October 26, 2006

sometimes it's just easier to make shit up

Sometimes it's easier to just make shit up than to actually research a story. That seems to be the case with the (no byline) story at Platinax Small Business News.

The article starts off by claiming that to use the phishing protection feature "properly, you have to send Google a record of every single website you visit." Not only is this blatantly false, but even the most cursory investigation of the feature would have revealed that.

Next, the writer tries to walk the absurdity back a bit by saying that "[phishing protection] does require an explicit opt-in". But once again he's wrong. Users get the benefit of this feature out of the box and without any privacy issues.

Had the author, who was too chickenshit to put his name on the story, actually looked into the feature, here's what he would have learned:

Firefox phishing protection offers users protection from online identity and credential scams by checking the visited sites against a local list of known bad sites. This list of bad sites is refreshed regularly by Firefox -- every 30 to 60 minutes. At no time are the users' visited sites shared with any third parties (or even with Mozilla) when using this feature in its default, and quite capable, configuration.

If a user wants to make a slight improvement to the feature -- eliminating the 30 to 60 minute lag time between when a site is identified as bad and when Firefox gets the updated list -- the user can dig deep into the preferences and find the option to do a "real-time" compare with the most up-to-date list at Google's server. If the user does check that box, she will be presented with a plainly worded description of what that means, including links to the applicable privacy policies.

This real-time compare is an optional enhancement to the phishing protection feature and is absolutely not required for the feature to provide real benefit to users. There are legitimate privacy concerns any time user data is shared with service providers and that is why this enhancement to the phishing protection feature is not enabled by default.
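
The trade-off described above, as an added example that is not Firefox's code or part of the original post: a small model in which the client checks visits against a periodically refreshed local list by default, and sends URLs to the provider only in the opt-in real-time mode. The class, the provider object, the hosts and the timings (in minutes) are all constructed for illustration.

```javascript
// Added illustration: a model of the two lookup modes, not Firefox's code.
// All names, hosts and timings (minutes) are constructed for the example.
class PhishingChecker {
  constructor(provider, { realTime = false, refreshMinutes = 30 } = {}) {
    this.provider = provider;
    this.realTime = realTime;
    this.refreshMinutes = refreshMinutes;
    this.localList = new Set();
    this.lastRefresh = -Infinity;
    this.sentToProvider = []; // every visited URL that leaves the client
  }

  // Periodic download of the whole list; no visited URL is part of the request.
  refreshIfDue(now) {
    if (now - this.lastRefresh >= this.refreshMinutes) {
      this.localList = this.provider.listAt(now);
      this.lastRefresh = now;
    }
  }

  isBlocked(url, now) {
    if (this.realTime) {
      this.sentToProvider.push(url); // the privacy cost of the opt-in mode
      return this.provider.listAt(now).has(url);
    }
    this.refreshIfDue(now);
    return this.localList.has(url); // purely local comparison
  }
}

// Constructed provider: a site is on the list from the minute it is reported.
const provider = {
  reports: [{ url: "http://phish.example/login", reportedAt: 10 }],
  listAt(now) {
    return new Set(this.reports.filter(r => r.reportedAt <= now).map(r => r.url));
  },
};

// Replays the same three visits in either mode and returns what was blocked
// and which URLs were disclosed to the provider.
function simulate(realTime) {
  const checker = new PhishingChecker(provider, { realTime });
  const visits = [
    [0, "http://bank.example/"],
    [15, "http://phish.example/login"], // reported at 10, list last fetched at 0
    [35, "http://phish.example/login"], // after the refresh that is due at 30
  ];
  const blocked = visits.map(([t, url]) => checker.isBlocked(url, t));
  return { blocked, sent: checker.sentToProvider };
}
```

In the default mode `sent` stays empty and the site reported at minute 10 is first blocked at the minute-35 visit, after the list refresh; in real-time mode it is already blocked at minute 15, at the cost of every visited URL appearing in `sent`.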

We take user privacy seriously. We always have and we always will. For a journalist to write such fiction, and to suggest that Mozilla has sacrificed user privacy because of some (unexplained) profit motive, without having even a basic understanding of how the feature works, is not only unprofessional, it's completely irresponsible and a threat to user safety and security.

Posted by asa at 10:51 PM