Module resurrection: Private Browsing


Ehsan Akhgari

Jul 10, 2015, 9:43:59 AM
to gover...@lists.mozilla.org, Josh Matthews
The Private Browsing module started its life under the Firefox module
<https://wiki.mozilla.org/index.php?title=Modules/Firefox&oldid=351420>
and then was unintentionally killed when we merged all of the modules
under Firefox.

Since Private Browsing currently serves all of our products and as
experience has shown, it is tough to get it right all the time, I would
like to resurrect the module officially under Core this time.

This module is special in the sense that its implementation is spread
across the code base because of the nature of the feature.

Here are the details for the resurrected module:

Name: Private Browsing
Description: Implementation of the Private Browsing mode, and the
integration of other modules with Private Browsing APIs.
Owner: Ehsan Akhgari
Peer(s): Josh Matthews
Source Dir(s): Implementation and consumers of Private Browsing APIs in
nsILoadContext, nsIPrivateBrowsingChannel, PrivateBrowsingUtils.jsm and
the related glue code.
Bugzilla Component(s): Firefox::Private Browsing
URL(s): https://wiki.mozilla.org/Per-window_Private_Browsing
Discussion Group: mozilla.dev.platform

Jonas Sicking

Jul 10, 2015, 6:37:36 PM
to Ehsan Akhgari, Josh Matthews, gover...@lists.mozilla.org
Hi Ehsan,

I'd really like to get some clarity in what the purpose of the private
browsing feature is supposed to be. Last we talked about this the
answer seemed to be "it's different things to different people. Only
thing that we agree on is that a private browsing window should not
write data to the user's disk".

This doesn't seem like a good state of things given how privacy is one
of the main focus areas for Firefox, and private browsing is our main
feature in the privacy space.

So I think it's quite critical that we figure out what we want this
feature to be on a user level, and not just on a code level.

/ Jonas

Ehsan Akhgari

Jul 10, 2015, 7:03:08 PM
to Jonas Sicking, Josh Matthews, gover...@lists.mozilla.org
On Fri, Jul 10, 2015 at 6:37 PM, Jonas Sicking <jo...@sicking.cc> wrote:

> Hi Ehsan,
>
> I'd really like to get some clarity in what the purpose of the private
> browsing feature is supposed to be. Last we talked about this the
> answer seemed to be "it's different things to different people. Only
> thing that we agree on is that a private browsing window should not
> write data to the user's disk".
>

To make it more clear, there is no contention on what the feature should do
from our side. It's just that we haven't done a very good job teaching
what this feature is intended to do to the _users_. There are for example
unintended use cases that came up after the feature was first implemented,
such as using this feature to log in to the same website twice at the same
time (by essentially getting a separate cookie jar) but those are well
understood now. But developers are also users, and as a result, developers
who are not familiar with private browsing may also have assumptions formed
as users of the feature which may not accurately reflect what the feature
does. Perhaps this is an example of what you had in mind?

There are also cases where deciding how to handle something is difficult.
For example, we store newly created bookmarks in private windows to the
disk as an unvisited bookmark. That is a choice that we made because we
considered bookmarking an explicit action by the user to ask the browser to
remember something, but an argument can be constructed for not doing that.

While these decisions may sound arbitrary, they were made carefully with
context that may not be super obvious.

There is also work under way now in order to integrate tracking protection
with private browsing, which would mean there would be new decisions like
this to be made. I have already started to talk to people about this.


> This doesn't seem like a good state of things given how privacy is one
> of the main focus areas for Firefox, and private browsing is our main
> feature in the privacy space.
>
> So I think it's quite critical that we figure out what we want this
> feature to be on a user level, and not just on a code level.
>

As far as I'm aware, we (as in me and Josh!) have a pretty clear picture of
what we want this feature to be. If you're aware of other parts of Mozilla
where there are misunderstandings about this, I would be glad to talk to
people and see how I can help.

