Here’s a brain twister for you: why should it matter if a website knows if a visitor is viewing it in some sort of private mode?
Who cares, right?
It could matter for very specific users, though. For example, what if you were some sort of political dissident digging through government web pages and you didn’t want them to know how much time you were spending on it? If those sites can discern someone spending a lot of time in private mode, it might give them a strong incentive to use browser fingerprinting and other tricks to find out who it is.
Or what if you were a law enforcement official who had found some well hidden page used by criminals to collaborate on illegal activity, such as exchanging stolen goods? It might be helpful to appear as guileless as possible.
On top of that, browsers are becoming increasingly complex pieces of software. If a user simply wants to make sure that other people with access to a device can’t see what they’ve been looking at, the increasing complexity makes it more and more likely that a browser will hold onto some trace of a session that had supposedly been private. Browser add-ons and extensions only make it worse.
What is to be done?
A new privacy mode, called “UCOGNITO,” has been proposed that simplifies a browser’s approach to privacy, and, in doing so, makes it harder for data to be recorded locally when a user would naturally expect that such local records wouldn’t be kept. The mode was presented by a research team at the Georgia Institute of Technology in a paper for the Association for Computing Machinery’s 22nd Conference on Computer and Communications Security in Denver last month.
Here’s a simplified version of the UCOGNITO proposal: private mode could let websites copy down data in browsers like they always do, such as logging their history, pocketing cookies and caching images. All of it. But every single piece of data written during a private session would be stored in a special bucket (called a sandbox file system), and when the user closes the UCOGNITO window, all that data would get dumped.
Unless he or she had specifically opted to keep some of it.
Then, from the perspective of websites visited, it would appear that the user was little more savvy than someone using Internet Explorer.
The writers describe their privacy goals as keeping a session both stealthy and fresh. Stealthy, in that records from the session won’t be saved. Fresh, in that records from prior sessions in normal modes won’t be used. In both cases, users could opt into slightly less security.
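To make the stealthy/fresh split concrete, here is an added toy model of the sandbox idea (example code, not the UCOGNITO project's own implementation): a hypothetical browser profile laid out as `<profile>/<category>/<name>`, a throwaway layer that absorbs every write during the private session, and two opt-in sets that let the user keep or reuse chosen record types such as cookies or history.

```python
import os
import shutil
import tempfile

class PrivateSession:
    """Sandbox layer over a (hypothetical) browser profile laid out as
    <profile>/<category>/<name>. keep = categories the user opts to persist
    on close; reuse = categories the user opts to read from prior sessions."""

    def __init__(self, profile, keep=(), reuse=()):
        self.profile, self.keep, self.reuse = profile, set(keep), set(reuse)
        self.layer = tempfile.mkdtemp(prefix="ucognito-")  # throwaway layer

    def write(self, category, name, data):
        # Every write lands in the layer, never directly in the profile.
        os.makedirs(os.path.join(self.layer, category), exist_ok=True)
        with open(os.path.join(self.layer, category, name), "w") as f:
            f.write(data)

    def read(self, category, name):
        # Fresh: prior-session records stay invisible unless opted in.
        roots = [self.layer] + ([self.profile] if category in self.reuse else [])
        for root in roots:
            path = os.path.join(root, category, name)
            if os.path.exists(path):
                with open(path) as f:
                    return f.read()
        return None

    def close(self):
        # Stealthy: copy back only opted-in categories, then dump the layer.
        for category in self.keep:
            src = os.path.join(self.layer, category)
            if os.path.isdir(src):
                shutil.copytree(src, os.path.join(self.profile, category), dirs_exist_ok=True)
        shutil.rmtree(self.layer)

def demo(profile=None):
    """Constructed scenario: a prior cookie exists; the session keeps only history."""
    profile = profile or tempfile.mkdtemp(prefix="profile-")  # constructed profile dir
    os.makedirs(os.path.join(profile, "cookies"), exist_ok=True)
    with open(os.path.join(profile, "cookies", "example.org"), "w") as f:
        f.write("session=old")  # constructed prior-session record
    s = PrivateSession(profile, keep={"history"})
    fresh = s.read("cookies", "example.org")  # None: old cookie is not reused
    s.write("cookies", "example.org", "session=new")
    s.write("history", "visits", "https://example.org/\n")
    s.close()
    cookie = open(os.path.join(profile, "cookies", "example.org")).read()
    return fresh, cookie, os.path.exists(os.path.join(profile, "history", "visits"))
```

Running `demo()` shows the old cookie untouched by the private session's write, the history entry persisted because the user opted to keep it, and the sandbox layer gone.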
They observe a variety of problems with current implementations of private modes across browsers. First, every time a new feature is added to a browser, developers have to be sure it’s built to work with a browser’s logic for private mode. Second, all browsers make assumptions about what a private mode should mean for users, rather than letting them decide for themselves (and different browsers don’t make the same assumptions).
“In current private mode implementation, there is no way to resolve these conflicts because developers’ decisions are in fact hard-coded in the browser and the only option left to users is to either manually clean this trace (which is non-trivial) or accept developers’ decisions,” the team writes. “Our goal is not only to respect each browser vendor but also to give freedom and control back to users for their pleasure.”
The paper even argues that the new approach makes updating and adding features to the software easier for its devs, because they don’t have to write special conditions for new features when used in some form of private mode. “UCOGNITO does not require any change to browser implementation,” the authors write. “As a result, any browsers or browser-support applications (e.g., Chrome apps) can be run in private browsing mode no matter if the browsers or applications support private browsing mode.”
In fact, in the team’s proposed implementation, UCOGNITO is separate from the browser, a layer added on top when desired. The team tested the approach on browsers in Linux and found little to no performance cost in using it. See the project on GitHub.
UCOGNITO is another angle on browser security. We recently wrote about an update to Firefox, which now turns off all trackers when in private mode by default. As the researchers’ paper indicates, this is a separate threat model, unaddressed by their proposal.
We asked Meng Xu, the paper’s lead author, about Firefox’s recent security improvements. “It is similar in the fact that users now have a certain degree of control of the information sent out from the browser,” he wrote The Observer in an email. “It is different in the fact that the Tracking Protection feature relies on a URL-domain list to decide whether the information is allowed to be sent out, while in UCognito, such decision is based on the type of information sent out (e.g., whether it is a cookie or local storage entry).”
“We welcome the research into Private Browsing carried out in this paper and will review the results before drawing any conclusions,” Nick Nguyen, a vice-president of Firefox, wrote the Observer in an email, via a spokesperson.
Google was not available for comment for this story.
The paper emphasizes the importance of maximizing users’ control over ways that they trade security for convenience. While that is important, the paper also reports that some users of private browsing functions told other researchers that they would like to use cookies with stored passwords in private modes, for the added convenience.
To those users, we say: you are doing it wrong.
UPDATE: This story has been updated with comment from Mozilla. November 12, 2015 3:53 PM.