Initial Questions: Project/Feature Name: Shumway SWF Runtime Tracking ID: Description: (taken from sec bug verbiage) Shumway is an experimental web-native runtime implementation of the SWF file format. It is developed as a free and open source project sponsored by Mozilla Research. The project was started with two goals: 1. Advance the open web platform to process rich media formats, like SWF, that were previously only available in closed and proprietary implementations. 2. Offer a runtime processor for SWF and other rich media formats on platforms for which runtime implementations are not available. Additional Information: - https://github.com/mozilla/shumway/wiki/Intro - https://github.com/mozilla/shumway/wiki - https://wiki.mozilla.org/Shumway/Roadmap Key Initiative: Firefox Platform Release Date: 2013-12-10 Project Status: development Mozilla Data: Yes Mozilla Related: Firefox Desktop, Firefox for Android Separate Party: No Is there a privacy policy for this new feature/product?: We aren't sure What assistance do you need from the privacy team (if any)?: Due to issues like this, we've decided it would be good to get a privacy review: https://github.com/mozilla/shumway/issues/399

Stacy - I'm closing the legal bug because I don't think there's anything for us to do, but if you need any input from legal on privacy aspects of Shumway, feel free to reopen the legal bug.

Alina - this looked product related so I reassigned to you. Let me know if you don't think it belongs with you.

Erin - Just want to follow up on this as we haven't discussed this project recently. Is this project / feature still in process and on your roadmap? Have there been any changes since you filed the bug 2 months ago? Let's also flag this for discussion on our call this week. Thanks!

Hi all - The Privacy Council is working on a questionnaire approach to privacy reviews. This questionnaire was created by Allison Naaktgeboren, who is on our Privacy Council. It would be great if Erin or someone from the Shumway team could try filling this out. Anything that doesn't apply can be marked n/a and anything you don't know can be marked as don't know. We would be very interested in any feedback on how well the questionnaire works for this process and/or any improvement suggestions. https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AgxmiM7c95HhdDd4eWMtSWo5dzB6OVpnTWRaRHFmSEE#gid=0

ping @elancaster, what is the current status of this?

@bsmedberg, looking for an update on whether this is still in process.

I don't know anything about this.

Shumway is still in development! Chris Peterson is EPMing, now. Ccing him.

Thanks, Erin. I will follow up on the privacy questionnaire.

Michael volunteered to fill out the Shumway privacy questionnaire.

I filled out most of the questions. Some don't really apply so I skipped them. We only collect and store telemetry information, which as far as I know cannot be used to identify someone.

Alina: now that Michael has completed the privacy questionnaire, what is the next step for our Privacy-Policy Review?

I think this should be a wrong ni ...

Alina: now that Michael has completed the privacy questionnaire, what is the next step for our Privacy-Policy Review?

Stacy and I have met with the privacy technical volunteers to review the info from the questionnaire - thanks for completing this. We advise you to do a couple things: 1) It is fine to collect Telemetry data, but the data should go into our existing Telemetry database. 2) For the opt-in survey feature where a user can submit bug reports and where it collects the URL of the flash that can't play, the URLs should be moved onto a Mozilla domain name that is secured with https. Overall, the information that is collected needs to be under our control. A few more questions: (1) In the questionnaire, there was a link to the Shumway Issue Reporter link - http://shumway-issues.tillschneidereit.net/list - would this link or a similar report be accessible all users? (2) It would be helpful to see what the UI looks like to a user when they are presented with the option to submit bug reports. Could you provide the UX wireframes / mocks for this? (3) With no public documentation yet about Shumway, how will users be informed before or when it is implemented? (4) The questionnaire notes that there is "no benefit to users" for us to store the collected data, but that it "helps us make better decisions". Could you clarify Shumway is helpful to users?

Correction: (4) Could you clarify how Shumway is helpful to users?

Michael: can you (or Till?) answer Alina's questions 1–4 in comment 15? We can discuss the recommended telemetry changes at our Thursday meeting.

Alina: the Shumway Issue Report URL listed in the questionnaire [1] is incorrect. That was the URL for a retired prototype. The current URL is [2]. Is an "allizom.org" domain name official enough for your privacy concerns? [1] http://shumway-issues.tillschneidereit.net/list [2] https://shumway-issue-reporter.paas.allizom.org/list

Till: is it now your job to answer Alina's privacy questions 1–4 in comment 15? :)

