Privacy Browser adheres to two core privacy principles.
- Minimize the amount of information that is sent to the internet.
- Minimize the amount of information that is stored on the device.
Let me explain why both of these are important and how they affect which features are included in Privacy Browser.
Minimize the amount of information that is sent to the internet
The fundamental reason why it is so easy for websites to track you is because your browser sends far, far, far too much information to the internet. Sometimes this is because someone thought up a neat feature that, as a side effect, allows websites to track you. Other times these features were specifically designed to track users. But the end result is the same: websites can track you despite almost everything you do to stop it.
At a very basic level, websites only need two pieces of information to send you a webpage.
- The URL you are requesting.
- The IP address and port number the response should be sent to.
If the website requires a login, this is expanded to three pieces of information.
- The URL you are requesting.
- The IP address and port number the response should be sent to.
- A cookie that demonstrates you have correctly been authenticated (there are no other valid uses for cookies, in my opinion).
They don’t need anything else. They don’t need JavaScript. They don’t need to know your user agent. They don’t need to know anything about your screen size. They don’t need to probe the specs of your graphics card. They don’t need to read your accelerometer. They shouldn’t get to control tabs, or system popup boxes, or track your mouse position, or what you are typing before you send it to them. They shouldn’t know how you display the information they send you. They don’t need to do any of these things.
Now, for every one of these items above, and hundreds of other examples, there is some genuinely sincere web developer out there who says, “But I can build this really cool website if I just have access to that information.” That may be true, but either there is some way to build that same website (or one just as good) without spying on you, or, as a user, you should make a conscious decision to enable some dangerous permission for that domain because you trust the web developer. None of this stuff should be on by default.
There is an outside argument that can be made for also sending the language of the device, so that websites can automatically switch languages to match. Maybe. But from a privacy perspective it would be better to just include the language in the URL.
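To make the minimum described above concrete, here is an added Python example (not code from Privacy Browser) that builds the smallest HTTP/1.1 request a site needs for the URL-plus-cookie case, audits a constructed sample of a typical browser request to show which headers describe the client rather than the request, and carries the language in the URL instead of a header. The sample request, the header categories, and the `lang` query parameter name are this example's own assumptions.

```python
"""Audit which request headers a client sends beyond what a site needs.

Added example, not code from Privacy Browser. The sample request below is
constructed to resemble what a desktop browser sends; the header categories
are this example's reading of the principle that a site only needs the URL,
the return address (supplied by the TCP connection) and, for logins, a cookie.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Host carries the URL's authority; the path goes on the request line.
REQUIRED = {"host"}
# Only needed when the site requires an authenticated session.
SESSION = {"cookie"}
# Headers that describe the client, not the request. The descriptions are
# this example's shorthand for what each header reveals (assumed, not from the page).
CLIENT_DESCRIBING = {
    "user-agent": "browser, version and operating system",
    "accept-language": "device language (the text suggests putting it in the URL)",
    "referer": "the page that linked here",
    "sec-ch-ua": "browser brand and version (client hints)",
    "sec-ch-ua-platform": "operating system (client hints)",
    "sec-ch-ua-mobile": "mobile or desktop form factor (client hints)",
    "accept-encoding": "supported compression, varies by browser build",
    "accept": "media types, varies by browser build",
    "dnt": "tracking preference, itself one more fingerprint bit",
}


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into method, target and a lowercase header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit(headers: dict[str, str]) -> dict[str, list[str]]:
    """Sort request headers into required, session, client-describing and other."""
    report: dict[str, list[str]] = {
        "required": [], "session": [], "client_describing": [], "other": []
    }
    for name in headers:
        if name in REQUIRED:
            report["required"].append(name)
        elif name in SESSION:
            report["session"].append(name)
        elif name in CLIENT_DESCRIBING:
            report["client_describing"].append(name)
        else:
            report["other"].append(name)
    return report


def minimal_request(url: str, session_cookie: str | None = None) -> str:
    """Build the smallest request the text describes: the URL, plus a cookie
    only when the site requires a login. The sender's IP address and port come
    from the TCP connection, so no header has to carry them."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [f"GET {target} HTTP/1.1", f"Host: {parts.netloc}"]
    if session_cookie:
        lines.append(f"Cookie: {session_cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"


def language_in_url(url: str, lang: str, param: str = "lang") -> str:
    """Carry the preferred language in the URL rather than in an Accept-Language
    header. The site would have to honour the parameter; 'lang' is an assumed name."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = lang
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample: roughly what a desktop browser sends for one page.
TYPICAL_REQUEST = (
    "GET /article?id=42 HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Referer: https://search.example/?q=privacy\r\n"
    "Cookie: session=abc123\r\n"
    "Sec-CH-UA: \"ExampleBrowser\";v=\"1\"\r\n"
    "Sec-CH-UA-Platform: \"Linux\"\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    _, _, sent = parse_request(TYPICAL_REQUEST)
    report = audit(sent)
    print(f"{len(sent)} headers sent; needed: {report['required'] + report['session']}")
    for name in report["client_describing"]:
        print(f"  reveals {name}: {CLIENT_DESCRIBING[name]}")
    print("minimal equivalent:")
    print(minimal_request("https://www.example.org/article?id=42", "session=abc123"))
    print("language in URL:", language_in_url("https://www.example.org/article?id=42", "de"))
```

Running it against the sample shows eleven headers sent, of which only Host and Cookie serve the request; the rest describe the browser and device. The same `audit` function can be pointed at a request captured from any client to see how far it is from the minimum.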
Another way of saying this is that I think the browser should be a limited client instead of a general computing platform. This philosophy is in direct opposition to that held by Google or Mozilla, who believe that the browser should be the operating system. The reason why that is a bad idea is because a browser is designed to process input from untrusted third parties and so it should be very limited in what it allows those untrusted third parties to do, whereas an operating system is designed to run trusted code that a user with appropriate authority has installed, so it should allow those trusted programs to do powerful—and therefore potentially dangerous—things. One application of this principle is that I have no intention of creating a plugin framework for Privacy Browser. Although some plugins do useful things, more frequently they do things the user would never approve of if they knew what was going on.
Because Privacy Browser is currently based on Android’s WebView, there is a limit to how much information I can choose not to send to the internet. But in the 4.x series I am going to create a rolling fork of WebView called Privacy WebView, and that is when it is going to get serious. Among other things, this means I am going to break a whole bunch of RFCs that govern how the internet is supposed to work. I am normally very supportive of open standards, and I do not advocate breaking them lightly. But, because the internet has been built from the ground up to track us, and because this tracking has been baked into the core internet standards, overriding them is the only way to reclaim our privacy. In other words, if there is ever a conflict between privacy and a web standard, privacy will always win out (WebRTC being an example that is understood by a lot of people).
This is unlikely to make me popular with web developers. But my end goal is for Privacy Browser to gain sufficient market share so that web developers start making their websites function well without spying on us, and so that other browsers also start adopting this philosophy.
Minimize the amount of information that is stored on the device
Most browsers store massive amounts of information on your device. This information can then be abused by third parties. There is a long list of incidents of websites being able to extract browsing histories by abusing cache timing, or cookies, or other stored information that was supposed to be private.
As a general guideline, Privacy Browser does not store anything permanently on the device unless there is specific user interaction to do so. The Service Worker directory is deleted after every page load. Everything else is wiped when Clear and Exit is selected from the navigation menu or the last tab is closed. Privacy Browser allows users to store bookmarks and domain settings across app restarts, but users do not need to take advantage of these features if they do not want to use them.
For people who need extreme privacy in this regard, there is an Incognito Mode that wipes the cache and history every time a webpage finishes loading. For a human rights worker in an oppressive regime, where visiting a forbidden website could be the difference between life and death, this can be worth the usability trade-off.
From time to time I receive requests to add features to Privacy Browser that automatically store comprehensive histories across reboots or restore tabs on a restart. Although I can see the usefulness of such features, I am opposed to anything that automatically stores a browsing history just by engaging in normal browsing behaviors. Doing so makes it easy for malicious apps or devices made by companies like Cellebrite to extract browsing history from user devices without consent. As such, these types of features are unlikely to ever be implemented.