Hi all,
the discussion about how to handle our fingerprinting patches in the Private Browsing Mode (PBM) space we had on 01/12 made me think a bit more about the topic in general.
So, PBM currently is just meant to avoid saving information about the sites you visit. Nothing more and nothing less.[1] This basically maps to the disk avoidance requirement in the Tor Browser design document.[2] The question is now how to treat the other privacy relevant areas like cross-origin linkability or fingerprinting? Should we invent new modes and try to sell them to the user in addition to the Private Browsing Mode? And if so, how exactly do we relate all these things together given that there are now private windows and non-private windows coexisting in vanilla Firefox versions (thanks for bringing this complication up, Arthur)?
Here is what I think we should aim at: We should have one mode we sell as private browsing mode, call it Private Browsing Mode+ (PBM+) for now, that contains the different areas I mentioned above as they are all related to "privacy" in one way.
How should it work ------------------
If you look at the current privacy pane in your Firefox you see that there are already some foundations laid for that idea in that Mozilla seems to acknowledge that there are different angles to "privacy": there is the Tracking section that would roughly correspond to our cross-origin linkability area, then there is the History section which regulates the disk avoidance part and then there is the odd Location Bar section which is presumably there to optionally prevent people from looking over ones shoulder. No fingerprinting part. No proxy part (in case users are looking for location privacy). At the same time the privacy pane is highly confusing: What do third party cookie settings play for a role in the history section, for instance? And why are these settings deeply buried there and not visible in the Tracking section?
I am not talking here about how the privacy pane should look like in non-PBM(+) but if PBM+ got enabled the pane could by quite clean and show by default five checkboxes and one button like
[x] Enable Private Browsing Mode+
[x] Don't remember history [x] Prevent website tracking [x] Prevent browser fingerprinting [ ] Prevent location tracking (use a proxy)
[Show site data]
(We could think about checking the last checkbox, too, if a proxy is already configured)
Users would then
1) easily see what kind of privacy related protections they have enabled without the need to dig down some obscure menus and fiddle with several settings. 2) be able to configure their mode according to their needs (yes, there are people that want their history being enabled (I am not of that sort btw) while all the other protections remain in place). 3) get a place where the improved privacy UI mentioned in our design document would have a good place (we might need to think about which relationship it has to the prevent-tracking-option above but that is just a detail): a "Show site data" button.
Why should it work that way ---------------------------
First if all, it is highly confusing for a user to have a bunch of modes to select from if she wants to get privacy on the web. "Enable Private Browsing Mode" somewhere in the menu or via a toolbar button should be enough. There is no need for her to know things about the different parts of the privacy concept.
Second, there is still a big part of users that see more than one angle with respect to privacy and include the linkability and fingerprinting part in their concept of a private browsing mode.[3] We should take care of them and incorporate that into the UI I think. This is especially important, I think, as the usual things that hit the mainstream press and thus have a chance to get seen by and influence normal users are linkability/fingerprinting related.[4][5]
What to do ----------
For the linkability related things we have a preference which makes it a) easier for Mozilla to merge our patches and b) makes it easier for the UI I outlined above. It might even make it easier for Mozilla to adapt such a UI as they could just flip a preference if they really think that cross-origin linkability has nothing to do with a Private Browsing Mode.
