"Some have claimed that we should move Mozilla out of the US. Unfortunately, for reasons of connectivity, workforce, ties to US market, legal issues and restructuring costs we are not able to do that.
Current (recurring) developments in the US have shown that our government can not be trusted. No amount of legislation is going to achieve a fully accountable government.
Because of this, we are unable to guarantee that Persona is or will be exempt from data requests from one of the government agencies. Even worse: we will not be able to tell you when / what data has been requested. We are not and will not be able to confirm or deny data requests. It can be that future legislation forbids us to even make the statements that we are making in this paragraph, so this is maybe the last time that we can tell you this.
The only solution to a private internet is to fully embrace cryptography for all our communications. Until then, you can use Persona at your own risk."
The last bit here is a reach. For starters, Persona uses SSL, so it's encrypted. But more broadly, if you're going to use a centralized, third-party authentication mechanism you could do far, far worse than Persona. I'd go so far as to say if your site is implementing its own authentication system, you could do yourself even more damage with a poor implementation.
Your critique seems to have missed an important part about Persona's design: "It’s also worth pointing out that we do take certain technical measures to limit the data we collect. We’ve designed Persona so that the identity provider – including the fallback Identity Provider that we run – does not learn your browsing history. We consider that a good security practice, not specifically because of surveillance, but generally because collecting data without a user benefit just creates risk."
Further, the main "centralized" risk would be their default identity provider. If you don't want to use that for your domain, you can provide your own, and host it in another country. In this case, Mozilla's servers aren’t even being contacted when you authenticate.
I know nothing about Persona. I have never used it, and I have not read anything about it. But that much is clear to me: the communication between you and the Persona provider can happen very much over an encrypted channel, but the data in the Provider is not encrypted with a key which only you know. The Persona provider has the data in the open (except passwords, which are hashed).
This whole fiasco has shown a weakness in the system which was there all the time, but little acknowledged: it is not about encrypting communications anymore. The eavesdropping risk is well understood and there are technologies available to get rid of it (SSL, SSH tunnels, whatever). But now we need to encrypt the data everywhere. Nobody can be trusted with the data anymore because the government can be accessing that data, and they do not need to eavesdrop: they just need to send a letter and implicitly threaten with litigation and imprisonment to obtain whatever data they want.
This makes the technological solutions much more challenging, and some services can probably not be provided. How does Facebook provide services to their users if the data they have must be encrypted and they can not access it? How to share with friends photos if they are encrypted? Maybe creating ad-hoc group passwords to share data? I do not know, it is difficult.
The only thing those in power would find out by looking at Mozilla's servers in charge with Persona authentication would be your freaking email address and that's it. This is by design.
"It’s also worth pointing out that we do take certain technical measures to limit the data we collect. We’ve designed Persona so that the identity provider – including the fallback Identity Provider that we run – does not learn your browsing history."
That does not say "we only store your email address". It also does not say they are storing more than that, either. In any case, the data is not encrypted, so my argument stands.
"Many sign-in systems carry your profile data with them; some even share that info with other sites and social networks. We believe you should control how your personal information is shared. Persona lets you get started with just your email address; you can add your profile data later, when and where you think it’s appropriate."
Whatever that "profile data" is, it can be requested by the government.
The "profile data" referred to there is the profile data you want to add per site. It's got nothing to do with Persona.
All Persona knows is your email, a password and the fact that you (maybe) want to authenticate at some point (but it doesn't know where, and it can't be sure you're actually trying to authenticate somewhere even).
Personally, I think that argument is right. "Complete" encryption has usability tradeoffs many people will refuse to make. And I get that. Emotionally, it frustrates me that I can't store my Google Authenticator key in Google Drive even though I understand exactly why that would break two-factor authentication.
The blog post doesn't say it's an either-or question. It says that, given that Mozilla has limited resources, we think it is more effective to focus those resources on changing the law to benefit the user rather than trying to fix just Persona by moving it to another country.
If we had unlimited resources then we'd be able to do both, but the post goes on to explain why that wouldn't be effective anyway.
(Disclaimer: I work for Mozilla in a different department than the Persona team.)
Honest question: why the wishful thinking? Why not tell it like it is? What is the potential damage that Mozilla could suffer by clearly stating that it is impossible and it will be impossible to guarantee that the government will not be monitoring all online activity? We know that the shadow-government is very good at:
1) Spying on its citizens, using legal or illegal methods.
2) Covering up those operations with the use of force (indoctrination, legal threats, imprisonments, ...)
3) Changing operation procedures whenever a martyr leaks the modus operandi, and improving the sealing of those activities.
This has been going on for decades. They have been iterating on this for a long time and we can assume that the shadow-government is very competent at it, so it will be impossible to control it. It is not possible to rein in the secret machine anymore.
The latest improvements on the spying machine are:
1) Better understanding of the whistleblower phenomenon: how to better indoctrinate workers so that they are less likely to talk, how to assassinate the character by using the media, how to create an example by using the full force of the law (whatever that means in this context) to make the possibility of leakages in the future less likely, how to put pressure on other governments to aid in the prosecution of whistleblowers. They have lately had several high-profile cases (Manning, Assange) for testing their machinery, and it is working perfectly.
2) Coerce companies into collaboration, and at the same time legally forbid them to either confirm or deny participation. I must say that this is simply a work of genius.
Mozilla could at least openly recognize this fact, as long as this is still a legal thing to do. The next iteration of the spying machine will maybe not even allow us to have this conversation. Who does feel safe talking about these things anymore? Not me, for sure.
Mozilla could still in good faith recommend Persona, while clearly stating that they are in no position to make any guarantee whatsoever about possible monitoring activities.
"First, it’s not clear to us that other governments have any less intrusive surveillance activities."
Well, it is clear the US has it. That should be enough. There are some unknown unknowns, but this is a known unknown. There are other governments with the same willingness and capabilities of spying on everyone (do not move to China), but most of the countries in the world do not have a Government with both the willingness and the technical abilities to do it. And most of the countries do not have a huge and highly sophisticated shadow-government, with multiple agencies working out of the public oversight. Most countries have secret services, but they are a joke compared to what the US is able to deliver.
"Second, as a US company, Mozilla is subject to US Laws, wherever we host our servers."
Move the company out of the US. I understand that it won't be easy, but it is the only way to be 100% sure that the US Government will not come requesting data (not that they will not take it anyway, if they are able to).
"Third, we’d rather not engage in an arms-race with US government agencies."
Read: we are afraid to lead here, because backlash from the government (and the public?) could be too damaging for Mozilla.
"We’d rather focus on efforts to change the Law to respect user data wherever it lives."
We know so much: the privacy situation in the US is bad, and getting worse very fast. No amount of public discussion or legislation is going to change that. If PRISM is outlawed, even if those responsible are put into prison, they will start the PROSM program, more secretive, more broad. We will know about it in 2037 (maybe not, since by then we will already be living in a fully accomplished Orwell world). By then Mozilla will issue a statement similar to this one, explaining why they are not really taking the necessary steps.
Conclusion: if even a company committed to freedom and openness like Mozilla is not willing and/or able to take the necessary steps, it shows how unavoidable 1984 is.
NSA and GCHQ are very good at math and very good at surveillance.
Not engaging in an arms race with well funded, very smart, government agencies is probably a good idea.
If they think you're a criminal (doesn't apply to Mozilla) they will coerce foreign governments to cooperate - see for example the illegal attacks on Mega or the domain seizures for gambling or torrent sites.
But we know, from ECHELON, that they're happy to spy on anyone, and use weird loopholes in the law to do so.
Mozilla would need to find a country that had great Internet infrastructure; good strong laws and privacy culture[1]; lack of links to US; comfortable living for staff; etc etc.
That's not easy.
[1] The US has a strong culture of privacy, which is what makes PRISM so surprising for their citizens. (Not for many other people who were saying it's happening, and have been doing so for a while.)
"[1] The US has a strong culture of privacy, which is what makes PRISM so surprising for their citizens. (Not for many other people who were saying it's happening, and have been doing so for a while.)"
When will the public accept that "good strong laws and privacy culture" is not in the least a characteristic of the US, and hasn't been for the last 30 years?
The US is probably not a democracy anymore, and hasn't been for over 20 years, since Governments are elected by corporate interests (via campaign funding).
NSA and GCHQ are but 2 on a long list of government intelligence agencies with exceptionally skilled individuals. It is madness to believe that even if you moved to a fully neutral location [if you can find one] you wouldn't be compromised for the information you store, through agents/moles/whatever or otherwise.
But that's not enough. If they really want to be free from the US's reach they'd have to:
- not do business with any companies under US jurisdiction (oops - Google and Microsoft)
- not employ any US citizens or permanent residents
- warn employees that they could get arrested if they visit the US
- ...
And given that Firefox is a very visible browser with significant market share, the US government would probably be very motivated to squash outright defiance.
Mozilla would probably die, and that would be a very bad thing. So you are right, this is not the wisest path (it is the bravest, but the graveyard is full of brave people).
The other option is to contribute to educating the public by being honest. With the false hopes that they provide in their statement, they are doing a disservice to the public by downplaying the risk posed by the government.
I would have hoped for more honesty from Mozilla; they should just call it what it is: the US is a police state, so you'd better protect yourself.
If they want to be able to store a bit of customer information that they don't have to pass over to the US government then they just have to move the company and their servers out of the US.
Why would a company that has nothing to do with the US have to warn employees that they could get arrested if they visit the US?
Why would a company whose only connection to the US is a few US citizen and/or permanent resident employees have to worry about whether or not certain transactions involve those employees?
You might not know why, but they do. The US is unusually (perhaps uniquely) aggressive in how far it tries to push the reach of its law. It's worth thinking through the implications of that.
> "Third, we’d rather not engage in an arms-race with US government agencies."
> Read: we are afraid to lead here, because backlash from the government (and the public?) could be too damaging for Mozilla.
I read "This is a race we'll probably not win and even if we do, we'd have a lot of power tied up there. But we can win by just changing the rules, so let's do that."
The US has been changing the rules for decades. The shadow government has adapted to those changes, becoming more and more powerful with each change. The US will pass a couple of "government openness" laws in the coming months (years?). The shadow government will laugh at that, move operation proceedings to the new release, and increase the broadness of surveillance, thanks to improvements in technology.
The only way to stop this, until privacy technology is widespread (which I hope will become a huge topic soon), is to stop doing business in the US right now.
Note that moving the servers from the US would not be sufficient - you'd have to move the domain to a TLD not controlled by the US or any other entity that they can influence. You'd have to host with a provider independent enough etc.
Thus, the stated goal of Persona is to remove the need for a centralized auth provider, thus sidestepping the problem of where those centralized servers are located. That's why they don't want to engage in a whack-a-mole game with the US government.
So you are saying that Mozilla can be a trustworthy partner in the development of Persona (since it is open source, I guess?), but not a trustworthy Persona provider (since they are US based). That sounds reasonable, and Mozilla deserves much credit for that.
Both the non-profit and for-profit arms of Mozilla are funded almost entirely by Google. It's a pretty safe bet that they'll follow Google's overall lead in dealing with the government.
https://en.wikipedia.org/wiki/Mozilla_Corporation - "Google pays Mozilla a substantial sum – in 2006 the total amounted to around $57 million, or 85% of the company’s total revenue. [The deal was extended multiple times and currently expires in November 2014.]"
That doesn't really make sense in this case. Mozilla does get a lot of cash from Google, but Mozilla has a strong enough mission (see the manifesto) to make sure it's not a Google sockpuppet.
Google's funding isn't the end of the story. There are others (e.g. Microsoft) who would be happy to fund Mozilla. The real question is: How much cash could Mozilla get from non-US sources? I'd guess orders of magnitude less, sadly.
That's an interesting thought. Do you really think Microsoft would fund a cross-platform browser? Do you think Apple would fund a cross-platform browser? Yahoo is close with Microsoft, so they're out if Microsoft is. Oracle and IBM aren't really consumer facing. Intel, mostly hardware. Facebook's walled garden seems to conflict with Mozilla's core mission. Adobe, possibly. Who else were you thinking of?
Based on the rumors (and partially supported by Firefox with Bing), both Microsoft and Yahoo were actively bidding against Google (for the ad revenue, presumably).
Microsoft also probably has some interest in supporting Firefox for "browser strategic" reasons (pushing back against WebKit/Blink on mobile, a partner other than Google or Apple to work with on new web standards, etc.). I find it harder to imagine Apple being interested, but perhaps that would change if Blink starts eclipsing WebKit or if they want to push iAds more. More generally, though, the point I'm making is that (almost?) all potential alternative sponsors have extensive US ties and/or interests...
One great thing about Persona is that it doesn't have to get involved every time I log into some website. The keys can be cached, so Persona doesn't need to know which websites I visit the most frequently, how long I spend on each site, which pages I read, etc. Persona just provides the identity and stops there. In that sense, Persona's very design makes it an unattractive target of surveillance. Not much data there.
Right now, Mozilla knows my email address, my (hopefully salted and hashed) password, some keys associated with said password, and the set of IP addresses from which I ever accessed Persona. Maybe also the set of IP addresses from which its key was requested, but that's not a particularly useful piece of information when NSA is trying to figure out what I'm up to.
However, two of the planned changes to Persona get me worried a little. The first is that Persona will allow people to add multiple email addresses to each account and choose which one to use at any given time. This means that if NSA gains access to the contents of a Persona server, they'll be able to link several (seemingly unrelated) email addresses to the same account. If you're a heavy Redditor, imagine that somebody will be able to find out every throwaway account that you made and abandoned over the years to talk about things you don't want traced back to you. That's the sound of the Eureka! that the NSA agent utters when he finds out that the person who has been posting anti-factory-farming comments all over the place is actually the same guy who retweeted some anti-Esso catchphrase, who is the same guy whose personal blog contains pictures from a recent trip to Pakistan.
My second worry is that Mozilla expects email service providers to serve as a Persona provider for their users. If I'm not sure whether I want to trust the Mozilla Foundation (the good guys) with information about my various alter egos, I'm definitely going to be wary of giving Google, Yahoo, and Microsoft the same kind of information. Although it's possible for you to be your own Persona provider, realistically, not many people are their own OpenID providers at the moment, and not many of them are going to be their own Persona provider, either. Decentralization is often advertised as one of the better features of Persona, but I suspect that it's going to remain little more than an advertisement. Everyone else will just use Google-hosted Persona with their Google-hosted email, with no real improvement of privacy.
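The property the comment above relies on (the browser caches a certificate from the identity provider and signs per-site assertions locally, so the IdP is not contacted and never learns the audience) can be shown end to end. The following is an added illustration, not Persona's or Mozilla's code: it uses a toy RSA over fixed small primes as a stand-in for real keys, constructed names (example.com, news.example, shop.example, alice@example.com), and it also exercises the relying-party checks that make the scheme safe (issuer domain, expiry, and audience binding so an assertion minted for one site is rejected by another).

```python
import hashlib
import json
import time

# Toy RSA over fixed small primes: constructed for illustration only, not secure.
# It stands in for the real signing keys a BrowserID IdP and browser hold.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public, private)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, payload):
    n, d = priv
    msg = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": pow(_digest(msg, n), d, n)}

def verify(pub, token):
    n, e = pub
    msg = json.dumps(token["payload"], sort_keys=True).encode()
    return pow(token["sig"], e, n) == _digest(msg, n)

class IdentityProvider:
    """Email provider (or Mozilla's fallback): signs the browser's public key once
    per certificate lifetime and is not contacted for individual site logins."""
    def __init__(self, domain):
        self.domain = domain
        self.pub, self._priv = toy_keypair(1000000007, 998244353)
        self.contacts = 0                         # how often the IdP was reached

    def issue_certificate(self, email, user_pub, ttl=3600):
        # The real IdP authenticates the user (password etc.) here; elided.
        self.contacts += 1
        return sign(self._priv, {"iss": self.domain, "email": email,
                                 "public-key": list(user_pub),
                                 "exp": int(time.time()) + ttl})

class Browser:
    def __init__(self):
        self.pub, self._priv = toy_keypair(1000000009, 999999937)
        self.certs = {}                           # email -> cached certificate

    def assertion_for(self, email, audience, ttl=120):
        # Signed locally with the cached key: the IdP never learns `audience`.
        a = sign(self._priv, {"aud": audience, "exp": int(time.time()) + ttl})
        return {"certificate": self.certs[email], "assertion": a}

def verify_assertion(bundle, audience, idp_keys, now=None):
    """Relying-party check; idp_keys maps an email domain to its IdP public key
    (the real protocol fetches it from the domain's /.well-known/browserid)."""
    now = now or int(time.time())
    cert, asrt = bundle["certificate"], bundle["assertion"]
    c, a = cert["payload"], asrt["payload"]
    domain = c["email"].rsplit("@", 1)[-1]
    idp_pub = idp_keys.get(domain)
    if idp_pub is None or c["iss"] != domain or not verify(idp_pub, cert):
        return None        # unknown issuer, or an issuer vouching for a foreign domain
    if not verify(tuple(c["public-key"]), asrt):
        return None        # assertion not signed by the certified key
    if c["exp"] < now or a["exp"] < now or a["aud"] != audience:
        return None        # expired, or an assertion minted for another site
    return c["email"]

def demo():
    idp, browser, email = IdentityProvider("example.com"), Browser(), "alice@example.com"
    browser.certs[email] = idp.issue_certificate(email, browser.pub)   # the only IdP contact
    keys = {"example.com": idp.pub}                                    # RP's cached IdP keys
    def rp_login(minted_for, presented_to):
        return verify_assertion(browser.assertion_for(email, minted_for), presented_to, keys)
    news = rp_login("https://news.example", "https://news.example")
    shop = rp_login("https://shop.example", "https://shop.example")
    replay = rp_login("https://news.example", "https://shop.example")  # wrong audience
    return news, shop, replay, idp.contacts
```

Two site logins succeed while the IdP contact counter stays at one, which is the point the comment makes; the replayed assertion is refused because its audience does not match the presenting site.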
Unless I'm mistaken[1], right now the popup that has multiple emails in it is the part that will eventually become native to the browser itself, so no service should have access to that list of multiple emails.
Each of those emails is instead tied to an identity provider: for example, you might have a GMail address that uses Google as the IdP, while a Yahoo one would use Yahoo as the IdP. But Google and Yahoo don't actually know that you're using multiple emails to log in to stuff, they only deal with the emails you register with them.
What happens right now is that Mozilla Persona hosts the JS-powered popup that lets you choose between emails, so we end up with that info. This is for use in the short-term and for older browsers, but long term I think it will shift to client-side only.
[1] I work for Mozilla, but not on the Persona project, so there is a chance that I'm completely wrong. Doh!
When I log into persona.org, it seems to allow me to remove my (currently only) email address by clicking the first blue "Edit" button and then clicking "Remove" next to my email address. So I assumed that, in the future, I might also be able to add email addresses. Sorry if I was wrong about this.
You can add email addresses now, this is just for the bridge, so it allows you to use alternate addresses to log in with. It's not specific to Persona, it's just how they designed the current bridge (which they aim to phase out in the long run).
Any plans to pin the login.persona.org SSL certificate in browsers? It seems like a pretty tasty MITM attack target, especially while most identity providers don't have native Persona support.
login.persona.org is listed in the key pinning list in Chrome[1], but marked as kNoPins, DOMAIN_NOT_PINNED - whatever that means.
What's going to happen, at best, is that email service providers like Google and Microsoft will begin to support Persona. Either as a replacement for OpenID, or in addition to it. A negligible minority of the human population, such as regular HN readers like you and me, might opt to implement Persona on our own servers, but everyone else will remain hostages of their respective email service providers.
Realistically, and perhaps sooner than you think. They are finishing up the LDAP-based provider; once that happens, you could hook it up to most company-wide authentication systems.
Once that's working @university.edu and @bigco.com would authenticate directly with the organization. That'll be huge. This is a very very high value feature, I expect it to be the driving force for adoption.
One of the big challenges of large organizations is shutting someone off once they've left the company. This provides a very unintrusive way to do so for applications that use Persona. I could see large organizations requiring that all logins use Persona (and the @organization domain).
That's exactly my thinking when creating https://persowna.net/. Providing authentication that hooks up to the corporation's specific system for the entire web is potentially a very big thing.
By using a BrowserID-enabled user agent/browser and an email provider who has implemented the BrowserID protocol you already have a fully decentralised Persona experience.
My problem is with the "email provider" part. In the real world, it just means Google, Yahoo, Microsoft, and a handful of firms (like Rackspace) that provide hosted email solutions for a fee. You might call it "decentralized", but I'd call it "mostly centralized".
It seems to me as though an interim solution would be to partner with organizations in other countries to set up Persona fallbacks there. Key to this is that it would need to be a partnership with an entity local to the nation where the server is stored: Mozilla should not run these services itself, for the reasons listed in Mozilla's own post.
Has this option been explored, or at least considered?
The most important line for me from the blog post was:
> Third, we’d rather not engage in an arms-race with US government agencies. We’d rather focus on efforts to change the Law to respect user data wherever it lives.
This effectively tells a lot about Mozilla's intent.
How do you know Mozilla was not forced by the US to post just that? And they can't tell you they have been forced to do this.
This simple fact basically destroys Persona, IMHO.
> First, it’s not clear to us that other governments have any less intrusive surveillance activities.
This is a surprising statement, and somewhat dismissive of the respect for privacy and personal rights in the rest of the world. The NSA program is not a mundane activity, and should not be regarded as such, especially by a foundation like Mozilla.