[Privacy Reviews]Call For Comments: Google Suggest in Android

classic Classic list List threaded Threaded
52 messages Options
123
Reply | Threaded
Open this post in threaded view
|

[Privacy Reviews]Call For Comments: Google Suggest in Android

Curtis Koenig
The security team is asking for input on a privacy review for

Google search suggest in Firefox on Android with an opt out https://bugzilla.mozilla.org/show_bug.cgi?id=775087

This call for input will remain open until 2012.08.14 and then  recommendations will be taken back to the team for discussion with them. Please help us identify any additional risks not already outlined in the wiki page, and also ways to ensure the risks are minimize. Please follow up to this thread directly to help focus the discussion and ensure we don't miss your feedback.
At the end of this input period, we will incorporate feedback provided into the review page, and follow up with the team to move forward.
Thanks,

--
/Curtis

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Curtis Koenig
Sorry my bad, we don't have a wiki for this one, just the bug.

/Curtis

On 2012-08-07 12:25 PM, Kartikaya Gupta wrote:
> On 12-08-07 08:06 , Curtis Koenig wrote:
>> Please help us identify any additional risks not already outlined in
>> the wiki page,
>
> Which wiki page?
>
> Cheers,
> kats
>

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Sid Stamm-3
In reply to this post by Curtis Koenig
On 8/7/12 5:06 AM, Curtis Koenig wrote:
> The security team is asking for input on a privacy review for
>
> Google search suggest in Firefox on Android with an opt out
> https://bugzilla.mozilla.org/show_bug.cgi?id=775087


tl;dr: Want to enable search suggestions by default for mobile firefox.
 This means as you type anything in the address bar, it gets sent
key-by-key to google.

I'm not convinced on-by-default is the right choice, although it's
probably the easiest to implement.  Instead of turning it on by default,
I think we should get a little creative; what if we show (where the
suggestions *would* be, were it on) an "on" switch that says something
like "enable suggestions (sends keystrokes to Google)"?  I think this
would be an incredibly low-friction opt-in, and people who want search
suggestions from Google can really easily enable it.

-Sid
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

James May-3
FWIW this is how IE (8+ IIRC) on the desktop handles this with all search
providers. Not sure what they do on mobile. Your suggested text is almost
identical too. If this setting could be synced that'd be great also.

On 8 August 2012 06:17, Sid Stamm <[hidden email]> wrote:

> On 8/7/12 5:06 AM, Curtis Koenig wrote:
> > The security team is asking for input on a privacy review for
> >
> > Google search suggest in Firefox on Android with an opt out
> > https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>
>
> tl;dr: Want to enable search suggestions by default for mobile firefox.
>  This means as you type anything in the address bar, it gets sent
> key-by-key to google.
>
> I'm not convinced on-by-default is the right choice, although it's
> probably the easiest to implement.  Instead of turning it on by default,
> I think we should get a little creative; what if we show (where the
> suggestions *would* be, were it on) an "on" switch that says something
> like "enable suggestions (sends keystrokes to Google)"?  I think this
> would be an incredibly low-friction opt-in, and people who want search
> suggestions from Google can really easily enable it.
>
> -Sid
> _______________________________________________
> dev-planning mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-planning
>
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Matt Brubeck-3
In reply to this post by Curtis Koenig
On 08/07/2012 01:17 PM, Sid Stamm wrote:
> I'm not convinced on-by-default is the right choice, although it's
> probably the easiest to implement.  Instead of turning it on by default,
> I think we should get a little creative; what if we show (where the
> suggestions *would* be, were it on) an "on" switch that says something
> like "enable suggestions (sends keystrokes to Google)"?  I think this
> would be an incredibly low-friction opt-in, and people who want search
> suggestions from Google can really easily enable it.

See https://bugzilla.mozilla.org/show_bug.cgi?id=769145 for quite a bit
of discussion of this option.

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

finnbryant
In reply to this post by Curtis Koenig
Posted to https://bugzilla.mozilla.org/show_bug.cgi?id=769145 but probably more appropriate here:

Everyone agrees we should change something, and the 2 opinions seem to be, in content opt-in (A) and opt-out(B). The main complaint against opt-in is that most users wont, the main complaint against opt-out is it will mess things up for privacy conscious users before they find out and react (and ensuing media frenzy based on previous comments made by mozilla people).

