Private Browsing Support to be required for add-ons

Jorge Villalobos

20

Firefox 3.5 introduced the Private Browsing Mode feature. This feature allows users to browse freely without having any browsing information recorded on their history, or cookies stored in the system. PBM is activated from the Tools menu, with the Start Private Browsing option, and can be deactivated similarly.

Ehsan Akhgari, creator of the PBM feature, asked the editor team recently if we performed any tests to see if add-ons respect PBM. At the moment we don’t, but we definitely should. Add-ons have the ability to obtain and store browsing data, and some of these add-ons may not be taking PBM into account. This is a breach of the user’s privacy expectations when using PBM, so we will be updating our policies shortly, requiring add-ons to respect PBM.

Ehsan has already explained extensively what’s necessary for PBM support in his blog post and the MDC article on PBM. All add-on authors should read both of these and decide what they need to do in order to become compliant with PBM.

There’s one particularity of PBM that is worth repeating here, though. It’s something that was the subject of some debate within the editor team, and most of us agree that it can be confusing for users as well. Private Browsing Mode is only about browsing. PBM shouldn’t be regarded as a general “private mode” where no data is stored. PBM should only limit browsing data: urls, cookies, page content. Anything that indicates where the user has been.

As a user, I find this limitation too subtle and unexpected. In fact, when we implemented support PBM for Fire.fm we assumed a general “private mode”, and I think our users would expect that as well. So, after some discussion with Ehsan, we decided to allow 2 different “levels” of privacy support:

  • If your add-on stores browsing data in any way, it must support PBM. This support cannot be disabled in any way, not even with hidden preferences.
  • If your add-on stores some other type of personal data, support for PBM is optional. What we did with Fire.fm is a good guideline: have a preference “support PBM for the data this add-on handles”, turned on by default.

If you’re an add-on author, this is the moment to look at your add-ons and see if you should support PBM. If you’re unsure about your add-on, please post a comment here, or at the Add-ons Forum. We will begin enforcing PBM support by the end of March, and add-ons nominations and updates that don’t respect PBM will be rejected.

Edit: fixed MDC link.

20 responses

  1. Simon wrote on :

    PBM shouldn’t be regarded as a general “private mode” where no data is stored. PBM should only limit browsing data: urls, cookies, page content. Anything that indicates where the user has been.

    As a user, I have to disagree with that interpretation. Enabling PBM should mean that *nothing* is stored, barring explicit actions like saving a file to disk. If I use a machine in a hotel or internet cafe, I would hope there to be no chance at all of any confidential data being left on that machine after I’m finished with it.

    Ideally, if a particular add-on doesn’t support private browsing (or cannot be trusted to respect it), that add-on should be disabled when entering private mode.

  2. lovinglinux wrote on ::

    My extension FoxMediaCenter is waiting for approval, but I don’t know if it really needs to be PBM compatible, since it is an off-line database driven extension. The user is able to store information on the database even if PBM is enabled, but this is required for the extension to work. Nevertheless, data is only stored if the user insert new entries in the database manually. Additionally, there are some directory paths stored in the extension preferences that are required by the extension, but they are also setup manually.

    Additionally, my extension has a temporary folder, where some files are stored when the user view a programme iInfo or import xml files. These files are basically images that represent the programme status in the Info interface, along with a temporary playlist with paths to local videos related to the selected programme. This playlist is not deleted until the user select another programme and click the Info button again. The xml files are stored until the user import another one.

    Thanks in advance for any help on this.

  3. Morac wrote on :

    Part of the problem is that there are many users who are paranoid (or confused) and always run in private browsing mode on their own computer, for whatever reason.

    When I implemented PBM support in my add-on (Session Manager) back when 3.5 was release, I started getting a number of complaints that my add-on wasn’t working anymore. In every case it turned out that the user was running in PBM and Session Manager was coded to disable saving (automatic or manual) data of any kind. Ironically people who were paranoid enough to turn on PBM, still wanted to be able to save browser session data.

    I finally got enough complaints that I added an option to allow saving, but only if the data was encrypted. I’m not sure if this would fly under the new policy or not.

  4. Jorge wrote on ::

    @Simon: agreed on the notion of PBM, but I have to disagree with disabling add-ons that don’t respect PBM. Not only would it be incredibly hard to detect compliance, it would be very bad user experience to have to restart the browser to enter or exit PBM.

    @Morac: sounds like in your case you should really respect PBM. It’s very odd IMO that your users would want you to save their data while in PBM. What are they using it for, then? I think the idea behind PBM is that no trace of that browsing session remains, not even evidence (encrypted or otherwise) that PBM session occurred.

  5. Jorge wrote on ::

    @lovinglinux: I think you’re OK for any cases where the user intentionally saves any data, but I think you would need to be more specific about the temporary folders. What data, exactly, is stored in them? Keep in mind that PBM doesn’t completely get rid of cookies and other info, what it does is keep the data in-memory, and then it’s flushed when the user exits PBM or closes Firefox. You could do something similar with that temp data, maybe.

  6. lovinglinux wrote on ::

    @jorge

    Thanks for the reply.

    When the user select a TV programme in my extension and click the “Info” button, the extension creates a playlist with paths to the trailer (if exists in the user trailers folder) and videos related to the TV programme (if exists in the user videos folder). This playlist is then loaded by the “Info” chrome dialog to display the videos. This playlist stays in the temp folder until the user click on another programme “Info”.

