It would be remiss of me not to pass on news that Mozilla have finally crafted a strategy for phishing protection in Firefox. It actually took me a few days to realise this is news; indeed, it is the news we had been working towards when the fight against phishing was still browser-centric. But I'm no longer looking in that area as the threats have moved on - frequent readers of FC need no reminder of that - and Mozilla's actions may be welcome albeit late.
Unfortunately, Mozilla appear to be shooting themselves in the feet. At least, they have taken a direction that is mysterious to those of us in the open source world: They have partnered with Google to use their central database to monitor for phishing sites.
The more I think of it, the only way to understand it is if one considers Mozilla Corporation as a commercial entity, only. They have partnered with another big player, rather than work with the community of software developers. This is what companies do - there is a preference to work with players larger than themselves if possible as that improves their brand and strength, and which helps them for the next deal. As Google and Mozilla have a strong relationship, and much funding has come via their Google search box placement and other deals, it makes sense to further the relationship rather than go with Netcraft or Microsoft or the other central database players. And if one considers the offerings of other parties in the central database wars, it may well be that Google's are the best, or the least bad, depending on how you view it.
This all makes good business sense. But it comes with dangers - serious if not blindingly obvious ones. Firstly, Google's reputation has shifted from being the honest white knight riding in to save us from the evil Microsoft with amazing googley solutions .. to one of being the sneaky invader of all our data. Although not yet seen as 'evil' as Microsoft, their original strong capital from the 'do no evil' motto is now frittered away and they are seen as somewhere like 'evil in evolution' or perhaps 'evil in training'. (I see this a lot in the arts community where there are many projects looking at a future world of Google as master of our data - Google's recent foray in court against USG helped some there, but not enough to sway the undercurrent of concern.)
Mozilla for their part had a fantastic image in the public's mind as being a volunteer, open source, public minded organisation. But this view has also suffered, perhaps inevitably due to growth and the runaway success of Firefox, but also due to decisions made. Now, Mozilla is quite happily planning to pass all the URLs across without even debating it with the users ... Mozilla's good reputation can only suffer from this arrogance.
Mozilla's support base still believes that it is an open source operation, and this is a second danger. Such deals are not acceptable in that world and over on Mitchell's blog, she tussles with that dilemma:
A number of the comments I received refer to the dangers of doing anything with money. They express the concern that any programs involving money run the risk of contaminating our community, or of turning it into a mercenary group interested only in money. I understand the risks. I also believe there are risks in ignoring money. Firefox generates revenue now, that's a fact. So we need to deal with money. (And we have the privilege of being able to employ people to work full time on Mozilla, which I believe is necessary for a project of our size and scope. Not all open source projects believe this however, and some are wary of employees or almost any activity that requires the distribution of funds.)
When volunteers work for free and take away slices of their own lives to devote to the cause of getting good, free software out there, they do not expect someone else to then take it and rape it for their own profit. Especially, in preferring a good financial deal over the user's needs for privacy, and ignoring the free offerings of their own community, these decisions will only serve to exacerbate the split between Mozilla Corp's newly discovered commerciality and the original long-term support-base of volunteers.
This calls for a quite serious change management exercise, and also has severe ramifications for the brand. It's pretty clear that Mozilla knows as much about branding as the average brand manager knows about software. I.e., so close to nothing it is worthless or dangerous, notwithstanding their accidental acquiring of the stunning Firefox brand. Or, perhaps that underscores the point - the brand was as much or more built by community efforts.
To their credit, Mozilla now seems to know this: MBA preferred. Thank heavens for that. Some tips, to be violently ignored like all the earlier free "community" advice, no doubt: MBAs know the basics of branding but they are not specialists, and Mozilla probably needs a specialist in this area now, as well as a PR specialist. Evidently... Further, MBAs are just as useful over on the tech side. Some recent writings by Mitchell may also indicate that the coding monoculture that is Mozilla's Achilles heel is finally being addressed:
Another issue is that we don't have an established path to meritocracy for non-technical roles. For potential developers, we know about several paths for getting involved and developing legitimacy - we know about the Quality Assurance path, we know about fixing bugs, we know something about hacking on the code, we know about writing a great extension and so on. We also have clear ways of identifying a person's known expertise -- they may be a peer for code, a "module owner" for code, etc. All of these are reasonably well understood roles within the project that convey a person's expertise.
We don't have analogous paths for non-engineering roles. We don't yet have ways for the non-engineering staff to indicate the scope of expertise of their colleagues.
Why is this Mozilla's Achilles heel? It's been two years since people outside the above formal 'meritocracy' paths have been suggesting the path that was announced last week!
All that said, and drying our eyes over spilt milk, I'm not sure you need an MBA to tell you that handing over data is not a good strategy for today's market. If you read the newspapers (any of them in America at least since February of 2005) you would have known that the hot issue for the public mind when it comes to IT and the net was and remains data safety - identity theft and the like.
So at a minimum, there must be some expectation that this has to have been discussed at great length within the company. So why no realisation that this could be a PR disaster?
Posted by iang at June 7, 2006 12:10 PM