19:59:52 <pili> #startmeeting tor-browser-vision 02/08
19:59:52 <MeetBot> Meeting started Fri Feb  8 19:59:52 2019 UTC.  The chair is pili. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:59:52 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:59:58 <antonela> <- is here too
19:59:59 <pospeselr> o/
20:00:02 <stephw> hii
20:00:10 <intrigeri> ← lurking until my eyes + brain go on strike.
20:00:12 <pili> Let me share the pad I will use to take notes: https://storm.torproject.org/shared/p5Hi-Jm8R5fBzdXSL5CuZbAF84oPlFRgL6qEocyEFfK
20:00:22 <antonela> wow, the room is crowded
20:00:28 <pili> nice to see some people not on the browser team! :)
20:00:38 <pili> (it's always nice to see the browser team people ;) )
20:00:39 <antonela> well, they are :)
20:00:44 <pospeselr> hah
20:01:34 <pili> so, I called this session to try to organise our vision for where the Tor Browser should be in the near future (e.g 2 years time)
20:01:58 <pili> to hopefully help the team get there
20:02:10 * sysrqb is actually here, too (surprisingly)
20:02:32 <pili> we can structure the session with some questions or people can just fire away their ideas :)
20:03:02 <pili> so maybe I'll start with an ice breaker question of why we need Tor Browser?
20:03:12 <pili> (first answer gets a virtual beer)
20:03:40 <stephw> for protection against tracking, surveillance, and censorship online
20:03:43 <antonela> Tor Browser is the interface for freedom
20:03:48 <mcs> To provide and easy and safe way for people to use the Internet
20:03:49 <stephw> to make tor accessible for more people and easy to use
20:03:54 <mcs> s/and/an/
20:04:16 <pili> first🍺 for stephw :D
20:04:22 <stephw> :D
20:04:27 <GeKo> we need it right now
20:04:32 <GeKo> but what about in two years
20:04:32 <isabela> hehe cheers o/
20:04:40 <GeKo> or 5?
20:04:59 <isabela> in 2 years we will need it because there will be more need for using onion services
20:05:03 <isabela> cover metadata
20:05:16 <sysrqb> yeah. will there be other private browsers at that time?
20:05:27 <isabela> yes
20:05:36 <sysrqb> (other browsers that meet the Tor Browser standard)
20:05:38 <isabela> but how many will invest on this type of experience?
20:05:39 <tjr> Unless another browser meets or gets real close to the security goals of Tor Browser; there will still be a need.
20:05:40 <antonela> other private browsers using tor, yes
20:05:47 <GeKo> okay, so do we need it because no one else has caught up?
20:06:01 <GeKo> or do we need it because we want to have an own browser we control and ship?
20:06:07 <sysrqb> +1
20:06:08 <isabela> at TB in 2 years we would still be able to offer specific tor experiences
20:06:28 <isabela> tjr: +1
20:06:40 <antonela> maybe at some point Firefox is secure enough, Tor Browser is usable enough, and both can merge
20:06:53 <isabela> and we can show how we envision things to evolve (like the onion services experience, circumvention experience)
20:07:04 <intrigeri> We need Tor Browser to make consent a possibility on the web. Because people need means to decide with whom they're intimate with (e.g. Google or not? Facebook or not?), who gets to know where they are and when, what they do online, etc.
20:07:29 <tjr> But just because another browser meets Tor Browser's security guarantees doesn't mean it always will. ceding control of the security guarantees by stopping to ship a browser is a risk.
20:08:13 <sysrqb> i worry that the Tor Project is not equipped to be a browser vendor
20:08:15 <isabela> that would need to be a slow process where we also build a way to verify or not if a browser is meeting our standards
20:08:41 <sysrqb> and the resources of TPI can be put toward other application-level privacy improvements rather than concentrating only on a browser
20:09:08 <pili> so are we doing it to provide a measuring yard for other browsers in terms of security?
20:09:59 <tjr> I'll throw out a completely different vector though: Tor Browser could be a monetization opportunity for Tor if we were paid for our searches like every other major browser.
