Something small but potentially significant thing happened in the world of Tor this week: the app has added the security slider from the desktop Tor browser, meaning it’s easier for users to set predetermined levels of privacy without getting bogged down in settings they might not fully understand.
The news emerged in the latest Android version of Orfox to reach the Play Store and The Guardian Group’s GitHub repository, version Orfox-1.4-RC-3 running on mobile Firefox 52.2.0.
Since the Orweb app was shuffled into retirement in 2015, Orfox’s beta has been the browser the Tor project offers to Android users to access the network, in conjunction with the partner Orbot proxy client on which it runs.
From its earliest days, the point of Orfox was to offer the same privacy that Tor users would get from the Project’s desktop browser – but without making configuration a chore.
In other words, there’s not much point offering a high level of privacy if the app is difficult to configure – and if it’s hard to configure, it can leave users exposed.
However, the Tor developers haven’t really known how users configure the browser because the browser doesn’t collect data on how users interact with it.
Nevertheless, after old-fashioned testing with a small group of users, says Tor:
This was the first time Tor did a full development cycle following UX best practices.
“UX” stands for user experience, and Orfox’s solution to making it easier for users was to turn the settings question into a simple slider with three settings: “standard”, “safer” and “safest”.
You could argue this is just a re-badging of the old “high”, “medium” and “low” labels in which JavaScript and HTML5 video become tap-to-play and HTTPS Everywhere and NoScript are the default as users opt for the two higher settings (the downside being higher settings break some websites).
But the adoption of UX best practice principles bodes well as Tor tries to turn Orfox into something with mainstream appeal.
Why does this matter? Mostly because it underlines how Tor is on the cusp of moving from being an anonymity network used mainly by desktop users to one dominated by mobile.
By some measures, 2016 was the year that mobile web traffic exceeded that from desktops for the first time, especially in the developing countries that could one day be Tor’s heartland. These are also countries full of older Android versions, which explains why Orfox maintains compatibility as far back as v4.1.
It’s tempting to try and hunt for differences between the desktop Tor browser and Orfox – but that would be to miss the point.
The security risks of using Orfox aren’t inside the app itself or even the possibility of it being compromised from the Android side – it’s the big bad web that’s the worry.
Mobile users gravitate towards online services that ask them to log in. The minute people do this it’s game over for anonymity, even if ad tracking is reduced. That’s not perhaps how people use Tor but it’s how a lot of people use the web on mobile – and indeed, Android is a prime enabler.
Resistance isn’t futile by any means, but we must understand that software alone can’t shield us from a world stripped of privacy.
