Google Chrome’s Incognito mode hasn’t been an impenetrable privacy shield: For years, it’s been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it.
Google’s known all about it. And finally, 9to5Google reports, it looks like the company plans to close the loophole that’s enabled sites to detect when you’re using Incognito mode.
That loophole: websites have detected Incognito mode by trying to use an API that the mode turns off.
There are many ways to detect Incognito mode: as 9to5Google suggests, if you search for “how to detect Incognito mode,” you’ll find that developers have contributed ways to do so on Stack Overflow.
One easy way has been to sniff out that API: a developer can simply try to use Chrome’s FileSystem API, which is disabled in Incognito mode. That API is used by apps to store files, be it temporarily or more permanently. Incognito shuts it off entirely so that the API won’t create permanent files that could jeopardize somebody’s privacy.
This is what some websites do, particularly if they’ve got content behind a paywall, as does the Boston Globe: they detect and block Incognito users, since such users can’t be tracked and have used the mode to bypass paid subscription requirements.
From a Stack Overflow commenter:
[The] site could detract value by detecting incognito. Boston Globe’s site won’t display its articles in incognito, preventing the user from circumventing their free articles quota.
“This is brilliant!” one dev said after the method was posted in January 2015. “Clean and elegant,” said another in October of that year.
Well, get ready to kiss it goodbye, said yet another developer on Saturday, pointing to a series of recent commits to Chromium’s Gerrit source code management.
The commits show that Google’s working on implementing a virtual file system for Chrome to present when it’s in Incognito mode and a site asks for one. The virtual file system will be created in RAM, to ensure it will be deleted once a user leaves Incognito. 9to5Google’s Kyle Bradshaw:
This should easily shut down all current methods for detecting if Chrome is Incognito.
The developer who’s handling the detection prevention feature said that he’s hoping that it will launch in Chrome 74, with the use of a flag. It should be enabled by default in Chrome 76.
According to Chromium Dash, Chrome 74’s stable release is scheduled for April 23. The stable release for Chrome 76 is slated for July 30.
This could all be just a stopgap, though, given that Google would eventually like to ditch the FileSystem API altogether. According to an internal design document obtained by 9to5Google, once the virtual file system is in place, Google is going to suss out “how many legitimate uses of it remain once the Incognito detection abusers move on.”
Bradshaw quoted from the internal document:
Since there’s no adoption of the FileSystem API by other browser vendors, it appears to be only used by sites to detect incognito mode. By making this harder, hopefully the overall usage of the API goes down to the point that we can deprecate and remove it.