Opened 18 months ago

Last modified 4 months ago

#28800 needs_information task

Implement New Identity functionality for Tor Browser on Android

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile, tbb-newnym, ux-team, TBA-a3, tbb-8.5, tbb-parity, TorBrowserTeamTriaged, post-fenix-migration
Cc: anontela, sysrqb, igt0, jan@…, sisbell Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor9

Description

We want to have an easy to use New Identity functionality for Tor Browser for Android. Currently there is some New Identity-like functionality provided by Orbot but a) that's only responsible for circuit-switching and b) it is not clear whether we stick to Orbot in our grand scheme of things.

Child Tickets

Attachments (1)

tba-trash.png (36.2 KB) - added by antonela 15 months ago.

Download all attachments as: .zip

Change History (17)

comment:1 Changed 18 months ago by darkspirit

Cc: jan@… added

comment:2 Changed 18 months ago by gk

Keywords: TBA-a3 added

comment:3 Changed 17 months ago by gk

Keywords: TorBrowserTeam201901 added; TorBrowserTeam201812 removed

Moving tickets to Jan 2019.

comment:4 Changed 16 months ago by gk

Keywords: TorBrowserTeam201902 added; TorBrowserTeam201901 removed

Moving tickets to February.

comment:5 Changed 15 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201902 removed

Moving remaining tickets to March.

comment:6 Changed 15 months ago by gk

Keywords: tbb-8.5 added

Tickets on our radar for 8.5

comment:7 Changed 15 months ago by gk

Status: newneeds_information

antonela: Any suggestions on how this should get exposed to mobile users?

Changed 15 months ago by antonela

Attachment: tba-trash.png added

comment:8 Changed 15 months ago by antonela

Hi, I have been thinking about the New Identity feature also for desktop, and I have some notes made back for an OTF proposal. Maybe is time to sharing those here :)

For readers, the documentation available about what the New Identity feature does and how we are communicating this to users is here.

https://www.torproject.org/projects/torbrowser/design/#new-identity

Also, this StackExchange questions illuminated me about where this feature name is coming from

https://tor.stackexchange.com/questions/13981/new-identity-vs-reopening-browser/13986#13986

TL;DR: Design goal: "All linkable identifiers and browser state MUST be cleared by this feature."

If we trace a user journey map, we can see how the need of a new identity is triggered by some specific situations defined by previous browsing activities that not necessarily imply a new user but sometimes does. In other words, users with technical background rely on a new identity when they want to clean back their previous activity. And they want to be sure about it.

During our global south travels, we quickly learned that our target demographic did not understand why they would want to use such a feature. They did not understand what a new identity would affect, why it would be essential to use, and what risks they were facing if they didn’t use the new identity feature. The feature did not include enough information to guide them through the process or tell them when and why to use a new identity.

Often, users asked us what a difference between asking for a new circuit vs. a new identity vs. open a new tab is. Users click on New Identity when they want to clean all that they have been doing before, like sensible searching.

My goal with this redesign is changing the perspective of the experience of the feature from “what the browser is doing” to “how a user benefits from it.”

If users are using new identity when they want to clean previous activity and also to have a new fresh tab, why we don't rename this feature as something that can recall on users for the immediate action?

I think we can rename this feature using terms/icons like "Fire," “Forget,” “Trash,” “Delete,” or “Clean” to indicate 1. the clean of previous identifiers and, 2. creation of a fresh tab.

We could make it consistent with other browsers too. Language consistency with other major browsers that users may be familiar with--like Chrome, Safari, and Firefox--should make it more clear that clicking the button will close the user’s tabs, clear all cookies, and reset the browser’s connection to the Tor network.

Since we are also removing cookies, we need to educate users on their first time experience about how sessions will expire and tabs will close.

The new identity feature improvement is especially critical for mobile users. Ephimerous sessions for sensible searches are a core feature for a sharing device context like we discovered in Colombia with activists collectives. This presentation and this paper talk about these contexts deeply.

Proposed new user flow

  1. User clicks on the icon. This action is global, so the icon should be placed at the toolbar.
  2. All tabs get closed, and all cookies get cleared (logged sessions will expire)
  3. about:tor is open

TBA Concept
https://trac.torproject.org/projects/tor/attachment/ticket/28800/tba-trash.png

Questions for development

  • Do you have a better label to rename this feature that recalls what the user wants to do immediately instead of what the browser will do later?
  • Can we offer ephemeral sessions per tabs? Is this possible?
  • Will TBA replicate the same behavior TB has on the desktop?
  • The design doc says "Finally, a fresh browser window is opened, and the current browser window is closed (this does not spawn a new Firefox process, only a new window)."
    • Can we do it without closing the window? Can we use another visual feedback for users to explain that the action has been done?