20:10:09 <isabela> pili: a test thing users can test if a browser meets our standards
20:10:37 <isabela> but i think that this might be a thing to start at the end of this 2 years timeline
20:10:57 <GeKo> what might be a thing?
20:11:10 <GeKo> tjr: yes, it could!
20:12:08 * arma1 is here and reading in the background
20:12:09 <isabela> GeKo: work on a way for users to test other browsers - to see if they are following our standards. something like pinoticlick (not sure if it how you write it)
20:12:21 <pili> ok, any other ideas about why we need Tor Browser or shall we move on? :) (although we already moved on a bit)
20:12:48 <tjr> And I will also throw out that Tor Browser is an opportunity for Tor to participate in internet standards as a full fledged member instead of an observer; by being a platform for 'running code'
20:13:03 <pili> +1
20:13:09 <tjr> And vote for change and lodge formal complaints, etc
20:13:49 <GeKo> pili: let's wait a bit because that's one of the crucial things we need to decide at some point at least
20:14:06 <pili> GeKo: fine with me :)
20:14:09 <sysrqb> tjr: yeah, that's something we briefly talked about in Mexico, too
20:14:10 <boklm> even if other browsers come close to tor browser security/privacy, there will still probably be a lot of things we can improve/fix in that domain
20:14:16 <sysrqb> (being more involved in standards)
20:14:20 <GeKo> do we want to become or be an own browser vendor or are we planning not to?
20:14:47 <arma1> geko: i wonder if there is a decision tree you can describe, that pushes you toward one or the other
20:14:57 <arma1> like, "if x happens, we can stop"
20:14:58 <GeKo> because depending on the answer the priorities for the next years are quite different
20:15:18 <intrigeri> GeKo: it's not 100% clear to me what "own browser vendor" means. Is it "not being a Firefox fork"? Anything else?
20:15:18 <GeKo> pushes whom?
20:15:55 <GeKo> ^ arma1
20:16:48 <arma1> geko: you said "do we want to be A or B" and i am suggesting rather than answering that now, it is based on future events, and we can describe the future events that make us pick A, and the ones that make us pick B
20:16:52 <tjr> GeKo: I think where we are currently is "We are not our own browser". The advantages of being our own browser (monetization, standards weight) are only advantages if we pursue them; so to become "our own browser" (which to me, means trying to adapt to use as a user's primary browser) is premature until we are prepared to pursue those advantages
20:18:12 <GeKo> tjr: i agree with that but that's a matter of prioritization
20:18:20 <isabela> tor doing for profit things might be a discussion for a bigger forum no?
20:18:44 <GeKo> so maybe let me give a bit more background where we come from and where we currently are
20:19:00 <GeKo> there was a time without tor browser (yes!)
20:19:12 <GeKo> where we had torbutton to deal with privacy issues on the browser level
20:19:43 <GeKo> at some point it turned out the web grew too powerful and mike created the tor browser project to defend against that
20:20:09 <GeKo> the goal was to provide a private browsing mode taking the network attacker into account
20:20:26 <GeKo> and showing that by privacy-by-design alone this was possible
20:21:05 <GeKo> at the same time we thought it's worth to upstream our patches so that at some day in the future browser vendors would do their job
20:21:27 <GeKo> and provide a "meaningful" private browsing mode for those users who wished that
20:21:43 <GeKo> fast forward to today
20:21:54 <GeKo> the tor browser team is still operating in that mode right now
20:22:17 <GeKo> we provide patches so that at some day in the future other browser will provide the things they should provide
20:22:52 <pili> so I guess the obvious question is: is that where we want to be in 2 years time, or? :)
20:22:58 <GeKo> my question is whether we should change that mode
20:23:02 <arma1> provide not just patches but also a set of principles for deciding what needs to be kept safe
20:23:07 <pili> and what are the alternatives if not?
20:23:29 <GeKo> and say, okay, we see so much value in a browser that we want to provide our own (with own branding, a proper non-private browsing mode etc.)
