Request "Off the Record"

This is the 26th post in an ongoing series describing new privacy features in Brave browsers. This post describes work done by Sr. Software Engineer Mark Pilgrim, with critical help from Cryptography Researcher Sofia Celi and Sr. Research and Privacy Engineer Shivan Sahib. This post was written by Peter Snyder.

Starting in version 1.53, Brave will begin rolling out a new feature called “Request Off the Record (OTR).” This feature aims to help people who need to hide their browsing behavior from others who have access to their computer or phone. For example, a person who is the victim of intimate partner violence who needs to find support services without their partner knowing, or someone needing to find personal healthcare without others in their home finding out.

Request OTR allows websites to optionally describe their own content as “sensitive.” The browser can then ask if the user would like to visit the site in OTR mode, where the site is visited in a clean, temporary storage area. Sites visited in OTR mode are not saved to your browsing history, and any cookies, permissions, or other site data do not persist to disk. Meanwhile, other sites visited are stored and treated as normal, obscuring to anyone who may access the device later that any “unusual” behavior happened.

Request OTR is another in Brave’s suite of features that support the privacy needs of individual users, protecting far beyond the “standard” threats browsers typically watch out for. Brave intends to work with other browser vendors to standardize OTR, so that at-risk browser users can be private and safe, across the Web, regardless of which browser they’re using.

This feature has been designed with the input of, and in collaboration with, several civil society and victim advocacy groups. We agree with Mallory Knodel, the CTO at the Center for Democracy and Technology, in the following:

Brave Browser's attention to detail with OTR Mode—users can more easily choose which websites are recorded in their browsing history—is an important privacy innovation that can protect users in "attacker you know" situations or anyone who wants more control over what their browser remembers and what it doesn't. This feature empowers people who browse the web—all of us—and gives us more agency over content consumption.

— Mallory Knodel, CTO at the Center for Democracy and Technology

Some users need to hide their browsing from people who have access to their device

Most often, when people talk about Web privacy they’re talking about protecting personal data from websites (e.g. blocking Google from recording the sites you visit).

However, Web users have other privacy needs too, needs that are currently poorly served by most browsers. Consider “Sarah,” a hypothetical Web user who lives with “Stan,” a physically abusive partner. Sarah needs to use the Web to learn about legal, medical, and other support services in her area, so she can safely exit her relationship. Stan, though, suspects Sarah may be planning to leave, and begins monitoring Sarah’s phone, computer, and other devices to see if she’s contacting support services.

Unfortunately, not only do browsers fail to protect users like Sarah, they actually make it easier for abusers like Stan to digitally surveil others. Browsers record a wealth of information about our browsing behavior and interests, both explicitly (e.g. browsing history, DOM storage, and cookies) and implicitly (e.g. cache state, saved credentials, URL autocomplete). Worse still, the tools browsers do include to protect people like Sarah are incomplete and / or difficult to use correctly.

Current browsers tools are insufficient for protecting against known abusers

Browsers currently provide some tools to help users hide their activity on sensitive sites. However, these tools are insufficient to protect people whose safety depends on hiding visits to specific sites from people who have access to their device. Existing tools either hide too much (thus inviting suspicion from abusers), too little (thus allowing abusers to recover browsing history), or are otherwise difficult to use successfully.

Private (also known as Incognito) windows allow users to browse the Web without their browsing activity being permanently recorded. Unfortunately, private windows do a poor job protecting users from on-device surveillance. It’s easy to forget to open a private window before visiting a site, especially under stress, thus causing the site visit to be permanently recorded. And it’s equally as easy to forget to close the private window, and thus continue browsing in the private window beyond just the target sensitive site. This can reveal to the abuser that private browsing modes have been used, which on its own may elicit suspicion or put the victim at further risk.

Similarly, some browsers include advanced browser controls that can be used to delete browser storage for specific sites. This approach has the drawback of needing to be performed after the site was visited, instead of protecting the user during the visit, which may put the user at risk if the browser needs to be closed quickly. Additionally, these controls are often difficult to find, and more difficult still to use correctly for non-technical users. And finally, these browser controls typically only allow the user to delete stored values for the site (e.g. cookies or permissions), but do not allow the user to delete other traces of the site (e.g. browsing history or caches).

Finally, some sensitive sites include quick-exit buttons in the site themselves, which allow a visitor to quickly navigate away from the site in a way that may be semi-difficult for an abuser to detect. While useful, this approach is also incomplete. Quick-exit buttons cannot delete many types of site data (e.g. permissions or caches), and are constrained in their ability to modify browsing history. Further, they depend completely on the correct implementation by the site; the browser is unable to protect the user.

