I don't have a strong opinion on whether to get rid of the "clear
private data" option, but here are some thoughts on some specifics:
> number 2 [time delay while deleting data] is a huge
> problem, which is really hard to address.
Why don't we just pop up a "Clearing private data" box at shutdown if
the user has selected it and it's taking more than a second or so?
I'm not a UI guy, but this doesn't seem like such a huge deal to me.
Tinfoil hat users might even appreciate the evidence that their data
is being scrubbed :) (The story for data deletion when we're killed
on Android or crash is less fabulous, but we still handle the common
leak case--the next user won't see your data when they run the
browser. Users who really want forensic-level data deletion are going
to need stronger tools than a simple filesystem delete anyway).
We still wouldn't want such a dialog to sit there for minutes. But if
you clear your browser's cache every time you exit, then it will
presumably not be so massive that it'll take a really long time to
delete (seconds, not minutes). I'm adding telemetry for that, so we
can revisit. [I think we may also want to simply shrink our HTTP disk
cache down from 1 GB to something smaller, as the latency/"hang"
tradeoffs may not be worth it given that working set size of most
surfing sessions is probably much smaller than 1 GB--I've posted about
that to dev.tech.networking]
> So, as other people have mentioned, permanent private browsing is not
> really equivalent with the "clear on exit" option in every case.
Yes, the semantics are different and clear private data has finer
control. I'd suggest we add telemetry to see how many users are
actually using it. Even if it's better/different we might still want
to get rid of it if it's not used much and is causing us engineering
difficulties. (For instance: if we crash, the cache is marked as bogus
and we don't use it on startup. Is that true for cookies/history/form
data as well? I suspect not but I don't know.)