1
edit
Changes
no edit summary
Many people believe that the primary use case for private browsing mode is viewing pornography. While viewing pornography may be a popular use case due to the nature of content on the Web, assuming that this is the only reason that users need private browsing trivializes the overall feature. For instance, users may wish to begin a private browsing session to research a medical condition, or plan a surprise vacation or birthday party for a loved one. Use cases will range from users [https://bugzilla.mozilla.org/show_bug.cgi?id=330884 cheating] on their spouse, to users buying engagement rings. Given the breadth of our user base, specific use cases are likely to be extremely varied.
===Shared Computers===
In extreme cases where computers are being shared by many people an hour, for example Internet Cafés, users viewing in Private Browsing mode can be confident that nobody (including the owner of the Internet Café!) will be able to view their browsing history or see details that they've entered into web sites. This creates a key differentiator from Internet Explorer, which offers no such assurances.
==Requirements Scope==
It is important to decide early on what is meant by Private Browsing. The bullet-proof solution is to not write anything to disk. This will give users maximum confidence and will remove any possible criticism of the feature from security experts.
By choosing to write *some* data to disk (perhaps in an encrypted format) we have broken a clear and easy to understand contract between Firefox and the user. The user / security expert will not be sure that there is no security risk.
The top level requirements can be summed up as:
* Provide a feature that for all realistic scenarios hides the user's activity while in Private Browsing mode.
* Instill confidence in the user that Private Browsing isn't leaving any trace on their PC. "It doesn't write anything to disk" is a good clear start.
* Clearly indicate to the user when they are protected by Private Browsing and when they are not.
==User Interface==
A private browsing session should be initiated with a menu item named "Begin Private Browsing" above "Clear Private Data" in the Tools menu. This option can either change the currently running instance of Firefox, create a new window, or create an entirely new instance of Firefox depending on how this feature is implemented.
It is critical that a user must be prompted and must knowingly accept when they are moving from Private Browsing mode back into normal browsing mode. If the feature is implemented as a whole new instance of Firefox then this requirement is fulfilled by the user closing the browser instance.
===Making Sure the User has the Correct Mental Model===
