Implement New Identity functionality for Tor Browser on Android

We want to have an easy to use New Identity functionality for Tor Browser for Android. Currently there is some New Identity-like functionality provided by Orbot but a) that's only responsible for circuit-switching and b) it is not clear whether we stick to Orbot in our grand scheme of things.

added TBA-a3 TorBrowserTeamTriaged component::applications/tor browser owner::tbb-team post-fenix-migration priority::high severity::normal sponsor::9 status::needs-information tbb-8.5 tbb-mobile tbb-newnym tbb-parity type::task ux-team labels

Trac:
Username: darkspirit
Cc: anontela, sysrqb, igt0 to anontela, sysrqb, igt0, jan@ikenmeyer.eu

Trac:
Keywords: N/A deleted, TBA-a3 added

Moving tickets to Jan 2019.

Trac:
Keywords: TorBrowserTeam201812 deleted, TorBrowserTeam201901 added

Moving tickets to February.

Trac:
Keywords: TorBrowserTeam201901 deleted, TorBrowserTeam201902 added

Moving remaining tickets to March.

Trac:
Keywords: TorBrowserTeam201902 deleted, TorBrowserTeam201903 added

Tickets on our radar for 8.5

Trac:
Keywords: N/A deleted, tbb-8.5 added

antonela: Any suggestions on how this should get exposed to mobile users?

Trac:
Status: new to needs_information

Trac:

Hi, I have been thinking about the New Identity feature also for desktop, and I have some notes made back for an OTF proposal. Maybe is time to sharing those here :)

For readers, the documentation available about what the New Identity feature does and how we are communicating this to users is here.

https://www.torproject.org/projects/torbrowser/design/#new-identity

Also, this StackExchange questions illuminated me about where this feature name is coming from

https://tor.stackexchange.com/questions/13981/new-identity-vs-reopening-browser/13986#13986

TL;DR: Design goal: "All linkable identifiers and browser state MUST be cleared by this feature."

If we trace a user journey map, we can see how the need of a new identity is triggered by some specific situations defined by previous browsing activities that not necessarily imply a new user but sometimes does. In other words, users with technical background rely on a new identity when they want to clean back their previous activity. And they want to be sure about it.

During our global south travels, we quickly learned that our target demographic did not understand why they would want to use such a feature. They did not understand what a new identity would affect, why it would be essential to use, and what risks they were facing if they didn’t use the new identity feature. The feature did not include enough information to guide them through the process or tell them when and why to use a new identity.

Often, users asked us what a difference between asking for a new circuit vs. a new identity vs. open a new tab is. Users click on New Identity when they want to clean all that they have been doing before, like sensible searching.

My goal with this redesign is changing the perspective of the experience of the feature from “what the browser is doing” to “how a user benefits from it.”

If users are using new identity when they want to clean previous activity and also to have a new fresh tab, why we don't rename this feature as something that can recall on users for the immediate action?

I think we can rename this feature using terms/icons like "Fire," “Forget,” “Trash,” “Delete,” or “Clean” to indicate 1. the clean of previous identifiers and, 2. creation of a fresh tab.

We could make it consistent with other browsers too. Language consistency with other major browsers that users may be familiar with--like Chrome, Safari, and Firefox--should make it more clear that clicking the button will close the user’s tabs, clear all cookies, and reset the browser’s connection to the Tor network.

Since we are also removing cookies, we need to educate users on their first time experience about how sessions will expire and tabs will close.

The new identity feature improvement is especially critical for mobile users. Ephimerous sessions for sensible searches are a core feature for a sharing device context like we discovered in Colombia with activists collectives. This presentation and this paper talk about these contexts deeply.

Proposed new user flow

1. User clicks on the icon. This action is global, so the icon should be placed at the toolbar.
2. All tabs get closed, and all cookies get cleared (logged sessions will expire)
3. about:tor is open

TBA Concept https://trac.torproject.org/projects/tor/attachment/ticket/28800/tba-trash.png

Questions for development

• Do you have a better label to rename this feature that recalls what the user wants to do immediately instead of what the browser will do later?
• Can we offer ephemeral sessions per tabs? Is this possible?
• Will TBA replicate the same behavior TB has on the desktop?
• The design doc says "Finally, a fresh browser window is opened, and the current browser window is closed (this does not spawn a new Firefox process, only a new window)."
  • Can we do it without closing the window? Can we use another visual feedback for users to explain that the action has been done?

