Chrome 76 blocks websites from detecting incognito mode

Credit to Author: John E Dunn| Date: Mon, 22 Jul 2019 13:24:56 +0000

Have you ever bypassed a website paywall using a browser’s privacy mode?

It used to be a simple hack to read an article without registering, paying, or logging in to the publisher’s website. But subscription-based websites caught on.

Now, for example, visit any article on The Washington Post news site while in Google Chrome’s Incognito mode, and you’ll get the following message:

We noticed you’re browsing in private mode. Private browsing is permitted exclusively for our subscribers. Turn off private browsing to keep reading this story, or subscribe to use this feature, plus get unlimited digital access.

This is annoying, not because it means the visitor can’t access the story (the publisher is, of course, within its rights) but because it seems to be imposing restrictions on the whole idea of private browsing.

If it’s up to publishers to decide when a visitor is allowed to remain private, is that mode really private?

Plans to remedy the loophole

As we reported earlier this year, Google agrees and has laid out its plans to “remedy the loophole” websites have been using to detect visitors using Chrome’s Incognito mode.

The loophole in question is Chrome’s FileSystem API, which is disengaged in Incognito mode to keep people’s browsing activity private. Eventually, websites twigged that receiving an error message when checking whether this was accessible was a simple giveaway that visitors had gone Incognito.

This doesn’t matter to sites that have ‘hard’ paywalls because a login is required regardless of browsing mode. The issue arises on sites that try to whet readers’ appetites by offering two or three free articles, which means they need to plug ways of beating this limit.

According to Google, starting with Chrome version 76 on 30 July 2019, publishers will no longer be able to detect Incognito mode by checking the FileSystem API. And just in case publishers look for other methods – the FileSystem API being far from the only giveaway – Google warns:

Chrome will likewise work to remedy any other current or future means of Incognito Mode detection.

The company’s advice to publishers is to adjust their settings to allow more or fewer free articles, or to ask users to log in – something that’s likely to have paywall site owners muttering under their breath.

Privacy illusion

Google is spot on with this move. Detecting when users of any browser are using Incognito mode goes against the spirit of privacy, even if it’s not being done to directly track people as such, and any information that some browsers share and others don’t helps add to a browser’s fingerprint.

Detecting Incognito mode is also a weak defence that’s easily bypassed by using different browsers in sequence, for instance Chrome followed by Firefox, Safari and  Opera.

Ironically, the real problem with private browsing or anonymity modes is they don’t actually do the job you think they do. They block web history from being recorded on a device but not the numerous parties watching web activity, such as ISPs, advertisers, and website owners.

No, private browsing doesn’t hide porn site visits

Unfortunately, a lot of people take the misleadingly named anonymity offered by private browsing too literally, assuming it’ll hide things like visits to porn sites.

It won’t, of course, as a recent study on the user tracking carried out by websites (including by companies such as Google and Facebook, no less), reminds us.

Never forget that on the internet, everyone can see you click.

http://feeds.feedburner.com/NakedSecurity

Leave a Reply