Brave’s Request OTR provides a novel, powerful protection

Brave’s Request OTR approach provides a comprehensive way for sensitive sites to request to be omitted from a user’s browsing history and local storage. Any site can request to go OTR, and the user is prompted to see if the user would like to do so. If so, the Brave browser creates a temporary storage area for the site, and does not record the site visit in the user’s browsing history. The OTR session is tied to the site, and any other sites the user visits in the same tab (along with any sites visited in any other tabs) are recorded in browsing history as normal.

More specifically, Brave’s implementation of Request OTR protects the user in the following ways:

1. The user is protected the entire time they’re visiting a sensitive site; they don’t need to try and scrub their browsing history later.
2. Other, non-sensitive sites are recorded as normal, which prevents big gaps in browsing history that might look suspicious to an abuser.
3. All target site behaviors are prevented from persisting to disk, including cookies, caches, browsing history, permissions, etc.
4. OTR prevents sites from abusing the feature; a site cannot go off-the-record unless a user explicitly gives the site permission to do so.

How can sites request to be off the record

Brave has developed Request OTR specifically to help people suffering from intimate partner violence, or people otherwise needing to hide visits to sensitive sites from their browsing history. However, OTR is intentionally a general browser feature, and is intended to be usable by any site on the Web. 

Request-OTR header

Currently, there are two ways for a site to request to go off the record in Brave. The primary, intended way is for the site to include the header Request-OTR: 1 in the response to the initial navigation request for a site. If the browser sees this header, the browser will halt the navigation and ask the user if they would like to visit the site off the record.

If the user says yes, then the browser does two things:

• It does not record the site visit in the browser history
• It creates a temporary storage area for caches, cookies, permissions, etc.

The browser continues using this temporary storage area for all subsequent pages visited within the same tab, within the same site. When the user closes the tab, or navigates away from the site, the temporary storage area is discarded, and browsing behaviors return to being recorded as normal.

Request-OTR preload list

The second way for a site to request to go off the record is to be included in Brave’s preloaded list of “request off the record” partner sites. These are sites that serve victims of intimate partner violence, and have told Brave they’re interested in being considered a sensitive site by the browser. This list is intended as a bridge measure, until all sites can implement the previously mentioned header approach.

Limitations of Brave’s Request-OTR implementation 

Brave’s Request OTR feature prevents visits to sensitive sites from being recorded in a user’s browser history, both overtly (browser history, cookies) and incidentally (caches, permissions, etc). Brave’s Request OTR feature is covered by Brave’s security bug bounty program, and we welcome any reports of data from an “off the record” session being incorrectly or incompletely cleared.

However, users should be aware that Brave’s Request OTR feature does not protect users from other software on their computer that might record information about what sites they visit. Examples of software the Brave browser cannot hide browsing history from include:

• Browser extensions
• Network spying
• Malware or spyware installed on the device
• Information saved by sites before or after you visit the “off the record” (such as if you have “Google Web History” enabled on Google Search or Gmail)
• Operating-system level logging
• Crash logs

Brave is exploring what additional protections can be provided against such threats, but users should be aware that (as with systems like private browsing mode) Brave’s Request OTR mode only prevents recording of core browsing behaviors and data.

Next steps in Request-OTR

We’re excited to release Request Off the Record in upcoming version 1.53 of our desktop browser, with an Android version coming in the 1.54 release. We’ll be rolling it out to users shortly, though people interested in testing the feature now can enable it by visiting brave://flags and enabling #brave-request-otr-tab. Please note that this should only be done if you understand the risks of testing experimental browser features. We welcome all feedback on the feature.

We’re also excited about the next steps we’re taking to further improve the Request OTR feature. First, we’re working with experts and researchers at George Washington University and Paderborn University to evaluate how Request-OTR is understood by users, and how we can further convey to users exactly what protections the feature does (and does not) provide. We will both share the research that results from this collaboration on this blog, and incorporate it into future versions of Request-OTR in Brave.

Second, we’re interested in working with other browsers, organizations, and Web companies to potentially standardize Request-OTR, so that users of other websites and browsers can benefit from the protection. Our current implementation is the result of working with a wide range of abuse advocates, technologists, browser specialists, and NGOs, and we’re eager to continue working with similar organizations to best support Web users.