Arthur D. Edelstein:
I think the last three checkboxes (Prevent website tracking, Prevent browser fingerprinting, and Prevent location tracking) are too abstruse and should be merged into a single "network privacy" checkbox. If you want to prevent website tracking, in practice you also need fingerprinting defenses and a proxy. In other words, the privacy pane should show, simply:
- In private browsing mode:
  [x] Don't record my browsing history on this computer
  [x] Keep bad people on the internet from recording my browsing history
By offering only a single on/off pref for network privacy, we will be protecting users from a network that is almost always more hostile than they anticipate. By requiring users to answer the question, "Do you want network privacy, or don't you?" we are confronting users with the fact that network adversaries will use any and all means to track users. We are saying, "Dear User, you can't disable some network defenses, and expect to remain protected."
And, furthermore, I would suggest that both of these checkboxes should be enabled by default. Indeed, according to the paper you cited [3], at least 20% of users think network privacy is the purpose of private browsing mode.
In order to encourage Mozilla to adopt this level of user interface simplicity in Firefox, I would suggest we should have a single pref that controls all the features exposed by the second checkbox. This pref would cover all kinds of cache and network isolation, anti-fingerprinting and anti-linking measures, activating Tor (once it is embedded in Firefox), etc.
While there may be advantages to introducing several prefs, I fear these advantages will be outweighed by the damage to privacy from pref entropy -- the more privacy prefs we introduce, the more likely some of them will be turned off by default in Firefox, due to random decisions.
Well, first of all the casual user won't see the details of the privacy pane (that's the goal). She should only click on "Enable Private Browsing Mode" and that's it. Thus, we need reasonable defaults while still allowing users that need different settings to make the adjustments easily.
So, the proxy requirement comes first to mind. I hardly doubt that Mozilla will ever enable that one even with Tor integrated by default. And be it for the reason that surfing via Tor is and will always be slower than surfing without it or that websites are blocking Tor users. Let alone the scenario where users want to have privacy even if they have no proxy configured. And, taking my Tor hat off, the argument: "I don't want to let Google track which news sites I visit while I don't have a problem that Google sees somebody connecting to these sites from different networks (which is actually me)." seems not implausible to me. And what if your proxy is currently not reachable (for whatever reasons)? Why should you not have linkability/fingerprinting defenses in place at least? That would at a minimum keep trackers with not so much resources at bay which might be worthwhile to achieve.
What about the unlinkability/fingerprinting options? I see your point about preference inflation and the inherent dangers with it. And maybe it actually does indeed not make much sense from an end-user's view to differentiate between both: the fingerprinters are as well eager to generate an identifier for you which does not happen on the client-side in this case (as with cookies etc.) but on the server-side. The result is the same although it is non-trivial to defend against that server-side identifier by binding it to the URL-bar domain. :) So, yes, collapsing both checkboxes might be a good idea although I am not sure yet whether there are some important use-cases that should be taken into account here and which I am missing. We'd then have something like the following:
[x] Enable Private Browsing Mode+
  [x] Don't remember history
  [x] Prevent website tracking
  [ ] Prevent location tracking (use a proxy)
[Show site data]
Georg