect the user's link for some affiliate program in Firefox China build, as you said 'our BD team did go overly aggressive in this particular case.'
>
> That was a mistake, and once discovered, has been corrected. There were some lapse in the release final check and verification procedures, that we will improve.

[Li Gong]

Both the code and the "joky" msg are removed.

Thanks,

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

On Dec 4, 2013, at 8:46 PM, Gijs Kruitbosch <gijskru...@gmail.com> wrote:

> On 04/12/13, 09:06 , Li Gong wrote:

>>> The point is that we do redirect the user's link for some affiliate program in Firefox China build, as you said 'our BD team did go overly aggressive in this particular case.'
>>
>> That was a mistake, and once discovered, has been corrected. There were some lapse in the release final check and verification procedures, that we will improve.
>

[Li Gong]

Both the code and the "joky" msg are removed.

Thanks,

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

On Dec 4, 2013, at 8:46 PM, Gijs Kruitbosch <gijskru...@gmail.com> wrote:

> On 04/12/13, 09:06 , Li Gong wrote:

>>> The point is that we do redirect the user's link for some affiliate program in Firefox China build, as you said 'our BD team did go overly aggressive in this particular case.'
>>
>> That was a mistake, and once discovered, has been corrected. There were some lapse in the release final check and verification procedures, that we will improve.
>

[Pascal Chevrel]

Le 04/12/2013 13:49, Li Gong a ï¿œcrit :

> Both the code and the "joky" msg are removed.
>
> Thanks,
>

Hi,

How was this code reviewed before landing in our product?

Thanks,

Pascal

[Irvin Chen]

Hi,

On Wed, Dec 4, 2013 at 8:28 PM, Li Gong <lg...@mozilla.com> wrote:

> Irvin,
>
> * This means, people in China cannot choose to download non-custom zh-CN
> Firefox on our China site.
>
>
> You are incorrect again. People *can* choose to download any version they
> want. There is "other languages and editions" button right below the
> download button, where you could find all the 70+ versions of Firefox that
> are built routinely. Moreover, if a user chooses the locally built version,
> they can also configure which add ons they would have installed or not have
> installed. So, there are choices.
>

Good to know that user do have way to choice, that's my mistake that I
didn't notice this.

Verified that if user know the Firefox on firefox.com.cn is a custom build
(we didn't indicate that they're using a different version in any place,
right?) and they want to get a global version, they can click the "other
system and language" link below the big green button, and click "select the
language pack you want" link in next screen, then they can find the
non-custom version of zh-CN Firefox in all language list.

On my opinion, the approach on mozilla.com.tw (indicate "Taiwan Version" on
big green button, and implement a "you can also download global version"
link) is better then current way.

Also, I still notice that the choice is not provided on mozilla.com.cn ,
maybe we can fixed that also.

>
> Thanks,
>
> Li
> --
> Li Gong (宫力), PhD
> Senior VP of Mobile Devices &
> President of Asia Operations &
> CEO of Mozilla China/Taiwan
> Mozilla Corporation
>

>> - Mozilla Online offers a custom China Firefox version. __and only

>> provide this version to user on our China website.__

>> - This version includes a default __extension__ to provide quick dial

>> __function. (it's a different front page to normal Firefox.)__

>> - __If user added a link on quick dial to a online market (www.jd.com)

>> and click that short-cut, it will be automatically redirected through a
>> affiliate website.__

>> - The code __which do the redirect__ included a joke message "do some
>> evil here".
>> - Tech press was alarmed because of this and some recent problems in

>> China about adware moving traffic to pages with affiliates codes.
>>
>>
>> Irvin
>>
>> On Wed, Dec 4, 2013 at 5:33 PM, Rubén Martín <
>> nuke...@mozilla-hispano.org> wrote:
>>
>>> Hi,
>>>
>>> I had to read all the messages twice to understand the problem. If I
>>> understand correctly:
>>>

>>> - Mozilla Online offers a custom China Firefox version.
>>> - This version includes a default bookmark on quick dial thumbnails.
>>> - This link points to a site with an affiliate code.
>>> - The code included a joke message "do some evil here".
>>> - Tech press was alarmed because of this and some recent problems in

[Monica Chew]

Hello Li,

> This incident is NOT about privacy and date collection at all.

