Update to Firefox Hello Privacy Notice

[el...@mozilla.com]

Hi everyone,

We would like to update our Privacy Notice for Firefox Hello[1], to reflect our usage of Google Analytics and Optimizely for analytics and inform users how to opt-out. Our use of these analytics was already part of our Privacy Notice for all Mozilla websites[2][3], but we wanted to make it clear that this included Firefox Hello. We also wanted to make sure users were provided notice of the opt-out mechanisms for each. Below is the language that we are adding:

* **Analytics**: We may also use cookies and third party services to help us understand in the aggregate how users engage with Hello. We use:

* Google Analytics, which places a cookie on your device, to obtain metrics on how users engage with Hello. This helps us to improve the Hello service.

* Optimizely, which places a cookie on your device, to help us test variations of Hello. This helps us offer better experiences to Hello users.

---------------------------------------

You can control individual cookie preferences and opt-out of web analytics and
optimization tools. Learn More

* **Cookie History**: You can accept or decline individual cookies in the preferences
in the appropriate settings within your web browser. For Firefox, this can be
found in the Tools/Options/Privacy history section. Note that certain features
of Hello may not function properly without the aid of cookies.

* **Analytics & Optimization**: If you do not want data about your interaction with
Hello to be collected by Google Analytics, you can install the Google Analytics
Opt-out Browser Add-on. The add-on keeps your visits anonymous and prohibits
data transmission to Google Analytics. If you do not want data about your
interaction with Hello to be collected by Optimizely, you can opt-out by
visiting Optimizely's opt-out website for more information.

You can also see the changes to the privacy policy on Github[4], which we are targeting for November 30, and we look forward to any feedback you might have.

Thanks,
Elvin

[1] https://www.mozilla.org/en-US/privacy/firefox-hello/
[2] https://groups.google.com/forum/#!topic/mozilla.governance/xs7Sfyxc4As
[3] https://www.mozilla.org/en-US/privacy/websites/
[4] https://github.com/mozilla/legal-docs/commit/c7535610c36e59d048d5138861058174c77755df

[Nikos Roussos]

On Tue, Nov 24, 2015 at 12:14 AM, el...@mozilla.com wrote:
> * **Analytics & Optimization**: If you do not want data about your
> interaction with
> Hello to be collected by Google Analytics, you can install the Google
> Analytics
> Opt-out Browser Add-on. The add-on keeps your visits anonymous and
> prohibits
> data transmission to Google Analytics. If you do not want data about
> your
> interaction with Hello to be collected by Optimizely, you can opt-out
> by
> visiting Optimizely's opt-out website for more information.

Shouldn't "Do Not Track" be enough? Or at least "Tracking Protection",
if enabled?

[Thomas Zimmermann]

Hi

> * **Analytics & Optimization**: If you do not want data about your interaction with
> Hello to be collected by Google Analytics, you can install the Google Analytics
> Opt-out Browser Add-on. The add-on keeps your visits anonymous and prohibits
> data transmission to Google Analytics. If you do not want data about your
> interaction with Hello to be collected by Optimizely, you can opt-out by
> visiting Optimizely's opt-out website for more information.

Users have to install an add-on and visit a website to opt-out? This is
ridiculous.

If a user says 'no' to Telemetry in the Browser options, it should be
switched off *in the Browser*.

>
> You can also see the changes to the privacy policy on Github[4], which we are targeting for November 30, and we look forward to any feedback you might have.
>
> Thanks,
> Elvin
>
> [1] https://www.mozilla.org/en-US/privacy/firefox-hello/
> [2] https://groups.google.com/forum/#!topic/mozilla.governance/xs7Sfyxc4As
> [3] https://www.mozilla.org/en-US/privacy/websites/
> [4] https://github.com/mozilla/legal-docs/commit/c7535610c36e59d048d5138861058174c77755df

> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance

[Benjamin Kerensa]

AFAIK Google Analytics snippet code is non-free so this would not align
with Mozilla's manifesto if its being shipped
as part of the binary in Firefox.

Can you clarify on how this is implemented and whether non-free code is
being shipped with Firefox?

Either way I share others concerns that this seems like a invasion of user
privacy and contrary
to Mozilla's marketing campaigns which suggest it is a champion of user
privacy and user choice.

Opt-out is not user choice.

> * **Analytics & Optimization**: If you do not want data about your
> interaction with
> Hello to be collected by Google Analytics, you can install the Google
> Analytics
> Opt-out Browser Add-on. The add-on keeps your visits anonymous and
> prohibits
> data transmission to Google Analytics. If you do not want data about your
> interaction with Hello to be collected by Optimizely, you can opt-out by
> visiting Optimizely's opt-out website for more information.
>

> You can also see the changes to the privacy policy on Github[4], which we
> are targeting for November 30, and we look forward to any feedback you
> might have.
>
> Thanks,
> Elvin
>
> [1] https://www.mozilla.org/en-US/privacy/firefox-hello/
> [2] https://groups.google.com/forum/#!topic/mozilla.governance/xs7Sfyxc4As
> [3] https://www.mozilla.org/en-US/privacy/websites/
> [4]
> https://github.com/mozilla/legal-docs/commit/c7535610c36e59d048d5138861058174c77755df
> _______________________________________________
> governance mailing list
> gover...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/governance
>

--
Benjamin Kerensa
http://benjaminkerensa.com

[Benjamin Kerensa]

Oh and just to add "but we wanted to make it clear that this included
Firefox Hello" so legal team is disclosing to
the end user after a feature is already live? How is this responsible
disclosure to let a user know after the fact
that you have added a tracking feature to Firefox that they have to opt-out
of?

