Prefer:Safe in Firefox

[Afowler]

Today, we posted the following announcement about a new feature in Firefox called Prefer:Safe to the Mozilla Privacy Blog:

See https://blog.mozilla.org/privacy/2014/07/22/prefersafe-making-online-safety-simpler-in-firefox/

There's a draft spec being discussed this week at the IETF, as well, which you can read here:

See http://tools.ietf.org/html/draft-nottingham-safe-hint-02

Here's the text to the announcement:

Prefer:Safe -- Making Online Safety Simpler in Firefox

Mozilla believes users have the right to shape the Internet and their own experiences on it. However, there are instances when people seek to shape not only their own experiences, but also those of young users and family members whose needs related to trust and safety may differ. To do this, users must navigate multiple settings, enable parental controls, tweak browsers and modify defaults on services like search engines.

We're pleased to announce a smart feature in Firefox for just this type of user called Prefer:Safe, designed to simplify and strengthen the online trust and safety model. Developed in collaboration with a number of leading technologists and companies, this feature connects parental controls enabled on Mac OS and Windows with the sites they visit online via their browser.

How it works:

* Users on Mac OS and Windows enable Parental Controls.
* Firefox sees that the user's operating system is running in Parental Control mode and sends a HTTP header -- "Prefer:Safe" -- to every site and service the user visits online.
* A site or service looking for the HTTP header automatically supports higher safety controls it makes available, including honoring content or functionality restrictions.
* Users won't find any UI in Firefox to enable or disable Prefer:Safe, which becomes one less thing for kids to try to circumvent to disable this control.

Prefer:Safe demonstrates the power and elegance of HTTP headers for empowering users to communicate preferences to websites and online services. This is one reason we've been championing Do Not Track, which is a HTTP header-based privacy signal for addressing third-party tracking under development at the W3C. In this case, no other configurations are necessary at either the browser or search engine level for this user preference to be effective across the Web, which helps ensure the intended online experiences meet user expectations.

We're pleased that Internet Explorer has implemented this feature for their users, which along with Firefox, makes this capability relevant at scale right out of the box. We hope to see broader adoption of this feature in the near future.

For more information about Prefer:Safe, a draft specification has been submitted to the IETF (https://tools.ietf.org/html/draft-nottingham-safe-hint).

[dajbe...@gmail.com]

(deleted previous post as I conflated UI of turning on/off with notification that filtering was taking place)

[Gervase Markham]

On 23/07/14 10:41, dajbe...@gmail.com wrote:
> Again, while this is an elegant technical solution, I'm not sure it
> adequately addresses the *social* and pedagogical issues at stake
> here. Are we helping train a generation of web users to accept
> whatever restrictions they find in place, without question? Are we
> promoting web literacy?
>
> I'd love to discuss this further. :-)

I think that there's definitely a case for Firefox to indicate in the UI
that Prefer:Safe is active, even if (as I think is right) there is no UI
for switching it. We should have that discussion.

Gerv

[Pedro Worcel]

I think this is a great idea, websites that praise themselves for being
responsible around small children can now action on their words.

The fallacy here is that kids are less technically literate than their
parents. I don't think it would be harder for a child to change the boolean
value on about:config (following a web tutorial, which is bound to appear
the minute this feature becomes popular) than to find a switch on the
options. Password protection might be a good step forward! and storing only
a hash of the password on the hard-drive.

Just two cents from my paranoid self. :)

> _______________________________________________
> dev-privacy mailing list
> dev-p...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-privacy
>

[Devdatta Akhawe]

>
> I think that there's definitely a case for Firefox to indicate in the UI
> that Prefer:Safe is active, even if (as I think is right) there is no UI
> for switching it. We should have that discussion.

+1

This reminds me of suggestions to include a "This connection can be
monitored by your network admin" when the SSL Cert roots to a root
added by the admin of the network.

