
Is Private Browsing Really Private? - thmslee
https://spreadprivacy.com/private-browsing-9276d6d16ea4#.vmexmv7rb
======
throwaway2016a
"DuckDuckGo is the search engine that doesn’t track you." so obviously this
article has marketing lean.

While private browsing is not actually private I feel going so far as to say
it does not stop websites from collecting info on you is maybe a bit too far.

The site can still collect information about you, yes. But unless you sign in
while in private browsing or the site is using some sort of user-agent / IP
trickery it won't be automatically tied to your accounts. None of the cookies
or local storage are shared across private/non private browsing.

Personally, I use it mostly to see what websites look like when I'm not logged
in or if I want to access something that can only be accessed while logged out
without actually logging out which is surprisingly common.

~~~
AdamSC1
There are plenty of things a browser can see without being logged in.

Consider checking this page:
[http://webkay.robinlinus.com/](http://webkay.robinlinus.com/)

Private Browsing simply prevents cookies and nothing else, and for the average
person we find that is not what's expected from something defined as "private"
browsing.

~~~
mintplant
> Private Browsing simply prevents cookies and nothing else

Not true, at least for Firefox. In Private Browsing mode, Firefox will avoid
saving temporary files and other data to disk, keeping everything in RAM
instead, which is wiped when Private Browsing mode is exited. This includes
history, cookies, and cache data. I believe localStorage behaves differently
as well.

Firefox also makes an effort to block tracking scripts/servers in Private
Browsing mode, using Disconnect's filter list.

The Private Browsing new tab page explains this all pretty succinctly:
[https://i.imgur.com/MGp53eP.png](https://i.imgur.com/MGp53eP.png)

~~~
AdamSC1
You're right there. In this whitepaper we had different questions for each of
the browsers to make sure this distinction was noted.

However, users still in general think that private browsing modes do things
like prevent their IP address from being seen, or prevent a search engine from
recording their searches. So there is still a gap in their expectations.

------
camiller
Not really private, just keeps your local machine clean. Despite TeMPOraL's
labeling it "porn mode" my most common use case is if I need to log into my
Google account from my wife's laptop I'll use an Incognito mode window in
Chrome so that I don't have to log her out of her Google account.

~~~
eknight15
Is there a reason you don't use the people switcher?
[https://support.google.com/chrome/answer/2364824?co=GENIE.Pl...](https://support.google.com/chrome/answer/2364824?co=GENIE.Platform%3DDesktop&hl=en)

~~~
kedean
I don't use it because it requires that I switch back. My wife won't be
bothered to deal with learning the people-switcher (there's no reason she
should, it's really her laptop in question), so using incognito means that
once I close the window, it's clean again. It's a lot easier to remember to
close the window than it is to remember to switch back to her account.

The option I finally chose to go with, is to install firefox on her computer
as well. Firefox is for me, Chrome is for her. I'm an FF guy anyway. The main
UX problem stands, though, it's too easy to be the wrong person.

~~~
_coldfire
I'm in the same boat, well aware of chrome option to switch accounts, but the
simplicity of dual browsers wins when two people use the same login regularly.

Also I get to keep up to date with changes in firefox.

------
spaceboy
Probably relevant: "Google removes secret agent warning from Chrome’s
incognito mode"
[https://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/...](https://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/generated_resources.grd?r1=239201&r2=239282)

    
    
        “Pages you view in this tab won’t appear in your browser history
        or search history, and they won’t leave other traces, like cookies,
        on your device after you close all incognito tabs.
        Any files you download or bookmarks you create will be preserved,
        however. Going incognito doesn’t affect the behavior of other people,
        servers, or software. Be wary of surveillance by secret agents
        or people standing behind you.” 
      

The new version is:

    
    
        Pages you view in incognito tabs won’t stick around in your browser’s
        history, cookie store, or search history after you’ve closed all of your
        incognito tabs. Any files you download or bookmarks you create will be kept.
        Going incognito doesn’t affect the behavior of other people, servers, software,
        or people standing behind you.

~~~
ams6110
_sigh_ nobody has a sense of humor anymore.

~~~
gowld
It's not humor. Secret agents are a real problem.

~~~
InitialLastName
So are people standing behind you.

------
TeMPOraL
Personally I always believed the porn mode browsing gives two benefits:

- sites don't get recorded in browser history

- by not exposing your regular browsing cookies, it significantly reduces the
likelihood an "embarrassing" site will somehow end up on your Facebook wall

I hope I'm not wrong about the second one.

~~~
gcp
This is correct at least for Firefox.

The new Container Tabs feature works similarly: it splits cookies.

------
ddito
I really don't understand why anyone would expect private browsing to be
completely anonymous. I suppose they could change the name to something better
but seeing as how I only use it to browse _khm_ websites which I don't want in
my browsing history and I know other people use it only for the same reason as
well. In any case I suppose that anyone who really needs anonymity is aware
what browsers mean by "private browsing". I even have to block Firefox's
tracking protection to browse my favorite "website".

~~~
neotek
Of course you understand, you know as well as any of us that the average user
knows next to nothing about how the Internet, their computer, or their browser
works, either physically or conceptually.

It's not unreasonable for a user to take Google or Mozilla or whoever at their
word when they call the feature "incognito mode", or "private browsing" etc.
They don't know the first thing about how their privacy is breached in the
first place, so why would they know how their browser mitigates potential
breaches?

------
gcp
The "Most common misconceptions about Private Browsing" part is actually
misleading for Firefox users, because that _does_ apply Tracking Protection in
private browsing mode. So some of the top misconceptions aren't, at least not
if you use Firefox.

(Yes, yes, it can never be perfect, but I don't believe that invalidates the
point)

~~~
AdamSC1
DuckDuckGo employee here - I ran the survey we used in this.

