sometimes it's just easier to make shit up

Sometimes it's easier to just make shit up than to actually research a story. That seems to be the case with the (no byline) story at Platinax Small Business News.

The article starts off by claiming that to use the phishing protection feature "properly, you have to send Google a record of every single website you visit." Not only is this blatantly false, but even the most cursory investigation of the feature would have revealed that.

Next, the writer tries to walk the absurdity back a bit by saying that "[phishing protection] does require an explicit opt-in". But once again he's wrong. Users get the benefit of this feature out of the box and without any privacy issues.

Had the author, who was too chickenshit to put his name on the story, actually looked into the feature, here's what he would have learned:

Firefox phishing protection offers users protection from online identity and credential scams by checking the visited sites against a local list of known bad sites. This list of bad sites is refreshed regularly by Firefox -- every 30 to 60 minutes. At no time are the users' visited sites shared with any third parties (or even with Mozilla) when using this feature in its default, and quite capable, configuration.

If a user wants to make a slight improvement to the feature -- eliminating the 30 to 60 minute lag time between when a site is identified as bad and when Firefox gets the updated list -- the user can dig deep into the preferences and find the option to do a "real-time" compare with the most up-to-date list at Google's server. If the user does check that box, she will be presented with a plainly worded description of what that means, including links to the applicable privacy policies.

This real-time compare is an optional enhancement to the phishing protection feature and is absolutely not required for the feature to provide real benefit to users. There are legitimate privacy concerns any time user data is shared with service providers and that is why this enhancement to the phishing protection feature is not enabled by default.

We take user privacy seriously. We always have and we always will. For a journalist to write such fiction, and to suggest that Mozilla has sacrificed user privacy because of some (unexplained) profit motive without having even a basic understanding of how the feature works, is not only unprofessional, it's completely irresponsible and a threat to user safety and security.

46 Comments

Could you please append to your post a proper description of the anti-phishing feature in Firefox?

I've noticed you sometimes point out articles saying how incoherent/stupid these are but still do not provide any meat to your opposition :) It would most certainly help lowering the number of articles you consider inappropriate :)

Thanks

I have to say I prefer IE7's warning.

Flooding the address bar with red is genius, it's very attention grabbing and we should have it too.

Plus having a close button on the bubble is a bad idea. Lots of adverts these days float on top of pages with a close button, at a quick glance it could be mistaken for one of those.

Personally I'd prefer the complete page replacement that IE does.

I wish Firefox could query the server for updates to the local list more often -- perhaps every time I fetch a URL from a new hostname. It seems to me that wouldn't put any more burden on the server than the "send every URL I visit to Google" option, and IMO it would be a better balance between privacy and anti-phishiness. If I have history enabled and don't visit any new sites in a given day, it would put even less burden on the Google server.

I agree with Pete that replacing the page completely would be better. If users see something that looks like the site "behind" the warning, they'll be more inclined to want to get to that site and less inclined to read the warning.

It's an interesting rant, but of little substance.

"The article starts off by claiming that to use the phishing protection feature "properly, you have to send Google a record of every single website you visit." Not only is this blatantly false, but even the most cursory investigation of the feature would have revealed that."

If that's the case, and "proper" anti-phishing protection is already in place, then why do you need to even recommend Google as a protection option?

In fact, as you state:

"This real-time compare is an optional enhancement to the phishing protection feature and is absolutely not required for the feature to provide real benefit to users."

If it's so unimportant and optional, and "not a real benefit to users" then why are Mozilla seeking to send their user data to Google - where Google can do what they like with the data?

Perhaps if Firefox had recommended Microsoft's servers instead for this optional service there would be no difference to the argument?

"to suggest that Mozilla has sacrificed user privacy because of some (unexplained) profit motive without having even a basic understanding of how the feature works is not only unprofessional, it's completely irresponsible and a threat to user safety and security."

This is just ad hominem - to try and circle this round to claiming privacy protection concerns undermine safety and security, is the sort of argument I'd expect from Homeland Security, not part of the FF development team.

Let's be clear - I'm not against Mozilla doing this, and I'm not against Google.

But the point is that free provision of user data for unlimited corporate use *is* a privacy concern, is rampant on the internet - and is the underlying point of the news item.

Perhaps the fact that you don't take this concern very seriously is a key problem in the first place.

@Brian Turner:

If it's so unimportant and optional, and "not a real benefit to users" then why are Mozilla seeking to send their user data to Google - where Google can do what they like with the data?

Perhaps if Firefox had recommended Microsoft's servers instead for this optional service there would be no difference to the argument?

Well, who's to say you can't add Microsoft's servers instead? Or another provider, for that matter? If you want, you can: http://developer.mozilla.org/en/docs/Adding_phishing_protection_data_providers

Brian, it seems that you still don't understand the feature the way I believe it has been implemented in Firefox 2.

The list is ALWAYS the one from Google, the only difference between the two options is that with the one (the default by the way), the list is downloaded at a set interval to a local store, and then sites are checked locally against this list when you visit. With the "Google" option, it is instead sending info (basically the URL I believe) to Google so that it can do an immediate lookup against the very latest copy of the list. The only advantage here is that you are always assured of querying against the most recent copy of the Google list, instead of the locally cached copy which could be up to 60 minutes out of date.

So, like Asa said, the article is wrong. You are NOT required to send data to Google to use the Google list properly, since it is always the Google list being used. The only reason to send them the URL is so that you can be assured you are querying against the very latest info they have, instead of a cached (slightly older) version of their list. The list of phishing sites being checked against is the same with either option. The only difference is "uptodate-ness" of the information (by a sliding window of approx 30-60 minutes). Also, the default setting in Firefox DOES NOT send any data, so I find it odd that you would complain about it in the first place.

What I think does bear some clarification is the exact method that the phishing protection uses. It is not immediately clear (obviously) that the same list is being checked in either case.

Tim, indeed, I understand that's the case.

The big concern raised on Threadwatch, and reported on at Platinax, is that if a user does opt for Google querying for phishing protection - which is obviously the stronger real-time protection - then there are no safeguards on how Google will use that private user data.

If you look around the web there's a general disgruntled chatter on the extent of Google's data collection, and lack of open assurances on how it is used - other than "as Google sees fit".

By tapping into Google's resources for this feature, without providing privacy safeguards against further use of the personal user data provided to Google, Firefox effectively serves as yet another data-mining tool for Google.

As before though, data-mining via free tools is rampant among ISPs, and that's precisely what the real story is. It's not about bashing Firefox, or even Google - it's about growing concerns on personal data collection and use for commercial purposes.

If anyone reads the Platinax item with that in mind, rather than a reaction that Firefox is being attacked, hopefully they'll see that communicated.

2c.

Brian:
Have you tried to enable the real time checking option?

If you do, you'll see that there are big warnings explaining that every url will be sent back to google, so if you still go ahead and enable it, then don't cry that you didn't understand what has been told to you.

Can you point to some verification for this 30 to 60 minute time frame? There doesn't seem to be any mention of it on either of these pages

http://www.mozillazine.org/talkback.html?article=20112
http://www.mozilla.com/en-US/firefox/phishing-protection/

Brian, do I understand correctly that you are the author of this article?

And I only want to repeat that this article is absolutely missing the point. Mozilla has gone great lengths to give users a useful protection without raising any privacy concerns. Yet they had to keep the option to do a check against the most recent version of the list - just in case that would become necessary (things change too fast on the internet to release a new version every time something happens). There are more than enough warnings there, anybody who chooses to use this option knows what he is doing.

After looking at that article on Threadwatch (that the other article was supposedly "inspired by"), I must say that, while not deliberately stating it, they make it sound as if the default phishing protection scheme (the local copy of the Google list) is updated VERY infrequently. In reality, it's roughly once an hour.

To say something is updated "periodically" is a lot different than saying "once per hour".

I don't think it's incorrect to assume that, for most users, the difference in a real-time list check vs checking a list merely an hour old at most is quite negligible.

You may wish to refer to the Firefox Privacy Policy for some additional insight, located at:
http://www.mozilla.com/en-US/legal/privacy/firefox-en.html

"While it is possible that a URL sent to your service provider may itself contain Personally-Identifying Information, Mozilla's third party service providers have entered into a written agreement with Mozilla not to use Personally-Identifying Information for purposes other than to enhance and maintain their service[*]."

* Anti-phishing services

Sherman Dickman
Mozilla Corporation

The timing of the local list update is approximately 30 minutes, and updates will be tuned over time to provide the best protection possible.

No, the next release will be Firefox 360

The question is: does anybody have a better solution to providing real time anti-phishing protection without any privacy concern? Jesse's suggestion sounds like the closest to real time without privacy concerns.

Then again, it all sums up to how confident you feel with a specific provider. There is no way a user can be sure that when downloading an update to the local file, some information is not being sent back to the provider as part of the request.

I don't know how IE have implemented this or Opera is going to work this out but in the end there is a certain amount of trust necessary. Firefox at least gives the option: if you don't trust what you're told in the Terms of Service (which I guess should mean some kind of liability on the Google side), don't accept. If you don't trust Google at all, deactivate anti-phishing and try Netcraft toolbar if you trust it better. Hopefully Netcraft and other providers will offer the necessary hooks for Firefox and users will have choice.

Hey ar-tard ...

1) There's no link to Google's, or any other 3rd-party's, privacy policy in Firefox.
2) The article was explicit when it says:
Although, the feature does require an explicit opt-in, it's an unwelcome trade-off for many Firefox users, who believe that there is no reason to tie-in phishing protection with providing free data to a billion-dollar multinational.

The antiphishing is absolutely brilliant. It's hard to imagine how it could be done any better. It's all there -- a warning you CAN'T miss, privacy, feedback (you can tell them you don't believe the warning), instant checking if you opt in, and 30-minute updates of local copies (I get anti-virus signatures once a week).

Cornelius: go to Tools, Options (or Edit, Preferences), Security and select Check by asking...; a dialogue appears with a link to Google's privacy policy.

I might add that whoever wrote the article could have gotten accurate and rather complete information simply by looking at the Firefox menu. It should take about 30 seconds to discover that the author got just about everything wrong.

I have a problem with this sequence:
---------
In fact, as you state:

"This real-time compare is an optional enhancement to the phishing protection feature and is absolutely not required for the feature to provide real benefit to users."

If it's so unimportant and optional, and "not a real benefit to users" then why are Mozilla seeking to send their user data to Google - where Google can do what they like with the data?
---------

The poster's statement following the quote sounds extremely deceptive and (I suspect) falsely expresses that Mozilla has stated that the enhanced phishing protection is unimportant and doesn't help users (by trying to contrast Mozilla's "provide real benefit" with the poster's "not a real benefit").

The default behavior provides one level of protection. The enhanced service provides a HIGHER level of protection. It's somewhat analogous to a "window bars" vs. "window bars and a burglar alarm" as ways to protect your home against intrusion.

The poster also implies nefarious motives to Mozilla, and that somehow they are in league with Google for unspoken inappropriate ends by "seeking" to have data sent to them. No facts, merely insinuation.

If this is an example of the level of journalism on display at this site, I doubt they'll ever be taken seriously.

I think this is the first time I've seen the 30-60-minute period mentioned. Everywhere it's been "periodically" or "regularly," including the release notes and the Mozillazine article. When Opera announced that they would be adding a similar feature to 9.1, the discussion seemed to think Firefox updated the list once daily. (That was, of course, pure speculation, and recognized as such.)

Regarding privacy concerns, note the following passage from Firefox's privacy policy:

"While it is possible that a URL sent to your service provider may itself contain Personally-Identifying Information, Mozilla's third party service providers have entered into a written agreement with Mozilla not to use Personally-Identifying Information for purposes other than to enhance and maintain their service. "

Also, a minor correction regarding the list update intervals. Firefox generally updates the list of phishing URLs every 30 minutes, with the following exceptions:

  • If Firefox doesn't have a list of phishing URLs yet (f.e. because the user just installed it and is running it for the first time), Firefox downloads the list when the user first starts the browser.

  • Otherwise, Firefox first updates the list some random time between 0-5 minutes (on average, about 2.5 minutes) after the user first starts the browser.
  • Firefox next updates the list at some random time between 15-45 minutes (on average, about 30 minutes) after the first update.

To summarize: the first update happens between 0-5 minutes after you start Firefox, the second update happens 15-45 minutes after the first update, and the third and subsequent updates happen 30 minutes after the previous update.
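
The refresh schedule described in the comment above, simulated as an added example (not Firefox code and not part of the original thread). It assumes a newly listed site is available from the provider immediately and that the 15-45 minute second refresh also applies after a fresh install; `update_times`, `detection_lag` and `worst_gap` are hypothetical names.

```python
import random


def update_times(session_minutes, rng, have_list=True):
    """Minutes after start-up at which the local list is refreshed."""
    # No local list yet: download at start-up. Otherwise wait 0-5 minutes.
    times = [rng.uniform(0, 5) if have_list else 0.0]
    # Second refresh: 15-45 minutes after the first.
    times.append(times[0] + rng.uniform(15, 45))
    # Third and later refreshes: 30 minutes after the previous one.
    while times[-1] + 30 <= session_minutes:
        times.append(times[-1] + 30)
    return [t for t in times if t <= session_minutes]


def detection_lag(listed_at, times):
    """Minutes between a site being listed and the next local refresh.

    Returns None when the session ends before another refresh happens.
    """
    later = [t for t in times if t >= listed_at]
    return later[0] - listed_at if later else None


def worst_gap(sessions, session_minutes, seed):
    """Longest stretch without a refresh across many simulated sessions.

    A site listed just after a refresh stays unknown to the local check
    for the whole gap, so this is the worst-case lag of the default mode.
    """
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(sessions):
        times = update_times(session_minutes, rng)
        for prev, nxt in zip([0.0] + times, times):
            worst = max(worst, nxt - prev)
    return worst


if __name__ == "__main__":
    print("refreshes:", [round(t, 1) for t in update_times(120, random.Random(1))])
    print("worst gap over 1000 sessions:", round(worst_gap(1000, 240, 1), 1))
```

Under this schedule the longest wait for a new listing is bounded by the 45-minute upper end of the second refresh, then settles at 30 minutes.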

I still don't see where everyone is coming up with this 30-60 minute time frame. It's not mentioned anywhere. How you can expect someone to make an educated decision about something when you give them a vague definition like "periodically" is beyond me. To the man on the street periodically means a lot less often than every 30 minutes.

Sherman:

"not to use Personally-Identifying Information for purposes other than to enhance and maintain their service"

Come on - this is a licence to data-mine and use personally identifiable user data as Google sees fit. It's the Firefox userbase handed on a plate to a billion-dollar corporation.

Again, it's not uncommon among ISPs with free service provisions - but the point is that it *is* a *privacy concern* that user data can be freely supplied for commercial purposes.

You can put whatever disclaimers you want on the service - and I agree they are clear - but if Firefox user privacy protection was a real concern the agreement would read something like:

"not to use Personally-Identifying Information, which will only be temporarily stored for a 30 day period before deletion".

glob, the point was not to be commented with the info but thanks for taking time to paste url. That's the kind of info that should have been in Asa's post in the first place (+ other pertinent content within comments).

I remember in some early v2 build with anti-phishing, there was a disabled feature for a user to change the anti-phishing provider list. It didn't make it to the final version of v2, might come back later.

Mathieu, that feature still exists. We don't have any additional providers included in the list, but it's possible to add a different provider through a simple extension.

- A

nice to see you respond with such finesse to critics, then you complain about opera "fanboys", funny

Brian, so your concern is with how enhanced anti-phishing works in FF2 or just the fact that it's Google the one who is receiving the requests?

I don't have enough "evidence" to endorse the "Google is evil" new mantra. But I acknowledge that this is a lot of valuable information that could be possibly tracked back to a single individual with some sort of combination of IP address, cookie, and query string parameters. Now whether this is on Google's plans (together with violating the mentioned agreement it has with Mozilla), is some major talk, and a lot of users, including me, would really appreciate you pointing to some clue on this. Gut feelings? I will pass on that.

That said, I consider the local blacklist scheme, enough protection for ME.

"i stuck my penis in the doorbell.. now everybody knows.."

That's your own fault. I don't stick your peepee in public places, you shouldn't do it either.

It took me three days of digging around to find this explanation of how and when the anti-phishing tool is updated. I trust it's documented in the help file and I just missed it. But trust is the issue.

I work editing legal documents, and if "not to use Personally-Identifying Information for purposes other than to enhance and maintain their service" is in fact the legal language agreed to, it is a license for Google to provide personal and individual service based on the information. They are, like a newspaper or magazine, a business that serves advertisers.

What's so hard for people to understand about the business model here? It's American business law and it's how this world works. The people who read the newspaper, magazine --or Google-- material are being served _to_ the advertisers. Look at the page layout of any of them.

Does "All the news that fits we print" sound familiar? Google just has huge pages, but they're still in the business of selling advertising, using the personal information they obtain about the readers to target it.

Duh!

The art of writing contract law is to say exactly what you're going to do, in ways that the other person's lawyer will understand. If Asa is a lawyer, then I'm worried. If Asa is not a lawyer, a lawyer should be giving the legal opinion here about what the contract actually says --- that's basic to understanding what's really been agreed to by whom.

> The question is: does anybody have a better solution to providing real time
> anti-phishing protection without any privacy concern? Jesse's suggestion sounds
> like the closest to real time without privacy concerns.

Instead of sending URLs to Google, it could send only a hash value.
(A proper hash would not be reversible to identify the URL, so privacy is
not sacrificed.) If Google indicates that the hash matches that of a
blacklisted site, then the browser could download the then-current blacklist,
and perform a secondary check locally.

Ta-da.

Now slashdot links to an article with 9 reasons not to download Firefox 2.

I've already written my views on the subject:
http://browserden.co.uk/blog/2006/10/29/9-reasons-not-to-upgrade-to-firefox-2/

The problem with sending a hash of the url is that you can't use regular expressions to match small variations in the url (either in the domain or in path/query components).
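
A sketch of the hash-first lookup proposed earlier in the thread and of the matching limitation raised in the comment above, added here as an example (not Firefox's or Google's code). It goes one step beyond the proposal by also hashing host-suffix and path-prefix forms of the URL; the `Provider` class, the function names and the `example.test` URLs are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def digest(expr):
    return hashlib.sha256(expr.encode("utf-8")).hexdigest()


def expressions(url):
    """Host-suffix/path-prefix strings for a URL, most specific first."""
    parts = urlsplit(url)
    host = parts.hostname or ""                 # urlsplit lower-cases the host
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    paths = [path + query, path, "/"]
    prefix = "/"
    for segment in path.split("/")[1:-1]:       # directory components only
        prefix += segment + "/"
        paths.append(prefix)
    paths = list(dict.fromkeys(paths))          # drop duplicates, keep order
    return [h + p for h in hosts for p in paths]


class Provider:
    """Constructed stand-in for the list provider; records what it is sent."""

    def __init__(self, listed):
        self.listed = {digest(e) for e in listed}
        self.seen = []

    def any_listed(self, hashes):
        self.seen.extend(hashes)
        return any(h in self.listed for h in hashes)

    def download_list(self):
        return set(self.listed)


def check(provider, url, use_prefixes):
    """Hash query first, then the secondary local check from the proposal."""
    exprs = expressions(url)
    # exprs[0] is the whole URL (host + path + query): the exact-hash case.
    hashes = [digest(e) for e in exprs] if use_prefixes else [digest(exprs[0])]
    if not provider.any_listed(hashes):
        return False
    current = provider.download_list()          # fetched only after a hit
    return any(h in current for h in hashes)


# Constructed sample data; example.test is a reserved test domain.
LISTED = ["phish.example.test/secure/"]
EXACT = "http://phish.example.test/secure/"
VARIANT = "http://PHISH.example.test/secure/login.php?session=abc123"
OTHER_HOST = "http://phish2.example.test/secure/"

if __name__ == "__main__":
    p = Provider(LISTED)
    print("exact URL, exact hash:    ", check(p, EXACT, False))
    print("path variant, exact hash: ", check(p, VARIANT, False))
    print("path variant, prefixes:   ", check(p, VARIANT, True))
    print("host variant, prefixes:   ", check(p, OTHER_HOST, True))
```

Hashing path prefixes recovers path and query variations but not a changed host name. A provider that already knows a URL can hash it and recognise the query, so hashes hide unknown URLs rather than well-known ones.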

I had a lot of fun using Deer Park, it made me feel like I was the man cause it was for beta testers only, I stuck through the updates like that.. until the official release.. that's probably why I'm still using the 1.5 release..

I've read the "9 reasons not to download firefox 2" and I can sum it up for you right now : whiny babies whining like babies.
The guy says "don't upgrade because firefox 2 has a bug in it"
His solution apparently is to run IE6 because that has no bugs in it, and is totally secure. Then he goes on to say "Firefox 2 doesn't yet support every possible web standard -- therefore don't use it"
Again, he doesn't offer any solutions in his article, but we can only assume he uses some perfect, flawless browser like IE6 or 7, which have never had any bugs and support every possible standard completely. The concept of something incrementally adding more and more standards compliance over time is not comprehensible to him, or not acceptable.
Then he goes on to say you shouldn't use it because the options dialog is confusing, I almost spat my coffee all over my desk laughing myself into a choking coughing fit. This was my clue -- the guy who is complaining about Firefox 2 can't understand the options dialog -- WARNING!
I have to see his point here because IE hasn't changed their options dialog since version 3 (nor most of the underlying code of the browser, that's why it's so solid, bug-free and standards compliant).
Again, there's no solutions offered in his little web-whine, but we can only assume he wants us to use IE6, which must be better, otherwise FF2 would be the best browser and he would be a total idiot for writing his article in the first place.

Where is this local list? All I can find is a short file "blocklist.xml", which contains only a URL. And mine was updated a little over 1 1/2 hour ago.

@Anotherguest: I believe it's the file, urlclassifier2.sqlite

Thanks, Kelson. That could be the list all right, and mine just updated after 50 minutes.

Following up, is the actual contract language from which Asa quoted available to read in full?
Has Lavasoft (Ad-Aware) been approached about providing a source list? Other anti-malware lists?

We agree with Brian. The Mozilla privacy policy is too vague for our paranoia/responsibility.
It's not that the interception of our data is definitely going to happen for commercial purposes at this stage, but it's just an added weakness that doesn't have to exist.

It should stay as a plug in and will definitely put us off FF2.

Why are people so up in arms over this?? The ability to contact Google direct IS AN OPTIONAL FEATURE WITH A BIG NOTICE SAYING WHAT IT MEANS!! Bloody hell, what are people suggesting you use instead - the options seem to be IE6/7 on Windows (which is bull as that is riddled with privacy issues, not to mention security issues, bugs, a monopoly backer etc...), or possibly Opera (again proprietary and closed. How do we know it doesn't have privacy issues?).

If you don't like the feature, don't use it. Just shut the hell up and realise that it is not a big issue.

Seems to me like everyone's doing the homework for Brian.
