[schoen]

It points to an interesting problem that, while browser vendors officially think that users ought to be notified when someone is using an intercepting proxy -- that it shouldn't be invisible to them -- when users aren't installing their own OS or configuring their own browser, it could be completely invisible in practice.

So the IT department-installed or OEM-installed cert is treated as "user-installed" by the pinning logic, and the user never actually gets warned.

[justcommenting]

As someone who respects your work, I would suggest that perhaps the more interesting problem is EFF's structural inability to do anything but apologize for Google policies and practices that clearly and obviously harm user freedom and privacy.