It might make sense to have a preference for the fingerprinting patches, too, then given the model above. Something like "privacy.fingerprinting.disable" maybe. This would allow Mozilla then again to leave the checkbox unchecked in a UI like the one above if they think fingerprinting does not belong into the Private Browsing Mode. It might make upstreaming patches easier, too. And, as a last point, we should not let us distract here from people framing the fingerprinting issue as a security related one being orthogonal to privacy concerns.[6]
Georg
[1] https://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-sav... [2] https://www.torproject.org/projects/torbrowser/design/#disk-avoidance [3] About 22% according to http://www.winlab.rutgers.edu/~janne/WPES14-privatebrowsing.pdf. But the data they collected is not as robust as I'd like to have it. [4] E.g.: http://www.mediapost.com/publications/article/155032/#axzz2JFJ5s8l1 [5] E.g.: https://www.propublica.org/article/meet-the-online-tracking-device-that-is-v... [6] See the FPDetective paper: https://www.cosic.esat.kuleuven.be/publications/article-2334.pdf sections 7.1 and 7.3 for examples
Hello Georg,
On Wed., janv. 21, 2015, Georg Koppen wrote:
I am not talking here about how the privacy pane should look like in non-PBM(+) but if PBM+ got enabled the pane could by quite clean and show by default five checkboxes and one button like
[x] Enable Private Browsing Mode+
[x] Don't remember history [x] Prevent website tracking [x] Prevent browser fingerprinting [ ] Prevent location tracking (use a proxy)
[Show site data]
There is a friend of Tor designing the B2G privacy panel as we speak. B2G doesn't have PBM, but will present a simplified panel (even with proxy support) like you're suggesting.
So there's a question of privacy panel convergence in Mozilla products as well as TBB. Probably something Polaris intends to coordinate?
[...]
- easily see what kind of privacy related protections they have
enabled without the need to dig down some obscure menus and fiddle with several settings.
Keep it simple stupid is the winning recipe in a lot of user trends, so thanks for making this #1.
Cheers, Michael
Hi Georg,
Thanks for bringing this up for discussion. I totally agree with your philosophy of keeping the options exposed in the user interface as simple as possible. Zooko wisely said, "the number of modes or options in your system is the *exponent* in how hard it is to maintain." [1]
I am not talking here about how the privacy pane should look like in non-PBM(+) but if PBM+ got enabled the pane could by quite clean and show by default five checkboxes and one button like
[x] Enable Private Browsing Mode+
[x] Don't remember history [x] Prevent website tracking [x] Prevent browser fingerprinting [ ] Prevent location tracking (use a proxy) [Show site data]
I think the last three checkboxes (Prevent website tracking, Prevent browser fingerprinting, and Prevent location tracking) are too abstruse and should be merged into a single "network privacy" checkbox. If you want to prevent website tracking, in practice you also need fingerprinting defenses and a proxy. In other words, the privacy pane should show, simply:
+ In private browsing mode: [x] Don't record my browsing history on this computer [x] Keep bad people on the internet from recording my browsing history
By offering only a single on/off pref for network privacy, we will be protecting users from a network that is almost always more hostile than they anticipate. By requiring users to answer the question, "Do you want network privacy, or don't you?" we are confronting users with the fact that network adversaries will use any and all means to track users. We are saying, "Dear User, you can't disable some network defenses, and expect to remain protected."
And, furthermore, I would suggest that both of these checkboxes should be in enabled by default. Indeed, according to the paper you cited [3], at least 20% of users think network privacy is the purpose of private browsing mode.
In order to encourage Mozilla to adopt this level of user interface simplicity in Firefox, I would suggest we should have a single pref that controls all the features exposed by the second checkbox. This pref would cover all kinds of cache and network isolation, anti-fingerprinting and anti-linking measures, activating Tor (once it is embedded in Firefox), etc.
While there may be advantages to introducing several prefs, I fear these advantages will be outweighed by the damage to privacy from pref entropy -- the more privacy prefs we introduce, the more likely some of them will be turned off by default in Firefox, due to random decisions.
