Core Privacy Principles

Privacy Browser adheres to two core privacy principles.

  1. Minimize the amount of information that is sent to the internet.
  2. Minimize the amount of information that is stored on the device.

Let me explain why both of these are important and how they affect which features are included in Privacy Browser.

Minimize the amount of information that is sent to the internet

The fundamental reason why it is so easy for websites to track you is because your browser sends far, far, far too much information to the internet. Sometimes this is because someone thought up a neat feature that, as a side effect, allows websites to track you. Other times these features were specifically designed to track users. But the end result is the same: websites can track you despite almost everything you do to stop it.

At a very basic level, websites only need two pieces of information to send you a webpage.

  1. The URL you are requesting.
  2. The IP address and port number the response should be sent to.

If the website requires a login, this is expanded to three pieces of information.

  1. The URL you are requesting.
  2. The IP address and port number the response should be sent to.
  3. A cookie that demonstrates you have correctly been authenticated (there are no other valid uses for cookies, in my opinion).

They don’t need anything else. They don’t need JavaScript. They don’t need to know your user agent. They don’t need to know anything about your screen size. They don’t need to probe the specs of your graphics card. They don’t need to read your accelerometer. They shouldn’t get to control tabs, or system popup boxes, or track your mouse position, or what you are typing before you send it to them. They shouldn’t know how you display the information they send you. They don’t need to do any of these things.

Now, for every one of these items above, and hundreds of other examples, there is some genuinely sincere web developer out there who says, “But I can build this really cool website if I just have access to that information.” That may be true, but either there is some way to build that same website without spying on you, or there is some way to build a different website that is just as good that doesn’t spy on you, or, as a user, you should make a conscious decision to enable some dangerous permission for that domain because you trust the web developer. None of this stuff should be on by default.

There is an outside argument that can be made for also sending the language of the device, so that websites can automatically switch languages to match. Maybe. But from a privacy perspective it would be better to just include the language in the URL.

Another way of saying this is that I don’t think the browser should be considered a general computing platform like an operating system. This is in direct opposition to companies like Google or Mozilla, who believe that the browser should be the operating system. That is a bad idea because a browser is designed to process input from untrusted third parties, and so it should be very limited in what it allows those untrusted third parties to do, whereas an operating system is designed to run any trusted code that a user with appropriate authority has installed, so it should allow those trusted programs to do powerful (and therefore potentially dangerous) things.

Because Privacy Browser is currently based on Android’s WebView, there is a limit to how much information I can choose not to send to the internet. But in the 4.x series I am going to create a rolling fork of WebView called Privacy WebView, and that is when it is going to get serious. Among other things, this means I am going to break a whole bunch of RFCs that govern how the internet is supposed to work. I am normally very supportive of open standards, and I do not advocate breaking them lightly. But, because the internet has been built from the ground up to track us, and because this tracking has been baked into the core internet standards, in this case it is the only way to reclaim our privacy. In other words, if there is ever a conflict between privacy and a web standard, privacy will always win out (WebRTC being an example that is understood by a lot of people).

This is likely to not make me popular with web developers. But my end goal is for Privacy Browser to gain sufficient market share so that web developers start making their websites function well without spying on us and so that other browsers also start adopting this philosophy.

Minimize the amount of information that is stored on the device

This is an even more controversial principle, if possible, than breaking the internet as it now exists. Most browsers store massive amounts of information on your device. This information can then be abused by third parties, either through remote means or via physical access.

As a general guideline, Privacy Browser does not store anything permanently on the device unless there is specific user interaction to do so. Everything else is wiped when Clear and Exit is selected. So, for example, Privacy Browser allows users to store bookmarks and domain settings. But this does not happen automatically.

For people who need extreme privacy in this regard, there is an Incognito Mode that wipes the cache and history every time a webpage finishes loading. For a human rights worker in an oppressive regime, where visiting a forbidden website could be the difference between life and death, this can be worth the usability trade-off.

From time to time I receive requests to add features to Privacy Browser that automatically store comprehensive histories across reboots or restore tabs on a restart. Although I can see the usefulness of such features, I am opposed to anything that automatically stores a browsing history just by engaging in normal browsing behaviors. As such, these types of features are not likely to ever be implemented.
