[Privacy Reviews]Call For Comments: Google Suggest in Android

[Curtis Koenig]

The security team is asking for input on a privacy review for

Google search suggest in Firefox on Android with an opt out https://bugzilla.mozilla.org/show_bug.cgi?id=775087

This call for input will remain open until 2012.08.14 and then recommendations will be taken back to the team for discussion with them. Please help us identify any additional risks not already outlined in the wiki page, and also ways to ensure the risks are minimize. Please follow up to this thread directly to help focus the discussion and ensure we don't miss your feedback.
At the end of this input period, we will incorporate feedback provided into the review page, and follow up with the team to move forward.
Thanks,

--
/Curtis

[Curtis Koenig]

Sorry my bad, we don't have a wiki for this one, just the bug.

/Curtis

On 2012-08-07 12:25 PM, Kartikaya Gupta wrote:

> On 12-08-07 08:06 , Curtis Koenig wrote:
>> Please help us identify any additional risks not already outlined in
>> the wiki page,
>

> Which wiki page?
>
> Cheers,
> kats
>

[Sid Stamm]

On 8/7/12 5:06 AM, Curtis Koenig wrote:
> The security team is asking for input on a privacy review for
>
> Google search suggest in Firefox on Android with an opt out
> https://bugzilla.mozilla.org/show_bug.cgi?id=775087

tl;dr: Want to enable search suggestions by default for mobile firefox.
This means as you type anything in the address bar, it gets sent
key-by-key to google.

I'm not convinced on-by-default is the right choice, although it's
probably the easiest to implement. Instead of turning it on by default,
I think we should get a little creative; what if we show (where the
suggestions *would* be, were it on) an "on" switch that says something
like "enable suggestions (sends keystrokes to Google)"? I think this
would be an incredibly low-friction opt-in, and people who want search
suggestions from Google can really easily enable it.

-Sid

[James May]

FWIW this is how IE (8+ IIRC) on the desktop handles this with all search
providers. Not sure what they do on mobile. Your suggested text is almost
identical too. If this setting could be synced that'd be great also.

On 8 August 2012 06:17, Sid Stamm <sst...@mozilla.com> wrote:

> On 8/7/12 5:06 AM, Curtis Koenig wrote:

> > The security team is asking for input on a privacy review for
> >
> > Google search suggest in Firefox on Android with an opt out
> > https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>
>

> tl;dr: Want to enable search suggestions by default for mobile firefox.
> This means as you type anything in the address bar, it gets sent
> key-by-key to google.
>
> I'm not convinced on-by-default is the right choice, although it's
> probably the easiest to implement. Instead of turning it on by default,
> I think we should get a little creative; what if we show (where the
> suggestions *would* be, were it on) an "on" switch that says something
> like "enable suggestions (sends keystrokes to Google)"? I think this
> would be an incredibly low-friction opt-in, and people who want search
> suggestions from Google can really easily enable it.
>
> -Sid

> _______________________________________________
> dev-planning mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-planning
>

[Matt Brubeck]

On 08/07/2012 01:17 PM, Sid Stamm wrote:
> I'm not convinced on-by-default is the right choice, although it's
> probably the easiest to implement. Instead of turning it on by default,
> I think we should get a little creative; what if we show (where the
> suggestions *would* be, were it on) an "on" switch that says something
> like "enable suggestions (sends keystrokes to Google)"? I think this
> would be an incredibly low-friction opt-in, and people who want search
> suggestions from Google can really easily enable it.

See https://bugzilla.mozilla.org/show_bug.cgi?id=769145 for quite a bit
of discussion of this option.

[madhav...@gmail.com]

On Tuesday, August 7, 2012 4:17:03 PM UTC-4, Sid Stamm wrote:
> On 8/7/12 5:06 AM, Curtis Koenig wrote:
>
> > The security team is asking for input on a privacy review for
>
> > Google search suggest in Firefox on Android with an opt out
> > https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>

> tl;dr: Want to enable search suggestions by default for mobile firefox.
>
> This means as you type anything in the address bar, it gets sent
> key-by-key to google.

So, this is certainly a summary of the costs, but I think I can add a bit about the benefits.

The UX team would like to include Google Suggest suggestions in Firefox on Android's "awesomescreen" as the user types. In other words, when a user types in the combined URL/search bar, we would use the Google Suggest API to show some google search suggestions for what's been typed so far; these suggestions would show up in their own area of the screen, above the suggestions pulled from the user's own history/bookmarks (i.e. awesomebar results).

Here's a screenshot of what this looks like: http://www.flickr.com/photos/madhava_work/7538623222/in/photostream

The value here is that the suggestions not only shorten the "yes! that's what I'm looking for" process, as on desktop, but also very often short circuit the need to type out the entirety of what the user is searching for. This is of huge user-value on mobile, specifically; it's a capability that other mobile browsers take advantage of, and that we currently lack.

I've been using it, and already I find it hard to go back.

On the subject of it sending everything to Google -- my understanding is that Google handles search suggest user-data differently (more privately?) than with thing generally entered into a Google search field. Confirmation or other detail here from others on this list would be very helpful.

Anyway - while a low-friction opt-in (i.e. "would you like search suggestions?") might seem like a reasonable compromise here, our position is that this feature is SO useful on mobile that we'd rather not introduce a speedbump at all, rather than just trying to minimize one. Again - we offer an opt-out in our browser preferences.

[finnb...@gmail.com]

Posted to https://bugzilla.mozilla.org/show_bug.cgi?id=769145 but probably more appropriate here:

Everyone agrees we should change something, and the 2 opinions seem to be, in content opt-in (A) and opt-out(B). The main complaint against opt-in is that most users wont, the main complaint against opt-out is it will mess things up for privacy conscious users before they find out and react (and ensuing media frenzy based on previous comments made by mozilla people).

Worst case for A is feature is disabled (same as no change, presumably progressivly worse over time as users drop firefox, eventually assumed to be very bad)

Worst case for B is media feeding frenzy with firefox as main dish. Unlikely to do deadly harm, but could be significant, almost entire effect will be instantaneous.