I respectfully disagree. Although the business reason for using the affiliate may have been traffic credit, privacy and data collection issues go hand-in-hand with redirecting traffic through third parties. I would like to encourage the BD team to talk to privacy folks at Mozilla when deciding to make one of these deals. Please see the "Trusted third parties" item at http://www.mozilla.org/en-US/privacy/.

> Coming back to the privacy policy, we have the same privacy policy as other
> parts of Mozilla. Whether one can enforce such policies in China, it is
> anyone's guess.

A very good point, and one that is true everywhere, not just in China.

Regards,
Monica

[L. David Baron]

On Wednesday 2013-12-04 15:32 +0800, Li Gong wrote:
> Indeed we discovered the "joker" msg in the same way, and have
> removed that part with an update. Joking aside, there are many
> complicated sides to this situation, some of which you may or may
> not be familiar with. In recent months, there are many severe
> cases of traffic hijacking in China, prompted in part by various
> promotional programs run by some large companies (whose names I
> shall not name here right now). For example, a media player, once
> installed, will change installed browser behavior so that all
> browser traffic for some type get credited to the media company,
> which will then obtain money from the beneficiary of that type of
> traffic. There are many such cases, especially this year. We are
> caught between some big land grab/battle among major internet
> companies in China, coupled with everything-goes techniques. If we
> do nothing and just stand there, we will be reduced out of any
> significance or influence.

How does our significance or influence depend on acting in this way?
Is it because of revenue that Mozilla China earns through Firefox
being credited as the source of traffic to sites? Or other reasons?

> Having said that, our BD team, in counter-attack or maybe better
> described as self-defense, did go overly aggressive in this
> particular case. Once we are aware of the situation, it has been
> immediately corrected. The teams and actual members involved are
> definitely learning lessons from this episode. We continue to
> watch closely over such sensitive areas and hopefully we won't
> make the same mistake again.

My understanding of what I've read in this thread is that Mozilla
China distributed builds had code that rewrote user-added bookmarks
to redirect them through another site, and thus somehow gain revenue
from the referral. So, based on that understanding, which might be
wrong:

Self-defense seems like ensuring that the traffic that we direct is
properly accounted for. (Defending others -- that is, ensuring that
other bookmarks or links don't get incorrectly reattributed -- also
seems like a reasonable move.) But changing a bookmark that a user
has made seems to go beyond self-defense.

But based on the reactions of others, it seems like I'm not the only
person having trouble understanding what happened here. I think it
would help other parts of the Mozilla community to better understand
the situation in China that you're describing, and what we're doing
there. For example: what mechanisms are being used for the
"crediting" of traffic, and what mechanisms are being used to
"hijack" that crediting or hijack traffic in other ways?

-David

--
𝄞 L. David Baron http://dbaron.org/ 𝄂
𝄢 Mozilla https://www.mozilla.org/ 𝄂
Before I built a wall I'd ask to know
What I was walling in or walling out,
And to whom I was like to give offense.
- Robert Frost, Mending Wall (1914)

[Li Gong]

In this part of the world, and probably true elsewhere, influence (in market) means market share, user numbers, net traffic, and revenue.

Self defense in part because the ultimate payer (the company that pays for traffic) in this particular case has been trying not to pay for for legitimate traffic so there was a "get back from them" element.

How the Internet functions in China would be considered highly complicated and unusual from a Silicon Valley perspective. Just to illustrate -- a vendor could send out (or sell) software that changes settings on completely unrelated software from another vendor; competing vendors vie to delete or disable each others software, publicly; a vendor could display via pop up a personal attack message on the CEO of its opponent company; a vendor could send another vendor to jail. All basically free of any constraints legal and otherwise. And we, once damaged, would practically have no recourse. And by vendors I mean largest Internet players, not bit players. And if the above are "doable", imagine what else are being done everyday.