20:23:43 <isabela> GeKo: i think staying in that mode is just fine - but i want to confirm that this mode includes also things like the experiences we are shaping for users in the browser
20:23:58 <isabela> i see this experiences like patches as well :)
20:24:36 <isabela> to continue this mode for the next 2 years is a fine thing to do imo
20:24:46 <tjr> I would say that This Mode will always relegate Tor Browser to being a user's secondary browser, the thing they use 'on purpose' for a specific scenario rather than the browser they use by default for web browsing.
20:25:01 <GeKo> tjr: yes, i totally agree
20:25:03 <boklm> would proper non-private browsing mode requires operating in a different mode?
20:25:17 <GeKo> and the question is whether we are fine with that
20:25:24 <isabela> hmm
20:25:30 <GeKo> or whether we want to have tor browser as the user's first browser
20:25:43 <GeKo> a real one, not crippled as it is right now
20:25:58 <isabela> hmm
20:26:00 <GeKo> (no history, no tab restoring after restarts etc.)
20:26:07 <sysrqb> from isa's question, i think making usable security and privacy tools are equally important as implementing the necessary internal changes
20:26:09 <tjr> That, I feel, is the crux of this question. And the biggest reason I came to this meeting :)
20:26:20 <GeKo> yeah
20:26:35 <isabela> GeKo: ok
20:26:43 <isabela> i never thought we were doing two different things here
20:26:57 <GeKo> isabela: this is why i wanted to have you at this meeting :)
20:27:17 <isabela> i never thought we were not considering the current work our way into building a user first browser
20:27:42 <isabela> that is why i am saying doing what we are doing is ok because i see us working towards that
20:28:04 <GeKo> i don't think we are right now
20:28:11 <GeKo> but we could do so if we wish
20:28:25 <isabela> what would be different?
20:28:36 <GeKo> but i am not sure whether the tor project should become a browser vendor
20:28:54 <tjr> isabela: For one, we'd keep your cookies around, so you'd stay signed into things.
20:29:26 <antonela> even tor browser users in this room have history enabled in their tor browsers
20:29:33 <sysrqb> tjr: sometimes, right?
20:29:42 <tjr> And then there'd be a bunch of follow-up work and implications around the goal of "Generally, if you want to stay signed into something you will"
20:29:42 <sysrqb> normal tab vs private tab?
20:29:52 <GeKo> i heard about those antonela and i was SHOCKED :)
20:30:03 <tjr> sysrqb: Right in non-Private Browsing Mode.  PBM would discard everything like every browser.
20:30:09 <antonela> i know you were shocked haha
20:30:35 <sysrqb> yeah
20:30:44 <sysrqb> (just clarifying :) )
20:31:04 <sysrqb> i think there are some people who really want a usable tor browser that saves sate
20:31:08 <sysrqb> *state
20:31:29 <GeKo> let me give you a link where arthur thought about that
20:31:31 <boklm> can we not become a browser vendor, and still offer a browser with an option to save state?
20:31:33 <sysrqb> and we're currently straddling that line, between offering that and ignoring it
20:31:33 <isabela> how much this would increase in risk for the user tho?
20:31:41 <GeKo> he could not make it to this meeting, though
20:31:50 <isabela> i wonder who wants this type of feature the most are people with a bit more privilege no?
20:31:55 <GeKo> https://docs.google.com/document/d/1AN4RsNhZW7uqfjDQBAvw3kLFymFBBaDU6lh4YvEzWgY/edit?usp=sharing
20:32:01 <pospeselr> isabela: +1 +1 +1
20:32:09 <isabela> and wonder if tor should try to do it so we become a full browser yet to compete w/ others doing that
20:32:10 <antonela> isabela: yes
20:32:20 <intrigeri> antonela: I'd love to see user research targeted at folks who do use TB as their primary browser. What kind of tweaks we do to make it comfortable enough.
20:32:49 <antonela> that could be interesting intrigeri, custom setups from advanced users?