Clearly, its best to be sure of anything we can be sure of. Media feeding frenzies are pretty random, so instead, look at the other missing data. If we build the best opt-in we can, what does telemetry tell us the opt-in rate is. if we do this for nightly, it wont even get into a release (though that might produce skewed results). and if the result is <80%, then we know it isn't good enough, if the result is >95% we know it probably is good enough. if it's somewhere in the middle, we can argue some more.

Even if we let it release, the result will be (at worst) a mildly annoying option for 6 weeks whilst we find out what we want to do. At best we'll find out our opt-in is super good, and this entire argument was pointless. Even if we go with A in the end, wont it be better to lead into it for 6 weeks and giving the privacy conscious lot a chance to opt-out, which would reduce the harm done?

Isn't that better than continuing the argument and then risking one or the other result without knowing for sure?

[Zack Weinberg]

On 2012-08-08 9:51 AM, madhav...@gmail.com wrote:
>
> On the subject of it sending everything to Google -- my understanding
> is that Google handles search suggest user-data differently (more
> privately?) than with thing generally entered into a Google search
> field. Confirmation or other detail here from others on this list
> would be very helpful.

I just want to stick in here the observation that the additional privacy
exposure from this feature is not simply because additional user data is
revealed *to Google*. A passive eavesdropper on the same network as the
client can potentially learn what is being searched for, even if all the
actual data is encrypted, because the *size* of each suggestion result
reveals what was typed. See
http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf
for more details.

(Google's Suggest API could include countermeasures for this, and I
don't know if they do or not. The paper is from 2010.)

> Anyway - while a low-friction opt-in (i.e. "would you like search
> suggestions?") might seem like a reasonable compromise here, our
> position is that this feature is SO useful on mobile that we'd rather
> not introduce a speedbump at all, rather than just trying to minimize
> one. Again - we offer an opt-out in our browser preferences.

I can see where you're coming from, but I think having a low-friction
opt-in is actually _better_ UX here, because telling users that they
have a choice here will give both privacy-concerned and
privacy-unconcerned users the warm fuzzies.

zw

[Sid Stamm]

On 8/8/12 10:23 AM, Zack Weinberg wrote:
> On 2012-08-08 9:51 AM, madhav...@gmail.com wrote:
>>
>> On the subject of it sending everything to Google -- my understanding
>> is that Google handles search suggest user-data differently (more
>> privately?) than with thing generally entered into a Google search
>> field. Confirmation or other detail here from others on this list
>> would be very helpful.
>
> I just want to stick in here the observation that the additional privacy
> exposure from this feature is not simply because additional user data is
> revealed *to Google*.

For me, it's about avoiding surprises. Firefox users may or may not
realize we're sending data to any third party (in this case, Google) as
they type stuff in the single text-entry field. So Google's treatment
of the data isn't the focus -- their privacy policy is fine. The focus
is whether or not users expect us to send data to another organization.

With the proposed UI, it's not clear that the suggestions are coming as
a result of queries to Google; they seem to be suggestions from Firefox
saying "hey, you may want to Google these."

Surprises in this scenario would manifest two types of reactions:
reactions of "I didn't know you sent Google what I just typed!" and
"OMG, you're using my data plan even though I don't want to search!"

Eavesdroppers are an issue here too (thanks for mentioning this, Zack),
but my own goal is helping keep our users aware of what we're doing with
their data.

> [snip]

>> Anyway - while a low-friction opt-in (i.e. "would you like search
>> suggestions?") might seem like a reasonable compromise here, our
>> position is that this feature is SO useful on mobile that we'd rather
>> not introduce a speedbump at all, rather than just trying to minimize
>> one. Again - we offer an opt-out in our browser preferences.
>
> I can see where you're coming from, but I think having a low-friction
> opt-in is actually _better_ UX here, because telling users that they
> have a choice here will give both privacy-concerned and
> privacy-unconcerned users the warm fuzzies.

+1.

-Sid

[Jet Villegas]

I like the low-friction approach on Fennec as the awesomebar database is rather sparse on my Android phone. Since we're talking about Android here (and not desktop or B2G,) didn't the user already agree to a "We are Google, we already know everything you do on this phone" privacy policy when they first started? In other words, why shouldn't the Android user expect it to just work?

-- Jet

[Ian Melven]

i would argue that there is some subset of users for which the value proposition of Firefox for Android is to NOT have Google know everything
you do on your Android phone - their reaction to being implicitly opted in without notification to sending everything entered in the
awesomebar to Google would likely be quite negative. They are almost certainly a minority, fwiw.

i would suggest setting up Sync to improve your awesomebar DB as well :)

Personally I think it's excellent there's an in-UI preference to opt out of search suggestions, it addresses my concerns,
but then again I understand the situation wrt privacy and search suggestions more than the 'average user'
perhaps and I've been watching this feature for some time due to the privacy concerns as well.

It would be great to at least loudly message this change to users and exactly how to opt-out if it ships as opt-out.

thanks,
ian

[Robert Kaiser]

madhav...@gmail.com schrieb:

> Here's a screenshot of what this looks like: http://www.flickr.com/photos/madhava_work/7538623222/in/photostream

Hmm, that means the "traditional" awesomebar results I'm looking for are
even more likely to be below the visibility threshold than right now -
and on the phone I already am often not seeing them because the virtual
keyboard also takes up some space and there's only 4 results or so
shown. As I only want to search in rare cases and most often want to
call up a page I have already seen on the phone or synched desktop, this
means the UX would become worse through suggestions.
And I didn't even start on privacy there. ;-)

Robert Kaiser

[Johnathan Nightingale]

On Aug 8, 2012, at 12:22 PM, Ian Melven wrote:

> i would argue that there is some subset of users for which the value proposition of Firefox for Android is to NOT have Google know everything
> you do on your Android phone - their reaction to being implicitly opted in without notification to sending everything entered in the
> awesomebar to Google would likely be quite negative. They are almost certainly a minority, fwiw.

I agree with all of this - those users exist, should be recognized and given choice, and are a minority...

> Personally I think it's excellent there's an in-UI preference to opt out of search suggestions, it addresses my concerns,
> but then again I understand the situation wrt privacy and search suggestions more than the 'average user'
> perhaps and I've been watching this feature for some time due to the privacy concerns as well.

I agree with this, too. Privacy conscious users have a choice which is pretty easy to find if they're looking for it. Most users benefit immediately from default-on and (here comes conjecture!) would leave it on if making an informed choice.

I agree with Madhava that I don't want things speed bumping our experience. Each choice like this is a thing that takes the user out of their flow, and I don't believe it will delight them to encounter one so soon after starting up. Even if I did, I'd trust madhava and his team to have more evidence-founded beliefs than me on the subject.

I'm still trying to figure out what I think of Sid's "no surprises" argument, though. It will surprise some people, absolutely. So will website metrics, third party cookies, local storage, and a lot of other things that the web does and that browsers help with. I'm not sure whether I agree that this surprise is one we should differentially avoid, given the significant UX win and ease of opt-out, but I'm not immediately convinced that Sid's wrong, either.

J

---
Johnathan Nightingale
Sr. Director of Firefox Engineering
@johnath

[Tom Lowenthal]

Johnathan Nightingale:

> I'm still trying to figure out what I think of Sid's "no surprises" argument, though. It will surprise some people, absolutely. So will website metrics, third party cookies, local storage, and a lot of other things that the web does and that browsers help with. I'm not sure whether I agree that this surprise is one we should differentially avoid, given the significant UX win and ease of opt-out, but I'm not immediately convinced that Sid's wrong, either.

It's worth noting that "no surprises" is Mozilla's number one privacy
principle, and "real choices" is number two [1].

I really want this feature: it's incredibly useful. However, if it
shipped turned on, I would feel hurt. I'm not sure how most folks would
notice and know that they can turn it off: it would certainly be a
surprise for many. An opt-out in settings would also make me feel as
though I wasn't given a choice: especially if I only found out about the
feature after the fact.


[1]: https://mozilla.org/privacy

[Matt Basta]

Tom Lowenthal:

> I really want this feature: it's incredibly useful. However, if it
shipped turned on, I would feel hurt. I'm not sure how most folks would
notice and know that they can turn it off: it would certainly be a
surprise for many. An opt-out in settings would also make me feel as
though I wasn't given a choice: especially if I only found out about the
feature after the fact.

It's clear that search suggestions would be very beneficial to user
experience for most users. It's also important that we shouldn't turn
them on without asking the user. I think we should look at innovative,
unobtrusive ways to prompt the user about this.

Would it be possible to put an opt-in prompt in the space where the
suggestions would otherwise show up? Something like "'Turn On Google
Autocomplete' or 'Ignore'" along with a setting in the settings page?
If need be, a "?" icon could be shown, opening a dialog with more
information about the implications of enabling suggestions.

This approach has two merits: 1.) It doesn't prompt the user until
they would otherwise use/see suggestions and 2.) It doesn't consume
more space than the suggestions otherwise would.

Thoughts or other ideas?

----- Original Message -----
From: "Tom Lowenthal" <t...@mozilla.com>
To: dev-pl...@lists.mozilla.org
Sent: Wednesday, August 8, 2012 3:28:10 PM
Subject: Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

[beltzner]

Curtis,

Thanks for inviting comment. As historical context, I've argued against this sort of thing when looking at including suggestions in Firefox on Desktop, OmniBar style, in the past.

My opinions on this sort of issue haven't really changed in the past year or so. Yes, absolutely, 100%, suggestions are helpful; especially on a phone. I'm typing this on a phone right now, I feel the pain :) However, it seems to me like a one-time click on a big friendly row that says "Get suggestions from Google" is an easy, low friction way to ensure we're not leaking information without user consent. An Android message (or whatever the translucent text in a bubble at the bottom of the screen is called) could let users know that they can turn it off in Settings at any time. With the addition of a single tap, our cake is delicious and not in any way a lie. I do not feel user testing is a panacea for all design questions, but this is a case where we can validate the assertion that discoverabllity and experience isn't adversely affected through some simple study.

I agree that user expectations have likely changed, and that most users don't think about these sorts of privacy issues. I think that demonstrates that we (ie: Mozilla) have more work to do in terms of bringing the message and values of our mission forward to users.

(When we do send the information, I hope we would do it over HTTPS and, if at all possible, without sending the user's Google cookie unless they have signed in within the session)

cheers,
mike

[beltzner]

One thing Doug obliquely mentioned to me on twitter was that Fennec used to show the source of suggestions alongside them. It led me to this thought:

The first time the awesomescreen is opened, we could add a little delay to where the suggestions flow in that says "Getting suggestions from Ze Googles!" and perhaps even has a "no, dont!" link which jumps you over to settings, or a little wee x which turns it off (and then Android indicator thingie says "turn back on in the settings")

The point being: the mission is to inform and provide choice, it says nothing about defaults. So my sticking point is making sure that users know where the suggestions are coming from, and what they can do about it. I'm not dogmatic about opt-in, just about "it's magic and the user doesn't need to know about the potential hidden cost"

Thanks, Doug!

cheers,
mike

[Madhava Enros]

Hi everyone -

Thanks for all the concerns and suggestions so far -- this is very illuminating. Please keep them coming!

To sum up as we go, it sounds like there's broad agreement that this is a very useful feature. And it sounds like the biggest guiding principles here are that (1) we shouldn't surprise people with bad privacy outcomes (seems reasonable that, in the privacy world, all surprises are bad -- this differs from user-experience!); and (2) that we should give people real choices.

On the subject of surprise, I think it's worth pointing out that of the major browsers on Android (Chrome, Browser, Dolphin HD) -- all three do this, and in a way that makes it much less clear what suggestions are coming from where. Now, we don't make our decisions just based on what others are doing, but from a surprise perspective -- it seems more likely to me that people will be surprised that we _don't_ do this.

That said - transparency about what is happening with your data is a big deal for us. I actually quite like the core of something Beltzner suggested, above, which is to offer a "what is this?" associated with the Google search suggestions, maybe the first time or two. It would be a way to help people understand that their data is going somewhere, something that the other browsers don't do.

In general, our approach in UX on things like this has been to really try to get to a sensible default for most users' needs. If the tone of a potential opt-in is going to be "Get google suggestions? [yes/no]" -- and I think we'd want it to be at least that friendly, given how useful this will be and compared to the real risk -- then why aren't we making it the default? We don't actually want to dissuade people more than that, do we? This comes back to the "real decisions" point for me -- putting in an opt-in as friendly as we'd want doesn't tell anyone why they'd ever say no; making the opt-in more educational/threatening would seem disproportionate, to me, given the risks.

