Chrome Private Mode Not Quite Private 234
wiplash writes "Google Chrome appears to store at least some information related to, and including, the sites that you have visited when browsing in Incognito mode. Lewis Thompson outlines a set of steps you can follow to confirm whether you are affected. He has apparently reported this to Google, but no response has yet been received."
Addicted. (Score:5, Insightful)
Google is addicted to your information, and will do whatever they can to get more.
They cannot help themselves.
Resist.
Re: (Score:2)
and thus this is in no way surprising
Re: (Score:3, Interesting)
Basically, Google is the insatiable voyeur, we are all the neighbourhood children, and Chrome is the delicious sweety used to entice us into giving the smiling man what he really wants.
Re: (Score:2)
Re: (Score:3, Insightful)
WTF. This is obviously a browser bug. What on Earth does Google have to gain by letting the browser recall your zoom setting on the client-side? Stop trolling, please!
Google hasn't replied, but I assume that's because the stupid article author didn't even file a bug against this. I'm a complete nobody in Chrome development, but even I has done this in 2 minutes, an equivalent time period of composing a well formulated e-mail and sending it to Google.
Re: (Score:2, Funny)
Google is addicted to your information.
Just a few more kilobytes man, just a few more and I'm done!
The Phone Company (Score:2)
How is this addiction any different from, let's say, the phone company?
Re: (Score:2)
At least the phone company didn't listen in on your every call.
Re: (Score:2)
But how do you know that? And how do you know Google IS doing that?
Re:The Phone Company (Score:4, Informative)
The article shows that a per-site setting (page zoom) persists between incognito sessions. That's all. No mention or even speculation that Google is storing that information on their servers.
That said, Incognito was never meant to be private browsing from Google. Your search queries still get send to your search provider (imagine that!) and auto-suggest will still work. What Incognito mode is for is to prevent your wife/brother/sister/boss from seeing the sites you use. This has been discussed to death already.
Re: (Score:3, Informative)
Actually, according to the developer discussion, this isn't a bug. They did it on purpose. They actually saved all of the sites that you made site-specific settings changes to.
They thought that the "convenience" of a better UI would outway the privacy risk of having the sites you visited after explicitly selecting privacy-mode saved in plain text on the file system.
Re: (Score:3, Interesting)
Are you sure about that? Your voice communications are going over the wire unencrypted. Well, at least until it hits a digital circuit, but even that's not "safe", it's just obfuscated from sticking a speaker on the line.
They could be listening to some or all. And there's been enough information about the gov't doing it. You shouldn't believe that there are up to two listeners on any phone call. (Lowered to one when you're talking to the wife. She never listens to you, and
Re: (Score:2)
Google is addicted to your information, and will do whatever they can to get more.
They cannot help themselves.
No way, man, they can quit any time they want to - they've done it a hundred times!
Re: (Score:2)
And why do people continue to act surprised by it? The little seed of an idea which eventually grew to become Google was PageRank -- a DATA MINING ALGORITHM.
Oh my God, a company founded on data mining wants data to mine! I'm shocked!
Re:Addicted. (Score:4, Informative)
But while I did verify this, and can see some disk writes in ProcMon to a tmp file (which seems to be deleted on close), is it asking too much to have a little more info before running off and declaring it to be some additional nefarious way to collect info? Any packet sniffing, or even seeing if it can be replicated in chromium or Iron? Any effort to see ANYTHING AT ALL of whats going on, or whether that data is stored anywhere except the "magnify websites to this level" database?
I mean come on, I know Google is the new "cool to hate" company, but a 1 paragraph blog entry with NO technical details whatsoever makes REALLY poor outrage material.
Re:Addicted. (Score:4, Insightful)
Yes, it's the basis of their business model. They need all that information to serve their advertisers better. This means they're also constantly looking for new ways to get even more and more information. Even if some of their services currently aren't related to advertising (like their free DNS service), there's no guarantee that they cannot be in the future. They're awfully easy to integrate later when they have grown, and with publicly traded companies you never know what is going to happen in the future. Especially when they're looking for new ways to generate advertising revenue.
Notice that all of their services are related to obtaining information, usage statistics, datamining and serving advertisement. YouTube too is a great resource for advertisers, as soon as online video matures a little bit more (though they're already working on it).