--dev

[Gervase Markham]

On 23/07/14 23:00, Pedro Worcel wrote:
> The fallacy here is that kids are less technically literate than their
> parents. I don't think it would be harder for a child to change the boolean
> value on about:config (following a web tutorial, which is bound to appear
> the minute this feature becomes popular)

I don't think there's a way to change this using about:config.

Gerv

[Pedro Worcel]

> * Users won't find any UI in Firefox to enable or disable Prefer:Safe,
which becomes one less thing for kids to try to circumvent to disable this
control.

Oh, I assumed that this setting was being set in about:config. My apologies.

How is this flag going to be set? or is every version of firefox going to
ship with 'Prefer:safe'

[ky...@kmcnally.net]

On Thursday, July 24, 2014 6:24:21 AM UTC-4, Pedro Worcel wrote:
> > * Users won't find any UI in Firefox to enable or disable Prefer:Safe,
>
> which becomes one less thing for kids to try to circumvent to disable this
>
> control.
>
>
>
> Oh, I assumed that this setting was being set in about:config. My apologies.
>
>
>
> How is this flag going to be set? or is every version of firefox going to
>
> ship with 'Prefer:safe'
>
>

Firefox is looking at the setting at the OS level.

[Gervase Markham]

On 24/07/14 15:58, ky...@kmcnally.net wrote:
> Firefox is looking at the setting at the OS level.

There is a pref called safeHint.enabled:

http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#90

However, this only allows you to enable it without the OS settings, it
doesn't allow you to override the OS. See here:

http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#433

433 if (mSafeHintEnabled || mParentalControlEnabled) {

Note that this is an "OR" test.

As far as I can see, mParentalControlEnabled looks at the OS settings,
and is not overrideable by a pref.

Gerv

[el.cam...@gmail.com]

as a parent of a young child, this sound very interesting. This should certainly be mentioned on Mozilla support, as this page seems quite outdated: https://support.mozilla.org/en-US/kb/block-and-unblock-websites-with-parental-controls

Any chance it comes to Linux soon?

[manis...@gmail.com]

I like this, but I feel that the administrator should be able to turn on Parental settings for an account, but not have it percolate to Firefox. The reason is that Prefer:Safe gives more information to the websites which track you, and, more importantly, it helps scammers tweak their scams to suit their visitors.

Bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1058007

-Manishearth

[benjamin...@gmail.com]

On Monday, August 25, 2014 1:54:30 PM UTC+2, manis...@gmail.com wrote:
> I like this, but I feel that the administrator should be able to turn on Parental settings for an account, but not have it percolate to Firefox. The reason is that Prefer:Safe gives more information to the websites which track you, and, more importantly, it helps scammers tweak their scams to suit their visitors.

I'm with Manish here (well, the bug and the request, not the 'I like this'), but I want to continue from there.

1) This header sends information to every server and there seems to be no way to opt out, for the responsible person (that's Manish's bug). Right now it would leak information, potentially allowing server operators to identify minors easily. It's a privacy leak, you're sharing information behind the back of the parents and admins (let's face it: If it's a feature that you turn on by default, most of the people out there wouldn't notice and start sending this mess).

2) This header is utterly useless, because it cannot do anything of value. If I turn on parental controls that means that I explicitly restricted a machine in a very specific way. It doesn't mean that I want to share that fact with the world, nor does this mean that the (internet) world should change randomly. I question the whole idea here. What would you have websites do when this header is sent? YouPorn should redirect to disney.com? I - as the admin of my network, as a father - might be absolutely fine with a 16yo to watch porn and might consider a block like that stupid, but use parental control features to make sure that the computer isn't keeping that teen awake at 3am. I might consider sites like the NRA offensive (Where should they redirect, what should they hide?).

2 boils down to "There's no moral value system that you can encode in a bool". Restricting a Windows machine to disallow running certain games ("You did something wrong, son. No more Awesomenauts for you for a week") doesn't mean that the internet should know about it and should have _zero_ consequences on the content online (If I wanted that, I'd restrict stuff w/ a filter/proxy).

