Draft

Cover Letter to the NTIA

April 2, 2012

Lawrence Strickling
Assistant Secretary of Commerce for Communications and Information
US Department of Commerce
National Telecommunications and Information Administration
1401 Constitution Avenue, Room 4725
Washington, DC 20230

Re: Multistakeholder Process To Develop Consumer Data Privacy Codes of Conduct

Dear Assistant Secretary of Commerce:

Mozilla submits the following comments in response to the March 5, 2012 call for public comments on a "Multistakeholder Process To Develop Consumer Data Privacy Codes of Conduct."

We applaud the Administration and the NTIA in seeking to establish open, transparent, multistakeholder processes for groups to develop consumer privacy codes of conduct.

The topics raised in the request for comments are pertinent to Mozilla on a number of levels. Our comments reflect contributions from both a number of engineers, developers and others at Mozilla who have worked to establish the Mozilla project as a multistakeholder process, of sorts, and also from people who have spent considerable time working with open standards groups. As with many of our efforts, we opened up the process within our community and asked for input from a broad range of participants, using a publicly available wiki page to collect points of view and refine our messages.

Our comments are summarized as follows:

• Mozilla supports a process that is open and transparent while at the same time develops effective and meaningful codes of conduct. However, we don't think all areas of online privacy will be suitable for voluntary codes. We believe it will be vital for the Administration to use a well vetted and accepted criteria for determining its agenda.
• To foster consensus and transparency, the Administration should continue to promote openness and transparency at every stage of the process, including in technology, rapidly updating meeting minutes and decisions and lowering the barriers for interested stakeholders to participate.
• We encourage the Administration to commit to full openness: the most common reason for purportedly open/transparent processes to fail is that portions of the process end up being handled in a closed fashion and stakeholders lose trust in the process.

We are particularly appreciative of the process undertaken to engage the public throughout the past two years and through the Administration's ongoing efforts to solicit input from public and industry stakeholders before tackling various online privacy issues or launching into developing codes of conduct.

On behalf of Mozilla, we thank you for the opportunity to provide these comments. Please do not hesitate to contact us with any questions or for additional input.

Respectfully Submitted,

/s/

Alexander Fowler
Global Privacy and Public Policy Leader
Mozilla
650 Castro Street, Suite 300
Mountain View, CA 94041
(650) 903-0800, ext. 327

Mozilla's Comments to the NTIA on Developing Consumer Data Privacy Codes of Conduct via Multistakeholder Processes

I. Introduction

Mozilla is a global community of people working together since 1998 to build a better Internet. As a non-profit organization supporting an open source project, we are dedicated to promoting openness, innovation, and opportunity online.

Mozilla and its contributors make technologies for consumers and developers, including the Firefox web browser used by almost a half billion people worldwide. As a core principle, we believe that the Internet, as the most significant social and technological development of our time, is a precious public resource that must be improved and protected.

Openness, transparency, privacy and security are important considerations for Mozilla. They are embraced both in the process of creating products and services, as well as within the resulting products and services themselves. Mozilla's published Privacy Principles derive from a core belief that the user should have the ability to shape, maintain and control their web experience. We develop our products in the open and aim for transparency in every line of code and piece of content we produce. At the same time, we strive to ensure privacy and security innovations support consumers in their everyday activities whether they are sharing information, conducting commercial transactions, engaging in social activities, or browsing the web.

II. Issues Suitable for Multistakeholder Processes and Codes of Conduct in Privacy

One of the challenges in developing codes of conduct for online privacy is the pace of technological innovation and, in many cases, a lack of accountable institutions specialized in those areas of development. In the case of newly emerging technical capabilities and associated business practices, existing institutional and public stakeholders may not be well prepared, vested or focused to fully understand important nuances in how users are engaging with them, such that there aren't well defined partners to participate in developing and promulgating codes of conduct.

For instance, if we look at mobile apps, with privacy issues associated with notices, location, advertising, and collection and use of new types of personal data, it isn't clear today who the particular stakeholders would be to represent all the parties engaged in this vibrant and rapidly emerging area. Unlike the advertising industry, where a handful of influential trade associations represent both the major and independent companies, the corollary doesn't appear to exist for app developers. While there are major mobile trade associations like the GSMA, which does bring together the major mobile carriers and has developed a set of privacy principles, it's an open question as to whether it would have the convening power to mobilize the decentralized app industry to adhere to a code of conduct.