Li
--
Li Gong (宫力), PhD
Senior VP of Mobile Devices &
President of Asia Operations &
CEO of Mozilla China/Taiwan
Mozilla Corporation

[Irvin Chen]

I want to narrow down the discussion to the finance revenue way for this
specific case, because what Dr. Li's sharing on "self-defanse" and how bad
behavior China internet companies can play, looks not so related to the
problem we have now. People play dirty game, not means we have necessary to
play it the same way.

I understand our colleagues in China is fighting a difficult war, faced
many strong and powerful opponent. No doubt they'll need enough bullet for
that. But the real point is that, what kind of the money we're using to
purchase those bullet.

There is a line laid in the middle of sensitive areas, of protect user's
privacy and gain revenue, which indicate the "Mozilla's Principle". It
maintains
the user's trust of our behavior, once we cross the line, we'll easily to
be judged as "the same company to do evil for profit as others". No-matter
where on the world we're standing, it's not what we'd like the Mozilla's
brand, and Mozillians to be treated as.

Although it cannot easily to clarify the boundaries, we have Privacy
principles and Manifesto to guide us once we faced the decision. Take this
case (redirect user's traffic through 3rd party to gain revenue) as
instance, it seems to counterpart our Privacy Policy[1],

* No Surprises - Only use and share information about our users for their
benefit and as spelled out in our notices.
* Real Choices - Educate users whenever we collect any personal information
and give them a choice whenever possible.
* User Control - Do not disclose personal user experience without the
user's consent. Innovate, develop and advocate for privacy enhancements
that put users in control of their online experiences.

We can also find it's related to the following Manifesto[2] clause of,

* Individuals’ security on the Internet is fundamental and cannot be
treated as optional.
* Commercial involvement in the development of the Internet brings many
benefits; a balance between commercial goals and public benefit is critical.


Thus this is my conclusion and suggest policy to prevent this 'incident'
for future,

"The revenue which gain from redirecting user traffic through 3rd party web
service, without notice to user in advance and provide an opt-out option,
is a non-moral money for Mozilla to earned."

It should be obvious and self-explained, and I believe Dr. Li will also
agree in this concept, or why shall we removed that part of code, after the
news broke out?

Irvin
MozTW, Taiwan community


[1] http://www.mozilla.org/en-US/privacy/
[2] http://www.mozilla.org/en-US/about/manifesto/

On Thu, Dec 5, 2013 at 8:51 AM, Li Gong <lg...@mozilla.com> wrote:

> In this part of the world, and probably true elsewhere, influence (in
> market) means market share, user numbers, net traffic, and revenue.
>
> Self defense in part because the ultimate payer (the company that pays for
> traffic) in this particular case has been trying not to pay for for
> legitimate traffic so there was a "get back from them" element.
>
> How the Internet functions in China would be considered highly complicated
> and unusual from a Silicon Valley perspective. Just to illustrate -- a
> vendor could send out (or sell) software that changes settings on
> completely unrelated software from another vendor; competing vendors vie to
> delete or disable each others software, publicly; a vendor could display
> via pop up a personal attack message on the CEO of its opponent company; a
> vendor could send another vendor to jail. All basically free of any
> constraints legal and otherwise. And we, once damaged, would practically
> have no recourse. And by vendors I mean largest Internet players, not bit
> players. And if the above are "doable", imagine what else are being done
> everyday.
>
> Li
>
>

[Robert Kaiser]

Li Gong schrieb:

>> It's not related to how other company do things, it's about how we do things under Mozilla's brand.
>
> It may sound logical but to state this in an absolutely way is totally naive.

Be careful here, because there are actually "absolutes" around at
Mozilla in some way, as you know.
Principle 5 in the Mozilla Manifesto for example says:
"Individuals must have the ability to shape their own experiences on the
Internet."

Now one may very well argue that redirecting users' personal bookmarks
without any knowledge on their side possibly breaking that pretty
absolute statement.