Worst case for A is feature is disabled (same as no change, presumably progressivly worse over time as users drop firefox, eventually assumed to be very bad)

Worst case for B is media feeding frenzy with firefox as main dish. Unlikely to do deadly harm, but could be significant, almost entire effect will be instantaneous.

Clearly, its best to be sure of anything we can be sure of. Media feeding frenzies are pretty random, so instead, look at the other missing data. If we build the best opt-in we can, what does telemetry tell us the opt-in rate is. if we do this for nightly, it wont even get into a release (though that might produce skewed results). and if the result is <80%, then we know it isn't good enough, if the result is >95% we know it probably is good enough. if it's somewhere in the middle, we can argue some more.

Even if we let it release, the result will be (at worst) a mildly annoying option for 6 weeks whilst we find out what we want to do. At best we'll find out our opt-in is super good, and this entire argument was pointless. Even if we go with A in the end, wont it be better to lead into it for 6 weeks and giving the privacy conscious lot a chance to opt-out, which would reduce the harm done?

Isn't that better than continuing the argument and then risking one or the other result without knowing for sure?

On Tuesday, August 7, 2012 1:06:18 PM UTC+1, Curtis Koenig wrote:
> The security team is asking for input on a privacy review for
>
>
>
> Google search suggest in Firefox on Android with an opt out https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>
>
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

madhava.enros
In reply to this post by Curtis Koenig
On Tuesday, August 7, 2012 4:17:03 PM UTC-4, Sid Stamm wrote:
> On 8/7/12 5:06 AM, Curtis Koenig wrote:
>
> > The security team is asking for input on a privacy review for
>
> > Google search suggest in Firefox on Android with an opt out
> > https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>

> tl;dr: Want to enable search suggestions by default for mobile firefox.
>
>  This means as you type anything in the address bar, it gets sent
> key-by-key to google.

So, this is certainly a summary of the costs, but I think I can add a bit about the benefits.

The UX team would like to include Google Suggest suggestions in Firefox on Android's "awesomescreen" as the user types. In other words, when a user types in the combined URL/search bar, we would use the Google Suggest API to show some google search suggestions for what's been typed so far; these suggestions would show up in their own area of the screen, above the suggestions pulled from the user's own history/bookmarks (i.e. awesomebar results).

Here's a screenshot of what this looks like: http://www.flickr.com/photos/madhava_work/7538623222/in/photostream

The value here is that the suggestions not only shorten the "yes! that's what I'm looking for" process, as on desktop, but also very often short circuit the need to type out the entirety of what the user is searching for. This is of huge user-value on mobile, specifically; it's a capability that other mobile browsers take advantage of, and that we currently lack.

I've been using it, and already I find it hard to go back.

On the subject of it sending everything to Google -- my understanding is that Google handles search suggest user-data differently (more privately?) than with thing generally entered into a Google search field. Confirmation or other detail here from others on this list would be very helpful.

Anyway - while a low-friction opt-in (i.e. "would you like search suggestions?") might seem like a reasonable compromise here, our position is that this feature is SO useful on mobile that we'd rather not introduce a speedbump at all, rather than just trying to minimize one. Again - we offer an opt-out in our browser preferences.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Zack Weinberg-2
On 2012-08-08 9:51 AM, [hidden email] wrote:
>
> On the subject of it sending everything to Google -- my understanding
> is that Google handles search suggest user-data differently (more
> privately?) than with thing generally entered into a Google search
> field. Confirmation or other detail here from others on this list
> would be very helpful.

I just want to stick in here the observation that the additional privacy
exposure from this feature is not simply because additional user data is
revealed *to Google*.  A passive eavesdropper on the same network as the
client can potentially learn what is being searched for, even if all the
actual data is encrypted, because the *size* of each suggestion result
reveals what was typed.  See
http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf 
for more details.

(Google's Suggest API could include countermeasures for this, and I
don't know if they do or not.  The paper is from 2010.)

> Anyway - while a low-friction opt-in (i.e. "would you like search
> suggestions?") might seem like a reasonable compromise here, our
> position is that this feature is SO useful on mobile that we'd rather
> not introduce a speedbump at all, rather than just trying to minimize
> one. Again - we offer an opt-out in our browser preferences.