Arthur
[1] https://twitter.com/zooko/status/525382151668502528
[3] http://www.winlab.rutgers.edu/~janne/WPES14-privatebrowsing.pdf
Arthur D. Edelstein:
I think the last three checkboxes (Prevent website tracking, Prevent browser fingerprinting, and Prevent location tracking) are too abstruse and should be merged into a single "network privacy" checkbox. If you want to prevent website tracking, in practice you also need fingerprinting defenses and a proxy. In other words, the privacy pane should show, simply:
- In private browsing mode: [x] Don't record my browsing history on this computer [x] Keep bad people on the internet from recording my browsing history
By offering only a single on/off pref for network privacy, we will be protecting users from a network that is almost always more hostile than they anticipate. By requiring users to answer the question, "Do you want network privacy, or don't you?" we are confronting users with the fact that network adversaries will use any and all means to track users. We are saying, "Dear User, you can't disable some network defenses, and expect to remain protected."
And, furthermore, I would suggest that both of these checkboxes should be in enabled by default. Indeed, according to the paper you cited [3], at least 20% of users think network privacy is the purpose of private browsing mode.
In order to encourage Mozilla to adopt this level of user interface simplicity in Firefox, I would suggest we should have a single pref that controls all the features exposed by the second checkbox. This pref would cover all kinds of cache and network isolation, anti-fingerprinting and anti-linking measures, activating Tor (once it is embedded in Firefox), etc.
While there may be advantages to introducing several prefs, I fear these advantages will be outweighed by the damage to privacy from pref entropy -- the more privacy prefs we introduce, the more likely some of them will be turned off by default in Firefox, due to random decisions.
Well, first of all the casual user won't see the details of the privacy pane (that#s the goal). She should only click on "Enable Private Browsing Mode" and that's it. Thus, we need reasonable defaults while still allowing users that need different settings to make the adjustments easily.
So, the proxy requirement comes first to mind. I hardly doubt that Mozilla will ever enable that one even with Tor integrated by default. And be it for the reason that surfing via Tor is and will always be slower than surfing without it or that websites are blocking Tor users. Let alone the scenario where users want to have privacy even if they have no proxy configured. And, taking my Tor hat off, the argument: "I don't want to let Google track which news sites I visit while I don't have a problem that Google sees somebody connecting to these sites from different networks (which is actually me)." seems not unplausible to me. And what if your proxy is currently not reachable (for whatever reasons)? Why should you not have linkability/fingerprinting defenses in place at least? That would at a minimum keep trackers with not so much resources at bay which might be worthwhile to achieve.
What about the unlinkability/fingerprinting options? I see your point about preference inflation and the inherent dangers with it. And maybe it actually does indeed not make much sense from an end-user's view to differentiate between both: the fingerprinters are as well eager to generate an identifier for you which does not happen on the client-side in this case (as with cookies etc.) but on the server-side. The result is the same although it is non-trivial do defend against that server-side identifier by binding it to the URL-bar domain. :) So, yes, collapsing both checkboxes might be a good idea although I am not sure yet whether there are some important use-cases that should be taken into account here and which I am missing. We'd then have something like the following:
[x] Enable Private Browsing Mode+
[x] Don't remember history [x] Prevent website tracking [ ] Prevent location tracking (use a proxy)
[Show site data]
Georg
I've pointed the Mozilla dev-privacy list at this thread to see what they think. See https://groups.google.com/d/topic/mozilla.dev.privacy/o-1UVHwAlKk and https://groups.google.com/d/msg/mozilla.dev.privacy/XQza_CmYDr4/7hemg2vtyUYJ
If you're not currently subscribed to dev-privacy, you may want to do so now so you can weigh in: https://lists.mozilla.org/listinfo/dev-privacy
Georg Koppen:
Hi all,
the discussion about how to handle our fingerprinting patches in the Private Browsing Mode (PBM) space we had on 01/12 made me think a bit more about the topic in general.
So, PBM currently is just meant to avoid saving information about the sites you visit. Nothing more and nothing less.[1] This basically maps to the disk avoidance requirement in the Tor Browser design document.[2] The question is now how to treat the other privacy relevant areas like cross-origin linkability or fingerprinting? Should we invent new modes and try to sell them to the user in addition to the Private Browsing Mode? And if so, how exactly do we relate all these things together given that there are now private windows and non-private windows coexisting in vanilla Firefox versions (thanks for bringing this complication up, Arthur)?
