User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 Build Identifier: In a recent bug comment (https://bugzilla.mozilla.org/show_bug.cgi?id=575230#c1), Brendan Eich wrote that: "Private browsing mode is about preventing local traces, not protecting against remote tracking. There are *tons* of ways for a determined host with which you are interacting to track your identity. Apart from protecting against omniscient (government) tracking, the suggested solution is Tor." Based upon his comments and conversations with others, as I understand it, the threat model for private browsing is to protect users from inquisitive, yet not too malicious local attackers -- and not truly evil local attackers willing to install keyboard sniffers, the user's employer (and IT department), their ISP or tracking by any remote host(either 1st party or third party). What concerns me, is that this very limited threat model is not conveyed to users via easy to understand text. Quite simply, the text that is displayed when the user enters private browsing mode does an extremely poor job in making clear the limitations of the feature. Looking at the warning text that is displayed when a user enters private browsing mode (in 4.0b1), they are first told that: "In a Private Browsing session, Firefox won't keep any browser history, search history, download history, web form history, cookies, or temporary internet files. However, files you download and bookmarks you make will be kept." That is all useful information I suppose, but it doesn't provide any useful information on the threat model. It doesn't convey, for example, that a local attacker could install spyware or a keyboard sniffer on their computer to record the information that Firefox is not retaining. Then, the text states that: "While this computer won't have a record of your browsing history, your internet service provider or employer can still track the pages you visit." This bit is useful, but it doesn't discuss the issue of remote tracking by 3rd parties (1st party sites, 3rd party ad networks, etc). If the private browsing mode isn't going to protect users from such sites and their tracking, it would seem like a good idea to let users know that. Essentially, I am really quite scared that most users have no idea that the current implementation of private browsing mode provides very little in the way of effective privacy against many forms of privacy invasion. Ideally, I would like the browser to protect me against all threats -- but until it does so, at the very least, being clear about the threats that it does and doesn't protect against would seem like a good idea. And If Tor really is the recommended solution for users who are concerned about remote sites tracking them, perhaps you should be mentioning Tor to users who enter private browsing mode? Reproducible: Always

I _think_ that the text conveys this information, but I'm CCing Faaborg so that he can comment here anyway.

The original plan was for the linked support article to contain all of this information: http://support.mozilla.com/en-US/kb/Private+Browsing?style_mode=inproduct&as=u I never got around to following up on that, and aside from a single line in the article, it doesn't really elaborate: >Note: Private Browsing prevents information from being recorded on your computer. >It does not make you anonymous on the Internet. We should try to update that page to include more extended information about protecting your privacy, including some information about: -keyloggers -third party cookies (do we block these yet in private browsing mode?) -discussion of Tor In terms of mentioning these things in product, we are trying to focus on what the feature does do instead of what it doesn't. This is a more finite list, and allows us to avoid a very in-depth technical discussion. I do agree that we should provide the user with easy access to all of this information.

Great, moving this to SUMO then.

While I think the idea of adding more information to SUMO is a great idea, I don't think this is sufficient, since most users are never going to click through and read it. The recent Test Pilot study of FF 4 beta users shows a clear, massive spike of people using private browsing mode at lunch time. See: http://blog.mozilla.com/metrics/2010/08/23/understanding-private-browsing/ When users enter private browsing mode, they are told that "While this computer won't have a record of your browsing history, your internet service provider or employer can still track the pages you visit." However, this doesn't seem to impact the fact that one of the largest uses of private browsing mode is during the lunch hour, when most people are at work, and thus potentially monitored by their employer. These powerful stats send a clear message, which, IMHO, is that lots of Firefox users are seeking some degree of privacy during their lunch-time browsing. Either Firefox should deliver it (something I don't think is possible, given that the employer controls the network, and often, the desktop), or be even more clear about the fact that private browsing is not protecting them against such threats. Burying this information in a help file is not sufficient.

An employer is unlikely to deploy a keylogger on employees, and we do specifically call out that they can still monitor the traffic (although we don't suggest tor as a solution). So I'm not sure I understand why you feel we aren't providing a clear enough warning for lunch hour users. >Burying this information in a help file is not sufficient. How would you propose that we word the about:private browsing text?

If we want the message to target non-technical users (since they're most likely to be unaware of tracking by ISPs, third parties, etc.), I would propose even avoiding terms like "cookies" or "keyloggers" and making the warning as simple as possible. A link to more information could then be available for those who do understand details and want to know precisely what's saved or transmitted. I'll just throw out an example off the top of my head, such as these four bullet points... - When you use the Internet, you leave footprints that others may be able to track. - In this mode, some footprints on your computer are erased when you're done. - Your Internet provider and other people may still track your use with other footprints. - If you want to leave no footprints at all, you'll need a more secure solution. ...followed by a link to "More Information" about what exactly happens in this mode and what some of those more secure solutions would be. This may seem like overkill in terms of simplification, but I think it's necessary to target most Web users and still maintains enough clarity to accurately portray the situation. (Of course, internationalization issues might need to be taken into account when it comes to the wording.)

