It would be remiss of me not to pass on news that Mozilla have finally crafted a strategy for phishing protection in Firefox. It actually took me a few days to realise this is news, indeed, the news we had been working towards for when the fight against phishing was still browser-centric. But I'm no longer looking in that area as the threats have moved on - frequent readers of FC need no reminder of that - and Mozilla's actions may be welcome albeit late.
Unfortunately, Mozilla appear to be shooting themselves in the feet. At least, they have taken a direction that is mysterious to those of us in the open source world: They have partnered with Google to use their central database to monitor for phishing sites.
The more I think of it, the only way to understand it is if one considers Mozilla Corporation as a commercial entity, only. They have partnered with another big player, rather than work with the community of software developers. This is what companies do - there is a preference to work with players larger than themselves if possible as that improves their brand and strength, and which helps them for the next deal. As Google and Mozilla have a strong relationship, and much funding has come via their google search box placement and other deals, it makes sense to further the relationship rather than go with Netcraft or Microsoft or the other central database players. And if one considers the offerings of other parties in the central database wars, it may well be that Google's are the best, or the least bad, depending on how you view it.
This all makes good business sense. But it comes with dangers - serious if not blindingly obvious ones. Firstly, Google's reputation has shifted from being the honest white knight riding in to save us from the evil Microsoft with amazing googley solutions .. to one of being the sneaky invader of all our data. Although not yet seen as 'evil' as Microsoft, their original strong capital from the 'do no evil' motto is now frittered away and they are seen as somewhere like 'evil in evolution' or perhaps 'evil in training'. (I see this a lot in the arts community where there are many projects looking at a future world of Google as master of our data - Google's recent foray in court against USG helped some there, but not enough to sway the undercurrent of concern.)
Mozilla for their part had a fantastic image in the public's mind as being a volunteer, open source, public minded organisation. But this view has also suffered, perhaps inevitably due to growth and the runaway success of Firefox, but also due to decisions made. Now, Mozilla is quite happily planning to pass all the URLs across without even debating it with the users ... Mozilla's good reputation can only suffer from this arrogance.
Mozilla's support base still believes that it is an open source operation, and this is a second danger. Such deals are not acceptable in that world and over on Mitchell's blog, she tussles with that dilemma:
A number of the comments I received refer to the dangers of doing anything with money. They express the concern that any programs involving money run the risk of contaminating our community, or of turning it into a mercenary group interested only in money. I understand the risks. I also believe there are risks in ignoring money. Firefox generates revenue now, that's a fact. So we need to deal with money. (And we have the privilege of being able to employ people to work full time on Mozilla, which I believe is necessary for a project of our size and scope. Not all open source projects believe this however, and some are wary of employees or almost any activity that requires the distribution of funds.)
When volunteers work for free and take away slices of their own lives to devote to the cause of getting good, free software out there, they do not expect someone else to then take it and rape it for their own profit. Especially, in preferring a good financial deal over the user's needs for privacy, and ignoring the free offerings of their own community, these decisions will only serve to exacerbate the split between Mozilla Corp's newly discovered commerciality and the original long-term support-base of volunteers.
This calls for a quite serious change management exercise, and also has severe ramifications for the brand. It's pretty clear that Mozilla knows as much about branding as the average brand manager knows about software. E.g., so close to nothing it is worthless or dangerous, notwithstanding their accidental acquiring of the stunning Firefox brand. Or, perhaps that underscores the point - the brand was as much or more built by community efforts.
