January 19, 2007

Critiquing the Mozo (draft) principles

What follows is a long set of criticisms on the Mozilla draft principles. Like the original document, these are quite drafty; and also hypercritical.

That's because that's what is needed now: hard words. Agreement isn't much use; it is indistinguishable from aquiescence, ignorance, and real agreement.

  1. Transparency. It may have escaped the techie community, but it hasn't escaped the business community: transparency is the way that we publically audit the operation. That is, if the deals and procedures and actions are transparent, then everyone can see through and confirm the logic.

    The reason we do this is simple: because we distrust the words of the insiders. Not because they are nasty people, but because the systems are complex, the objectives aren't clear, and there is too much money washing around. Fraud is a 'when,' not an 'if.'

    The alternate is opacity. Which means we outsiders can't see in. Which positively means that Mozo could do some tricky deals that wouldn't survive a skeptical public ... and it negatively means that deals that shouldn't survive will carry on to cause more and more complications.

    I've been there and done that. Opening yourself up to scrutiny is painful, and it is more work. But sometimes deals that I've favoured have been shot down by outsiders, and in retrospect, they've been right.

    So when I read this:

    #8. Transparent community-based development processes promote participation, accountability, and trust.

    what strikes is that *development* processes are to be transparent, but not other processes. So deals can be conducted in secret? Strike One!

    #9. Commercial involvement in the development of the Internet brings many benefits; ...

    Strike Two! "...brings many benefits" leaves out the essential truth -- that it brings many costs! How can we trust these principles when they are couched in such miserly touchy-feely words, evading the hard truth?

    Don't be subtle. Be blunt. Benefits *and* costs, please. Which leaves us to consider:

    ... a balance between commercial goals and public benefit is critical.

    Where in the mission or in the principles or anywhere is it stated that commercial deals are a necessary part of Mozilla?

    Strike Three! Take a walk. There is no assumption of commercial activity; you chose it, now explain it.

    Mozilla has a choice. It can live off donations (which are listed in the financial report, the top 5 donors all being named, thanks to IRS rules). When it chooses to accept a commercial deal from Google, and participate in their mission to swallow the whole earth, or with Yahoo, and participate in their mission whatever that is, then it behoves Mozilla to explain to the user base why this is positive, and why this is negative. And how Mozilla has protected its user interests, positively.

    Not the other way around. As written, these principles do not surface the core dilemma that Mozilla may be able to do more good towards its mission if it accepts commercial deals.

    Which begs so many questions that go unanswered: who chooses? who benefits? Where did the 54 million go? What did I personally pay in accepting the stealth search deal? Are they tracking my queries? Does Mozilla know what it has done?

    The reason they aren't answered is because they aren't admitted in the principles, which is reflective of what you admit to yourselves.

  2. A wider problem with Mozilla in its current form is that it has no other owners to exercise governance over the board. Normally a shareholder's meeting will convene and kick out the board from time to time ... but this isn't possible with an non-profit association.

    So Mozilla should be looking for ways to improve that. Looking at the published accounts for 2005, there was some $54 million flowing through, which equals a whole lot of potential for trouble. Ask yourselves this: how are you going to be keeping your eye on principles when you find the first scam diverting funds within?

    So there is a massive need for scrutiny. Who is going to be able to push the CEO out for authorising nefarious things, as happened recently at HP, more or less?

    There are many ways to do this; but they all involve opening up to outside scrutiny. That's the first emotional barrier to deal with.

  3. Security, #4. This is a difficult one, for me, personally:

    #4. Individuals’ security on the Internet is fundamental and cannot be treated as optional.

    Basically, we as a discipline do not have a good view of what the word security means. For every definition, there are people who firmly believe that it's wrong, and can show it. So in a sense, this might backfire and further entrench today's definition, whichever it is.

    In one sense, resorting to the *Individual's* security might indicate that Mozo will look at what hurts users most: phishing, spam, OS viruses, dodgy sites, etc. Which seems a good idea, but see below.

    I think the best we can say is that the more people put security on their agenda, the more likely it is that progress might be made. But you can only really put it into the Principles if you care to make it stick.

    Which indicates a weakness: maybe, if security is still a difficult area in Mozilla, then it should be taken off the list, until it is resolved. Do you or do you not want to have a security mission? Is it something special that you do, and you go all out for; or is it something you do to a "general standards level," no worse, but no better than anyone else?

    You don't want something weak and limiting to hold you back.

  4. A little further afield, let's do some scenario planning. If all the things in this shrill article come to pass -- it's a scenario, no more -- do Mozilla's principles come under attack?

    What to do? Should Mozilla prepare a new set of principles? Not worry about it too much? Leave the USA and encamp to Switzerland?

    This gets us into the area of asking just how far can we rely on Mozilla to protect us. Recent admissions from Skype, by way of example, have indicated that they can breach the security of their phone calls. Can Mozilla breach the security of some of their products? Would they? Do they have an established and documented procedure to deal with this?

