Google Chrome 76 will close a loophole that websites use to detect when people use the browser’s Incognito Mode.
Over the past couple of years, you may have noticed some websites preventing you from reading articles while using a browser’s private mode.
The Boston Globe began doing this in 2017, requiring people to log in to paid subscriber accounts in order to read in private mode. The New York Times, Los Angeles Times, and other newspapers impose identical restrictions.
Chrome 76—which is in beta now and is scheduled to hit the stable channel on July 30—prevents these websites from discovering that you’re in private mode. Google explained the change yesterday in a blog post titled, “Protecting private browsing in Chrome.”
“Today, some sites use an unintended loophole to detect when people are browsing in Incognito Mode. Chrome’s FileSystem API is disabled in Incognito Mode to avoid leaving traces of activity on someone’s device. Sites can check for the availability of the FileSystem API and, if they receive an error message, determine that a private session is occurring and give the user a different experience.
“With the release of Chrome 76 scheduled for July 30, the behavior of the FileSystem API will be modified to remedy this method of Incognito Mode detection.”
Using the Chrome 76 beta today, I confirmed that the Boston Globe, New York Times, and Los Angeles Times were unable to detect that my browser was in private mode. However, all three sites were able to detect private mode in Safari for Mac and Chrome 75.
Google acknowledged that websites might find new loopholes to detect private mode, but it pledged to close those, too. “Chrome will likewise work to remedy any other current or future means of Incognito Mode detection,” Google’s blog post said.
Change affects publisher paywalls
Google also acknowledged that this change will make it harder for publishers to enforce paywalls. Many news sites limit readers without subscriptions to a certain number of articles per month, but entering private mode can bypass these article limits.
Google noted that the article-limit model “is inherently porous, as it relies on a site’s ability to track the number of free articles someone has viewed, typically using cookies.” Google recommended that publishers monitor Chrome 76’s impact on readership before making changes:
“Sites that wish to deter meter circumvention have options such as reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywalls. Other sites offer more generous meters as a way to develop affinity among potential subscribers, recognizing some people will always look for workarounds. We suggest publishers monitor the effect of the FileSystem API change before taking reactive measures since any impact on user behavior may be different than expected and any change in meter strategy will impact all users, not just those using Incognito Mode.”
Incognito Mode is not a full privacy system
While Google said it “recognize[s] the goal of reducing meter circumvention,” it also said that “any approach based on private browsing detection undermines the principles of Incognito Mode.”
“Some wish to protect their privacy on shared or borrowed devices, or to exclude certain activities from their browsing histories. In situations such as political oppression or domestic abuse, people may have important safety reasons for concealing their Web activity and their use of private browsing features,” Google said.
Google’s blog post did not mention that Incognito Mode has only limited uses for protecting privacy and that Incognito Mode wouldn’t do much for someone trying to evade “political oppression.” When using Incognito Mode, “Chrome won’t save your browsing history, cookies and site data, or information entered in forms,” a Google support page notes. This is useful for keeping browsing activity private from other users of the same device or Google account but not for hiding your location or identity from websites and network operators.
In Incognito Mode, “Your activity isn’t hidden from websites you visit, your employer or school, or your Internet service provider,” the same Google support page says. For more comprehensive privacy protection, there are systems like Tor and VPNs—but finding a VPN that is both private and secure requires a bit of research.