Implement "Do Not Track" as privacy-by-design

The purpose of Tor Browser is to build a private-by-design reference implementation of "Do Not Track", but through the alteration of browser behavior and without the need for regulation or begging. See also: https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

We've done this by taking the basic ideas of "Do Not Track" and defining them as privacy properties in terms of linkability between domains: https://www.torproject.org/projects/torbrowser/design/#privacy

Here's the current list of known violations of the identifier linkability: [[TicketQuery(keywords=tbb-linkability,status!=closed,format=table,col=component|priority|type|summary|owner,order=priority)]]

Here's the current list of known violations of fingerprinting linkability: [[TicketQuery(keywords=tbb-fingerprinting,status!=closed,format=table,col=component|priority|type|summary|owner,order=priority)]]

added SponsorZ-large component::applications/tor browser owner::tbb-team priority::high resolution::worksforme severity::normal status::closed tbb-firefox-patch type::project labels

Hmmm, I wonder how your list above fits to the Torbrowser design document. E.g.

"Design Goal: DOM storage for third party domains MUST be isolated to the url bar origin, to prevent linkability between sites."

But there is no such ticket mentioned in your description. My question propbably boils down to whether disabling features counts as a solution. That does not seem to be the case as you explicitly mentioned the 3rd party cookie patch in the description while having 3rd party cookies disabled in the current bundles. Thus, I guess tickets for applying the double keying to DOM storage, SSL Session IDs (3.5.6)... are "just" missing...

Trac:
Cc: N/A to g.koppen@jondos.de

Yeah, there should be a ticket for DOM storage and other things that provide functionality to sites (hence I would call these 'major' bugs). We can live without things like SSL session IDs without much more than performance impact (hence I would call this 'normal').

Please feel free to file whatever tickets you notice are missing and tag them with tbb-linkability or tbb-fingerprinting and we'll prioritize them appropriately. I'll do one for DOM storage right now.

Trac:
Keywords: SponsorZ deleted, SponsorZ-large added

The same developer here could also work on items from #6548 (moved), but if the browser vendors entirely ignore privacy-by-design, this ticket will also need additional development assistance in the long run.

Trac:
Description: The purpose of Tor Browser is to build a private-by-design reference implementation of "Do Not Track", but through the alteration of browser behavior and without the need for regulation or begging. See also: https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

We've done this by taking the basic ideas of "Do Not Track" and defining them as privacy properties in terms of linkability between domains: https://www.torproject.org/projects/torbrowser/design/#privacy

Here's the current list of known violations of the identifier linkability: [[TicketQuery(keywords=tbb-linkability,status!=closed,format=table,col=component|priority|summary|owner,order=priority)]]

Here's the current list of known violations of fingerprinting linkability: [[TicketQuery(keywords=tbb-fingerprinting,status!=closed,format=table,col=component|priority|summary|owner,order=priority)]]

to

The purpose of Tor Browser is to build a private-by-design reference implementation of "Do Not Track", but through the alteration of browser behavior and without the need for regulation or begging. See also: https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

We've done this by taking the basic ideas of "Do Not Track" and defining them as privacy properties in terms of linkability between domains: https://www.torproject.org/projects/torbrowser/design/#privacy

Here's the current list of known violations of the identifier linkability: [[TicketQuery(keywords=tbb-linkability,status!=closed,format=table,col=component|priority|type|summary|owner,order=priority)]]

Here's the current list of known violations of fingerprinting linkability: [[TicketQuery(keywords=tbb-fingerprinting,status!=closed,format=table,col=component|priority|type|summary|owner,order=priority)]]

Trac:
Cc: g.koppen@jondos.de to g.koppen@jondos.de, runa

From the FTC's report on DNT, page 53 (PDF page 69): http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

"The Commission commends recent industry efforts to improve consumer control over behavioral tracking and looks forward to final implementation. As industry explores technical options and implements self-regulatory programs, and Congress examines Do Not Track, the Commission continues to believe that in order to be effective, any Do Not Track system should include five key principles:

First, a Do Not Track system should be implemented universally to cover all parties that would track consumers. Second, the choice mechanism should be easy to find, easy to understand, and easy to use. Third, any choices offered should be persistent and should not be overridden if, for example, consumers clear their cookies or update their browsers. Fourth, a Do Not Track system should be comprehensive, effective, and enforceable. It should opt consumers out of behavioral tracking through any means and not permit technical loopholes. Finally, an effective Do Not Track system should go beyond simply opting consumers out of receiving targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than those that would be consistent with the context of the interaction (e.g., preventing click-fraud or collecting de-identified data for analytics purposes)."

While we don't meet all of those right now (we miss !#2 (closed) due to tbb-usability bugs, and !#3 (closed) due to our lack of updater, and !#4 (closed) due to the above bugs in this ticket's description), there's no technical reason we couldn't meet them all. However, the task is impossible for the actual DNT:1 header. In particular, there's no way for DNT:1 to ever satisfy requirements !#1 or !#4 (closed) (and arguably even !#5 (closed)).

See also my submission to http://www.w3.org/2012/dnt-ws/papers.html at: http://www.w3.org/2012/dnt-ws/position-papers/21.pdf

Trac:
Keywords: N/A deleted, tbb-firefox-patch added

Trac:
Component: Firefox Patch Issues to Tor Browser
Owner: mikeperry to tbb-team

Trac:
Username: michael
Cc: g.koppen@jondos.de, runa to g.koppen@jondos.de, runa, michael

This ticket is tagged SponsorZ, but it looks like progress stalled a while ago and its path forward is unclear. Is this still an open issue? Do we still want to seek funding for it?

Trac:
Reviewer: N/A to N/A
Sponsor: N/A to N/A
Severity: N/A to Normal
Cc: g.koppen@jondos.de, runa, michael to g.koppen@jondos.de, runa, michael, cass

I don't think we need to have a meta ticket for that with Trac queries.

Trac:
Resolution: N/A to worksforme
Status: new to closed

closed

moved to tpo/applications/tor-browser#6549 (closed)