20:33:12 <intrigeri> antonela: Yes, this could inform this kind of conversations.
20:33:22 <sysrqb> antonela: user research at the next tor meeting :)
20:33:26 <isabela> i would say users that has tb as primary browser
20:33:30 <isabela> not necessary 'advanced'
20:34:11 <antonela> that also, we are talking about people with technical background who made their own risk assessment
20:34:16 <isabela> like how this would affect the pm we met from access now who lives in ethiopia and tb is the only way she access the internet from there
20:34:20 <intrigeri> To advanced users it would be more like "what do you change to make it survivable?" and to others it would be "what's the most painful things?".
20:34:45 <antonela> we will be running something like this in india next week :)
20:34:53 <antonela> will cc you intrigeri to those docs
20:35:03 <intrigeri> antonela: :)
20:35:10 <sysrqb> yay :)
20:36:06 <stephw> we also still want to keep it easiest for the most at risk users though right?
20:36:13 <stephw> so maybe any of these changes would be selected
20:36:15 <stephw> rather than default
20:36:15 <isabela> GeKo: the gdoc link is not working for me
20:36:18 <sysrqb> i guess one question is: when do we think another browser will start providing a similar experience and protections as tor browser
20:36:23 <mcs> certainly one of our challenges is that in some ways we do not know much about our users
20:36:28 <sysrqb> and are we willing to wait for that to happen
20:36:36 <mcs> (so more research is good)
20:36:47 <GeKo> isabela: it works in tor browser for me :)
20:36:53 <GeKo> are you using something else? ;)
20:37:03 <sysrqb> ouch. :)
20:37:05 <isabela> i got one from antonela and is working
20:37:39 <isabela> so my question would be
20:38:06 <isabela> should we go on a direction where we will reduce privacy to provide new features or other usability options
20:38:21 <isabela> or should we invest on creating experiences where there is more privacy
20:38:25 <antonela> maybe we can ask how we can make those things even more secure than default browsers? we talked about that, encrypted bookmarks, encrypted history?
20:38:28 <intrigeri> GeKo: thanks for sharing, that's a good writeup.
20:38:32 <isabela> like onion services without metadata etc
20:38:42 <GeKo> yeah, i think arthur has good points
20:38:46 <isabela> and show how things can be done
20:40:20 <sysrqb> is tor browser a prototype private browser, or is tor browser  browser?
20:40:26 <sysrqb> *a browser
20:40:42 <GeKo> right now it's meant to be a prototype private browser
20:40:58 <GeKo> because we basically cut out a lot and take shortcuts
20:41:06 <isabela> i like most of the points on arthur's doc
20:41:17 <GeKo> at the expense of functionality and usability
20:41:17 <isabela> i think the history thing should be an opted in
20:41:34 <GeKo> it is already as some browser devs show :)
20:41:36 <isabela> but i dont see those different from the current mode we are now
20:41:42 <GeKo> but it's not recommended and not maintained
20:41:47 <GeKo> basically yolo
20:42:05 <tjr> antonela: I'm supportive of that approach
20:42:19 <intrigeri> antonela, tjr: +1
20:42:21 <antonela> me too, arthuredelstein and i talked about all these things multiple times
20:42:35 <tjr> I mean it would be pretty easy to do something like "To retain history, you must set a passphrase you enter at browser start"
20:42:53 <pospeselr> yeah the password-safe like experience seems like it would be a good fit with a browser
20:43:27 <antonela> yep
20:44:01 <intrigeri> isabela: it's not *that* different (it perhaps belongs to the symbolic domain at this point), but I suspect that once a real thing, targeting "making it more realistic that people want to use TB as their primary browser" would, later on, change things a lot, from a product perspective and user PoV.
20:44:11 <pili> so would people agree that in 2 years we want a browser that is the standard for safe and private browsing, whilst being as usable as any other browser out there?
20:44:20 <GeKo> intrigeri: yes
20:44:33 <pili> and is that something that we think is achievable and what do we need in order to get there?
