Hi Georg,
Thanks for bringing this up for discussion. I totally agree with your philosophy of keeping the options exposed in the user interface as simple as possible. Zooko wisely said, "the number of modes or options in your system is the *exponent* in how hard it is to maintain." [1]
I am not talking here about how the privacy pane should look in non-PBM(+), but if PBM+ got enabled the pane could be quite clean and show by default five checkboxes and one button, like
[x] Enable Private Browsing Mode+
[x] Don't remember history
[x] Prevent website tracking
[x] Prevent browser fingerprinting
[ ] Prevent location tracking (use a proxy)
[Show site data]
I think the last three checkboxes (Prevent website tracking, Prevent browser fingerprinting, and Prevent location tracking) are too abstruse and should be merged into a single "network privacy" checkbox. If you want to prevent website tracking, in practice you also need fingerprinting defenses and a proxy. In other words, the privacy pane should show, simply:
+ In private browsing mode:
[x] Don't record my browsing history on this computer
[x] Keep bad people on the internet from recording my browsing history
By offering only a single on/off pref for network privacy, we will be protecting users from a network that is almost always more hostile than they anticipate. By requiring users to answer the question, "Do you want network privacy, or don't you?" we are confronting users with the fact that network adversaries will use any and all means to track users. We are saying, "Dear User, you can't disable some network defenses, and expect to remain protected."
And, furthermore, I would suggest that both of these checkboxes should be enabled by default. Indeed, according to the paper you cited [3], at least 20% of users think network privacy is the purpose of private browsing mode.
In order to encourage Mozilla to adopt this level of user interface simplicity in Firefox, I would suggest we should have a single pref that controls all the features exposed by the second checkbox. This pref would cover all kinds of cache and network isolation, anti-fingerprinting and anti-linking measures, activating Tor (once it is embedded in Firefox), etc.
While there may be advantages to introducing several prefs, I fear these advantages will be outweighed by the damage to privacy from pref entropy -- the more privacy prefs we introduce, the more likely some of them will be turned off by default in Firefox, due to random decisions.
Arthur
[1] https://twitter.com/zooko/status/525382151668502528
[3] http://www.winlab.rutgers.edu/~janne/WPES14-privatebrowsing.pdf