    So, although the principles are full of comforting words, what I don't see is anything that helps me determine how Mozo deals with the real hard questions. E.g., reporting on Chinese dissidents, or reporting on Iranian bomb-making plans encrypted in Thunderbird email? Does it make a difference if they are their dissidents or our terrorists?

    Or consider the slippery slope of Paypal. Look at the list of things you can buy now, or auction on eBay. It's a disaster for the public mission, and it's a story that will have Mozilla's name on it, one day.

  5. On principle #1:

    #1. The Internet is an integral part of modern life ...

    No, not quite. It is only prevalent in the 1st world. Basically, the rest of the world (worlds 2, 3, and 4 depending on your geopolitics) hasn't yet got to the point of integrating the Internet.

    Now, it may be that Mozo simply isn't in that business, in the same way that the Gates' and Soros' Foundations are. However, Mozo should be careful to a least be aware of how these principles are perceived outside their bailiwick.

    I recently looked at how to extend security systems like classical CAs into poor countries. It was very tough because those countries can't afford classical identity systems, and the CA world prays at that church. Suffice to say, it was possible, but one needs some extreme mental judo to do it, and the system needs to be well tuned.

    There is no criticism intended then, in focusing on only those with incomes to pay for 1st world standard laptops and 2 mobile phones. But let's be aware of our focus, because as time goes on, it trickles down and outwards.

  6. All in all, there is a gaping absence of thought here in who the stakeholders of the process are.

    Considering that the Principles project (like so many others within Mozilla) was conducted internally, we can immediately identify the most powerful stakeholders: insiders. Then, we can identify the weaker stakeholders as those who were left until the draft was complete. That is, the users.

    Is that right? In both senses of the word...

    Further, it may be unpopular, but there do exist other stakeholders. By way of example: CAs (a topic of much currency because of the polemic EV story), the legal process (courts, LEOs, civil suits, etc), foreigners versus those who are not foreign (the term becomes harder to define with every new political revelation), independent programmers who volunteer their efforts, dependent programmers who are volunteered by corporations, the very corporations who pay for the deals, the NGOs that do some good and useful work that want help (here I'm thinking of the "access" projects that FH pursues).

    Etc etc; the list of potential stakeholders is very long. Which leads us to their conflicts:

    • If it is right, then, that Mozo should treat its users fairly, it should also treat Google fairly. When the $10m cheque (check!) arrives, Google should know what they get for their money, and as importantly, what they don't get for their money.
    • Likewise, when a privacy activist works on the crypto libraries, he doesn't find that a backdoor was snuck in to reveal the chinese dissidents that he swore to protect.
    • Does a salaried Mozo employee have an interest in signing up the latest deal? Of course, as it helps their salary; but is that more or less biased than the corporately sponsored volunteer who is pressing the same deal, for the same unstated commercial flow?

    A critical first step is to identify the stakeholders. Then, identify which are yours. Principles 2 thru 5 speak to the individual. I would guess that you want to state that your primary mission, above all else, is to serve the individual on the Internet.

    If so, say so.

    Then, with a clear conscience, it will be easy to deal with the conflicts of dealing with corporations, governments, etc, all those who do not have your stakeholders as their mission.

  7. Mozilla is musing on the notion of signing up to these principles.

    If so, make them more certain. More principled.

    a. Not this:

    #2. The Internet is a global public resource that must remain open and accessible.

    That doesn't identify the crux of any pledge; because if it fails to remain accessible, then it wasn't our fault.....

    For anyone to treat it seriously, It has to be something like:

    Mozilla pledges to keep the Internet a global and public resource, open and accessible to all.

    If you believe in something, then stick your neck out. Failing to achieve what you believe in is far more honourable than succeeding to avoid the blame for something you might or might not have said.

    These principles are full of wishy washy stuff, that makes me think that the air in California is just nicer and less invasive to our thought processes.

    b. Consider #3:

    #3. The Internet should enrich the lives of individual human beings.

    That is soooo.... pre-Netscape! Where were you guys when they made the commercial browser?

    The Internet is a shared space for all -- be they humans, corporations, NGOs, dissidents and freedom fighters, criminals & terrorists, governments, both good, bad and atrocious.

    If you mean that Mozilla concentrates on the enrichment of the experience for individuals, and *not* the commercial interests of corporations, then so be it. Say it. But you'd better explain then why you take $54m from corporations, and nothing from people. And, please *identify* who your core and leading stake holders are.

    Or, if you mean that you'll enrich the success rates of various terrorist or criminal elements, in order to empower their individuality and spread the enlightenment, then please explain how we deal with the due process of the law. Start with how you reject the NSL ...

    Which all goes to say that putting in a wishy washy "principle" might be really useful to get "consensus" and "bring us all together" and make us "feel good about ourselves" but nobody else will believe it, and even your own people won't pay attention to it after its put in place.

    But it sure makes it easier for idle critics to idly criticise.

    c. Same with #4. Either sign up to protect the Individual's security, and actually do it, or take a number. Get in the queue.

