19:59:52 #startmeeting tor-browser-vision 02/08
19:59:52 Meeting started Fri Feb 8 19:59:52 2019 UTC. The chair is pili. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:59:52 Useful Commands: #action #agreed #help #info #idea #link #topic.
19:59:58 <- is here too
19:59:59 o/
20:00:02 hii
20:00:10 ← lurking until my eyes + brain go on strike.
20:00:12 Let me share the pad I will use to take notes: https://storm.torproject.org/shared/p5Hi-Jm8R5fBzdXSL5CuZbAF84oPlFRgL6qEocyEFfK
20:00:22 wow, the room is crowded
20:00:28 nice to see some people not on the browser team! :)
20:00:38 (it's always nice to see the browser team people ;) )
20:00:39 well, they are :)
20:00:44 hah
20:01:34 so, I called this session to try to organise our vision for where the Tor Browser should be in the near future (e.g 2 years time)
20:01:58 to hopefully help the team get there
20:02:10 * sysrqb is actually here, too (surprisingly)
20:02:32 we can structure the session with some questions or people can just fire away their ideas :)
20:03:02 so maybe I'll start with an ice breaker question of why we need Tor Browser?
20:03:12 (first answer gets a virtual beer)
20:03:40 for protection against tracking, surveillance, and censorship online
20:03:43 Tor Browser is the interface for freedom
20:03:48 To provide and easy and safe way for people to use the Internet
20:03:49 to make tor accessible for more people and easy to use
20:03:54 s/and/an/
20:04:16 first🍺 for stephw :D
20:04:22 :D
20:04:27 we need it right now
20:04:32 but what about in two years
20:04:32 hehe cheers o/
20:04:40 or 5?
20:04:59 in 2 years we will need it because there will be more need for using onion services
20:05:03 cover metadata
20:05:16 yeah. will there be other private browsers at that time?
20:05:27 yes
20:05:36 (other browsers that meet the Tor Browser standard)
20:05:38 but how many will invest on this type of experience?
20:05:39 Unless another browser meets or gets real close to the security goals of Tor Browser; there will still be a need.
20:05:40 other private browsers using tor, yes
20:05:47 okay, so do we need it because no one else has caught up?
20:06:01 or do we need it because we want to have an own browser we control and ship?
20:06:07 +1
20:06:08 at TB in 2 years we would still be able to offer specific tor experiences
20:06:28 tjr: +1
20:06:40 maybe at some point Firefox is secure enough, Tor Browser is usable enough, and both can merge
20:06:53 and we can show how we envision things to evolve (like the onion services experience, circumvention experience)
20:07:04 We need Tor Browser to make consent a possibility on the web. Because people need means to decide with whom they're intimate with (e.g. Google or not? Facebook or not?), who gets to know where they are and when, what they do online, etc.
20:07:29 But just because another browser meets Tor Browser's security guarantees doesn't mean it always will. ceding control of the security guarantees by stopping to ship a browser is a risk.
20:08:13 i worry that the Tor Project is not equipped to be a browser vendor
20:08:15 that would need to be a slow process where we also build a way to verify or not if a browser is meeting our standards
20:08:41 and the resources of TPI can be put toward other application-level privacy improvements rather than concentrating only on a browser
20:09:08 so are we doing it to provide a measuring yard for other browsers in terms of security?
20:09:59 I'll throw out a completely different vector though: Tor Browser could be a monetization opportunity for Tor if we were paid for our searches like every other major browser.
20:10:09 pili: a test thing users can test if a browser meets our standards
20:10:37 but i think that this might be a thing to start at the end of this 2 years timeline
20:10:57 what might be a thing?
20:11:10 tjr: yes, it could!