What other browsers are doing?

DDG for Mobile
https://share.riseup.net/#WnqvMynmrlSOVhzhz-mdjg
https://share.riseup.net/#w9IJcEhOLNOu_nuHs5mNhw

Firefox Focus (sorry for the spanish version, Borrar=Clean)
https://share.riseup.net/#2fMSGTg_JZpYjWMat5-QKg

comment:9 Changed 15 months ago by gk

Keywords: tbb-parity added

Introducing tbb-parity.

comment:10 Changed 14 months ago by gk

Keywords: TorBrowserTeam201904 added; TorBrowserTeam201903 removed

Moving tickets to April.

comment:11 Changed 12 months ago by pili

Sponsor: Sponsor9

comment:12 in reply to:  8 Changed 9 months ago by gk

Replying to antonela:

[snip]

Questions for development

  • Do you have a better label to rename this feature that recalls what the user wants to do immediately instead of what the browser will do later?
  • Can we offer ephemeral sessions per tabs? Is this possible?
  • Will TBA replicate the same behavior TB has on the desktop?
  • The design doc says "Finally, a fresh browser window is opened, and the current browser window is closed (this does not spawn a new Firefox process, only a new window)."
    • Can we do it without closing the window? Can we use another visual feedback for users to explain that the action has been done?

Copying part of my comment in comment:16:ticket:27511 over for posterity:

I think that comment makes sense to me. I am totally fine with renaming that feature as "New Identity" might be a concept that's too hard to grasp. So, anything that's easier here to understand and does the same under the hood is a win in my opinion.

For the remaining dev questions:
1) ephemeral tabs: that could be an idea but we should discuss it in a different ticket, not one related to new identity as I would assume both might live together in the browser (i.e. the ephemeral tabs would not replace New Identity)

2) New Identity on TBA: Yes, TBA should replicate the behavior as we have it on desktop (although that's not relevant for this bug)

3) New Identity without closing the window: I am afraid it's already hard to get rid of all browser state the way we are doing it right now. So, to be sure we get rid of all window state the only option we have so far is closing the window and create a new one. We might get away from that requirement if we audited all the relevant parts properly but that's a tricky task and would definitely be something for a new ticket.

[snip]

comment:13 Changed 6 months ago by boklm

Cc: sisbell added
Keywords: TorBrowserTeam201911 added; TorBrowserTeam201904 removed

#32535 is a duplicate.

comment:14 Changed 6 months ago by sisbell

Looking at tor button code, we have the following comment

The "New Identity" implementation does the following:

  • 1. Disables Javascript and plugins on all tabs
  • 2. Clears state:
  • a. OCSP
  • b. Cache + image cache
  • c. Site-specific zoom
  • d. Cookies+DOM Storage+safe browsing key
  • e. google wifi geolocation token
  • f. http auth
  • g. SSL Session IDs
  • h. last open location url
  • i. clear content prefs
  • j. permissions
  • k. site security settings (e.g. HSTS)
  • l. IndexedDB and other DOM storage
  • m. plugin data
  • n. media devices
  • o. predictor network data
  • 3. Sends tor the NEWNYM signal to get a new circuit
  • 4. Opens a new window with the default homepage
  • 5. Closes this window *
  • XXX: intermediate SSL certificates are not cleared.

Is it just a matter off hooking up this functionality or is there something else involved here?

comment:15 in reply to:  14 Changed 6 months ago by sysrqb

Keywords: TorBrowserTeamTriaged fenix-migration added; TorBrowserTeam201911 removed

Replying to sisbell:

Is it just a matter off hooking up this functionality or is there something else involved here?

That should be most of it. We'll need a UI for it (where do we put the button for this?), and we need to make sure the UI doesn't hold any references to now-invalid objects. torbutton should handle clearing all of the actual data with Gecko, so we'll need to make sure we handle clearing any higher-level abstractions around that data (like closing all tabs when this is triggered, clearing any in-memory history). We'll need to send NEWNYM ourselves, because torbutton doesn't have a controller connection on Android.

With all of that said, we're not going to work on this until after the fenix migration.

comment:16 Changed 4 months ago by sysrqb

Keywords: post-fenix-migration added; fenix-migration removed

Renaming 'fenix-migration' as 'post-fenix-migration'

Note: See TracTickets for help on using tickets.