Windows EU Ballot Screen Technical Glitch

We’re encouraged by the European Commission’s efforts to ensure that users have meaningful browser choice in the Windows PC environment. The 2009 Commitments adopted by Microsoft were a foundational part of the remedy developed by the Commission to resolve Microsoft’s competition violations in EC countries. A key part of the remedy was Microsoft’s commitment to present the browser ballot screen to Windows users through vehicles like the Windows 7 Service Pack 1. Earlier this year, we learned that Microsoft failed to fully comply with the browser choice ballot screen obligation for nearly 15 months.

Most recently the EC sent a statement of objections to Microsoft for failing to include the browser-choice screen as promised. Our data suggests that the absence of the browser choice screen had the following impact:

  • Daily Firefox downloads decreased by 63% to a low of 20,000 just prior to the fix;
  • After the fix, Firefox downloads increased 150% to approximately 50,000 per day; and
  • Cumulatively 6 to 9 million Firefox browser downloads were lost during this period.

After accounting for the aggregate impact on all the browser vendors, it seems like this technical glitch decreased downloads and diminished the effectiveness of the remedy ordered in the 2009 Commitments.

New European Commission Privacy Recommendations

The EC released its new privacy recommendations on Thursday to update the 15 year old EU privacy regime.  The report contains the Commission’s findings from their analysis over the past year and announces an intention to investigate a number areas in more depth with the goal of proposing legislation in 2011.  The impetus as described by the Commission is that today’s challenges “require the EU to develop a comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.”

I suspect that for some the principles may be perceived as new administrative overhead and obstacles to an “optimum user experience.”  My quick take (personal opinion) is that the findings and areas of study represent a move in the right direction.  Ofcourse, the devil is in the details which will evolve over the coming year, so we’ll see. As the EC develops its new framework, finding reasonable and practical ways to implement the proposals will be essential to their success.

This is even more interesting given that the US Federal Trade Commission has indicated its coming out with recommendations soon. These would also likely result in legislation next year as well.  It would be great (if not just common sense) to see as much harmonization between the two frameworks as possible. We can still dream.

Welcome any thoughts or observations about the proposal. Some highlights from the report are shown below, but the report is worth the read.

  • The Commission will consider how to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals’ rights and freedoms and the objective of ensuring the free circulation of personal data within the internal market.
  • The Commission will examine ways of clarifying and strengthening the rules on consent.
  • The Commission will consider:
    • introducing a general principle of transparent processing of personal data in the legal framework;
    • introducing specific obligations for data controllers on the type of information to be provided and on the modalities for providing it, including in relation to children;
    • drawing up one or more EU standard forms (‘privacy information notices’) to be used by data controllers.
  • The Commission will therefore examine ways of:
    • strengthening the principle of data minimisation;
    • improving the modalities for the actual exercise of the rights of access, rectification, erasure or blocking of data (e.g., by introducing deadlines for responding to individuals’ requests, by allowing the exercise of rights by electronic means or by providing that right of access should be ensured free of charge as a principle);
    • clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired;
    • complementing the rights of data subjects by ensuring ’data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.
  • The Commission will examine the following elements to enhance data controllers’

    • making the appointment of an independent Data Protection Officer mandatory and harmonising the rules related to their tasks and competences31, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises;
    • including in the legal framework an obligation for data controllers to carry out a data protection impact assessment in specific cases, for instance, when sensitive data are being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms or procedures, including profiling or video surveillance;
    • further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’.

Privacy is Brewing

People think about Mozilla mostly in the context of our major product, Firefox, but we’ve got lots of activities, both related to Firefox and beyond, that touch on issues of user control and privacy.

It’s an incredibly active area right now across the industry, and we’re finding ourselves more involved, so I wanted to start writing about these issues as they develop.  What’s below is a bit of an effort to divine some meaning from what on its face, looks like a series of unrelated events; however, in aggregate, they suggest a bigger story is unfolding which is that users’ expectations about their ability to control their online information, at least for a growing segment,  are not being satisfied.

