Complete Privacy-Policy Review for Internal hosting of Wiretap REST debugging



6 years ago
6 years ago


(Reporter: dre, Assigned: me)




Initial Questions:

Project/Feature Name: Internal hosting of Wiretap REST debugging
Tracking  ID:
Wiretap is a managed proxy that enables easy debugging and investigation of
REST APIs.  The URL provides a good introduction as well as a four minute
webcast that explains it very well.

If it were available, we would be using it in the course of developing the
Firefox Health Report, the Metrics middleware query API, and other services,
but it is not blocking any goals.

The service is currently in private beta as a SaaS solution, but the creator
plans to make it available as an internally hosted solution as well.  I reached
out to him and he stated that he would love to work with us to define the
requirements for such a service and use us to tailor the offering.

This would most likely involve setting up the application on a machine or VM,
and it would be useful to provide him with access to the system to be able to
set up, configure, and troubleshoot as needed.  He would be happy to sign an
NDA or contract to ensure the privacy of any data captured by the system to
which he may have access.

Additional Information:
The website has a good technical description of the SaaS solution and the four minute webcast on that page provides a great explanation of how it is used.
Urgency: no rush
Current Goal: 
Release Date: 2013-01-31
Project Status: future
Mozilla Data: Yes
New or Change: New
Mozilla Project: none
Mozilla Related: Metrics, Webdev, Services, potentially OpsSec as well.
Separate Party: Yes

Privacy Policy: No
Privacy Policy Link: 
User Data: Yes
Data Safety  ID: 
Legal  ID: not filed

Comment 1

6 years ago
There seems to be a website link missing there? A web search for "wiretap" is not supremely effective.

Since we're using it for debugging and investigation, what's the plan for logs and log retention? I suspect you and I should sit down for half an hour to braindump on the plan here, but I'd like to look over their web site first.
Flags: needinfo?(deinspanjer)
Sorry, I had the URL in the original bug, but forgot to include it when I used the new security review request form because it wasn't an explicit field.

In the SaaS model, the default is for recorded data to expire in 24 hours.  It is customizable per collection end point and also per specific headers so you can do things like throw away auth headers after 5 minutes and such.

Definitely take a look at the website, it should give you a good feeling for the concept, and then feel free to ping me to chat about the plan.
Flags: needinfo?(deinspanjer)

Comment 3

6 years ago
Okay, I totally understand what the deal is here.

Based on the use case evangelised on the site, it looks like users wouldn't be interacting with the service: it'd just be developers/testers. If that's the case, then I don't see any privacy impact at all. Please re-open if I don't get it.
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
This assessment is how I see it and works fine for me.  If there are any privacy concerns that come up in other bugs, I will make sure and let you know.
You need to log in before you can comment on or make changes to this bug.