Last week, media reports emerged discussing the US government’s involvement in broad surveillance of phone and Internet traffic via top secret programs. Mozilla today responded by calling for a “thorough investigation” of these surveillance activities and addressed worries regarding Mozilla Persona, noting that leaving the US is not an option, and it wouldn’t work anyway.
For those who don’t know, Persona is Mozilla’s answer to social networking logins offered by the likes of Facebook, Twitter, and Google+. The company revealed the BrowserID service in February 2012 and then launched a beta of the renamed Persona in September 2012. Developers can implement the service for authentication across smartphones, tablets, and desktop browsers.
Mozilla noted that it does store some user data, but only that which it needs to provide the features it validates with users and developers. As for calls to move Persona servers outside of the US to escape the now-revealed surveillance activity, the company said this:
We don’t think that would help, and even if it did a bit, we think we can be much more productive by focusing on other areas. First, it’s not clear to us that other governments have any less intrusive surveillance activities. Second, as a US company, Mozilla is subject to US Laws, wherever we host our servers. Third, we’d rather not engage in an arms-race with US government agencies. We’d rather focus on efforts to change the Law to respect user data wherever it lives.
Mozilla’s declaration is in part a direct response to a blog post titled “Mozilla needs to move Persona out of the US” that received a lot of attention on Hacker News yesterday. The most upvoted comment, however, from Persona developer Dan Callahan, said Mozilla is looking to get rid of the Persona servers altogether because the service “is designed to let you choose who you trust, and anything that requires centralization is considered a bug.”
Callahan listed four points of temporary centralization, each of which he said can be replaced independently:
- The JS polyfill. Until we stabilize the API, we ask that you link directly to login.persona.org/include.js
- The persona.org interface. Once browsers have native support for Persona, that will supersede both the polyfill and the persona.org interface. This is all based on what Mike Hanson called Locally Isolated Feature Domains (LIFD): http://www.open-mike.org/entry/lifding-the-web
- The Fallback IdP. If your email provider doesn’t support Persona, Mozilla will certify your identity after you click a confirmation link sent to your email address. If your email provider does support Persona, it automatically supplants Mozilla’s fallback.
Top Image Credit: Chris Chidsey
Celebrate Pride 2020 with us this month!
Why is queer representation so important? What's it like being trans in tech? How do I participate virtually? You can find all our Pride 2020 coverage here.