Are you expecting to have complete privacy when you enable incognito mode or private browsing within your web browser? Think again.
Even if you are using a secure browser and enabling either incognito mode or private browsing, you are probably still getting tracked when you go online. In other words, your internet browser alone is not giving you much privacy.
In this article, we’re going to take a quick walk through all the internal and external flaws of these “privacy” modes that web browsers include. Then, we’ll discuss situations where these modes make sense and where they don’t. Finally, we’ll wrap up with some advice on how to get real privacy when using your favorite web browser.
Why private browsing and incognito modes aren’t enough
Virtually all web browsers now offer some kind of enhanced privacy mode. They are usually called private browsing mode, incognito mode, secret mode, or something along those lines. With names like these, you might expect them to allow you to use the internet with privacy.
Unfortunately, they are not very private at all. While there are variations in the way each web browser implements its own mode, the main function of these modes is twofold:
- Erase cookies from your browser
- Erase your browsing history from your browser
They do a good job of this – but it takes a lot more to make your web browsing private. Erasing cookies from your browser and erasing your browsing history are fine to mitigate some tracking online. However, many people are being misled when using “private” or “incognito” browsing. Just ask Google.
Google sued for tracking “incognito” Chrome users.
And while the average user thinks that incognito offers tangible protection, the browser companies seem to see things differently. There is currently a $5 billion lawsuit against Google for tracking users while in the Google Chrome incognito mode.
Google Chrome warns users about the limits of incognito mode… but is still being sued for big bucks.
Note: Google is discontinuing cookies, but will still be tracking users with a new method. See this article on Google’s FLoC and the privacy issues that it entails.
Depending on the browser you are using, in most cases the files you download and the bookmarks you save will not be deleted when you close the incognito window.
Another problem is that your browser is not the only place where your browsing history could be seen. Your internet service provider (ISP) can still see everything you are doing online, and they can pass this data along to anyone that asks for it. This also applies to your network administrator, which could be concerning on a work or school network. The same goes for various spy agencies and anyone else who can tap into the connection and monitor unencrypted traffic.
Private browsing and incognito modes do not hide your IP address
Every device that connects to the internet has a unique IP address, which also reveals your location. Whenever you go online, you broadcast this unique IP address to the world. Therefore, for basic privacy, you will want to hide your IP address.
Unfortunately, incognito and private browsing modes do not hide your IP address. And because of this, your browsing history is tied right back to your device. This information is pretty well known these days, which is why most people hide their IP address when going online. But it gets worse.
Less well-known private browsing problems
Beyond the issues we’ve just covered, it turns out that there are several other ways that your “private” browsing information can be found outside of the control of your web browser. Here’s a quick summary:
Logging in to a service
You probably already know this, but a surprising number of people still don’t make the connection. If you log into a website or service, even in incognito mode, they of course will know who you are. Log in to Amazon, Facebook, or Netflix, and they will know your identity. It doesn’t matter what browser you are browsing with. Logging in gives them all the information they need.
The same goes for logging into any Google service. Log into one of them and Google can track you across all of them. (Also see this guide on alternatives to Google products.)
Leaving traces in your DNS cache
When you visit a website, your device does a DNS search to look up the proper address. The device then may store the results of these searches in a cache. The cache serves to speed up navigation and reduce the load on the big servers that store DNS data. This data doesn’t remain there forever, which is helpful. Each device has a TTL setting (Time To Live) that controls how long data is preserved in the cache before being deleted.
The problem arises when someone has access to your device. With the right skills (it isn’t too hard), and access to your device, a bad guy can get access to the DNS cache and see all the sites you have visited.
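To check what a private session left behind in the operating system's resolver cache, the sketch below parses the text that Windows prints for `ipconfig /displaydns` and reports which visited hostnames are still listed. It is an added example, not part of the original article; the choice of Windows is an assumption, and the sample output and hostnames are constructed.

```python
import re

# Constructed sample of `ipconfig /displaydns` output (Windows); not real data.
SAMPLE = """\
Windows IP Configuration

    clinic.example
    ----------------------------------------
    Record Name . . . . . : clinic.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 245
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    shop.example
    ----------------------------------------
    Record Name . . . . . : shop.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 30
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7

    missing.example
    ----------------------------------------
    Name does not exist.
"""

# Matches the two fields we need; the dotted padding varies per field.
FIELD = re.compile(r"^\s*(Record Name|Time To Live)[ .]*:\s*(\S+)\s*$")

def cached_names(text):
    """Return {hostname: longest TTL in seconds} for each positive entry."""
    names, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # headers, separators and negative entries are skipped
        key, value = m.groups()
        if key == "Record Name":
            current = value.lower()
        elif current is not None and value.isdigit():
            names[current] = max(names.get(current, 0), int(value))
    return names

def still_exposed(text, visited):
    """Hostnames from a private session that are still in the OS cache."""
    cache = cached_names(text)
    return sorted(h for h in visited if h.lower() in cache)
```

On a real machine, pass the command's actual output as `text`; running `ipconfig /flushdns` clears the cache, after which the function should return an empty list.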
Staying in private mode too long
It might sound counterintuitive, but you don’t want to stay in your browser’s privacy mode for too long. Why? Remember that these modes work by deleting your browsing history and cookies when you close the incognito window.
Until that happens, this data is available in the private window of the browser. To mitigate this problem, it makes sense to close the window and open a new one every so often.
When private browsing modes make sense
Given all the ways that private browsing modes are compromised, it might seem like they are useless. In fact, there are several situations where it makes sense to use them. Here are some examples:
- When you are using someone else’s device. By using a private browsing mode you can prevent your browsing history and cookies from getting mixed up with the other person’s.
- When you are gift shopping on the family computer. You don’t want a record of your gift shopping to remain on the computer or influence the ads that appear, possibly giving away the surprise.
- When you are researching a medical issue or other private topics. Researching in a private browsing mode (and closing the incognito window afterward) could prevent embarrassing or confidential information from being exposed to the next person who uses the device.
Going beyond incognito or private browsing modes
We’ve just looked at some situations where private browsing / incognito modes can be useful. But none of those use cases requires keeping technically sophisticated snoops at bay, or preventing the websites you visit from seeing your IP address (thus identifying the device you are using). For the hardcore privacy cases, you will need more security and privacy muscle.
Use a secure browser that protects your privacy
A browser can be a good tool to browse the web with privacy. Or, it can be a surveillance and data collection tool for advertising networks. Consequently, you will need to choose your browser carefully. See our list of secure browsers that protect your privacy.
We also have a good guide on Firefox privacy modifications that goes above and beyond the default settings. Another thing to consider is browser fingerprinting and how this can be used for tracking your online activities.
Use a VPN (virtual private network)
Another important privacy tool is a VPN, which stands for virtual private network. A high-quality VPN addresses the problems that make incognito modes vulnerable. A VPN:
- Creates an encrypted tunnel through the internet. This keeps snoops from violating your privacy by intercepting the traffic flowing between your device and the internet.
- Encrypts your DNS searches. Instead of using the DNS your Internet Service Provider runs, the VPN encrypts your DNS searches and sends them to its own secure DNS. That means your ISP can’t use those searches to record where you go on the internet, and there’s no DNS cache on your device for anyone to hack into either.
- Hides your IP address from the sites you visit. The VPN substitutes one of its own IP addresses for yours. These IP addresses are shared by many people, instead of being uniquely assigned to you. So the websites you visit can record what pages you visit, but they won’t know who that record applies to. All they’ll know is that someone used a VPN to visit their site.
- Provides protection against trackers and malvertising attacks that could give hostile entities direct access to your device and obliterate any privacy steps you might take. Some even include VPN ad blockers that can block malware domains, trackers, ads, and more.
Navigating the world of VPNs can be challenging, simply because there is a lot of information out there on the topic. From VPN kill switches to streaming support, a VPN has many functions and uses. We have tested and reviewed many of the top VPN services. Our latest recommendations can be found in our best VPN report here.
Use an ad blocker
Even with private browsing and incognito modes enabled, ads and trackers may still be loading on your browser. This will vary depending on the browser you are using and the preferences you have enabled. So to protect yourself against advertising networks and their invasive trackers, use a good ad blocker.
Where private browsing modes shine
Interestingly, those incognito and private browsing modes really shine when used together with a VPN. That’s because they do two things that VPNs don’t do.
They erase the cookies and the browsing history when you close a private browsing session. So while the VPN protects your privacy from the device out to the internet, the private mode features protect your privacy within the device. It makes for a nice one-two punch. Simply start up your VPN, then open a new incognito window and start browsing.
While incognito mode, private browsing mode, and all the other “privacy” modes built into today’s web browsers have their place, they are nowhere near as private as they seem and they won’t allow you to surf the web incognito.
That said, they are fine tools for certain low-security uses. And if you really want to browse privately, combine private browsing mode with a strong VPN for comprehensive protection. Knowing when to use them (and when not to) puts you way ahead of most internet users when it comes to protecting your privacy online.