Private browsing isn’t that private

Martin Shelton

Principal Researcher

Screenshot: Incognito mode in Google’s Chrome browser.

(Freedom of the Press Foundation)

Happy new year! It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Let’s give a round of applause to my colleague David Huerta, who steered the newsletter while I managed to fit in over a month of travels. Take your PTO days — you earned them!

Get Notified. Take Action.

In the news

Google agreed in late December to settle a $5 billion class action lawsuit filed in 2020, alleging the company collected browsing data on users when using Google Chrome’s “incognito” private browsing mode, including via Google services embedded in third-party websites such as Google Analytics and Ad Manager. The company’s lawyers argue, "Google also makes clear that 'Incognito' does not mean 'invisible,' and that the user's activity during that session may be visible to websites they visit, and any third-party analytics or ads services the visited websites use.” The limitations of Incognito are indeed stated prominently on its landing page, including the possibility that the websites you visit will still be able to track you when using private browsing mode. It’s a reminder to understand the limitations of private browsing mode. Read more here.

What you can do

  • I used to conduct privacy and security research for Google Chrome, so I spent a lot of time steeped in this topic: On all major browsers, research suggests many users overestimate the privacy promises of private browsing mode, with many believing that it allows them to hide their IP address, encrypt their web traffic, browse anonymously, and more. That’s why you’ll want to read about what private browsing mode does and doesn’t do. In short, when using private browsing, you are only deleting browsing history on your device. As soon as you connect to any other website, that website has a record of your visit.
  • Journalists looking to keep their browsing private should know that your newsroom IP address might tip off the targets of your investigation. If you are interested in hiding your IP address from websites or encrypting your browsing traffic, what you want is a “virtual private network.” A VPN encrypts and tunnels your web connection through a remote computer before you visit online services. Because VPN providers can retain logs of your activity, it’s worth paying for a reputable VPN with a no-logging policy. Read our guide to choosing a VPN.
  • Tor Browser can also help connect to the web more safely by encrypting and tunneling your traffic through remote servers. And it’s free!

Updates from our team

  • We’re now redesigning our website,, and would really appreciate your feedback. To help us improve our website, fill out our short, anonymous survey.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.



Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

When data brokers break

We often talk to newsrooms about dealing with data brokers — companies that aggregate and sell data from commercial and public records. According to recent reporting from TechCrunch, an alleged breach of a U.S. data broker impacted at least 300 million people. Their reporting suggests “mixed results” verifying the authenticity of the data.

Apple's password app

In the hope of simplifying how customers can log into apps and websites, Apple has announced it will offer a new Passwords app in its upcoming versions of iOS 18, iPadOS 18, and macOS 15.

Oops, all breaches!

Data breach notification service “Have I Been Pwned?” has added the login information associated with 361 million email addresses. Have I Been Pwned owner Troy Hunt says as many as 151 million of these unique email addresses have never been seen in his database before. The website boasts tracking over 13.5 billion breach accounts. Some of these credentials are reportedly harvested from users’ devices infected with information-stealing malware.