All posts in “Mozilla”

Facebook urged to offer an API for political ad transparency research

Facebook has been called upon to provide good faith researchers with an API to enable them to study how political ads are spreading and being amplified on its platform.

A coalition of European academics, technologists and human and digital rights groups, led by Mozilla, has signed an open letter to the company demanding far greater transparency about how Facebook’s platform distributes and amplifies political ads ahead of elections to the European parliament which will take place in May.

We’ve reached out to Facebook for a reaction to the open letter.

The company had already announced it will launch some of its self-styled ‘election security’ measures in the EU before then — specifically an authorization and transparency system for political ads.

Last month its new global comms guy — former European politician and one time UK deputy prime minister, Nick Clegg — also announced that, from next month, it will have human-staffed operations centers up and running to monitor how localised political news gets distributed on its platform, with one of the centers located within the EU, in Dublin, Ireland.

But signatories to the letter argue the company’s heavily PR’ed political ad transparency measures don’t go far enough.

They also point out that some of the steps Facebook has taken have blocked independent efforts to monitor its political ad transparency claims.

Last month the Guardian reported on changes Facebook had made to its platform that restricted the ability of an external political transparency campaign group, called WhoTargetsMe, to monitor and track the flow of political ads on its platform.

The UK-based campaign group is one of more than 30 groups that have signed the open letter — calling for Facebook to stop what they couch as “harassment of good faith researchers who are building tools to provide greater transparency into the advertising on your platform”.

Other signatories include the Center for Democracy and Technology, the Open Data Institute and Reporters Without Borders.

“By restricting access to advertising transparency tools available to Facebook users, you are undermining transparencyeliminating the choice of your users to install tools that help them analyse political ads, and wielding control over good faith researchers who try to review data on the platform,” they write.

“Your alternative to these third party tools provides simple keyword search functionality and does not provide the level of data access necessary for meaningful transparency.”

The letter calls on Facebook to roll out “a functional, open Ad Archive API that enables advanced research and development of tools that analyse political ads served to Facebook users in the EU” — and do so by April 1, to enable external developers to have enough time to build transparency tools before the EU elections.

Signatories also urge the company to ensure that all political ads are “clearly distinguished from other content”, as well as being accompanied by “key targeting criteria such as sponsor identity and amount spent on the platform in all EU countries”.

Last year UK policymakers investigating the democratic impacts of online disinformation pressed Facebook on the issue of what the information it provides users about the targeting criteria for political ads. They also asked the company why it doesn’t offer users a complete opt-out from receiving political ads. Facebook’s CTO Mike Schroepfer was unable — or unwilling — to provide clear answers, instead choosing to deflect questions by reiterating the tidbits of data that Facebook has decided it will provide.

Close to a year later and Facebook users in the majority of European markets are still waiting for even a basic layer of political transparency, as the company has been allowed to continue self regulating at its own pace and — crucially — by getting to define what ‘transparency’ means (and therefore how much of the stuff users get).

Facebook launched some of these self-styled political ad transparency measures in the UK last fall — adding ‘paid for by’ disclaimers, and saying ads would be retained in an archive for seven years. (Though its verification checks had to be revised after they were quickly shown to be trivially easy to circumvent.)

Earlier in the year it also briefly suspended accepting ads paid for by foreign entities during a referendum on abortion in Ireland.

However other European elections — such as regional elections — have taken place without Facebook users getting access to any information about the political ads they’re seeing or who’s paying for them.

The EU’s executive body has its eye on the issue. Late last month the European Commission published the first batch of monthly ‘progress reports’ from platforms and ad companies that signed up to a voluntary code of conduct on political disinformation that was announced last December — saying all signatories need to do a lot more and fast.

On Facebook specifically, the Commission said it needs to provide “greater clarity” on how it will deploy consumer empowerment tools, and also boost its cooperation with fact-checkers and the research community across the whole EU — with commissioner Julian King singling the company out for failing to provide independent researchers with access to its data.

Today’s open letter from academics and researchers backs up the Commission’s assessment of feeble first efforts from Facebook and offers further fuel to feed its next monthly assessment.

The Commission has continued to warn it could legislate on the issue if platforms fail to step up their efforts to tackle political disinformation voluntarily.

Pressuring platforms to self-regulate has its own critics too, of course — who point out that it does nothing to tackle the core underlying problem of platforms having too much power in the first place…

Is that fancy smart gadget a privacy nightmare? A new guide has answers.

A million watchful eyes.
A million watchful eyes.