In the last few months alone, Google Buzz and Facebook privacy practices have made the news more than once, resulting in inquires or complaints in both the EU and the US. The US Federal Trade Commission announced it is planning to create new guidelines for online privacy, and just last week, new online privacy draft legislation was introduced in Congress. (See Boucher bill is here) The US Department of Commerce has started an initiative to explore privacy and innovation, including a notice seeking public comments.  Similarly, the EU Article 29 Data Protection scheme continues to evolve as the Working Party adopted its new Work Programme for 2010-2011 with a goal to “address challenges linked to new technological development” In this same period, there have been countless news stories, all of which say they are about “privacy” but -if you read them carefully- mainly appear to be about sharing and user control.

As the New York Times reported recently:

“Consumer groups have been fighting what they see as the prevalence of online tracking, companies like Google and Yahoo have adjusted their own privacy policies in response to consumer concern, and industry groups recently put forth self-governing principles while arguing that free Internet content depended on sophisticated advertising methods.”

Among many privacy thinkers (at least in the US) there is a view that the current “notice and consent” framework doesn’t work very well.  Jonathan Zittrain has written much about this already, as well as many others. The online privacy environment is more complex than ever before in part because of:

  • new ways to share, track, and analyze information (and accompanying new questions about the definition of “user information”);
  • users who want to connect and share (Facebook didn’t get 400M users accidentally); and
  • an increasing expectation that users, when they do intend to share, also expect some reasonable control of their information and information about them.

It’s unclear whether the critique of notice and consent is driven by the framework itself, the way it has been implemented (i.e. privacy policies tucked away in the footers), or because of the inherent generative nature of the web. It’s really hard to tell whether the idea is fundamentally bad when the implementation doesn’t work that well.

One alternative framework under discussion contemplates a model with few restrictions on what is collected, but significant and enumerated limits on how the collected information may be used. Others have observed that current models are insufficient because they don’t reflect the changing context of the transaction – meaning privacy norms and expectations change depending on what you’re doing.  Helen Nissenbaum suggests a construct called contextual integrity that “ties adequate protection for privacy to norms of specific context.” The concept is developed more fully in her book, Privacy in Context: Technology, Policy and the Integrity of Social Life, which is worth the read.

Recently, we’ve also had the opportunity to share our experiences with some people in policy circles. These have included the FTC, congressional staffers,  and the Commerce Department. The discussions have helped me better understand the landscape, and provided a chance to share how our products are designed to help users manage their interactions on the web and control the information that they share.

In future posts, I’ll try to provide a summary of some of the activities here at Mozilla in this area.  In the interim, we’ll continue tracking and looking for ways to improve what we do.

Thoughts on Microsoft’s Settlement Proposal in the European Commission’s Tying Investigation

When the European Commission (EC) investigation started we articulated some principles we thought were essential for any remedy. Asa Dotzler did an exhaustive comparison of those principles against Microsoft’s proposal that can be found here. We’ve had some time to think more about Microsoft’s settlement proposal with the benefit of further clarifications from Microsoft about their intent. Overall, the proposal is a good step forward that if earnestly executed could improve browser choice and reduce the likelihood that non-IE choices are undermined by operating system behavior. The ultimate success of the proposal,  however, will depend on Microsoft’s long-term commitment to realize not just the words of the proposal, but its spirit, so a lot still remains to be seen.

Mitchell Baker provides some big picture observations about the proposal here. In the material below we’ve tried to articulate in detail those key aspects of the proposal that need modification (Protecting User Choices and the Ballot Mechanism). Our assumption is that the EC and Microsoft may be close to a resolution; thus, the ability to radically change the proposal may be constrained as a practical matter, but I’d welcome feedback on other essential terms or clarifications that may be missing.