Cheers,
Ehsan
--
Ehsan

Jonas Sicking

Jul 10, 2015, 8:05:56 PM
to Ehsan Akhgari, Josh Matthews, gover...@lists.mozilla.org
On Fri, Jul 10, 2015 at 4:02 PM, Ehsan Akhgari <ehsan....@gmail.com> wrote:
> On Fri, Jul 10, 2015 at 6:37 PM, Jonas Sicking <jo...@sicking.cc> wrote:
>>
>> Hi Ehsan,
>>
>> I'd really like to get some clarity in what the purpose of the private
>> browsing feature is supposed to be. Last we talked about this the
>> answer seemed to be "it's different things to different people. Only
>> thing that we agree on is that a private browsing window should not
>> write data to the user's disk".
>
>
> To make it more clear, there is no contention on what the feature should do
> from our side. It's just that we haven't done a very good job teaching what
> this feature is intended to do to the _users_. There are for example
> unintended use cases that came up after the feature was first implemented,
> such as using this feature to log in to the same website twice at the same
> time (by essentially getting a separate cookie jar) but those are well
> understood now. But developers are also users, and as a result, developers
> who are not familiar with private browsing may also have assumptions formed
> as users of the feature which may not accurately reflect what the feature
> does. Perhaps this is an example of what you had in mind?

Right.

I have never seen that documented anywhere. I think doing that would
be very useful.

Not just to make sure that we're all pulling in the same direction
(Gecko developers interact with private browsing code all the time),
but also so that we can have a discussion about if that intended goal
is the right one.

For example, the only intended goal that I've heard described is that
"Actions taken during private browsing should not cause data to be
written to disk". If that is the only goal of private browsing then
for example adding the new tracking protection doesn't make much
sense.

But to be honest, I actually think that if that was the only thing
that private browsing accomplished, then such a feature would be
fairly useless, as well as hard to explain to users. It's much more
likely that friends and family will see my google-stored search
history, than that they will snoop around in the cache database or
cookie database.

/ Jonas

Nicholas Nethercote

Jul 10, 2015, 11:02:05 PM
to Ehsan Akhgari, Josh Matthews, gover...@lists.mozilla.org
Sounds like a good idea to me!

Nick

Ehsan Akhgari

Jul 18, 2015, 2:56:24 PM
to Jonas Sicking, Josh Matthews, gover...@lists.mozilla.org
On Fri, Jul 10, 2015 at 8:05 PM, Jonas Sicking <jo...@sicking.cc> wrote:
Sorry it took such a long time to reply, but I was putting this together:
<https://wiki.mozilla.org/Private_Browsing>. Hopefully this clears the
design principles of the feature.


> Not just to make sure that we're all pulling in the same direction
> (Gecko developers interact with private browsing code all the time),
> but also so that we can have a discussion about if that intended goal
> is the right one.
>

I would like to know what you think after reading the above.


> For example, the only intended goal that I've heard described is that
> "Actions taken during private browsing should not cause data to be
> written to disk". If that is the only goal of private browsing then
> for example adding the new tracking protection doesn't make much
> sense.
>
> But to be honest, I actually think that if that was the only thing
> that private browsing accomplished, then such a feature would be
> fairly useless, as well as hard to explain to users. It's much more
> likely that friends and family will see my google-stored search
> history, than that they will snoop around in the cache database or
> cookie database.
>

The document above explains what the intended goal so far has been, it's a
bit more nuanced than just not writing data to the disk.

I disagree that the feature as it is today is useless but I don't have data
on the usage of the feature one way or another. But note that by default,
when using private browsing, your search history won't show up in your
Google history since the isolation provided prevents Google from
associating the search with your login (unless you log in, of course.)

But I will note that people have been asking for more privacy features to
be integrated into private browsing for as long as I remember. It has
always been technical difficulties that have made a lot of such features
very difficult to implement. Now that for example we have the opportunity
to turn tracking protection on inside private browsing, I think we should
do that, but the different features are orthogonal to each other, it is
just a matter of what we show in the user interface. And given the fact
that we phrase the UI as a "private" window, this association does make
sense to me. But for the purposes of this discussion, private browsing and
tracking protection should not be intertwined (even though they will
interact.)