Not that it's a bad business model - but if you value your privacy, you might want to consider forgetting freeloading for a moment and buying software. You know, the business model that is based on customers paying for the software instead of selling their soul for advertisers. Google is the new adware business, they have just hidden it better.
Re:Addicted. (Score:4, Insightful)
I'm not too worried about my privacy when it comes to corporations. Partly, it's because they already have a lot of data on me. Partly, it's because if they abuse it, I have at least a possible method of recourse.
What I am worried about is the government getting their hands on such data. Now that's a danger that far exceeds what a corporation can do. And, you have no method of recourse against the government.
Look at it this way: The worst a corporation could do is deny me a loan, because I buy a lot of junk online, and that means (by whatever twisted logic corporations employ) I'd be more likely to default on it.
The worst a government can do is pull me over for a traffic violation, and throw me into prison without a trial because the routine check brought up the fact that I frequent sites that advocate extreme or even locally unpopular views.
Which all leads to why I try to keep as anonymous as practically possible. Corporations don't have adequate data retention (or deletion) policy for my needs. And they cave easily to the government. Google is only slightly better in that they explicitly state how long they'll keep the data. But until every corporation adopts far more restrictive data retention policies whether by government regulation or by public outcry, I'm going to keep data on me from leaking out as much as possible.
And before anybody points out the obvious contradiction above, I'm just going to say that entities can work for you sometimes, and against you sometimes, neither of which precludes them from doing the complete opposite at the same time.
Re:Addicted. (Score:5, Interesting)
I sometimes forget that I am in the minority around here when it comes to trust of the government vs. trust of corporations(I trust the government more than I trust corporations, though I have a healthy wish for privacy). I am one of those that thinks Orwell is overrated(I like the stories, but I don't see them happening), with Huxley's Brave New World being my dystopian present/future to be feared.
Re: (Score:3)
It's funny also in light of the fact that many of them claim Jefferson as a hero and yet Jefferson was very much anti-corporation.
Its Not about Trust (Score:4, Insightful)
Re: (Score:3, Interesting)
Quite. Here in the UK the convention is that no Parliament may be bound by its predecessors, with the actual effect that we can change our "constitution" with a simple majority vote in the Commons. Considering the power of the party whips, and the tendency to one-party rule, we do effectively have an elected dictator.
Less so this time round, with the coalition, but even they have shown they can change the constitution with a simple majority vote and are willing to do so without an explicit mandate.
Re: (Score:3)
Re:Addicted. (Score:4, Informative)
Re: (Score:3, Insightful)
" Partly, it's because if they abuse it, I have at least a possible method of recourse."
then
"Now that's a danger that far exceeds what a corporation can do. And, you have no method of recourse against the government."
WOW. That is completely backwards.
You have a great many avenues of recourse against the government then you have against any corporation.
Why do people even think that?
Re: (Score:2)
Their DNS system is related to advertising. It allows them to tie a specific IP address to user activity which can be used to build a demographic profile useful to marketers and advertisers. This can be kept anonymous and aggregated or they can correlate the IP address with its use on existing Google accounts to merge in additional info like gender and approximate location in the world.
Re: (Score:2)
And how exactly do you know this for sure?
Have you ever heard a company say "We're earning enough money, we don't want any more"?
Re: (Score:2, Interesting)
Of course you don't know it for sure, but if they did that they would be risking their reputation too. It would be stupid to risk their main business just to get that extra one dollar. In the long run it would cost them a lot more. At most it would be an opt-in like thing.
I'm not saying all software you buy is like that, but since the base monetarization method is completely different, theres a much larger change for that. All of that is of course hidden in EULA or privacy policy.
Re: (Score:3, Interesting)
How, exactly, is "buying software" supposed to stop "customers selling their souls"?
You're not exactly selling your soul. You are only licensing it. Hope your DRM is up to date.
The problem is that nothing is stopping Google from copying your information between devices, unlike DRM. To be honest, I'd love to have my details protected by some DRM - every time a company makes any use of it, they have to contact my server first and ask for a one-time permission. Doesn't seem too likely, unfortunately.
Re: (Score:3, Informative)
Do you believe every piece of FUD that comes out of sopssa's mouth? By default yes, everything typed into the address bar is sent to google which is how their autocomplete for searches works. If you just don't want it sent to google, change your default search provider. if you don't want it sent anywhere simply uncheck 'use a suggestion service to help complete searches and URLs typed in the address bar' in the Under the Hood tab of Options.
