| (12 intermediate revisions by 2 users not shown) | |||
| Line 12: | Line 12: | ||
|'''Security Contact:''' || Curtis Koenig | |'''Security Contact:''' || Curtis Koenig | ||
|- | |- | ||
|'''Document State:''' || <section begin='status'/>{{ | |'''Document State:''' || <section begin='status'/>{{drop|postponed until 2012}}<section end='status'/> | ||
|} | |} | ||
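Review bot: The Document State change to {{drop|postponed until 2012}} in this hunk is at odds with the rest of the same revision, which adds ResolutionBox items still marked {{new}} and follow-up rows dated TBD. If the review itself is postponed, say so explicitly and name who picks it up and when; if only the local-store default is deferred, the status should say that instead, otherwise a reader will read "postponed" as closing the open requirements on data migration and disclosure.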
| Line 162: | Line 162: | ||
= User Data Risk Minimization = | = User Data Risk Minimization = | ||
In this section, | In this section, areas of user data risk are identified and recommendations made for minimizing the risk. | ||
== User | == Unintended Dissemination of User Data == | ||
''The Risk'' is the possibility of syncing user data to Google unexpectedly or undesirably to the user, via storing bookmarks, history, etc in the Android system store | ''The Risk'' is the possibility of syncing user data to Google or other third party services unexpectedly or undesirably to the user, via storing bookmarks, history, etc in the Android system store. The third party services mentioned here are those connected to the users' phones by installing apps that access the system store -- one of which is Google (sync). | ||
''Requirement:'' There must be explicit messaging that users may need to take action to opt out of having their Firefox for Android data synced to Google ( | ''Requirement:'' There must be explicit messaging that users may need to take action to opt out of having their Firefox for Android data synced to Google or other third parties. (If they have their phone configured to sync data to Google, which many users will - the change to using system storage and its implications must be communicated loudly and clearly to avoid user surprise). | ||
''Recommendation:'' | ''Recommendation:'' Provide an option to store data separate from the globally accessed store. When enabled, this feature would not use the global system services to store history, bookmarks, and passwords but instead hide them from the rest of the phone and discourage cross-app data sharing on the device. Consider this separate data store as the default storage for Firefox for Android and have users opt in to using system storage. | ||
{{ResolutionBox|{{ok| {{bug|704490}} in progress for local (non-systemwide) bookmark/history databases. Also should default to this local alternative.}}}} | |||
== Update and Profile Data Migration == | |||
''The Risk'' is that when users are updated to the new version from a version of Firefox that did not use the system storage service, their data will be copied unintuitively into the shared system databases without the user's knowledge or consent. | |||
''Requirement:'' Any migration of data must be explicitly authorized by the user via consent dialog. ("Would you like to transfer your sync bookmarks into the system DB? If you do this, X and Y will happen. [Yes] [No]") | |||
''Recommendation:'' Migration should not happen automatically. Updating to the new version of Firefox should create a clean profile. Consider offering users a way to pull in their data from Sync, giving information about the potential side-effects of doing this in whatever disclosure explains how to do it. | |||
{{ResolutionBox|{{new|Confirm this: when users update Firefox, it does not migrate the data (starting with a clean profile)}}}} | |||
= Alignment with Privacy Operating Principles = | = Alignment with Privacy Operating Principles = | ||
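Review bot: The consent dialog text in the Requirement under "Update and Profile Data Migration" still carries placeholders ("If you do this, X and Y will happen"), and the section's ResolutionBox ("Confirm this: when users update Firefox, it does not migrate the data") records an unverified assumption rather than a resolution. The consequences the user is asked to consent to are already stated elsewhere in the hunk, namely that data in the system store becomes accessible to other apps on the phone and may be synced to Google, so the dialog text should name them rather than X and Y, and the "confirm" item belongs in the follow-up table with an owner so the no-migration behaviour is actually verified before ship. Also note that the Requirement (migrate only with explicit consent) and the Recommendation (never migrate; start from a clean profile) describe two different outcomes; the ResolutionBox should say which of the two it is tracking.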
| Line 180: | Line 192: | ||
====Principle: Transparency / No Surprises==== | ====Principle: Transparency / No Surprises==== | ||
Users are going to be upgraded from the previous release of Firefox to the Native UI/Birch release. | Users are going to be upgraded from the previous release of Firefox to the Native UI/Birch release. | ||
If they have enabled Google sync, | If they have enabled Google sync, their data will automatically begin accumulating in a way that is archived by Google Sync. Users may potentially be using Firefox to avoid using this shared system storage, and this change may surprise them. | ||
storage, and | |||
Additionally, it may happen that users will sync their Firefox data from Mozilla Sync, this data would then | Additionally, it may happen that users will sync their Firefox data from Mozilla Sync, this data would then | ||
be stored in the system store and then possibly synced to Google - breaking expectations of where and how | be stored in the system store and then possibly synced to Google - breaking expectations of where and how | ||
sync'd data is shared | sync'd data is shared. | ||
'' | ''Requirement'': Disclose this switch to Android System Storage to users who may not want to share their bookmarks and history outside of Firefox or Firefox Sync. | ||
''Recommendation'': Provide an option to store data apart from the global store. That is, do not use the global system services to store history, bookmarks, and passwords. But instead, hide them from the rest of the phone and discourage data sharing on the device. Have users opt-in to using the system storage and syncing to Google if that's what they want. | |||
====Principle: Real Choice==== | ====Principle: Real Choice==== | ||
In the initial shipping version of Firefox for Android, there is no option to | In the initial shipping version of Firefox for Android, there is no option to store history and bookmarks ''outside'' or isolated from Android system storage. (There are plans to add this functionality after the initial release). | ||
'' | ''Recommendation'': Provide an option to store data apart from the global store. (See above). | ||
====Principle: Sensible Defaults==== | ====Principle: Sensible Defaults==== | ||
Opting users in to using the system database on upgrade to the Native UI version of Firefox for Android is a sizable change from previous version of Firefox for Android. | Opting users in to using the system database on upgrade to the Native UI version of Firefox for Android is a sizable change from previous version of Firefox for Android. While it makes sense to default to the Android System Storage | ||
'' | ''Requirement'': Disclose this change in behavior to our users, and do not migrate their old profile data automatically. (See above). | ||
====Principle: Limited Data==== | |||
Mozilla itself will not collect additional data in the Native UI version of Firefox for Android. Mozilla Sync will continue to be opt in and configurable by the user. No actions needed for this principle. | |||
{{ResolutionBox|{{new|Address requirements and recommendations for disclosures and defaults listed above.}}}} | |||
= Follow-up Tasks and tracking = | = Follow-up Tasks and tracking = | ||
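Review bot: The "Sensible Defaults" paragraph in this hunk ends mid-sentence ("While it makes sense to default to the Android System Storage") and, as far as it goes, contradicts the Recommendation under "Real Choice" and the one in the User Data Risk Minimization section, both of which make the separate local store the default and have users opt in to system storage. Finish the sentence and reconcile it with the stated default, since the Requirement that follows ("do not migrate their old profile data automatically") only makes sense if the local store is the default. A smaller point: "Real Choice" says isolated storage is planned "after the initial release" while the earlier ResolutionBox says {{bug|704490}} is in progress and should become the default; state one target so the disclosure text promised under "Transparency / No Surprises" can say accurately what shipping users will get.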
| Line 229: | Line 229: | ||
! Details | ! Details | ||
|- | |- | ||
| {{ | | {{done|Initial Overview Discussion}} | ||
| | | Doug, Ian, Sid | ||
| | |||
| Brief "hallway" chat. | |||
|- | |||
| {{done|public call for comments}} | |||
| Sid | |||
| | |||
| 7-Dec-2011 - post to dev.planning for input | |||
|- | |||
| {{new|discuss recommendations with team}} | |||
| Sid / Ian / Mobile team | |||
| | | | ||
| | | 14-Dec or so | ||
|- | |||
| {{ok|implement separate (local) bookmark/history DBs for access by only Mozilla apps}} | |||
| Mobile team | |||
| {{bug|704490}} | |||
| TBD | |||
|- | |||
| {{new|default to local DBs for bookmarks and history, allow users to enable system storage}} | |||
| Mobile team | |||
| | |||
| TBD | |||
|- | |||
| {{new|implement opt-in migration path for sync data to local or system dbs}} | |||
| Mobile team | |||
| | |||
| TBD | |||
|} | |} | ||
[[Category:Privacy/Reviews| | [[Category:Privacy/Reviews|AndroidSystemStorage]] | ||
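Review bot: Two of the {{new}} rows added to the follow-up table, "default to local DBs for bookmarks and history, allow users to enable system storage" and "implement opt-in migration path for sync data to local or system dbs", have no bug reference and a TBD date, while the related "implement separate (local) bookmark/history DBs" row is tracked by {{bug|704490}}. Since the risk section says Firefox "should default to this local alternative" and the migration Requirement calls for a consent dialog, file or link a tracking bug for each of those two rows and fill in the Details column, otherwise the postponed Document State means they have no owner-visible record once this review is set aside.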