All posts in “Mozilla”

Is that fancy smart gadget a privacy nightmare? A new guide has answers.

A million watchful eyes.

Image: MIKAEL BUCK / REX / SHUTTERSTOCK

These days, even your teddy bear might be out to get you. 

As the inevitable creep of “smart” features and products continues to turn everything from your refrigerator to your thermostat into a connected device, it’s worth taking a moment to consider just what you’re giving up in exchange for this wannabe Jetsons future. Thankfully, Mozilla has done a lot of that work for you with a new guide dedicated to just how insecure many smart devices are. 

It’s right in time for the end-of-year shopping season, meaning you have no excuse to buy your parents one of these potentially compromised electronic gadgets as a holiday gift. And, if you send them the guide, they won’t have an excuse for buying you one, either. 

The Privacy Not Included guide, released Nov. 14, takes a look at a range of products and evaluates them on a host of basic security standards. After all, you should know if a company is publicizing your fitness tracker data, or if your internet-connected sex toy can be easily hacked.

According to Mozilla, there are five minimum things that a product or company must do in order to avoid being a complete privacy disaster for its customers. 

“The product must use encryption,” explains the guide, “the company must provide automatic security updates, if a product uses a password, it must require a strong password, the company must have a way to manage security vulnerabilities found in their products, and the company must have an accessible privacy policy.”

The categories of products rated — toys and games, smart home, entertainment, wearables, health and exercise, and pets — cover much of the connected-gadget space, and make it clear that Mozilla isn’t playing nice. 

Take, for example, its description of the Amazon Echo Show and Dot. “Now you don’t just get to wonder if Alexa is listening to you, you get to wonder if she’s watching as well.” 

A nifty infographic breaks it down even further. 

Details on the Amazon Echo Show and Dot.

Image: screenshot / mozilla

Mozilla also took the unique approach of asking people to vote on a product’s creepiness factor. For example, 61 percent of people who voted on the Amazon Echo Show and Dot said it was “super creepy,” and 80 percent said they were “not likely to buy it.”

Importantly, Mozilla didn’t just do this to dunk on smart device manufacturers. Rather, the non-profit was actually trying to put some power back in the hands of consumers. 

“We hope this guide helps consumers make smart and more informed holiday shopping decisions,” explained Mozilla’s vice president of advocacy Ashley Boyd in a press release, “while also inspiring them to demand that companies make it a priority to offer products that protect their privacy and security.” 

Here’s to hoping that consumer demand, armed with Mozilla’s guide, doesn’t fall on deaf corporate ears. 


Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security

If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.

Each of the dozens of toys and devices is graded on a number of measures: what data does it collect? Is that data encrypted when it is transmitted? Who is it shared with? Are you required to change the default password? And what’s the worst case scenario if something went wrong?

Some of the security risks are inherent to the product — for example, security cameras can potentially see things you’d rather they didn’t — but others are oversights on the part of the company: security practices like respecting account deletion, not sharing data with third parties, and so on.

At the top of the list are items getting most of it right — this Mycroft smart speaker, for instance, uses open source software and the company that makes it makes all the right choices. Their privacy policy is even easy to read! Lots of gadgets seem just fine, really. This list doesn’t just trash everything.

On the other hand, you have something like this Dobby drone. They don’t seem to even have a privacy policy — bad news when you’re installing an app that records your location, HD footage, and other stuff! Similarly, this Fredi baby monitor comes with a bad password you don’t have to change, and has no automatic security updates. Are you kidding me? Stay far, far away.

Altogether, 33 of the products met Mozilla’s recently proposed “minimum security standards” for smart devices (and got a nice badge); 7 failed, and the rest fell somewhere in between. In addition to these official measures there’s a crowd-sourced (hopefully not to be gamed) “creep-o-meter” where prospective buyers can indicate how creepy they find a device. But why is BB-8 creepy? I’d take that particular metric with a grain of salt.

Pocket’s reading app won’t sound so robotic now

Last year, Mozilla made its first acquisition by snatching up Pocket, the Instapaper competitor that helps you save longer articles for later reading. Today, this popular reading app is getting a major update that gives its app a visual makeover, including a new dark mode, and most importantly, a better way to listen to the content you’ve saved.

Pocket had added a text-to-speech feature several years ago, so you could listen to an audio version of your saved articles, instead of reading them. Instapaper today offers a similar option.

But these text-to-speech engines often sound robotic and mangle words, leading to a poor listening experience. They’ll work in a pinch when you really need to catch up with some reading, and can’t sit down to do it. But they’re definitely not ideal.

Today, Pocket is addressing this problem with the launch of a new listening feature that will allow for a more human-sounding voice. On iOS and Android, the listen feature will be powered by Amazon Polly, Mozilla says.

First introduced at Amazon’s re:Invent developer event in November 2016, Polly uses machine learning technologies to deliver more life-like speech. Polly also understands words in context. For example, it knows that the word “live” would be pronounced differently based on its usage. (E.g. “I live in Seattle” vs. “Live from New York.”) The technology has evolved since to support speech marks, a timbre effect, and dynamic range compression, among other things.

To take advantage of the updated “Listen” feature, users just tap the new icon in the top-left corner of the Pocket mobile app to start playing their articles. It’s like your own personalized podcast, Mozilla notes.

In addition, the app has been given a redesign that gives it a clean, less cluttered look-and-feel, and introduces new app-wide dark mode and sepia themes, for those who want a different sort of reading experience.

The redesign includes updated typography and fonts, focused on making long reads more comfortable, as well.