I can see where you're coming from, but I think having a low-friction
opt-in is actually _better_ UX here, because telling users that they
have a choice here will give both privacy-concerned and
privacy-unconcerned users the warm fuzzies.

zw
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Sid Stamm-3
On 8/8/12 10:23 AM, Zack Weinberg wrote:

> On 2012-08-08 9:51 AM, [hidden email] wrote:
>>
>> On the subject of it sending everything to Google -- my understanding
>> is that Google handles search suggest user-data differently (more
>> privately?) than with thing generally entered into a Google search
>> field. Confirmation or other detail here from others on this list
>> would be very helpful.
>
> I just want to stick in here the observation that the additional privacy
> exposure from this feature is not simply because additional user data is
> revealed *to Google*.  

For me, it's about avoiding surprises. Firefox users may or may not
realize we're sending data to any third party (in this case, Google) as
they type stuff in the single text-entry field.  So Google's treatment
of the data isn't the focus -- their privacy policy is fine.  The focus
is whether or not users expect us to send data to another organization.

With the proposed UI, it's not clear that the suggestions are coming as
a result of queries to Google; they seem to be suggestions from Firefox
saying "hey, you may want to Google these."

Surprises in this scenario would manifest two types of reactions:
reactions of "I didn't know you sent Google what I just typed!" and
"OMG, you're using my data plan even though I don't want to search!"

Eavesdroppers are an issue here too (thanks for mentioning this, Zack),
but my own goal is helping keep our users aware of what we're doing with
their data.

> [snip]

>> Anyway - while a low-friction opt-in (i.e. "would you like search
>> suggestions?") might seem like a reasonable compromise here, our
>> position is that this feature is SO useful on mobile that we'd rather
>> not introduce a speedbump at all, rather than just trying to minimize
>> one. Again - we offer an opt-out in our browser preferences.
>
> I can see where you're coming from, but I think having a low-friction
> opt-in is actually _better_ UX here, because telling users that they
> have a choice here will give both privacy-concerned and
> privacy-unconcerned users the warm fuzzies.

+1.

-Sid

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Jet Villegas
In reply to this post by madhava.enros
I like the low-friction approach on Fennec as the awesomebar database is rather sparse on my Android phone. Since we're talking about Android here (and not desktop or B2G,) didn't the user already agree to a "We are Google, we already know everything you do on this phone" privacy policy when they first started? In other words, why shouldn't the Android user expect it to just work?

-- Jet

----- Original Message -----
From: "madhava enros" <[hidden email]>
To: [hidden email]
Cc: [hidden email], [hidden email]
Sent: Wednesday, August 8, 2012 9:51:43 AM
Subject: Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

On Tuesday, August 7, 2012 4:17:03 PM UTC-4, Sid Stamm wrote:
> On 8/7/12 5:06 AM, Curtis Koenig wrote:
>
> > The security team is asking for input on a privacy review for
>
> > Google search suggest in Firefox on Android with an opt out
> > https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>

> tl;dr: Want to enable search suggestions by default for mobile firefox.
>
>  This means as you type anything in the address bar, it gets sent
> key-by-key to google.

So, this is certainly a summary of the costs, but I think I can add a bit about the benefits.

The UX team would like to include Google Suggest suggestions in Firefox on Android's "awesomescreen" as the user types. In other words, when a user types in the combined URL/search bar, we would use the Google Suggest API to show some google search suggestions for what's been typed so far; these suggestions would show up in their own area of the screen, above the suggestions pulled from the user's own history/bookmarks (i.e. awesomebar results).

Here's a screenshot of what this looks like: http://www.flickr.com/photos/madhava_work/7538623222/in/photostream

The value here is that the suggestions not only shorten the "yes! that's what I'm looking for" process, as on desktop, but also very often short circuit the need to type out the entirety of what the user is searching for. This is of huge user-value on mobile, specifically; it's a capability that other mobile browsers take advantage of, and that we currently lack.

I've been using it, and already I find it hard to go back.

On the subject of it sending everything to Google -- my understanding is that Google handles search suggest user-data differently (more privately?) than with thing generally entered into a Google search field. Confirmation or other detail here from others on this list would be very helpful.

