Liz Fong-Jones (方禮真) Profile picture
Oct 3, 2018 25 tweets 10 min read Read on X
Final keynote block: @lxt of Mozilla on practical ethics and user data. #VelocityConf
@lxt And also ethics of experimentation!

"just collect data and figure out later how you'll use it" doesn't work any more. #VelocityConf
We used to be optimistic before we ruined everything.

Mozilla also used to not collect data, and only had data on number of downloads, but its market share went down because they weren't measuring user satisfaction and actual usage. #VelocityConf
Privacy and security are a fundamental right and shouldn't be treated as optional, according to Mozilla's principles.

They're in tension with collecting data to make the web better. So how does Mozilla navigate the challenge? #VelocityConf
[ed: full disclosure: this talk I'm transcribing represents the speaker's opinions and not mine, and not @invinciblehymn's/Chrome's either]

There's a lot of cynicism around data collection, especially when it comes to Chrome, etc. #VelocityConf
.@lxt will discuss how they collect data, how they've messed up, and how they've recovered from mistakes.

"Part of ethics is admitting when you mess it up and fixing it." #VelocityConf
Disclaimers: this is what they do, it's not perfect. It's open source so it can be cloned and made better.

Lean data practices:
(1) collect what you need to answer your questions
(2) keep minimum amount of time
(3) don't violate user expectations. #VelocityConf
4 different kinds of data:
(1) technical data - OS, memory, version number. opt-out [ed: this potentially becomes fingerprintable]
(2) interaction/usage data - number of tabs, session length, configs. opt-out.
- - - - - - - -
(3) activity data e.g. browsing history. #VelocityConf
Mozilla considers this every sensitive, and many people don't want it collected. Remember the AOL and Uber "anonymized" datasets that weren't.

Some URLs are magic access keys that allow mutation :/

Mozilla rarely collects, and only for specific cases. #VelocityConf
(4) highly sensitive data - email, username, identifiers. opt-in with advance notice, user consent, and secondary ???.

So we want to collect at Mozilla. Steps: file a request for collection in Github, then review by a data steward. #VelocityConf
Data Stewards are like lawyers; looking for ways to be able to say yes, rather than being adversaries. They pattern-match to known precedents/case law to find ways for you to do it in a safe way. An example: #VelocityConf
Suppose you want to find slow URLs to be able to debug them. Treat it like a crash report: ask the user if they want to report it to Mozilla and show them the URL that would be sent. If it's "embarassing health url", they'll say no and decline to send. #VelocityConf
Privacy preserving data collection: add randomness to make data not identifiable, or mix the data using mixnets. Mozilla is investing in this approach.

With experimentation, there are ethics as well. #VelocityConf
But if you don't perform tests before releasing products, you're performing a massive uncontrolled experiment. "we're giving everyone in the country a non-fda approved medication, if you die, let us know." This is not what we want. #VelocityConf
A product hypothesis document describes the purpose of your experiment and your approach. data reviews, who will have access, and science review to figure out if the experimental design is correct. #VelocityConf
Most experiments are opt-in, but some are opt out. Harder to get approval for opt-out experiments, unless it's something that must eventually roll out to all users (e.g. TLS 1.3) where it's testing maturity rather than product direction. #VelocityConf
There's also testpilot.firefox.com that people can opt into, with informed consent. Even if biased towards early adopters, it still provides useful data.

And there's Firefox Pioneer that allows people to donate their data to Mozilla. #VelocityConf
1000 people installed it even before the blog post went up.

Some case studies where Firefox messed up: #VelocityConf
Case study 1:
Mr. Robot promo. Experimental system used to push opt-out "experiment" to all US users as part of an AR marketing promotion/game. It violated user trust and expectations. They wouldn't do it again.

How did it happen? #VelocityConf
Road to hell is paved with good intentions. It was meant to be fun, no money or user data changed hands. Mozilla employees thought the TV show was cool and it would be an easter egg. But it wound up looking like malware to users.

The data reviews didn't catch it. #VelocityConf
"It doesn't collect any data, so I guess it's okay."
"You're not doing any science, so it looks okay..."

