This string is about Mozilla’s announced plan to remove the EV UI from Firefox in October. Over time, this will tend to eliminate confirmed identity information about websites from the security ecosystem, as EV website owners may decide it’s not worth using an EV certificate if browsers decide to hide the data from users. As noted in my last message, this will be a tragedy for users, as browser phishing filters and other anti-phishing services currently rely on website EV data in their algorithms for protecting users.

It’s interesting to note that others in the security ecosystem, such as Facebook, are going exactly the opposite direction from Mozilla to deal with fraudsters operating under false names or posting anonymously (like phishers do), and are now actually *requiring* the use of third-party confirmed identity information before they are allowed to use Facebook’s platform. I include a link to today’s New York Times article on Facebook’s policy changes [1], and also Facebook’s actual announcement of the new rules requiring identity confirmation before posting. [2]

I hope Mozilla will reconsider its plan to remove the EV UI and instead work on a better, more streamlined design for a new Firefox UI that tells users when confirmed identity is present, and when it is not.

Apple seems to be handling this UI challenge well – just compare the UI on an iPhone for apple.com (green lock symbol, green URL for EV identity) to the UI for mozilla.org (black lock symbol, black URL for DV). Easy for users to see the difference, no need for users to scrutinize the actual EV identity information (unless they want to), tells users in a simple, binary way whether or not the website has confirmed identity behind it or is anonymous. And it fits nicely on mobile devices like iPhones – I assume Firefox is going to continue to show users at least what URL they’re at (like now), so that copying the Apple UI instead of the Chrome UI seems like it would be a relatively easy engineering task. By making the Mozilla and Apple UIs the same, we would also be taking a step forward in standardization of browser UIs, which makes it easier to educate users on how to understand what the UI means – something we should all support.

@Mozilla – please give Facebook’s announcement on the importance of identity some consideration before you make a final decision on changing the Firefox UI.

***

Facebook Announcement:

Updates to Ads About Social Issues, Elections or Politics in the US

People should know who is trying to influence their vote and advertisers shouldn’t be able to cover up who is paying for ads. That’s why over the past few years, we’ve made important changes to help ensure more transparency and authenticity in ads about social issues, elections or politics.

Today, we’re sharing additional steps we’re taking to protect elections and prepare for the US 2020 election. Those steps include strengthening the authorization process for US advertisers, showing people more information about each advertiser and updating our list of social issues in the US to better reflect the public discourse on and off Facebook.

New Disclaimer Requirements

In 2018, we started requiring advertisers to get authorized before running ads about social issues, elections or politics. We also save those ads in an Ad Library so they’re publicly available for seven years. The authorization process already requires advertisers in the US to provide identification to confirm who they are and where they are located. Advertisers must also place a “Paid for by” disclaimer on their ads to communicate who is responsible for them. Despite these requirements, there are a number of cases where advertisers have attempted to put misleading “Paid for by” disclaimers on their ads.

That’s why, starting mid-September, advertisers will need to provide more information about their organization before we review and approve their disclaimer. If they do not provide this information by mid-October, we will pause their ads. While the authorization process won’t be perfect, it will help us confirm the legitimacy of an organization and provide people with more details about who’s behind the ads they are seeing.

Advertisers will have five options for providing more information, three of which demonstrate they are registered with the US government.
If they choose one of the three government resource options, they will be allowed to use their registered organization name in disclaimers and the “i” icon that appears in the upper right-hand corner of their ads will read “Confirmed Organization.”

In addition to providing their US street address, phone number, business email and a business website matching the email, they must provide one of the following:

1. Tax-registered organization identification number (i.e. EIN)
2. A government website domain that matches an email ending in .gov or .mil
3. Federal Election Commission (FEC) identification number

We also want to ensure advertisers who may not have those credentials, such as smaller businesses or local politicians, are able to run ads about social issues, elections or politics. Advertisers can also choose one of the following two options:

1. Submit an organization name by providing a verifiable phone number, business email, mail-deliverable address and a business website with a domain that matches the email.
2. Provide no organizational information and rely solely on the Page Admin’s legal name on their personal identification document. For this option, the advertiser will not be able to use a registered organization name in disclaimers.

For advertisers that choose one of these two options, the “i” icon will read “About this ad” instead of “Confirmed Organization.”

The “i” icons help people on Facebook and Instagram better understand who’s trying to influence them and why. Now, with one tap, people will not only see information about the ad, but they’ll be able to see the information Facebook confirmed, such as whether an advertiser used an EIN or FEC identification number. This will allow people to confidently gauge the legitimacy of an organization and quickly raise questions or concerns if they find anything out of the ordinary.

***

Looking Forward

Over the coming months, we’ll share more information on our efforts to make elections safer and provide greater transparency on the ads and content people see on Facebook. These updates will include:

***

3. Requiring all Pages for national candidates or elected officials to go through Page Publishing Authorization, which requires that Page administrators turn on two-factor authentication and verify their primary country location so that we can confirm these Pages are using real accounts and are located in the US.
4. Exposing more information about a Page, such as the business or organization behind it.

We know we can’t tackle these challenges alone. That’s why we’re calling for sensible regulation and working directly with governments, watchdogs and regulators. While our efforts to protect elections are ongoing and won’t be perfect, they will make it harder for advertisers to obscure who is behind ads and will provide greater transparency for people. We’ll continue to share updates as we take steps to protect people ahead of the 2020 US election and beyond.

[1] https://www.nytimes.com/2019/08/28/technology/facebook-election-advertising-disinformation.html
[2] https://newsroom.fb.com/news/2019/08/updates-to-ads-about-social-issues-elections-or-politics-in-the-us/