Re: (Score:3, Interesting)
Anyone else managed to reproduce this on their Google Chrome browser?
Re: (Score:3, Informative)
You know, that's embedded into most of the browsers.
Firefox was a little more polite about it, but it's still pretty deep in there. I was setting up an embedded machine with Firefox (local web browsing, no Internet connection). I was really surprised how many things were in there on a clean install of it. It's not just url completion. There's "safe browsing", SSL cert verification, updates.. Well, just do an about:config and search for http:/// [http] and then https://./ [.] There ar
Re: (Score:2)
You're not worried about the DNS servers?
Re: (Score:3, Interesting)
Is there any way to stop Chrome sending the info of the URLs you type into the address bar back to google, yet?
Yes - use SRWare Iron [srware.net]. It's a fork of Chrome, without all the phone-home stuff.
There always was. (Score:3, Informative)
Did you even look in options? Turn off "search suggestions". That's the feature that relies on this information being sent to Google.
Please, please stop spreading Microsoft's FUD.
Re:Addicted. (Score:4, Informative)
Just for the sake of putting this stupid argument to rest, I tested it with wireshark, and yes, unchecking that box immediately causes chrome to cease sending URLs to google. In fact, with all the boxes unchecked, it appears that the only traffic sent is directly to the websites that you are fetching.
I like how your "yet" implies that that hasnt been there from practically the start, though, or that you cant just use chromium if you are really that worried about it.... really some quality FUD there.
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
[...]Each time Firefox checks in with the third party provider to download a new blacklist, Non-Personal Information and Potentially Personal Information, such as the information that the browser sends every time you visit a website as well as the version number of the blacklist on your system, is sent to the third party provider. In order to safeguard your privacy, Firefox will not transmit the complete URL of web pages that you visit to anyone. While it is possible that a third party service provider may determine the actual URL from the hashed URL sent, [...]
Re: (Score:2, Insightful)
Whoever moderated this "insightful" may want to read the article first. Do you really think that it's Google's nefarious plan to record the magnification settings of the web pages that you visit?
It's Google's plan to record anything and everything about you that it can, which makes the difference between Google and Facebook simply a matter of spelling.
Re: (Score:2)
And they do this by storing some information on *my* PC where they cannot reach it? What's the point exactly? The freakin info is stored in the local preferences. Yes, it's a - relatively harmless - side channel and no this is not Google being evil.
Re: (Score:3, Insightful)
I'm not following you. Why can't they reach the info on your PC that is put there by their program? Your computer is free storage for them. It may not be reachable for most of the time but Chrome will tell them when it is available.
Re:Addicted. (Score:5, Funny)
"We are the Google , you will indexed " ?
Re: (Score:3, Funny)
Re: (Score:2)
"We are the Google. You have already been indexed."
Barebacking the internet (Score:2, Funny)
Cool (Score:2, Funny)
Didn't work for me (Score:5, Informative)
using 4.1.249.1064 on Win7.
Re: (Score:3, Interesting)
Re:Didn't work for me (Score:5, Funny)
Yeah, seems this only affects the beta versions from their Dev channel.
Man that's evil! Putting bugs in their betas so they can spy on us...
Look at Firefox as well (Score:2, Interesting)
Try running a strings against places.sqlite in Firefox as well after all the personal history has been cleared - I sometimes see URLs left in there.
Re: (Score:2)
I think that the clearing of private data in Firefox is a bit counter-productive, because deleting from SQLite databases merely marks the rows' storage space as being reclaimable within the file.
I once cleared private data for a day when my places.sqlite was around 70 MiB, then checked the file size and saw that it hadn't even changed by one byte. It wouldn't surprise me if the URLs were still in there -- all of them, intact, until you visit other pages to make Firefox overwrite the reclaimable pages in pla
Re: (Score:2)
Firefox would have to shred(1) or zero out the file.
And then there's journals.
Still, truncating the file makes recovery much more difficult, and makes it so that any process can reclaim it, not just Firefox. Fortunately, it's not that difficult to do it yourself -- just run VACUUM in sqlite.
this doesn't happen to me (Score:5, Interesting)
all incognito windows share the same session
Re: (Score:3, Informative)
I just reproduced it in the exact same beta on Ubuntu. Steps are:
And people, please. What happened to "never ascribe to malice"? Chromium is an open-source project -- if you have to, fix it yourself, I have little doubt that patch would make it into the official Google Chrome.
