Security/Anonymous Browsing: Difference between revisions

From MozillaWiki

Revision as of 09:48, 25 June 2010

This page will serve as a design requirements and discussion for an Anonymous Browsing Mode. Whether or not it is implemented, the requirements and goals for such a mode will be documented here.

Anonymous Browsing Mode

Unlike Private Browsing, which mainly attempts to protect a user from a local attacker, Anonymous Browsing will serve to minimize the amount of identifying data that is available to a remote (web or network) attacker (see, for example, the EFF Panopticlick project). The main motivations behind such a mode are to prevent user tracking and fingerprinting, but there are many use cases.

Scope of this Document

This working document will serve as an explanation of why users will want Anonymous Browsing, how such a mode would behave and what will need to be different in this mode from regular browsing sessions for such a mode to be useful.

Metadata

Driver: Sid Stamm
Status: Brainstorming
Started: 24-June-2010

Relevant Links:

  • ...

Use Cases

Users of anonymous browsing mode would be concerned about tracking from Internet sites under various circumstances, and may or may not be concerned about local records on their computer's disk. They may have a number of browsing behaviours. It is best to represent these behaviours as "stories", to better understand the needs of different types of users, and to properly design feature and option choices to accommodate them.

The Medical Patient/Abuse Victim

The medical patient has some kind of condition that they would prefer that ad networks not be aware of: possibly one that puts them at risk for raised medical, life, or auto insurance premiums, or carries other social stigma. Such a user may decide to use the mode after receiving mysterious targeted ads for their condition while visiting unrelated sites.

They are possibly a member of a number of online support groups (such as Alcoholics Anonymous, Narcotics Anonymous, etc.) that they log in to and post to under a pseudonym using the mode.

They are likely an occasional user, and would remain logged in to social media services, their email account, and other websites continuously during normal browsing, but would prefer a clean slate for web usage relating to their condition.

They may or may not be concerned about records of anonymous web activity on their own computer. They likely use the mode from home, but may opt to use a proxy.

The Pseudonymous Blogger

The pseudonymous blogger maintains a politically or technically controversial blog that may expose them to subpoena risk to uncover their identity. There have been several cases of Apple in particular demanding the identity of bloggers posting about unreleased or otherwise secret product releases or features. Bloggers in China and other countries also face risk of attempts to identify them.

This user likely uses public wifi or a proxy to access the Internet, as opposed to their normal Internet connection.

If operating in the United States, this user is likely not concerned about logs on their local disk.

This user may wish to preserve their "Anonymous mode" cookies beyond a single session, but does not want them mixing with their normal cookies. They may have separate Facebook, Twitter, and other social media accounts for their blogging persona, in addition to their regular persona.

The Paranoid

The paranoid wants to avoid most of their activity being recorded by ad networks and services. They are suspicious of Facebook, social media sites, and tend not to be logged in to any services continuously. They are the types that currently disable JavaScript and/or run NoScript, BetterPrivacy, RequestPolicy, Adblock Plus, CookieCuller, and other addons to improve their privacy online.

They likely use the mode continuously from home.

The Whistleblower/Anonymous Tipster

The whistleblower uses the web normally for the majority of the time. However, at some point they discover wrongdoing at their workplace or otherwise need to anonymously contact the press.

The whistleblower will only use the mode once or rarely, though they may create an email account to establish initial communication with the press.

They will likely use public wifi, or a proxy.

The Anonymous Commenter

The anonymous commenter is a user who is posting relevant information to a blog post or news article. Those that truly require anonymity need it because they have inside or privileged information relevant to a story.

Most likely, they spend the majority of their Internet usage logged into a number of online services that record various things about them, may be logged into other services automatically by federated login systems such as OpenID, and have been exposed to a number of ad networks intent on tracking them.

They use Anonymous Mode to ensure that the blog or news site (which may have numerous advertising partnerships) would have a very hard time correlating their comment to their normal browsing.

They likely do not care about their activity being recorded to their computer's disk. They most likely use the mode from home, but may use public wifi or a proxy.

The Privacy Power User

The power user would prefer to maintain multiple independent identities logged in to various social media services. They would prefer to be able to configure their browser to quickly switch between these identities, which may represent different personae, or may simply represent individual services or websites that they do not want to be logged in to concurrently.

They likely author independent blogs, have multiple email accounts, post on multiple mailing lists/web forums, contribute to a number of open source projects, and/or operate multiple Twitter feeds, all under different pseudonyms.

They likely use a proxy of some sort. They are not concerned about their activity being stored on their computer: in fact they would prefer it, to ease their ability to remain logged in to services and retain history and bookmarks without suffering the privacy consequences.

User Agent Considerations

Caches and History

Fonts and Font Lists

Locale issues, standard font lists, etc.

Advertised Capabilities

User-Agent string, Accept headers, etc.

Plug-Ins

Extensions/Add-Ons

Security

SSL certs, etc.

Impact

How much will this impact the web experience for users? We can break things in the name of anonymity if users opt in to such a mode, but how much breakage is tolerable?