Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla

2012-02-10 Thread Valdis . Kletnieks
On Fri, 10 Feb 2012 03:51:53 GMT, Nick Boyce said:
 OT: They should just make FF quality high and the design impeccable -

Quality high is always a nice concept.  But there's always 5 quality issues and
resources to fix only 3.  Obviously, you want to fix the 3 that matter most to
your users - but which 3 are they?  You really can't rely on bug reports or
surveys, because those tend to have a major self-selection bias.  Think about
it - how many people do you know that use Firefox?  How many of them have
had it crash or misbehave?  How many of them *reported* it?  Surveys have
the same problem - you can't easily run a survey of users who just want
to hit their sites and *do* stuff and find out what they want - because they'll
just skip your survey, hit their site, and *do* stuff.  Unless of course you
make the survey mandatory - in which case you tick them off because you got in
the way of hitting their site and doing stuff.

Or report the list of extensions and performance numbers -  it's one thing to
know that users have a range of launch times.  It's something else to know that
20% of users have *consistently* longer launch times on comparable hardware.
But if you have data that shows that NoScript users take a 15% launch time hit,
*that* is something you can then go do something about.

Similar problems for impeccable design - if you want a browser that Joe Sixpack
will actually *use*, then you need data on how Joe actually wants to use that
browser.  And *asking* Joe never works - anybody who's had to do project
requirements will tell you that what the user *says* they want, what they
*think* they want, and what they actually need, are almost always 3 different
things.

No, I'm not saying it's OK for the Mozilla crew to collect PII like that - but
I can certainly understand why they feel the temptation to do so...



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla

2012-02-10 Thread Martijn Broos

Hi,

I can imagine that developers want to have a clue what they need to repair.
I only have a problem with the way they do it and the way my behavior is
exposed without possible influence.

Let's say, for the sake of argument, that 20% on similar hardware have a
problem with loading times and the developers have the metrics to prove so
(waiting times, load times, scripts I use, etc...)
Would the conclusion be that Firefox is at fault?
- What if the major part of that % is living in a certain continent?
- What if the major % has the same ISP?
- How is the spread of OS usage?
- etc, etc

Without the surrounding parameters known, you have a pile of bytes instead of
DATA (people tend to mix those definitions). Of course you could make fuzzy
statistics out of it, but like most mathematicians know: statistics prove
predetermined conclusions.

Still would a 5% speed increase weigh up to the privacy of 200 million users?
Like in the bugtrack stated. If my instance of Firefox is PII bound, you can
trace my laptop, determine behavior, etc...
And to conclude: Mozilla states they don't intend to use the data in any other
way.
I have a couple of questions about the intent:
- Will that intent stay the same throughout the future? The intent can easily
be changed when money gets involved.
- What if a legal entity (like a government, The Music branch protectors (to
prove that the piratebay is used so often), etc...) kindly requests the data
with a court order?

Also take into account the following:
Since 2012, the Netherlands has a new law which forbids behavior analysis by
persistent cookies... All advertisement companies are now looking into device
identification.
Why: they can make more money when they show you the right ads.
Mozilla will help them a great deal if they can offer them a PII out of
stock... And I see the comments, they won't do that! Do you want to bet 1
million bugs over it that they won't do it?



Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla

2012-02-09 Thread Nick Boyce
On Wed, Feb 8, 2012 at 9:12 PM, . . kerdezd...@gmail.com wrote:

 https://bugzilla.mozilla.org/show_bug.cgi?id=718066

 what the hell is this?!

I'll bite ...  (I know your question was rhetorical)

It's a very bad idea IMO.

From TFA:
(https://wiki.mozilla.org/MetricsDataPing)

  Mozilla has a critical need to be able to understand
  the factors that cause installations of Firefox to no
  longer be used. The system must have some way to
  detect an abandoned installation.

Their proposed solution seems to be (from the bug and wiki) to include
code in Firefox to submit a lot of information to mozilla.org, on a
regular basis, about the individual FF installation ... date
installed, list of add-ons installed, with date each add-on installed,
date FF last used, OS type, FF version, whether up to date when last
used, etc.

Far too much information for comfort - sufficient to _enable_
fingerprinting and tracking of individual FF installation use (e.g.
is this browser installation using Tor the same as that other browser
not using Tor ?), even if that is not the _intention_.  Contravention
of EU data protection laws seems probable, or at least German laws.

OT: They should just make FF quality high and the design impeccable -
that's all they need do to win our hearts and minds (many other FLOSS
projects exist to attest to that).  The engineers know what's needed,
and the users have spoken out endlessly on the forums - metrics are
for managers.

Sigh.

Nick
-- 
public void Ballmer(Developers developers) throws Chair
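
The fingerprinting concern raised in the message above can be measured before a telemetry schema ships. The following is an added example, not code from the thread or from Mozilla: it computes anonymity-set sizes over constructed pings, with hypothetical field names standing in for the items listed in the message, and shows the effect of dropping the date fields.

```python
from collections import Counter

# Constructed sample pings, not real data. Field names are hypothetical and
# only mirror the items listed in the message: OS, version, install date,
# and add-ons with a per-add-on install date.
def _ping(os_name, installed, addons):
    return {"os": os_name, "version": "10.0",
            "installed": installed, "addons": addons}

PINGS = [
    _ping("WINNT", "2011-11-02", {"noscript": "2011-11-03", "adblockplus": "2011-11-02"}),
    _ping("WINNT", "2011-12-15", {"noscript": "2011-12-20", "adblockplus": "2011-12-15"}),
    _ping("WINNT", "2012-01-07", {"noscript": "2012-01-07", "adblockplus": "2012-01-09"}),
    _ping("Linux", "2011-10-21", {"firebug": "2011-10-22"}),
    _ping("Linux", "2012-01-30", {"firebug": "2012-02-01"}),
    _ping("Linux", "2011-09-12", {"firebug": "2011-09-12"}),
]

FULL = ("os", "version", "installed", "addons")
COARSE = ("os", "version")
NO_DATES = ("os", "version", "addons")

def quasi_id(ping, fields):
    """Hashable combination of the chosen fields for one ping."""
    return tuple(
        tuple(sorted(ping[f].items())) if isinstance(ping[f], dict) else ping[f]
        for f in fields
    )

def min_k(pings, fields):
    """Smallest anonymity set; 1 means at least one install is unique."""
    return min(Counter(quasi_id(p, fields) for p in pings).values())

def unique_fraction(pings, fields):
    """Share of pings whose field combination occurs exactly once."""
    counts = Counter(quasi_id(p, fields) for p in pings)
    return sum(counts[quasi_id(p, fields)] == 1 for p in pings) / len(pings)

def generalize(ping):
    """Drop every date; keep OS, version and the sorted add-on names."""
    return {"os": ping["os"], "version": ping["version"],
            "addons": tuple(sorted(ping["addons"]))}

if __name__ == "__main__":
    print("k, OS+version only:", min_k(PINGS, COARSE))
    print("k, full payload:   ", min_k(PINGS, FULL))
    print("unique, full:      ", unique_fraction(PINGS, FULL))
    print("k, dates dropped:  ", min_k([generalize(p) for p in PINGS], NO_DATES))
```
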
