Engineering

The Can’t Be Evil Sandbox

The Can't Be Evil Sandbox introduces a new privacy model for the web.

Larry Salibra


The web was designed in a way that spreads traces of your data around the web with every web site you visit. When you type an address into your web browser, you have no idea what servers that web site will connect to and who will know about your activity. Today’s web apps are like volcanoes sending plumes of your personal information around the internet with each click.

At New Internet Labs, we believe that the world deserves better. We believe that together we can build a web of apps that respect your digital rights. Software running on your behalf, not laws, regulations or privacy policies, is best positioned to make sure that those apps Can’t Be Evil.

As a first step in that direction, we’ve created the Can’t Be Evil Sandbox. The Can’t Be Evil Sandbox marks a first step towards a new security model for the web and ships as part of the developer preview of our New Internet Extension, a browser extension compatible with Chrome and Firefox. Developers can install the New Internet Extension from source and interested users can sign up here to be notified when it’s available for install from the Chrome and Firefox extension stores. Read on to learn more!

A story about Alice

Let’s follow a successful businesswoman named Alice as she does her accounting with a widely used cloud-based accounting app called EvilBooks. One day she enters a payment she made to Bob. Alice assumes that her transactions are private with only need-to-know employees at her trusted accounting provider EvilBooks able to access them.

Unbeknownst to Alice, the crack development team at EvilBooks has a different idea about privacy. To them, “private” means that other users of the web app won’t see her accounting data on the EvilBooks site if they don’t have her password. Sharing her financial data with “vendors” and “trusted partners” is a-okay.

Building EvilBooks looks something like this: In their rush to ship fast and break things, the EvilBooks dev team includes a bunch of JavaScript libraries served from the CDNs of Unpkg and jQuery from Google. They also include some fonts from Google Fonts and Adobe Typekit. At the request of the marketing team, the dev team pastes in script tags for two different analytics tools and script tags for the product team’s favorite user interaction tracking tools.

When Alice loads the EvilBooks web app, her browser connects directly to these unknown and unseen companies’ servers, downloading and running their code on her computer without her knowledge. That code runs with the same privileges as the app itself, so it can see whatever she does in the app. Not only do these parties have access to the transactions she enters into her accounts, but because she connects directly to their servers, they also see her IP address and browser details on every request, which lets them track things like the location of her home and office, the type of computer or phone she is using and more.

Alice isn’t the only one that’s lost control. The EvilBooks dev team also has no idea what code these third-party servers are injecting into their app. That script tag might have returned an innocent web font loader when the dev tested it, but how can they be sure that their users aren’t being served different code? A key logger, perhaps?

But Alice’s nightmare doesn’t stop there. She is also trusting dozens of other organizations, governments and companies alike, that play a role in the chain of trust that sits between her and her accounting app.

When Alice bought the EvilBooks app, she assumed that EvilBooks would store her transactions in a safe place that only she could access. What she didn’t sign up for is a trust-based relationship with dozens of unknown companies and governments. None of us did!

The web’s security model is broken for users

While there are a number of trust-related issues with the current web, there are two that we’re addressing today. The first is the web’s outdated network security model. It was designed at a time when the internet was a technical curiosity in a trusted academic environment, and it is no longer appropriate for today’s high-value, adversarial, commercial environment.

The current web uses a blacklist model for network security instead of a more secure whitelist model based on the principle of least privilege. Today's web browsers let web apps connect to any server in the world they want unless the user has installed some sort of content blocker that blocks the unwanted connection. This results in a world where a web app can make an unbounded number of connections and ad or tracking blockers are left to guess which ones might be unwanted. It's an unending game of whack-a-mole that can’t be won.

Cookies are bad for you

The second is the tracking technology with the tasty name: cookies. Cookies are another piece of dated web technology that works against both users and developers trying to build a less evil web. A cookie is a small piece of data that a server stores in the user’s web browser. Cookies came from the web 1.0 days, before JavaScript, when application servers needed to track user state across multiple requests; they enabled functionality like being able to sign in to a web app.

The problem with cookies is that the browser attaches them automatically to every request whose host and path fall within the cookie’s scope, whether or not that request has any need for user-identifying information. A cookie that a developer needs for two requests (say, signing in and fetching the resulting session) is then sent along with every image, font, script and API call to that site, thousands of requests after it stopped being useful.
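To make that scoping rule concrete, here is an added example (written for this page, not code from the post or from the New Internet Extension) that models the cookie-matching rules of RFC 6265: a cookie is attached when the request host domain-matches the cookie’s Domain, the request path path-matches its Path, and a Secure cookie is only sent over https. The hostnames and cookies below are constructed for the example.

```javascript
// Added example: which requests carry a cookie once it has been set?
// Models RFC 6265 §5.1.3 (domain-match) and §5.1.4 (path-match); hosts are
// constructed ".example" names, not real sites.

// Default-path rule (RFC 6265 §5.1.4): the request path up to its last "/".
function defaultPath(uriPath) {
  if (!uriPath.startsWith("/") || uriPath.lastIndexOf("/") === 0) return "/";
  return uriPath.slice(0, uriPath.lastIndexOf("/"));
}

// Parse a Set-Cookie header value as sent by a response to setByUrl.
// Only Domain, Path and Secure are modelled; Expires/Max-Age/SameSite are ignored.
function parseSetCookie(header, setByUrl) {
  const url = new URL(setByUrl);
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    domain: url.hostname,            // no Domain attribute: host-only cookie
    hostOnly: true,
    path: defaultPath(url.pathname), // no Path attribute: default-path rule
    secure: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;       // now also sent to subdomains
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

// RFC 6265 §5.1.3: exact host match, or host is a subdomain of the cookie domain.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 §5.1.4: equal, or cookie path is a prefix ending in "/" or at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies in `jar` that the browser would attach to requestUrl.
function cookiesFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar
    .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name);
}

// For each request, the list of cookies that ride along with it.
function attachmentTable(jar, urls) {
  return Object.fromEntries(urls.map((u) => [u, cookiesFor(jar, u)]));
}

// Constructed sample: three cookies set by a sign-in response, then the requests
// a single page load makes afterwards.
const LOGIN_URL = "https://evilbooks.example/api/login";
const JAR = [
  parseSetCookie("session=s3cr3t; Path=/; Secure", LOGIN_URL),               // whole site, https only
  parseSetCookie("api_token=t0k3n; Path=/api; Secure", LOGIN_URL),           // narrowly scoped
  parseSetCookie("ab_test=B; Domain=evilbooks.example; Path=/", LOGIN_URL),  // subdomains too, and over http
];
const PAGE_REQUESTS = [
  "https://evilbooks.example/api/transactions",
  "https://evilbooks.example/static/logo.png",
  "https://evilbooks.example/fonts/body.woff2",
  "https://static.evilbooks.example/bundle.js",
  "http://evilbooks.example/health",
  "https://cdn.example/jquery.min.js",
];
const SAMPLE_TABLE = attachmentTable(JAR, PAGE_REQUESTS);

if (typeof require !== "undefined" && require.main === module) {
  console.log(SAMPLE_TABLE);
}
```

The table shows the point made above: the session cookie is attached to the logo and the font file, which never needed it, while the narrowly scoped api_token only travels to /api paths and the Secure flag keeps both of them off the plaintext request. The cookie set with a Domain attribute leaks furthest of all, to every subdomain and over http. Restricting Path, setting Secure and omitting Domain are the mitigations available within the cookie model itself; the sandbox described later in the post removes the automatic attachment altogether.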

The Can’t Be Evil approach

Version one of the Can’t Be Evil Sandbox takes a first step towards reducing the digital footprint of the web by doing two things: it introduces a new security model for web assets and resources and ends the use of cookies.

Apps that opt in to the Can’t Be Evil Sandbox can only load assets from the origin that is displayed in the user’s address bar (the app origin); scripts, styles, fonts, images and other subresources from any other origin are refused. This is a first step towards our ultimate goal of a new whitelist security model that prevents all network connections by default and only allows connections on a case-by-case basis, based on rules working on the user’s behalf: a Can’t Be Evil terms of service.

Cookies aren’t allowed in the Can’t Be Evil Sandbox. There are more modern mechanisms for storing data in the browser, such as localStorage, that never leave the user’s browser unless the app developer has explicitly written code to send the data. Note that localStorage is readable by any script running on the app origin, so this only helps in combination with the asset rule above, which keeps third-party scripts out of that origin.

Opting in to the New Internet (Extension)

Version one of the Can’t Be Evil Sandbox ships in a developer preview of our New Internet Extension which serves as a testbed for technology that will ship in our upcoming browser.

Existing web apps can opt in to the sandbox by sending the HTTP response header can't-be-evil with the value true. When an app opts in, the extension applies a content security policy to the page that enforces the sandbox rules. Apps that have not opted in are monitored instead: requests that would be (evil) violations of the sandbox rules are recorded.
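The following is an added example (written for this page, not the New Internet Extension’s own code) of the two behaviours just described, and of the whitelist model from the earlier section: for an opted-in response it adds the content security policy, and for any other page it classifies each subresource request against the app origin and tallies the violations. The header name can't-be-evil: true comes from the post; the exact policy default-src 'self' and the report shape are my assumptions, and the hostnames are constructed.

```javascript
// Added example of the sandbox's enforce/monitor split. Pure functions first so
// the logic runs in Node; the WebExtension wiring at the bottom is an assumed
// shape and only executes inside an extension.

const OPT_IN_HEADER = "can't-be-evil";           // header name given in the post
const SANDBOX_CSP = "default-src 'self'";        // assumed policy: only the app origin

// Header arrays are in the WebExtension shape: [{ name, value }, ...].
function isOptedIn(responseHeaders) {
  return responseHeaders.some(
    (h) => h.name.toLowerCase() === OPT_IN_HEADER && h.value.trim().toLowerCase() === "true"
  );
}

// Enforcement: for an opted-in document, prepend the sandbox policy. CSP headers
// combine by intersection (a resource must satisfy every policy), so an app's own
// Content-Security-Policy header, if any, stays in force alongside the sandbox one.
function applySandboxHeaders(responseHeaders) {
  if (!isOptedIn(responseHeaders)) return responseHeaders;
  return [{ name: "Content-Security-Policy", value: SANDBOX_CSP }, ...responseHeaders];
}

// Monitoring: a subresource request is a violation if its origin differs from the
// app origin. Scheme and port count (http:// vs https:// is a different origin);
// data: and blob: URLs have the opaque origin "null" and are flagged as well,
// which matches what default-src 'self' would block.
function classifyRequest(appUrl, requestUrl) {
  const appOrigin = new URL(appUrl).origin;
  const reqOrigin = new URL(requestUrl).origin;
  return { origin: reqOrigin, violation: reqOrigin !== appOrigin };
}

// Aggregate one page load into { thirdPartyOrigin: requestCount }, sorted by origin.
function violationReport(appUrl, requestUrls) {
  const counts = new Map();
  for (const u of requestUrls) {
    const c = classifyRequest(appUrl, u);
    if (c.violation) counts.set(c.origin, (counts.get(c.origin) || 0) + 1);
  }
  return Object.fromEntries([...counts.entries()].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0)));
}

// Constructed sample: the EvilBooks page from the story and the subresources it pulls in.
const APP_URL = "https://evilbooks.example/app";
const SAMPLE_REQUESTS = [
  "https://evilbooks.example/js/app.js",
  "https://evilbooks.example:443/css/app.css",      // default port: same origin
  "https://cdn.example/jquery.min.js",
  "https://cdn.example/react.production.min.js",
  "https://fonts.example/css?family=Roboto",
  "https://analytics.example/collect?uid=alice",
  "http://evilbooks.example/legacy.js",             // same host, wrong scheme
];
const SAMPLE_REPORT = violationReport(APP_URL, SAMPLE_REQUESTS);

// Assumed WebExtension wiring (needs webRequest, webRequestBlocking and host
// permissions in the manifest). Enforce on the main document's response headers;
// monitor every other request against the page that issued it.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: applySandboxHeaders(details.responseHeaders) }),
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking", "responseHeaders"]
  );
  browser.webRequest.onBeforeRequest.addListener(
    (details) => {
      if (details.type === "main_frame" || !details.documentUrl) return;
      const c = classifyRequest(details.documentUrl, details.url);
      if (c.violation) console.warn("sandbox violation:", details.documentUrl, "->", c.origin);
    },
    { urls: ["<all_urls>"] }
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(SAMPLE_REPORT);
}
```

Two caveats for anyone reproducing this: default-src 'self' also blocks inline scripts and styles, so an app that relies on them would have to move them into same-origin files (or the real policy would need to be looser than the one assumed here), and the blocking form of onHeadersReceived used above exists in Firefox and Chrome Manifest V2 but is not available to ordinary extensions under Chrome’s Manifest V3.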

Work with Blockstack app miners

As many of you know, New Internet Labs is the digital rights reviewer for Blockstack’s App Mining incentive program. The App Mining program is an incentive program that distributes money every month to the top apps.


We have already reached out to several app developers in the App Mining program and look forward to working closely with them to trial the Can’t Be Evil Sandbox. If we haven’t reached out to you, or you’re not a member of the App Mining program and are interested in working with us to help refine it, please let us know here.

We also plan to propose adoption of metrics from the Can’t Be Evil Sandbox as additional scoring criteria in an upcoming iteration of the App Mining program.

One step closer to a new internet

We all know deep down that the tracking-driven web is broken in so many ways but fixing the issue seems like a daunting task. Today, we’re taking a concrete first step for developers with version 1 of the Can’t Be Evil Sandbox and doing it in a way that is backwards compatible with the existing web.

You can learn more about the New Internet Extension and the Can’t Be Evil Sandbox by reading the FAQ, submit pull requests on Github and install the developer preview from source code. If you’re not a developer and want to try this out on your browser, please sign up here and we’ll let you know when it’s published to the Chrome and Firefox extension stores.