(In reply to Chris Peterson (:cpeterson) from comment #19) > Till: is it now your job to answer Alina's privacy questions 1–4 in comment > 15? :) It is :) (In reply to Alina Hua from comment #15) > 1) It is fine to collect Telemetry data, but the data should go into our > existing Telemetry database. That's what happens: we use the built-in Telemetry reporting mechanism. > > 2) For the opt-in survey feature where a user can submit bug reports and > where it collects the URL of the flash that can't play, the URLs should be > moved onto a Mozilla domain name that is secured with https. Overall, the > information that is collected needs to be under our control. As Chris points out in comment 18, the link given in the questionnaire was wrong - the reporter is hosted on Mozilla infrastructure. I'll switch to an SSL connection (we have a *.paas.allizom.org wildcard certificate). The remaining question is whether a *.allizom.org domain is acceptable. There apparently is a process for getting a *.mozilla.org domain, but I don't know how much effort it is. I'd of course check if *.allizom.org isn't acceptable. > > A few more questions: > > (1) In the questionnaire, there was a link to the Shumway Issue Reporter > link - http://shumway-issues.tillschneidereit.net/list - would this link or > a similar report be accessible all users? The list is accessible to all users, at least for now. The idea was to make it similar to the crash reporter, which shows most information publicly, but has some additional restricted information that's only available to a restricted group of people. I can change the setup to either not have the list public at all, or to reduce the amount of publicly-visible data. > > (2) It would be helpful to see what the UI looks like to a user when they > are presented with the option to submit bug reports. Could you provide the > UX wireframes / mocks for this? We didn't yet have any UX involvement, so the UI is somewhat rough on the edges (UX is not a plentiful resource). The following describes the process of submitting a report: 1. Hover over the "Shumway" button shown in the lower-right corner of each Shumway instance: http://i.imgur.com/UMXM5tr.png 2. Click on the "Report Problems" button that appears: http://i.imgur.com/9PBDpTv.png 3. A window with a form is opened, and can either just be submitted, or changed/amended with additional information: http://i.imgur.com/DV3RguR.png 4. A confirmation screen with a link to the submitted entry is displayed: http://i.imgur.com/W8KlwXE.png > > (3) With no public documentation yet about Shumway, how will users be > informed before or when it is implemented? The feature is in the Shumway extension as available on the http://www.areweflashyet.com/ website and in the version of Shumway that's bundled (but disabled by default) with Firefox Nightly only. Right now, opening the reporter automatically sends, but doesn't store, all collected information to our server. We could probably change that to having the form be part of the Shumway extension and thus not sending any information at all until the user clicks "submit". Given that that would involve quite a bit of development effort, I'd only want to do this if it's deemed necessary from a privacy point of view. > > (4) The questionnaire notes that there is "no benefit to users" for us to > store the collected data, but that it "helps us make better decisions". > Could you clarify Shumway is helpful to users? Just as with Telemetry data, the data collection in itself doesn't help the user. The improvements to Shumway itself that are enabled by the analysis of the data, OTOH, is. I'm not entirely sure if a discussion of the usefulness of Shumway as a product is in scope for a privacy review, so I'll keep this short. I'm more than happy to provide information in addition to the following answer, though: Shumway has the potential to reduce reduce crash rates, as a substantial percentage of our browser crashes are related to the Flash plugin, which doesn't have to be used for content that Shumway can play. Additionally, Shumway can potentially be enabled on handheld devices which the Flash plugin isn't available for at all, enabling users to play Flash contents on those devices. Then there is a real risk of Adobe discontinuing support for the Flash plugin altogether, leaving us in a situation where we couldn't enable our users to play Flash contents on any device or computer. This is already the case for Linux, where recent versions of the Flash plugin are only avaible to users of Google Chrome. Finally, bundling Shumway with the browser gives us much more control over what information is stored by Flash content. Specifically, we can implement better UI for controlling the so-called Flash Cookies (i.e., Local Shared Objects), which many sites use to track users in hard-to-detect ways. We've also discussed curtailing this capability, so Shumway might allow us to better protect users' privacy by default.

Clearing the private-bug flag; there's no need for policy reviews to be private. HTTPS to allizom.org is fine. The form could use some UI love, but as it's written right now, I'm not comfortable making the URLs public: URLs in crash-stats are private because they can potentially contain user IDs or even login keys. I recommend making the data reporting system protected to *@mozilla.com for now (using persona is fine). If you've got volunteers who are helping analyze this data, we can talk about ways to either anonomize it or work with them to get trusted access to it.

I filed Shumway GitHub issue #1244 to restrict Shumway telemetry data access to *@mozilla.com. https://github.com/mozilla/shumway/issues/1244

Till: what work in your comment 20 is left to do? Now that Shumway is using Bugzilla instead of GitHub issues, we should create new (private?) blocking bugs to track that work.

Clearing ni? ahua because bsmedberg's comment 21 confirmed that HTTPS to allizom.org is adequate for our telemetry service.

Make bugs with "[shumway-fb2]" whiteboard tag block shumway-fb2 meta bug 1110300.

This Shumway bug is no longer relevant.