20:12:08 * arma1 is here and reading in the background
20:12:09 GeKo: work on a way for users to test other browsers - to see if they are following our standards. something like pinoticlick (not sure if it how you write it)
20:12:21 ok, any other ideas about why we need Tor Browser or shall we move on? :) (although we already moved on a bit)
20:12:48 And I will also throw out that Tor Browser is an opportunity for Tor to participate in internet standards as a full fledged member instead of an observer; by being a platform for 'running code'
20:13:03 +1
20:13:09 And vote for change and lodge formal complaints, etc
20:13:49 pili: let's wait a bit because that's one of the crucial things we need to decide at some point at least
20:14:06 GeKo: fine with me :)
20:14:09 tjr: yeah, that's something we briefly talked about in Mexico, too
20:14:10 even if other browsers come close to tor browser security/privacy, there will still probably be a lot of things we can improve/fix in that domain
20:14:16 (being more involved in standards)
20:14:20 do we want to become or be an own browser vendor or are we planning not to?
20:14:47 geko: i wonder if there is a decision tree you can describe, that pushes you toward one or the other
20:14:57 like, "if x happens, we can stop"
20:14:58 because depending on the answer the priorities for the next years are quite different
20:15:18 GeKo: it's not 100% clear to me what "own browser vendor" means. Is it "not being a Firefox fork"? Anything else?
20:15:18 pushes whom?
20:15:55 ^ arma1
20:16:48 geko: you said "do we want to be A or B" and i am suggesting rather than answering that now, it is based on future events, and we can describe the future events that make us pick A, and the ones that make us pick B
20:16:52 GeKo: I think where we are currently is "We are not our own browser".
The advantages of being our own browser (monetization, standards weight) are only advantages if we pursue them; so to become "our own browser" (which to me, means trying to adapt to use as a user's primary browser) is premature until we are prepared to pursue those advantages
20:18:12 tjr: i agree with that but that's a matter of prioritization
20:18:20 tor doing for profit things might be a discussion for a bigger forum no?
20:18:44 so maybe let me give a bit more background where we come from and where we currently are
20:19:00 there was a time without tor browser (yes!)
20:19:12 where we had torbutton to deal with privacy issues on the browser level
20:19:43 at some point it turned out the web grew too powerful and mike created the tor browser project to defend against that
20:20:09 the goal was to provide a private browsing mode taking the network attacker into account
20:20:26 and showing that by privacy-by-design alone this was possible
20:21:05 at the same time we thought it's worth to upstream our patches so that at some day in the future browser vendors would do their job
20:21:27 and provide a "meaningful" private browsing mode for those users who wished that
20:21:43 fast forward to today
20:21:54 the tor browser team is still operating in that mode right now
20:22:17 we provide patches so that at some day in the future other browser will provide the things they should provide
20:22:52 so I guess the obvious question is: is that where we want to be in 2 years time, or? :)
20:22:58 my question is whether we should change that mode
20:23:02 provide not just patches but also a set of principles for deciding what needs to be kept safe
20:23:07 and what are the alternatives if not?
20:23:29 and say, okay, we see so much value in a browser that we want to provide our own (with own branding, a proper non-private browsing mode etc.)
20:23:43 GeKo: i think staying in that mode is just fine - but i want to confirm that this mode includes also things like the experiences we are shaping for users in the browser
20:23:58 i see this experiences like patches as well :)
20:24:36 to continue this mode for the next 2 years is a fine thing to do imo
20:24:46 I would say that This Mode will always relegate Tor Browser to being a user's secondary browser, the thing they use 'on purpose' for a specific scenario rather than the browser they use by default for web browsing.
20:25:01 tjr: yes, i totally agree
20:25:03 would proper non-private browsing mode requires operating in a different mode?
20:25:17 and the question is whether we are fine with that
20:25:24 hmm
20:25:30 or whether we want to have tor browser as the user's first browser
20:25:43 a real one, not crippled as it is right now
20:25:58 hmm
20:26:00 (no history, no tab restoring after restarts etc.)
20:26:07 from isa's question, i think making usable security and privacy tools are equally important as implementing the necessary internal changes
20:26:09 That, I feel, is the crux of this question. And the biggest reason I came to this meeting :)
20:26:20 yeah
20:26:35 GeKo: ok
20:26:43 i never thought we were doing two different things here
20:26:57 isabela: this is why i wanted to have you at this meeting :)
20:27:17 i never thought we were not considering the current work our way into building a user first browser
20:27:42 that is why i am saying doing what we are doing is ok because i see us working towards that
20:28:04 i don't think we are right now
20:28:11 but we could do so if we wish
20:28:25 what would be different?
