
The blog post doesn't say it's an either-or question. It says that, given that Mozilla has limited resources, we think it is more effective to focus those resources on changing the law to benefit the user rather than trying to fix just Persona by moving it to another country.

If we had unlimited resources then we'd be able to do both, but the post goes on to explain why that wouldn't be effective anyway.

(Disclaimer: I work for Mozilla in a different department than the Persona team.)




Honest question: why the wishful thinking? Why not tell it like it is? What is the potential damage that Mozilla could suffer by clearly stating that it is impossible and it will be impossible to guarantee that the government will not be monitoring all online activity? We know that the shadow-government is very good at:

1) Spying on its citizens, using legal or illegal methods.

2) Covering up those operations with the use of force (indoctrination, legal threats, imprisonments, ...)

3) Changing operation procedures whenever a martyr leaks the modus operandi, and improving the sealing of those activities.

This has been going on for decades. They have been iterating on this for a long time and we can assume that the shadow-government is very competent at it, so it will be impossible to control it. It is not possible to rein in the secret machine anymore.

The latest improvements on the spying machine are:

1) Better understanding of the whistleblower phenomenon: how to better indoctrinate workers so that they are less likely to talk, how to assassinate the character by using the media, how to create an example by using the full force of the law (whatever that means in this context) to make the possibility of leakages in the future less likely, how to put pressure on other governments to aid in the prosecution of whistleblowers. They have had lately several high-profile cases (Manning, Assange) for testing their machinery, and it is working perfectly.

2) Coerce companies into collaboration, and at the same time legally forbid them to neither confirm nor deny participation. I must say that this is simply a work of genius.

Mozilla could at least openly recognize this fact, as long as this is still a legal thing to do. The next iteration of the spying machine will maybe not even allow us to have this conversation. Who does feel safe talking about these things anymore? Not me, for sure.

Mozilla could still in good faith recommend Persona, while clearly stating that they are in no position to make any guarantee whatsoever about possible monitoring activities.


We did tell it like it is. In the security reviews (note the plural; we have ongoing reviews).

Here is the documentation from the initial public release: https://wiki.mozilla.org/Security/Reviews/Identity/browserid

Note all of the times we called out government actors as potential threats?

With respect, it is easy to tuck tail and run (as in move to another country); it is much more challenging to dig in and try to change things.

(Disclaimer, I work for Mozilla, on the security team, and I worked on reviews of Persona since its first design iteration).