“At Mozilla, we love the web. Sometimes we want to surf, and the Firefox team has been working on ways to surf like an absolute champ with features like Firefox Advance,” said Mark Mayo, Chief Product Officer at Firefox, in a statement about the launch. “Sometimes, though, we want to settle down and read or listen to a few great pages. That’s where Pocket shines, and the new Pocket makes it even easier to enjoy the best of the web when you’re on the go in your own focused and uncluttered space,” he said.

The updated version of Pocket is live on the web, iOS and Android, as of today.

Mozilla pushes PayPal to make Venmo transactions private by default

Earlier this year, the FTC settled with PayPal over the company’s handling of privacy disclosures in its peer-to-peer payments app Venmo, but Mozilla doesn’t think the changes Venmo made as a result went far enough. This week, Mozilla says it delivered a petition signed by 25,000 Americans asking Venmo to set transactions shared in its app to private by default, instead of public.

As Mozilla explains, “millions of Venmo users’ spending habits are available for anyone to see. That’s because Venmo transactions are currently public by default — unless users manually update their settings, anyone, anywhere can see whom they’re sending money to, and why.”

Many Venmo users likely feel that it’s not very dangerous to share through Venmo’s feed – a key feature of its popular payments app – that they paid back a friend for part of the dinner, drinks or some concert tickets, for example.

But a Berlin-based researcher, Hang Do Thi Duc, recently studied the risks associated with this sort of over-sharing.

Do Thi Duc analyzed more than 200 million public Venmo transactions made in 2017 by accessing the data through a public API. This allowed her to see the names, dates, and transactions of Venmo users. She found that a lot could actually be gleaned from this data, including users’ drug habits in some cases, as well as their relationships, junk food habits, location, daily routines, personal finances, rent payments, and more.

In other words, while the individual transaction itself may seem harmless, in aggregate these transactions can be very revealing about the person in question.


Mozilla says it, along with Ipsos, also polled 1,009 Americans on how they felt about Venmo’s “public by default” nature. 77% said they didn’t think that should be the case, and 92% said they don’t support Venmo’s justifications for making transactions public. (It thinks sharing is fun, basically.)

Venmo didn’t respond to Mozilla’s petition directly, but tells TechCrunch via a spokesperson that it takes its users’ trust seriously.

“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” the spokesperson said. “The safety and privacy of Venmo users and their information is always a top priority. Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously,” they added.

The company also pointed out that it takes several steps to ensure some level of user protection, including not making sensitive transactions public, never publishing dollar amounts, and allowing users to control the visibility of each item, even after the fact.

As part of the FTC settlement, Venmo also had to make other changes.

The company now has to explain to new and existing users how to limit the visibility of transactions through the use of privacy settings.

We recently saw this in the updated Venmo app, in fact.

Users are walked through a tutorial that spells out how you can change settings to make transactions private by default, or any time you choose.

Mozilla’s petition comes at a time when PayPal has been weighing whether or not it should change the default in Venmo from public to private, according to a report from Bloomberg last month.

Thanks to large-scale scandals like Cambridge Analytica and others involving user data being overexposed, timed alongside the rollout of new privacy regulations like Europe’s GDPR, many companies are reviewing their data protection policies.

Venmo’s casual over-sharing now feels like a holdover from an earlier, more naive time on the web, and it wouldn’t be surprising if it decided to later adjust the app’s settings to match where consumer sentiment is headed today.

Answering its critics, Google loosens reins on AMP project

Accelerated Mobile Pages, or AMP, has been a controversial project since its debut. The need for the framework has been clear: the payloads of mobile pages can be just insane, what with layers and layers of images, JavaScript, ad networks, and more slowing down page rendering time and costing users serious bandwidth on metered plans.

Yet, the framework has been aggressively foisted on the community by Google, which has backed the project not just with technical talent, but also by making algorithmic changes to its search results that have essentially mandated that pages comply with the AMP project’s terms — or else lose their ranking on mobile searches.

Even more controversially, as part of making pages faster, the AMP project uses caches of pages on CDNs — which are hosted by Google (and also Cloudflare now). That meant that Google’s search results would direct a user to an AMP page hosted by Google, effectively cutting out the owner of the content in the process.

The project has been led by Malte Ubl, a senior staff engineer working on Google’s JavaScript infrastructure projects, who has until now held effective unilateral control over the project.

In the wake of all of this criticism, the AMP project announced today that it would reform its governance, replacing Ubl as the exclusive tech lead with a technical steering committee composed of companies invested in the success of the project. Notably, the project’s stated intention has an “…end goal of not having any company sit on more than a third of the seats.” In addition, the project will create an advisory board and working groups to shepherd the project’s work.

The project is also expected to move to a foundation in the future. These days, there are a number of places such a project could potentially reside, including the Apache Software Foundation and the Mozilla Foundation.

While the project has clearly had its detractors, the performance improvements that AMP has been fighting for are certainly meritorious. With this more open governance model, the project may get deeper support from other browser makers like Apple, Mozilla, and Microsoft, as well as the broader open source community.

And while Google has certainly been the major force behind the project, it has also been popular among open source software developers. Since the project’s launch, there have been 710 contributors to the project according to its statistics, and the project (attempting to emphasize that it is not a Google monopoly) notes that more than three quarters of those contributors don’t work at Google.

Nonetheless, more transparency and community involvement should help to accelerate Accelerated Mobile Pages. The project will host its contributor summit next week at Google’s headquarters in Mountain View, where these governance changes as well as the technical and design roadmaps for the project will be top of mind for attendees.