Incidentally, I haven't heard yet about whether Google's search suggest privacy policy is one we're happier sending user data to than the one they use for general web search. I'd heard this (uncited) but it would help to balance costs/benefits here.

[Madhava Enros]

Oh - some more detail about what Google does with suggest data here: http://googleblog.blogspot.ca/2008/09/update-to-google-suggest.html

[beltzner]

I really don't think that's current, as it's not consistent with what their current master privacy policy states.

Ultimately, though, I think we're on the same page. I don't think there's huge risk, but the value in educating people so that they aren't surprised - at some later date - to discover that we're sending information elsewhere when they type is quite high.

(Ultimately the decision lies with the people we trust to make Firefox, and I think this thread is a fantastic example of asking for feedback and listening while not being beholden to it. Well done!)

cheers,
mike

[Monica Chew]

As a point of comparison, on desktop there seems to be no way to disable
Google Suggest at all:

http://www.google.com/preferences

There is a radio button for enabling Google Instant based on network
connection (or not at all), but the help page on query autocomplete has
no way to disable it:

http://support.google.com/websearch/bin/answer.py?hl=en&answer=106230

From a usability perspective, turning off suggest in mobile by default
seems like a mistake. Turning it into a force-opt also has drawbacks,
since the same usability concerns in typing/interaction fatigue apply to
selecting preferences as they do to typing.

I am not sure the best solution, but it seems a combination of the above
2 factors means that mobile devices leak more information in general,
since there is strong tendency to want to streamline interaction. I
wonder if there's a user-friendly way to periodically remind the user
which 3rd parties Firefox is leaking data to, since this problem will
eventually apply to more than just Google, and at some point a force-opt
doesn't scale.

Monica

[Daniel Veditz]

On 8/9/12 4:51 PM, Monica Chew wrote:
> As a point of comparison, on desktop there seems to be no way to
> disable Google Suggest at all:
>
> http://www.google.com/preferences

You mean on the website? Sure, but when you're on a website (any
site) that site can capture all your keystrokes whether or not it
claims it isn't doing so.

On Desktop Firefox you can turn suggestions off through a checkbox
on the "Manage Search Engines" dialog. Click on the search engine
icon in the search box, and then open the dialog from the last item
on the menu that pops up.

On desktop Firefox we default suggestions on, but searches happen in
a separate specialized search box. There's enough context there that
as suggestions show up it should be clear it's coming from the
search provider. And even if it's not clear, the user's intention of
typing in that box is to send the search term to the provider in the
end. Most importantly, URLs the user types in the "address" box
don't get sent to the search provider.

The mobile browser doesn't have space for a separate search box so
it faces issues that don't impact the Desktop Firefox in the same
way. At least not at present. Some people would prefer that we
switch to a combined "omnibar" like Chrome, and if we did then
Desktop Firefox would face this same issue.

-Dan Veditz

[Monica Chew]

On 8/10/12 4:07 PM, Daniel Veditz wrote:
> You mean on the website? Sure, but when you're on a website (any site)
> that site can capture all your keystrokes whether or not it claims it
> isn't doing so.

True. My point was that anyone who opts into using Google Search by
visiting google.com can't opt out of Google Suggest at all.

> On Desktop Firefox you can turn suggestions off through a checkbox
> on the "Manage Search Engines" dialog. Click on the search engine
> icon in the search box, and then open the dialog from the last item
> on the menu that pops up.

Do you mean you can turn off suggestions by switching default providers?
I'd be curious what the metrics are on users who do that.

>
> On desktop Firefox we default suggestions on, but searches happen in
> a separate specialized search box. There's enough context there that
> as suggestions show up it should be clear it's coming from the
> search provider.

Why is it clear that the suggestions are coming from the search
provider, than say, the browser, or even local disk search?

> And even if it's not clear, the user's intention of
> typing in that box is to send the search term to the provider in the
> end. Most importantly, URLs the user types in the "address" box
> don't get sent to the search provider.

What's a URL vs. a search term in the context of global TLDs? (sorry if
I already missed this discussion)


On a side note, I've been thinking about ways to figure out what the
user really wants without the tyranny of dialog boxes, especially on
startup. What if, on installation, the message was "Thank you for
installing Firefox! How paranoid are you?" with a slider from 1-10. If
the user picks something high, then they're a great candidate for
cycling through all the many security and privacy related preferences.
If they pick something low, we set their defaults based on the prefs
that map to the vast majority of the userbase.

Thanks,
Monica

[Steve Wendt]

On 8/10/2012 4:07 PM, Daniel Veditz wrote:

> prefer that we switch to a combined "omnibar" like Chrome

Mozilla did it first... Firefox broke it. :-)

[Steve Wendt]

On 8/10/2012 4:35 PM, Monica Chew wrote:

> What if, on installation, the message was "Thank you for
> installing Firefox! How paranoid are you?" with a slider from 1-10.

Phrased like that, it makes me more suspicious/paranoid than I might
usually be. Not to start bikeshedding, but "How highly do you value
your security and privacy?" might be better phrasing?

[Monica Chew]

Sure, or even just "Would you like to configure Firefox now? This would
include choosing settings for security and privacy." If they answer yes,
you can start asking them questions like:

Who do you fear most finding out your browsing history?
- Friends and family
- Work colleagues
- Government
- Cloud services like Google

and so on... If they never pick "cloud services" then probably they
don't care about sending partial search queries to Google. Or if the do
pick it's a sign they also want DNT, or care about 3rd party cookies, or
explicitly want to set their search provider, etc. If they pick Friends
and Family we can recommend private browsing mode.

Monica

[Robert Kaiser]

Steve Wendt schrieb:

> On 8/10/2012 4:07 PM, Daniel Veditz wrote:
>
>> prefer that we switch to a combined "omnibar" like Chrome
>
> Mozilla did it first... Firefox broke it. :-)

No, we never showed search suggestions in the address bar. And I won't
even go into how weak and dumb the old address bar completion was
compared to the Firefox awesomebar. ;-)

That said, starting a search from the address bar has always worked in
Firefox, AFAIK, even though that search box exists in addition.