The whole IETF draft is nonsense, and that's easy to see by its use of quotation marks around "objectionable" and "safe". There's no consensus what that means here. Discussions elsewhere about this announcement/this "feature" in Fx quickly lead to 'COPPA' being used as an excuse, but that's quite a US/NA centric view. Nudity isn't a huge deal in large parts of Europe and a nipple seems (not that I'm an expert of foreign moral systems, but .. hey, neither are you or the website operators) to cause a major scandals in the US. During the Soccer Worldcup in Germany there was a flyer going around that helped US tourists prepare themselves for quite some cultural differences and "Things that you consider okay might be too violent" was on that list, together with the nudity reference before, i.e. "Expect a certain amount of nudity on TV, even during family times".

I summarized this feature elsewhere as asking the YouPorn admins to help with my parenting, to ask the internet to guess my moral boundaries. A "My parents didn't allow me to see unspecified things, take your guess" header. How can that NOT fail?

I'd be glad if you could reconsider this .. feature or at least postpone the introduction until Manish's bug is fixed. That'd still be a wrong opt-out (if you keep the announced behavior) thing instead of a more sensible opt-in - like Do Not Track, but it would be a lot more tolerable.

(Parent of two, although they're too young to browse the net yet: That is, they cannot grasp the concept, the older's not quite two. I'm not keeping them away from it in my role as a parent and discussing the future with my wife usually ends with "We won't do that" - ignoring punitive measures like I listed above, the "So you came home late, no FB for 10 days" way. Education and enlightment > Relying on random people online respecting a random header and doing what I think is best for my kids)

[Pedro Worcel]

I thought "safe" was a nice word for "not porn".

I.e. it will not prevent kids from accessing pages with racially
discriminatory content, but rather, it would prevent kids from accessing
porn. If the porn industry really wanted to respect the wishes of the adult
population, then they would see this header and reject the user, similarly
to how now they have a prompt asking whether you are older than 18.

[benjamin...@gmail.com]

On Monday, August 25, 2014 11:35:17 PM UTC+2, Pedro Worcel wrote:
> I thought "safe" was a nice word for "not porn".

So a Windows machine in a hotel lobby (which might use parental control to restrict users to IE and whatever) means that you're not allowed to look at content that might be considered 'explicit'?
In discussions elsewhere on the net people jumped on this feature and said "YES! My local popular newspaper always includes nude girls on page X, this feature can not make them NOT show that content".

Ignoring the ignorance and the naivety, the setup above means that a mature person might get a filtered view. Not because the administrators of the network want that (they .. didn't opt in, Mozilla thought that it's a great idea to make that decision for them, based on unrelated - "Only able to run IE" - restrictions). That seems off. People can argue numbers ("How many restricted hotel lobbies against how many restricted accounts of minors"), but I'd turn that right around ("How many restricted accounts that somehow, magically, want to have a filtered internet outside of their control").

> I.e. it will not prevent kids from accessing pages with racially
> discriminatory content, but rather, it would prevent kids from accessing
> porn. If the porn industry really wanted to respect the wishes of the adult
> population, then they would see this header and reject the user, similarly
> to how now they have a prompt asking whether you are older than 18.

Right. So .. IF that would be the idea behind this feature, why

- isn't the header called No-Porn: Yes

- is it tied into completely unrelated features of the underlying OS?

- is that considered a good idea? I mean.. I don't know a single person that had no access to porn in their teen years. Parents might decide that they want to fight windmills here, but Mozilla's not in a position to deduce that intention from a random/unrelated OS setting. "Cannot run Counter Strike" doesn't translate to "Should not be allowed to view porn online". It's not the same thing. It's not related. Both are decisions that the parents have to make for their kids, either by regulation (proxies, filters) or by education/social rules/open discussions ("Really, these sites are cheap and that's not real sex. Feel free to check it out and laugh about it, but don't mistake that for the Real Thing(tm)").

The underlying problem remains: The IETF draft already admits that the whole concept is muddy and unclear, that a site 'may' have a 'safe' version and 'should' serve a safe version if that header is present.

