
Re: Anonymous metrics collection from Firefox

From:  beltzner <mbeltzner-AT-gmail.com>
To:  Benjamin Smedberg <benjamin-AT-smedbergs.us>
Subject:  Re: Anonymous metrics collection from Firefox
Date:  Mon, 6 Feb 2012 15:12:22 -0500
Message-ID:  <CAJM_dsre62jHokA-+iBP6sHpkR9BA-Z9q5H101==AOb_nGqNww@mail.gmail.com>
Cc:  "mozilla.dev.planning group" <dev-planning-AT-lists.mozilla.org>

The wiki page is pretty clear about goals for the feature ("ability to
measure adoption, retention, stability, performance, and aggregated
search counts by engine") as well as requirements for success. What
it's lacking, other than in terms of caveats and warnings throughout
the documentation, is against which privacy principles those
requirements must be evaluated.

Recently Ben Adida posted on the Mozilla Privacy Blog
(http://blog.mozilla.com/privacy/2012/01/13/mozilla-to-off...)
outlining a series of design guidelines to use when designing new
features, and committing Mozilla to a basic policy of "no surprises,
real choices, sensible settings, limited data, and user control." I
think that the Data Safety Team he outlines in that post should
evaluate the proposal (once it reaches a final stage, see below!)
using those guidelines and make a judgement on whether or not it
meets the plain-language policy as stated.

The other thing the wiki page is lacking is an understanding of who is
running the project aside from the "metrics team." A clear project
owner should be identified, I think, so that we can better know what's
in plan, in flux, etc. Once there's a final proposal about what's to
happen, it can be judged and evaluated from a privacy perspective.

Our shared goal should be to try and design a system by which we
accomplish the laudable goals and requirements of the metrics team
(plainly: better understanding our product, its users, and how it's
being used) in a way that meets our high standards for data
sovereignty and privacy. We must build a better mousetrap. I suggest
people look to the Crash Stats efforts to this end, as they have long
avoided privacy-invasive actions (at non-trivial cost) while still
mining the available data to gain significant understanding of our
broad user base's experience with the browser.

Finally, and my own personal $0.02 on the issue: I think there are
ways of pre-cleaning data so that you get the benefit of aggregate
data collection (double-blinding, binning and grouping, etc) and the
easiest way to figure those ways out is to begin with the question:
what is the end state we're trying to get to? No data should be
collected without understanding exactly how that data will be
presented to its consumers; that way you can be sure to only collect
the minimum amount of data required to answer the question.

cheers,
mike

ps: let's remember that we're all on the same team here, and all want
what's best for Firefox and its users; think carefully before writing,
and always assume the best of your colleagues and community members
when participating in this discussion!
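The "pre-cleaning" Mike mentions (binning, grouping, collecting only what the final report needs) can be made concrete. The following is an added illustration, not code from Mike's message, from Mozilla's metrics project, or from Firefox: the field names (days_since_install, search_engine, locale), the bin edges, the engine list and the sample records are all constructed for the example. The client reduces each raw record to the two coarse fields the report actually uses and drops the rest; the aggregation side counts per bin and suppresses any cell whose count falls below a threshold, so a rare combination cannot single out one user.

```python
"""Data-minimising aggregation for browser metrics (constructed example).

Report being produced (the "end state" question): clients per install-age
bin (retention) and clients per search engine (search share). Nothing else
is transmitted. Sample records and field names are hypothetical.
"""
from collections import Counter

# Constructed raw records as a client might hold them locally. Only two of
# the three fields are needed for the report; "locale" is never sent.
SAMPLE_RECORDS = [
    {"days_since_install": 1,   "search_engine": "google",     "locale": "en-US"},
    {"days_since_install": 2,   "search_engine": "bing",       "locale": "en-GB"},
    {"days_since_install": 5,   "search_engine": "google",     "locale": "de"},
    {"days_since_install": 9,   "search_engine": "google",     "locale": "fr"},
    {"days_since_install": 12,  "search_engine": "bing",       "locale": "en-US"},
    {"days_since_install": 20,  "search_engine": "google",     "locale": "pl"},
    {"days_since_install": 45,  "search_engine": "yahoo",      "locale": "ja"},
    {"days_since_install": 100, "search_engine": "google",     "locale": "en-US"},
    {"days_since_install": 400, "search_engine": "duckduckgo", "locale": "nl"},
    {"days_since_install": 401, "search_engine": "google",     "locale": "es"},
    {"days_since_install": 800, "search_engine": "bing",       "locale": "en-US"},
    {"days_since_install": 900, "search_engine": "ecosia",     "locale": "de"},
]

# Bins for a continuous value: (lower inclusive, upper exclusive, label).
# Hypothetical edges; an exact install date would be far more identifying.
INSTALL_AGE_BINS = [
    (0, 7, "0-6d"),
    (7, 30, "7-29d"),
    (30, 90, "30-89d"),
    (90, None, "90d+"),
]

# Engines reported by name; everything else is grouped into "other" so a
# rarely used engine cannot act as a quasi-identifier. Hypothetical list.
NAMED_ENGINES = {"google", "bing", "yahoo"}


def bin_install_age(days):
    """Map an exact day count onto its coarse bin label."""
    for lo, hi, label in INSTALL_AGE_BINS:
        if days >= lo and (hi is None or days < hi):
            return label
    raise ValueError(f"install age out of range: {days}")


def group_engine(engine):
    """Collapse engines outside the named set into a single 'other' group."""
    return engine if engine in NAMED_ENGINES else "other"


def client_report(raw):
    """Client-side reduction: only the two coarse fields the report needs
    leave the machine. Any field not in the report is dropped here."""
    return {
        "install_age": bin_install_age(raw["days_since_install"]),
        "engine": group_engine(raw["search_engine"]),
    }


def suppress_small_cells(counter, min_count):
    """Drop cells with fewer than min_count clients; report how many
    clients were withheld so the totals remain honest."""
    kept = {key: n for key, n in counter.items() if n >= min_count}
    dropped = sum(n for n in counter.values() if n < min_count)
    return {"cells": kept, "suppressed": dropped}


def aggregate(reports, min_count=2):
    """Server-side aggregation over already-minimised reports. Returns
    (clients per install-age bin, clients per engine group). min_count is
    deliberately tiny here to fit the sample; production thresholds are
    higher."""
    by_age = Counter(r["install_age"] for r in reports)
    by_engine = Counter(r["engine"] for r in reports)
    return (suppress_small_cells(by_age, min_count),
            suppress_small_cells(by_engine, min_count))


if __name__ == "__main__":
    reports = [client_report(r) for r in SAMPLE_RECORDS]
    by_age, by_engine = aggregate(reports)
    print("retention by install age:", by_age)
    print("search share by engine:  ", by_engine)
```

On the sample, the single "30-89d" client and the single "yahoo" client are withheld from the published tables, and the two rare engines surface only as "other". The design choice worth noting is where the reduction happens: binning and grouping in client_report means the exact values never reach the collector, which is a stronger guarantee than cleaning after receipt.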



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds