As we choose priorities for the next version of Firefox’s features and development, the Firefox team has been considering the state of the web and looking for areas where online content has changed faster than browser functionality. One area of concern is the growing use of private user data, especially by advertisers. User data being silently and persistently passed between sites and advertisers is disturbing for those with an interest in user choice and transparency on the web.

Privacy vs. Security

Privacy and security are related but distinct topics. Security refers to the prevention of material harm to the user. Avoiding theft, fraud, and data loss are all security issues. Browsers have been working to improve security for decades, prompted by increasingly sophisticated viruses, malware, and other exploits.
Privacy is a broader topic than security. It refers to users’ control over what they reveal about themselves online, whether or not what they reveal might lead to material harm. All internet users reveal some information about themselves to some sites, but the user has privacy if his discretion determines what information is shared with whom.

Firefox has Local Privacy but Needs Network Privacy

The Firefox team has already done some great work on local privacy with improvements such as Private Browsing mode, Clear Recent History, and Forget about this Site. These features give users better control over when their data is exposed and hidden on their own computer. However, wider privacy issues surface when data is shared over a network.

One major problem of the modern web is the ability for private user data to be collected by advertising companies via third-party cookies.

If sites provide rich interaction, they usually require user data. The problem occurs when users willingly share data with a site they trust, but unknowingly their data is shared with other sites and companies via third-party cookies. This is common practice and a growing revenue model online. It first received national attention in November of 1999, when the Federal Trade Commission held a workshop on online profiling and reported that it presented a privacy concern to consumers. The practice has grown since then, despite some failed attempts at regulation by the US’s Federal Trade Commission, the Interactive Advertising Bureau, and Britain’s Office of Fair Trading.

Any website you visit can contain ads and other components that send cookies from your browsing session on the domain you trust to an advertising domain. These third-party cookies can be used to track information about users across multiple sites and multiple browsing sessions, allowing web habits to be profiled and tracked. This data can tell companies limitless kinds of information, such as what purchases you make, what news you read, your income, if you’ve applied for work, and what dating sites you prefer. One manifestation of this data sharing is seeing to ads targeting users based on data and actions from other sites.

The ability for advertisers to gain and use this data violates user privacy for several reasons:

  • It’s nearly impossible to detect. Much of the data-sharing happens in the background during a browsing session without asking or notifying the user. Users usually only discover what has happened when they are seeing targeted ads (long after the data has been transferred).
  • It occurs without user consent. Of the sites that are even aware of third-party cookie sharing, few give users control over how their data is shared with advertisers. Sites that do offer preferences sometimes phrase them in ways that disguise their purpose, such as “do you want relevant content to be shown based on your usage” rather than “do you want ads to be shown based on your personal data.”
  • It contradicts the user’s reasonable expectation of privacy. Some sites that knowingly share data present a false image of being responsible with user data. They may show the user preferences that imply control, assure users that their data is “safe,” or offer to let users read a lengthy privacy policy in order to hide their actual practices. Of course there’s a very special hell set aside for sites that change privacy settings to be more permissive once users have already signed up and entrusted their data.
  • It’s nearly impossible to prevent. Even a user who is privacy conscious and reads all privacy policies, keeps his privacy settings up to date, and avoids sites that don’t guarantee privacy isn’t necessarily safe. Any site he’s given data to could potentially use it without asking, and third-party cookies could be sent via ads and web bugs without the knowledge of the site’s owners. Heck, any site could be scraping identifiable information from his digital fingerprint.
  • It potentially embarrasses the user. Data sharing via third-party cookies takes information given by the user at some point in time and exposes it at another time. While the user may be discrete about where he is viewing certain content and even use Private Browsing Mode for items to not appear in history, advertisers using third-party cookies can expose user actions at times out of the user’s control.

So what can Firefox do to improve its story on privacy?

1. Provide intelligent defaults for third-party cookie behavior

Simply disabling third-party cookies isn’t the solution. Third-party cookies are necessary for legitimate web functionality such as embedded content, session management, mashups, etc. Most bank websites depend on third-party cookies for functions such as bill paying. The goal should not be to outright disable third-party cookies, but to be more intelligent about what behavior is allowed.

The http-state working group is currently working to produce a specification in multiple documents to lay out how clients should behave with regard to cookies (see current drafts here). Dan Witte, the cookie module owner at Mozilla, has been in communication with them and is doing his own work to develop a modern cookie standard. The goal is to create a guideline that Mozilla can follow that aligns with our Manifesto to protect user choice on the web. Dan’s already working on one way Firefox could address the problem by enabling third-party cookies, but only temporarily. His idea is to keep third-party cookies active only for the life of one tab. When the tab is closed, the cookies are deleted – advertisers could not track users from site to site. Dan will be blogging about this later with more details on his work.