Anyway - while a low-friction opt-in (i.e. "would you like search suggestions?") might seem like a reasonable compromise here, our position is that this feature is SO useful on mobile that we'd rather not introduce a speedbump at all, rather than just trying to minimize one. Again - we offer an opt-out in our browser preferences.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Ian Melven

i would argue that there is some subset of users for which the value proposition of Firefox for Android is to NOT have Google know everything
you do on your Android phone - their reaction to being implicitly opted in without notification to sending everything entered in the
awesomebar to Google would likely be quite negative. They are almost certainly a minority, fwiw.

i would suggest setting up Sync to improve your awesomebar DB as well :)

Personally I think it's excellent there's an in-UI preference to opt out of search suggestions, it addresses my concerns,
but then again I understand the situation wrt privacy and search suggestions more than the 'average user'
perhaps and I've been watching this feature for some time due to the privacy concerns as well.

It would be great to at least loudly message this change to users and exactly how to opt-out if it ships as opt-out.

thanks,
ian


----- Original Message -----
From: "Jet Villegas" <[hidden email]>
To: "madhava enros" <[hidden email]>
Cc: [hidden email], [hidden email]
Sent: Wednesday, August 8, 2012 12:02:11 PM
Subject: Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

I like the low-friction approach on Fennec as the awesomebar database is rather sparse on my Android phone. Since we're talking about Android here (and not desktop or B2G,) didn't the user already agree to a "We are Google, we already know everything you do on this phone" privacy policy when they first started? In other words, why shouldn't the Android user expect it to just work?

-- Jet

----- Original Message -----
From: "madhava enros" <[hidden email]>
To: [hidden email]
Cc: [hidden email], [hidden email]
Sent: Wednesday, August 8, 2012 9:51:43 AM
Subject: Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

On Tuesday, August 7, 2012 4:17:03 PM UTC-4, Sid Stamm wrote:
> On 8/7/12 5:06 AM, Curtis Koenig wrote:
>
> > The security team is asking for input on a privacy review for
>
> > Google search suggest in Firefox on Android with an opt out
> > https://bugzilla.mozilla.org/show_bug.cgi?id=775087
>

> tl;dr: Want to enable search suggestions by default for mobile firefox.
>
>  This means as you type anything in the address bar, it gets sent
> key-by-key to google.

So, this is certainly a summary of the costs, but I think I can add a bit about the benefits.

The UX team would like to include Google Suggest suggestions in Firefox on Android's "awesomescreen" as the user types. In other words, when a user types in the combined URL/search bar, we would use the Google Suggest API to show some google search suggestions for what's been typed so far; these suggestions would show up in their own area of the screen, above the suggestions pulled from the user's own history/bookmarks (i.e. awesomebar results).

Here's a screenshot of what this looks like: http://www.flickr.com/photos/madhava_work/7538623222/in/photostream

The value here is that the suggestions not only shorten the "yes! that's what I'm looking for" process, as on desktop, but also very often short circuit the need to type out the entirety of what the user is searching for. This is of huge user-value on mobile, specifically; it's a capability that other mobile browsers take advantage of, and that we currently lack.

I've been using it, and already I find it hard to go back.

On the subject of it sending everything to Google -- my understanding is that Google handles search suggest user-data differently (more privately?) than with thing generally entered into a Google search field. Confirmation or other detail here from others on this list would be very helpful.

Anyway - while a low-friction opt-in (i.e. "would you like search suggestions?") might seem like a reasonable compromise here, our position is that this feature is SO useful on mobile that we'd rather not introduce a speedbump at all, rather than just trying to minimize one. Again - we offer an opt-out in our browser preferences.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Robert Kaiser
In reply to this post by madhava.enros
[hidden email] schrieb:
> Here's a screenshot of what this looks like: http://www.flickr.com/photos/madhava_work/7538623222/in/photostream

Hmm, that means the "traditional" awesomebar results I'm looking for are
even more likely to be below the visibility threshold than right now -
and on the phone I already am often not seeing them because the virtual
keyboard also takes up some space and there's only 4 results or so
shown. As I only want to search in rare cases and most often want to
call up a page I have already seen on the phone or synched desktop, this
means the UX would become worse through suggestions.
And I didn't even start on privacy there. ;-)

Robert Kaiser

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Johnathan Nightingale
In reply to this post by Ian Melven
On Aug 8, 2012, at 12:22 PM, Ian Melven wrote:

> i would argue that there is some subset of users for which the value proposition of Firefox for Android is to NOT have Google know everything
> you do on your Android phone - their reaction to being implicitly opted in without notification to sending everything entered in the
> awesomebar to Google would likely be quite negative. They are almost certainly a minority, fwiw.