Here is what I think we should aim at: We should have one mode we sell as private browsing mode, call it Private Browsing Mode+ (PBM+) for now, that contains the different areas I mentioned above as they are all related to "privacy" in one way.
How should it work
If you look at the current privacy pane in your Firefox you see that there are already some foundations laid for that idea in that Mozilla seems to acknowledge that there are different angles to "privacy": there is the Tracking section that would roughly correspond to our cross-origin linkability area, then there is the History section which regulates the disk avoidance part and then there is the odd Location Bar section which is presumably there to optionally prevent people from looking over ones shoulder. No fingerprinting part. No proxy part (in case users are looking for location privacy). At the same time the privacy pane is highly confusing: What do third party cookie settings play for a role in the history section, for instance? And why are these settings deeply buried there and not visible in the Tracking section?
I am not talking here about how the privacy pane should look like in non-PBM(+) but if PBM+ got enabled the pane could by quite clean and show by default five checkboxes and one button like
[x] Enable Private Browsing Mode+
[x] Don't remember history [x] Prevent website tracking [x] Prevent browser fingerprinting [ ] Prevent location tracking (use a proxy) [Show site data](We could think about checking the last checkbox, too, if a proxy is already configured)
Users would then
- easily see what kind of privacy related protections they have enabled
without the need to dig down some obscure menus and fiddle with several settings. 2) be able to configure their mode according to their needs (yes, there are people that want their history being enabled (I am not of that sort btw) while all the other protections remain in place). 3) get a place where the improved privacy UI mentioned in our design document would have a good place (we might need to think about which relationship it has to the prevent-tracking-option above but that is just a detail): a "Show site data" button.
Why should it work that way
First if all, it is highly confusing for a user to have a bunch of modes to select from if she wants to get privacy on the web. "Enable Private Browsing Mode" somewhere in the menu or via a toolbar button should be enough. There is no need for her to know things about the different parts of the privacy concept.
Second, there is still a big part of users that see more than one angle with respect to privacy and include the linkability and fingerprinting part in their concept of a private browsing mode.[3] We should take care of them and incorporate that into the UI I think. This is especially important, I think, as the usual things that hit the mainstream press and thus have a chance to get seen by and influence normal users are linkability/fingerprinting related.[4][5]
What to do
For the linkability related things we have a preference which makes it a) easier for Mozilla to merge our patches and b) makes it easier for the UI I outlined above. It might even make it easier for Mozilla to adapt such a UI as they could just flip a preference if they really think that cross-origin linkability has nothing to do with a Private Browsing Mode.
It might make sense to have a preference for the fingerprinting patches, too, then given the model above. Something like "privacy.fingerprinting.disable" maybe. This would allow Mozilla then again to leave the checkbox unchecked in a UI like the one above if they think fingerprinting does not belong into the Private Browsing Mode. It might make upstreaming patches easier, too. And, as a last point, we should not let us distract here from people framing the fingerprinting issue as a security related one being orthogonal to privacy concerns.[6]
Georg
[1] https://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-sav... [2] https://www.torproject.org/projects/torbrowser/design/#disk-avoidance [3] About 22% according to http://www.winlab.rutgers.edu/~janne/WPES14-privatebrowsing.pdf. But the data they collected is not as robust as I'd like to have it. [4] E.g.: http://www.mediapost.com/publications/article/155032/#axzz2JFJ5s8l1 [5] E.g.: https://www.propublica.org/article/meet-the-online-tracking-device-that-is-v... [6] See the FPDetective paper: https://www.cosic.esat.kuleuven.be/publications/article-2334.pdf sections 7.1 and 7.3 for examples
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
-
Arthur D. Edelstein -
Georg Koppen -
Mike Perry -
tordevmuc@encambio.com