People had unease that it wasn't right but nobody felt empowered to speak up and stop it. #VelocityConf
Action items: Don't do things in secret. Have more formal process, define red flags (such as "things that are done in secret", "things done in partnership", "we weren't trying to learn anything"). Document escalation paths. #VelocityConf
Second case: crash reporting system for single tab crashes.

Bug where if someone submitted one tab, it would submit all future crashes without opt-out. Uh oh. #VelocityConf
"We can't tell what data was submitted with consent and what was fruit of the poisoned tree..."

They met on Dec 26, and the VP's immediate response was "burn it to the ground". So they deleted 1PB of crash data, without question. #VelocityConf
And there was a moment of silence for the lost crash data.

We can always do better. Learn from mistakes, steal ideas, steward users' data wisely, and always feel free to ask questions.

Systems are people. It's easy to mess up. Always strive for better. [fin] #VelocityConf

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Liz Fong-Jones (方禮真)

Liz Fong-Jones (方禮真) Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @lizthegrey

Oct 3, 2018
Final talk I'll be getting to at #VelocityConf before I dash to Toronto: @IanColdwater on improving container security on k8s.
@IanColdwater She focuses on hardening her employer's cloud container infrastructure, including doing work on k8s.

She also was an ethical hacker before she went into DevOps and DevSecOps. #VelocityConf
She travels around doing competitive hacking with CTFs. It's important to think like an attacker rather than assuming good intents and nice user personas that use our features in the way the devs intended things to be used. #VelocityConf
Read 36 tweets
Oct 3, 2018
My colleague @sethvargo on microservice security at #VelocityConf: traditionally we've thought of traditional security as all-or-nothing -- that you put the biggest possible padlock on your perimeter, and you have a secure zone and untrusted zone.
@sethvargo We know that monoliths don't actually work, so we're moving towards microservices. But how does this change your security model?

You might have a loadbalancer that has software-defined rules. And you have a variety of compartmentalized networks. #VelocityConf
You might also be communicating with managed services such as Cloud SQL that are outside of your security perimeter.

You no longer have one resource, firewall, loadbalancer, and security team. You have many. Including "Chris." #VelocityConf
Read 19 tweets
Oct 3, 2018
Leading off the k8s track today is @krisnova on migrating monoliths to k8s! #VelocityConf
@krisnova [ed: p.s. her ponies and rainbows dress is A+++]

She starts by providing a resources link: j.hept.io/velocity-nyc-2…

The problems we're solving:
(1) why are monoliths harder to migrate?
(2) Should you?
(3) How do I start?
(4) Best practices #VelocityConf
.@krisnova is a Gaypher (gay gopher), is a k8s maintainer, and is involved in two k8s SIGs (cluster lifecycle & aws, but she likes all the clouds. depending upon the day). And she did SRE before becoming a Dev Advocate! #VelocityConf
Read 29 tweets
Oct 3, 2018
Next up is @mrb_bk on why marketing matters. #VelocityConf
@mrb_bk Hypothesis: marketing >> code in terms of software adoption. [ed: and this is why I became a developer advocate!] #VelocityConf
You need to consider community early when developing a product.

Always ask, "Why do people matter?" "Why does adoption matter?" #VelocityConf
Read 17 tweets
Oct 3, 2018
Next up is @rogerm on O'Reilly's insights into trends with Radar. #VelocityConf
@rogerm They look at changes in search terms year on year; the two largest increases are k8s and blockchain. #VelocityConf
People are becoming less interested in broader topics and more interested in specific technologies e.g. pytorch. #VelocityConf
Read 5 tweets
Oct 3, 2018
Next is my colleague @rakyll on distributed tracing!! #VelocityConf
@rakyll In a big city, you learn to deal with large scale and navigating your way around, in an environment that has a lot of chaos and data.

And sometimes things don't go according to plan if you encounter construction, etc. along the way. #VelocityConf
It doesn't matter where the error happened, from a user's perspective, it's a failure to them.

Maybe we're doing better at @GCPcloud, but there are lots of opportunities to improve still, says @rakyll. #VelocityConf
Read 20 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(