20:28:36 but i am not sure whether the tor project should become a browser vendor
20:28:54 isabela: For one, we'd keep your cookies around, so you'd stay signed into things.
20:29:26 even tor browser users in this room have history enabled in their tor browsers
20:29:33 tjr: sometimes, right?
20:29:42 And then there'd be a bunch of follow-up work and implications around the goal of "Generally, if you want to stay signed into something you will"
20:29:42 normal tab vs private tab?
20:29:52 i heard about those antonela and i was SHOCKED :)
20:30:03 sysrqb: Right in non-Private Browsing Mode. PBM would discard everything like every browser.
20:30:09 i know you were shocked haha
20:30:35 yeah
20:30:44 (just clarifying :) )
20:31:04 i think there are some people who really want a usable tor browser that saves sate
20:31:08 *state
20:31:29 let me give you a link where arthur thought about that
20:31:31 can we not become a browser vendor, and still offer a browser with an option to save state?
20:31:33 and we're currently straddling that line, between offering that and ignoring it
20:31:33 how much this would increase in risk for the user tho?
20:31:41 he could not make it to this meeting, though
20:31:50 i wonder who wants this type of feature the most are people with a bit more privilege no?
20:31:55 https://docs.google.com/document/d/1AN4RsNhZW7uqfjDQBAvw3kLFymFBBaDU6lh4YvEzWgY/edit?usp=sharing
20:32:01 isabela: +1 +1 +1
20:32:09 and wonder if tor should try to do it so we become a full browser yet to compete w/ others doing that
20:32:10 isabela: yes
20:32:20 antonela: I'd love to see user research targeted at folks who do use TB as their primary browser. What kind of tweaks we do to make it comfortable enough.
20:32:49 that could be interesting intrigeri, custom setups from advanced users?
20:33:12 antonela: Yes, this could inform this kind of conversations.
20:33:22 antonela: user research at the next tor meeting :)
20:33:26 i would say users that has tb as primary browser
20:33:30 not necessary 'advanced'
20:34:11 that also, we are talking about people with technical background who made their own risk assessment
20:34:16 like how this would affect the pm we met from access now who lives in Ethiopia and tb is the only way she access the internet from there
20:34:20 To advanced users it would be more like "what do you change to make it survivable?" and to others it would be "what's the most painful things?".
20:34:45 we will be running something like this india next week :)
20:34:53 will cc you intrigeri to those docs
20:35:03 antonela: :)
20:35:10 yay :)
20:36:06 we also still want to keep it easiest for the most at risk users though right?
20:36:13 so maybe any of these changes would be selected
20:36:15 rather than default
20:36:15 GeKo: the gdoc link is not working for me
20:36:18 i guess one question is: when do we think another browser will start providing a similar experience and protections as tor browser
20:36:23 certainly one of our challenges is that in some ways we do not know much about our users
20:36:28 and are we willing to wait for that to happen
20:36:36 (so more research is good)
20:36:47 isabela: it works in tor browser for me :)
20:36:53 are you using something else? ;)
20:37:03 ouch. :)
20:37:05 i got one from antonela and is working
20:37:39 so my question would be
20:38:06 should we go on a direction where we will reduce privacy to provide new features or other usability options
20:38:21 or should we invest on creating experiences where there is more privacy
20:38:25 maybe we can ask how we can make those things even more secure than default browsers? we talked about that, encrypted bookmarks, encrypted history?
20:38:28 GeKo: thanks for sharing, that's a good writeup.
20:38:32 like onion services without metadata etc
20:38:42 yeah, i think arthur has good points
20:38:46 and show how things can be done
20:40:20 is tor browser a prototype private browser, or is tor browser browser?
