Today is a challenging time for the Internet, particularly as it relates to the collection, use, and sharing of people's personal information from the web. These challenges are demonstrated by the breach of trust involving Facebook and Cambridge Analytica, but they are not unique to those companies.
We as an industry, in partnerships with governments and committees like this one, have a responsibility to build a healthier Internet ecosystem that gives people meaningful control over their privacy. Mozilla appreciates the seriousness with which this committee is taking this issue, and we thank you for inviting us here to express our views.
My name is Marshall Erwin. I am the director of trust and security at the Mozilla Corporation. My role primarily involves working with our product and engineering teams to understand the privacy properties of the Firefox browser to make sure that, within that browser, we are practising the same principles that we preach on a day-to-day basis regarding privacy.
First, I am going to talk about Mozilla's approach to privacy, and then I'll talk a bit more generally about our perspective on where the industry is.
Mozilla is a mission-driven organization dedicated to creating an Internet that truly puts people first, where individuals shape their own experience and are empowered, safe, and independent online. That commitment to our mission is why, when the story regarding Facebook and Cambridge Analytica first broke, we made the decision to pause our advertising on Facebook. That advertising remains paused today.
That commitment to our mission also lives within the Firefox browser that we produce and that is used by hundreds of millions of people around the world. We practise a set of data privacy principles within that browser that shape the data collection we have.
Firefox is essentially your gateway to the Internet. As such, the browser, the piece of software that runs on your computer or your phone, will manage and have access to a lot of sensitive information about you and about the websites you visit. That is information that stays on your device; Mozilla does not collect it. As a browser-maker, we actually don't know very much about how our users browse the web or about their interests. That is a big challenge for us, but it's also by design. If you are using the Firefox browser to do something sensitive or personal, you can have confidence that Mozilla is not going to learn about that.
Mozilla does collect a limited set of information from the browser by default to help us understand essentially how people are using the technology. This is information, for example, about the types of features you use in the browser, but it is not about your web-browsing activity itself, which is an important distinction that we make.
Mozilla has a set of policies and processes in place to govern the data collection we have. I can talk about these in a lot more detail, but what I think is important for this committee to understand is that it is possible to build a product that hundreds of millions of people use that collects some data by default while respecting the users' privacy and not putting that privacy in jeopardy. That is what we have done at Mozilla with the Firefox browser.
It can be difficult to find the right balance between privacy and the features that people want. This is not easy. We believe that we strike the right balance with the browser. Unfortunately, that is not where the rest of the industry is today.
Let's talk a bit about the technology industry, where it is doing well, and where it needs to improve.
The technology industry, especially its biggest players, is doing a decent job providing people with privacy controls. If you are a Facebook user and you care about your privacy, you can take steps to limit what data the company retains and what data it shares with others. However, the industry is coming up short in three areas that I want to call your attention to.
First, those privacy controls are often buried and difficult to find. The industry does not proactively help people understand and use their privacy settings. As a result, Internet users might have technical privacy controls, but they do not have meaningful control over their privacy today.
Second, the default state of those controls is not reasonable and does not align with users' expectations of what will happen when they use a product or a service. Users are defaulted into the collection and sharing of sensitive data. This violates what we call the sensible settings principle that we practise within Firefox. These sensible settings do not exist for much of the technology industry today.
Third, the data collection and sharing that are tied to those privacy settings are still expansive and permissive. The basic limited data principle—again, one that we practise within Mozilla—is not one that is followed by the industry.
If you examine the issues regarding Facebook and Cambridge Analytica, you will find that all those issues are at play.
I want to call the committee's attention to one specific issue that deserves further consideration, which is the collection and use of people's browsing activity as they navigate the web, sometimes referred to as cross-site tracking on the Internet. This type of activity is often associated with the Facebook's Like button.
If that button is on a website that you visit, and irrespective of whether you click that button, Facebook may collect data about the page you visited and use that data in targeted advertising.
The three problems within the industry that I identified are all still present here. Internet users do not have meaningful control over this tracking activity, nor do they even understand that it exists. The default is to track users across the web, and there are few limits on the data collection through that tracking. This tracking is a problem. It creates privacy risks and it undermines the basic trust that people have when they go online today.
Facebook argued before the U.S. Congress two weeks ago that its cross-site tracking activity is no different than what companies like Twitter, Pinterest, and Google do every day. Facebook was right about that. This is a common tactic across the industry and is not unique to Facebook in any way. However, we are at an important inflection point. Organizations like Facebook should be asking what they can do to lead the industry to some place that does not involve tracking people across the web without giving them meaningful control over that tracking.
There is a critical role for committees like this one to play in pushing Facebook and other companies to explain their cross-site tracking activity, to state plainly whether they believe their users understand and have meaningful control over that tracking, and to articulate what they are doing to lead the industry to a better place on this issue.
Again, I want to thank the committee for inviting us here today. I look forward to answering any questions you may have on Mozilla's overall approach to privacy or the perspectives that we have on the industry.