Google Chrome 76 is limiting how you can be tracked in its Incognito Mode. But that doesn’t mean you’re not being tracked at all
The icon is a detective style hat and glasses, the colour scheme is moody, and many think that entering Google Chrome’s Incognito Mode is like slipping under a cloak of invisibility. Yet it turns out that this is hopelessly misguided. Despite the long-known fact that Incognito isn’t truly anonymous, new research has re-emphasised that Google and other web browsers are still tracking you in privacy mode, even on the most sensitive of sites.
A forthcoming research paper, set to be published in the journal New Media & Society and first reported on by the New York Times, saw researchers scan 22,484 porn websites. They found 93 per cent of them housed trackers sending information to an average of seven third party domains. While this may be startling many people, incognito has always made for an inadequate privacy tool.
“Private modes in web browsers were never designed as a general privacy fix,” says Lukasz Olejnik, independent cybersecurity and privacy advisor, as well as research associate at the Center for Technology and Global Affairs at Oxford University. “In practice, they offer very little.”
The modes are short-term options that can limit what’s recorded on one machine – not an all-encompassing way to be private online. The main functionality of incognito mode is not saving cookies or browser history on the hard disc, meaning that private browsing sessions are isolated from normal ones.
Third party tracking is generally achieved by websites storing cookies on a visitor’s hard drive. Cookies are generally used to track repeat visits from the same user, and build up a profile that’s used to serve ads. In incognito mode, your data is tracked in exactly the same way as normal mode. “The difference is that in ordinary circumstances, trackers are unable to link a “private browsing” session with the “normal session”,” says Olejnik. “This means that in principle, after the user closes the browser window no trace should be left.”
But there are of course problems. Notably, third-party sites are able to detect whether site visitors are in private browsing mode, something that Olejnik says is being weaponised against them. It’s this capability that allows, for example, news sites with paywalls to block access to visitors with this mode enabled. If you reach your limit of free articles on the New York Times, it’s still able to recognise you (and stop access) if you click into incognito.
However, most browsers have never really considered this a major privacy flaw. This is why one loophole that allows third party websites to do this – through Filesystem API detection – has remained in place for so long. The FileSystem API is disabled in Incognito mode, meaning that if a site searches for it and gets an error message, they can determine that a user is in privacy mode. Google has announced the next iteration of its web browser, Chrome 76, will close the loophole. When it’s released on July 30, it’s probably not going to please publishers.How to delete your Google search history and stop tracking
How to delete your Google search history and stop tracking
However, despite the loophole being shut, this doesn’t mean that Chrome’s Incognito Mode will become a better way to browse anonymously. Matthew Forshaw, a lecturer in Data Science at Newcastle University was involved in research that compared the privacy modes of different browsers, and found that a lot of their claims didn’t stack up.
This research, conducted back in 2014, uncovered that third party websites were leveraging cookies to identify which users were browsing privately. In normal browsing, cookies are written onto the hard disc itself, whereas in incognito mode, they are held in a device’s memory. The research demonstrated that a third party website could remotely instruct someone’s browser to write one million cookies, and track how long it took – in a normal browser mode it should take a number of seconds, but when using private mode it’s almost instantaneous.
Another means of determining this mode is almost deceptively simple. Though you may be in private mode, there will only be so many people running the same version of your operating system with that version of the browser. From this information alone, trackers can often identify more personally sensitive and identifiable information. Forshaw says internet users can use a programme called Panoptoclick to obtain a ‘uniqueness score’ – ostensibly telling you how easily identifiable you are as you browse the web. The research project is run by the Electronic Frontier Foundation.
Is your browsing history at least safe from family members or partners who may have access to your computer? Forshaw’s research found that someone with access to your machine could discover which websites had been browsed with easily available tools. On the hard disc and in the memory, there were traces of which websites had been visited when in incognito mode.
But is this all of this by design? From its inception, Google’s whole business model has been predicated on collecting vast collections of data about its users. To create a truly private browsing option where no data is tracked would run directly counter to the tech giant’s raison d’etre. However, Google doesn’t claim that incognito is a catch-all security salve. In fact, it highlights that your activity might still be visible to the websites that you visit, your employer or school (if you are accessing content via an institution’s internet connection) and your internet service provider.
However, when it comes to third party tracking, Forshaw dismantles the notion that these entities may end up capturing such data ‘by accident’. “There’s a possibility than one of these trackers makes a decision about what they consider in and out of scope, and that through technical fluke, they end up capturing more information than they intended,” he says, “but in general, it’s probably very well considered.”
Given privacy modes don’t guarantee a true layer of anonymity, it’s not surprising that they offer no protection higher up the food chain. Your activity will still be available to your internet service provider which can monitor your activity using your public IP address.
There are other options though. If you’re looking for a more private online experience, you want to consider a privacy-first web browser. You’ll get the most protection by using Tor, which reroutes and encrypts your online activity in multiple layers, but other alternatives such as Brave and DuckDuckGo collect less data than Google’s offering.