20:45:11 <pili> being as usable as any other browser out there == being the primary browser for X% of users
20:45:26 <intrigeri> pili: 1. ask users who manage to survive "TB as my primary/only browser" already; 2. ask users who tried but gave up; 3. fix what can be fixed :)
20:45:46 <pili> intrigeri: you make it sound so easy :D
20:45:48 <intrigeri> (or 3. realize we can't.)
20:46:13 <sysrqb> i think we'd need to consider changing the "Application Data Isolation" requirement from the design doc
20:46:21 <tjr> I worry that connections through Tor are going to permanently exclude us from "as usable as any other browser"; but that we could at least get better than we are today.
20:46:41 <GeKo> yeah, modulo that
20:47:10 <GeKo> sysrqb: not only that
20:47:35 <sysrqb> yes, true
20:47:42 <GeKo> we might want to seriously think about getting away from the esr cycle e.g.
20:48:25 * isabela has another meeting in 10min fyi
20:48:29 <GeKo> because we get users coming to us saying this works in firefox, your browser is broken
20:48:48 <GeKo> and it turns out this indeed works in firefox, but not in firefox based on esr
20:49:10 <sysrqb> i've heard serious criticism about following esr, too
20:49:10 <GeKo> there are a lot of those gotchas if we want to go that road
20:49:15 <GeKo> yeah
20:49:22 <sysrqb> from a security perspective
20:49:29 <pili> yeah, I was just going to say that we hadn't explicitly said this meeting was going to be an hour long, but maybe we should think about wrapping this up for today and how we want to continue this conversation
20:50:20 <pili> everyone is of course welcome to carry on discussing here :)
20:50:29 <pili> I think we're having a really good conversation
20:50:48 <pili> and I don't necessarily want to stop people from continuing that
20:50:58 <GeKo> it's been an overdue one
20:51:30 <sysrqb> but it's late on a friday, too :)
20:51:41 <pili> (sorry for the scheduling... :) )
20:51:42 <sysrqb> so respecting people's time is important too
20:51:45 <GeKo> for some folks :)
20:51:59 * sysrqb is not talking about themself
20:52:16 <sysrqb> :)
20:52:34 <sysrqb> scheduling a follow up meeting sounds like a good idea, at least
20:52:36 <antonela> hey pili, lets do a second part?
20:52:38 <antonela> yes yes
20:52:41 <isabela> :)
20:52:42 <pili> sounds good to me
20:52:56 <boklm> having an option to keep state sounds very nice, but I think we need to make sure users understand well the risks/threat model with this option before they enable it
20:53:09 <pili> I was also going to say that I think it might be good to distill some of these conversations we've been having today into an email and possibly start a thread on it
20:53:14 <mcs> boklm: +1
20:53:14 <pili> ready for part 2 after GeKo gets back from holidays?
20:53:33 <antonela> boklm: yes
20:53:33 <isabela> would be good to organize the ideas that came out here?
20:53:40 <pospeselr> boklm: yes
20:53:42 <pili> isabela: yup, I would do that
20:53:48 <isabela> tx
20:54:08 <isabela> boklm: +1
20:54:12 <intrigeri> pili: excellent.
20:54:14 <GeKo> pili: sending the result to tor-project would be worthwhile i think
20:54:22 <pili> GeKo: yup, definitely
20:55:08 <pili> any final words from anyone?
20:55:14 <pili> you have 3 minutes ;)
20:55:25 <isabela> thanks for this meeting i think is indeed a necessary chat
20:55:25 <pili> s/you/we :D
20:57:08 <pili> ok, I guess not :)
20:57:17 <pili> thank you so much everyone for taking the time to come and share your ideas today
20:57:22 <antonela> thanks folks! a pleasure as always!
20:57:27 <sysrqb> +1
20:57:44 <pili> I will follow up on monday with a summary and points for discussion
20:57:50 <GeKo> thanks
20:57:56 <pili> and we can take it from there, ready to schedule another session in a few weeks time
20:58:10 <pili> #endmeeting