Again: The administrator of the machine that is running Fx (=> Parent, in the most common example) is never asked if that is intended. I'd say it probably isn't by default, no.

The IETF draft MIGHT (yeah, not really. Not in my world. But I'm trying to play along and be nice..) make sense in a shared network environment (the draft mentions school networks), where a central proxy might inject that header.

I'd still argue that this is utter BS, because random sites on the web won't (and cannot) guess the school's rules of conduct and what is okay or not here. But that would at least be a somewhat conscious (if misguided) decision made by an admin. The Fx feature forces this crap on random people on the internet, because "It's better for you". This feature cannot increase safety (the IETF draft explicitly states that safe is undefined and that there are risks of disclosing stuff) or trust (Trust? In what? That website operators make sure that the internet is 'clean' for my kids?).

Putting my obvious disgust aside, I would be honestly interested to hear about a use case that lead to this feature. A use case that scales to the world-wide population of Fx users, that is. Why is 'Prefer:Safe' a good idea and a reasonable default for the Fx users in the US of A, Germany, Russia, China, Israel, Iran and Iceland? What study lead to the discovery that says 'If people enable local OS restrictions, they want to share that with the world and would prefer a filtered internet experience, obviously with a magic crystal ball that helps identify the content that isn't 'safe'" in random locations like the ones I mentioned above?

I'm prepared to offer excuses/admit that I'm wrong, but at this point I'd bet that this a) doesn't exist and b) cannot exist, ever.

It's like listening to a US radio show where everything explicit is replaced with a beep. Or like looking at various 'hide your face' rules in Muslim countries. Judging them is easy. I can call out the US for being prude, can bash Islamic states for backwards ideas, but the fact is that I'm and outsider. I have no voice and should just shut up, stop judging other people's life. This latest feature means that Mozilla is now trying to step in a territory where it has no say. Mozilla stands for freedom, choice and diversity, not for cannot-even-opt-out headers for censorship.

What on earth (and again, despite the attitude and my obvious stance in this post, I'm curious) ever made this look like a good idea?

[jba...@gmail.com]

I was just going through the release notes to find out what you've inflicted on me lately, and I found this turkey.

People have already pointed out that this is being set based on OS settings that don't really indicate something like this should happen. Other people have pointed out that it silently changes the Web experience for people who haven't personally opted in, and that is a pretty questionable move ethically. And of course it's obvious that it's not that hard to circumvent this sort of thing.

So I'll just add out that...

First, this isn't going to communicate anything useful, since you don't define what's "safe" or "objectionable", and it's 100 percent guaranteed that the site's guess about that is going to differ from what the user who turned it on thought it would be. Sometimes radically. Of course, users who intentionally turned it on will be just the sort of people who *think* the whole world does or should share their opinions, so there ought to be some amusing fireworks.

Second, this is going to get just about as much legitimate site adoption as do-not-track got. Why would you even dream that sites would bother with this?

Third, the name buys into the foolish and dangerous idea that seeing something on a screen can be "unsafe".

Fourth, you are signalling scam sites that a potentially gullible person may be on the other end of the line, and you are signalling troll sites that they can get a rise out of people by putting up "objectionable" content.

I think I'll set up my own site to notice the header and redirect to instructions on evading parental controls.

You guys need to stop wasting resources on obviously doomed non-features like this, stop making pointless UI changes all the time, and get to work on cleaning up the core code of your browser. When can I expect process-per-tab? When do you plan to go a whole release with no critical security bugs?

[Brendan Eich]

sokup...@gmail.com wrote:
> When do you plan to go a whole release with no critical security bugs?

The rest of your message hit some targets, but this is a cheap shot.
Name one living, used-by-enough-people-to-target browser that has done that.

It's a lofty goal and one Rust and Servo were developed to help hit, but
anyone promising it is selling you snake oil. That you demand it as if
it were both nearly in reach and credible to claim *for any browser*
undermines the rest of your post.

