Security/Anonymous Browsing
This page will serve as a design requirements and discussion for an Anonymous Browsing Mode. Whether or not it is implemented, the requirements and goals for such a mode will be documented here.
Anonymous Browsing Mode
Unlike Private Browsing, which mainly attempts to protect a user from a local attacker, Anonymous Browsing will serve to minimize the amount of identifying data that is available to a remote (web or network) attacker (for example, consider the EFF panopticlick project). The main motivations behind such a mode are to prevent user tracking and fingerprinting, but there are many use cases.
Scope of this Document
This working document will serve as an explanation of why users will want Anonymous Browsing, how such a mode would behave and what will need to be different in this mode from regular browsing sessions for such a mode to be useful.
Metadata
| Driver: | Sid Stamm |
| Status: | Brainstorming |
| Started: | 24-June-2010 |
Relevant Links:
Use Cases
Users of anonymous browsing mode would be concerned about tracking from Internet sites under various circumstances, and may or may not be concerned about local records on their computer's disk.
Public awareness of the privacy issues surrounding using the web is rising, as evidenced by the need for advertising networks to resort to flash cookies and fingerprinting due to the frequency with which normal users clear their cookies. The popularity of privacy-enhancing addons and the private browsing modes of the major browsers also suggest that a mode that helps to mitigate ubiquitous web tracking may be a key differentiator against competing browsers.
The target users of this mode may have a number of different browsing behaviours and needs. It is best to represent these behaviours as "stories", to better understand the needs of different types of users, and to properly design feature and option choices to accommodate them.
The Medical Patient/Abuse Victim
The medical patient has some kind of condition that they would prefer that ad networks not be aware of: possibly one that puts them at risk for raised medical, life, or auto insurance premiums, or carries other social stigma. Such a user may decide to use the mode after receiving mysterious targeted ads for their condition while visiting unrelated sites.
They are possibly a member of a number of online support groups that they log in to and post to under a pseudonym (such as alcoholics anonymous, narcanon, etc) using the mode.
They are likely an occasional user, and would remain logged in to social media services, their email account, and other websites continuously during normal browsing, but would prefer a clean slate for web usage relating to their condition.
They may or may not be concerned about records of anonymous web activity on their own computer. They likely use the mode from home, but may opt to use a proxy.
The Pseudonymous Blogger
The pseudonymous blogger maintains a politically or technically controversial blog that may expose them to subpoena risk to uncover their identity. There have been several cases of Apple in particular demanding the identity of bloggers posting about unreleased or otherwise secret product releases or features. Bloggers in China and other countries also face risk of attempts to identify them.
This user likely uses public wifi, a prepaid data device, a VPN, or a proxy to access the Internet, as opposed to their normal Internet connection.
If operating in the United States, this user is likely not concerned about logs on their local disk.
This user may wish to preserve their "Anonymous mode" cookies beyond a single session, but does not want them mixing with their normal cookies. They may have a seperate Facebook, twitter, and other social media accounts for their blogging persona, in addition to their regular persona.
The Anonymous Commenter
The anonymous commenter is a user who is posting relevant information to a blog post or news article. Those that truly require anonymity need it because they have inside or privileged information relevant to a story.
Most likely, they spend the majority of their Internet usage logged into a number of services online that record various things about them, and may log them into arbitrary services automatically due to federated login systems such as OpenID, and have been exposed to a number of ad networks intent on tracking them.
They use Anonymous Mode to ensure that the blog or news site (which may have numerous advertising partnerships) would have a very hard time correlating their comment to their normal browsing.
They likely do not care about their activity being recorded to their computer's disk. They most likely use the mode from home, but may use public wifi or a proxy.
The Whistleblower/Anonymous Tipster
Similar to the Anonymous Commenter, the whistleblower uses the web normally for the majority of the time. However, at some point they discover wrongdoing at their workplace or otherwise need to anonymously contact the press.
The whistleblower will only use the mode once or rarely, though they may create an email account to establish communication with the press.
They will likely use public wifi, a prepaid data device, and/or a proxy.
The Paranoid
Just because you're paranoid doesn't mean they aren't out to get you.
The paranoid wants to avoid most of their activity being recorded by ad networks and services. They are suspicious of Facebook, social media sites, and tend not to be logged in to any services continuously. They clear their cookies regularly, and may disable javascript and/or run NoScript, BetterPrivacy, RequestPolicy, Adblock Plus, TACO, CookieCuller, and other addons to improve their privacy online. These are some of the most popular Firefox addons on addons.mozilla.org.
They likely use the mode continuously from home.
The Privacy Power User
The power user would prefer to maintain multiple independent identities logged in to various social media services. They would prefer to be able to configure their browser to quickly switch between these identities, which may represent different personae, or may simply represent individual services or websites that they do not want to be logged in to concurrently.
They likely author independent blogs, have multiple email accounts, post on multiple mailinglists/web forums, contribute to a number of open source projects, and/or operate multiple twitter feeds, all under different pseudonyms.
They likely use a prepaid data device or proxy of some sort. They are not concerned about their activity being stored on their computer: in fact they would prefer it, to ease their ability to remain logged in to services and retain history and bookmarks without suffering the privacy consequences.
They would likely also prefer the ability to configure their browser to only retain cookies for certain sites, and to periodically clear all other browser state. They would be satisfied if these features were available only through addons, as opposed to core browser features. However, it looks as if the proposed Weave Identity project called Account Manager could be extended to support this use case.
Adversary Model
The adversary is interested in tracking the user by any means necessary. However, mechanisms that are already being addressed by other projects will not be discussed in this document. Private Browsing Mode, in particular, is primarily concerned with preventing the storage of browsing data.
This document will focus on network-based tracking mechanisms. In particular, the adversary is interested in correlation of regular mode browsing to anonymous mode browsing using unique identifiers, in obtaining location information, and in fingerprinting the user's browser characteristics.
The adversary may have many motivations for doing this, but to keep scope simple, it may be best to assume that their primary motivation is to correlate user web activity for purposes of tracking users against their will for purposes of serving ads. A large class of adversaries (the ad networks) are interested in deploying semi-intrusive mechanisms to do so, in light of increasing number of users choosing to clear their cookies regularly, and in light of potential future Third Party Cookie protection mechanisms implemented by the major browsers.
Behavior
This section describes the major browser behaviours the mode will need to alter in order to address the adversary model. Many of these come from the Fingerprinting page, but some are just general privacy mechanisms.
User Agent
Caches and History
Cookies
Location Information
External Protocol Handlers
Fonts and Font Lists
Locale issues, standard font lists, etc.
Clock Delta+Precision
Screen Resolution and Properties
HTTP Headers/Activity
User-Agent string, Accept headers, etc.
Plug-Ins
Extensions/Add-Ons
SSL
The SSL Layer currently exposes a few different pieces of identifying information that would need to be altered while the user is in anonymous browsing mode. Stored client certificates must be disabled during the mode. All current SSL session identifiers must be cleared upon entering the mode.
Stored server and CA certificates may also need to be optionally disabled, though this should be left to user preference.
Finally, the SSL handshake also contains a timestamp from the client. A small random, per-domain offset could be added to it, but since it is already truncated to the second, this may not be terribly important.
Form Fill
Interface and Options
Impact
How much will this impact web experience for the users? Sure we can break things in the name of anonymity if users opt for such a mode, but how much is tolerable?