[tbb-dev] Quo Vadis, Private Browsing Mode?
gk at torproject.org
Thu Jan 22 12:00:55 UTC 2015
Arthur D. Edelstein:
> I think the last three checkboxes (Prevent website tracking, Prevent
> browser fingerprinting, and Prevent location tracking) are too
> abstruse and should be merged into a single "network privacy"
> checkbox. If you want to prevent website tracking, in practice you
> also need fingerprinting defenses and a proxy. In other words, the
> privacy pane should show, simply:
> + In private browsing mode:
> [x] Don't record my browsing history on this computer
> [x] Keep bad people on the internet from recording my browsing history
> By offering only a single on/off pref for network privacy, we will be
> protecting users from a network that is almost always more hostile
> than they anticipate. By requiring users to answer the question, "Do
> you want network privacy, or don't you?" we are confronting users with
> the fact that network adversaries will use any and all means to track
> users. We are saying, "Dear User, you can't disable some network
> defenses, and expect to remain protected."
> And, furthermore, I would suggest that both of these checkboxes should
> be enabled by default. Indeed, according to the paper you cited,
> at least 20% of users think network privacy is the purpose of
> private browsing mode.
> In order to encourage Mozilla to adopt this level of user interface
> simplicity in Firefox, I would suggest we should have a single pref
> that controls all the features exposed by the second checkbox. This
> pref would cover all kinds of cache and network isolation,
> anti-fingerprinting and anti-linking measures, activating Tor (once it
> is embedded in Firefox), etc.
> While there may be advantages to introducing several prefs, I fear
> these advantages will be outweighed by the damage to privacy from pref
> entropy -- the more privacy prefs we introduce, the more likely some
> of them will be turned off by default in Firefox, due to random
Well, first of all the casual user won't see the details of the privacy
pane (that's the goal). She should only click on "Enable Private
Browsing Mode" and that's it. Thus, we need reasonable defaults while
still allowing users that need different settings to make the
So, the proxy requirement comes first to mind. I hardly doubt that
Mozilla will ever enable that one even with Tor integrated by default.
And be it for the reason that surfing via Tor is and will always be
slower than surfing without it or that websites are blocking Tor users.
Let alone the scenario where users want to have privacy even if they
have no proxy configured. And, taking my Tor hat off, the argument: "I
don't want to let Google track which news sites I visit while I don't
have a problem that Google sees somebody connecting to these sites from
different networks (which is actually me)." seems not implausible to me.
And what if your proxy is currently not reachable (for whatever
reasons)? Why should you not have linkability/fingerprinting defenses in
place at least? That would at a minimum keep trackers with not so much
resources at bay which might be worthwhile to achieve.
What about the unlinkability/fingerprinting options? I see your point
about preference inflation and the inherent dangers with it. And maybe
it actually does indeed not make much sense from an end-user's view to
differentiate between both: the fingerprinters are as well eager to
generate an identifier for you which does not happen on the client-side
in this case (as with cookies etc.) but on the server-side. The result
is the same although it is non-trivial to defend against that
server-side identifier by binding it to the URL-bar domain. :) So, yes,
collapsing both checkboxes might be a good idea although I am not sure
yet whether there are some important use-cases that should be taken into
account here and which I am missing. We'd then have something like the
[x] Enable Private Browsing Mode+
[x] Don't remember history
[x] Prevent website tracking
[ ] Prevent location tracking (use a proxy)
[Show site data]