This ongoing research is being conducted by Ruba Abu-Salma, a Ph.D student in Computer Science from University College London (UCL), and Brave’s Chief Scientist, Dr. Ben Livshits. The final findings will be submitted as a paper in the next several weeks.
Private browsing is a privacy-enhancing tool, where the web browser does not record users’ private browsing activities on the local device [1]. It is a special mode that allows users to browse the Internet without saving any information (e.g., cookies, temporary files) about the websites they have visited in private mode.
Prior work has quantitatively (through survey studies) investigated whether users are aware of private browsing, what they use it for, and whether they understand what it does [2, 3, 4, 5, 6]. Most surveyed respondents were either unaware of private browsing, or did not use it. Further, the vast majority of respondents had misconceptions about private browsing — such as incorrectly believing private browsing protects against visited websites, ISPs, and governments. However, prior work has not investigated why users misunderstand the benefits and limitations of private browsing.
In this work, we seek to explore why users misunderstand private browsing by investigating their mental models of private browsing and its security goals. We also study users’ private browsing habits. We do so by conducting a qualitative, interview-based study with users and non-users of private browsing. The value of conducting qualitative research lies in providing a holistic understanding of the phenomenon under enquiry using predominantly subjective qualitative data, which can be later supplemented by quantitative data.
Our Study: Exploring User Mental Models of Private Browsing
We hypothesize that users’ mental models of private browsing are diverse and do not necessarily map to the narrow set of threats against which browsers actually protect. In our study, we build on prior work and conduct a qualitative study to explore users’ mental models of private browsing and its security goals. We also study how people use private browsing.
Typically, a study of this nature [a qualitative user study] involves between 12 and 25 participants [7, 8]. To recruit our 25 participants, we posted flyers and distributed leaflets in London, UK. We asked interested participants to complete an online screening questionnaire. We aimed to recruit a demographically-diverse sample of participants — in terms of gender, age, race, educational level, and employment status — to assess whether participants’ demographics affected the robustness of their mental models. We also assessed participants’ technical background. Further, we provided participants with a list of different web browsers, and then asked which browsers they used. Google Chrome was the most used web browser by our participants, followed by Firefox, Safari, Internet Explorer, and Brave, respectively.
Preliminary Findings
We now present some preliminary findings of our qualitative study. We do not report how many participants mentioned each finding in this post because this is ongoing work. We only describe high-level findings and insights.
What are users’ mental models of private browsing?
Participants drew their mental models of private browsing. We show some of the participant drawings throughout the post, to illustrate participants’ conceptual understanding of the term “private browsing.”
Although all participants mentioned that they had heard of the term “private browsing,” and felt confident explaining it, almost all participants associated private browsing with privacy tools that provide more protection than what private browsing in Google Chrome, Firefox, Internet Explorer, and Microsoft Edge guarantees. For example, some participants associated private browsing with secure browser connections (i.e., network encryption). Others associated private browsing with end-to-end encrypted communications, anonymous communications (using a VPN or Tor), or user authentication. The drawings below explain some of our participants’ mental models of private browsing.
Who uses private browsing?
We also investigated users’ private browsing habits. There appear to be three types of users:
- Habitual users: those who regularly browse in private mode and describe themselves as “paranoid” or “cautious.” Participants who used private mode for all browsing activities reported using private browsing made them feel “safer.”
- Ephemeral users: those who occasionally browse in private mode depending on their browsing activities and the websites they visit.
- Former users: those who have used private mode, but stopped using it mainly due to (1) lack of utility; (2) lack of usability; (3) misperceptions of private browsing.
We found participants who had browsed in private mode did not necessarily visit “embarrassing websites.” Many participants used private browsing for logging into a service using another account, online shopping, or developing/debugging software.
Alarmingly, some participants performed several browsing activities that they regarded as sensitive in private mode while being authenticated to their personal online accounts (e.g., their Google or YouTube account), believing their search history would be deleted after exiting private browsing.
Participants who stopped browsing in private mode did so due to:
- Lack of utility – e.g., some participants stopped using private browsing because they thought browsers did not allow extensions to run in private mode (although users can manually enable extensions in private mode in most browsers);
- Lack of usability – e.g., some participants reported all entries added to the browser history file while privately browsing would get deleted after they exited private mode;
- Misperceptions of private browsing – e.g., some participants perceived those who browse in private mode as, for example, people who are up to no good.
