Transparency is a key part of how Mozilla approaches user trust. As an open source project that relies on open development, we build transparency into the way we write our code. Additionally, our product documentation and notices describe how our products work and how we handle user data.
With this transparency in mind, we intend to publish bi-annual transparency reports that help provide additional transparency to government disclosures and takedown requests.
Frequently Asked Questions
What is the scope of the Transparency Report?
The purpose is to provide public insight into the types of government demands we receive for our user data or to remove content, and into requests from individuals or companies to remove content based on copyright or trademark claims. Each report also includes a supplement describing our efforts to reform laws on privacy, surveillance, cybersecurity, and intellectual property for a healthier internet.
With each additional report that we publish, we’ll continue to reevaluate how we can be more transparent. To this end, in H2 2018, we started reporting on the number of requests we receive from individuals inquiring about their personal data.
How does Mozilla handle Government Demands for User Data?
Mozilla requires a valid Legal Process to compel the disclosure of Specific User data to a government, such as a legitimate and properly scoped court order, or a search warrant supported by probable cause and issued by an appropriate law enforcement authority. We interpret requests narrowly, and we will oppose unlawful or overbroad requests for specific user data.
Recipients of National Security Requests can only publish reporting bands instead of specific figures. If we receive such a request, we may challenge these reporting bands, in addition to opposing any unlawful or overbroad requests.
How does Mozilla handle Gag Orders?
We don’t believe it is appropriate for the government to indefinitely delay a company from providing user notice. We will take steps to enforce this belief for gag orders that meet any of the following criteria:
Unreasonable Duration - Any gag order with an unspecified duration or with a duration longer than one year. This time period may be changed if specific facts in the case lead us to believe that a longer time period is reasonable. We support policy proposals to codify into a federal statute shorter durations of one year or less, consistent with Section 9-13.700 of the DOJ U.S. Attorneys’ Manual.
Unreasonable Scope - Any gag order that would prevent us from disclosing the existence of legal process in our transparency report.
Unreasonable Number of Impacted Users - Any gag order that appears to affect more than 50 users, or where specific facts suggest that the order affects users we can reasonably determine are unrelated to the activity under investigation, such as users of a shared computer or IP address.
Unreasonable Impact on Free Expression - Specific facts of the case raise free expression issues (such as cases involving journalists or the press).
How does Mozilla handle voluntary disclosures and Emergency Requests?
The law authorizes us to disclose information to governmental entities in emergencies and we may do so if we have a good faith belief that it is reasonably necessary to protect the rights, property or safety of people.
If we receive an Emergency Request, we require it to be certified in writing by a government officer describing the nature of the emergency and how the information requested might prevent the harm. Additionally, we may attempt to verify information before responding.
How does Mozilla handle copyright removal requests?
See here to read our process for handling reports of copyright infringement.
How does Mozilla handle trademark removal requests?
See here to read our process for handling reports of trademark infringement.
When does Mozilla notify users about a Specific User disclosure?
In some cases when we make a voluntary disclosure, we may choose to skip or delay notification if we have a good faith belief that it is reasonably necessary to protect the rights, property or safety of people.
When does Mozilla notify users about a copyright or trademark request?
Users are notified if we receive a Takedown Notice related to their submission on a Mozilla service. We also try to publicly post copies of the Takedown Notices (with personal data redacted) to sites such as MozWiki and Lumen Database (formerly known as the Chilling Effects project).
What does the Supplement cover?
This section of our report covers situations that don’t fit into our reporting categories. For example, to the extent we are legally permitted, we may include voluntary disclosures as well as legal and policy activities that we engaged in during the reporting period to further government transparency.
What do you mean by Personal Data Requests?
We believe that everyone should have control over their personal data, understand how it’s obtained and used, and be able to access, modify, or delete it. We extend these principles to all of our users regardless of when they submit a Personal Data Request, where they are located, or whether a data protection law (such as the GDPR) grants them express privacy rights.
- Counter Notice
- Court Order
An order issued by a judge or magistrate compelling a company to engage or refrain from certain action.
- Cybersecurity Threat Indicator
Pieces of information about a threat to a computer network or system, such as a vulnerability, piece of malicious code, or the IP address of an attacker. This definition is based on the Cybersecurity Information Sharing Act of 2015 (CISA); the full definition is at 6 U.S.C. § 1501(6).
- Emergency Request
A request from a government agency seeking information on an expedited basis in connection with an emergency, typically involving death or serious injury.
- Legal Process
Examples of Legal Process from outside the United States include: Letters Rogatory and requests through a MLAT (Mutual Legal Assistance Treaty).
- Letters Rogatory
A Court Order issued by a Court within the United States after a formal request from a Court outside the United States. Letters Rogatory must be valid in both the United States and the originating country.
- MLAT (Mutual Legal Assistance Treaty)
A treaty between the United States and another country authorizing a Court in the United States to issue a Court Order upon a request from another country. MLAT requests must be valid in both the United States and the originating country.
- National Security Request
A National Security Letter issued under 18 U.S.C. § 2709, a Court Order issued under the Foreign Intelligence Surveillance Act, or any other classified request for user information issued in the U.S.
- Pen Register Order
A Pen Register and Trap and Trace Order is a type of U.S. Court Order compelling a company to disclose data about a user’s real-time communications (excluding the content of the communications themselves) to law enforcement on an ongoing basis, usually for a period of 60 days.
- Personal Data Request
A user-generated request about personal data such as how to delete, port, modify or access it. For the purpose of our Transparency Report, we count the number of requests received by email, post, or to our portal for Data Subject Access Requests. We don’t count (or have metrics for) the number of such requests that our users process themselves through in-product features.
- Search Warrant
A document authorizing law enforcement to obtain user data issued by a neutral and detached magistrate on the basis of finding that “probable cause” exists to believe that the items being sought will be found in the place to be searched.
- Specific User
An identifiable user of Mozilla’s products and services.
A formal request for the production of evidence or testimony that can be issued by a government agency or court. Judicial review is not necessarily required.
- Takedown Notice
Documentation that meets the requirements set forth in our reporting copyright or trademark infringement page.
- Wiretap Order
A type of U.S. Court Order compelling a company to disclose the metadata and content of a user’s real-time communications to law enforcement on an ongoing basis, usually for a period of 30 days.