Add an 'Arbitrary code execution' entry to the Limitations section (authored by Richard Pospesel)
......@@ -196,7 +196,7 @@ In addition to the above design requirements, the technology decisions about the
### 2.4 Limitations
1. **Application Data Isolation**
1. **Application data isolation**
In the past, we have made [application data isolation](https://2019.www.torproject.org/projects/torbrowser/design/#app-data-isolation) an explicit goal, whereby all evidence of the existence of Tor Browser usage can be removed via secure deletion of the installation folder.
This is not generally achievable.
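Review bot: this hunk only changes the heading case from "Application Data Isolation" to "Application data isolation", which is not mentioned in the commit message; it is a sensible change because it brings the heading in line with the sentence-case "Arbitrary code execution" heading added in the next hunk, but it would be worth a line in the commit message so the rename is not mistaken for an accidental edit.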
......@@ -212,6 +212,17 @@ In addition to the above design requirements, the technology decisions about the
Tails is a purpose-built Linux-based operating system which is ephemeral by default, and also supports full-disk encryption for optional persistent storage if needed.
It essentially provides whole operating system level data isolation to its users with a level of confidence unachievable for Tor Browser on its own.
1. **Arbitrary code execution**
In the general case, we must also presume the adversary does not have the ability to run arbitrary code outside of the browser's sandbox.
That is to say, we presume the user's system has not been exploited and is free of malware, keyloggers, rootkits, etc.
For the purposes of our adversary model, we presume that user's operating system is not compromised or otherwise working against the user's own interests.
This assumption is most likely not true in the general case, particularly in the case of the aforementioned for-profit platforms or for computers which the user shares with others.
However, the browser is ultimately just another process running with limited privileges within a larger ecosystem which it has no control over.
We are therefore unable to make promises about the browser's capabilities or protections in such environments.
We would again direct users whose threat model necessitates being unable trust their computer to use the [Tails operating system](https://tails.net/).
## 3. Adversary Model
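Review bot: the new entry contradicts itself between its second sentence and its fifth, and has two grammatical slips. The opening says "In the general case, we must also presume the adversary does not have the ability to run arbitrary code outside of the browser's sandbox", while a few lines later "This assumption is most likely not true in the general case"; the first "In the general case" should be something like "For the purposes of this design" so the two sentences do not use the same phrase to assert opposite things. "we presume that user's operating system is not compromised" should read "the user's operating system", and "being unable trust their computer" is missing "to" ("being unable to trust their computer"). The three sentences from "In the general case" to "working against the user's own interests" also say essentially the same thing three times and could be collapsed into one, which would make the limitation read more like the neighbouring "Application data isolation" entry.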