2. Give users better control over how sites can access their information in Preferences

Currently, Firefox gives users precise, fine-grained control over the many ways that sites can access user data. All the user needs to do is change their on each Preference panel that effects site privileges:

As can be seen above, the current Firefox interface gives each site privilege type – saving passwords, cookies, etc – its own separate preference window. This design is framed around the implementation model rather than the user’s mental model, meaning it’s designed in a way that corresponds with how it was built rather than how users perceive the action they want to take. Having an individual window for each permission makes sense from an implementation standpoint, because each site privilege is separate in code. From the user’s perspective, however, it’s impossible to tell what privileges a particular site has. A better design would present controls in a site-centric rather than technology-centric view. If a user decides that he doesn’t trust site X and doesn’t want it to have any access, it would be more efficient to control all of site X’s access in one – not 15 – Preference windows. Alex Faaborg made this mockup to illustrate how a site-centric UI could be achieved:

While all of Firefox’s Preferences need to be improved, including site-centric privacy controls like Alex’s above for Firefox 4.0 would go a long way towards putting users back in control of their data.

3. Give users better control of their data while they are browsing

While a site-specific Preference panel will help users have better fine-grained control of their privacy when they’re configuring Firefox, there’s some options and information that can be exposed while the user is browsing. If a site has access to geolocation, for instance, this should be constantly indicated in Firefox’s interface. If a site is storing a password, this should be easy to change or remove without opening Preferences. Firefox’s Site Identity Button, which currently gives very little information about a site, could be improved to give information about a site’s privileges and the ability to change them.

It’s our goal for Firefox 4.0 to give users more control of their data, both by literally giving them controls and, more importantly, creating intelligent defaults that protect a user’s privacy and anonymity without breaking web functionality. It’s my hope that even simply exposing what access sites have to data will be positive for the web by eroding the sense of false security that many sites try to create for their users and creating awareness of and control over how, where, and when data is being shared.

Nothing sucks on the web like not being able to go to the site you want. Page not found and 404 errors are an inconvenience that entirely halt your workflow. What’s worse than not being able to access a site is not being given relevant information to fix the problem. When users are presented with an error message, they tend to do whatever will make the error go away to get back to their task. Page not found errors can’t be dismissed, because they’re shown instead of the content wanted.

What creates an added level of frustration is not being given information on what the problem is. When users get a Page not found error, they likely have two questions in mind:

  1. Is this problem on my end, or not?
  2. If the problem is on my end, how can I fix it?

These are questions that have been hard for browsers to answer. Currently, Firefox’s network error pages aren’t incredibly useful. They’re certainly not as useful as Chrome’s, which use Google Link Doctor to find possible matches both for subdirectories and domains. That won’t necessarily tell the user if the problem is on their end or not, but it will help if the problem is a typo.

So how could a browser tell users if the problem is on their end or not, without infringing on their privacy? One project that currently takes a stab at this is Herdict, which Johnathan Zittrain’s been working on at Harvard University’s Berkman Center for Internet and Society. What Herdict does is let computer users tell the “herd” – via a Firefox extension – what sites are accessible. The aggregated data can tell if a site is down (because no one can access it), or blocked by a firewall (because only some people can access it), or likely on the user’s end (because everyone else can access it). Not only does that answer the question of “is this problem on my end,” but it may start to answer questions like “is this problem only experienced by my country, network provider, or device?”

Useful stuff! Does it have a place in the browser, and specifically in Firefox? I think that getting and submitting anonymized data should have an increased role in the browser, and especially where it promotes transparency and information to the user. Mitchell Baker has been writing about data, and how Mozilla could be treating aggregated, anonymized data as a public asset that should be freely available. Especially in situations where sites are being blocked and censored, giving users knowledge of the situation seems to align with Mozilla’s goals of transparency and viewing the web as global public resource that must remain open and accessible.

One way something like Herdict could be incorporated is through those Page not found errors. If there were an option on these to submit anonymized data, we could build a pretty accurate view of accessibility information for a website and share it. Allowing users to submit data when there’s a problem is something many programs do already – especially for crashes. This is good design; it makes users feel better by registering the annoyance they feel as a useful data point to developers. Here’s some sketches of what it could look like to incorporate Herdict’s aggregated accessibility data with these error messages:

1. No available information on a site:

2. Site is blocked due to local firewall:

3. Site is down for a country:

4. Site is down for everyone:

Watching live video online is generally a great experience. It’s a way to watch important world events without a TV, a way to view with friends without syncing, and still the best way to see a shuttle launch naked.

