If you don’t read what’s under the heading, it’s easy to think that Incognito mode allows you to browse the web without being tracked.
But as we now know, that’s 100% not the case. Google recently agreed to settle a $5 billion lawsuit alleging it tracked users’ activity, including IP addresses, device data, and browsing history, while they were using Chrome in Incognito mode.
So, what does Incognito mode do? And is browsing the internet anonymously a total pipe dream?
Private Browsing is Not So Incognito
Incognito mode keeps your browsing private from other people who use the same device.
It does not prevent:
Websites from monitoring your activity while you’re on them.
Your ISP/employer from seeing the sites you visited.
It’s not just Chrome’s Incognito. The same is true for pretty much every other browser’s “private” mode.
Google has now updated its disclaimer in Incognito mode to say that using Incognito won’t change how the websites you visit and services they use (including Google) collect data.
There’s more than one way to track someone online
And you don’t even have a choice as to which method you’re being tracked through. Most websites use a variety of web tracking methods, including:
Cookies. These are small files downloaded onto your device when you visit a website. They are designed to remember your activities on that site.
Third-party cookies. Same as above, but these cookies are created and placed by a website other than the one you’re visiting. Some browsers, like Firefox and Safari, already block third-party cookies by default, and Google Chrome plans to eliminate them by the end of this year. Sounds great, except that another technology, the Privacy Sandbox, will replace these cookies. Writing for the Electronic Frontier Foundation, Security and Privacy Activist Thorin Klosowski said, “Google referring to any of this as “privacy” is deceiving. Even if it’s better than third-party cookies, the Privacy Sandbox is still tracking, it’s just done by one company instead of dozens.”
IP address tracking. Every device has a unique IP address that identifies it to the internet, and websites use IP tracking to understand what geographic location their visitors are coming from, if they’re repeat visitors, and so on.
Fingerprinting. Described by PCMag as a “secret, insidious way” of tracking, fingerprinting involves websites making a unique profile about you based on your device’s technical information.
Web beacons. These are tiny, invisible images that monitor your website activity, such as how you interact with a web page, and can follow you through a series of pages.
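To make the list above concrete, here is an added example (not part of the original article) that models what a site can still observe when you switch to a private window: the cookie is gone, but the IP address and the fingerprint are unchanged. The device attributes, IP addresses, cookie ID, and the "hardened" profile are all constructed assumptions, and the simple FNV-1a hash stands in for whatever a real tracker would use.

```javascript
// Added illustration: every value below (attributes, IPs, cookie id) is constructed.

// FNV-1a 32-bit hash. Non-cryptographic; used here only to condense attributes.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// A fingerprint needs nothing stored on the device: it is derived from
// attributes the browser reports on every visit.
function fingerprint(device) {
  const keys = Object.keys(device).sort();
  return fnv1a(keys.map((k) => `${k}=${device[k]}`).join("|"));
}

// What a site observes for one visit: cookie (if any), IP, fingerprint.
function visit(device, ip, cookieJar) {
  return { cookie: cookieJar.id || null, ip, fp: fingerprint(device) };
}

// Which signals still tie visit b to visit a from the site's point of view?
function linkingSignals(a, b) {
  const signals = [];
  if (a.cookie && a.cookie === b.cookie) signals.push("cookie");
  if (a.ip === b.ip) signals.push("ip");
  if (a.fp === b.fp) signals.push("fingerprint");
  return signals;
}

const laptop = {
  userAgent: "ExampleBrowser/1.0 (constructed)",
  screen: "1920x1080x24",
  timezone: "America/Chicago",
  language: "en-US",
  fonts: "Arial,Calibri,Segoe UI",
};
const normal = visit(laptop, "203.0.113.7", { id: "uid-4821" });
// Private window: same device and network, but a fresh, empty cookie jar.
const incognito = visit(laptop, "203.0.113.7", {});
// Hypothetical hardened setup: generic reported values and a different network path.
const generic = { ...laptop, screen: "1000x1000x24", timezone: "UTC", fonts: "" };
const hardened = visit(generic, "198.51.100.20", {});

console.log("normal vs incognito:", linkingSignals(normal, incognito));
console.log("normal vs hardened: ", linkingSignals(normal, hardened));
```

The private-window visit loses only the cookie signal, which is why clearing local state alone does not stop a site from recognizing a returning visitor.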
Why You’re Tracked
Data is valuable for advertisers, and the more data someone has about you, the more precisely they can target their advertisements at you.
Besides advertisers and tech companies, government agencies are also interested in your browsing history. Documents released by Senator Ron Wyden show that the NSA buys Americans’ browsing data without warrants from data brokers.
At least your sensitive data – like your medical searches – is protected, right? Not quite. Health websites like Healthline and WebMD share sensitive data (including symptoms and drug names, plus keywords like “considering abortion”) with advertisers. According to a 2022 news investigation, even hospital websites track you. Many hospital websites have third-party trackers that collect patients’ sensitive data (like medical conditions) and send it to Facebook.
Is Anonymous Web Browsing a Myth?
Even with the most private browsers in the world, perfect anonymity online is a myth. However, that doesn’t mean you can’t improve your privacy.
Here are 3 easy steps you should take now for more private web browsing:
Install a privacy extension. For example, Privacy Badger prevents advertisers and other third-party trackers from tracking you, whereas uBlock Origin stops popup ads from appearing and sending your data to advertisers.
Use a (more) private browser. Potential options here include Brave, LibreWolf, and Tor. PCMag has a list of the best private browsers for 2024. Try testing out a few over a period of time to see which one works best for you.
Use a (more) private search engine. DuckDuckGo, Brave Search, and Startpage are probably the most well-known.
To reduce how much Facebook knows about what you do when you leave its site or app, do the following:
Click on your profile icon in the upper right of your screen.
Click “Settings & privacy” and then “Settings.”
On the left, scroll down to “Your information.”
Click “Off-Facebook activity.”
From here, you can see recent activity, disconnect specific activity, clear previous activity, and manage future activity.
If you click “Manage future activity,” you can toggle “Disconnect future activity” to stop Facebook from tracking your activity on other websites and apps.
A Note on Trade-offs
Of course, as is (unfortunately) so often the case with privacy, there’s usually a trade-off.
A more private search engine might not track you online, but it might not return the results you want, either. The same goes for browsers: Tor is pretty good for keeping you anonymous online, but it’s not exactly fit for everyday use.
How much inconvenience are you willing to put up with to be more private on the web? Are you willing to uninstall Windows and use Linux instead? DeGoogle your life? Harden Firefox?
Designing your threat model (i.e., who your adversary is and what you want to protect) can help you decide how far you want to go.
We’d Love to Hear Your Privacy Stories, Advice and Requests
Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito?
Troy Hunt of Have I Been Pwned discovered a massive data dump. Unlike most data dumps, which repackage previously shared passwords, this one contains about 25 million credentials that hadn’t been leaked before. On a similar note, researchers also discovered the “Mother of all breaches,” containing 26B records from previous breaches all in one place.
New Hampshire and New Jersey Pass Consumer Data Privacy Legislation
New Jersey passed a comprehensive consumer privacy law in mid-January following Governor Phil Murphy’s signing of Senate Bill 332. The law will come into force in January 2025. A few days later, New Hampshire passed a state consumer privacy law. If signed by Governor Chris Sununu as it is now, this law will also come into force in January 2025.
Ring No Longer to Allow Warrantless Police Requests for User Footage
Amazon’s Ring will no longer allow US law enforcement to request footage from users. Previously, law enforcement could seek individual users’ voluntary assistance through a “request for assistance” feature via the company’s Neighbors app. Going forward, law enforcement will need to get a warrant.
FTC Bans Data Brokers From Selling Precise Location Data
In early January, the FTC prohibited the data broker X-Mode Social (now known as Outlogic) from selling or sharing sensitive location data. The settlement also ordered the broker to delete and/or destroy all location data it previously collected and any products created from it. Later that month, the FTC banned another broker from selling location data.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: I’m in the process of deleting all the online accounts I don’t use, but I heard that it’s not a good idea to delete old email accounts. Is that true?
A: What you’re thinking of is probably Yahoo’s practice of freeing up inactive Yahoo email addresses about a decade ago.
Instead of deactivating Yahoo email IDs that hadn’t been used in a year, Yahoo gave inactive account IDs to people who wanted them. As you can probably imagine, this quickly turned into a privacy nightmare. Even if people weren’t signing into their Yahoo emails, in many cases, their Yahoo IDs were still linked to other services, which meant that sensitive emails were suddenly going to complete strangers.
It also made it possible for bad actors to take people’s Yahoo IDs and steal their identities through password resets.
Yahoo no longer appears to be recycling email IDs. Other major email providers also do not recycle email IDs, though to be 100% sure, check with your email service before you delete your account.
If recycled email addresses are not a risk you face with your email provider, it is generally considered a good idea to delete your email account as it minimizes your exposure to breaches.
Q: How easy is it to doxx someone online?
A: Very. Depending on your digital footprint, simply googling your personal details (full name/username/phone number, etc.) could bring up a ton of results.
Beyond Google, someone could also use:
Data brokers and people search sites (of course).
Username search engines to see where else on the web a username is in use.
Email permutators and validators to guess your email address and then see if that address exists.
Hacked database search engines like HaveIBeenPwned to see which of your accounts have been breached (and therefore validate that you have those accounts).
Reverse image search to see where photos of you have been posted.