<div dir="ltr"><div class="gmail_extra">On Mon, Sep 7, 2015 at 9:28 PM, Bram Pitoyo <span dir="ltr"><<a href="mailto:bram@mozilla.com" target="_blank">bram@mozilla.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi Eric,<br><br></div>One interesting thing about this proposal is that it’s useful for sites that offer anti-abuse services (often, they’re domestic abuses). They have no need to track user’s activities, and therefore would have no interest in Tracking Protection. They just want to make sure that visitors, potential victims of abuse, can open the site and feel secure that their abusers won’t be able to track their activity.<br><br></div>You can find the original suggestion here:<br><a href="https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0087.html" target="_blank">https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0087.html</a><br><br></div>And the relevant quote below:</div></blockquote><div><br></div><div>Sure, that seems like one valid use case. I'm trying to figure out how widely</div><div>used a feature like this would really be. Note that this is a different use case</div><div>from the one Gerv proposes in that the *history* needs to be deleted, not</div><div>just locally stored site information.</div><div><br></div><div>-Ekr</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-family:arial,helvetica,sans-serif"><br></span><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><pre><span style="font-family:arial,helvetica,sans-serif">One example is <a href="http://www.kidshelpphone.ca/" target="_blank">http://www.kidshelpphone.ca/</a> they provide anonymous phone
line for kids that may have issues or problems in their family. This leads to
a sensitive problem: a kid visiting this site needs to know how to clean
browsing history since an adult seeing the browsing history might challenge
the kid about the visit and lead to more stress or bigger problems. They
did explain on the site header how to flush history and train visitors about
the anonymous tab; this isn't perfect at all, because it relies entirely on
the user's actions and the assumption that he read and understood the
section.<br><br>[…]<br><br>Of course, I'm quite sure sites with adult content would also like such
features but this is not really the issue I'm trying to resolve at this
point.</span><br></pre></blockquote><div> </div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 8, 2015 at 3:07 PM, Eric Rescorla <span dir="ltr"><<a href="mailto:ekr@rtfm.com" target="_blank">ekr@rtfm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span>On Mon, Sep 7, 2015 at 7:17 PM, Javaun Moradi <span dir="ltr"><<a href="mailto:jmoradi@mozilla.com" target="_blank">jmoradi@mozilla.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It’s a really compelling idea that Bram and Francois thought up. Low-risk, low-effort, and a potentially big upside.<br>
<br>
Right now, users have to be aware that PBM even exists and then remember to turn it on in certain situations. Turning it on automatically removes that cognitive barrier, grows the number of users protected by PBM, and educates them on the feature and on situations where they may want more privacy. All of those are good things for users, and since we’re making a big bet that we’ll have the best PBM of any mainstream browser, growing the market appetite for private mode would be really good for Firefox.<br></blockquote><div><br></div></span><div>I'm not convinced about the connection to private browsing mode.</div><div>It might well be true that sites would be interested in clearing their</div><div>state when the user logs out (though it's worth noting that in fact</div><div>many sites retain state across logins and use it to present a</div><div>partially individualized user experience even though they would</div><div>require you to log in in order to access any really sensitive data).</div><div><br></div><div>However, PBM is something different and many of the applications</div><div>for PBM actually have you in a position adversarial to the site. For</div><div>instance:</div><div><br></div><div>- Using PBM to bypass limits on the number of free articles you can</div><div>read.</div><div>- Hiding your history from sites</div><div> (cf. <a href="http://cseweb.ucsd.edu/~hovav/papers/jjls10.html" target="_blank">http://cseweb.ucsd.edu/~hovav/papers/jjls10.html</a>)</div><div>- Tracking protection</div><div><br></div><div>I think it's an open question whether enough sites would want to</div><div>actually exercise this capability to create a material improvement in</div><div>user privacy.</div><div><br></div><div>-Ekr</div><div><div><div><br></div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
There are some potential UX challenges like those you mentioned Mike — do users understand why a PB window just opened? But it’s worth doing some exploration to see how users feel about it.<br>
<span><font color="#888888"><br>
Javaun Moradi | <a href="mailto:jmoradi@mozilla.com" target="_blank">jmoradi@mozilla.com</a> | IRC: javaun | @javaun<br>
</font></span><div><div><br>
> On Sep 7, 2015, at 7:47 PM, Mike Hommey <<a href="mailto:mh@glandium.org" target="_blank">mh@glandium.org</a>> wrote:<br>
><br>
> On Tue, Sep 08, 2015 at 11:19:39AM +1200, Bram Pitoyo wrote:<br>
>> Hi Gerv,<br>
>><br>
>> Some of us at the Privacy and Security team have been thinking of the same<br>
>> thing!<br>
>><br>
>> Instead of a per-site caching rule, we’d like to have it so that a site can<br>
>> say to any browser: “Please always open me in Private Browsing”, and the<br>
>> browser would respect that.<br>
>><br>
>> The end result is the same: confidential information is never recorded in<br>
>> the cache.<br>
>><br>
>> The user flow and interface can be seen here (graciously written by<br>
>> Francois):<br>
>> <a href="https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades" rel="noreferrer" target="_blank">https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades</a><br>
><br>
> While that seems interesting, I'll point out that my gut reaction was<br>
> "oh great, a new way for abusers to open popups".<br>
><br>
> Another gut feeling is that users are now accustomed to links never<br>
> opening new windows, and that would be a step back. I, personally, would<br>
> hate this feature because of that.<br>
><br>
> Mike<br>
> _______________________________________________<br>
> firefox-dev mailing list<br>
> <a href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a><br>
> <a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
<br>
</div></div></blockquote></div></div></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>