This led us to consider what conditions would need to be met for a particular privacy issue to be suitable for a multistakeholder process to generate a meaningful, voluntary and enforceable code of conduct. From our perspective, there appear to be five conditions necessary for determining if a code of conduct is suitable as a way to create a set of rules that can effectively protect consumer privacy, as opposed to other mechanisms like technology solutions or government regulation.

1. Trade associations and/or technical standards bodies have convening power to be accountable and represent the interests of leading companies and organizations in an emerging area of online privacy.
2. Consumer advocates and academics have sufficient technical and business understanding in the new online privacy concern.
3. User benefits to a technology, service or data type are demonstrable and users are motivated to use the technology or online service.
4. Heightened concerns for privacy and security represent a significant barrier for the industry to overcome.
5. There's a lack of existing regulation in the United States addressing that area.

Applying the above criteria and using the areas of interest outlined by the NTIA in its Federal Register notice, we came up with the following analysis:

While we went back and forth internally over how to rate each dimension, and others will undoubtedly weigh things differently, we hope this analysis points out that codes of conduct are not going to be a one-size-fits all approach to online privacy. Nor will codes be easy to develop and promulgate without, in many cases, seeing changes across multiple stakeholders to gear up to tackle any one online privacy and security consideration.

From our analysis, we would end up ranking privacy considerations for online services directed at teenagers as an ideal area for a code, given the maturity and number of accountable industry and public interest groups already working on kids privacy as a result of the Children's Online Privacy Protection Act. Likewise, looking to codes in the area of collecting personal data via multiple technologies (e.g., cookies, LSOs and cache) is another area where we see technology standards groups being well positioned and public interest groups having substantial experience working together with business and consumers to be a potentially good area for a code of conduct.

Overall, from our perspective, the important thing for the Administration to recognize is when conditions are ideal to convene a multistakeholder process to develop a code of conduct for online privacy - and when they are not.

III. Mozilla's Experience: Considerations for Implementing Multi Stakeholder Processes

Mozilla supports a process that is open and transparent while at the same time develops effective and meaningful codes of conduct.

****Tantek and Jishnu are making major edits to this section, please hold off for a bit****

A. Open Participation

In an open, transparent process, first and foremost, it is critical to keep all relevant documents, drafts, ideas, etc. on process, guidelines, meeting plans and meeting notes on an open, accessible site, such as a wiki. See https://wiki.mozilla.org/ for an example of such a wiki. This will promote transparency and participation.

It may also be useful to split up the code of conduct into various subgroups organized by topic which could aid to participation and reaching consensus. The process of splitting the codes could in itself happen as the first stage of the open, transparent processes.

If the discussions are made open and primarily take place on the web, simple publication of the URL(s) of the wiki would encourage the right stakeholders to contribute. In order to maximize inclusiveness, we suggest that as much as possible should be done on online wiki's and internet relay chat as opposed to in person so that those who lack resources to send delegates to in person meetings may still participate. While phone and in person meetings may be necessary, they have a tendency to lower participation. As such, they should be minimized and should be properly documented.

If the NTIA chooses to introduce prerequesites to meetings, such as position papers, we do not believe such papers should be mandatory prerequesites to attend at a meeting. Mandatory requirements will lower participation and should be kept to a minimum. To be consistent with the principle of openness, all position papers should be submitted by posting them on the web, in an an open format (like HTML) in a way humans can easily view them on any web browser, and search engines can easily index. Proprietary formats like .DOC (Word) and search-unfriendly formats like PDF should be discouraged.

B. Transparency

Technology

Mozilla believes that the technology used to promote the process can affect the transparency of the process as much as the procedural rules. Therefore, we would recommend that all documentation use open web standards like HTML which can be implemented in multiple viewers and rendered in ways that are searchable and accessible at the lowest cost to stakeholders and the public. We also recommend open hosted services such as IRC for discussions and etherpad for collaborative note-taking http://etherpad.mozilla.org/. At the end of meetings, the NTIA could post archives of IRC discussions and etherpad notes on the wiki for the project, establishing a quickly updating history of discussions and meetings.

