[LINK] RFC: Negative Assessment of Mozilla BrowserID

Roger Clarke Roger.Clarke at xamax.com.au
Wed Jul 20 09:55:07 AEST 2011


I had a call from, and an interesting chat with, Mozilla's Alex 
Fowler (policy) and Ben Adida and Dan Mills (tech leads on the 
privacy team).

They believe they have a better story to tell than I have been able 
to extract from their document.

In particular:
-   signing keys are per-email-address and short-lived (hrs to a day)
     and hence of quite limited use as a means of correlating traffic
-   they have ideas on how to encourage and support the use of
     'single-site email-addresses'
-   the database-server approach is intended only as a boot-strapping
     mechanism, and the authentication mechanism is intended to be
     implemented in the browser.  (To be fair, their page does say this,
     but I wanted to undermine the idea of sustaining the server)

They said they're working on other privacy-protective features for 
the browser family.  But they pretty much accepted my statement that 
they're pushing a big rock up a steep hill, given how inherently 
marketer-friendly and consumer-hostile the current versions of 
Firefox have become.

They say they think they need a more privacy-oriented explanation of 
the initiative.  I encouraged separate papers for commercial 
web-sites, for intermediaries and technology providers, and for 
consumers.  (Naturally, sceptics in all three camps would want to 
read all three, but this way the pitch to each interest-group would 
be clear).

They intend an open call to privacy advocates for feedback, and I 
stressed the need to get a wide-enough list.  Alex mentioned CDT, and 
is ex-EFF.  I mentioned EPIC, PI and APF, and specifically referred 
to the valuable feedback I'd had on the PI Advisory Board list.

We'll see.

_______________________________________________________________________


Roger wrote on Sun, 17 Jul 2011 16:54:06 +1000
>Constructively negative comments are urgently sought on the 
>following exposure draft:
>          Reactions to Mozilla's BrowserID Proposal
>          http://www.rogerclarke.com/II/BrowserID-1107.html


Roger wrote on Tue, 19 Jul 2011 08:39:30 +1000
>Mozilla want to have a yarn with me.
>I've previously said very negative things about Mozilla's recent browsers:
>http://mailman.anu.edu.au/pipermail/link/2010-March/087411.html
>http://mailman.anu.edu.au/pipermail/link/2010-March/087415.html
>http://mailman.anu.edu.au/pipermail/link/2010-November/090443.html
>
>But I've never done a solid analysis of their features, in order to 
>be specific about their anti-consumer nature.
>Can anyone point me to any such analyses?
>Re HTML 5 specifically, there's the NYT article of Oct 2010:
>http://mailman.anu.edu.au/pipermail/link/2010-October/089788.html


-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University