/be

[jba...@gmail.com]

Fair point, Mr. Eich. Everything has bugs.

What I should have said was something more like "could you please put these resources into improving security, instead"?

Sorry. My whole post was too hotheaded.

[beezl...@gmail.com]

Please see this question I posted on the support forums:

https://support.mozilla.org/en-US/questions/1023771

This is a very heavy-handed approach you're taking with this. I do not want to filter what my kids see on the web. The only reason I have parental controls enabled is to enforce time limits on the computer use.

The only options I have to get around this are to either disable parental controls (unacceptable), or to tell them to use Google Chrome, which does not exhibit this behavior.

I don't mind that you're adding this feature. But you either need to put something in so that it can be disabled, or only make it take effect if any web content restrictions are applied. If there are no content restrictions, do not send the header.

[deba...@gmail.com]

This setting is incredibly annoying. It blocks things that aren't remotely "inappropriate" that my parents do not mind me watching. How can I turn this off? It doesn't even block anything inappropriate! Is it just stuck permanently on here, and can't be disabled?

[Bil Corry]

I just ran into this - my son was trying to watch a Minecraft-related Youtube video and because Firefox sends the Prefer:Safe header, YouTube wouldn't let him watch it. So I installed Chrome and now he doesn't have any issues with content being blocked. Interesting that Chrome doesn't support it, but YouTube does. Seems that Google found the sweet spot.

Good luck with the feature.


- Bil

[Pedro Worcel]

Since people having issues with this seem to be finding this thread, it may
be a good place to document how to change the windows setting in order to
disable this feature.

I am not an expert, but would it be correct saying that if parental
controls are disabled on Windows then firefox will ignore prefer:safe?

2014-10-08 8:43 GMT+13:00 Bil Corry <bil....@owasp.org>:

> I just ran into this - my son was trying to watch a Minecraft-related
> Youtube video and because Firefox sends the Prefer:Safe header, YouTube
> wouldn't let him watch it. So I installed Chrome and now he doesn't have
> any issues with content being blocked. Interesting that Chrome doesn't
> support it, but YouTube does. Seems that Google found the sweet spot.
>
> Good luck with the feature.
>
>
> - Bil
>
> -----Original Message-----
> From: dev-privacy [mailto:dev-privacy-bounces+bil.corry=
> owas...@lists.mozilla.org] On Behalf Of beezl...@gmail.com
> Sent: Sunday, October 05, 2014 8:57 PM
> To: dev-p...@lists.mozilla.org
> Subject: Re: Prefer:Safe in Firefox
>

[Doug Turner]

This is only enabled in child protected accounts. Do you think you want a preference (via about:config) to disable this feature?

> On Oct 7, 2014, at 2:30 PM, Pedro Worcel <pe...@worcel.com> wrote:
>
> Since people having issues with this seem to be finding this thread, it may
> be a good place to document how to change the windows setting in order to
> disable this feature.
>
> I am not an expert, but would it be correct saying that if parental
> controls are disabled on Windows then firefox will ignore prefer:safe?
>
> 2014-10-08 8:43 GMT+13:00 Bil Corry <bil....@owasp.org>:
>
>> I just ran into this - my son was trying to watch a Minecraft-related
>> Youtube video and because Firefox sends the Prefer:Safe header, YouTube
>> wouldn't let him watch it. So I installed Chrome and now he doesn't have
>> any issues with content being blocked. Interesting that Chrome doesn't
>> support it, but YouTube does. Seems that Google found the sweet spot.
>>
>> Good luck with the feature.
>>
>>
>> - Bil
>>
>> -----Original Message-----
>> From: dev-privacy [mailto:dev-privacy-bounces+bil.corry=
>> owas...@lists.mozilla.org] On Behalf Of beezl...@gmail.com
>> Sent: Sunday, October 05, 2014 8:57 PM
>> To: dev-p...@lists.mozilla.org
>> Subject: Re: Prefer:Safe in Firefox
>>