Private browsing isn’t that private

Martin Shelton

Principal Researcher

Screenshot: Incognito mode in Google’s Chrome browser.

(Freedom of the Press Foundation)

Happy new year! It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Let’s give a round of applause to my colleague David Huerta, who steered the newsletter while I managed to fit in over a month of travels. Take your PTO days — you earned them!

In the news

Google agreed in late December to settle a $5 billion class action lawsuit, filed in 2020, alleging that the company collected browsing data on users while they were using Google Chrome’s “incognito” private browsing mode, including through Google services embedded in third-party websites, such as Google Analytics and Ad Manager. The company’s lawyers argue, “Google also makes clear that ‘Incognito’ does not mean ‘invisible,’ and that the user’s activity during that session may be visible to websites they visit, and any third-party analytics or ads services the visited websites use.” The limitations of Incognito are indeed stated prominently on its landing page, including the possibility that the websites you visit will still be able to track you when using private browsing mode. It’s a reminder to understand the limitations of private browsing mode. Read more here.

What you can do

  • I used to conduct privacy and security research for Google Chrome, so I spent a lot of time steeped in this topic: On all major browsers, research suggests many users overestimate the privacy promises of private browsing mode, with many believing that it allows them to hide their IP address, encrypt their web traffic, browse anonymously, and more. That’s why you’ll want to read about what private browsing mode does and doesn’t do. In short, when using private browsing, you are only deleting browsing history on your device. As soon as you connect to any other website, that website has a record of your visit.
  • Journalists looking to keep their browsing private should know that their newsroom IP address might tip off the targets of their investigation. If you are interested in hiding your IP address from websites or encrypting your browsing traffic, what you want is a “virtual private network.” A VPN encrypts and tunnels your web connection through a remote computer before you visit online services. Because VPN providers can retain logs of your activity, it’s worth paying for a reputable VPN with a no-logging policy. Read our guide to choosing a VPN.
  • Tor Browser can also help you connect to the web more safely by encrypting and tunneling your traffic through remote servers. And it’s free!

Updates from our team

  • We’re now redesigning our website and would really appreciate your feedback. To help us improve our website, fill out our short, anonymous survey.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.



Read more about Digital Security Digest

Mozilla breaks into the anti-data broker game

Hundreds of data brokers aggregate and sell access to personal data, such as phone numbers, emails, addresses, and even purchasing habits collected through loyalty card programs, social media sites, apps, trackers embedded in websites, and more. Mozilla has a new monthly subscription service which automatically scans for your personal data on data broker websites, but there are other ways to make your data less easily searchable. Read more from the Digital Security Team.

Moving from passwords to passkeys

Instead of traditional passwords, where you log into a website with credentials that you know or store in a manager, a passkey is a credential that you store on your device, registered with an online account. Read more in our newsletter.

Journalists targeted with Pegasus yet again

Mercenary spyware firm NSO Group’s Pegasus spyware, designed to remotely access targeted smartphones, is marketed to governments around the world for the purposes of law enforcement and counterterrorism. But in the wild, we’ve seen governments repeatedly abuse this and similar spyware tools to infect journalists, spying on their most sensitive files, communications, and sources.