We had a separate question for users who noted that they used Firefox that
spoke to the specific cases for that browser.

The final whitepaper is browser agnostic, and these are the top misconceptions
overall, but results were split out in the research phase to account for this.

------
awinter-py
FF tracking protection helps.

Disabling JS from iffy marketing companies mostly solves the problem. (From a
legal standpoint, not a security standpoint). It's illegal under wiretapping
rules to share communication with a third party. (but if the user's browser
hits a third-party data collection endpoint, that's somehow okay. See 'in re
doubleclick'). Firefox tracking protection uses the disconnect.me list
[https://disconnect.me/trackerprotection/blocked](https://disconnect.me/trackerprotection/blocked)
to get rid of all of these it can.

If the adversary isn't a marketing firm that has to comply with the law,
ignore the above. Then you're looking at browser flaws (canvas fingerprinting)
and session inference (using client IP, URL, browser-agent, & timestamps to
reconstruct identity from behavior).

------
samat
Is it actually a misconception that private browsing prevents search engines
from knowing my searches?

I do search for some nasty stuff in private mode and it never pops up in ads
for my main account.

I do understand there might be conspiracy in Google to gather that data and
link it to my account but never use it in the way I notice, but that looks
like conspiracy theory to me.

~~~
twblalock
> Is it actually a misconception that private browsing prevents search engines
> from knowing my searches?

Of course the search engine knows what you searched for! You sent the search
string from your computer to one of their servers.

You'd need a way to prevent the search engine from knowing your IP address,
like a proxy or Tor, in order to hide your identity.

------
konceptz
Title is a little misleading but a good article.

"Surveys done on users' perceptions of private browsing" or as they titled the
paper "A Study on Private Browsing: Consumer Usage, Knowledge, and Thoughts"

------
sjbase
This all seems likely to be true, but the source being Duck Duck Go calls the
results & methodology into question. I'd love to see an independent researcher
confirm these findings.

~~~
AdamSC1
Hey there, DuckDuckGo employee here.

Would love to know why you feel our affiliation calls that into question?

In the whitepaper we disclose the full methodology, and each statistic has
a margin of error calculated and added in. Feel free to review it - we're
happy to answer questions!

~~~
sjbase
I have to confess I didn't see the link to the whitepaper in my first read
through - shame on me for commenting before I did :) I think you all did a
pretty good job putting this together overall after reading through it, and I
applaud the effort. That said, the critical HNer in me sees some bias in the
questions and answers. Specifics:

* The results on page 17 jumped out at me the most. There are 4 specific options for negative emotional reactions, and one generic positive option. It's easy to underestimate the powerful effect this has on pushing the responder to a specific answer. Imagine if your answer options were only "content, secure, informed, protected, neutral, misled" and how different your results might be.

* The question for the above, specifically the tone of "[...] does not offer any additional protection [...]" is also a form of leading the responder to an answer. While the statement is mostly true, there's some contention on the point esp. regarding cookies (see the other comments on this thread). Either way, you'd get a more honest answer if you strictly list the things private browsing does, and the things it does not do in a way that's as objective and incontrovertible as possible.

* It would be useful to see the benefits underlying the "correctly identified" category on page 13. I couldn't find those anywhere which was a bit suspicious.

In consulting, I used to survey users on their personal security practices
(password strength, adherence to policies, secure disposal, etc.) and gained a
huge appreciation for how powerful bias and misinterpretation can be in
surveys, and how hard it is to control. But to reiterate, I think this is
overall pretty well done and has some really interesting results, esp. the
usage data in the first few sections.

~~~
AdamSC1
Great questions and valid points. Every bit of data should be taken with a
grain of salt as no study is perfect. We've done the best possible to be
statistically sound and disclose anything that may bias that.

Initially we started this survey out of our own interest so a few of those
decisions are rooted from there.

1) Agreed, however we've already divided out the people who previously learned
about private browsing. This leaves us with a cohort of users who have used
private browsing, thought it protected them more and learned that it was
wrong. It's very unlikely in any case that there would be positive emotions
experienced. In our background research before the final survey we were only
focusing on if users had a positive or negative experience. In this final
major survey we wanted to get a better understanding of what those negative
emotions were and so teased it out more.

I agree that a skewed set of options can bias a question but it is case-by-
case. Example if I ask "how do you feel when your ice cream falls on the
floor?" and the options are "Happy, Joyful, Amazing, Wonderful, Excited, Sad"
you'll still likely pick sad.

2) A good point. This question is one that is linguistically challenging. We
want to use phrases like "it _only_ does X" to stress limits, but those can be
misinterpreted. I agree you may see some shift if you ask the question as a
feature list, but I think in the question we're looking at it would still fall
well within the margin of error. I'm curious to run some tests on it either
way!

3) We didn't release those in the whitepaper as they were broken down by
browser since each browser has different feature sets. We wanted to keep this
report agnostic of browser. We're not looking to shame anyone, we're trying to
support the conversation around the education gap for the average non-
technical internet user. They are telling us they want more privacy, and don't
feel that it is being provided or explained well enough.

Overall, I really appreciate the feedback - it is more important than ever to
question and discuss the things we see online. Hope this sheds some light on
why we made the various decisions we did! :)

------
unstatusthequo
As an attorney who does digital forensics, it's most certainly not.

------
throwaway235689
Can the use of private browsing + a 3rd-party VPN at the same time be
considered reasonably private?

------
simplehuman
Sad that a DDG blog is on medium.com :/

~~~
RileyKyeden
What's wrong with Medium? I used to run my own blog software. I don't
recommend it unless you really need to micromanage the implementation. Most
people do not. This is why I let Medium handle all the intricacies of
publishing my blog so I can just write.