Also, I would like to know if you're objecting to the resurrection of the
module, or just asking questions on what the module entails.

Thanks!
--
Ehsan

Jonas Sicking

Jul 20, 2015, 3:05:01 PM
to Ehsan Akhgari, Josh Matthews, gover...@lists.mozilla.org
This is great!

>> For example, the only intended goal that I've heard described is that
>> "Actions taken during private browsing should not cause data to be
>> written to disk". If that is the only goal of private browsing then
>> for example adding the new tracking protection doesn't make much
>> sense.
>>
>> But to be honest, I actually think that if that was the only thing
>> that private browsing accomplished, then such a feature would be
>> fairly useless, as well as hard to explain to users. It's much more
>> likely that friends and family will see my google-stored search
>> history, than that they will snoop around in the cache database or
>> cookie database.
>
> The document above explains what the intended goal so far has been, it's a
> bit more nuanced than just not writing data to the disk.
>
> I disagree that the feature as it is today is useless but I don't have data
> on the usage of the feature one way or another. But note that by default,
> when using private browsing, your search history won't show up in your
> Google history since the isolation provided prevents Google from associating
> the search with your login (unless you log in, of course.)

I definitely don't think that the feature is useless. Because we *do*
use a separate cookiejar in the private browsing window. I think the
story would have been different if we hadn't.

> But I will note that people have been asking for more privacy features to be
> integrated into private browsing for as long as I remember. It has always
> been technical difficulties that have made a lot of such features very
> difficult to implement. Now that for example we have the opportunity to
> turn tracking protection on inside private browsing, I think we should do
> that, but the different features are orthogonal to each other, it is just a
> matter of what we show in the user interface. And given the fact that we
> phrase the UI as a "private" window, this association does make sense to me.
> But for the purposes of this discussion, private browsing and tracking
> protection should not be intertwined (even though they will interact.)

I think it'd be great to have a short and clear list of what the
private browsing feature is. I think your wiki page is a great start
to that. It's definitely short enough that you can read through it
and get an understanding of the current goals.

I think it's also great that your page mentions research that has been
done about user expectations so that we can see where user
expectations don't match the list of features/goals of what the
feature is.

/ Jonas

Ehsan Akhgari

Jul 20, 2015, 4:41:26 PM
to Jonas Sicking, Josh Matthews, gover...@lists.mozilla.org
On 2015-07-20 3:04 PM, Jonas Sicking wrote:
>> I disagree that the feature as it is today is useless but I don't have data
>> on the usage of the feature one way or another. But note that by default,
>> when using private browsing, your search history won't show up in your
>> Google history since the isolation provided prevents Google from associating
>> the search with your login (unless you log in, of course.)
>
> I definitely don't think that the feature is useless. Because we *do*
> use a separate cookiejar in the private browsing window. I think the
> story would have been different if we hadn't.

Agreed.

>> But I will note that people have been asking for more privacy features to be
>> integrated into private browsing for as long as I remember. It has always
>> been technical difficulties that have made a lot of such features very
>> difficult to implement. Now that for example we have the opportunity to
>> turn tracking protection on inside private browsing, I think we should do
>> that, but the different features are orthogonal to each other, it is just a
>> matter of what we show in the user interface. And given the fact that we
>> phrase the UI as a "private" window, this association does make sense to me.
>> But for the purposes of this discussion, private browsing and tracking
>> protection should not be intertwined (even though they will interact.)
>
> I think it'd be great to have a short and clear list of what the
> private browsing feature is. I think your wiki page is a great start
> to that. It's definitely short enough that you can read through it
> and get an understanding of the current goals.
>
> I think it's also great that your page mentions research that has been
> done about user expectations so that we can see where user
> expectations don't match the list of features/goals of what the
> feature is.