I know China is very different and probably hard to understand for me
and a lot of other people in this thread, but we need to be careful
there as even actions in China can weaken what our brand stands for in
other countries.

Robert Kaiser

[pika...@gmail.com]

Hi everyone, just here to provide some (useless) info:

* The WOT reputation of the redirected site(just for reference):
* https://www.mywot.com/en/scorecard/chanet.com.cn
* I really thought that Firefox allways stands much more at the users side than the "success" side
* Not learned much about Javascript(or any language the "patch" based on), but the code seems to try hiding its redirection activity to users, not something I would like to expect.

Ｖ字龍(Vdragon) <pika...@gmail.com>
Mozillian, part of Mozilla Taiwan community, student of NTOU, Ingress Enlightened player.

[cere...@gmail.com]

" There is "other languages and editions" button right below the download button, where you could find all the 70+ versions of Firefox that are built routinely.
"

This is called a choice.

In the cn site,you SHOULD provide direct link to the IDENTICAL installation packages with the ones which can be found in the official archive site.

https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

You knows IDENTICAL very well:

The same content with binary precision.
The same encapsulation that you can neither use your installation package nor your signing certificate.

Currently your product fails to comply with them.

在 2013年12月4日星期三UTC+8下午8时28分59秒，Li Gong写道：

[Gervase Markham]

On 04/12/13 08:06, Li Gong wrote:
> It may sound logical but to state this in an absolutely way is
> totally naive. We never do things in complete isolation. We have been
> forced to do untold number of things because actions on the part of
> others. If your opponents fight dirty, sometimes you have to fight
> back dirty. Of course you can choose to stay high moral and clean and
> healthy and play hero all you want, but the day you cease to exist,
> you no longer matter. There is a delicate balance here, and that is
> still being found out.

If there are companies out there modifying Firefox links to include
affiliate identifiers to that they get extra money, how does it hinder
or stop them for us to engage in the same behaviour?

If we engage in this behaviour, it seems like this is less "fighting
back dirty" and more "joining in on the opposition's side".

> As for the policy questions, I will leave it other forum members to
> comment.

I would have no problem whatsoever with Mozilla issuing a statement
which says: "We will never insert affiliate or tracking IDs into a
user's links or bookmarks without their explicit consent." I can't think
of a situation where that would ever be justified.

Gerv

[Axel Hecht]

One aspect of the situation that's unclear to me is if the bookmark link
we're talking about is actually our addition to the default bookmarks.
From the context, I think it might very well be.

If it was, I think it'd be fine for us to track its performance, with
explicit flags.

Given that you can't edit links from the default bookmarks after profile
creation, I can see why it's tempting to do so after the fact.

PS: There's some overlap between this and the mistakes we did back in
2004 with tracking the performance of the eBay plugin in the German
version. It'd obviously be great if we don't need to learn that lesson
every 10 years, but I can also relate to how easy it is to fall into a
trap like this.

Axel

[Irvin Chen]

Hi, as I know it's not a default bookmark, it'll modify
the user added shortcut link (on the bundle' fast dial addon)

Axel Hecht 於 2013年12月9日星期一寫道：

>
> One aspect of the situation that's unclear to me is if the bookmark link
> we're talking about is actually our addition to the default bookmarks. From
> the context, I think it might very well be.
>
> If it was, I think it'd be fine for us to track its performance, with
> explicit flags.
>
> Given that you can't edit links from the default bookmarks after profile
> creation, I can see why it's tempting to do so after the fact.
>
> PS: There's some overlap between this and the mistakes we did back in 2004
> with tracking the performance of the eBay plugin in the German version.
> It'd obviously be great if we don't need to learn that lesson every 10
> years, but I can also relate to how easy it is to fall into a trap like
> this.
>
> Axel

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance
>

[Majken Connor]

So it's something like this?
https://addons.mozilla.org/en-US/firefox/addon/fast-dial-5721/

[Irvin Chen]

Yeah, the Firefox China ver and Taiwan ver come with a similar addon to
implement this, but it's likely not putting on the AMO. You may download
from here if you'd like to try,
http://g-fox.cn/chinaedition/addons/cehomepage-ii/cehomepage-0.9.36.xpi

Majken Connor 於 2013年12月10日星期二寫道：

[Chris Peterson]

On 12/9/13, 10:26 AM, Axel Hecht wrote:
> One aspect of the situation that's unclear to me is if the bookmark link
> we're talking about is actually our addition to the default bookmarks.
> From the context, I think it might very well be.