But online live video could be improved. For instance, there’s usually no way to rewind video to see a clip again, nor a way to pause and watch video from where you left off.  In fact, current implementations of live video have very few features – usually they are adaptations of regular video controls, but with non-interactive elements such as stationary or removed timelines.

2_other_live_player_examples

We think users would benefit from the ability to pause and go back in live video by keeping some amount of the video buffered.  However, this presents a few design challenges:

  • How to visually represent when the user is “live” vs. viewing buffered video
  • How to visually represent the amount of video in the buffer
  • How to make it easy for the user to jump between live and buffered video

Limi and myself did some brainstorming to develop ways to present this functionality. Below is an idea we had that we’d love feedback on. It’s based on the idea of a “live mode,” which users can enter and exit via the video controls. By default, the user begins in live mode (the box on the right of the timeline). As the user watches the live video, the timeline to the left encompasses how much video has been buffered. So, after one minute the timeline represents one minute in length, and after two minutes it represents two minutes. To give an indication of how much time the bar represents, ticks marking minutes will scroll left as the video plays. Clicking the live mode button or moving the slider back to the live point puts the user back in live mode.

3_live_mode_player

However, eventually the video will reach the maximum that can be buffered. For the purposes of these mockups, we’ll say that 10 minutes is the limit. After the video plays for 10 minutes, the beginning of the video is dropped and no longer accessible. The user sees this as the 0:00 mark disappearing from the timeline, and higher time markers continuing to scroll left.

4_live_mode_player_with_buffer2

If the user pauses the video, he exits live mode and the slider moves off of the live mode box. A visual indication will show that the video is no longer live – perhaps by fading the live mode and/or changing the shape and color of the slider. As the video is paused, new live video will be buffered and old video will continue to be dropped, moving the paused slider and the timeline left.

5_slider_moving_backwards

Once the slider has moved back 10 minutes, the new video is no longer buffered: only the ten minutes immediately after the pause is stored. This is so that when the user returns, the video will play from the point they left off and not the somewhat arbitrary 10 minutes before the live video. At this point, the buffered 10 minutes and the live point are no longer connected – a visual indication such as a break of the timeline will indicate this.

7_slider_break

So, what do you think?  Was this difficult to understand?  It’s a bit of a shift from commonly understood video control interaction, but I think it may be intuitive once users play with it.  I’ll be eager to find out.

You can read more about our progress in the wiki.

P.S. This is the first blog post I’ve made in awhile, but unfortunately for you I’m going to be posting a lot more frequently, starting now.  Please don’t cry, they won’t all be this long.

As many of you know, Dão Gottwald has been working for awhile on his Ctrl-Tab add-on. Ctrl-Tab has two parts: a filmstrip that allows the user to quickly jump to recently used tabs, and a tab preview mode. These features have been widely used, and lately we at Mozilla have been working to give them a home as a Firefox feature.

Dão and I have been working on the design of a feature based on Ctrl-Tab, while Dão has been building patches. We’re happy to announce the filmstrip of recently-viewed tabs landed today and will show up in tomorrow’s nightlies as a new Firefox feature: Control-Tab.

Since this change will affect current Firefox users’ workflow, I want to describe briefly how Control-Tab works, why it is being added, and what changes you’ll see.

How does Control-Tab work?

Pressing Control-Tab in Firefox will bring up a filmstrip view of your recently visited tabs. Pressing Tab repeatedly with Control held down will cycle through thumbnails of the tabs you’ve visited in order, with each press of Tab going one thumbnail back in time.

Why Is Control-Tab being added?

  • Fast Switching between Tabs. Control-Tab will show thumbnails of the last tabs you have visited in the order you have visited them. This means that if you’re on Site A, pressing Control-Tab will take you to Site B that you last visited. Pressing Control-Tab again will take you back to A, and again to B, etc. This is useful if you need to quickly flip between two tabs that aren’t next to each other and makes it easier to carry out tasks which require multiple tabs.
  • Visual Navigation. Control-Tab shows thumbnails of your previously used tabs, so finding them by sight is fast. This is especially helpful if you’ve opened up so many tabs that some are obscured.

What’s going to change?

Pressing Control-Tab will no longer open the next tab (Control-PageDown still will). We know that expert users are used to this shortcut, and changing it will mean an annoying adjustment.  However, we’re creating Control-Tab because we feel the benefits it offers are greater than the drawback of having to adjust your workflow.

Control-Tab is a first step towards increased visual navigation and content organization features, and we would love to hear what you think. Usage and feedback of Control-Tab will help guide future designs and features, so please leave a comment here or in the forums to tell us your opinion.