I don't know of what research has been done here, if any. My impression
on what the users expect is mostly formed by looking at bug reports, and
mentions of this feature in various fora over the years, which is not
really research! So I'm not sure what else I could mention with regards
to that in the wiki page.

I think if we think that question is worth a good answer, we should do
some actual user research on how people perceive what private browsing
is, and not just take our impression as the ultimate answer.

Jonas Sicking

Jul 20, 2015, 7:41:24 PM
to Ehsan Akhgari, Josh Matthews, gover...@lists.mozilla.org
On Mon, Jul 20, 2015 at 1:41 PM, Ehsan Akhgari <ehsan....@gmail.com> wrote:
>> I think it'd be great to have a short and clear list of what the
>> private browsing feature is. I think your wiki page is a great start
>> to that. It's definitely short enough that you can read through it
>> and get an understanding of the current goals.
>>
>> I think it's also great that your page mentions research that has been
>> done about user expectations so that we can see where user
>> expectations don't match the list of features/goals of what the
>> feature is.
>
> I don't know of what research has been done here, if any. My impression on
> what the users expect is mostly formed by looking at bug reports, and
> mentions of this feature in various fora over the years, which is not really
> research! So I'm not sure what else I could mention with regards to that in
> the wiki page.
>
> I think if we think that question is worth a good answer, we should do some
> actual user research on how people perceive what private browsing is, and
> not just take our impression as the ultimate answer.

I certainly think that the current document can be improved, both in
terms of doing more research to back up the assertions in it, and by
making it get an overview of the implementation/goals. But that can be
done as needed I think.

In any case, given that there's now official documentation for what
the private browsing feature is, I'm happy to see the module created.

/ Jonas

Ehsan Akhgari

Jul 21, 2015, 10:34:59 AM
to Jonas Sicking, Josh Matthews, gover...@lists.mozilla.org

Panos Astithas

Jul 23, 2015, 6:03:53 AM
to Ehsan Akhgari, Josh Matthews, Jonas Sicking, gover...@lists.mozilla.org
On Mon, Jul 20, 2015 at 11:41 PM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:

> On 2015-07-20 3:04 PM, Jonas Sicking wrote:
>
>> I think it's also great that your page mentions research that has been
>> done about user expectations so that we can see where user
>> expectations don't match the list of features/goals of what the
>> feature is.
>>
>
> I don't know of what research has been done here, if any. My impression
> on what the users expect is mostly formed by looking at bug reports, and
> mentions of this feature in various fora over the years, which is not
> really research! So I'm not sure what else I could mention with regards to
> that in the wiki page.
>
> I think if we think that question is worth a good answer, we should do
> some actual user research on how people perceive what private browsing is,
> and not just take our impression as the ultimate answer.
>

There was some recent user research on the tracking protection in private
browsing mode feature that IIRC contained some broader bits of information
about how people perceive private browsing. You should ping Aislinn Grigas
from UX for her slides if this sounds interesting.

Panos

Ehsan Akhgari

Jul 23, 2015, 9:05:38 AM
to agr...@mozilla.com, Josh Matthews, gover...@lists.mozilla.org
Hi Aislinn,

I'm curious to look at the slides that Panos mentioned above. Do you
mind please linking me to those?

Thanks!
Ehsan

Aislinn Grigas

Jul 23, 2015, 10:42:21 AM
to Ehsan Akhgari, Josh Matthews, gover...@lists.mozilla.org
Here is my recent research - note it's qualitative NOT quantitative. For
earlier research that may have been done it's best to contact our UX
researcher on Firefox Desktop Bill Selman.

https://docs.google.com/a/mozilla.com/presentation/d/1MJVZhXvZP0HHw9_1y0LQW04M-_6q2Jq_jUXZ_1gp4To/edit?usp=sharing

Aislinn

On Thu, Jul 23, 2015 at 9:05 AM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:
--
*Aislinn Grigas* (*Ash*)
Senior Interaction Designer
Firefox Privacy and Security Team | *m* 978-930-3729 | *irc* aislinn