These days, even your teddy bear might be out to get you. 

As the inevitable creep of “smart” features and products continues to turn everything from your refrigerator to your thermostat into a connected device, it’s worth taking a moment to consider just what you’re giving up in exchange for this wannabe Jetsons future. Thankfully, Mozilla has done a lot of that work for you with a new guide dedicated to just how insecure many smart devices are. 

It’s right in time for the end-of-year shopping season, meaning you have no excuse to buy your parents one of these potentially compromised electronic gadgets as a holiday gift. And, if you send them the guide, they won’t have an excuse for buying you one, either. 

The Privacy Not Included guide, released Nov. 14, takes a look at a range of products and evaluates them on a host of basic security standards. After all, you should know if a company is publicizing your fitness tracker data, or if your internet-connected sex toy can be easily hacked

According to Mozilla, there are five minimum things that a product or company must do in order to avoid being a complete privacy disaster for its customers. 

“The product must use encryption,” explains the guide, “the company must provide automatic security updates, if a product uses a password, it must require a strong password, the company must have a way to manage security vulnerabilities found in their products, and the company must have an accessible privacy policy.”

The categories of products rated — toys and games, smart home, entertainment, wearables, health and exercise, and pets — cover much of the connected-gadget space, and make it clear that Mozilla isn’t playing nice. 

Take, for example, its description of the Amazon Echo Show and Dot. “Now you don’t just get to wonder if Alexa is listening to you, you get to wonder if she’s watching as well.” 

A nifty infographic breaks it down even further. 

Details on the Amazon Echo Show and Dot.

Details on the Amazon Echo Show and Dot.

Image: screenshot / mozilla

Mozilla also took the unique approach of asking people to vote on a product’s creepiness factor. For example, 61 percent of people who voted on the Amazon Echo Show and Dot said it was “super creepy,” and 80 percent said they were “not likely to buy it.”

Importantly, Mozilla didn’t just do this to dunk on smart device manufacturers. Rather, the non-profit was actually trying to put some power back in the hands of consumers. 

“We hope this guide helps consumers make smart and more informed holiday shopping decisions,” explained Mozilla’s vice president of advocacy Ashley Boyd in a press release, “while also inspiring them to demand that companies make it a priority to offer products that protect their privacy and security.” 

Here’s to hoping that consumer demand, armed with Mozilla’s guide, doesn’t fall on deaf corporate ears. 

Https%3a%2f%2fblueprint api uploaders%2fdistribution thumb%2fimage%2f86837%2f2d11b186 7b8f 4788 bd2a 0e1811988b13

Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security

If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.

Each of the dozens of toys and devices is graded on a number of measures: what data does it collect? Is that data encrypted when it is transmitted? Who is it shared with? Are you required to change the default password? And what’s the worst case scenario if something went wrong?

Some of the security risks are inherent to the product — for example, security cameras can potentially see things you’d rather they didn’t — but others are oversights on the part of the company. Security practices like respecting account deletion, not sharing data with third parties, and so on.

At the top of the list are items getting most of it right — this Mycroft smart speaker, for instance, uses open source software and the company that makes it makes all the right choices. Their privacy policy is even easy to read! Lots of gadgets seem just fine, really. This list doesn’t just trash everything.

On the other hand, you have something like this Dobby drone. They don’t seem to even have a privacy policy — bad news when you’re installing an app that records your location, HD footage, and other stuff! Similarly, this Fredi baby monitor comes with a bad password you don’t have to change, and has no automatic security updates. Are you kidding me? Stay far, far away.

All together 33 of the products met Mozilla’s recently proposed “minimum security standards” for smart devices (and got a nice badge); 7 failed, and the rest fell somewhere in between. In addition to these official measures there’s a crowd-sourced (hopefully not to be gamed) “creep-o-meter” where prospective buyers can indicate how creepy they find a device. But why is BB-8 creepy? I’d take that particular metric with a grain of salt.

Pocket’s reading app won’t sound so robotic now

Last year, Mozilla made its first acquisition by snatching up Pocket, the Instapaper competitor that helps you save longer articles for later reading. Today, this popular reading app is getting a major update that gives its app a visual makeover, including a new dark mode, and most importantly, a better way to listen to the content you’ve saved.

Pocket had added a text-to-speech feature several years ago, so you could listen to an audio version of your saved articles, instead of reading them. Instapaper today offers a similar option.

But these text-to-speech engines often sound robotic and mangle words, leading to a poor listening experience. They’ll work in a pinch when you really need to catch up with some reading, and can’t sit down to do it. But they’re definitely not ideal.