For the curious, here is a screenshot of the addon's "do some evil here"
code:

http://i.imm.io/1kHUM.jpeg

And the original thread that identified the addon behavior:

http://bbs.kafan.cn/thread-1655820-1-1.html


chris

[Chris Peterson]

On 12/9/13, 6:32 AM, Gervase Markham wrote:
> If there are companies out there modifying Firefox links to include
> affiliate identifiers to that they get extra money, how does it hinder
> or stop them for us to engage in the same behaviour?
>
> If we engage in this behaviour, it seems like this is less "fighting
> back dirty" and more "joining in on the opposition's side".

I don't think Mozilla should "fight fire with fire". Rewriting users'
bookmarks to inject our own affiliate ID is clearly not "self defense"
because that "feature" provides zero protection against malware from
rewriting our rewritten URLs.

Instead Mozilla should shine light on these companies' unscrupulous
behavior and win users with respectful privacy solutions. For example,
Firefox could include features like encrypted profiles (unlocked into
memory by "logging into Firefox") or cloud-based bookmarks (as part of
Firefox Accounts) to prevent tampering.


chris

[Chris Peterson]

On 12/17/13, 6:52 PM, Chris Peterson wrote:
> For the curious, here is a screenshot of the addon's "do some evil here"
> code:
>
> http://i.imm.io/1kHUM.jpeg

To avoid linkrot, here is a copy of the addon's code snippet:


_itemMigration: function(aItem) {
switch(aItem.url) {
case "http://www.jd.com/":
case "http://jd.com/":
let countryCode = GeoIP.info.country_code;
let region = GeoIP.info.region;

if (countryCode && region) {
if (!(countryCode == "CN" && region == "22")) {
// do some evil here
let newUrl =
"http://count.chanet.com.cn/click.cgi?a=498315&d=365155&u=&e=&url=http%3A%2F%2Fwww.jd.com";

// avoid the generated blank thumbnail
if (!this.PageThumbsStorage) {
Cu.import("resource://ntab/PageThumbs.jsm");
}
PageThumbsStorage.copy(aItem.url, newUrl);

aItem.url = newUrl;
}
}
break;
default:
break;
}


CN region 22 is Beijing, so the region check above specifically avoids
rewriting jd.com URLs for users in Beijing.


chris

[Asa Dotzler]

On 12/17/13, 8:30 PM, Chris Peterson wrote:
> Instead Mozilla should shine light on these companies' unscrupulous
> behavior and win users with respectful privacy solutions.

I think this could be an Western biased view. Why do you believe that
Chinese users will be receptive to those kinds of messages? My limited
experience suggests that, in general, they won't be.

I know that sounds strange, but China is a different world. I'm not
endorsing what happened here, and I have no problem with people calling
it out, but I'm fairly confident that strategery for and from the West
isn't going to be a winning approach in China.

- A

[Ehsan Akhgari]

On 12/18/2013, 5:03 PM, Asa Dotzler wrote:
> On 12/17/13, 8:30 PM, Chris Peterson wrote:

> > Instead Mozilla should shine light on these companies' unscrupulous
> > behavior and win users with respectful privacy solutions.
>

> I think this could be an Western biased view. Why do you believe that
> Chinese users will be receptive to those kinds of messages? My limited
> experience suggests that, in general, they won't be.

In that case Mozilla should do nothing. What you said is not an
argument for fighting fire with fire.

> I know that sounds strange, but China is a different world. I'm not
> endorsing what happened here, and I have no problem with people calling
> it out, but I'm fairly confident that strategery for and from the West
> isn't going to be a winning approach in China.