I think the current default message (ff 3.6.10 and 4.0b5) is correctly balanced between being informative enough and not too sophisticated. More sophisticated information should go to the linked text "Learn more". I disagree with the above proposition about "footprints", Firefox already has simple description with big fonts, which is much simpler than about "footprints": * Private Browsing * Firefox won't remember any history for this session. It is positioned above the second level description about stuff and cookies. So user, who want most simplicity wont read the next informative paragraph. User who want more information will read the next paragraph, and will get useful information, unlike with "footprints", where the user will spend time on reading paragraph without getting any concrete useful info. By the way I think it must mention the word "cookies" or renamed to "internet cookies". P.S. http://crypto.stanford.edu/~dabo/pubs/abstracts/privatebrowsing.html

From: http://www.mozilla.com/en-US/firefox/features/ Private Browsing Surf the Web without leaving a single trace. I realize that it is really tough to capture the complexities of this feature in a single sentence, but this one liner could very easily give a non-technical user the idea that the feature offers far more than it does.

(In reply to comment #8) > From: http://www.mozilla.com/en-US/firefox/features/ > > Private Browsing > Surf the Web without leaving a single trace. > > I realize that it is really tough to capture the complexities of this feature > in a single sentence, but this one liner could very easily give a non-technical > user the idea that the feature offers far more than it does. This should be filed as a bug against the www.mozilla.com component.

I will open an additional bug. However, the reason I have included it in this bug report thread is that it serves as further evidence to back up my point. If Mozilla can't accurately explain the limitations of this feature in the marketing materials on the Firefox website, how are non-technical users supposed to fully grasp the numerous limitations of this feature. I'll take a stab later this week at proposing better language for about:private browsing. However, I think Joey's suggestion (above) about bulletpoints is a good start.

Ok, this is the first stab at improving the dialog text. Anything surrounded by * symbols is bold. A properly formatted version can be found here: https://docs.google.com/document/d/1Q3fQ6YgdmDwtAvON3x5oVNsv6kzvOJYtBHI_CCBADbQ/edit?hl=en&authkey=CN-m6ogP ------------------------ *You've entered private browsing mode.* *When you use the Internet, you leave traces of data behind that others may be able to track. In private browsing mode, Firefox will not save on your computer the following types of information:* [Indent]Browser history, search history, download history, web form history, cookies, Flash cookies, and temporary Internet files. However, any files you download and bookmarks you make will be kept.[Close indent] *Private browsing does not protect you from other people, servers, or software that may try to track you. This includes:* [Indent] [Bullet] Websites that collect or share information about you, such as online advertising companies. [Bullet] Your employer, school or university if you are using an Internet connection or computer that they have provided. [Bullet] Your Internet Service Provider. [Bullet] Viruses, spyware or other malicious software that you may have unknowingly installed, or that someone else may have installed on your computer without your knowledge. [Bullet] Surveillance by the police and other government agencies. [Close Indent] *If you want to leave no footprints at all, you'll need a more secure solution. Click here to learn learn more about these types of tracking, and how you may be able to protect yourself.*

I'm closing this as invalid, since we don't track article requests in Bugzilla anymore. Please open a new thread in the article forum [1] and link back to this discussion. Otherwise, just move it to another component. [1] https://support.mozilla.com/en-US/forums/knowledge-base-articles

Resurrecting this bug in the correct place with new proposed text which takes inspiration from the SUMO page on this topic. Chris, perhaps you'd like to add more info to the SUMO page, or create a new page about tracking in general, and how to avoid it? https://support.mozilla.org/en-US/kb/Private-Browsing --- Private Browsing Private Browsing allows you to browse the Internet without saving any information about the sites and pages you visit. <dramatic-box> *Warning:* Private Browsing doesn't make you anonymous on the web. The pages you visit can still be tracked by your Internet service provider, employer, or the sites themselves. Private Browsing also doesn't protect you from keyloggers or spyware that may be installed on your computer. </dramatic-box> One you leave Private Browsing mode, $PRODUCNAME will forget which pages you've visited, anything that you've entered in forms or the search bar, any new passwords, anything in the downloads list, any new cookies or Flash cookies, and any cached or offline web content. $PRODUCTNAME will *not* forget any new files that you download or bookmarks that you make. To stop Private Browsing, select Tools > Stop Private Browsing, or close $PRODUCTNAME. Learn More

CCing some of the UX folks to give feedback on comment 13.

(In reply to Ehsan Akhgari [:ehsan] from comment #14) > CCing some of the UX folks to give feedback on comment 13. Is there any feedback on the proposed text?

Looks like the current text reflects the mentioned concerns and the current text covers the proposed text very closely.