The release of Firefox 3 has happened, and there was much rejoicing. And now, our sights are set for Firefox 3.1 and beyond.

As I wrote in a previous post, a lot of people’s sights are on better ways to incorporate visual navigation into Firefox (see posts from Madhava, Aza, Bryan, and Andy.)

Some ways of incorporating visual navigation are relatively minor and would actually bring more consistency to the Firefox interface, allowing the same navigation for tabs as already exist for bookmarks and tags. Two of these are:

  1. Awesomebar results giving indication if an item is already opened in a tab (see Madhava’s post )
  2. Tabs shown in the sidebar, and thus easily scanned, deleted en masse, and grouped by characteristics such as domain and frequency of visit

Another quick way to add visual navigation to content is to expand tooltips to include information such as thumbnails.

These changes are fairly basic and nondisruptive to the current workflow. However, more substantial ways of browsing content could pay off in increased efficiency online.

In brainstorming what some of these could be, I thought about the drawbacks of the current system of tabbed browsing. One problem is that tabs are displayed linearly, while the tasks they contain can be sprawling and nonlinear. In the following sketch, the user is visiting five domains, but the tab structure gives no visual indication of the link between the tabs other than the favicon and title:

Being able to group open tabs by domain is one way to address this problem. In the following sketch, based on an idea by Jay Sullivan, the user clicks and holds down a tab. This produces a drop-down menu which shows all tabs open for that domain. This interaction mirrors the operating system method of seeing all windows open for a particular application in that application’s menu.

Another way to bring visual navigation to Firefox would be to expand the metaphor of the desktop and bring its interactions into the browser. The current Firefox library is similar to an OS file directory, but with none of the visual navigation that OSes do well. Allowing the user to navigate their library visually would draw on a familiar metaphor, give visual navigation only when needed, and perhaps ease users into the browser and desktop beginning to merge. Certainly one could imagine dragging a “file” from the Firefox library onto the desktop, turning the item into a web application.

As always, more details are in the wiki and comments are very welcome!

Hello!

May 21, 2008

I’m Jennifer Boriss, but I go by just Boriss. Two weeks ago I started work at Mozilla as a user experience designer. I’ll be working alongside established superheros Mike Beltzner, Alex Faaborg, Madhava Enros, and Aza Raskin to make the Firefox the best online experience possible.

I’m joining Mozilla at an interesting and exciting time. The much anticipated Firefox 3 will arrive soon, and its first release candidate was released on May 17. The response to RC1 so far has been overwhelmingly positive, and deservedly so. Firefox 3 is a solid, excellent product, and everyone here and in the community is very thrilled to see it out the door. The Firefox 3 release is the latest in a long series of exciting events to happen at Mozilla. Ever since Firefox 1.0’s release in 2004, it’s been steadily gaining users in almost every country. Today, Firefox enjoys over 16%[1] market share online (28%[2] in Europe), and this is only growing. Fairly impressive, considering IE held 95%[3] of the market at Firefox 1.0’s release.

Like many, I found the success little open-source browser that could very exciting. Beyond the fast, clean web experience, the collaborative and open nature of Firefox’s development is exciting as a model for achieving projects online across many countries. And also like many, I found the previous lack of choice in browsing and the poor user experience of Internet Explorer disturbing. If the internet is the new medium of information, business, and communication, the experience of its users is too important to be entirely written by Microsoft. This is why I joined Mozilla and am pumped about what’s to come.

This is a formative time for Mozilla, but also the internet as a whole. The nature of the browser and online experience will go through a series of important changes – evidenced in part by the hype of web 2.0 and more recent development of rich internet applications. How we access and create content is still shifting and being rewritten. While no one knows the precise direction the internet will take, we can set broad goals and work through advancing technology to achieve them. My focus is on user experience, so some possible goals could be:

  • Accessibility and freedom of information
  • Protection of the user’s privacy and data
  • Ease of content access and creation
  • Ability to customize one’s personal online experience
  • A positive online experience for any task from work to leisure
  • These are fairly broad goals, and I surely don’t know all the specifics of how we should achieve them. And, given the number of very passionate Firefox users, the task of improving the user experience is a bit daunting. If Firefox were a poor product, this job would be easy. As it is, Firefox already has what I consider an excellent user experience, and I know the risk of fixing something that isn’t broken – I won’t do it lightly. That’s why I’m hoping this blog will be more of a conversation than a monologue. I’ll use it to post ideas and designs for Firefox, and hope that people will comment. I welcome all feedback, especially negative. After all, my job at Mozilla isn’t to implement my own personal visions, but rather to be an advocate for the users. So rant, rave, complain, tell me what makes your grandmother angry, whatever – let’s start the conversation.