Open Bug 1325271 Opened 5 years ago Updated 3 years ago

[meta] Synced data remains on device after signing out

Categories

(Firefox :: Sync, defect, P3)

defect

People

(Reporter: ryang, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: meta)

Attachments

(1 file)

The recorded password will automatically appear after the user has already disconnected their account and only typed the previously existing email,
if the user has chosen to remember the account email and its corresponding passwords.
Just a note that I think this behaviour is common to all types of synced data - disconnecting the sync account doesn't remove any data that has been synced to that device.
CC'ing Ryan Feeley who's been working on a lot of the UX for sync
I do not really understand what the problem is. If the password was saved previously then it will be auto-filled, logged in or not. Sync just adds the capability to sync the passwords to other devices.
To me the real problem is the "show" password function.
I was about to file something related to this on desktop. On desktop, I realized that when you disconnect your account, your passwords continue to get auto-filled in forms.

Mobile devices are less likely to be shared than desktops but they both bring up the question of what would we like the behavior to be when a user disconnects a device and can we give users a choice? Perhaps more importantly, what behavior does the user expect when they disconnect their account?

CC'ing :rfkelly who's fxa lead and :grisha who's fxa+sync mobile lead
See Also: → 1248765
Alex: see Bug 1162778 and friends.

(Bug 1183693, Bug 1292565, and Bug 1162778 Comment 6 link to some history.)

We've spent quite a lot of time thinking about the UX for this, and the basic conclusion is: we can't guess what the user wants, so we have to ask.

Some things they want, like "undo the changes made by logging in!" are impossible, of course, but we can offer to wipe.
See Also: → 1162778
To reiterate some points here, we have seen users sign out in order to:

- Turn off syncing while they travel. 
- Debug crashes. 
- Sign in temporarily to another account in order to clone their data. 
- Fix their bookmarks. 
- Restore from backup. 

and more besides.

Furthermore, Sync is not a complete copy of your local data, and without a local saved copy of the FxA password, getting back to any server-kept data is not guaranteed. 

For those reasons, it doesn't make sense to automatically discard anything when signing out. We can offer, but we need to make it very clear that the user needs to remember their FxA password, and will lose any data stored on the device. 

An additional security note: deleting data doesn't delete it. There will still be ghost data in places.sqlite and on the file system, so be careful about the guarantees made.
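The ghost-data caveat above, as an added illustration that is not code from this bug or from Firefox: a throwaway SQLite database stands in for places.sqlite (the table is a simplified stand-in for moz_places, not its real schema, and the URL is a constructed marker), showing that a plain DELETE can leave the deleted row's text readable in the raw file while `PRAGMA secure_delete` plus `VACUUM` removes it.

```python
"""Constructed example: does a deleted SQLite row survive in the raw file?
A throwaway database stands in for places.sqlite; the table is a
simplified stand-in for Firefox's moz_places, not its real schema."""
import os
import sqlite3
import tempfile

# Constructed marker URL, distinctive enough to search for in the raw bytes.
MARKER = "https://example.invalid/ghost-row-marker-7f3a"


def residue_present(path: str, needle: str) -> bool:
    """Scan the database file byte-for-byte, bypassing SQL entirely."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def delete_and_check(secure: bool) -> bool:
    """Insert a row, DELETE it, and report whether its text is still on disk.

    secure=False: plain DELETE, as an application that merely "forgets" a row.
    secure=True:  secure_delete zero-fills freed space and VACUUM rebuilds the
                  file from live content only, so no freed page keeps old data.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "places.sqlite")
        con = sqlite3.connect(path)
        if secure:
            con.execute("PRAGMA secure_delete = ON")
        con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
        con.execute("INSERT INTO moz_places (url) VALUES (?)", (MARKER,))
        con.commit()
        con.execute("DELETE FROM moz_places WHERE url = ?", (MARKER,))
        con.commit()
        if secure:
            con.execute("VACUUM")  # rewrites the file; freed pages are dropped
        con.close()
        return residue_present(path, MARKER)


if __name__ == "__main__":
    print("plain DELETE leaves residue:", delete_and_check(secure=False))
    print("secure_delete + VACUUM leaves residue:", delete_and_check(secure=True))
```

Whether the plain path shows residue depends on how the local SQLite library was compiled (some distributions enable secure_delete by default), so only the hardened path is a guarantee, and even then the file system may hold earlier copies.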
Blocks: 1343269
Duplicate of this bug: 1341735
Making this a kinda central bug for tracking this concept, so we can find it again.
Component: Firefox Accounts → Firefox Sync: Cross-client
Product: Firefox for Android → Cloud Services
Summary: Recorded password will automatically appear after user disconnected its account and only typed previous existing email → Synced data remains on device after signing out
Priority: -- → P3
See Also: → 1392758
Summary: Synced data remains on device after signing out → [Meta] Synced data remains on device after signing out
See Also: → 1302609
Hi everybody, 

I have already shared my opinion about this issue in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1302609

However, what I am seeing here in the conversations is that it is a problem beyond synchronizing. I will try to be very straightforward on the issue.

This seems to be a problem arising from the interaction between the default user profile and the Firefox user account, because when the user is logged in, Firefox does not create a new profile for each newly logged-in user (although it is capable). As the user account is considered an extension of the default user profile, instead of creating a new profile, Firefox is appending the user to the existing profile. So is the information synchronized in the Firefox account. Assume that there are already two extensions in the default user profile; if a Firefox account with 3 other different extensions is synchronized with this default profile, there will be 5 installed extensions in the default user profile and in the Firefox account too. Consequently, neither the Firefox account owner nor the default user profile has privacy, because in this context the Firefox account owner and the default user profile are taken as the same person. As advertised by Mozilla Firefox, the Firefox account is considered to be used on your personal devices, on which the Firefox account owner and the default user profile are the same person.

I think this is a limitation. Apparently accessing your account on others' devices is insecure. I have thought of the Firefox user account as a safe working environment which I can set up whenever I have a Firefox application, not only when I have my own devices. I am not able to create this working environment on any public/shared computer/device.

Frankly speaking, I don't have any idea what it would cost to make such changes in Firefox. Those are my modest opinions as a long-time user of Firefox. It may have been discussed before; if so, please forgive me.
(In reply to Dnelub from comment #10)

> This seems a problem surging from interaction between default user profile
> and firefox user account because when the user is logged in, firefox does
> not create a new profile for each logged new user (although it is capable).

That's right. There are two main ways to approach having persistent data and accounts.

1. Data belongs to a profile. "Signing in" means combining remote data and local data in both places. Signing out leaves the merged data in both places. It's hard to lose data, but easy to merge it if you switch accounts.
2. Data belongs to an account. "Signing in" means getting a copy of the remote data so you can use it. Signing out is an open question: delete the local copy? There are other open questions about how you record data before you sign in, and what to do when you want to sign out but keep your data. It's easy to lose data, and hard to merge it.

The current design of Firefox Sync, and indeed the behavior of other mainstream browsers, is the former. Partly that's due to significant product and technical inertia. Partly it's because users seem to expect their browser data to stick around.

Common account-centric apps, like Instagram and Facebook, follow the latter pattern, perhaps because they 'feel' like services rather than apps, and they don't let you get started without creating an account.


> Consequently, neither the firefox account owner nor default user profile
> have privacy because in this context, firefox account owner and the default
> user profile are taken as the same person. 

If we're talking in terms of examples, here's another: you set up an account for the Firefox you use on your living room tablet, or your video game PC. Six months later you're annoyed at having two accounts, so you want to sign out of one account and sign in to the other, keeping your data. Or you have an old computer and you can't remember your account password, but you want to keep the data on it.


> I think this is a limitation. Apparently accessing your account in other's
> devices is insecure. I have thought firefox user account like a safe working
> environment which I can set up whenever I have a firefox application, not
> only when I have my devices. I am not able to create this working
> environment in any public/shared computer/device. 

Yes, that's a misconception, albeit an understandable one.

Your assumption is that Firefox works like what we call "sign in to browser" -- that when you sign in you get your data, and when you sign out it's gone.

The thing about this design question is that misconceptions and problems can occur in all directions.

* "I signed out of my account and all of my data disappeared, and I don't remember my password! How do I get it back?"
* "I signed in to my account on my friend's computer, but when I signed out my data was still on the disk! Why didn't you delete it?!"
* "Every time I sign in to my Firefox Account, it downloads 50MB of data! Why doesn't it stay on the disk?!"
* "I signed out of my account, but next time I signed in my data was all gone!".
* "I have two accounts. How do I merge the data?"

You _can_ create your intended scenario: open about:profiles, make a new profile, sign in, and delete it when you're done. 

That's not super convenient, and we could certainly alter messaging to make things clearer, but it's not clear-cut that any change we make would be a net win for all of our users. Certainly I'm very leery of any choice that makes it more likely for users to lose their data. It's much harder to build guard rails to stop users from losing data if we were to trap your data in your account, and both approaches have tricky engineering problems.
Keywords: meta
OS: Unspecified → All
Hardware: Unspecified → All
Summary: [Meta] Synced data remains on device after signing out → [meta] Synced data remains on device after signing out
Oh, and another perspective on this: for quite a while our thinking was shaped around guest/user accounts, either in Firefox (Firefox for Android had this feature for several years: temporary profiles!), or in the OS.

The OS won as the method for switching personae. When you're signed in to your Mac you get notifications, calendar invitations and reminders, 2FA pushes, all of your passwords and notes, and your name is at the top of the screen. It doesn't make much sense for Firefox to build its own user account switcher: it's not 1997, with everyone huddled around a Windows machine with a CRT and no OS-level user isolation.

That pattern of behavior might still exist for tablets, and also for computers outside of the affluent Western context, but OS-based secure encrypted user switching is a much better solution than making Firefox a good multi-user system.
Hi Richard 

Thanks for letting me clarify my proposal, but first of all I don't see two contending approaches here because we are talking about two different needs. You may need to use your Firefox account only on devices that belong to you. What about the need of some to access it on others' devices? As a community-driven community, Firefox has always been flexible in solving the problems of users. This is why I believe that the needs of the community will be regarded by developers.

However, I am surprised with questions you have oriented to my proposal. Frankly speaking, I didn't understand why simple problems suddenly become insolvable challenges. 

"Your assumption is that Firefox works like what we call "sign in to browser" -- that when you sign in you get your data, and when you sign out it's gone."

In my proposal for the specific need to use the Firefox account on others' devices, I suggest creating a new profile for each newly logged-in user. In this way, all your customization can be backed up easily. When the user signs out, of course, s/he must be asked what s/he would like to keep on this device. No matter what is kept on the device, it is still not available to any other user of the device because it is kept in a different profile protected with a password.

"I signed out of my account and all of my data disappeared, and I don't remember my password! How do I get it back?"

Your data won't disappear unless you remove your profile from this device. If you don't remember your password, the present system has already solved this question: by email!

"I signed in to my account on my friend's computer, but when I signed out my data was still on the disk! Why didn't you delete it?!"

This is what I am saying. Why doesn't Firefox help me to delete the data uploaded to the device by me?

"Every time I sign in to my Firefox Account, it downloads 50MB of data! Why doesn't it stay on the disk?!"
"I signed out of my account, but next time I signed in my data was all gone!".
"I have two accounts. How do I merge the data?"

I don't think these are serious questions which developers cannot overcome. Within the present structure of Firefox, these questions have already been solved.
(In reply to Dnelub from comment #13)

> However, I am surprised with questions you have oriented to my proposal.
> Frankly speaking, I didn't understand why simple problems suddenly become
> insolvable challenges. 

In short, and with the greatest respect, I think this situation is more complex than you understand it to be.

For example:

> No matter what is kept on the device it is still not available to any
> other user of the device because it kept in a different profile
> protected with password.  

That's simply not the case: the owner of the device has full access to all Firefox profiles. They're not protected by a password. Your bookmarks, history, form autofill data, etc. are all stored in cleartext on disk.

The only mechanism that avoids this, if you trust the hardware, is to use a different OS user account when you sign in to Firefox. You can already do this today.

If you're proposing that Firefox offer a sign-in feature that only exposes your data within Firefox when signed in, and protects it from the owner of the device when you're not, then you're talking about a fundamental change to how Firefox stores data. Doing this in a cross-platform way isn't easy.

You're also talking about a sign-in experience that's fundamentally new, with consequences throughout UX and engineering and across platforms. Should guests be able to sign in to Firefox on iOS or Android?

Can you sign in to your profile when your laptop is offline?

What happens to your local data -- particularly the local data that doesn't sync! -- when you change your Firefox Account password on another device?

I'm personally a big fan of the concept of sign-in-to-browser, and I'd love for us to get to that point… but I'd be lying if I said it wasn't a large, complex, and expensive change to consider.
I have to address my question to the community. Are you really content with the responses of Richard? Is he not sounding very aggressive? I don't think I am able to keep on with the discussion in that mood.

Last but not least, please inform Firefox account users explicitly that the Firefox account must not be used on others' devices because it is not made for this purpose.

thanks
Hi dnelub,
You bring up a lot of excellent points. While the ideal solutions might be really complicated (as Richard pointed out), there might be some small/medium sized UX improvements to make this better.

- We already warn users on desktop if they are going to merge their account with a computer that was previously syncing with another account. This warning could be exposed if there is data already present on the local browser (even if no other account was previously syncing).
- I will make sure that this warning is also visible on Android and iOS (I can't recall if we are doing it there)
- Next, I think that after a user signs out, we could notify users that the data will not be deleted from the local browser and offer them the option to wipe the data from the device. This transparency should avoid some unwanted experiences.
- Finally, although a little harder to do but still easier than the architecture overhaul, we're exploring the idea of allowing users to access their content via the web so that when they are at a friend's house or travelling, they don't need to do a full sync to Firefox to access their data. This isn't currently scheduled to be worked on but closely aligns with other projects we are currently planning, so hopefully this will be more in reach in 2018.

I thank you for the suggestions and hope we can improve this part of the user experience as much as possible at the start of the new year.

Let me know if there are other UX experiences that could be improved around this. Perhaps my suggestions will spawn new ideas. :)
(In reply to Alex Davis [:adavis] [PM FxA+Sync] from comment #16)

> - Next, I think that after a user signs-out, we could notify users that the
> data will not be deleted from the local browser and offer them the option to
> wipe the data from the device. This transparency should avoid some unwanted
> experiences.

We actually already do that on iOS, at least; not sure about other platforms.
See Also: → 1409206
See Also: → 1409208
See Also: → 1409209
See Also: → 1409211
See Also: → 1183693
Depends on: 1409208
See Also: 1409208
Duplicate of this bug: 1431634
Component: Firefox Sync: Cross-client → Sync
Product: Cloud Services → Firefox