Robert Kaiser

[Robert Kaiser]

Monica Chew schrieb:

> On 8/10/12 4:07 PM, Daniel Veditz wrote:
>> You mean on the website? Sure, but when you're on a website (any site)
>> that site can capture all your keystrokes whether or not it claims it
>> isn't doing so.
> True. My point was that anyone who opts into using Google Search by
> visiting google.com can't opt out of Google Suggest at all.

That's something so different than showing them in the browser UI. If I
open Google's website, I apparently want Google's way of things and
don't have a problem with sending data to them (as I have sent data to
them just by opening their site).
When I open Firefox for Android, I obviously have chose an alternative
to what Google/Android provides by default, and I may not want to send
data to them about exactly every step I'm taking (I'm using and Android
device, so I'm probably OK with sending *some* data to them, though,
otherwise I'd use e.g. an N9, a Firefox OS device, or so). In any case,
I might not expect every keystroke I make being sent to Google (and my
IP address being sent to Google, therefore them being able to make some
kind of profile of me - note the technical *being able*, which doesn't
care if they have currently some kind of policy where they state they
might not do that right now).

> What if, on installation, the message was "Thank you for
> installing Firefox! How paranoid are you?" with a slider from 1-10.

I'd see it as an insult if Firefox would call me or any other user
"paranoid".


Robert Kaiser

[Dan Veditz]

On 8/10/12 4:35 PM, Monica Chew wrote:
> On 8/10/12 4:07 PM, Daniel Veditz wrote: My point was that anyone

> who opts into using Google Search by visiting google.com can't opt
> out of Google Suggest at all.

Which is fine if you're intending to search on google. But if you're
just using your browser and typing in the direct URL to some internal
server you may not want to be sending that URL character by character to
Google until you hit "go" and aren't even doing a search.

>> On Desktop Firefox you can turn suggestions off through a checkbox
>> on the "Manage Search Engines" dialog. Click on the search engine
>> icon in the search box, and then open the dialog from the last
>> item on the menu that pops up.
> Do you mean you can turn off suggestions by switching default
> providers?

No, I mean you can manage your preferences to turn off suggestions for
your current search provider, including Google.

> I'd be curious what the metrics are on users who do that.

Probably small. But as I mentioned before suggestions in a dedicated
search box does not have the same potential privacy issues.

>> There's enough context there that as suggestions show up it should
>> be clear it's coming from the search provider.
> Why is it clear that the suggestions are coming from the search
> provider, than say, the browser, or even local disk search?

You're right, it's probably not that clear, which is why there's a
potential for negative surprises when users find out.

>> And even if it's not clear, the user's intention of typing in that
>> box is to send the search term to the provider in the end. Most
>> importantly, URLs the user types in the "address" box don't get
>> sent to the search provider.
> What's a URL vs. a search term in the context of global TLDs? (sorry
> if I already missed this discussion)

A URL can have sensitive information in the path. Let's leave the global
TLD debate out of this thread -- there's enough contention there for its
own topic.

> "Thank you for installing Firefox! How paranoid are you?"

I'd rather not greet people with a suggestion that they might have a
clinical diagnosis. Or conversely (if worded more nicely) make them feel
bad for not caring when we're obviously implying that they're stupid not to.

-Dan Veditz

[Henri Sivonen]

On Sun, Aug 12, 2012 at 10:13 PM, Dan Veditz <dve...@mozilla.com> wrote:
> On 8/10/12 4:35 PM, Monica Chew wrote:
>>
>> On 8/10/12 4:07 PM, Daniel Veditz wrote: My point was that anyone
>> who opts into using Google Search by visiting google.com can't opt
>> out of Google Suggest at all.
>
> Which is fine if you're intending to search on google. But if you're
> just using your browser and typing in the direct URL to some internal
> server you may not want to be sending that URL character by character to
> Google until you hit "go" and aren't even doing a search.

Regardless of whether the suggest feature ends up being opt-in or
opt-out, I think it should stop sending data to the search provider as
soon as the text entry looks address-ish. I.e. I think Firefox should
not send the string if it starts with something that looks like an URL
scheme or if it contains a dot or a slash (but no space) (this would
generally mean stopping the leakage after typing the first component
of the host name).

I have filed this as https://bugzilla.mozilla.org/show_bug.cgi?id=765201

This would mean:
* No leakage for pasted URL, because they start with http:, https: or the like.
* No leakage of importance when the user types "www.", since sending
the data would stop at the dot.
* Mitigated leakage (first component of the host name) when typing an
address that doesn't start with a URL scheme or "www.".
* Mitigated leakage of intranet URLs (since sending would stop at the
slash when typing "fileserver/something" where "fileserver" is really
a dotless hostname.
* Lack of suggestions for strings that are really intended as search
terms but have a dot or slash but no space.

--
Henri Sivonen
hsiv...@iki.fi
http://hsivonen.iki.fi/

[Johnathan Nightingale]

On Aug 13, 2012, at 8:37 AM, Henri Sivonen wrote:
> I have filed this as https://bugzilla.mozilla.org/show_bug.cgi?id=765201
>
> This would mean:
> * No leakage for pasted URL, because they start with http:, https: or the like.
> * No leakage of importance when the user types "www.", since sending
> the data would stop at the dot.
> * Mitigated leakage (first component of the host name) when typing an
> address that doesn't start with a URL scheme or "www.".
> * Mitigated leakage of intranet URLs (since sending would stop at the
> slash when typing "fileserver/something" where "fileserver" is really
> a dotless hostname.
> * Lack of suggestions for strings that are really intended as search
> terms but have a dot or slash but no space.

Yep, this all makes a ton of sense to me. It doesn't eliminate the discussion about the leakage of that first word (nor did you suggest as much), but it constrains its scope well.

[Monica Chew]

On 8/12/12 12:13 PM, Dan Veditz wrote:
> No, I mean you can manage your preferences to turn off suggestions for
> your current search provider, including Google.

Sorry for my confusion, it took me a while to find the checkbox "Show
search suggestions."

> "Thank you for installing Firefox! How paranoid are you?"
>
> I'd rather not greet people with a suggestion that they might have a
> clinical diagnosis. Or conversely (if worded more nicely) make them
> feel bad for not caring when we're obviously implying that they're
> stupid not to.

