
Google Chrome Incognito Mode Can Still Be Detected - nradov
https://www.bleepingcomputer.com/news/google/google-chrome-incognito-mode-can-still-be-detected-by-these-methods/
======
DenisM
Can this fight ever be won?

If you've been browsing the internet for more than 5 minutes you already have
cookies from some of the major ad networks. Therefore if you do not have
cookies from the major ad networks, you're either a brand-new device or an
incognito browser. All that is left to do is get in bed with the ad network to
ask them if they have good cookies for this session. As it so happens most of
the companies trying to bust the incognito mode are already in that crowded
bed.

The next loops in this spiral are: 1) an incognito mode that seeds good-
looking ad cookies 2) ML models trying to distinguish
synthetic/cloned/5-seconds-old cookies from genuine ones 3) matching ML models
trying to out-fox the models from step 2, and so on.

The last fit of madness will be a hidden session in Chrome browsing the web on
your behalf, building up a bogus profile for the ad networks, and the ad
networks trying to figure out if the clicks in your fake session are
sufficiently human-like.

And whoever wins in this war, the ad networks will end up collecting even more
data than they do now.

~~~
swebs
I remember around 10 years ago people were calling Stallman paranoid for this.
Now he seems more like a prophet:

>I generally do not connect to web sites from my own machine, aside from a few
sites I have some special relationship with. I usually fetch web pages from
other sites by sending mail to a program (see
[https://git.savannah.gnu.org/git/womb/hacks.git](https://git.savannah.gnu.org/git/womb/hacks.git))
that fetches them, much like wget, and then mails them back to me. Then I look
at them using a web browser, unless it is easy to see the text in the HTML
page directly. I usually try lynx first, then a graphical browser if the page
needs it (using konqueror, which won't fetch from other sites in such a
situation).

[https://stallman.org/stallman-computing.html](https://stallman.org/stallman-computing.html)

~~~
shultays
Well, that is a bit paranoid.

~~~
mort96
It's not though? If your goal is to avoid having your every move online
tracked by companies hoping to earn money from spying on you, what Stallman
does is one of the few strategies which work.

~~~
shultays
You can take various actions to improve your privacy. At some point it becomes
a paranoia. If you are fetching web pages on a remote server and email stuff
to yourself then I would say it is becoming paranoia.

And I would say what Stallman does probably gives him a very unique
fingerprint (wgetting web pages from a unique server). I doubt he is doing
that for privacy.

------
madars
This is annoying so I just use a fresh browser profile every time I encounter
such a site, i.e. have a short-cut for:

    
    
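      $ cat ~/bin/chrome-new
      #!/bin/sh
      # Start Chrome with a throwaway profile in RAM-backed /dev/shm and
      # delete the profile once the browser exits.
      # PROFILE_DIR rather than TMPDIR: an already-exported TMPDIR would be
      # overwritten and inherited by Chrome.
      PROFILE_DIR=$(mktemp -d /dev/shm/chrome-XXXXX) || exit 1
      google-chrome --user-data-dir="$PROFILE_DIR" --no-first-run --no-make-default-browser "$@"
      rm -rf "$PROFILE_DIR"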

~~~
aasasd
In FF, this seems to be solved with the mechanism of containers and extensions
like ‘Temporary Containers.’

~~~
envolt
Temporary Containers is a savior when it comes to paywalled articles.

------
adrianmonk
Workaround for now:

1\. Open the profile menu. (This is the icon in the top right, just to the
left of the three vertical dots.)

2\. Click "Manage people", click "Add person" (lower right).

3\. Type "Darned Newspapers!" and click "Add".

4\. When you get blocked, copy URL, use the profile menu to navigate to open a
new "Darned Newspapers!" window, paste URL.

It's a real profile, so it should behave quite closely and should be harder to
detect. Of course, unlike incognito mode, it will save your history, so be
aware of that.

~~~
thaumasiotes
Another workaround:

Disable javascript on the newspapers' sites. They load the full article and
then use JS to hide it. (They also use JS to do the incognito detection in the
first place.)

~~~
denkmoon
Often doesn't work, they now take a new approach by only loading in the extra
content if you pass their checks (using JS). Not using JS will get you the
first paragraph.

~~~
rococode
Downside of search engine indexers evolving over the years to execute JS on
crawled pages.

------
wintorez
Client tracking through Browser Fingerprinting is a spooky tech. Check these two
websites to see for yourself. Try using different browsers, even a VPN
connection, and see how trackable you are:

1) [https://panopticlick.eff.org](https://panopticlick.eff.org) 2)
[https://amiunique.org](https://amiunique.org)

~~~
kristopolous
These things state I'm unique every time I go to them. That's the problem with
the tech, it can't _track_ very well.

~~~
TazeTSchnitzel
It's stable but not over a long period because your browser will change. But
it could be used to link two identifiers together, for example when your IP
address changes, to create a chain that can track you over time.

------
mark_l_watson
OK, this article was not what I expected. I use incognito mode whenever doing
online banking, searching for medical information, etc. I don’t care if a web
site knows I am in incognito mode. Indeed, I think it is a web site’s right to
know because they may need to enforce free access quotas, etc.

~~~
zzo38computer
I think they would have no right to USE YOUR COMPUTER to enforce such quotas,
please.

------
NickGerleman
I’m a bit surprised Chrome developers went the route of an in memory
filesystem instead of trying to sandbox and clear real disk access. Silently
using up to 120MB without realizing sounds pretty bad.

~~~
foota
You can't allow for bytes to sit around on disk in case of crash.

Maybe they could encrypt with a key kept in memory? That'd still allow
detection of use though.

~~~
Reason077
> _" You can't allow for bytes to sit around on disk in case of crash."_

Just check periodically (at startup?) for orphaned temporary storage data. I'm
sure there are other parts of the browser that need to do this sort of thing
anyway - expired cache data, for example.

~~~
foota
Sure, but those are a different use case.

------
NKCSS
The Dutch cable company 'Ziggo' (owned by Liberty Global) also does Incognito
mode detection in their web-based tv player and does not allow streaming.

[https://imgur.com/a/TacdDRm](https://imgur.com/a/TacdDRm)

You can check it yourself here:
[https://www.ziggogo.tv/](https://www.ziggogo.tv/)

~~~
Mindwipe
I don't believe that's actually their fault, HTML5 EME implementations don't
work in incognito mode in Chrome.

But that is another way in which newspaper sites could do this detection if
they wanted to, send an HTML5 EME clearkey to a one pixel video in the corner
and get back the error response.

I think Google are on to a complete loser here tbh, and I'm not sure why
they're wasting development resource. As much as using incognito mode to
bypass soft paywalls might be fun for a user, there's no real moral
justification. There's no privacy issue here in a newspaper giving a clear and
unambiguous statement before you enter that you've got to disable incognito,
and a user can either choose or refuse to do it. It's probably the clearest
consent screen in the world.

~~~
tomjen3
The moral justification could just as easily be turned around: a website does
not get to run arbitrary code on my computer, so I can (and do, by default)
turn off javascript.

~~~
Mindwipe
If you want to you're very welcome to.

That's really not the same thing as Google actively developing a tool to block
soft paywalls, that will primarily be used by people to just not pay for
things who really don't give a stuff about people running things on their
computer or not.

------
ridaj
Partly for this reason I use Firefox with its "delete cookies when quitting"
mode instead.

~~~
auslander
Why not use Permanent browsing mode?

~~~
auslander
I meant Always use Private browsing checkbox.

~~~
ridaj
I don't really care about tracking within a session and private browsing had
other downsides (e.g. limited history support). It's the cross session stuff
that tends to be creepier in my experience.

------
git-pull
They can paywall / block incognito all they want.

Just delist the (paywall'd) articles. That's the annoying thing - when
articles come up on Google and you can't read them. Please fix this.

If people want to pay, that's fine. Perhaps ISP's should pay for these
websites via their plans so there's no more need to login.

I don't want to login to something just to browse a feed. I believe people
would be happy to pay for these websites, but in a convenient way, ahead of
time. Allow IP ranges, create a browser plugin that reauthorizes the site
session even in incognito / w/o password saving. Innovate like Spotify did.

Annoying and badgering the user is 101 UX antipattern. One reason some don't
buy is they don't want to encourage it.

It's fair to hold them to a high standard because many of these websites are
articles and presentation is supposed to be a forte. You don't battle the
adblockers and incognito modes - you fight to make it easier and more
convenient for your readership.

------
nikolay
Yes. I just open an incognito window in Chrome and go to www.instagram.com and
then it prompts me to log in via a list of Instagram accounts I've ever logged
in in the non-incognito Window.

~~~
toper-centage
If you use Chrome, did you really expect any kind of privacy to be respected?

~~~
nikolay
Well, they should be sued for false advertising. I know Google slices and
dices all my info, but I expect them to honor my privacy when in _incognito_
mode.

------
caf
Seems like the TWTF is that in normal browsing mode, sites are allowed to use
considerably more than 120MB of "temporary" storage on the filesystem.

~~~
zzo38computer
I agree; by default it shouldn't be so much. (Maybe the user could configure
it (to any range between zero and 4 GB, perhaps), but even then, the limit
should not differ for incognito mode unless the user configures it the same.)

------
anilakar
Keeping local storage in memory might make sense if Incognito Mode had
separate storage for every tab. However, it's just another browser session
that gets wiped when the last tab gets closed – you cannot have multiple
parallel ephemeral sessions. I remember having to install Chrome Canary
because I needed four separate Chrome sessions simultaneously.

~~~
mdaniel
Your workflow is your workflow, but as an FYI Chrome profiles _also_ get their
own everything, plus each profile also gets its own incognito session

There is an added benefit to using profiles in that if any other window is
open from a separate profile, then all profile context menus acquire an "Open
link in ..." menu item which will then list all the other profile names.
Unknown why it doesn't do that context menu modification all the time.

If your other profiles are only used for development-time scenarios, you can
also choose to "Clear Browsing Data..." on them at will, since you won't be
losing anything valuable

------
mirimir
They can track Mirimir all they like. Not that it'll do them much good.
Because Mirimir only does stuff that I'm OK with everyone knowing about
Mirimir. And none of it is connected to my meatspace identity, or to other
personas.

Unless you're really paranoid, all you need is a VM, which hits the Internet
through a VPN service. You use the host machine for meatspace stuff, and the
VM for private stuff.

------
martin-adams
If Google really wants to fix this, they could always have Incognito mode
detection as a negative ranking factor.

~~~
Traster
I wonder if it's occurred to these sites that essentially they're poking the
bear. Sure, Chrome can slowly patch these issues, but there's always a
possibility that Google just turns around and says "Hey guys! I search engine
crawler looks like incognito chrome! Fuck you!"

------
Reason077
Seems like it was a mistake to use a RAM disk to back the storage API in
incognito mode?

Why not just create a new "real" storage db on disk, deleting it when the
incognito window/tab is closed? It seems like this approach would defeat all
of this class of attacks.

------
morgengold
Why not just forbid the storage of user data? It would solve most problems.
Why does a whole society need to be taken hostage for the profit of some
companies?

I seriously do not understand.

------
Rapzid
Pretty embarrassing TBH. Both of those detection methods immediately come to
mind when reading about their in-memory solution to the storage API problem. I
can only imagine Google phoned it in on this one.

~~~
rasz
In a galaxy far far away Opera 12.x offered fully customizable local storage,
with per domain/subdomain enable/disable/quota/delete on exit options. Google
owns our browsers and won't let us do anything crazy like configure away stuff
useful for ad targeting.

------
Lukesys
Well duh, it is Google we are talking about!

------
420codebro
I believe google has cut a deal with advertisers to ensure they can always
identify incognito.

------
crb002
So do random cookies?

------
crazygringo
Is this a cat-and-mouse game that's worth playing for Chrome?

Browsers are so complex that I imagine incognito mode is always going to leave
_some_ kinds of statistical signatures that can be detected and exploited
through merely moderate cleverness, but will be much harder to hide on
Chrome's side.

Is it worth it for Chrome? Or would resources be better spent on other parts
of the browser?

It's not really a privacy/security problem or anything as far as I can tell --
just a way to bypass paywalls, right? "Sites not detecting my incognito mode"
never felt like part of the web's "contract" to me.

~~~
PeterisP
One part of the "web's contract" is that googlebot and other scrapers should
get what the users get. And vice versa - if you're telling googlebot that
there's a particular text available to the public; I'd expect to get the same
content that you just gave googlebot and not something else, thank you very
much.

~~~
jacquesm
That used to be the case. But Google has long ago given certain sites a pass
on that.

~~~
Forge36
Did they? This fight against Incognito mode suggests otherwise

~~~
kpozin
Ever try to click on a LinkedIn profile from a search result? Most of them
just show a LinkedIn login screen, and none of the text from the search
result's snippet.

------
redleggedfrog
"Can this fight ever be won?"

No, the point is to make the people subverting this for their own nefarious
gains (looking at you, NYT) put so much effort, money, and time into it, that
eventually they die a slow horrible death and, maybe, just maybe, something
better and more relevant and less evil comes along (or maybe NYT changes their
ways - either works).

I mean, look at this thread, so many great undermining methods! Beautiful.

~~~
BurningFrog
After all the newspapers die a slow horrible death, I think the world will
figure something better out.

But it might take a few decades of uninformed confusion.