Process

Since the advent of web standards, there are many We recommend that discussions during in-person meetings should be minuted by voluntary minute-takers (as designated by the chair of the meeting) in an Etherpad so that others in the meetings can also add to the minutes and make corrections as necessary in realtime.

Procedures stakeholders should follow to explain decisions

Stakeholders should publish their explanations of decisions on issues discussed on the web, preferably on a centralized open wiki, and cite sources for their reasoning (using URLs). Stakeholders should also cite the minutes/notes of their meetings with other stakeholders to explain decisions they have reached in concert.

Are there lessons from existing consensus-based, multistakeholder processes in the realms of Internet policy or technical standard-setting that could be applied to the privacy multistakeholder process?

Yes, examples abound. We recommend a study of the W3C, IETF, WHATWG and microformat organizations. Many of the points those processes have come up with are summarized in this blog post by one of our contributors, Tantek Celik: http://tantek.com/2011/168/b1/practices-good-open-web-standards-development.

Defining & Incentivizing Consensus

There are numerous factors in reaching consensus and they tend to differ based on the people involved and the issues at hand. For example, the W3C defines consensus roughly as a position which is either absent of objections, or has the least significant objections among several options. [We need more detail on how different bodies define consensus and what our recommendations might be based on how we do things at Mozilla and in standards bodies].

Some standards efforts have failed to reach consensus. In such cases, the failure to achieve consensus can cause one group to "fork" the effort and reach consensus by itself. An example of this is the 2004 W3C workshop in which the W3C staff promoted browser adoption of XML+RDF as a future for the web. Many The argument was essentially one between pursuing a fairly new, more academically pure yet more complex model, and evolving existing pragmatic technologies and the positions were irreconcilable. A group of stakeholders split off and formed the WHATWG.org to advance HTML, CSS and the DOM, the results of which became HTML5.

The NTIA can encourage consensus by requiring that all proposals be posted publicly and all discussions be posted publicly which will encourage stakeholders to think with a broader perspective than simply their own self-interests. Let sub-groups of stakeholders form organically rather than attempting to facilitate anything in particularly. To keep the overall process transparent, make sure that all materials discussed are published openly on the web, and that meeting plans/attendees/minutes/notes are similarly published openly on the web.

Mozilla supports efforts to implement codes of conduct that help bring at least the level of technological and legal principles around privacy afforded to users of the web to the development of mobile apps.

The key requirements that a multistakeholder process will need to identify for privacy considerations to be addressed adequately are:

1. what are the privacy best practices that should influence the design of mobile apps and associated hosted services to provide user transparency and choice? and
2. what are the legal or regulatory ramifications for failing to follow the codes of conduct?
3. how much will such codes of conduct continue to allow for innovation around novel uses of data that have user benefit?

Mozilla continues to implement a variety of consumer data privacy innovations in the creation of its products that we believe may help provide examples of potential areas for codes of conduct.

We design our products with the following principles in mind: [Insert privacy principles] [TBD this section]

Accountability

We believe that a clear accountability framework is necessary to help make a resulting Code of Conduct a meaningful exercise. Such accountability framework should, at a minimum, involve: (i) clear, consistent rules around what constitute a violation of the code of conduct (ii) balance user-centric innovation for uses of data with the need for more transparency and user control around their data.

IV. Public Resources from Mozilla on Privacy and Security

There are a number of examples of open, public-facing privacy and security work underway at Mozilla that may be of interest to the NTIA, including:

• Mozilla's Privacy Team Site (https://wiki.mozilla.org/Privacy)
• Privacy Reviews (https://wiki.mozilla.org/Privacy/Reviews)
• Security Reviews (https://wiki.mozilla.org/Security/Reviews)
• Data Safety at Mozilla (https://wiki.mozilla.org/Data_Safety)
• Privacy Roadmap (https://wiki.mozilla.org/Privacy/Features
• Public Privacy Mailing List (https://lists.mozilla.org/listinfo/privacy)
• Mozilla Privacy & Data Safety Blog (http://blog.mozilla.com/privacy/)

V. Contact

Please direct questions and/or comments to:

Alex Fowler, Global Privacy and Public Policy Leader, Mozilla 650 Castro Street, Suite 300, Mountain View, CA 94041 (650) 903-0800, ext. 327