The purpose of private browsing is to put Firefox into a temporary state in which no information about the user's browsing session is stored locally. Firefox currently handles the user's privacy with a preferences feature that clears all private data. That feature forces the user to choose between privacy (even if only momentary) and other useful features such as browsing history and saved passwords. Users should be able to go "off the record"; they shouldn't have to shoot the reporter.
As we improve history to include full-text indexing, and possibly thumbnails of visited sites, the need to respect users' privacy only increases.
Many people believe that the primary use case for private browsing mode is viewing pornography. While that may be a popular use case given the nature of content on the Web, assuming it is the only reason users need private browsing trivializes the feature. Users may wish to begin a private browsing session to research a medical condition, or to plan a surprise vacation or birthday party for a loved one. Use cases will range from users cheating on their spouse to users buying engagement rings. Given the breadth of our user base, specific use cases are likely to be extremely varied.
In extreme cases where a computer is shared by many people every hour, for example in Internet cafés, users in Private Browsing mode can be confident that nobody (including the owner of the café!) will later be able to recover their browsing history, or the details they entered into web sites, from the browser's profile on that machine. This is a key differentiator from Internet Explorer, which offers no such assurances.
It is important to decide early on what is meant by Private Browsing. The bullet-proof definition is that nothing is written to disk. This gives users maximum confidence and removes any possible criticism of the feature from security experts.
Choosing to write *some* data to disk (even in an encrypted format, which still leaves the ciphertext and a key the browser can read on the machine) breaks a clear and easy-to-understand contract between Firefox and the user: neither the user nor a security reviewer can then be sure that no trace remains.
The top level requirements can be summed up as:
- Provide a feature that for all realistic scenarios hides the user's activity while in Private Browsing mode.
- Instill confidence in the user that Private Browsing isn't leaving any trace on their PC. "It doesn't write anything to disk" is a good clear start.
- Clearly indicate to the user when they are protected by Private Browsing and when they are not.
Entering Private Browsing
A private browsing session should be initiated with a menu item named "Begin Private Browsing" above "Clear Private Data" in the Tools menu. This option can either change the currently running instance of Firefox, create a new window, or create an entirely new instance of Firefox depending on how this feature is implemented.
It is critical that the user is prompted and must knowingly confirm when moving from Private Browsing mode back into normal browsing mode. If the feature is implemented as a whole new instance of Firefox, this requirement is fulfilled by the user closing that browser instance.
Making Sure the User has the Correct Mental Model
Directly after entering private browsing mode, a dialog box or notification should display, clearly explaining the scope of this feature. It is very important that the user understands that this feature provides local privacy on their machine, but that their ISP, employer, or government will still be able to monitor their activities on the network. We don't want whistleblowers fired or dissidents jailed on account of bad UI. We may also want to consider not shipping this feature in certain regions where misunderstandings over its scope could have serious ramifications for the user.
When Firefox is in private browsing mode, the theme should change so that users can tell they are in private browsing mode using their peripheral vision. This change in visual appearance could range from turning the location bar black to restyling the entire browser window.
Here are some conceptual mockups:
- Black location bar (full mockup)
- Full theme change (full mockup; my apologies for the shoddy photoshop work on this one)
Existing Firefox Extensions
- [easy] Create a temporary profile for the session and destroy it on exit
- [hard] Modify every part of the code that writes to disk so that it checks the private browsing state first
A nearly complete implementation exists in Bug 248970 and takes the second approach. It makes the following components aware of private browsing mode and prevents them from writing anything to disk while it is active:
- Cache service
- Cookies service
- Permissions manager
- SSL Certificate exception manager
- History service
- Form/Search bar auto-complete history manager
- Download manager
- Login manager
- Content-specific preferences manager
- Session restore service
- Error console service
See It in Action
Preliminary builds are available here. You can download the version specific to your platform and try it out. Please note that these are highly experimental builds from random snapshots of the trunk code which may have serious bugs. Make sure you backup your profile data before trying them.
To toggle the private browsing mode in these builds, use the Toggle Private Browsing item from the Tools menu.
The user interface components for private browsing are being tracked in Bug 411929. As of this writing, no official mockups are available. The theme change mockups above are most likely not candidates for any official release: a browser that visibly announces it is in private mode tells anyone glancing at the screen that the user has something to hide, which hurts the user's privacy in its own right.