    Additionally, when the user import a xmltv file with TV schedules or a xml file created by IMDB Ripper extension, the xml file is copied to the temp folder in order to apply some character filters and then perform the data import into the database. Theses files remain in the temporary folder until the user import another file.

  7. Bee wrote on ::

    YEAH!!!!!!!!! I did it a long time ago!!!!!!!!!! I added the support for the private browsing mode (often called “porn mode”) to BeeFREE in its 1.8 version!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    I dont know this, but is PBM the acronym of “private browsing mode” or “porn browsing mode”??!!!!!!!! It works both ways though!!!!!!!!!!!!!!!!!!!!

    bye!!!!!!!!!!!!!!!!!!!!
    bee!!!!!!!!!!

  8. Bee wrote on ::

    Well, it looks like the real name is “privacy mode” or, just like i call it, “porn mode”!!!!!!!!!!!!!!!!

    http://en.wikipedia.org/wiki/Privacy_mode

    “private browsing” does not exist!!!!!!!!!!!!!!!!!!!!!!!!
    It’s another weird name Mozilla has invented!!!!!!!!!

    Perhaps `PM’ is the acronym of either “privacy mode” or “porn mode”, for sure its meaning is not “private mode”!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mozilla is just trying to confuse people overlapping acronyms!!!!!! I don’t know why they invented a new name for something that already had a name!!!!!!!!!

    bye!!!!!!!!!!!!!!!!!!!
    ~bee!!!!!!!!!!!!!!

  9. Jorge wrote on ::

    @lovinglinux: if the trailer and video links are fetched from a remote source, or the selected TV programme comes from a webspage, then I would consider that browsing data, and it should not be written to disk in PBM. It should be kept in memory, and deleted if the user exist PBM.

    The XML parsing case seems to be completely local, so I think it’s no problem.

    Also keep in mind we won’t be too extreme about enforcing this, so we’ll be happy to hear your case if there are major technical difficulties in doing any of this.

  10. Morac wrote on :

    @Jorge: In most cases the user simply wanted to be able to load previous sessions, but not keep the data around permanently. It would be kind of like setting Firefox to “show my windows and tabs from last time”, but also set it to never remember anything. I think they were hoping my Session Manager add-on was a way around that.

    I’ll take out the work around. I know some people won’t be happy though.

  11. David wrote on ::

    PBM is a good feature that I believe should be used more often. Like any ad-on it should be implimented for ease of use to the novice user.

    Ive started to evaluate my use of PBM and I’ll post when I have thoroughly evaluated it.

  12. noid user wrote on :

    in response 2 Morac:

    That is exactly how I use PBM. I generally use PBM by default, without even thinking. I don’t necessarily want any info to be traced/stored, but sometimes (as just happened) FF crashes, and I can’t recover any of the tabs that I had open.

    I know it practically defeats the purpose of being “Private”, but I’m kinda odd/difficult like that. Often, there are many un-bookmarked sites I had, which I want to re-visit after a crash, but I have no idea what they were. Is it counter-productive to have an exception for crashes? I’m not a coder, so I can’t imagine how difficult that would be.

  13. Jason Johnson wrote on ::

    How is Firefox’s private browsing mode different than Chrome’s Incognito mode? I currently use Chrome but am considering switching to Firefox because of the add-ons. Do they both prevent data from being stored on the user’s computer? And finally…do Firefox add-ons support private browsing made? Sorry for so many questions!

  14. pronostics wrote on ::

    @Jason Johnson : Hello Jason ! Don’t hesitate to try Firefox ! As you said, one of the (many) strengh of Firefox is it’s add-ons. There is much more that on chrome.
    I’ve tested personally Chrome and, in spite of its speed, I find it no particular advantage in front of Firefox.

    Good luck !

  15. Edwin wrote on ::

    Is it also using a type of proxy. Because how private is it when my ip is recorded by the website that I am visting and they store cookies on their end?

  16. Rich wrote on ::

    While private browsing mode is a step in the right direction you still need to make sure that you are using a anon proxy between you and the sites you are browsing. Otherwise it is still relativly easy for your data to be stored and used ageinst you at a later date.

    But… Firefox is a great browser and they only keep making it better. I was using a friend laptop recently, running only IE. The computer was soooo… slow it prompted me to open up task manager which showed that IE was consuming 50% of the CPU and 35% of the 4GB of memory.

    Eeeekkkk….. I hate IE

    Cheers Rich

  17. Andy Moore wrote on ::

    The only real way to browse the web privately is with a proxy, That is the only way to hide your actual IP

  18. Miguel Ribeiro wrote on ::

    Well, not even with a proxy. You can be sure that, if something important happens, they’ll get you. Of course, I’m talking about normal proxies you buy/rent around.

    PBM is a nice feature for what it was created for. And I believe its purpose was clear from the beginning.

  19. Fewos Allgäu wrote on ::

    To Andy Moore: I think you are right that by using a proxy or vpn you could hide your actual IP, but users of Google Chrome which has a built in ID should be able to be identified any time! Therefore I love Mozilla Firefox´ independence!

  20. Franko wrote on ::

    Will the add-ons respect PBM retroactively? I mean old addons, will they need to change?