Protecting User Choice of Non-IE Browsers:

Our most urgent concerns in the EC investigation related to protecting a user’s choice of a non-IE browser. The proposal largely addresses those concerns and should merit support if certain deficiencies are corrected.  These are described below:

Windows Update.  Not offering updates through Windows Update to an off-switched IE is a good start.  But most users won’t have IE turned off, even if they have other browsers as their default.  When IE is not the default, any launch of IE, user intended/initiated or not, may prompt the user to restore IE as his default browser. This may be a reasonable action for an intentional user-initiated launch of IE, but it’s an abuse when it’s not user-initiated and has the impact of undoing user choice.  Perhaps the language in Section 1, Paragraph 1 which states that “it [IE] can only be turned on through user action specifically aimed at turning on Internet Explorer” is designed to capture this, but it could be clarified to eliminate any uncertainty. Thus, the proposal should be modified to expressly state that Microsoft cannot use Windows Update to trigger any “Make IE the default” consideration unless the user launched IE intentionally and not just as a requirement of another process.

Tie-ins with Microsoft Applications.  Not including links, shortcuts, or icons for launching an install or download inside of Office 2007 is a good start; however, it’s just not enough.  Microsoft Office 2007 and other Microsoft programs should not “hard code” links, shortcuts, or icons to launch an already installed IE when IE is not the default browser.  If Microsoft applications need to launch a browser, they should only launch the user’s default browser.  Otherwise, with every launch of IE from its other applications, Microsoft is prompting the user to restore IE to the default status.  This has the effect of pressuring users to undo their default browser choice.  Thus, the proposal should be modified such that this provision applies to all Microsoft desktop software, and certainly to the already announced Office 2010.

Ballot Mechanism:

If a ballot is going to help provide consumers a meaningful choice, the proposal needs to be modified a bit. Below are some key aspects of the ballot that are currently not addressed sufficiently or that need modification.

Ballot Application.  The proposal states in Section 2, Paragraph 7 that “Microsoft will distribute a Ballot Screen software update to users within the EEA of Windows XP, Windows Vista and Windows Client PC Operating Systems, by means of Windows Update as described hereafter:..” The proposal later states in Section 2, Paragraph 8 that “The Ballot Screen will give those users who have set Internet Explorer as their default web browser an opportunity to choose whether and which competing web browser(s) to install in addition to the one(s) they already have.” It is unclear how this applies in the OEM channel. If Microsoft or other 3rd parties have paid for pre-installation of IE (or an IE derivative) in the OEM channel, the ballot mechanism should still apply. As currently drafted the ballot mechanism seems to only apply to “those users who have set Internet Explorer as their default web browser.” Does this include users who bought a PC with IE pre-installed? If not, it should. Perhaps this is an oversight or unintentional ambiguity.  Nonetheless, this aspect of the proposal should be modified such that it is clear that the ballot mechanism applies if IE is pre-installed by OEMs.

There’s another more complex question of whether the ballot should apply to any browser pre-installed with OEM distributions.  Some would say it should, since there are only a few parties who can compete economically in the distribution game, so why tie Microsoft and leave everyone else free to engage in the same behavior. Conversely, such other parties are unlikely to have monopoly power in the operating system market, nor are they the subjects of an investigation based on practices found to be anti-competitive. In the absence of an overwhelming and compelling justification, it seems unwise to tinker with this any more than is necessary, but it still doesn’t seem quite right.  I suspect these are exactly the kind of unintended consequences Mitchell Baker expressed concern about initially.

