User talk:Shaver/AMO Extension Policy

From MozillaWiki

Throw a link in to the Mozilla trademark policy?
done, thanks --shaver

"be chosen to "game" or otherwise manipulate sort/display order, search, rating systems, or international currency markets" isn't particularly clear IMO. Cameron 10:52, 20 June 2006 (PDT)

Can you elaborate on what is unclear, or suggest something clearer? --shaver
Perhaps "cheat" ? Cameron 17:18, 28 June 2006 (PDT)
Good call, updated -- shaver

Suggested policy draft. Comments most welcome ...

Privacy Policies - Some Guidelines for Addon Developers

Any addon or extension (including, but not exclusively limited to, toolbars) which collects _any_ data from the user _must_ have a privacy policy [linked page? what happens if they are changed after the extension is approved? included in the description maybe?] which details in unambiguous terms and in a non-contradictory manner:

1) specifically what information is collected (eg IP address, usage, referer urls etc); and
2) specifically how that information is used; and
3) identifies who is collecting the information.

In particular, if the extension generates or stores any unique identifier, this fact must be disclosed in the privacy policy along with how that unique identifier is used. This includes the use of cookies.

It is not sufficient for a privacy policy to claim that it does not spy on the user or collect your email address. We are not so much interested in what you do NOT do, but rather in what you DO do and how you do it.

A privacy policy cannot claim that "statistics are completely anonymous" or that "statistics are unidentifiable" if they are in any way associated with a unique identifier whether generated by the add-on or not. Even where it is possible to anonymise information, the information may still be legally classed as "personally identifying" if it can be traced back or put together with other information to identify the individual.

It should be noted that almost every web server collects the following information:

  • IP address
  • referer url
  • date and time
  • web browser type and version
  • operating system type and version
  • protocol used.

You may also be collecting additional information. If so, you must disclose exactly what information is being collected and how it will be or will not be used.

You can collect any information you wish BUT you have to disclose your collection practices so that the end user can decide whether to consent to that collection or not. If the end user does not consent, then the person can decide not to install your extension.

Once you have disclosed what information is being collected and how it is being used, you should also disclose in what circumstances it may be shared with a third party. For example, this includes, but is not limited to, circumstances where:

  1. the information is required to help identify an attempt to abuse or compromise the integrity or security of a web site or any site connected to it; or
  2. a law enforcement agency, or other government agency, exercises its legal authority to require access to the information. (Note that this is _require_ access, not simply _asks for_ access.)

European Union Considerations - An Overview

Countries in the European Union have very strict privacy and data protection laws by virtue of the EC Directive on Privacy and Electronic Communications (Directive 2002/58/ECDPEC; see which forms part of the European regulatory framework for electronic communications networks and services.

The implementation of the Directive into the law of all EU countries impacts direct marketers, website and online content businesses, providers of subscriber directories, Internet users and anyone who sends or receives information via the Internet.

Under the Directive, organizations must disclose their information collection practices in their privacy policy, including the information they collect, how they will use or share the information, and the use of cookies or other tracking devices. At points where personal data is being collected, a link to the privacy policy must be provided. Cookies and other tracking devices can only be used if EU users:

   * are given clear and comprehensive information about the purpose of cookies
   * give consent to the use of cookies
   * are offered the chance to refuse these cookies

It is important to note that there is no distinction between persistent and session cookies. Also important to note is that if cookies do contain personal data, data collectors must also comply with the applicable country data protection laws.

Many web application vulnerabilities may lead to security breaches of personal information, directly or indirectly, and could be considered to be violations of the directive. There are heavy fines for violating the directive.

I guess a privacy policy template might be helpful, though I'm not sure it's such a good idea lest people simply cut and paste regardless of the actual circumstances.

What do YOU think :)

DonGato's comments on suggested policy

(2006-11-28 06:26:11)

Descriptions and add-on naming: some extensions are not *FREE*; if this is allowed, it should also be clearly stated in the description.

Categorization: I think 5 categories is too many. I think 3 is already OK as a limit for remora.

Collection of user data: currently a statement of data collection is added to the description at user discretion. This shouldn't be left as it is and should be handled by Mozilla AMO reviewers alone. This statement should be prominent (bold and red maybe) and put at the top of the description.

Rating systems: there are other proposals for the rating system. Currently some developers delete all negative comments. This shouldn't happen and failure to take negative comments shouldn't be allowed. I don't know the best way to handle this, but there are comments on eBay's system at the mozillaZine general forum.

Rating systems: there might be a need for a notification about the rating system not being the place for feature requests or bug reports, but as we lack such a feature at AMO I don't know how such things would be handled. I'm actually using a reference to a mozillaZine forum thread, but not everybody will take the trouble of doing so.

Creator responsiveness: currently extension bumping by slightly changing the description is happening. I know remora will fix that, but as you can always leave other places for abusing, I think that a clear statement about such a thing should be added to the policy. That might be called "Creator responsibility".

Sexually Explicit Material, Violence, ...

Needs a section on sexually explicit material, violence, and other harmful subjects. -- VanillaMozilla

DonGato's comment: (2006-11-29 13:22 GMT)

First we need to know what Mozilla's policy on adult material is.

Could they be accounted on facilitating access to adult material? Could this be used to avoid some kind of parental control? Do they want to promote this kind of content?

If they don't want to allow adult content (not the average girl in bikini that Shaver commented at the bug), they should add it to the ongoing policy. An example of such a policy could be this one:


Due to different cultures, material that is appropriate in some countries may not be appropriate in others. For this reason and many others, we maintain a strict "No Adult Material Policy".

Mozilla defines "Adult Material" as any of the following:

  1. Any addon that has images or videos showing frontal nudity on either men or women.
  2. Any addon that has images or videos showing any sexually explicit nudity.
  3. Any addon that has audio clips or text containing sexually explicit material.

We also prohibit the following:

  1. Any addon that links to other sites containing such material.
  2. Any addon that is engaged in the sale of sexually explicit items.

In addition we reserve the right to determine what might be considered "sexually explicit" or "sexually related". If your addon contains material that you are unsure about, please let us know before publishing it at

EDIT (2006-11-30 20:00 GMT) just to clarify, this was built based on the policy provided here:

VanillaMozilla replies. A policy is essential. It's a hot topic, and a policy is protection against getting burned. It's also a waste of resources fighting over these matters on a case-by-case basis in bug reports, in the press, or possibly even in the courts.
I like DonGato's draft, although the importance of the subject is such that it should probably receive a high-level review. It's the prudent thing to do. --VM 30 Nov 06
Also needs mention of violence, etc. --VanillaMozilla 30 Nov 06

Suggested modifications to the draft policy by James H.

I like it. The things I would like to see different in the listed draft are:

Categorization) Only allow listing in one category. Pick the most appropriate category to list your extension in.

Categorization) Add a Multiple Function Category and/or Toolbar category.

Categorization) Allow site admins to move an extension to a different category if they feel it is improperly listed.

Rating systems) Allow users to only rate an extension once.

Rating systems) Do not allow ratings/comments to be deleted. Allow the extension author (and only him) to have 1 reply to each rating if he chooses to debate any comment (such as eBay's feedback system). Only allow a rating/comment to be deleted if "both" the author and the person making the comment agree to it, or by a system admin for outright system abuse. Ordinary users are smart enough to sift through comments and make an informed decision.

Thank you, James H.