20:40:26 *a browser
20:40:42 right now it's meant to be a prototype private browser
20:40:58 because we basically cut out a lot and take shortcuts
20:41:06 i like most of the points on arthur's doc
20:41:17 at the expense of functionality and usability
20:41:17 i think the history thing should be an opted in
20:41:34 it is already as some browser devs show :)
20:41:36 but i dont see those different from the current mode we are now
20:41:42 but it's not recommended and not maintained
20:41:47 basically yolo
20:42:05 antonela: I'm supportive of that approach
20:42:19 antonela, tjr: +1
20:42:21 me too, arthuredelstein and i talked about all this things multiple times
20:42:35 I mean it would be pretty easy to do something like "To retain history, you must set a passphrase you enter at browser start"
20:42:53 yeah the password-safe like experience seems like it would be a good fit with a browser
20:43:27 yep
20:44:01 isabela: it's not *that* different (it perhaps belong to the symbolic domain at this point), but I suspect that once a real thing, targeting "making it more realistic that people want to use TB as their primary browser" would, later on, change things a lot, from a product perspective and user PoV.
20:44:11 so would people agree that in 2 years we want a browser that is the standard for safe and private browsing, whilst being as usable as any other browser out there?
20:44:20 intrigeri: yes
20:44:33 and is that something that we think is achievable and what do we need in order to get there?
20:45:11 being as usable as any other browser out there == being the primary browser for X% of users
20:45:26 pili: 1. ask users who manage to survive "TB as my primary/only browser" already; 2. ask users who tried but gave up; 3.
fix what can be fixed :)
20:45:46 intrigeri: you make it sound so easy :D
20:45:48 (or 3. realize we can't.)
20:46:13 i think we'd need to consider changing the "Application Data Isolation" requirement from the design doc
20:46:21 I worry that connections through Tor are going to permanently exclude us from "as usable as any other browser"; but that we could at least get better than we are today.
20:46:41 yeah, modulo that
20:47:10 sysrqb: not only that
20:47:35 yes, true
20:47:42 we might want to seriously think about getting away from the esr cycle e.g.
20:48:25 * isabela has another meeting in 10min fyi
20:48:29 because we get users coming to us saying this works in firefox, your browser is broken
20:48:48 and it turns out this indeed works in firefox, but not in firefox based on esr
20:49:10 i've heard serious criticism about following esr, too
20:49:10 there are a lot of those gotchas if we want to go that road
20:49:15 yeah
20:49:22 from a security perspective
20:49:29 yeah, I was just going to say that we hadn't explicitly said this meeting was going to be an hour long, but maybe we should think about wrapping this up for today and how we want to continue this conversation
20:50:20 everyone is of course welcome to carry on discussing here :)
20:50:29 I think we're having a really good conversation
20:50:48 and I don't necessarily want to stop people from continuing that
20:50:58 it's been an overdue one
20:51:30 but it's late on a friday, too :)
20:51:41 (sorry for the scheduling... :) )
20:51:42 so respecting people time is important too
20:51:45 for some folks :)
20:51:59 * sysrqb is not talking about themself
20:52:16 :)
20:52:34 scheduling a follow up meeting sounds like a good idea, at least
20:52:36 hey pili, lets do a second part?
20:52:38 yes yes
20:52:41 :)
20:52:42 sounds good to me
20:52:56 having an option to keep state sounds very nice, but I think we need to make sure users understand well the risks/threat model with this option before they enable it
20:53:09 I was also going to say that I think it might be good to distill some of these conversations we've been having today into an email and possibly start a thread on it
20:53:14 boklm: +1
20:53:14 ready for part 2 after GeKo gets back from holidays?
20:53:33 boklm: yes
20:53:33 would be good to organize the ideas that came out here?
20:53:40 boklm: yes
20:53:42 isabela: yup, I would do that
20:53:48 tx
20:54:08 boklm: +1
20:54:12 pili: excellent.
20:54:14 pili: sending the result to tor-project would be worthwhile i think
20:54:22 GeKo: yup, definitely
20:55:08 any final words from anyone?
20:55:14 you have 3 minutes ;)
20:55:25 thanks for this meeting i think is indeed a necessary chat
20:55:25 s/you/we :D
20:57:08 ok, I guess not :)
20:57:17 thank you so much everyone for taking the time to come and share your ideas today
20:57:22 thanks folks! a pleasure as always!
20:57:27 +1
20:57:44 I will follow up on monday with a summary and points for discussion
20:57:50 thanks
20:57:56 and we can take it from there, ready to schedule another session in a few weeks time
20:58:10 #endmeeting