My bad for the poor word choice. Is there a way to generate privacy
preferences that reflect the user's needs while taking into account that
many people never change default settings [1][2], and giving them a way
to end the preference-choosing process at any time?

Monica

[1]
http://www.uie.com/brainsparks/2011/09/14/do-users-change-their-settings/
[2]
http://www.zdnet.com/blog/facebook/13-million-us-facebook-users-dont-change-privacy-settings/12398

[Justin Dolske]

On 8/9/12 10:56 AM, Madhava Enros wrote:

> On the subject of surprise, I think it's worth pointing out that of
> the major browsers on Android (Chrome, Browser, Dolphin HD) -- all
> three do this, and in a way that makes it much less clear what
> suggestions are coming from where.

This is an important point. Certainly Chrome (which has received the
brunt of criticism about this feature) has virtually no labeling as to
where these suggestions are coming from. [On my Chrome OS X install, I
just see "Google Search" appended to the first result -- which is more
about what it _does_ than where it _comes from_.]

This makes it easy to overlook where the suggestions come from. It's
easy to just think that the browser itself is suggesting it... Which
leads to surprise when users find out what's actually happening.

Contrast that with a clear and transparent labeling along the lines of
"Google Suggests...". That makes it much more apparent _who_ is doing
the suggesting, and directly leads to "how are they able to suggest
that." At which concerned users are able may very well go looking for a
way to turn it off or change to a different provider.

[Aside: This is where it's nice that Mozilla isn't playing both the
client and server sides. If Chrome was seeking to be as transparent as
we are, they'd have to deal with the oddity that "Google Suggests..."
still leaves ambiguity as to what's happening with your input.]

[Sid Stamm]

On 08/13/2012 08:37 PM, Justin Dolske wrote:
> On 8/9/12 10:56 AM, Madhava Enros wrote:
>
>> On the subject of surprise, I think it's worth pointing out that of
>> the major browsers on Android (Chrome, Browser, Dolphin HD) -- all
>> three do this, and in a way that makes it much less clear what
>> suggestions are coming from where.

To be absolutely clear, just because other browsers do this does *not*
mean it's the right thing to do. I think it's important that we're
forthcoming with our users and not sharing data with third parties
without their knowledge and consent.

I am less surprised/concerned about Chrome silently soliciting search
suggestions; if you install Chrome, it means you trust Google to some
extent. Google phoning home to Google wouldn't be as surprising as if
they invisibly sent suggestion queries to Bing, for example. People
installing Firefox, by contrast, trust Mozilla to a certain extent.
They may not trust Google as much and maybe they don't want Firefox
sending data to this third party without their knowledge.

> [snip]

> Contrast that with a clear and transparent labeling along the lines of
> "Google Suggests...". That makes it much more apparent _who_ is doing
> the suggesting, and directly leads to "how are they able to suggest
> that." At which concerned users are able may very well go looking for a
> way to turn it off or change to a different provider.

This is much more transparent than just showing the suggestions without
context ("Google suggests..." or "awesomebar suggests..."). We're still
sending some data to Google behind the scenes before the user can be
made aware, but this is at least more immediately discoverable.

> [Aside: This is where it's nice that Mozilla isn't playing both the
> client and server sides. If Chrome was seeking to be as transparent as
> we are, they'd have to deal with the oddity that "Google Suggests..."
> still leaves ambiguity as to what's happening with your input.]

Heh... I actually think it's a bummer we're not playing both sides. If
the search suggestions were coming from us, the potency of surprised
anger is probably less since it would be all one party (see my comments
about trust above). Granted, I don't think we're the right people to be
suggesting searches, unless there's some search engine project in Labs
that I don't know about. ;-)

-Sid

[Matt Brubeck]

On 08/15/2012 02:30 PM, Sid Stamm wrote:
> I am less surprised/concerned about Chrome silently soliciting search
> suggestions; if you install Chrome, it means you trust Google to some
> extent. Google phoning home to Google wouldn't be as surprising as if
> they invisibly sent suggestion queries to Bing, for example.

Chrome's suggestion feature is not tied to Google. Chrome offers on
first-run to set the default search engine to Yahoo or Bing, and if you
choose Bing then it sends suggestion requests to bing.com.

[Steve Fink]

On 08/08/2012 09:51 AM, madhav...@gmail.com wrote:

>
> Anyway - while a low-friction opt-in (i.e. "would you like search suggestions?") might seem like a reasonable compromise here, our position is that this feature is SO useful on mobile that we'd rather not introduce a speedbump at all, rather than just trying to minimize one. Again - we offer an opt-out in our browser preferences.
>

My personal opinion is that most users, myself included, are naive
enough to not realize that having instant suggestions appear necessarily
implies sending our searches to some remote 3rd party. I would actually
appreciate a low-friction opt-in *because* it informs me of that fact --
even though I would immediately select it anyway. (Which implies that
I'd also rather the text be less "want to see search suggestions?" and
more "send partial search to Google so it can provide suggestions as you
type?")

I also think it fits better with our mission and privacy policy, and
gives us privacy credibility, which is a critically important
distinguishing factor (and we don't have a huge number of those left to
kick around.) The fact that "everyone else does it" only strengthens
that argument.

(Minor side detail: for people who *don't* want to opt in, the
preference screen should make sure that "no" frees up the screen real
estate taken by the opt-in line(s).)

[Chris Hofmann]

On 8/15/12 2:15 PM, Steve Fink wrote:
> On 08/08/2012 09:51 AM, madhav...@gmail.com wrote:
>
>>
>> Anyway - while a low-friction opt-in (i.e. "would you like search
>> suggestions?") might seem like a reasonable compromise here, our
>> position is that this feature is SO useful on mobile that we'd rather
>> not introduce a speedbump at all, rather than just trying to minimize
>> one. Again - we offer an opt-out in our browser preferences.
>>
>
> My personal opinion is that most users, myself included, are naive
> enough to not realize that having instant suggestions appear
> necessarily implies sending our searches to some remote 3rd party. I
> would actually appreciate a low-friction opt-in *because* it informs
> me of that fact -- even though I would immediately select it anyway.
> (Which implies that I'd also rather the text be less "want to see
> search suggestions?" and more "send partial search to Google so it can
> provide suggestions as you type?")
>
> I also think it fits better with our mission and privacy policy, and
> gives us privacy credibility, which is a critically important
> distinguishing factor (and we don't have a huge number of those left
> to kick around.) The fact that "everyone else does it" only
> strengthens that argument.

