Unlike Private Browsing, which mainly attempts to protect a user from a local attacker, Anonymous Browsing will serve to minimize the amount of identifying data that is available to a remote (web or network) attacker (for example, consider the EFF panopticlick project). The main motivations behind such a mode are to prevent user tracking and fingerprinting, but there are many use cases.

Scope of this Document

This working document will serve as an explanation of why users will want Anonymous Browsing, how such a mode would behave and what will need to be different in this mode from regular browsing sessions for such a mode to be useful.

Metadata

Relevant Links:

• ...

Users of anonymous browsing mode would be concerned about tracking from Internet sites under various circumstances, and may or may not be concerned about local records on their computer's disk. They may have a number of browsing behaviours. It is best to represent these behaviours as "stories", to better understand the needs of different types of users, and to properly design feature and option choices to accommodate them.

The Medical Patient/Abuse Victim

The medical patient has some kind of condition that they would prefer that ad networks not be aware of - possibly one that puts them at risk for raised medical, life, or auto insurance premiums, or carries other social stigma. Such a user may decide to use the mode after receiving mysterious targeted ads for their condition while visiting unrelated sites.

They are possibly a member of a number of online support groups that they also post to under a pseudonym (such as alcoholics anonymous, narcanon, etc).

They would likely be an occasional user, and would remain logged in to a number of websites, social media services, etc continuously during normal browsing, but would prefer a clean slate for web usage relating to their condition.

They may or may not be concerned about records of anonymous web activity on their own computer. They likely use the mode from home.

The Pseudonymous Blogger

The pseudonymous blogger maintains a politically or technically controversial blog that may expose them to subpoena risk to uncover their identity. There have been several cases of Apple in particular demanding the identity of bloggers blogging about unreleased or otherwise secret product releases or features. Bloggers in China and other countries also face risk of attempts to identify them.

This user may use public wifi or a proxy to access the Internet, as opposed to their normal Internet connection.

If operating in the United States, this user is likely not concerned about logs on their local disk.

This user may wish to preserve their "Anonymous mode" cookies beyond a single session, but does not want them mixing with their normal cookies. They may have a seperate Facebook, twitter, and other social media accounts for their blogging persona, in addition to their regular persona.

The Paranoid

The paranoid wants to avoid most of their activity being recorded by ad networks and services. They are suspicious of Facebook, social media sites, and tend not to be logged in to any services continuously. They are the types that disable javascript, run NoScript, use BetterPrivacy, and other addons to improve their privacy online.

They likely use the mode continuously from home.

The Whistleblower/Anonymous Tipster

The whistleblower uses the web normally for the majority of the time. However, at some point they discover wrongdoing at their workplace or otherwise need to anonymously contact the press.

The whistleblower will only use the mode once or rarely, though they may create an email account to establish initial communication with the press.

They will likely use public wifi, or a proxy.

The Anonymous Commenter

Most likely, they spend the majority of their Internet usage logged into a number of services online that record various things about them, and may log them into arbitrary services automatically due to federated login systems such as OpenID, and have been exposed to a number of ad networks intent on tracking them.

The user has some activity that they do not want trivially tracked

Caches and History

Fonts and Font Lists

Locale issues, standard font lists, etc.

Advertised Capabilities

User-Agent string, Accept headers, etc.

Plug-Ins

Extensions/Add-Ons

Security

SSL certs, etc.

How much will this impact web experience for the users? Sure we can break things in the name of anonymity if users opt for such a mode, but how much is tolerable?