The incognito myth: how private browsing really works

Anonymous

Ask anyone how to protect your privacy online, and they’ll probably mention private browsing. Every major browser has it, although the names differ: it’s Incognito in Chrome, InPrivate in Edge, Private Window/Tab in Firefox, and Private Browsing in Safari. All these names evoke a sense of security — even invisibility: like you could browse the web safely and in full anonymity. Alas, this mode is far from being “incognito” in reality, although it is still helpful if you understand how it works and supplement it with anti-surveillance security.

How incognito mode works

In private mode, your browser doesn’t save your browsing history, remember information you enter in web forms, or store the graphics and code of the websites you visit in its cache. The tiny text files called cookies in which websites save your settings and preferences are only stored for as long as the private window stays open, and are deleted when you close it. This way, no traces of your browsing activity are left on your computer.

However, your actions are still visible from the outside. The websites you visit, your browser itself, browser extensions, your ISP, the office or school system administrator, and various advertising and analytics systems — such as those owned by Google — can all still track you.

Some browsers, such as Firefox, include additional privacy measures in private mode. These may include disabling browser extensions and blocking known analytics sites that track users and third-party cookies that weren’t set by the website you’re opening. However, even this doesn’t guarantee complete invisibility.

Five billion’s worth of incognito data

To get an idea of how much information can be collected about incognito users, look no further than the Brown v. Google lawsuit, which ended in the internet giant’s defeat. The company was ordered to destroy “billions of data records” that pertained to the activities of users browsing in incognito mode and were collected up until the end of 2023. Data that won’t be deleted immediately must be further de-identified, for example by removing part of each user’s IP address from the records. The court estimated the monetary value of the data to be deleted plus the data that will no longer be collected at a staggering $5 billion. However, affected plaintiffs will have to seek monetary compensation individually, so Google isn’t likely to lose much money.

More significantly for all users though, Google was ordered to start blocking third-party cookies in Incognito mode and generally provide a clearer description of how Incognito works. While Google’s methods for collecting information in Incognito mode weren’t fully disclosed to the public during the legal proceedings, some of the techniques were mentioned publicly: gathering data through Google Analytics, recording IP addresses, and collecting HTTP header data.

None of the above is news or a secret: any website on the internet can collect and use the same data, and this data gets sent out in private mode just fine.

How websites track incognito visitors

By login. If you enter your email, phone number or username, and password on a website, your browser configuration no longer matters: you’ve announced your identity to the website.

Cookies. Although the website can’t read “regular” cookies from your browser as long as it’s running in private mode, it can still set new ones. If you use a private browsing window day in, day out, without closing it, there’ll be plenty of information gathered about your movements around the web.

The IP address. Private browsing doesn’t hide your IP address in any way.

Digital fingerprinting. By combining information transmitted from your browser in HTTP headers with data that the webpage can collect with JavaScript (such as screen resolution, battery level for mobile devices, and the list of installed fonts), the website can generate a digital fingerprint for the specific browser on the specific device and use that later to identify you. Private browsing mode has no effect on this.

All of the above. Advanced analytics and tracking systems try to use a number of techniques to track you. Even if old cookies are unavailable due to private browsing, you can be remembered with an auxiliary method, such as digital fingerprinting. This means that even if you visit an online store in private browsing mode without logging in, you might still see products you were interested in during previous sessions in your search history.
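The cookie-then-fingerprint fallback described above can be simulated in a few lines. This is an added example, not code from any real tracking system: the `Tracker` class, the attribute names, and all sample values are constructed for illustration, and FNV-1a stands in for whatever hash a real system would use.

```javascript
// Added illustration; every value below is constructed sample data.

// FNV-1a: a tiny non-cryptographic hash, used only to keep this dependency-free.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// HTTP header values plus values a page script can read, in a fixed order.
const KEYS = ["userAgent", "acceptLanguage", "screen", "fonts"];
const fingerprint = (attrs) => fnv1a(KEYS.map((k) => `${k}=${attrs[k]}`).join("|"));

// Hypothetical tracker: tries the cookie first, then falls back to the fingerprint.
class Tracker {
  constructor() {
    this.byCookie = new Map();      // cookie id   -> visitor
    this.byFingerprint = new Map(); // fingerprint -> visitor
  }
  visit({ cookie, attrs }) {
    const fp = fingerprint(attrs);
    let visitor = this.byCookie.get(cookie);
    let matchedBy = "cookie";
    if (!visitor) {
      visitor = this.byFingerprint.get(fp);
      matchedBy = "fingerprint";
    }
    if (!visitor) {
      visitor = `visitor-${this.byFingerprint.size + 1}`;
      matchedBy = "new";
    }
    // A known cookie is kept; otherwise a fresh one is issued for this window.
    const setCookie = this.byCookie.has(cookie) ? cookie : `cid-${this.byCookie.size + 1}`;
    this.byCookie.set(setCookie, visitor);
    this.byFingerprint.set(fp, visitor);
    return { visitor, matchedBy, setCookie };
  }
}

const laptop = { userAgent: "ExampleBrowser/1.0", acceptLanguage: "en-GB", screen: "1920x1080", fonts: "Arial,Calibri,Verdana" };
const phone = { userAgent: "ExampleMobile/1.0", acceptLanguage: "en-GB", screen: "390x844", fonts: "Roboto" };

function simulate() {
  const tracker = new Tracker();
  const regular = tracker.visit({ attrs: laptop }); // first visit in a regular window
  const returning = tracker.visit({ cookie: regular.setCookie, attrs: laptop }); // cookie still stored
  const priv = tracker.visit({ attrs: laptop }); // private window: empty cookie jar, same browser
  const other = tracker.visit({ attrs: phone }); // a different device
  return { regular, returning, priv, other };
}

console.log(simulate());
```

The private window receives a fresh cookie, yet it is linked to the same visitor record because the browser attributes did not change; only the different device is treated as new.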

What you should and shouldn’t do in private browsing mode

  • Search for a birthday present for a family member. Private mode will come in handy, as the keywords that could spoil the surprise won’t come up in the browsing and search history. It will also reduce the likelihood of the contextual ads that permeate today’s web giving away your plan with banners about the subject. However, private mode will be of no help if you sign in to your account at the online store or marketplace and make a purchase, as the website will remember both you and the purchase. The search history and “recently viewed” items may also be displayed on other devices where you’re logged in to the same account, so there’s still a chance of that surprise getting ruined. To sum it up, logging in to any account is a bad idea when browsing in private mode.
  • Look for a new job or secretly check medical symptoms. The computer will retain no traces of the activity, but your ISP will, and so will your office network’s system administrator. This isn’t something you should do at work, for example, as you can’t rely on private browsing to help.
  • Download illegal content. Don’t. And if you do download something like that in private mode, your ISP will still have recorded this activity under your account.
  • Sign in to your account on someone else’s or a public computer. In this case, private browsing is the least you can do to protect yourself. It prevents you from leaving any undesired traces like an account name, web form data, a saved password, or locally stored cookies or personal files — unless you save something manually. That’s a start, but it doesn’t guarantee complete security: public computers are often infected with malware that can steal any data from the browser, with private browsing or not. So if you have to use someone else’s computer, it’s best to make sure it has reliable malware protection. If you’re not sure, we recommend changing your password for each account that you signed in to on that computer and enabling two-factor authentication after you log off and get back to your usual device.
  • Sign in to two accounts on the same site. Most browsers make this possible: you can sign in to one of the accounts in regular mode, and to the other in private mode. This is about convenience rather than privacy, so private mode doesn’t really have any drawbacks when used this way.

What’s better than private browsing?

Private browsing mode is helpful, and there’s no reason to shun it entirely. For maximum privacy though, it should be combined with other measures:

  • An encrypted data channel (VPN) keeps your ISP and (work) system administrator from tracking your online wanderings, and allows you to change your IP address when visiting websites.
  • Tracking and ad blockers reduce the likelihood of your being identified by your digital fingerprint. Every browser supports anti-surveillance extensions, available from the official browser extension marketplace.
  • For maximum security in Do Not Track (DNT) mode, turn on Private browsing in Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium.
  • For added secrecy, you can set up a separate browser with the most rigorous tracking protection settings, which our guide can help you select.