What other browsers are doing?

DDG for Mobile https://share.riseup.net/#WnqvMynmrlSOVhzhz-mdjg https://share.riseup.net/#w9IJcEhOLNOu_nuHs5mNhw

Firefox Focus (sorry for the spanish version, Borrar=Clean) https://share.riseup.net/#2fMSGTg_JZpYjWMat5-QKg

Introducing tbb-parity.

Trac:
Keywords: N/A deleted, tbb-parity added

Moving tickets to April.

Trac:
Keywords: TorBrowserTeam201903 deleted, TorBrowserTeam201904 added

Trac:
Sponsor: N/A to Sponsor9

Replying to antonela:

[snip]

Questions for development

• Do you have a better label to rename this feature that recalls what the user wants to do immediately instead of what the browser will do later?
• Can we offer ephemeral sessions per tabs? Is this possible?
• Will TBA replicate the same behavior TB has on the desktop?
• The design doc says "Finally, a fresh browser window is opened, and the current browser window is closed (this does not spawn a new Firefox process, only a new window)."
  • Can we do it without closing the window? Can we use another visual feedback for users to explain that the action has been done?

Copying part of my comment in comment:16:ticket:27511 over for posterity:

I think that comment makes sense to me. I am totally fine with renaming that feature as "New Identity" might be a concept that's too hard to grasp. So, anything that's easier here to understand and does the same under the hood is a win in my opinion.

For the remaining dev questions:

1. ephemeral tabs: that could be an idea but we should discuss it in a different ticket, not one related to new identity as I would assume both might live together in the browser (i.e. the ephemeral tabs would not replace New Identity)

2. New Identity on TBA: Yes, TBA should replicate the behavior as we have it on desktop (although that's not relevant for this bug)

3. New Identity without closing the window: I am afraid it's already hard to get rid of all browser state the way we are doing it right now. So, to be sure we get rid of all window state the only option we have so far is closing the window and create a new one. We might get away from that requirement if we audited all the relevant parts properly but that's a tricky task and would definitely be something for a new ticket.

[snip]

#32535 (moved) is a duplicate.

Trac:
Keywords: TorBrowserTeam201904 deleted, TorBrowserTeam201911 added
Cc: anontela, sysrqb, igt0, jan@ikenmeyer.eu to anontela, sysrqb, igt0, jan@ikenmeyer.eu, sisbell

Looking at tor button code, we have the following comment

The "New Identity" implementation does the following:

• 1. Disables Javascript and plugins on all tabs
• 2. Clears state:

•  a. OCSP

•  b. Cache + image cache

•  c. Site-specific zoom

•  d. Cookies+DOM Storage+safe browsing key

•  e. google wifi geolocation token

•  f. http auth

•  g. SSL Session IDs

•  h. last open location url

•  i. clear content prefs

•  j. permissions

•  k. site security settings (e.g. HSTS)

•  l. IndexedDB and other DOM storage

•  m. plugin data

•  n. media devices

•  o. predictor network data

• 3. Sends tor the NEWNYM signal to get a new circuit
• 4. Opens a new window with the default homepage
• 5. Closes this window
• XXX: intermediate SSL certificates are not cleared.

Is it just a matter off hooking up this functionality or is there something else involved here?

Replying to sisbell:

Is it just a matter off hooking up this functionality or is there something else involved here?

That should be most of it. We'll need a UI for it (where do we put the button for this?), and we need to make sure the UI doesn't hold any references to now-invalid objects. torbutton should handle clearing all of the actual data with Gecko, so we'll need to make sure we handle clearing any higher-level abstractions around that data (like closing all tabs when this is triggered, clearing any in-memory history). We'll need to send NEWNYM ourselves, because torbutton doesn't have a controller connection on Android.

With all of that said, we're not going to work on this until after the fenix migration.

Trac:
Keywords: TorBrowserTeam201911 deleted, fenix-migration, TorBrowserTeamTriaged added

Renaming 'fenix-migration' as 'post-fenix-migration'

Trac:
Keywords: fenix-migration deleted, post-fenix-migration added

mentioned in issue #32535 (moved)

mentioned in issue #34408 (moved)

mentioned in issue tpo/applications/fenix#34408 (moved)

moved to tpo/applications/tor-browser#28800

mentioned in issue tpo/applications/tor-browser#41231