That may be true, but it doesn't mean that we should get down at the
same level of the other side in this battle.

Cheers,
Ehsan

[Asa Dotzler]

On 12/18/13, 8:35 PM, Ehsan Akhgari wrote:
> On 12/18/2013, 5:03 PM, Asa Dotzler wrote:
>> On 12/17/13, 8:30 PM, Chris Peterson wrote:

>> > Instead Mozilla should shine light on these companies' unscrupulous
>> > behavior and win users with respectful privacy solutions.
>>

>> I think this could be an Western biased view. Why do you believe that
>> Chinese users will be receptive to those kinds of messages? My limited
>> experience suggests that, in general, they won't be.
>
> In that case Mozilla should do nothing. What you said is not an
> argument for fighting fire with fire.

Is this addressed to me? I did not make and do not claim any such
argument or prescription.

>> I know that sounds strange, but China is a different world. I'm not
>> endorsing what happened here, and I have no problem with people calling
>> it out, but I'm fairly confident that strategery for and from the West
>> isn't going to be a winning approach in China.
>
> That may be true, but it doesn't mean that we should get down at the
> same level of the other side in this battle.

Where have I suggested anything like this?

- A

[Ehsan Akhgari]

On 12/18/2013, 11:49 PM, Asa Dotzler wrote:
> On 12/18/13, 8:35 PM, Ehsan Akhgari wrote:
>> On 12/18/2013, 5:03 PM, Asa Dotzler wrote:
>>> On 12/17/13, 8:30 PM, Chris Peterson wrote:

>>> > Instead Mozilla should shine light on these companies' unscrupulous
>>> > behavior and win users with respectful privacy solutions.
>>>

>>> I think this could be an Western biased view. Why do you believe that
>>> Chinese users will be receptive to those kinds of messages? My limited
>>> experience suggests that, in general, they won't be.
>>
>> In that case Mozilla should do nothing. What you said is not an
>> argument for fighting fire with fire.
>
> Is this addressed to me? I did not make and do not claim any such
> argument or prescription.

You argued that Chris' point is coming from a western point of view and
won't work on Chinese users, and I suggested that if that's true, then
we should have done nothing.

Cheers,
Ehsan

[Irvin Chen]

On Thu, Dec 19, 2013 at 6:03 AM, Asa Dotzler <a...@mozilla.com> wrote:

> On 12/17/13, 8:30 PM, Chris Peterson wrote:

> > Instead Mozilla should shine light on these companies' unscrupulous
> > behavior and win users with respectful privacy solutions.
>

> I think this could be an Western biased view. Why do you believe that
> Chinese users will be receptive to those kinds of messages? My limited
> experience suggests that, in general, they won't be.
>

I don't believe the users can't distinguish what is the right and what is
wrong way to make profit, whether in China or in other place, otherwise we
won't see the threads to discover the issue and the news about it.

In the original thread with contains more than 130 responses, I see the
users' response considered MoCo and MoFo as different body, people show
their understand for our corp's profitable way (even if it's seems a little
bit 'scamp way' - from one of the user's reply[1]).

At least some of the Chinese users does felt the message that part of
Mozilla would do things wrong.

Many of the users (who had understand the existence of different 'Firefox
China build') had admit they choose to download 'international version'
instead of 'China build' from our .org site, and encourage other people to
do so [2][3]. The similar user's behavior of choice also happened in
Taiwan, after MoCo-TW begin to ship "Firefox Taiwan ver.", and been
discovered some of behavior tracking codes in the bundled extension.

I believed user can and will choose for their own good, if we do reveal the
difference and provide them choice, no matter is in China or in elsewhere.

I know that sounds strange, but China is a different world. I'm not
> endorsing what happened here, and I have no problem with people calling it
> out, but I'm fairly confident that strategery for and from the West isn't
> going to be a winning approach in China.
>

The culture is different from west to east, but the user have same relief
on web browsing - safely, faster, and customizable. As China grows, user
also grows and learns more, they'll eventually understand the difference of
what we do and what we said "we're building a product that cares you're a
human being, not based on that you own a wallet'.