Re: (Score:2)
I just did it with 5.0.375.38 beta on Ubuntu and it worked, even after closing all chrome instances, restarting Chrome and starting a new incognito window.
Persists across restarts, too (Score:5, Informative)
So, since the example in TFA didn't restart Chrome between incognito windows, I decided to see what happened when I followed the steps with "4.5 Exit chrome completely, then restart", and can confirm that even when Chrome fully exits and is restarted, it remembers the zoom level used in a URL only ever visited in an incognito window.
Re: (Score:2)
I should mention this is with google-chrome-unstable 6.0.401.1-r47050 on Linux. YMMV.
Re: (Score:3, Interesting)
No way! (Score:2)
Reproduced it here just fine (Score:5, Informative)
Exactly as reported.
I'm using 5.0.375.29 beta on an Air running 10.6.3 over wifi.
Went to cheese.com [cheese.com] (the #1 resource for cheese!) and the zoom held.
Additionally, when I opened a new tab in non-incognito mode, the zoom STILL held, so there is definitely some communication between regular and incognito windows.
I'm devastated that my secret cheese browsing is now public.
Re: (Score:2, Funny)
Re: (Score:2)
Bwah, so we eat Cracker Barrel for a week. This is about our pr0n privacy!
Excellent comeback, my compliments.
The bug (Score:5, Informative)
http://code.google.com/p/chromium/issues/detail?id=43107 [google.com]
Seems like someone looked at it, prioritized and classified it (eg pri-2, internals-cookies).
What's the big deal? It's just a bug that needs to get fixed, not a huge conspiracy by Google.
Re:The bug (Score:5, Funny)
Look, we're trying to do some rabble rousing here and you are not helping.
Um no (Score:4, Insightful)
There are many ways to finger print something that are not reversible. For instance, this is just page viewing preference data about a site you visited. What if it takes a hash of the url and uses that to store settings like current zoom and scroll location. There is almost no way this violates the idea of 'incognito' mode.
Re:Um no (Score:5, Funny)
So I jump on your computer and browse to red-hot-midget-porn.net and find that the zoom level isnt the default value...
Do I conclude that (A) you don't like red-hot-midget-porn?, or (B) you do like red-hot-midget-porn?
Well in any case, I'm pretty sure that everyone likes red-hot-midget-porn, so maybe this is a bad example.
Re: (Score:3, Funny)
It depends on whether it's zoomed in or out.
Pitchforks down, please, no story here (Score:3, Informative)
Re: (Score:3, Interesting)
From the google bug tracker: "we (the UI design team) made the choice to purposefully remember incognito zoom levels."
Sounds like the intentionally gutted the security of the incognito mode for the zoom levels... Its one thing if its an oversight, but to do it intentionally reveals a total disregard for the privacy someone using incognito expects.
Re:Pitchforks down, please, no story here (Score:4, Insightful)
Re:Pitchforks down, please, no story here (Score:4, Informative)
If it remembers zoom levels for particular websites, it must remember the websites themselves. That also means someone can potentially obtain a list of URLs you visited in incognito mode.
That defeats the entire point of incognito mode. It's not supposed to remember anything.
I've said it before, I'll say it again (Score:2)
Google is a marketing/sales/advertising company. They can only be trusted to a certain point. Their motives are not those of a generous and altruistic organization. Their motives are consistent with those of the type of business they are. It is as simple as that.
for those that cannot reproduce this... (Score:3, Informative)
Be aware of the version you're using. Chrome v4 *may* not save the zoom level, so it wouldn't show it anyway. I'm on the dev channel, and thus am using the newly-released v6, and it's definitely reproducible.
I submitted this a while ago (Score:4, Interesting)
Submitted by rcamans on Friday October 23 2009, @01:21PM
rcamans writes "Visit a bunch of sites in Chrome incognito, and then look at your history in IE 7. Oh My God! A few of the sites you did not want in history are in IE history? How did they get there? A nasty in Windows XP OS. Oh, man...