Download Process. A download link is insufficient for fulfilling user intent.  If a user clicks the download Opera link in the ballot, he is signaling intent to, at a minimum, try out Opera. Our data shows that only ~55% of users who click a download link will be able to complete the process of downloading and installing so that they may at least try out the new browser.  A download link, therefore, is insufficient to fulfill user intent. The most valuable change to promote the likelihood of fulfilling user intent would be to have the link trigger both the download and the execution of the installer at download complete. The second most important change would be to have the download also launch the vendor’s instruction page for completing download and install of the new browser.  Obviously this is a complex process that will take some thinking, and to make it really work, we would strongly recommend that the proposal include a Microsoft commitment to work with browser vendors directly in an informal group (including the EC) so the ballot implementation can be informed by the knowledge and experience of other browser providers. To date, Dave Heiner, Microsoft’s Vice President and Deputy General Counsel, has been receptive to comments from those outside of Microsoft. We hope this continues as the development teams engage more fully in making the ballot work as intended.

Ballot Screenshot.  The ballot as described in the screenshot is not unbiased as MS claims in the written proposal. It suffers from two major bias issues.

The first is that IE may become the default browser in more scenarios than the alternative browsers. IE may become the default by being selected. It may also become the default if the user simply ignores the ballot. It may also become the default if the user is unable to figure out how to use the ballot. Finally, it may become the default even if the user expresses a desire to try one of the other browsers but fails to achieve an alternative browser install (point 1. above.) The other browsers have only one, difficult and failure prone scenario to becoming the default. I don’t know how one would remedy this except partially by requiring the user to make a choice rather than treating no choice as a user preference for IE.

The second issue of bias is the ordering of the browser choices on the ballot. When presented with a question that interrupts the user’s “flow” the most common user response is to take actions, without serious consideration, that will remove the interruption. That often results in users simply closing the Window containing the interruption or in choosing the button or option they believe is most likely to remove the Window.  We strongly suspect that placement matters, and being the farthest most left position has some inherent advantage. Thus, having a mechanism to equitably mitigate this inherent advantage would make this a much better remedy. This will likely require further evaluation and testing, so the notion that the proposal can be adopted, implemented, and filed away, without subsequent iteration doesn’t seem plausible.

De-selection of IE. Section 2, Paragraph 8 further states that “Microsoft shall ensure that in the Ballot screen users will be informed in an unbiased way that they can turn Internet Explorer off.” Merely advising the user with text on how to turn IE off in the ballot is simply not enough to achieve the intended purpose of the remedy. The commitment should be modified so that IE is turned off seamlessly when the user selects a non-IE browser through the ballot screen, rather than through a separate procedure.  Even if a user does succeed in choosing and successfully installing an alternative browser as his default, IE will still occupy prominent real estate on the Desktop and Start Menu. The other browsers do not have this luxury and the advertising opportunity it provides merely through placement.  Consequently, the best way to ameliorate this is to offer the user the opportunity to _replace_ IE rather than to simply join it on the desktop. This could take the form of a “make this browser the new default and turn IE off when that’s done” option in the ballot.  Alternatively, Microsoft could provide an API to the IE off switch that could be used in the installers of other browsers to effect the same change.

Education. The ballot, as proposed, does nothing to educate the user as to what a Web browser is or how different browsers might offer different experiences. A user with no understanding of what a browser is and no explanation in the ballot to educate him will likely just dismiss the window as an unexplainable interruption. The ballot should introduce the user to at least a simple definition of what a browser is before offering the user a choice in browsers. It should probably go one step further and explain that the different browsers compete for superiority in the areas of ease of use, security, and customizability. A two-sentence introduction with this information will help users make a meaningful choice.

Testing and Evaluation. The term of the proposal is five years; however, there are no interim evaluation milestones. To evaluate the efficacy of the remedy, there must be some ongoing evaluation, otherwise how will we know if the ballot proposal made a difference, and if so, what did it actually change. Thus, an annual review by the EC should be part of the proposal. The review should include only data derived from public sources and Microsoft that comports with all applicable privacy directives.


For now, these seem to be the minimum set of changes required for an effective remedy. There are numerous other terms that could be adjusted, but these key points should be considered and addressed before adopting the proposal.

I’d like to thank Asa Dotzler who made significant contributions to this post.