Google Chrome Incognito Mode has a flaw
A new report out of Vanderbilt University has cast a shadow over one of Google’s most sensitive features: Incognito Mode, the private browsing mode in Google Chrome.
Google’s incognito mode promises no saving of browsing history, cookies or site data, and information entered in forms, but says your activity may still be visible to websites you visit as well as your internet service providers or employer.
But the report by computer science professor Douglas C. Schmidt, published by trade group Digital Content Next, found that Google has the ability to associate anonymous data, the type of data connected in Incognito Mode, with people’s actual identified accounts under certain conditions.
Google has said that it doesn’t do this and has called the study “misleading,” citing what it calls conflicts of interest, but it’s still an important reminder that Incognito Mode may not be the foolproof way to have anonymity online that many think it is.
Anonymous tracking could be de-anonymized
Google’s advertising tools collect data by using unique semi-permanent, anonymous identifiers to associate with different users.
“Google, however, has the ability to associate these IDs with a user’s personal information,” Schmidt writes. Schmidt points out that Google’s privacy policy “insinuates” this when it asks users if they want to “Include Chrome browsing history and activity from websites and apps that use Google services.” Yes is checked by default.
Android mobile devices also ferry data to Google, and some of this data comes not only with identifiers but with actual Gmail addresses, linking the two.
Since Google’s ad technology knows the unique identifiers, it could know who you are even in Incognito Mode, Schmidt demonstrates in the report.
Schmidt’s experiment involved opening a new Incognito window, visiting a third-party website that uses Google’s popular DoubleClick ad network, and then signing into a Google account. During the sign-in process, Google sent data that contained both the anonymous identifier from the third-party website and the user credentials.
“Therefore, if the users do not clear browser cookies regularly, their browsing information on 3rd-party web pages that use DoubleClick services could get associated with their personal information on Google Account,” Schmidt writes.
Google has been clear to say it does not do this — without saying that it is not able to — but criticizes the report as “commissioned by a professional DC lobbyist group, and written by a witness for Oracle in their ongoing copyright litigation with Google.”
“So, it’s no surprise that it contains wildly misleading information,” a Google spokesperson added.
For quick incognito sessions — to look at a LinkedIn without it notifying the person whose profile you’re looking at, for example — this may not be a big deal. But if a person is using Incognito Mode to have a separate browsing session, using a separate Gmail account for example, Google may be able to associate their browsing activity to the account and their identity.
For more complete anonymity, if you need to log into a Google account during an incognito session, clear your cookies.
–
Ethan Wolff-Mann is a writer at Yahoo Finance focusing on consumer issues, retail, personal finance, and more. Follow him on Twitter @ewolffmann.
The most and least affordable U.S. metro areas to buy a house
The top 10 innovations that could shape the next decades: Citi