To their credit, Mozilla now seems to know this: MBA preferred. Thank heavens for that. Some tips, to be violently ignored like all the earlier free "community" advice, no doubt: MBAs know the basics of branding but they are not specialists, and Mozilla probably needs a specialist in this area now, as well as a PR specialist. Evidently... Further, MBAs are just as useful over on the tech side. Some recent writings by Mitchell may also indicate that the coding monoculture that is Mozilla's archilles heel is finally being addressed:
Another issue is that we don't have an established path to meritocracy for non-technical roles. For potential developers, we know about several paths for getting involved and developing legitimacy - we know about the Quality Assurance path, we know about fixing bugs, we know something about hacking on the code, we know about writing a great extension and so on. We also have clear ways of identifying a person's known expertise -- they may be a peer for code, a "module owner" for code, etc. All of these are reasonably well understood roles within the project that convey a person's expertise.We don't have analogous paths for non-engineering roles. We don’t yet have ways for the non-engineering staff to indicate the scope of expertise of their colleagues.
Why is this Mozilla's archillies heel? It's been two years since people outside the above formal 'meritocracy' paths have been suggesting the path that was announced last week!
All that said, and drying our eyes over spilt milk, I'm not sure you need an MBA to tell you that handing over data is not a good strategy for the today's market. If you read the newspapers (any of them in America at least since February of 2005) you would have known that the hot issue for the public mind when it comes to IT and the net was and remains data safety - identity theft and the like.
So at a minimum, there must be some expectation that this has to have been discussed at great length within the company. So why no realisation that this could be a PR disaster?
Posted by iang at June 7, 2006 12:10 PM | TrackBackI think, you're being a bit unfair to Mozilla and Google here. Indeed, Google is best positioned to find phishing sites and it would be nice of them to provide all of us with some help in identifiing them. It would also be nice of Mozilla to build this capability into their next browser.
Finally, it does not necessarily entail sending all URLs for check to Google; it's neither practical nor necessary.
Here's how I would do it: create a LOAF of phishing sites -- a (let's say 1 megabit) array of bits, where phishing sites are denoted by ones in the following way: the phishing URL is hashed and the last few (in this example 20) bits are used as an address in the LOAF. Only suspects (those colliding with this 20-bit hash of phishing sites) are sent over to Google for verification.
This solution would be efficient and privacy-preserving at the same time. I won't be surprised if the actual thing was something along these lines.
Iang wrote:
> It seems to be the central database model, which I
> sometimes call the Netcraft model:
Gets better, google just got more access to your information...
"Google has just released the Google Browser Sync extension [CC] for Firefox. This extension allows you to save your bookmarks, history and passwords on Google servers, effectively giving you a 'roaming profile,' which you can sync on any computer running Firefox (and the extension, of course)."
http://www.google.com/tools/firefox/browsersync/index.html
Posted by: Duane at June 9, 2006 05:25 AMHi Daniel, thanks for taking me to task! Here's my response, somewhat belated.
1. is Google the Best?
It is perhaps plausible that Google is well positioned to manage a database of potential phishing sites. But, consider that this is actually an "old" idea. I understand that Netcraft published the first version, and since then I've seen 6 or so variants. Which is to say, why Google? Why not me? Why not the US Department of Justice? The KGB?
Centralisation is a seductive concept. Although their implementation may be googley, does this really merit taking the risk that this information will inevitably be attached for other purposes?
2. Does Google preserve Privacy?
It didn't occur to me to consider whether they have designed in some privacy preserving system. That's because I assume it to be irrelevant to the long run. If they do privacy preserving now, that just means that they will unwind that some time in the future, when it becomes convenient.
Of course, I can't promise that. But experience with large corporations and such data issues would make assuming any other thing unreasonable. "First they say they don't collect that data, then they say ..."
I suppose to put this in a different context, let us consider that Google just successfully defended against an attempt of USDOJ to mine their data for some bogus reason or another. The other companies didn't bother. So Google is good, right? No, they are young. When they are as old as Yahoo or Microsoft or eBay, they won't be challenging in court. That's my prediction.
3. Is it unfair to criticise?
Well, I think the above answers it. If there is any merit in those arguments, someone has to criticise it (much as I hate being the public whipping boy here). Otherwise they'll just snowball the issue again and again, which is easier than doing the debate properly. Neither of these organisations seem to have engaged in public debate on this issue of privacy - that's fair?
Posted by: Iang at June 10, 2006 02:50 PM