Email itself is 100% insecure. You should assume that 100% of your email is available to the intelligence community. (There's a reason Petraeus never sent any email to his mistress. According to William Binney, the NSA keeps copies of all emails sent to or received in the US.) So, they already know this email was sent to you.
Stopwatching.us is going to present your signature to Congress anyway. If you're paranoid about the US government, it doesn't make sense to sign the petition.
The only additional data they can receive from this innocent tracking code is that you read the letter (if you decided to display images) and that you clicked on a link (if you in fact did).
The intelligence community could conceivably do a lot of terrible things with everyone's phone records, everyone's Facebook data, everyone's Google searches... but if you want to remove measurement completely from the web, that's a bridge too far.
After that, you know nothing. The mail could be deleted straight away and never delivered to a mailbox.
I think it's a valid point, especially when this is part of a campaign for privacy. Is it that important for Mozilla to collect that information?
EDIT: typo
http://www.nydailynews.com/news/national/petraeus-emails-ref...
Well, at least the message bodies can be encrypted, can't they?
It's almost as insane as that piece in Slate claiming that Hadoop is evil because it enabled large scale data analysis (http://www.salon.com/2013/06/14/netflix_facebook_and_the_nsa...). Technology is not the issue.
This newly found aversion to tracking and measurement is a stupid knee-jerk reaction to the news.
It's not new at all, and we don't appreciate it.
It's beyond quid pro quo, it's how software improves and evolves, and it is to the benefit of everyone: you, other users, vendor.
My purpose with this post is not to expose Mozilla, but to show how deep many of us are in this business. I admit I am guilty of similar practices myself.
I think we should use this privacy crisis to stop and rethink what we are gathering about our users, how we are doing it, and whether we can really guarantee their privacy in our countries and on the technological platforms we use.
If you really care about your users, think before gathering any of their data. It may end up somewhere you or they do not want.
> I admit I am guilty of similar practices myself.
That's all well and good, but the article doesn't reflect that in the least.
Do you think you could have chosen a better title to reflect this?
I am sorry. My only excuse is that my two kids were running around disturbing my ability to focus.
BTW: I am a big fan and a user of what you do. I think Firefox OS is one of the technologies that will help us reclaim some of our freedoms and privacy back.
I helped build stopwatching.us as part of the coalition of organizations and individuals in support, and thought I'd give a quick bit of insight into why the tracking stuff is in there.
When we came up with the idea for the site last Friday, we quickly realized that one of the trickiest parts to manage would be the privacy policies of the different organizations involved. There are over 80 different partners, and about 6 different core organizations involved. Mozilla and EFF in particular have really stringent legal conditions and privacy policies for any sites they promote, and we needed to make sure we abided by them.
On Mozilla's end we needed to have some way of collecting and storing emails and personal information that would get through their legal department quickly. Since they've used Blue State Digital in the past and screened both their technology and privacy policy, that was deemed the fastest way to make things work.
BSD includes things like the email tracking code automatically, and as far as I know there's not an easy way to strip that stuff out. Hence the tracking stuff in the emails.
By the way: the email I got was probably sent to Mozilla supporters, not to StopWatching.us signatories (although it seems they use the same From address).
However, in the light of this privacy crisis, I think Mozilla should take time and think some more of what could be done.
It doesn't look good anymore that the fastest solution was to choose a technology provider that uses recipient tracking. It is bad that BSD privacy policies probably don't stand a chance against a government request with a gag order. I can only hope that the privacy policy treats US and non-US citizens alike. I can also hope that the screening checked that BSD systems don't store too much data about the recipients.
I think they could do worse, strategically, than take a strong, consistent stance throughout their product(s) and communications, to make Mozilla the browser and email client of choice for those who don't want to leave a huge slimy trail of cookies and web bugs for anyone who's interested to track.
Worth noting this is not saying that either Safari or Chrome are worse browsers in general, or that they have security holes to feed the NSA machine - but any piece of data that a US company has about you is a piece of data that could be passed to the NSA under a FISA order, or even a future law change a decade away from now.
The fewer of those pieces of data you create, the better, imho.
What we let them (anyone outside) note about us... should be our decision... you click a button, you sign a contract... data should not "escape" from us... this is a bad behaviour, and it's contagious... US companies are full of it... it's not just a government issue... companies have been doing this for years... with different purposes than government...
This is just the beginning of the unveiling of a bad behavioral pattern that must stop, period.
Nobody is giving a #$% about our privacy and our rights, because they are being served you and me on a silver plate and this makes them more powerful and rich... even if they are "the good guys"... everybody must stop...
It's good people are wakening up!
$ host sendto.mozilla.org
sendto.mozilla.org is an alias for secure-mozilla-1.bsdtools.com.
secure-mozilla-1.bsdtools.com has address 66.151.230.193
[1] http://www.bluestatedigital.com/
On the other hand I outsourced my blog tracking to Google Analytics. I am guilty of the same crime.
Do you do that too?
I have now removed the Google Analytics code from my blog until I find an alternative that keeps my visitors' data more private: https://github.com/emilis/emilis.github.com/commit/ad40981a4...
Though I've often pondered over the implications, I'm not convinced that not gathering analytics is the solution here. This is not too far from the debate about AK-47 - would it be better if the gun had never been invented? How about nuclear power?
The point is that analytics are the way of the future, the differentiation lies in the purpose for which you leverage them.
How about making analytics opt-in?
Perhaps analytics needs a standard for how they are stored (i.e. only store aggregates, not individual records).
The point is well and good, but those in glass houses should be careful when throwing stones.
This situation is the inevitable result of an industry that is built on advertising dollars. All of the tools are designed with that in mind and they crowd out tools that don't support that business model.
I have cut out Google Analytics include from my blog code after I wrote the post. Now I see that I will have to switch off IntenseDebate comments as well.
Thanks for pointing that out!
Government eavesdropping aside, I see the internet as just another form of communication. Anytime you talk to someone, you are entrusting them with whatever you are communicating to them. If you knew a friend doesn't keep secrets well, you probably wouldn't tell them any secrets. When Mozilla sends you that email with the tracking links, you are entrusting them with that data, and are hoping that the data leads to a better relationship between them and you or offers some mutual benefit.
What is different in internet communication is that it is hard for a user to determine what company is trustworthy and when that trust has been violated. Most users also simply don't care when that trust has been violated - no one should like that their user data at some level is sold to advertisers by Facebook, but that won't stop them from using it (I myself am guilty of this).
Should tech companies not collect user data in the fear that a 3rd party may one day steal that data? Or should they not collect user data for some other reason?
Well then "Login" would stop working. I think there is no universal line. Just inform users of what you are collecting.
Source: https://twitter.com/msurman/status/346564623539003393
That tracking image is just trying to see how many people opened the email. And yes, they can tell you opened the email. So what?
The tracking of links is simply trying to gauge popularity for each link in the context of what the email was about.
The reason they're watching you click things in the email you willingly signed up to receive, is because they want to keep you as a subscriber and not anger you by sending pointless emails that you never interact with.
Written from my Firefox browser.
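An added example (not part of the thread and not any commenter's code): a small Python audit of an HTML email body that finds the open-tracking image and the links routed through the same host, the two mechanisms the comments above describe. The sample HTML and its URL paths are constructed; only the host name sendto.mozilla.org comes from the thread, and treating a 1x1 image as a beacon is a heuristic assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (NOT the actual email); only the host is from the thread.
SAMPLE_HTML = """
<html><body>
<p><a href="https://sendto.mozilla.org/page/m/abc123/link1">Sign the petition</a></p>
<p><a href="https://www.mozilla.org/about/">About Mozilla</a></p>
<img src="https://www.mozilla.org/media/logo.png" width="200" height="60">
<img src="https://sendto.mozilla.org/page/o/abc123/open.gif" width="1" height="1">
</body></html>
"""

class MailAudit(HTMLParser):
    """Collects every remote image and every link target in the body."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

def _tiny(value):
    # A declared size of 0 or 1 means an invisible image; a missing size is not flagged.
    try:
        return int(value.strip().rstrip("px")) <= 1
    except (AttributeError, ValueError):
        return False

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    # Loading a beacon tells the sender the message was opened.
    beacons = [src for src, w, h in parser.images if _tiny(w) and _tiny(h)]
    hosts = {h for u in beacons if (h := urlsplit(u).hostname)}
    # Links on the beacon's host pass through the mailer before reaching the
    # real destination, so each click is recorded per recipient.
    tracked = [u for u in parser.links if urlsplit(u).hostname in hosts]
    return {"open_beacons": beacons, "click_tracked_links": tracked,
            "tracking_hosts": sorted(hosts)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

Mail clients that block remote images by default stop the first signal; the second is only avoided by not following the rewritten link.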
They certainly should think twice when they redirect a DNS overnight.