    You can blather on in press articles to your heart's content, behind Symantec, Microsoft, Oracle, Sun, the airlines, and other snake-oil salesmen. Nobody believes your words nor theirs about security any more.

    In the new world of security, only actions speak.

    d. Ditto with #7. If you believe in open source, then do it. Say:

    We only do free and open source software.

    Let others waffle on about why, and what the precise term should be.

  8. If it's a principle, it is simple, to the point, and cannot be misinterpreted. If there is room for discussion, it ain't a principle, and it's only yourselves you are fooling.

  9. Principles 1, 2, 6, 7, 10 speak to the common good. Once you identify your core stakeholder group, then these become tractable. If not, then not.

    Delving into vague goals of common good is generally not a good idea; smart people can abuse it and generally do so. It is far better to select a group and serve them than to serve a false god of a political ideal. Too many wars have been fought over capitalism versus socialist, christianity versus islam, representation versus taxation, freedom of speech versus right to live without fear of intimidation ... and it seems unwise to be diverted into those.

    Unless you are absolutely sure. Then, make it your core. If you believe you are going to protect freedom of speech, above all else, then say that. If not, then don't.

    Serving a browser alternate to the user public is a good enough mission without colouring it with such vagueries as enrichment, public benefit, etc etc.

  10. Consider:

    #8. Transparent community-based development processes promote participation, accountability, and trust.

    Right, but that's not what happened, is it?

    a. Firefox was written *after* that process failed. It was written by one guy or two guys, in frustration. Then another, and another ... but they joined *their* process, not some open blah blah feelgood exercise.

    Details of course are disputable but concentrate on the big dilemma here: your mission is to deliver the choice in browsing, etc. While as a principle, you promote open processes to enable that mission, there are exceptions.

    b. Which brings up a clash: mission versus principles. To my mind, the mission must come first. The principles come second. Where the principles get in the way of the mission, the principles are dropped, at least temporarily.

    So this entire document should headed with the Mission. And the priority should be clear.

    c. The original browser author(s) was right, of course, to go way outfield and start again. You need to accomodate all successes, in their time and place, because the mission says that delivery is more important.

    This is called "the internal marketplace" in business speak; which probably grates. But, think of your mission, not your politics.

    It's also an essential hubris -- encourage your own principles to be hacked. Because, at the end of the day, the individuals are opinionated, but the delivery is what counts.

Well, that was long, wasn't it :) It is slight but ignorable coincidence that there are 10 criticisms for 10 principles. The most important thing is that this is a process, and this is now open. Let's get stuck in; the result can only be better.

Posted by iang at January 19, 2007 05:44 AM | TrackBack

(Note: I speak only for myself, and not for the Mozilla Foundation.)

> That's because that's what is needed now: hard words.

Why? Hard words vs. agreement is a false dichotomy. Other people have managed to be critical without being rude. And, of course, being rude makes it much harder for people to actually take your points on board, because they are continually put off by your style.

This is a lesson it took me _years_ to learn.

I've commented on some of the things I disagree with. Other things I agree with wholeheartedly. But often, I read what you had to say, threw up my hands and said "I can't be bothered to try and engage with such a load of grandstanding, incoherent, historically-inaccurate, badly-argued sniping" (e.g. 3, 10). You may say this is my problem, and that I'm just avoiding criticism. Feel free to continue to think that if you like. Alternatively, once you've figured out how to express yourself in a way people actually enjoy reading, come over to the newsgroup and put your points there. You may be pleasantly surprised at the reception.

> When it chooses to accept a commercial deal from Google, and participate in
> their mission to swallow the whole earth, or with Yahoo, and participate in
> their mission whatever that is, then it behoves Mozilla to explain to the user
> base why this is positive, and why this is negative.

It's positive because we now employ 50+ people rather than 5, and because we have the ability to deploy servers and infrastructure to handle a userbase of 200 million plus. Because we have a shot at producing software which competes well enough with the market leader, in the correct time frame, to fulfil our primary mission of promoting choice on the Internet.

It's indeed possible that we could have continued to survive on donations, at a much lower level of activity. That may have been the route you would have chosen. But IMO we would have had a significantly smaller chance of taking this opportunity.

> Where did the 54 million go? What did I personally pay in accepting the
> stealth search deal? Are they tracking my queries?

It's in the accounts; nothing; and "read the source", respectively.

> You suggested: "Mozilla pledges to keep the Internet
> global and public resource, open and accessible to all."

Except that the Mozilla Manifesto is not just Mozilla (hopefully), which is why the principles are phrased as they are. And the wording above implies that keeping the Internet open and accessible is something totally within our power. Which it isn't. We can pledge to work towards it, strain every sinew etc. But a statement saying "it shall be so" is arrogance.

Lastly, it would be great if you were to configure your blogging software to allow some sort of markup, and say what is permitted. Having a commented discussion in just plain text is really difficult.

Posted by: Gerv at February 2, 2007 12:30 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.