Today, Pocket is addressing this problem with the launch of a new listening feature that will allow for a more human-sounding voice. On iOS and Android, the listen feature will be powered by Amazon Polly, Mozilla says.

First introduced at Amazon’s re:Invent developer event in November 2016, Polly uses machine learning technologies to deliver more life-like speech. Polly also understands words in context. For example, it knows that the word “live” would be pronounced differently based on its usage. (E.g. “I live in Seattle” vs. “Live from New York.”) The technology has evolved since to support speech marks, a timbre effect, and dynamic range compression, among other things.

To take advantage of the updated “Listen” feature, users just tap the new icon in the top-left corner of the Pocket mobile app to start playing their articles. It’s like your own personalized podcast, Mozilla notes.

In addition, the app has been given a redesign that gives it a clean, less cluttered look-and-feel, and introduces a new app-wide dark mode and sephia themes, for those who want a different sort of reading experience.

The redesign includes updated typography and fonts, focused on making long reads more comfortable, as well.

[embedded content]

“At Mozilla, we love the web. Sometimes we want to surf, and the Firefox team has been working on ways to surf like an absolute champ with features like Firefox Advance,” said Mark Mayo, Chief Product Officer at Firefox, in a statement about the launch. “Sometimes, though, we want to settle down and read or listen to a few great pages. That’s where Pocket shines, and the new Pocket makes it even easier to enjoy the best of the web when you’re on the go in your own focused and uncluttered space,” he said.

The updated version of Pocket is live on the web, iOS and Android, as of today.

Mozilla pushes PayPal to make Venmo transactions private by default

Earlier this year, the FTC settled with PayPal over the company’s handling of privacy disclosures in its peer-to-peer payments app Venmo, but Mozilla doesn’t think the changes Venmo made as a result went far enough. This week, Mozilla says it delivered a petition signed by 25,000 Americans asking Venmo to set transactions shared in its app to private by default, instead of public.

As Mozilla explains, “millions of Venmo users’ spending habits are available for anyone to see. That’s because Venmo transactions are currently public by default — unless users manually update their settings, anyone, anywhere can see whom they’re sending money to, and why.”

Many Venmo users likely feel that it’s not very dangerous to share through Venmo’s feed – a key feature of its popular payments app – that they paid back a friend for part of the dinner, drinks or some concert tickets, for example.

But a Berlin-based researcher, Hang Do Thi Duc, recently studied the risks associated with this sort of over-sharing.

Do Thi Duc analyzed more than 200 million public Venmo transactions made in 2017 by accessing the data through a public API. This allowed her to see the names, dates, and transactions of Venmo users. She found that a lot could actually be gleaned from this data, including users’ drug habits in some cases, as well as their relationships, junk food habits, location, daily routines, personal finances, rent payments, and more.

In other words, while the individual transaction itself may seem harmless, in aggregate these transactions can be very revealing about the person in question.

[embedded content]

Mozilla says it, along with Ipsos, also polled 1,009 Americans how they felt about Venmo’s “public by default” nature. 77% said they didn’t think that should be the case, and 92% said they don’t support Venmo’s justifications for making them public. (It thinks sharing is fun, basically.)

Venmo didn’t respond to Mozilla’s petition directly, but tells TechCrunch via a spokesperson that its takes its users’ trust seriously.

“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” the spokesperson said. “The safety and privacy of Venmo users and their information is always a top priority. Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously,” they added.

The company also pointed out it takes several steps to ensure some level of user protection, including not making sensitive transactions public, never publishing dollar amounts, and allowing users to control the publicity of the item, even after the fact.

As part of the FTC settlement, Venmo also had to make other changes, as well.

The company now has to explain to new and existing users how to limit the visibility of transactions through the use of privacy settings.

We recently saw this in the updated Venmo app, in fact.

Users are walked through a tutorial that spells out how you can change settings to make transactions private by default, or any time you choose.

Mozilla’s petition comes at a time when PayPal has been weighing whether or not it should change the default in Venmo from public to private, according to a report from Bloomberg last month.

Thanks to large-scale scandals like Cambridge Analytica and others involving user data being overexposed, timed alongside the rollout of new privacy regulations like Europe’s GDPR, many companies are reviewing their data protection policies.

Venmo’s casual over-sharing now feels like a holdover from an earlier, more naive time on the web, and it wouldn’t be surprising if it decided to later adjust the app’s settings to match where consumer sentiment is headed today.