[Paul]

On Tuesday, 24 November 2015 10:15:06 UTC, Thomas Zimmermann wrote:
> Hi
>
> > * **Analytics & Optimization**: If you do not want data about your interaction with
> > Hello to be collected by Google Analytics, you can install the Google Analytics
> > Opt-out Browser Add-on. The add-on keeps your visits anonymous and prohibits
> > data transmission to Google Analytics. If you do not want data about your
> > interaction with Hello to be collected by Optimizely, you can opt-out by
> > visiting Optimizely's opt-out website for more information.
>
> Users have to install an add-on and visit a website to opt-out? This is
> ridiculous.
>
> If a user says 'no' to Telemetry in the Browser options, it should be
> switched off *in the Browser*.

Thomas pretty much sums up all logical thoughts. If it's impossible to collect the data required through Telemetry, then there's a good reason to extend the capabilities of Telemetry. In that light, it should also be noted that some users are happy to send usage data to Mozilla but not to third-party sources.

[Adam Roach]

There are some good points being made in this thread. There is also one
very understandable, innocent misconception about what these clauses
apply to. Hopefully, clearing up this misconception can lead to a more
focused, productive conversation.

Hello is a real-time communication product. When in use, there are
always two parties involved. One party uses a client that is built into
Firefox; that user generates a link and sends it to the other party. The
other party clicks on this link (in Chrome, Opera, Firefox, etc.), which
loads a web-based Hello client.

So there's a built-in client and a web client.

Google Analytics and Optimizely run on the Hello web client, which is a
Mozilla web property. They do not run as part of the built-in client
that is a part of Firefox.

--
Adam Roach
Principal Platform Engineer
a...@mozilla.com
+1 650 903 0800 x863

[Nikos Roussos]

On Tue, Nov 24, 2015 at 6:35 PM, Adam Roach <a...@mozilla.com> wrote:
> Google Analytics and Optimizely run on the Hello web client, which is
> a Mozilla web property. They do not run as part of the built-in
> client that is a part of Firefox.

Thanks Adam for the clarification. It wasn't very clear on the initial
mail (at least to me) that the Privacy updates on Helllo refer to the
web client only. In that case, there is no need for a user to use any
Addon to opt-out. Do Not Track should be enough. AFAIK Analytics
respects it (not sure about Optimizely). But we could go one step
further and respect DNT on our side [1].


[1] https://github.com/schalkneethling/dnt-helper

[Thomas Zimmermann]

Hi

Am 24.11.2015 um 17:35 schrieb Adam Roach:
> There are some good points being made in this thread. There is also
> one very understandable, innocent misconception about what these
> clauses apply to. Hopefully, clearing up this misconception can lead
> to a more focused, productive conversation.
>
> Hello is a real-time communication product. When in use, there are
> always two parties involved. One party uses a client that is built
> into Firefox; that user generates a link and sends it to the other
> party. The other party clicks on this link (in Chrome, Opera, Firefox,
> etc.), which loads a web-based Hello client.
>
> So there's a built-in client and a web client.
>

> Google Analytics and Optimizely run on the Hello web client, which is
> a Mozilla web property. They do not run as part of the built-in client
> that is a part of Firefox.
>

Thanks for clarifying. But this is just a technical detail. I don't
understand what the difference is for the users.

* Opt-out is still not user friendly (by design).
* It's still very complicated to opt out.
* We still transfer user data to 3rd parties.
* I guess that even users of the built-in client would be affected
because they are in the call.

As a solution, Hello could rather offer either participant of the call a
way of disabling Analytics as part of the calling process.

Best regards
Thomas

[tucker....@gmail.com]

> Do Not Track should be enough. AFAIK Analytics
respects it (not sure about Optimizely).

I don't think Google Analytics honors Do Not Track. That
wrapper you posted would be necessary to avoid tracking
users with DNT enabled.

Since Hello presents itself as a privacy-conscious app,
I think it should be extra careful about sending data
to third parties. On the Hello marketing page, it says:

> Because Hello is built right into Firefox, you can
> rest easy knowing that your conversations and
> information will remain private and secure.

It seems odd to allow the part that *isn't* built into
Firefox to send information to Google, like there are
two different standards of privacy based on if you start
the call and if you receive it. When someone starts a
conversation using Hello, they probably weren't expecting
the other person to have any information sent to a third
party, especially if that person has DNT enabled.

Adding something on the interface to disable Analytics
seems awkward to me -- after all, that's what DNT is for.