The Can’t Be Evil Sandbox

The web was designed in a way that spreads traces of your data around the web with every web site you visit. When you type an address into your web browser, you have no idea what servers that web site will connect to and who will know about your activity. Today’s web apps are like volcanoes sending plumes of your personal information around the internet with each click.

At New Internet Labs, we believe that the world deserves better. We believe that together we can build a web of apps that respect your digital rights. Software running on your behalf, not laws, regulation or privacy policies, is best positioned to make sure that those apps Can’t Be Evil. As a first step in that direction, we’ve created the Can’t Be Evil Sandbox.

The Can’t Be Evil Sandbox marks a first step towards a new security model for the web and ships as part of the developer preview of our New Internet Extension, a browser extension compatible with Chrome and Firefox. Developers can install the New Internet Extension from source, and interested users can sign up here to be notified when it’s available for install from the Chrome and Firefox extension stores. Read on to learn more!

A story about Alice

Let’s follow a successful businesswoman named Alice as she does her accounting with a widely used cloud-based accounting app called EvilBooks. One day she enters a payment she made to Bob. Alice assumes that her transactions are private, with only need-to-know employees at her trusted accounting provider, EvilBooks, able to access them.

Unbeknownst to Alice, the crack development team at EvilBooks has a different idea about privacy. To them, “private” means that other users of the web app won’t see her accounting data on the EvilBooks site if they don’t have her password. Sharing her financial data with “vendors” and “trusted partners” is a-okay.

Building EvilBooks looks something like this: In their rush to ship fast and break things, the EvilBooks dev team includes a bunch of JavaScript libraries served from the Unpkg CDN, plus jQuery served from Google’s CDN. They also include some fonts from Google Fonts and Adobe Typekit. At the request of the marketing team, the dev team pastes in script tags for two different analytics tools, along with script tags for the product team’s favorite user interaction tracking tools.
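
To see how many parties a page built this way brings into Alice's session, the following added example (not code from the original post or from New Internet Labs) inventories the third-party hosts her browser would contact on page load. The HTML is constructed, the analytics and tracking hosts are `.example` placeholders, and `third_party_hosts` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for the fictional EvilBooks app. The analytics and
# tracking hosts are placeholders (.example); the page names no specific tools.
PAGE_URL = "https://evilbooks.example/ledger"
PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="https://use.typekit.net/abc1234.css">
<script src="https://unpkg.com/some-library/dist/lib.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://cdn.analytics-one.example/a.js"></script>
<script src="https://cdn.analytics-two.example/b.js"></script>
<script src="https://tracker.example/record.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

# Tag -> URL attribute fetched on load (every <link> is counted, whatever its rel).
FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class OriginInventory(HTMLParser):
    """Collects, per third-party host, the tags that make the browser contact it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname  # exact host match only
        self.third_party = {}  # host -> list of tag names

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCHING.get(tag, ""))
        if url:
            # Resolve relative and protocol-relative URLs against the page URL.
            host = urlsplit(urljoin(self.page_url, url)).hostname
            if host and host != self.first_party:
                self.third_party.setdefault(host, []).append(tag)


def third_party_hosts(html, page_url):
    parser = OriginInventory(page_url)
    parser.feed(html)
    return parser.third_party


if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(PAGE_HTML, PAGE_URL).items()):
        print(f"{host:32} {', '.join(tags)}")
```

This only counts hosts named in the static markup; any script it lists can contact further servers once it runs, so the real set is at least this large.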