Finally, participants who occasionally browsed in private mode (ephemeral users) or stopped browsing in private mode (former users) perceived the routine/daily use of private browsing as paranoid. In particular, they described habitual users of private mode as “paranoid people,” “people who have something to hide,” or “people who are up to no good.”
What do users want from private browsing?
Most participants expected that anyone who has physical access to their device should find no evidence of the websites they visited in private mode. Further, the vast majority of non-technical, “unsophisticated” participants expected a private mode that works properly not to link the user’s activities in private mode to those in public mode, as well as not to track the user’s activities on other websites. Additionally, most participants expected a website visited in private mode not to determine whether the user’s web browser is currently in private mode. Participants did not consider how IP addresses and various browser features – such as screen resolution and timezone – can be used by a visited website in private mode to fingerprint users.
Some browsers have added privacy functions to help reduce website tracking. For example, Brave has recently added onion routing (Tor) as an option to its private tabs. Also, Firefox disables third-party cookies while browsing in private mode. However, no web browser currently meets all users’ expectations.
Conclusions: Designing Better Browser Disclosures
Our preliminary findings suggest that users’ mental models of private browsing are diverse and do not necessarily map to the definition generally agreed upon by the security and privacy community or browser vendors. Prior work has shown that users usually overestimate the benefits of private browsing [2, 3, 4]. We argue:
- Users’ understanding of the security goals of private mode depends on their interpretation of the term “private browsing.”
- A key user-related challenge for private browsing is not adoption (i.e., trying to increase the adoption of private browsing by mainstream users, as prior work (e.g., [2, 3, 4]) has been investigating), but appropriate use. We need to ensure that people have correct mental models of private browsing and understand what it does before adopting this privacy tool. This could be achieved through the design of effective browser disclosures – a browser disclosure is the full-page explanation a browser presents when users open a new window or tab in private mode.
The high-level description of private mode as a “private window” or a “private tab” is vague, and insufficiently informs users (especially first-time users who have not used private browsing before) of the security goals of private mode. As our findings, as well as prior work [5, 6], suggest, current browser disclosures are not effective in communicating the benefits and limitations of private mode. Little work has investigated how to design effective browser disclosures. We, therefore, plan to perform a participatory design study with end users to develop better browser disclosures, through the use of illustrations and diagrams, to better communicate the security goals of private browsing and address users’ misconceptions.
References
- Gaurav Aggrawal, Elie Bursztein, Collin Jackson, and Dan Boneh. An Analysis of Private Browsing Modes in Modern Browsers. In Proc. USENIX Security Symposium, 2010.
- Xianyi Gao, Yulong Yang, Huiqing Fu, Janne Lindqvist, and Yang Wang. Private Browsing: An Inquiry on Usability and Privacy Protection. In Proc. Workshop on Privacy in the Electronic Society, 2014.
- DuckDuckGo. A Study on Private Browsing: Consumer Usage, Knowledge, and Thoughts. Technical Report, January, 2017.
- Elie Bursztein. Understanding How People Use Private Browsing. Technical Report, July, 2017.
- Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acar, Sascha Fahl, and Blase Ur. Your Secrets Are Safe: How Browsers’ Explanations Impact Misconceptions About Private Browsing Mode. In Proc. Conference on World Wide Web, 2018.
- Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing. In Proc. Symposium on Usable Privacy and Security, 2018.
- Tamy Guberek, Allison McDonald, Sylvia Simioni, Abraham H Mhaidli, Kentaro Toyama, and Florian Schaub. Keeping a Low Profile?: Technology, Risk and Privacy among Undocumented Immigrants. In Proc. ACM Conference on Human Factors in Computing Systems, 2018.
- Rock Stevens, Daniel Votipka, Elissa M. Redmiles, Colin Ahern, Patrick Sweeney, and Michelle L. Mazurek. The Battle for New York: A Case Study of Applied Digital Threat Modelling at the Enterprise Level. In Proc. USENIX Security Symposium, 2018.