I strongly encourage everyone to visit China, get a chance to have direct
communicate/discussion with our local community people (where you can find
them at cnmozilla-...@lists.sourceforge.net ) and users face by
face, and we may discover the right approach toward this world.


>
> - A

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance
>

[1]
http://bbs.kafan.cn/forum.php?mod=viewthread&tid=1655820&page=13#pid30108217
[2]
http://bbs.kafan.cn/forum.php?mod=viewthread&tid=1655820&page=12#pid30093129

Irvin
Taiwan Community

[Asa Dotzler]

On 12/19/13, 7:38 AM, Ehsan Akhgari wrote:
> On 12/18/2013, 11:49 PM, Asa Dotzler wrote:
>> On 12/18/13, 8:35 PM, Ehsan Akhgari wrote:

>>> On 12/18/2013, 5:03 PM, Asa Dotzler wrote:
>>>> On 12/17/13, 8:30 PM, Chris Peterson wrote:

>>>> > Instead Mozilla should shine light on these companies' unscrupulous
>>>> > behavior and win users with respectful privacy solutions.
>>>>

>>>> I think this could be an Western biased view. Why do you believe that
>>>> Chinese users will be receptive to those kinds of messages? My limited
>>>> experience suggests that, in general, they won't be.
>>>

>>> In that case Mozilla should do nothing. What you said is not an
>>> argument for fighting fire with fire.
>>
>> Is this addressed to me? I did not make and do not claim any such
>> argument or prescription.
>
> You argued that Chris' point is coming from a western point of view
> and won't work on Chinese users, and I suggested that if that's true,
> then we should have done nothing.

I made no other argument than calling Chris' approach naive. If you'd
like to engage me in a discussion of what options there are besides "do
nothing" and "fight fire with fire" we can do that, but if you'll
re-read what I wrote, you'll see that I carefully stayed away from
prescriptions because that wasn't the point I thought most important.

My post was intended to point out that the strategies we employ in the
West naively applied to China probably won't work - and nothing more.

- A

[Ehsan Akhgari]

On 12/19/2013, 12:07 PM, Asa Dotzler wrote:
>
> On 12/19/13, 7:38 AM, Ehsan Akhgari wrote:
>> On 12/18/2013, 11:49 PM, Asa Dotzler wrote:
>>> On 12/18/13, 8:35 PM, Ehsan Akhgari wrote:
>>>> On 12/18/2013, 5:03 PM, Asa Dotzler wrote:
>>>>> On 12/17/13, 8:30 PM, Chris Peterson wrote:

>>>>> > Instead Mozilla should shine light on these companies' unscrupulous
>>>>> > behavior and win users with respectful privacy solutions.
>>>>>

>>>>> I think this could be an Western biased view. Why do you believe that
>>>>> Chinese users will be receptive to those kinds of messages? My limited
>>>>> experience suggests that, in general, they won't be.
>>>>
>>>> In that case Mozilla should do nothing. What you said is not an
>>>> argument for fighting fire with fire.
>>>
>>> Is this addressed to me? I did not make and do not claim any such
>>> argument or prescription.
>>
>> You argued that Chris' point is coming from a western point of view
>> and won't work on Chinese users, and I suggested that if that's true,
>> then we should have done nothing.
>
> I made no other argument than calling Chris' approach naive. If you'd
> like to engage me in a discussion of what options there are besides "do
> nothing" and "fight fire with fire" we can do that, but if you'll
> re-read what I wrote, you'll see that I carefully stayed away from
> prescriptions because that wasn't the point I thought most important.
>
> My post was intended to point out that the strategies we employ in the
> West naively applied to China probably won't work - and nothing more.

OK, thanks for the clarification, that's a fair point.

But I also have to say that as a non-westerner myself I often have a
very hard time understanding these types of western/non-western
distinctions, but that discussion can probably happen elsewhere.

Cheers,
Ehsan