The Secret’s Out: Reports of the privacy of private browsing have been greatly exaggerated

Reuters Plus and Avast, 31 July 2018

Unless you take precautions, the secrets of your private browsing sessions are bound to be exposed.

Sure, surfing the web in “incognito” or “private” mode might seem more secure than doing it with a totally unsecured browser (the phrases imply an air of security), but recent research and an overwhelming amount of anecdotal evidence from security experts indicate that so-called private browsing isn’t nearly as private as it’s cracked up to be. In fact, it’s not really private at all: routers, firewalls, proxy servers, RAM chips or the Domain Name System (DNS) cache could all have a record of your browsing history.

The lesson, of course, is that without appropriate add-on tools or apps, such “secret” browsing methods may not achieve the desired outcome at all. Here’s a primer on how to change the game.

Private Browsing 101

No discussion of private browsing can begin without first explaining what it is. In a nutshell, at least with most browsers, the private or incognito mode is designed to minimize the digital footprints you leave behind when you surf the web. Most of the leading web browsers, including Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Edge, Internet Explorer and Opera, offer some version of private browsing. Chrome, for example, calls it incognito browsing, while Safari calls it private browsing mode.

The easiest way to enable private browsing mode on desktop is with the keyboard shortcut “Control+Shift+N” on a PC, or “Command+Shift+N” on a Mac. Android users can activate Incognito Mode by tapping the three dots in the top right corner of the Chrome app and then selecting New Incognito Tab. iOS users on Safari can simply select the tabs icon at the bottom right, then tap Private.

With the ostensibly confidential mode engaged, your browser won’t record any temporary data on the device you’re using. This means that none of the pages you visit will display in your search history after you close the window. Any information put into a data-entry field will also be forgotten; this includes usernames and passwords that might otherwise be documented as autofill information. In theory, all first-party cookies (created by the website you’re visiting) and third-party cookies (created by third parties such as advertisers displaying content on the page) are also erased as you browse the web.

Not-so-private browsing 101

Still, because the browser isn’t the only thing that reads the data you send and receive over the internet, it’s impossible to delete this search information completely.

The truth is that copies of the data likely reside in a number of spots in the network, from the router to the firewall to any proxy servers or the DNS cache.

Some browsers even explicitly indicate that your web history and personal information are not entirely protected during or after a private session. Google Chrome, for example, includes a disclaimer noting that web activity may still be visible to internet service providers, employers and schools.

[Image: Google Chrome’s disclaimer notice]

Technically, private browsing just prevents search history from being saved locally and stops websites and third-party advertisers from accessing browsing data during those sessions. It does not function as an internet black hole. A record of your browsing history still exists, and it can still be tied back to you. The bottom line is that most users have very little control over which organizations actually end up seeing their browsing history.

More importantly, private browsing does nothing to protect against cyberattacks. Malware, spyware, keyloggers, phishing scams and other threats to your privacy and data security can still affect you during an incognito session. Remember: You’re still connected to other web servers when you’re on the web. That much is unavoidable, and as long as it’s the case, any server-side threat can still harm your computer.

In short, the information you thought you were protecting by browsing in private/incognito mode actually hasn’t been protected at all, which means your information is still visible to entities other than yourself, and could be vulnerable to attacks from browser hijackers, or worse.

Understanding misconceptions

Private browsing is useful for a variety of purposes. Yes, it stops websites and advertisers from collecting data during the session. Yes, it can be quite handy when logging onto public computers or someone else’s device since your usernames and passwords won’t be saved.

But it is not, for all intents and purposes, private. And one of the biggest problems with private browsing is the fact that users think it is.

According to a recent study from Avast, 65 percent of 10,000 responding consumers mistakenly believed that incognito/private browsing modes offered by today’s browsers will anonymize their identity and obscure their browsing habits from governments, businesses and advertisers.

What’s more, the same study indicated that 77 percent had misplaced expectations that their browser would alert them to potential web-based threats such as malicious extensions or unauthorized cryptomining.

Juxtapose these numbers with the fact that only 21 percent of private/incognito users consider these browsing modes safe, and it’s clear there’s an information gap at work. In short, users are utterly misinformed and probably putting way too much trust into browser modes that aren’t nearly as safe as they think they are.

Truly private browsing

What, then, can facilitate truly private browsing? In recent months a handful of new apps and browser overlays have hit the market to meet this very need. This technology takes extra steps to make sure data earmarked to be private stays that way.

Take the newest offering from Avast: the Avast Secure Browser. According to reviews, not only does the technology natively protect against web-based attacks such as ransomware, phishing and other malware, it also has features to protect users from mass surveillance, profile building and other invasions of consumer privacy.

The Avast tool also has a “Bank Mode” to lock down financial information, and it ships with Adblock, Anti-Tracking, and Anti-Fingerprinting switched on to keep a user’s online life private.

Other solutions on the horizon—such as a pilot project called Veil developed at the Massachusetts Institute of Technology—set up “blinding” servers that effectively whitewash all identifying data from headers that can be traced back to the original user.

Conclusion

However a browser works to keep data private, one thing is certain: current “private” and “incognito” modes on their own aren’t doing enough. The best solution to this problem is a one-two punch of new technology to sit on top of the browser with a Virtual Private Network (VPN) that is bulletproof enough to withstand common vulnerabilities and attacks.

While reports of the privacy of private browsing have been greatly exaggerated, users find themselves in a situation they can change for the better by adding a much-needed extra layer of privacy protection.

Previously published on Reuters Plus. Updated on 4/9/19 by Avast.