Following the NSA revelations, Mozilla wants to make sure people trust its products. The company behind Firefox is now looking to build a global auditing system that will verify that Mozilla builds do not contain code forced into the browser by court orders.
“It is becoming increasingly difficult to trust the privacy properties of software and services we rely on to use the Internet. Governments, companies, groups and individuals may be surveilling us without our knowledge. This is particularly troubling when such surveillance is done by governments under statutes that provide limited court oversight and almost no room for public scrutiny,” wrote Andreas Gal, Mozilla’s vice president of mobile and R&D, and Brendan Eich, CTO and SVP of Engineering.
They further advise users to exercise prudence when interacting with Internet services, knowing that in the end, companies need to comply with the law.
“The government can legally access user data in ways that might violate the privacy expectations of law-abiding users. Worse, the government may force service operators to enable surveillance (something that seems to have happened in the Lavabit case),” they write.
Mozilla’s execs say that major browsers are created by companies within reach of the government, and while there’s been no indication that they have been asked to build in surveillance code, that doesn’t mean it can’t happen. If that were the case, however, chances are that gag orders would prevent this type of information from coming out.
The company behind Firefox wants to establish a system that would allow users to verify that Mozilla’s binary builds contain only code coming from Mozilla’s source code repositories.
Establishing such a system at a global level would require regular audits of Mozilla source, automated systems to verify binaries and a way to raise the alarm if there’s any difference between the verified and official builds.
“Through international collaboration of independent entities we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users’ privacy expectations,” Eich and Gal write.
This, Mozilla believes, will help establish trust in the company.
The announcement comes months after the NSA scandal broke, with reports indicating the reach the NSA has and the fact that it will stop at nothing to get its hands on the data it wants. While Internet companies have been under the magnifying glass more than ever, it’s the discussions about the security backdoors the U.S. government has supposedly forced companies to build into their products that sparked the most outrage.