Privacy/Reviews/OpenSearch
Document Overview
Feature/Product: | OpenSearch (in Thunderbird) |
Projected Feature Freeze Date: | 2012-01-31 |
Product Champions: | Blake Winton, Mark Banner, Mike Conley, Jim Porter |
Privacy Champions: | Sid Stamm |
Security Contact: | Curtis Koenig |
Document State: | [AT RISK] cookie clearing |
Timeline:
Architectural Overview: | 2011-09-07 (via secreview) |
Recommendation Meeting: | Asynchronous via email |
Review Complete ETA: | Jan 2012 |
Architecture
In this section, the product's architecture is described. Any individual components or actors are identified, their "knowledge" or what data they store is identified, and data flow between components and external entities is described.
The main objective of this feature/product is: to provide users with a way to search on the web from within Thunderbird.
Data Flow Diagram
Design Documents:
I thought there were some, but the design seems to have been done entirely on paper and in conversations. Which is probably reasonable in this case, because it's stupidly simple. The code is at [1].
There are two basic interactions, described below.
Global Search
When the user types text into the "Search all messages…" box, the add-on adds an entry "Search the web for: <the user's text>" to the search results.
Context Search
If the user selects some text and either right-clicks to show the context menu or opens the "Message" menu, the add-on adds a menu item "Search the web for: <the user's text>".
Search Tab
When either of the two options above is selected, Thunderbird opens a content tab pointing at the default search provider's results URL with the user's text substituted in as the search terms. From this tab the user can also switch search engines and make the currently selected one the default.
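To make the data flow concrete, here is an added example (not Thunderbird's own code) of the client-side steps behind the search tab: reading the results-page URL template out of an OpenSearch 1.1 description document, substituting the user's text into it, and inspecting what the resulting request carries to the provider. The description document, the hostname search.example, and the sample queries are constructed for the example; the parameter syntax ({name} required, {name?} optional, language defaulting to "*") is from the OpenSearch 1.1 specification.

```javascript
// Added example (not Thunderbird's own code): how a client turns an
// OpenSearch 1.1 description into the results URL it opens in the search
// tab, and what that URL carries to the provider. The description document,
// hostname and queries below are constructed for the example.

// A minimal OpenSearch description document, as a provider would publish it.
// The template is XML-escaped (&amp;), which must be undone before use.
const SAMPLE_DESCRIPTION = `<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example Search</ShortName>
  <Url type="application/x-suggestions+json"
       template="https://search.example/suggest?q={searchTerms}"/>
  <Url type="text/html"
       template="https://search.example/?q={searchTerms}&amp;hl={language?}&amp;n={count?}"/>
</OpenSearchDescription>`;

// Pick the text/html Url template out of a description document. A regex
// scan is enough for this well-formed sample; a real client uses an XML parser.
function htmlTemplateFromDescription(xml) {
  for (const tag of xml.match(/<Url\b[^>]*>/g) || []) {
    const attrs = {};
    for (const [, name, value] of tag.matchAll(/(\w+)="([^"]*)"/g)) {
      attrs[name] = value.replace(/&amp;/g, '&');
    }
    if (attrs.type === 'text/html' && attrs.template) return attrs.template;
  }
  return null;
}

// OpenSearch template parameters look like {name} (required) or {name?}
// (optional; may be replaced with the empty string).
const PARAM_RE = /\{([A-Za-z][\w:.-]*)(\?)?\}/g;

// Substitute the user's terms into the template. Every value goes through
// encodeURIComponent so selected text cannot add query parameters, path
// segments or a fragment of its own to the URL.
function buildSearchUrl(template, searchTerms, options = {}) {
  const values = {
    searchTerms,
    count: options.count,
    startIndex: options.startIndex,
    startPage: options.startPage,
    language: options.language || '*',   // spec default: any language
    inputEncoding: 'UTF-8',              // spec default
    outputEncoding: 'UTF-8',             // spec default
  };
  return template.replace(PARAM_RE, (_match, name, optional) => {
    const value = values[name];
    if (value === undefined || value === null) {
      if (optional) return '';
      throw new Error(`OpenSearch template requires parameter "${name}"`);
    }
    return encodeURIComponent(String(value));
  });
}

// What the provider receives: the host the request goes to (usable for a
// "Search <provider> for ..." label) and the decoded query, which shows that
// selected text such as an e-mail address leaves the client verbatim.
function describeOutbound(url, queryParam = 'q') {
  const u = new URL(url);
  return { host: u.host, query: u.searchParams.get(queryParam) };
}

// Stand-alone run with a selection copied out of a message body.
const template = htmlTemplateFromDescription(SAMPLE_DESCRIPTION);
const url = buildSearchUrl(template, 'reply to alice@example.com re: invoice 42');
console.log(url);
console.log(describeOutbound(url));
```

The encoding step is what keeps the substituted text confined to the search-terms parameter; what the example cannot hide is that the terms themselves, whatever the user selected, are sent to the provider's host in the clear part of the URL.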
Components
Describe any major components in the system and how they interact. Also include any third-party APIs (those Mozilla does not control) and what type of data is sent or received via those APIs.
- Thunderbird Search
- Third-party search providers.
Thunderbird
This component adds the menu and search items for the user to click on.
It interacts with the selected third party search provider through a browser tab to allow the user to view the search results.
The tables below simply summarize the data encountered by this component.
Stored Data:
what | where | notes |
---|---|---|
user's default search engine. | Thunderbird preference. | Can be changed from the search tab. |
last string searched for. | Thunderbird preference. | To let the user repeat the last search. |
Communication with third party search provider
Direction | Message | Data | Notes |
---|---|---|---|
In: | search results page. | HTML | |
Out: | HTTP request for the search results page. | search terms, client IP, any cookies the provider previously set. | Cookie transmission is discussed under Limited Data below. |
Third party search providers
This component returns the list of search results.
Its only interaction with the add-on is being loaded in a browser (content) tab.
Note: We don't write this component, and have limited influence over what it does.
The tables below simply summarize the data encountered by this component.
Stored Data:
what | notes |
---|---|
Unknown. | Since this is the third-party server, we should assume they store everything they can. |
User Data Risk Minimization
In this section, the privacy champion will identify areas of user data risk and recommendations for minimizing the risk.
Unintended searches
Potentially users may mistakenly activate this feature and send parts of private emails as search queries. Since emails can contain sensitive data, we have to be sure users are aware when searches happen.
The risk is that users may accidentally transmit arbitrary data (parts of private messages) to search providers.
Since the feature must be activated from the global search box or a context menu, this is a very minor risk, and needs no mitigation.
Identity transmission
Users' identities are present throughout pretty much all email messages and other parts of the Thunderbird client. This includes user data such as email addresses, physical addresses, phone numbers, or any other PII users choose to share with a recipient via email.
The risk: users may unknowingly identify themselves to search providers, either because a cookie accompanies the request or because the selected text itself contains identifying information.
Recommendation: prevent cookies from being transmitted with searches or limit their lifetime to session-length. (e.g., clear them on shutdown). Make it easy for users to clear cookies on demand as well.
Alignment with Privacy Operating Principles
In this section, the privacy champion will identify how the feature lines up with Mozilla's privacy operating principles.
See Also: Privacy/Roadmap 2011#Operating_Principles:
Principle: Transparency / No Surprises
Users can select which search provider they wish to use, and when they send search queries, it is clear they are sending data. The two mechanisms used to generate search traffic (global/context) are both user-initiated, so it is not surprising that search queries are sent out.
Recommendations: It should be made clear in the UI to whom the search queries are going, e.g., "Search Google for..."
Principle: Real Choice
Users do not have to use the feature if they wish to avoid it, and they can use any OpenSearch provider for web searches.
Recommendations: none.
Principle: Sensible Defaults
The feature, while available, is not sending users' searches of local data to search providers unless the user chooses to "Search the web for X". No data is shared with third parties by default.
Recommendations: none.
Principle: Limited Data
The user's queries are transmitted to search providers (as initiated by the user). Mozilla has no server-side component to this feature, so we are not collecting any data about this feature. Thunderbird maintains the last string searched, but only one, and it is replaced as soon as a new search is conducted.
Cookies are kept in Thunderbird, and searches conducted using this feature include cookies.
Recommendations: prevent cookies from being transmitted with searches or limit their lifetime to session-length. (e.g., clear them on shutdown). Make it easy for users to clear cookies on demand as well.
Follow-up Tasks and tracking
What | Who | Bug | Details |
---|---|---|---|
[DONE] Initial Overview Discussion | Sid Stamm & Mark Banner | | Held on 2011-09-07 as part of secreview Security/Reviews/TBOpenSearch |
[DONE] Initial Risk Analysis | Privacy team | | January 2012 |
[DONE] Public Discussion | mozilla.dev.planning | | 9-Feb-2012 |
[DONE] Investigate cookie sending behavior | TB Team (Blake) | | Cookies are sent. (3/28) |
[DONE] Tweak UI to state to whom the search terms will be sent | TB Team | bug 734232 | Fixed from Thunderbird 13 |
[NEW] Make it easy for users to clear cookies (or suppress their transmission) | TB Team | bug 741336 | |