A whopping 17% of our current mobile user base went the to trouble of
setting DNT. That's almost double the rate as desktop. So yeah, I'd
agree that privacy is an important feature our current set of mobile users.

-chofmann

>
> (Minor side detail: for people who *don't* want to opt in, the
> preference screen should make sure that "no" frees up the screen real
> estate taken by the opt-in line(s).)
>

[Ehsan Akhgari]

On 12-08-15 5:21 PM, Chris Hofmann wrote:
> A whopping 17% of our current mobile user base went the to trouble of
> setting DNT. That's almost double the rate as desktop. So yeah, I'd
> agree that privacy is an important feature our current set of mobile users.

Out of curiosity, is that percentage based on the release channel only?

Ehsan

[Justin Dolske]

On 8/15/12 11:30 AM, Sid Stamm wrote:
> To be absolutely clear, just because other browsers do this does *not*
> mean it's the right thing to do.

My fault for trimming Madhava's full context, which I think was simply
saying that that it's common and accepted by users of other browsers --
and he explicitly noted that we don't make decisions based just on what
others are doing.

> I am less surprised/concerned about Chrome silently soliciting search
> suggestions; if you install Chrome, it means you trust Google to some
> extent.

I'm not sure how well that argument applies here. I think that trust is
anchored in the primary premise and principles of the basic p-p-product
people are using (sorry, had a Max Headroom alliteration moment). To use
a car analogy -- because all good internet debates reduce down to cars
-- someone who buys a Ford with in-dash GPS navigation is highly
unlikely to extend that trust to Ford keeping records of their travels.
But Chrome is an oddball here -- is it a browser? Or is it part of a
tightly integrated set of Google services? I think it's somewhere in
between.

I would further posit that part of Firefox's value proposition is
finding a balance between a compelling (awesome) browser, while still
being mindful of security and privacy. We pick reasonable defaults
(which is what this discussion is about ;), and provide preferences and
add-ons for those whose concerns fall outside the norm.

Justin

[Dao]

On 16.08.2012 07:39, Justin Dolske wrote:
> I would further posit that part of Firefox's value proposition is
> finding a balance between a compelling (awesome) browser, while still
> being mindful of security and privacy. We pick reasonable defaults
> (which is what this discussion is about ;), and provide preferences and
> add-ons for those whose concerns fall outside the norm.

I'd phrase that differently, since people being undereducated in
technical areas impacts on whether they'll look for preferences. The
norm is that people don't know what's going on, which of course doesn't
mean that privacy is a non-issue for them. We need to take this into
account when picking defaults.

[Asa Dotzler]

On 8/8/2012 11:30 AM, Sid Stamm wrote:
> On 8/8/12 10:23 AM, Zack Weinberg wrote:
>> On 2012-08-08 9:51 AM, madhav...@gmail.com wrote:
>>>
>>> On the subject of it sending everything to Google -- my understanding
>>> is that Google handles search suggest user-data differently (more
>>> privately?) than with thing generally entered into a Google search
>>> field. Confirmation or other detail here from others on this list
>>> would be very helpful.
>>
>> I just want to stick in here the observation that the additional privacy
>> exposure from this feature is not simply because additional user data is
>> revealed *to Google*.
>
> For me, it's about avoiding surprises. Firefox users may or may not
> realize we're sending data to any third party (in this case, Google) as
> they type stuff in the single text-entry field. So Google's treatment
> of the data isn't the focus -- their privacy policy is fine. The focus
> is whether or not users expect us to send data to another organization.
>
> With the proposed UI, it's not clear that the suggestions are coming as
> a result of queries to Google; they seem to be suggestions from Firefox
> saying "hey, you may want to Google these."
>
> Surprises in this scenario would manifest two types of reactions:
> reactions of "I didn't know you sent Google what I just typed!" and
> "OMG, you're using my data plan even though I don't want to search!"

How is this different than the Search in Firefox on Windows/Mac/Linux. I
don't believe that I could find any mainstream Firefox users who
realizes that we're sending data to a third party when the user is
typing into the search box -- the search suggestions seem to be
suggestions from Firefox. The separate box probably helps us feel better
about some other privacy issues but I can't see how it helps at all on
the "avoiding surprises" front.

- A

[Dao]

On 16.08.2012 10:49, Asa Dotzler wrote:
> How is this different than the Search in Firefox on Windows/Mac/Linux. I
> don't believe that I could find any mainstream Firefox users who
> realizes that we're sending data to a third party when the user is
> typing into the search box -- the search suggestions seem to be
> suggestions from Firefox. The separate box probably helps us feel better
> about some other privacy issues but I can't see how it helps at all on
> the "avoiding surprises" front.

It's entirely different because what you type in the search box will
necessarily and obviously be exposed to the search provider when you
submit it.

[Jonathan Kew]

"When you submit it" is a key aspect. Suppose I begin typing a search
phrase, but have second thoughts before hitting Enter ("Hmm, I don't
think I want Google to know I'm interested in THAT after all"). So I
don't submit the query, I just delete it from the box - but (surprise!)
we've already sent it to Google anyway. Oops.

FWIW, I see a big difference between this happening when I go to
www.google.com and type into their web page, where it's clearer I am
interacting with Google's server, and the same thing happening when I
type into a Firefox search box. In this situation I might reasonably
assume that I'm only interacting with my copy of Firefox, until (unless)
I actually submit my search.

JK

[Chris Hofmann]

I believe this is all channels but would need metrics to verify.

About 10% if firefox mobile users are on the beta channel which is a
higher pct. than on desktop and that might be influencing the numbers.