I agree with all of this - those users exist, should be recognized and given choice, and are a minority...

> Personally I think it's excellent there's an in-UI preference to opt out of search suggestions, it addresses my concerns,
> but then again I understand the situation wrt privacy and search suggestions more than the 'average user'
> perhaps and I've been watching this feature for some time due to the privacy concerns as well.

I agree with this, too. Privacy conscious users have a choice which is pretty easy to find if they're looking for it. Most users benefit immediately from default-on and (here comes conjecture!) would leave it on if making an informed choice.

I agree with Madhava that I don't want things speed bumping our experience. Each choice like this is a thing that takes the user out of their flow, and I don't believe it will delight them to encounter one so soon after starting up. Even if I did, I'd trust madhava and his team to have more evidence-founded beliefs than me on the subject.

I'm still trying to figure out what I think of Sid's "no surprises" argument, though. It will surprise some people, absolutely. So will website metrics, third party cookies, local storage, and a lot of other things that the web does and that browsers help with. I'm not sure whether I agree that this surprise is one we should differentially avoid, given the significant UX win and ease of opt-out, but I'm not immediately convinced that Sid's wrong, either.

J

---
Johnathan Nightingale
Sr. Director of Firefox Engineering
@johnath

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Tom Lowenthal
In reply to this post by Ian Melven
Johnathan Nightingale:
> I'm still trying to figure out what I think of Sid's "no surprises" argument, though. It will surprise some people, absolutely. So will website metrics, third party cookies, local storage, and a lot of other things that the web does and that browsers help with. I'm not sure whether I agree that this surprise is one we should differentially avoid, given the significant UX win and ease of opt-out, but I'm not immediately convinced that Sid's wrong, either.

It's worth noting that "no surprises" is Mozilla's number one privacy
principle, and "real choices" is number two [1].

I really want this feature: it's incredibly useful. However, if it
shipped turned on, I would feel hurt. I'm not sure how most folks would
notice and know that they can turn it off: it would certainly be a
surprise for many. An opt-out in settings would also make me feel as
though I wasn't given a choice: especially if I only found out about the
feature after the fact.


   [1]: https://mozilla.org/privacy
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Matt Basta
Tom Lowenthal:
> I really want this feature: it's incredibly useful. However, if it
shipped turned on, I would feel hurt. I'm not sure how most folks would
notice and know that they can turn it off: it would certainly be a
surprise for many. An opt-out in settings would also make me feel as
though I wasn't given a choice: especially if I only found out about the
feature after the fact.

It's clear that search suggestions would be very beneficial to user
experience for most users. It's also important that we shouldn't turn
them on without asking the user. I think we should look at innovative,
unobtrusive ways to prompt the user about this.

Would it be possible to put an opt-in prompt in the space where the
suggestions would otherwise show up? Something like "'Turn On Google
Autocomplete' or 'Ignore'" along with a setting in the settings page?
If need be, a "?" icon could be shown, opening a dialog with more
information about the implications of enabling suggestions.

This approach has two merits: 1.) It doesn't prompt the user until
they would otherwise use/see suggestions and 2.) It doesn't consume
more space than the suggestions otherwise would.

Thoughts or other ideas?


----- Original Message -----
From: "Tom Lowenthal" <[hidden email]>
To: [hidden email]
Sent: Wednesday, August 8, 2012 3:28:10 PM
Subject: Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Johnathan Nightingale:
> I'm still trying to figure out what I think of Sid's "no surprises" argument, though. It will surprise some people, absolutely. So will website metrics, third party cookies, local storage, and a lot of other things that the web does and that browsers help with. I'm not sure whether I agree that this surprise is one we should differentially avoid, given the significant UX win and ease of opt-out, but I'm not immediately convinced that Sid's wrong, either.

It's worth noting that "no surprises" is Mozilla's number one privacy
principle, and "real choices" is number two [1].

I really want this feature: it's incredibly useful. However, if it
shipped turned on, I would feel hurt. I'm not sure how most folks would
notice and know that they can turn it off: it would certainly be a
surprise for many. An opt-out in settings would also make me feel as
though I wasn't given a choice: especially if I only found out about the
feature after the fact.


   [1]: https://mozilla.org/privacy
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

beltzner
In reply to this post by Tom Lowenthal
Curtis,

Thanks for inviting comment. As historical context, I've argued against this sort of thing when looking at including suggestions in Firefox on Desktop, OmniBar style, in the past.

