On Friday, July 18, 2014 4:33:33 PM UTC-7, Alina Hua wrote: > We'd like to propose changes to Mozilla's Privacy Principles > (https://www.mozilla.org/en-US/privacy/principles/ ) which were originally > created in 2010. Mozilla's principles stem from the Manifesto and inform how > we build our products and services, manage data, work with partners, and > shape our public policy and advocacy work. > > > > Why Update? > > > > The updates are a response to change within Mozilla and beyond. In four > years, Mozilla has grown and expanded with new products and services that > didn't exist in 2010. In 2014, the world around is often described as > "post-Snowden", after his revelations sparked an international debate about > Internet privacy and surveillance. > > > > The Process > > > > The initial draft was reviewed by a cross-section of Mozilla, including > legal, engineering, metrics, security, foundation, content services, and > engagement. After incorporating feedback, we're bringing it to Governance for > broader review. > > > > The Changes > > > > We are providing the summary of proposed updates in two formats for you to > review -- text and slides. > > > > A text format is at the bottom of this post. The text includes a side-by-side > comparison to the original Privacy Principles with the context for the > changes to the proposed Trust & Safety Principles. > > > > The second format is in the form of slides at this Google Doc link: > https://docs.google.com/a/mozilla.com/presentation/d/1j6F3G4u8zTQflVupV8vFED21kCOsi_-oyi4WmqqNwxI/edit#slide=id.p > > > The first slide includes Mozilla's proposed Trust & Safety Principles along > with a side-by-side comparison to the original Privacy Principles. The second > slide summarizes the context for the changes, including the title change. > > > > Please note that these changes are not final and the wording may evolve based > on feedback. > > > > Next Steps: > > > > Please read through the new Trust & Safety Principles and provide any > feedback or questions you may have. This will be posted for 10 days -- we > would love to have your input by Monday, 28 July 2014. We plan to finalize > the Trust & Safety Principles in August to update the Principles website > (https://www.mozilla.org/en-US/privacy/principles/ )and communicate the > changes more broadly. > > > > -- > > TEXT FORMAT OF CHANGES: > > > > TITLE: > > Previous: Mozilla Privacy Principles > > New: Mozilla Trust & Safety Principles > > Context: Intended to be broader than privacy, yet inclusive of both privacy > and security. The term Trust & Safety is used by Twitter, EBay, Airbnb and > others. > > > > NO SURPRISES > > Previous: Only use and share information about our users for their benefit > and as spelled out in our notices. > > New: Use information in a way that is transparent and benefits the user. > > Context: Removed the word "only" because there may be disagreement over > whether "only" covers indirect benefits (ex: collecting data that helps > improve your experience). Did not remove 'user benefit', although received > some feedback that it doesn't fit well with no surprises. Replaced "as > spelled out in our notices" with transparent, because it is broader than just > notices, and transparency may also be achieved through user experience. > > > > SENSIBLE SETTINGS > > Previous: Establish default settings that balance safety and user experience > appropriately. > > New: Design for a thoughtful balance of safety and user experience. > > Context: Replaced "Establish default settings" with "Design for" to be less > repetitive with the title and focus on the engineering design phase. > Replaced "appropriately" with "thoughtful" to indicate carefully considered > tradeoffs. > > > > REAL CHOICES (removed) > > Previous: Educate users whenever we collect any personal information and give > them a choice whenever possible. > > Context: Eliminated based on feedback that the difference between choice and > control wasn't clear, and that the conversation has moved to control, rather > than choice. > > > > LIMITED DATA > > Previous: Collect and retain the least amount of user information necessary. > Try to share anonymous aggregate data whenever possible, and then only when > it benefits the web, users or developers. > > New: Collect what we need, de-identify where we can and delete when no > longer necessary. > > Context: Replaced "collect and retain the least amount" with the broader > "collect what we need". Removed "only when it benefits" seemed broad enough > that most things would fall in one of the three. Considered adding "collect > only" but concerns about differences in definition (ex: indirect benefit vs. > direct benefit). Replaced "share anonymous aggregate data" with > "de-identify" because it goes beyond sharing - also includes storing. Added > data deletion as an important part of limited data. These three pieces, > limited collection, de-identification, and deletion are areas where > businesses will need to have strong processes in place to honor these. > > > > USER CONTROL > > Previous: Do not disclose personal user experience without the user's > consent. Innovate, develop and advocate for privacy enhancements that put > users in control of their online experiences. > > New: Establish enhancements that allow individuals to control their data and > online experiences > > Context: Removed the sentence about consent, because it is more of an example > of enabling control. Removed "advocate for" to simplify and to focus on > direct engineering action. Added 'control their data'. > > > > TRUSTED THIRD PARTIES (relocated) > > Previous: Make privacy a factor in selecting and interacting with partners. > > Context: Incorporated into the introduction as "select and interact with > partners". All principles inform how we work with partners, so this does not > need to be a standalone principle. > > > > IN-DEPTH DEFENSE (added) > > New: Innovate multi-layered security controls and practices, many of which > are publicly verifiable by our global community. > > Context: Initially called "Multi-Layered Security", but based on input from > Security members, the new term -- "Defense In Depth" -- more accurately > describes Mozilla's security approaches and practices. Considered "open > source community" but shortened to "global community". > > > > -- > > Thanks, > > > > Alina Hua and Stacy Martin > > Data Privacy Team
A quick update - thank you to everyone who provided us with feedback! We've summarized it in this Google doc, along with our responses, as an update on the actions we're proposing and the options we're considering based on your comments. We will post again when the Principles are final. https://docs.google.com/a/mozilla.com/document/d/18KpDi85Iguc0hI39UbxGG7gOPmQBcAU3WhSIOnal4bw/edit# Stacy Martin and Alina Hua Data Privacy Team _______________________________________________ governance mailing list [email protected] https://lists.mozilla.org/listinfo/governance
