Private mode/incognito #34

Open
martinthomson opened this issue Oct 12, 2022 · 8 comments

@martinthomson
Contributor

Studies have shown that people do not want their data sold or shared. However, in some jurisdictions they can only avail themselves of that preference by explicitly asserting control.

This makes it clear that defaulting to GPC being on might engage some additional obligations on the browser side. Does this make it impossible to default to enabling GPC in private browsing modes, only with appropriate interface affordances, or only in some jurisdictions?

Some more guidance here seems like it might be warranted as this particular choice imposes a burden on implementations that is potentially confusing or inconsistent. At worst, it means that implementations might need to choose universally safe options, which tend to result in transfer of the responsibility for privacy labour to their users.

@arichiv
Contributor

arichiv commented Oct 28, 2022

I'm taking a stab at flexibility for this here: #39

It's not fully answering your question but makes it clear the door is at least open to it.

@SebastianZimmeck
Member

> Does this make it impossible to default to enabling GPC in private browsing modes, only with appropriate interface affordances, or only in some jurisdictions?

The answer to these questions depends on the laws and regulations in a particular jurisdiction. For example, per the CCPA, a consumer’s choice of using privacy-preserving browsers or other tools is considered a sufficiently deliberate act that is interpreted as a consumer expression of a preference to not have personal information sold or shared:

> The consumer exercises their choice by affirmatively choosing the privacy control [...] including when utilizing privacy-by-design products or services.

Maybe, in other cases turning on a privacy mode of a "normal" product or service is sufficient to also turn on GPC by default in this mode.

To leave this flexibility we may want to take out section 5.1.

@darobin
Contributor

darobin commented Dec 15, 2022

(None of this is legal advice, just my personal understanding. Ask Mozilla counsel before acting on any of this, etc.)

I think it depends on what you mean by obligations on the browser. I don't believe that the browser incurs any legal obligation from GPC in any jurisdiction that I'm aware of. A browser that wishes to make GPC legally effective may in some jurisdictions need to do more than just send the header. However, in every existing jurisdiction that I am aware of, I believe that turning on Private Browsing would be more than enough to meet even a pessimistic interpretation of the law.

I agree with you that there is a risk that privacy labour could be transferred to people, however I believe that it can be minimised. Again, check with counsel but I believe that at worst showing a "Do you want to sell your data?" prompt at first launch ought to be sufficient.

@SebastianZimmeck
Member

> showing a "Do you want to sell your data?" prompt

A bit of an aside, we tested a UI mockup in an upcoming PETS paper to get a sense of whether people understand GPC (81%) and how many would turn it on (94%). Here is the UI we tested (and some more intricate UI tests are in progress ...):

@AramZS
Contributor

AramZS commented Apr 20, 2023

I would like to say that this is out of scope for the specification and up to the implementer. Browser vendors / extension developers have a better understanding of their users' intent in private/incognito mode than the spec writers and arguably user intent is not consistent across every browser. Different browsers provide different messaging on activation of clean-state browser modes and the activation of GPC in those modes may make sense based on one browser's messaging but not on another and in some cases it may even make sense to present it as an option on activation of that mode, as @darobin suggests. I do not think we need language in the spec to address this.

@AramZS
Contributor

AramZS commented Jun 8, 2023

Different user agents conceive of Incognito mode/private mode in different ways and enable different features. I'm not sure it makes sense to try to dictate a reaction to such a mode at the level of this specification. Can we discuss in the next PrivacyCG?

SebastianZimmeck added the agenda+ label (Request to add this issue to the agenda of our next telcon or F2F) Jun 8, 2023

@AramZS
Contributor

AramZS commented Aug 24, 2023

Some brief notes from the perspective of the meeting about things to add to address this:

Context matters, browsers understand what people want, they try very hard to interpret and there needs to be flexibility on defaults and activation at the browser level. Should make it clear that GPC default settings are based on the user agent or extensions' understanding of how they anticipate their audience behaves. Browser modes' alteration of user state in this signal should be considered based on the accompanying messaging to the browser users. Add in as deeper context around how to make the decisions and expectations. Maybe also an explainer for how this has worked and resources from legal decisions, regulator statements, etc...

@martinthomson
Contributor Author

How browsers interpret user intent or anticipate user expectations is a bit of a science and a bit of an art, but I think that this conclusion is right. We plan to clearly document our rationale for how we interpret various signals and use those to decide to turn GPC on or off. We're happy to share that.

SebastianZimmeck removed the agenda+ label (Request to add this issue to the agenda of our next telcon or F2F) Aug 24, 2023
5 participants