-chofmann

[Dao]

On 16.08.2012 12:20, Jonathan Kew wrote:
> On 16/8/12 10:19, Dao wrote:
>> On 16.08.2012 10:49, Asa Dotzler wrote:
>>> How is this different than the Search in Firefox on Windows/Mac/Linux. I
>>> don't believe that I could find any mainstream Firefox users who
>>> realizes that we're sending data to a third party when the user is
>>> typing into the search box -- the search suggestions seem to be
>>> suggestions from Firefox. The separate box probably helps us feel better
>>> about some other privacy issues but I can't see how it helps at all on
>>> the "avoiding surprises" front.
>>
>> It's entirely different because what you type in the search box will
>> necessarily and obviously be exposed to the search provider when you
>> submit it.
>
> "When you submit it" is a key aspect. Suppose I begin typing a search
> phrase, but have second thoughts before hitting Enter ("Hmm, I don't
> think I want Google to know I'm interested in THAT after all"). So I
> don't submit the query, I just delete it from the box - but (surprise!)
> we've already sent it to Google anyway. Oops.

This sounds like an edge case. If we had statistics about how often the
search term gets cleared without having been submitted, I'd bet the rate
would be <1%. This is not at all comparable to the awesome bar where we
make awesome suggestions based on the user's local history such that the
user likely won't need to search the web.

[Robert Kaiser]

Jonathan Kew schrieb:

> FWIW, I see a big difference between this happening when I go to
> www.google.com and type into their web page, where it's clearer I am
> interacting with Google's server, and the same thing happening when I
> type into a Firefox search box.

You still type it right next to the Google logo, and you see the list
displayed with "suggestions" being written in there, so it's pretty obvious.
When typing in the main location bar, that's different.

And all that said, I find that more and more the only conclusive
"elevator-pitch" argument putting Firefox over all other browsers out
there right now is our emphasis on privacy. If we take that away, I see
a real problem in how to tell people in passing why they should use
Firefox instead of other offers.

Robert Kaiser

[Justin Dolske]

I completely agree with your rephrasing. :)

But the devil's in the details. We could disable cookies, Javascript,
non-SSL, etc and have a browser that is much more resistant to security
and privacy issues. Of course it would be awful to use for most people,
and so that's a tradeoff we have made. Search suggestions is not nearly
so dramatic an issue, but it's still about balancing building a
compelling feature while being mindful of privacy.

Justin

[Madhava Enros]

On Monday, August 13, 2012 8:37:11 AM UTC-4, Henri Sivonen wrote:

> I have filed this as https://bugzilla.mozilla.org/show_bug.cgi?id=765201
>
>
>
> This would mean:
>
> * No leakage for pasted URL, because they start with http:, https: or the like.
>
> * No leakage of importance when the user types "www.", since sending
>
> the data would stop at the dot.
>
> * Mitigated leakage (first component of the host name) when typing an
>
> address that doesn't start with a URL scheme or "www.".
>
> * Mitigated leakage of intranet URLs (since sending would stop at the
>
> slash when typing "fileserver/something" where "fileserver" is really
>
> a dotless hostname.
>
> * Lack of suggestions for strings that are really intended as search
>
> terms but have a dot or slash but no space.

Agreed - thank you for putting this list together.

[Monica Chew]

I agree with Asa. I also don't think many users can differentiate
between URLs and search terms [1], or the difference between a search
initiated from the awesome bar, search bar, or search engine homepage.
Isn't that why the conflation between search terms and URLs in the
omnibar/awesomebar developed in the first place?

That being said, just because the UI is already not clear in the desktop
doesn't mean that we shouldn't try to make it clear what's happening in
the phone UI, although it doesn't make sense that the phone UI should be
held to a higher standard than the desktop UI.

Monica

[1] http://jonoscript.wordpress.com/2010/02/18/some-people-cant-read-urls/

[Dao]

On 18.08.2012 01:16, Monica Chew wrote:
> On 8/16/12 1:49 AM, Asa Dotzler wrote:
>> On 8/8/2012 11:30 AM, Sid Stamm wrote:
>>> For me, it's about avoiding surprises. Firefox users may or may not
>>> realize we're sending data to any third party (in this case, Google) as
>>> they type stuff in the single text-entry field. So Google's treatment
>>> of the data isn't the focus -- their privacy policy is fine. The focus
>>> is whether or not users expect us to send data to another organization.
>>>
>>> With the proposed UI, it's not clear that the suggestions are coming as
>>> a result of queries to Google; they seem to be suggestions from Firefox
>>> saying "hey, you may want to Google these."
>>>
>>> Surprises in this scenario would manifest two types of reactions:
>>> reactions of "I didn't know you sent Google what I just typed!" and
>>> "OMG, you're using my data plan even though I don't want to search!"
>>
>> How is this different than the Search in Firefox on Windows/Mac/Linux.
>> I don't believe that I could find any mainstream Firefox users who
>> realizes that we're sending data to a third party when the user is
>> typing into the search box -- the search suggestions seem to be
>> suggestions from Firefox. The separate box probably helps us feel
>> better about some other privacy issues but I can't see how it helps at
>> all on the "avoiding surprises" front.
> I agree with Asa. I also don't think many users can differentiate
> between URLs and search terms [1]

The link you cite says that many users don't grok URLs. They'll
completely ignore them rather than confusing them with search terms.
It's true that these users will search the web more often than they'd
need to. Too bad, but this is all within the range of expected behavior.
These users don't think they enter URLs; they actually search and
consistently see the search engine's result page. No surprises.

> or the difference between a search
> initiated from the awesome bar, search bar, or search engine homepage.

I don't see how this matters for the questions at hand.

> That being said, just because the UI is already not clear in the desktop
> doesn't mean that we shouldn't try to make it clear what's happening in
> the phone UI, although it doesn't make sense that the phone UI should be
> held to a higher standard than the desktop UI.

We're not talking about a higher standard. We simply don't submit typed
domains or the search terms for autocompleted awesome bar results to
search engines on the desktop.

[Mike Hommey]

On Sat, Aug 18, 2012 at 07:22:56PM +0200, Dao wrote:
> >I agree with Asa. I also don't think many users can differentiate
> >between URLs and search terms [1]
>
> The link you cite says that many users don't grok URLs. They'll
> completely ignore them rather than confusing them with search terms.
> It's true that these users will search the web more often than
> they'd need to. Too bad, but this is all within the range of
> expected behavior. These users don't think they enter URLs; they
> actually search and consistently see the search engine's result
> page. No surprises.

There are places where web search is actually the advertized canonical
way to get to a website. In Japan, I don't think I ever saw a URL on
television. On the other hand, they advertize "keyword 検索", where
keyword is usually the name of the program or the channel, and 検索
means search.

Mike