These sites do not show in Opera history, Safari history, Chrome history, or FIrefox history. So maybe it has to do with IE integration into the Windows OS. Do not trust Chrome incognito until this bug is fixed. If it can be fixed.
Also, IE7 search history shows Chrome incognito search items. Oops
Storage location (Score:2)
I have the Chrome 5.0.375.38 beta from Ubuntu 10.04. Browsing Incognito appears to still change a number of files on disk, though I haven't investigated what is changed or stored. Finding the zoom problem is straightforward, though:
Per-site zoom levels are stored in a Preferences file (.config/google-chrome/Default/Preferences for me) in a "per_host_zoom_levels" section. It appears that the key is the domain name and the value is the zoom level. These seem to be saved when Chrome exits and, at least in my v
Simple explanation (Score:4, Interesting)
Chrome is very likely to hold the DOM of visited pages in the cache so that f.e. hitting the back button will quickly render the previous page. That does not necessarily mean that the information gets persisted on the hard drive or is available to other pages. On the other hand it's not unlikely that the information sometimes gets paged out to the hard drive and persists until it gets overwritten.
Probably a bug (Score:2)
This issue has been fixed. (Score:3, Informative)
http://code.google.com/p/chromium/issues/detail?id=43107 [google.com]
Re:WHAT (Score:4, Funny)
Re: (Score:2, Funny)
One assumes that Mrs. Coward has seen enough of your posts over the years. I'd be surprised if she
even uses the internet anymore.
Re: (Score:2)
Re: (Score:2)
Honest mistake just like the WIFI data collection ordeal? yeah sure ...
There's no mistakes like that happening with Google, only closing data collection after public outrage and blaming it as a mistake
Re: (Score:2)
Re: (Score:2)
Terrible example. Collecting wifi ssids doesn't require connecting to the wifi point at all.
It's like recording people's door numbers from a distant except you only know that number is around that area.
Also it IS useful as it allows you to do geolocation in areas where you can't get gps or you want a more accurate gps coord.
Never ascribe to malice... (Score:2)
Come on, people -- we even take a sane position towards Microsoft these days.
Chromium is an open-source project. Write a patch and see what happens.
And if you really insist it must be deliberate, please explain how spying on your fucking zoom level, and storing it in a local file which is never sent over any network, is so dangerous.
Re: (Score:2, Insightful)
This and many other things about privacy concern me. I work at MIT and google and other big companies hang around, and both within academia and industry there are not enough people advocating privacy and information ownership. Trust me, or not, but Big companies lust over personal information.
Re: (Score:2)
If someone's dick ends up in your ass, would consider the possibility that it was an honest mistake?
Re: (Score:2)
If someone's dick ended up in my rectum, I also wouldn't consider the possibility that it's in any way analogous to someone maybe spying on my fucking zoom levels.
Not an issue of trust (Score:2, Insightful)
This isn't even an issue of trust. It's not a question of whether Google is stealing information about you, or even privacy. It's an error or a possible bug wherein the mode where the browser is in essentially *no history* mode isn't working 100% w/o history.
If this is true, then it raises issues of quality control, not trust
Re: (Score:2)
If this is true, then it raises issues of quality control, not trust
You trust companies with shitty quality control.... when they make quality claims?
Re: (Score:2)
Re:Not surprised. (Score:5, Informative)
There's always Chromium; I run it on Ubuntu [hyperlogos.org]. For Windows there's SRWare Iron [srware.net]. I'm not sure which is the preferred build for OSX; perhaps Crossover Chromium [codeweavers.com]. TFA doesn't say whether Chromium is affected. Some comments under TFA state that the effect lasts only until Chrome is restarted, suggesting that the information is stored only in the memory cache.
Re: (Score:2)
Re: (Score:2)
The SRWare Iron link is dead.
Re: (Score:2)
I just tested it and it works here... in Chromium on Ubuntu Lucid x64, FWIW (not much)
Re: (Score:2)
Yeah, it's back up now, was giving a PHP error.
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
There are also posts that it *does* work on later versions.
Hopefully you will now get modded into oblivion showing that the modding system actually works, so I can truly say:
Well done Slashdot!
Re: (Score:2)
It's because chrome retrieves a list of popular web addresses matching your search. The same thing happens on the google main page with auto complete.
Re: (Score:2)
Same on my Windows machine. Looks like an oversight in a new feature. That's the risk of using the beta channel, I guess.