Re: Banned on MDN for adding referer warnings, please help.
On Mon, Oct 8, 2018 at 3:23 PM R0b0t1 wrote:
> If they did ban him with no warning for proposing a feature(?) then I
> think it is worth mentioning. There have been other very strange
> executive decisions that I think need discussed as well, mostly
> related to how ads are served in Firefox, but I don't want to bring
> them up right now.

If you read through the thread, it's clear Mozilla asked him multiple times to stop adding red warning banners to MDN, then revoked his access when he didn't comply.

Do you think there is something different that Mozilla could have done to handle this situation better?

- Bil

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: Banned on MDN for adding referer warnings, please help.
On Mon, Oct 8, 2018 at 2:48 PM Bil Corry wrote:
>
> Hi Mark,
>
> Wow, there's a lot to unpack in this email thread.
>
> I'm not clear what you're asking for, I think you want community support to add back in your warning banners regarding referrer privacy issues. If so, please send a new email to the community asking for opinions about adding a warning banner and mention that Mozilla is against adding the banners, but please do not quote this entire thread. I have some thoughts about your ask, but this thread is now unfortunately about the nature of your disagreement with Mozilla instead of the substance. A new thread will allow you to seek community feedback about your specific ask.
>
> Regarding Mozilla's behavior and your own; my interpretation reading through the thread is that Mozilla heard your feedback, incorporated it into MDN according to how they manage their content, and asked you not to add the warning label. It escalated and they revoked your access to modify content.
>

If they did ban him with no warning for proposing a feature(?) then I think it is worth mentioning. There have been other very strange executive decisions that I think need discussed as well, mostly related to how ads are served in Firefox, but I don't want to bring them up right now.

Cheers,
     R0b0t1

>
> - Bil
>
>
> On Mon, Oct 8, 2018 at 9:36 AM Mark Richards wrote:
> > [...]
Re: Banned on MDN for adding referer warnings, please help.
Hi Mark,

Wow, there's a lot to unpack in this email thread.

I'm not clear what you're asking for; I think you want community support to add back in your warning banners regarding referrer privacy issues. If so, please send a new email to the community asking for opinions about adding a warning banner and mention that Mozilla is against adding the banners, but please do not quote this entire thread. I have some thoughts about your ask, but this thread is now unfortunately about the nature of your disagreement with Mozilla instead of the substance. A new thread will allow you to seek community feedback about your specific ask.

Regarding Mozilla's behavior and your own, my interpretation reading through the thread is that Mozilla heard your feedback, incorporated it into MDN according to how they manage their content, and asked you not to add the warning label. It escalated and they revoked your access to modify content.

- Bil

On Mon, Oct 8, 2018 at 9:36 AM Mark Richards wrote:
> [...]
Banned on MDN for adding referer warnings, please help.
Hey

I've had my MDN account banned for trying to add referer warnings onto and elements or worse banned for involving authorities who are investigating the mess of microtargeting. It appears MDN are refusing a warning on the grounds it isn't a nice presentation, regardless of how irresponsible it is to not include it.

I need help, and as the security devs I hope, given the extent to which Firefox has added config features and policies to try to reduce the referer mess, there are community members who understand how significant this is. Whatever Firefox tries, other browsers have a bigger market share. Documenting the referer risks in MDN does stand a chance of better educating developers so they start paying attention to their third parties, and for many it is imperative to do so given GDPR changes.

A developer I know who recently finished a three month intensive course on the web advised there was no coverage of referer, which matches my CS degree experience over a decade ago. This isn't a one-off to me; I have met many developers who don't understand the risk or even have misconceptions about how it works (like thinking it's not sent on https sites). However, this developer did say the course used MDN to teach about the web features, and this matches my development experience: MDN is very much respected by the Dev community. It may well be the case MDN has a greater market share in the Dev community as an educational resource than Firefox does with consumers as a browser.

The Mozilla security blog has had multiple references to referers over the years, but most people are still having their browser history distributed piecemeal by it. Browsers still don't protect referers by default, and even if that changed tomorrow it might be 5-10 years before everyone upgrades their various devices.

https://blog.mozilla.org/security/2015/01/21/meta-referrer/

https://blog.mozilla.org/security/2018/10/02/supporting-referrer-policy-for-css-in-firefox-64/

https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

With GDPR, the rules changed and are being copied in other jurisdictions. Businesses must have accountability and privacy by default, so referer is in conflict with local legislation not just because privacy or security breaches may have happened, but primarily because a business has to assess, document and decide on the risks of which systems get data about a user of their sites. Profiling of users, made possible by referers by default, was one of the motives for GDPR, so it is rightly part of regulators' investigations now, but I'm not sure the regulators realised that the technical feature at the centre of it is the referer and how broken the web is for privacy. Tracking pixels are an image, a cookie and referers... The cookies have long been part of data protection discussions and laws, yet while you can profile someone without a cookie (IP address), you can't do it without the referer (unless you explicitly add the same functionality by code to the url, at which point it is an explicit act and can be justified by the author). Many places shouldn't get a referer, like CDNs. Most CDNs need to know who to charge (API key?), not a full referer.

China is very interesting: the headlines aren't necessarily fines for data protection violations but over 11000 arrests. How many of those are web developers or directors of companies because of their website? How many will it be in the future as regulators realise it's not the ad companies that steal this data, but it's given away by websites protecting users' referers?

https://asia.nikkei.com/Business/Business-Trends/China-s-strict-new-cybersecurity-law-ensnares-Japanese-companies

UK has criminal prosecution options in its data protection laws and I hope that those in the UK responsible for keeping tracking on the NHS website face criminal prosecution (they had ample warning given it hit the news in 2010), but what is often amazing in raising complaints (which I've been doing for years now relating to referer leaks) is how often I'm advised by companies they don't send personal data, even when they load tracking on membership pages or similar that give away data that might put lives at risk in the wrong hands (various UK political parties have a history of being targeted by terrorism and they sent their membership lists to ad companies by loading tracking on members only areas; I've been advised by a major UK political party that they're under investigation for tracking).

For anyone hands on with privacy impact assessments, you'll know you have to document which systems and third parties get personal data, and a user's browsing habits linked to just an IP address, never mind cookies, is personal data (most of us having relatively long lived IP addresses, even when not static, like those unique to our mobile device or family internet). If developers aren't thinking about referers, they're not completing their privacy impact a
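The leak described in this thread (a tracking pixel or CDN loaded from a members-only page receiving that page's full URL in the Referer header) is decided by the document's referrer policy, which is what the linked Mozilla posts on meta referrer and path stripping are about. The following is an added example for this thread, not code from Mozilla, MDN or any poster: it implements the referrer-computation rules of the W3C Referrer Policy specification for all eight standard policy names, going beyond the default case the thread discusses, so a developer can see exactly what each third party receives under each setting. All URLs and the `members.example.org` / `tracker.example.net` hosts are constructed for illustration; the assumed default of `no-referrer-when-downgrade` reflects browser behaviour when this thread was written (2018), and the `leaked_path` helper is this example's own name.

```python
"""Compute the Referer value a browser sends when a page at `source`
fetches `destination`, following the W3C Referrer Policy rules.

Added example for this thread; not MDN or Mozilla code.
All hosts and URLs below are constructed for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)

# Assumption: the policy browsers applied when a page set none, as of 2018.
DEFAULT_POLICY = "no-referrer-when-downgrade"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, lowercase host, effective port) as used for origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def _netloc(scheme: str, host: str, port: Optional[int]) -> str:
    """Host with the port only when it is not the scheme default."""
    return host if port is None or port == _DEFAULT_PORTS.get(scheme) else f"{host}:{port}"


def serialize_origin(url: str) -> str:
    """Origin-only referrer: scheme://host[:port]/ (the spec appends '/')."""
    scheme, host, port = _parts(url)
    return f"{scheme}://{_netloc(scheme, host, port)}/"


def strip_for_referrer(url: str) -> str:
    """Full referrer: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    scheme, host, port = _parts(url)
    return urlunsplit((scheme, _netloc(scheme, host, port), p.path or "/", p.query, ""))


def same_origin(a: str, b: str) -> bool:
    return _parts(a) == _parts(b)


def is_downgrade(source: str, destination: str) -> bool:
    """A TLS-protected page fetching a plaintext URL: the referrer would cross the wire unencrypted."""
    return _parts(source)[0] == "https" and _parts(destination)[0] != "https"


def referrer_for(source: str, destination: str, policy: str = "") -> Optional[str]:
    """Referer value sent from `source` when fetching `destination`, or None if no header is sent."""
    policy = policy or DEFAULT_POLICY
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    # Non-HTTP(S) documents (file:, data:, about:) never send a referrer.
    if _parts(source)[0] not in ("http", "https"):
        return None
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return strip_for_referrer(source)
    if policy == "origin":
        return serialize_origin(source)
    if policy == "strict-origin":
        return None if is_downgrade(source, destination) else serialize_origin(source)
    if policy == "same-origin":
        return strip_for_referrer(source) if same_origin(source, destination) else None
    if policy == "origin-when-cross-origin":
        return strip_for_referrer(source) if same_origin(source, destination) else serialize_origin(source)
    if policy == "no-referrer-when-downgrade":
        return None if is_downgrade(source, destination) else strip_for_referrer(source)
    # strict-origin-when-cross-origin: full when same-origin, origin cross-origin, nothing on downgrade
    if same_origin(source, destination):
        return strip_for_referrer(source)
    return None if is_downgrade(source, destination) else serialize_origin(source)


def leaked_path(source: str, destination: str, policy: str = "") -> bool:
    """True when the destination learns which page the user was on (path/query), not just the site."""
    ref = referrer_for(source, destination, policy)
    return ref is not None and ref != serialize_origin(source)


if __name__ == "__main__":
    # Constructed members-only page and a constructed third-party tracking pixel.
    page = "https://members.example.org/area/branch-42/profile?id=7#top"
    pixel = "https://tracker.example.net/pixel.gif"
    for name in POLICIES:
        print(f"{name:32} -> {referrer_for(page, pixel, name)}")
```

Under the 2018 default the pixel receives `https://members.example.org/area/branch-42/profile?id=7`, i.e. the path that identifies the member area; under `strict-origin-when-cross-origin` it receives only `https://members.example.org/`. A site sets the policy with the `Referrer-Policy` response header or a `<meta name="referrer">` element, which is what the meta-referrer post linked above describes.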