Private browsing isn’t that private

Martin Shelton

Principal Researcher

Screenshot: Incognito mode in Google’s Chrome browser.

(Freedom of the Press Foundation)

Happy new year! It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Let’s give a round of applause to my colleague David Huerta, who steered the newsletter while I managed to fit in over a month of travels. Take your PTO days — you earned them!

Get Notified. Take Action.

In the news

Google agreed in late December to settle a $5 billion class action lawsuit filed in 2020, alleging the company collected browsing data on users when using Google Chrome’s “incognito” private browsing mode, including via Google services embedded in third-party websites such as Google Analytics and Ad Manager. The company’s lawyers argue, "Google also makes clear that 'Incognito' does not mean 'invisible,' and that the user's activity during that session may be visible to websites they visit, and any third-party analytics or ads services the visited websites use.” The limitations of Incognito are indeed stated prominently on its landing page, including the possibility that the websites you visit will still be able to track you when using private browsing mode. It’s a reminder to understand the limitations of private browsing mode. Read more here.

What you can do

  • I used to conduct privacy and security research for Google Chrome, so I spent a lot of time steeped in this topic: On all major browsers, research suggests many users overestimate the privacy promises of private browsing mode, with many believing that it allows them to hide their IP address, encrypt their web traffic, browse anonymously, and more. That’s why you’ll want to read about what private browsing mode does and doesn’t do. In short, when using private browsing, you are only deleting browsing history on your device. As soon as you connect to any other website, that website has a record of your visit.
  • Journalists looking to keep their browsing private should know that your newsroom IP address might tip off the targets of your investigation. If you are interested in hiding your IP address from websites or encrypting your browsing traffic, what you want is a “virtual private network.” A VPN encrypts and tunnels your web connection through a remote computer before you visit online services. Because VPN providers can retain logs of your activity, it’s worth paying for a reputable VPN with a no-logging policy. Read our guide to choosing a VPN.
  • Tor Browser can also help connect to the web more safely by encrypting and tunneling your traffic through remote servers. And it’s free!

Updates from our team

  • We’re now redesigning our website, freedom.press, and would really appreciate your feedback. To help us improve our website, fill out our short, anonymous survey.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,

Martin

Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Indicted NYC mayor forgets phone passcode

Eric Adams allegedly claimed that he had changed the passcode and told the FBI he did not remember it.

Discord boosts private call encryption

Discord announced its rollout of end-to-end encryption for voice and video calls in one-to-one and group direct messages, voice channels, and Go Live streams.

Apple seeks dismissal of NSO Group lawsuit

Apple has filed a motion to withdraw a lawsuit against NSO Group, an Israeli spyware company.