
Mozilla should move Persona out of the US - workhere-io
http://blog.workhere.io/mozilla-needs-to-move-persona-out-of-the-us/
======
callahad
Hi, Persona dev here.

We want to do better: we want to get rid of the Persona servers altogether. As
tlocke said, Persona is designed to let you choose who you trust, and anything
that requires centralization is considered a bug.

There are 4 points of temporary centralization, each of which can be replaced
independently:

1. The JS polyfill. Until we stabilize the API, we ask that you link directly
to login.persona.org/include.js

2. The persona.org interface. Once browsers have native support for Persona,
that will supersede both the polyfill and the persona.org interface. This is
all based on what Mike Hanson called Locally Isolated Feature Domains (LIFD):
[http://www.open-mike.org/entry/lifding-the-web](http://www.open-mike.org/entry/lifding-the-web)

3. The Fallback IdP. If your email provider doesn't support Persona, Mozilla
will certify your identity after you click a confirmation link sent to your
email address. If your email provider _does_ support Persona, it automatically
supplants Mozilla's fallback.

4. The Hosted Verifier. Until we stabilize the data formats, we recommend
that sites POST identity assertions to verifier.login.persona.org/verify for
verification. The assertions necessarily contain your email address and the
site you're logging into. We want this to go away soon, and François Marier
has suggested a pretty slick way to get us there. Until then, we've got a
strong privacy policy in place and we limit the data we log. I believe Ben
Adida is going to comment more on that shortly.

If you're interested in getting involved, drop me a line and I'd be happy to
help you get started.
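
As an added illustration of points 3 and 4 above (example code written for this page, not code from the thread or from Mozilla): the script builds a constructed backed assertion in the BrowserID layout, an IdP certificate and the user's assertion joined with `~`, each a JWS-style `header.payload.signature` token. The field names are assumed from the BrowserID spec and the signatures are left as placeholders, because the point is what the tokens disclose to whoever receives them, not the crypto. It then shows what the hosted verifier necessarily learns from an assertion, the form body the Quick Setup flow POSTs to it, and the checks a relying party still has to run on the verifier's JSON reply (`status`, `email`, `audience`, `expires`, `issuer`): status okay, audience is our own origin, not expired. The email, audience, issuer and timestamps are made up.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values for this example; not a real Persona assertion.
SAMPLE_EMAIL = "alice@example.org"
SAMPLE_AUDIENCE = "https://personaexamples.workhere.io"
SAMPLE_ISSUER = "login.persona.org"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _unsigned_jwt(payload: dict) -> str:
    # JWS layout header.payload.signature; the signature is a placeholder here
    # (assumption: this example is about disclosure, not signature checking).
    header = _b64url(json.dumps({"alg": "none"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def make_constructed_assertion(now_ms: int) -> str:
    """Backed assertion: IdP certificate(s) then the user's assertion, '~'-joined.
    The certificate binds an email to a user key; the assertion names the site."""
    cert = _unsigned_jwt({
        "iss": SAMPLE_ISSUER,
        "iat": now_ms,
        "exp": now_ms + 3600_000,
        "public-key": {"algorithm": "DS", "y": "placeholder"},
        "principal": {"email": SAMPLE_EMAIL},
    })
    assertion = _unsigned_jwt({"aud": SAMPLE_AUDIENCE, "exp": now_ms + 120_000})
    return f"{cert}~{assertion}"


def _payload(jwt: str) -> dict:
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def assertion_disclosure(backed: str) -> dict:
    """What any party holding the backed assertion learns without needing to
    verify a single signature: issuer, email, and the site being logged into."""
    *certs, assertion = backed.split("~")
    leaf = _payload(certs[-1])
    a = _payload(assertion)
    return {
        "issuer": leaf["iss"],
        "email": leaf["principal"]["email"],
        "audience": a["aud"],
        "expires": a["exp"],
    }


def verifier_request_body(backed: str, audience: str) -> str:
    """Form body the Quick Setup flow POSTs to the hosted verifier: the whole
    assertion (email inside) plus the audience, i.e. the site you log into."""
    return urlencode({"assertion": backed, "audience": audience})


def check_verifier_response(resp: dict, expected_audience: str, now_ms: int):
    """Local checks a relying party must still do on the verifier's JSON reply.
    Returns (ok, reason_or_email). Trusting 'status: okay' alone would let an
    assertion minted for another site be replayed against ours."""
    if resp.get("status") != "okay":
        return False, f"verifier status {resp.get('status')!r}: {resp.get('reason')!r}"
    if resp.get("audience") != expected_audience:
        return False, "audience mismatch: assertion was minted for another site"
    if not isinstance(resp.get("expires"), int) or resp["expires"] <= now_ms:
        return False, "assertion expired"
    if not resp.get("email"):
        return False, "no email in response"
    return True, resp["email"]
```

`assertion_disclosure` is the concrete form of "the assertions necessarily contain your email address and the site you're logging into": both fields are plain base64url JSON, so the hosted verifier (or anyone on the path to it) reads them before any signature is checked. `check_verifier_response` is the part that does not go away when the hosted verifier does; a self-hosted verifier has to enforce the same audience and expiry rules.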

~~~
monsterix
> Mozilla will certify your identity after you click a confirmation link sent
> to your email address.

Asking for an email address at sign-up is perhaps important, but I'm wondering
why it can't be removed completely from the process? It is a piece of
friction, and potentially identifying, as OP puts it in his post?

Can't we be just done with the requirement of email address? Let early users,
especially those who inspire the rest of the bell curve, remember their
persona id with some personal questions that the user may so choose.

Get rid of anything that can be gotten rid of.

~~~
workhere-io
Email addresses have certain advantages:

- Most everyone on the 'Net has one.

- Most everyone remembers their email address (but they might not remember
what usernames they used for which websites).

- Email addresses are unique, so when a user signs up for Persona, they don't
have to go through that time-wasting "this username is taken, try this one
instead" process.

- Email addresses make it easy to recover forgotten passwords.

So - while I see your point - I think that email addresses are the best option.

~~~
monsterix
I mostly agree. Now this may be a bit difficult to explain, but all the logic
in the points above sort of aligns towards the intent of achieving mass
adoption. But I am afraid that mass adoption is not going to happen just like
that. And it is certainly not going to depend on the fact that everyone uses
email.

Let's look at an ordinary user first. An ordinary user doesn't half understand
the subject of privacy. He/she is rather more interested in sharing his/her
best looking picture on Facebook. Or worried about landing a good job with a
nice new email with all the strengths. Which is the cool app, what is the next
device he can _show off_ etc.

Why would Persona matter to such a user? A type that is majority and we've
counted them all in the statement 'everyone on the 'Net has one'. So this is
more like opening an end of a small pipe to the atmosphere thinking that all
the air will pass through it.

_- Most everyone on the 'Net has one._

Yes. But it doesn't provide any motivation for people to go and sign-up for
Persona. Hence email registration only adds to friction.

_- Most everyone remembers their email address (but they might not remember
what usernames they used for which websites)._

This one is real. Since Persona is about, well, persona it is more likely to
remain etched in the memory of early adopters (ignore mass adoption for a
later stage) provided it is done right, kept right etc. Mozilla is an amazing
and capable organization so it should experiment more given that the project
itself is an ambitious experiment.

_- Email addresses are unique, so when a user signs up for Persona, they
don't have to go through that time-wasting "this username is taken, try this
one instead" process._

Dumb users are dumb enough to try signing up with the same email id again. I
am not very sure about Persona's positioning w.r.t same person having multiple
email ids?

_- Email addresses make it easy to recover forgotten passwords._

Agreed. However, Hacker News is a great example of why both email id and
password recovery are immaterial for a product to be successful (Kudos PG!). I
do agree with the simplicity of recovering forgotten password through email,
but this is certainly not a show-stopper at this stage.

~~~
workhere-io
I don't think Persona is pitched for the tech-savvy. On the contrary, I think
Persona offers a huge advantage for normal users: You can do one-click sign-
ups and log-ins for new websites (provided that you've already signed up for
Persona and that you've checked the "save my session" button or whatever it's
called).

Another advantage is that you don't have to waste time validating your email
address when you sign up for a new website. Persona has already validated your
email.

------
rfugger
The fact that Mozilla is a US corporation means that it will still have to
give the US government the data it asks for, regardless of where the servers
are hosted.

~~~
workhere-io
I know. That's why I wrote in the article that they will need to move "both
the legal entity behind [Persona] and the servers involved" to another country
:)

They don't necessarily need to move the Mozilla organization, but then they'd
need to make Persona an organization in itself and move that organization.

~~~
zobzu
It's a much safer bet to make it impossible to get the data for the company.
It's not like if non-US countries were much better.

------
tlocke
Mozilla Persona is federated, so the BrowserId service is provided by the
email provider. Mozilla provide a fallback service, in case your email
provider hasn't set one up. So just pick an email provider in the country of
your choice.

There's another misunderstanding in the post:

    
    
> Then NSA would have access to basically 40% of a user's
> browsing history, including URLs, the email address used,
> and time of visit.
    

As I understand it, Persona doesn't 'phone home' each time authentication is
required. It's intended that the browser authenticates you from its cache, and
only refers back to the Persona server from time to time, and doesn't tell the
Persona server anything about the sites you've been visiting etc.
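
How "just pick an email provider in the country of your choice" actually selects the identity provider, as an added example (written for this page, not tlocke's code or Mozilla's): a resolver over constructed `/.well-known/browserid` documents that follows `authority` delegation and falls back to login.persona.org only when the email's domain publishes nothing, plus the check a verifier needs before accepting a certificate, namely that its issuer is the domain discovery resolves to. The document field names (`public-key`, `authentication`, `provisioning`, `authority`) are assumed from the BrowserID spec; the domains, paths, key material and the delegation bound are placeholders.

```python
FALLBACK_IDP = "login.persona.org"
MAX_DELEGATIONS = 5  # assumed bound on authority chains, to stop loops and runaway hops

# Constructed /.well-known/browserid documents keyed by domain, standing in
# for HTTPS fetches. A provider either publishes "public-key", "authentication"
# and "provisioning", or an "authority" delegating everything to another domain.
WELL_KNOWN = {
    "example.org": {
        "public-key": {"algorithm": "RS", "n": "placeholder", "e": "placeholder"},
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html",
    },
    "mail.example.net": {"authority": "idp.example.net"},
    "idp.example.net": {
        "public-key": {"algorithm": "DS", "y": "placeholder"},
        "authentication": "/auth",
        "provisioning": "/prov",
    },
    "loop.example": {"authority": "loop.example"},
}


def fetch_well_known(domain: str):
    """Offline stand-in for GET https://<domain>/.well-known/browserid;
    None means the domain does not support Persona (a 404 in practice)."""
    return WELL_KNOWN.get(domain)


def resolve_idp(email: str, fetch=fetch_well_known) -> dict:
    """Work out which domain certifies this address: the email domain itself,
    a domain it delegates to, or Mozilla's fallback when nothing is published."""
    if email.count("@") != 1:
        raise ValueError("not an email address")
    email_domain = email.rsplit("@", 1)[1].lower()
    chain = []
    current = email_domain
    for _ in range(MAX_DELEGATIONS):
        chain.append(current)
        doc = fetch(current)
        if doc is None:
            return {"email_domain": email_domain, "idp": FALLBACK_IDP,
                    "via": "fallback", "chain": chain}
        if "authority" in doc:
            nxt = doc["authority"].lower()
            if nxt in chain:
                raise ValueError(f"delegation loop at {nxt}")
            current = nxt
            continue
        if all(k in doc for k in ("public-key", "authentication", "provisioning")):
            return {"email_domain": email_domain, "idp": current,
                    "via": "native" if current == email_domain else "delegated",
                    "chain": chain,
                    "authentication_url": f"https://{current}{doc['authentication']}"}
        raise ValueError(f"malformed browserid document at {current}")
    raise ValueError("too many delegations")


def issuer_is_authoritative(email: str, issuer: str, fetch=fetch_well_known) -> bool:
    """The check that makes federation safe: a certificate for this address is
    acceptable only from the domain discovery resolves to, and from the
    fallback only when discovery ends there. Otherwise any IdP could mint
    certificates for anyone's address."""
    return resolve_idp(email, fetch)["idp"] == issuer.lower()
```

The `via` field is the answer to the thread's question: for an address whose domain publishes a document, the persona.org fallback is never the certifier, and the only thing a site or verifier must not skip is `issuer_is_authoritative`, or the "choose who you trust" property collapses into "trust whoever signed first".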

~~~
workhere-io
> Mozilla Persona is federated, so the BrowserId service is provided by the
> email provider. Mozilla provide a fallback service, in case your email
> provider hasn't set one up. So just pick an email provider in the country of
> your choice.

The way it currently works is that when you want to log in, a pop-up window
from persona.org is opened. This would make Persona able to collect data
(which I don't think they're doing, but NSA could force them to).

> As I understand it, Persona doesn't 'phone home' each time authentication is
> required

I'm not an expert on the inner workings of Persona, but with the way Persona
currently works it actually does fetch JS from the Persona servers on each
page load. Try logging in on
[http://personaexamples.workhere.io/](http://personaexamples.workhere.io/) and
reload the page a couple of times while checking in Firebug / Chrome Developer
Tools which JS files are loaded.

~~~
tlocke
You can self-host the js files wherever you like. It's not recommended that
you do because Persona is still evolving. However the point is that the
protocol is completely decentralized.

By the way, as a plug, I've implemented it on my site
[http://www.polifesto.com/](http://www.polifesto.com/)

~~~
workhere-io
> You can self-host the js files wherever you like

Sure, but those files would still open the persona.org pop-up, AFAIK (until
Persona has been implemented directly in the browser). So until then
persona.org could theoretically gather data.

~~~
AndrewDucker
Any signs of Persona being implemented in the browser?

~~~
callahad
Firefox OS includes pseudo-native implementation, with some work still getting
farmed out to persona.org. Ozten and Jedp are working on the beginnings of
truly native support in desktop Firefox. We've held off on pushing too far in
that direction while we toyed with the API and data formats, but things seem
to be shaping up.

~~~
mpyne
If you guys get it stabilized and working I wouldn't mind helping get Konq to
support it (time permitting, of course).

------
junto
I think that the vast majority of tech companies need to seriously consider
relocating outside US jurisdiction, in a similar manner to which they have
already off-shored their finances.

~~~
mapleoin
I wonder if this will lead to data-haven countries, the same way we currently
have tax-haven countries, or even something which would be equivalent to
Switzerland's renown in finance.

~~~
junto
I perceive that certain countries will become super data havens. Something
like Gibson noted in his book Count Zero:
[http://en.wikipedia.org/wiki/Data_haven#History_of_the_term](http://en.wikipedia.org/wiki/Data_haven#History_of_the_term)

The Switzerland of data if you will. You need a durable and sizable connection
to the internet, plenty of energy, strong human rights and stable governance.
Iceland almost fits the bill, but their governance is not stable enough.

Actually, Switzerland is actually not a bad option. They understand the
necessity of privacy and are extremely stable politically. The canton
principles are an excellent political stabilizer.
[http://en.wikipedia.org/wiki/Cantons_of_Switzerland](http://en.wikipedia.org/wiki/Cantons_of_Switzerland)

~~~
pyre
The US was already able to force the Swiss banking system open, so I don't see
how this would protect anyone's data.

------
Yoric
That doesn't sound very useful.

Firstly, Persona doesn't have access to any such information. The only
interesting information that could be extracted by owning a Persona server is
that user X using IP Y wants to connect to some service - but Persona doesn't
know which service. So you only get the IP.

Secondly, well, anybody can become a Persona identity provider. Do you want to
host one in insert-your-favorite-country here? Well, that's quick and easy.

~~~
workhere-io
As stated elsewhere there's a difference between how Persona works now and how
it eventually will work. Persona at this stage is stable and works very well,
but it does communicate with and send private data to persona.org, which is
owned by an American organization (Mozilla).

------
chrismorgan
It seems to me that if the NSA is able to force Mozilla to put in such
tracking into Persona (which in its current form, where using the scripts at
persona.org is recommended, would be possible—later on, you'd need to modify
the source and get people to update to it), _you don't need to worry about it
in the slightest_. You've already got much larger problems: putting tracking
into the browser itself would be _much_ more effective.

~~~
workhere-io
Sure, but who says every major browser will be controlled by a US legal entity
five years from now?

------
ck2
NSA is good at MITM attacks according to Snowden. Moving outside the USA won't
stop them.

Unless it's just for politics, to feel better, then go for it.

~~~
workhere-io
> NSA is good at MITM attacks according to Snowden. Moving outside the USA
> won't stop them.

If they do MITM attacks, it will probably be on US citizens. Moving Persona
out of the US would at least stop the snooping on non-US citizens.

~~~
BCM43
That's only if the traffic does not flow through the US which, given the way
our current internet infrastructure is setup, is very possible

~~~
drzaiusapelord
If I have my datacenter in Iceland and you connect from France, I really doubt
you're going to waste valuable transcontinental bandwidth with high latency and
extra hops by routing through NYC first.

~~~
fotbr
If the US decides your France<->Iceland traffic is that valuable, it's a small
matter to reach an arrangement with friendly-or-easily-pressured governments,
agencies, or companies to have your traffic routed in such a way that the US
can see it, whether that's in the US or not, or to just have one of those
governments, agencies, or companies to play MITM and pass everything over
wholesale.

For that matter, go look up Ivy Bells. Sure, fiber can't be tapped in the same
manner, but you can get around that by placing your splice/tap during other
outages, especially if you arrange for those too -- "Here's <insert amount>
dollars/euros/ducats/doubloons/etc. Drag this across the bottom from point x
to point y on your charts on date z, then cut it loose and leave it behind and
go on your way."

Now, with a straight face, can you claim that you know, for sure, that your
undersea links are pristine and unmolested, either at the end points with the
equivalent of the infamous at&t "nsa rooms", or somewhere in the middle? Do
you know, for sure, that the people who own the fiber trunks aren't playing
ball with the nsa/mi6/dgse/etc?

Unless you own the entire infrastructure, and actively monitor it to be sure
of such things, it is best to assume that your communications are vulnerable
at some point along the way.

~~~
drzaiusapelord
> it is best to assume that your communications are vulnerable at some point
> along the way.

This claim and the claim of "I'm probably going through the US" are two
entirely different claims.

Yes, using encryption helps. Yes, using non-US datacenters help. Security is
layers. It's not all hopeless. The US isn't all powerful.

~~~
fotbr
If your communications are vulnerable, and your communications are of interest
to governments, then there's very little you can do to avoid it being
intercepted.

You may, if you trust your hardware, your encryption software, and your key
management, be able to keep that intercepted message from being read for some
length of time. That is different than actually intercepting the traffic,
which is trivial for the organizations we're talking about, and there is very,
very little someone can do to avoid the interception.

Believing that being on a different continent makes you safe is deluding
yourself.

------
mixedbit
Unfortunately, you don't need to tap an authentication system to spy which
services people are visiting. You can achieve the same for example by ordering
a popular jQuery CDN to collect HTTP referrers, IP addresses and browsers
fingerprints.
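
What a shared script host can reconstruct from nothing more than its access logs, as an added example (written for this page, not mixedbit's code): it parses constructed combined-format log lines for a jQuery file and groups the `Referer` values by client IP and User-Agent, which is a page-by-page browsing history of every site that embeds the script. The log lines, addresses, sites and timestamps are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines in Apache/nginx "combined" format for a
# hypothetical CDN serving jquery.min.js. Sample data, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2013:12:00:01 +0000] "GET /jquery-1.10.1.min.js HTTP/1.1" 200 93107 "http://personaexamples.workhere.io/" "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
203.0.113.7 - - [10/Jun/2013:12:03:45 +0000] "GET /jquery-1.10.1.min.js HTTP/1.1" 304 - "https://shop.example.com/checkout?order=5521" "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
198.51.100.23 - - [10/Jun/2013:12:04:10 +0000] "GET /jquery-1.10.1.min.js HTTP/1.1" 200 93107 "http://forum.example.net/t/persona-privacy" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/27.0.1453.94"
203.0.113.7 - - [10/Jun/2013:12:09:02 +0000] "GET /jquery-1.10.1.min.js HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """One combined-format record as a dict, or None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def browsing_history(log_text: str) -> dict:
    """Group Referer values by (client IP, User-Agent). Each entry is the
    (timestamp, full page URL, query string included) the client was viewing
    when the script was fetched. A '-' Referer still reveals IP, UA and time,
    but not the page, so it is left out of the history."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("", "-"):
            continue
        history[(rec["ip"], rec["ua"])].append((rec["ts"], rec["referer"]))
    return dict(history)


def visited_hosts(log_text: str) -> dict:
    """Distinct sites per client: the coarse view the article is worried about."""
    return {client: sorted({urlsplit(url).netloc for _, url in visits})
            for client, visits in browsing_history(log_text).items()}
```

Note the second line: a 304 (cached, nothing served) still carries the `Referer`, so even a client that already has the file keeps reporting each page it lands on, query parameters included. The IP plus User-Agent pair is a crude fingerprint; a real tracker would add more headers, but the grouping logic is the same.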

~~~
workhere-io
Suppose we found out that the NSA was snooping through the jQuery CDNs. It
would only take five minutes for website owners to change their jQuery
locations.

It's a different story with Persona. Changing your entire user system isn't
done overnight.

------
jwr
Your site disables zooming on iOS devices, which makes it inaccessible to some
of us. Please don't do that if you want people to read what you wrote.

~~~
workhere-io
Sorry about that - I tested it on Android (Galaxy S3), and it worked
perfectly. I'll try to test on iOS next time.

~~~
pietro
Just remove maximum-scale=1 from the viewport meta tag. It doesn't allow
zooming in Safari, either.

~~~
workhere-io
Should be fixed now.

------
andyl
And so it begins. People who care about a strong US tech industry need to
oppose government snooping.

~~~
goldfeld
Opposing a strong US tech industry seems like a better bet for non-americans
right now. If the tech world were distributed across nations in a more balanced
way the public would have more leverage today.

~~~
andyl
I disagree. The world needs a 'data safe haven', and it is much better for
everyone if that haven is a strong country like the US. Distributed/Piecemeal
efforts to maintain data security will be easy to kill.

~~~
louthy
How is the US a 'data safe haven' when the data stored by organisations within
it are fair game for the US government without due process?

~~~
Ygg2
I understood grandparent's post as asking for a country with lot of political
power and clout (like US) to be a data safe haven.

Unfortunately I can't think of a single state that has enough power and would
want to keep data safe. Russia is basically dependent on US, China is not
interested in keeping it safe, etc.

------
rasterizer
If you think that the US is the only country with overreaching intelligence
bodies then you're deluded.

~~~
workhere-io
Thanks for the snarky comment, but the fact that there are countries with
overreaching intelligence agencies doesn't mean that every country is like
that.

In most countries a warrant will get you access to private data - but what the
NSA is doing here goes far beyond that.

~~~
purephase
rasterizer is correct. I think people are misguided in believing that there
are viable alternatives. The reason this is such a big deal is that the US (on
paper anyway) is built on a tenet of civil liberties which is/was unique.

Obviously, reality is entirely different but my point is that, in other
countries/localities, these so-called fundamental freedoms either do not exist
or are diminished. In most of the western world, governments have significant
leeway into the private lives of their citizens in the areas covered by PRISM.

I think we can be reasonably certain that programs like this already exist, or
are identical, in almost any country with the technical capacity to provide
similar services to the US.

~~~
workhere-io
> The reason this is such a big deal is that the US (on paper anyway) is built
> on a tenet of civil liberties which is/was unique.

The US didn't invent most of those liberties. Your assumption that those
liberties are not part of the law in other countries is wildly incorrect.

The assumption that most other western countries have as extensive
intelligence gathering as the US needs proof. I'm aware that Sweden and the UK
are quite big on data gathering, but there are hundreds of other countries in
the world.

~~~
purephase
My point is that the number of countries with the capacity/capability to
provide the level of service that the US provides is quite small. Of those, I
imagine most if not all of them have similar data gathering practices that
extends to their own citizenry, so non-citizens are not even an issue.

Let's look at the list of countries (order is random):

1. EU (probably only France, UK, Germany, possibly the Netherlands)
2. Israel
3. Canada, solely by proximity to the US
4. Japan
5. China
6. Brazil
7. Russia
8. Australia, that's a big maybe though
9. India
10. Iran
11. South Korea
12. Singapore
13. South Africa
14. Scandinavia (Finland, Denmark, Sweden)

These are the countries that likely have the technological advancement
required to even offer cloud-based services of the scale and capability
offered by US based organizations.

This is also assuming that significant parts of their overall connectivity
does not route through US controlled territories or demarcation (which likely
rules out any south-east asian country like South Korea, Singapore, also
Canada and Australia).

Of those remaining on the list, very few of them even have civil liberties
legislation codified. A rough guess might be:

1. EU
2. Israel
3. Japan
4. Brazil
5. Scandinavia
6. South Africa?

Israel we could likely rule-out. Not exactly the most trustworthy government,
and the close ties with the US likely means that they either participate in or
benefit directly from PRISM.

As a collective whole, the scandinavian countries likely could offer the level
of cloud-based services provided but not individually.

So, in no particular order:

1. France
2. UK
3. Germany
4. Japan
5. Brazil

~~~
timw6n
All the Scandinavian countries you list are actually EU members — a better
term for your first group would be Western Europe.

But, really, I'm not sure how much confidence you could have in any of those
countries: The UK's GCHQ was very heavily involved in Prism themselves, much
to our national shame, for instance.

~~~
mercurial
Looks like Sweden has even more intrusive snooping than PRISM, if you can
believe that. I'd look toward Iceland, personally.

------
ttrreeww
US based technology companies can no longer be trusted.

------
drivebyacct2
Why? Nothing about it is remotely centralized and eventually it won't require
ANY sort of server-side resources. The entire point is that you trust who you
want to be your IdP

edit: never mind, reading the thread it's clear that few here have any idea
what Persona is or how it works.

~~~
workhere-io
As I've mentioned elsewhere on this page, there's a difference between what
Persona is right now and what it will become later.

Right now it _is_ indeed centralized. Check out the integration documentation
and you'll see how. [https://developer.mozilla.org/en-US/docs/Mozilla/Persona/Quick_Setup](https://developer.mozilla.org/en-US/docs/Mozilla/Persona/Quick_Setup)

~~~
drivebyacct2
Nope, that's the Quickstart guide. It's possible to do it without using
Mozilla's servers. Someone just a couple weeks ago posted a writeup on how
they did it themselves.

~~~
workhere-io
I would assume that most website owners will go with the integration method
Mozilla currently recommends, and that method is centralized.

For instance, the quickstart guide mentions
[https://login.persona.org/include.js](https://login.persona.org/include.js):
"You _must_ include this on every page which uses navigator.id functions.
Because Persona is still in development, you should not self-host the
include.js file."

~~~
drivebyacct2
Okay, but for anyone like us, we can self-host and just make sure it stays
mirrored and up to date. The only other bit is doing the verification on your
own server instead of trusting them. That's as big a deal as anything.

------
northisup
I don't think you know how to persona...