My opinions on this sort of issue haven't really changed in the past year or so. Yes, absolutely, 100%, suggestions are helpful; especially on a phone. I'm typing this on a phone right now, I feel the pain :) However, it seems to me like a one-time click on a big friendly row that says "Get suggestions from Google" is an easy, low friction way to ensure we're not leaking information without user consent. An Android message (or whatever the translucent text in a bubble at the bottom of the screen is called) could let users know that they can turn it off in Settings at any time. With the addition of a single tap, our cake is delicious and not in any way a lie. I do not feel user testing is a panacea for all design questions, but this is a case where we can validate the assertion that discoverabllity and experience isn't adversely affected through some simple study.

I agree that user expectations have likely changed, and that most users don't think about these sorts of privacy issues. I think that demonstrates that we (ie: Mozilla) have more work to do in terms of bringing the message and values of our mission forward to users.

(When we do send the information, I hope we would do it over HTTPS and, if at all possible, without sending the user's Google cookie unless they have signed in within the session)

cheers,
mike
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

beltzner
One thing Doug obliquely mentioned to me on twitter was that Fennec used to show the source of suggestions alongside them. It led me to this thought:

The first time the awesomescreen is opened, we could add a little delay to where the suggestions flow in that says "Getting suggestions from Ze Googles!" and perhaps even has a "no, dont!" link which jumps you over to settings, or a little wee x which turns it off (and then Android indicator thingie says "turn back on in the settings")

The point being: the mission is to inform and provide choice, it says nothing about defaults. So my sticking point is making sure that users know where the suggestions are coming from, and what they can do about it. I'm not dogmatic about opt-in, just about "it's magic and the user doesn't need to know about the potential hidden cost"

Thanks, Doug!

cheers,
mike
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Madhava Enros-2
Hi everyone -

Thanks for all the concerns and suggestions so far -- this is very illuminating. Please keep them coming!

To sum up as we go, it sounds like there's broad agreement that this is a very useful feature. And it sounds like the biggest guiding principles here are that (1) we shouldn't surprise people with bad privacy outcomes (seems reasonable that, in the privacy world, all surprises are bad -- this differs from user-experience!); and (2) that we should give people real choices.

On the subject of surprise, I think it's worth pointing out that of the major browsers on Android (Chrome, Browser, Dolphin HD) -- all three do this, and in a way that makes it much less clear what suggestions are coming from where. Now, we don't make our decisions just based on what others are doing, but from a surprise perspective -- it seems more likely to me that people will be surprised that we _don't_ do this.

That said - transparency about what is happening with your data is a big deal for us. I actually quite like the core of something Beltzner suggested, above, which is to offer a "what is this?" associated with the Google search suggestions, maybe the first time or two. It would be a way to help people understand that their data is going somewhere, something that the other browsers don't do.

In general, our approach in UX on things like this has been to really try to get to a sensible default for most users' needs. If the tone of a potential opt-in is going to be "Get google suggestions? [yes/no]" -- and I think we'd want it to be at least that friendly, given how useful this will be and compared to the real risk -- then why aren't we making it the default? We don't actually want to dissuade people more than that, do we? This comes back to the "real decisions" point for me -- putting in an opt-in as friendly as we'd want doesn't tell anyone why they'd ever say no; making the opt-in more educational/threatening would seem disproportionate, to me, given the risks.

Incidentally, I haven't heard yet about whether Google's search suggest privacy policy is one we're happier sending user data to than the one they use for general web search. I'd heard this (uncited) but it would help to balance costs/benefits here.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Ehsan Akhgari
On 12-08-09 1:56 PM, Madhava Enros wrote:
> Incidentally, I haven't heard yet about whether Google's search suggest privacy policy is one we're happier sending user data to than the one they use for general web search. I'd heard this (uncited) but it would help to balance costs/benefits here.

As far as I know that data is covered by the holistic Google Privacy
Policy <http://www.google.com/intl/en/policies/privacy/>.

Ehsan

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: [Privacy Reviews]Call For Comments: Google Suggest in Android

Madhava Enros-2
In reply to this post by Madhava Enros-2
Oh - some more detail about what Google does with suggest data here: http://googleblog.blogspot.ca/2008/09/update-to-google-suggest.html
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
123