[tbb-dev] Quo Vadis, Private Browsing Mode?

Arthur D. Edelstein arthuredelstein at gmail.com
Wed Jan 21 19:57:55 UTC 2015


Hi Georg,

Thanks for bringing this up for discussion. I totally agree with your
philosophy of keeping the options exposed in the user interface as
simple as possible. Zooko wisely said, "the number of modes or options
in your system is the *exponent* in how hard it is to maintain." [1]

> I am not talking here about what the privacy pane should look like in
> non-PBM(+) but if PBM+ got enabled the pane could be quite clean and
> show by default five checkboxes and one button like
>
> [x] Enable Private Browsing Mode+
>
>     [x] Don't remember history
>     [x] Prevent website tracking
>     [x] Prevent browser fingerprinting
>     [ ] Prevent location tracking (use a proxy)
>
>                                [Show site data]

I think the last three checkboxes (Prevent website tracking, Prevent
browser fingerprinting, and Prevent location tracking) are too
abstruse and should be merged into a single "network privacy"
checkbox. If you want to prevent website tracking, in practice you
also need fingerprinting defenses and a proxy. In other words, the
privacy pane should show, simply:

+ In private browsing mode:
  [x] Don't record my browsing history on this computer
  [x] Keep bad people on the internet from recording my browsing history

By offering only a single on/off pref for network privacy, we will be
protecting users from a network that is almost always more hostile
than they anticipate. By requiring users to answer the question, "Do
you want network privacy, or don't you?" we are confronting users with
the fact that network adversaries will use any and all means to track
users. We are saying, "Dear User, you can't disable some network
defenses, and expect to remain protected."

And, furthermore, I would suggest that both of these checkboxes should
be enabled by default. Indeed, according to the paper you cited
[3], at least 20% of users think network privacy is the purpose of
private browsing mode.

In order to encourage Mozilla to adopt this level of user interface
simplicity in Firefox, I would suggest we should have a single pref
that controls all the features exposed by the second checkbox. This
pref would cover all kinds of cache and network isolation,
anti-fingerprinting and anti-linking measures, activating Tor (once it
is embedded in Firefox), etc.

While there may be advantages to introducing several prefs, I fear
these advantages will be outweighed by the damage to privacy from pref
entropy -- the more privacy prefs we introduce, the more likely some
of them will be turned off by default in Firefox, due to random
decisions.

Arthur

[1] https://twitter.com/zooko/status/525382151668502528
> [3] http://www.winlab.rutgers.edu/~janne/WPES14-privatebrowsing.pdf

