On Thu, Dec 11, 2014 at 2:35 PM, Ryan Kelly <[email protected]> wrote: > On 11/12/2014 17:37, Mook wrote: >> >> Hi all,
> Thanks for taking the time to read and give detailed feedback! Thanks for responding! > I'm not the best person to answer these but I'll try to make sure they get > to the right place. That may mean spinning them off into separate bugzilla > bugs for legal review. Thanks for that too! >> - The privacy notice doesn't mention anything about things Mozilla >> *doesn't* have access to - as written, it's perfectly fine for Mozilla >> to have access to my synced passwords. That's... kind of a >> deal-killer for me. Was that intended? > > > I'm not clear what you're looking for here - do you want an explicit > statement along the lines of "mozilla does not have access to your > passwords"? > > For the record, we don't have such access. But I think I can see why it was > not explicitly drafted to say that, because... Yes, I'd like something like that (or at least, a version that says you can opt-out of the ability for Mozilla to see them). While the code currently doesn't allow such access, nothing prevents that code from being changed a year down the road. Note that this doesn't mean there is any reason to believe the change will happen; it's just that Mozilla has previously promised it can't, there would be less of a temptation for people in the furture to change. >> Can there at least be >> language about opting out of the ability to recover my password (and >> saying that Mozilla will honour that by explicitly not having access >> to those things in that case)? > > > ...during development, we had plans for an opt-in ability to recovery your > sync data in the event of a forgotten password. This was never implemented, > so there's currently nothing for you to opt out of. Yep, I had been lurking around the identity lists and caught some of that discussion, with the different classes of data and all that. The pages I can find on WikiMo seems to say that this doesn't actually happen, though, so yay. I _think_ this means that Mozilla still has no ability to read my data, similar to the way Weave did things? That question is somewhat academic, though, since code can always change, but explicit promises otherwise combined with a promise to not go back on your promises, not as much :) >> - Also for the terms: Section 7 (Terms; Termination) says that if I >> cancel my FxA account, the only sections that remain are 8, 9, and 11; >> notably, 5 (dealing with how Mozilla is allowed to handle things I >> send over) no longer applies. That means all my data must be >> immediately deleted? > > > I believe this is intentional, and we do delete your associated sync data if > you delete your firefox account. "Immediately" is probably too strong a > word, but we try to delete it in a timely manner. As long as Mozilla doesn't have the keys (Weave-style), that doesn't matter :) And even if it does, reasonably timely is still better than never :) (The other mail is received too, but I don't have any particularly interesting comments.) Thanks again for your responses, -- Mook _______________________________________________ Sync-dev mailing list [email protected] https://mail.mozilla.org/listinfo/sync-dev
