This was posted to Governance and Yammer last week. If you haven't had a chance to provide feedback, there is still time. We are sending to this list because we would especially like to get technical input by Monday, July 28th. -----------------------------------
Proposed Revision to Privacy Principles We’d like to propose changes to Mozilla’s Privacy Principles ( https://www.mozilla.org/en-US/privacy/principles/ ) which were originally created in 2010. Mozilla’s principles stem from the Manifesto and inform how we build our products and services, manage data, work with partners, and shape our public policy and advocacy work. Why Update? The updates are a response to change within Mozilla and beyond. In four years, Mozilla has grown and expanded with new products and services that didn’t exist in 2010. In 2014, the world around is often described as “post-Snowden”, after his revelations sparked an international debate about Internet privacy and surveillance. The Process The initial draft was reviewed by a cross-section of Mozilla, including legal, engineering, metrics, security, foundation, content services, and engagement. After incorporating feedback, we’re bringing it to Governance (and Yammer) for broader review. The Changes We are providing the summary of proposed updates in two formats for you to review -- text and slides. A text format is at the bottom of this post. The text includes a side-by-side comparison to the original Privacy Principles with the context for the changes to the proposed Trust & Safety Principles. The second format is in the form of slides at this Google Doc link ( https://docs.google.com/a/mozilla.com/presentation/d/1j6F3G4u8zTQflVupV8vFED21kCOsi_-oyi4WmqqNwxI/edit#slide=id.p ). The first slide includes Mozilla’s proposed Trust & Safety Principles along with a side-by-side comparison to the original Privacy Principles. The second slide summarizes the context for the changes, including the title change. Please note that these changes are not final and the wording may evolve based on feedback. Next Steps: Please read through the new Trust & Safety Principles and provide any feedback or questions you may have. This will be posted to Governance for 10 days -- we would love to have your input by Monday, 28 July 2014 . We plan to finalize the Trust & Safety Principles in August to update the Principles website https://www.mozilla.org/en-US/privacy/principles/ ) and communicate the changes more broadly. TEXT FORMAT OF CHANGES: TITLE: Previous: Mozilla Privacy Principles New: Mozilla Trust & Safety Principles Context: Intended to be broader than privacy, yet inclusive of both privacy and security. The term Trust & Safety is used by Twitter, EBay, Airbnb and others. NO SURPRISES Previous: Only use and share information about our users for their benefit and as spelled out in our notices. New: Use information in a way that is transparent and benefits the user. Context: Removed the word “only” because there may be disagreement over whether “only” covers indirect benefits (ex: collecting data that helps improve your experience). Did not remove ‘user benefit’, although received some feedback that it doesn’t fit well with no surprises. Replaced “as spelled out in our notices” with transparent, because it is broader than just notices, and transparency may also be achieved through user experience. SENSIBLE SETTINGS Previous: Establish default settings that balance safety and user experience appropriately. New: Design for a thoughtful balance of safety and user experience. Context: Replaced “Establish default settings” with “Design for” to be less repetitive with the title and focus on the engineering design phase. Replaced “appropriately” with “thoughtful” to indicate carefully considered tradeoffs. REAL CHOICES (removed) Previous: Educate users whenever we collect any personal information and give them a choice whenever possible. Context: Eliminated based on feedback that the difference between choice and control wasn’t clear, and that the conversation has moved to control, rather than choice. LIMITED DATA Previous: Collect and retain the least amount of user information necessary. Try to share anonymous aggregate data whenever possible, and then only when it benefits the web, users or developers. New: Collect what we need, de-identify where we can and delete when no longer necessary. Context: Replaced “collect and retain the least amount” with the broader “collect what we need”. Removed “only when it benefits” seemed broad enough that most things would fall in one of the three. Considered adding “collect only” but concerns about differences in definition (ex: indirect benefit vs. direct benefit). Replaced “share anonymous aggregate data” with “de-identify” because it goes beyond sharing - also includes storing. Added data deletion as an important part of limited data. These three pieces, limited collection, de-identification, and deletion are areas where businesses will need to have strong processes in place to honor these. USER CONTROL Previous: Do not disclose personal user experience without the user’s consent. Innovate, develop and advocate for privacy enhancements that put users in control of their online experiences. New: Establish enhancements that allow individuals to control their data and online experiences Context: Removed the sentence about consent, because it is more of an example of enabling control. Removed “advocate for” to simplify and to focus on direct engineering action. Added ‘control their data’. TRUSTED THIRD PARTIES (relocated) Previous: Make privacy a factor in selecting and interacting with partners. Context: Incorporated into the introduction as “select and interact with partners”. All principles inform how we work with partners, so this does not need to be a standalone principle. IN-DEPTH DEFENSE (added) New: Innovate multi-layered security controls and practices, many of which are publicly verifiable by our global community. Context: Initially called “Multi-Layered Security”, but based on input from Security members, the new term -- “Defense In Depth” -- more accurately describes Mozilla’s security approaches and practices. Considered “open source community” but shortened to “global community”. Thanks, Stacy Martin and Alina Hua Data Privacy Team -- Stacy Martin Senior Manager, Privacy and Engagement Mozilla 2 Harrison Street, Suite 700, San Francisco, CA 916-390-4845 (cell) st...@mozilla.com _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
