
Chrome Private Mode Not Quite Private

Posted by CmdrTaco
from the what-if-i-wear-a-hat dept.
wiplash writes "Google Chrome appears to store at least some information related to, and including, the sites that you have visited when browsing in Incognito mode. Lewis Thompson outlines a set of steps you can follow to confirm whether you are affected. He has apparently reported this to Google, but no response has yet been received."
This discussion has been archived. No new comments can be posted.

  • Didn't work for me (Score:5, Informative)

    by TimHunter (174406) on Tuesday May 18, 2010 @12:34PM (#32254324)

    using 4.1.249.1064 on Win7.

  • by emag (4640) <slashdot AT gurski DOT org> on Tuesday May 18, 2010 @12:35PM (#32254344) Homepage

    So, since the example in TFA didn't restart Chrome between incognito windows, I decided to see what happened when I followed the steps with "4.5 Exit chrome completely, then restart", and can confirm that even when Chrome fully exits and is restarted, it remembers the zoom level used in a URL only ever visited in an incognito window.

  • Re:Addicted. (Score:3, Informative)

    by Anonymous Coward on Tuesday May 18, 2010 @12:44PM (#32254488)

    Do you believe every piece of FUD that comes out of sopssa's mouth? By default yes, everything typed into the address bar is sent to google which is how their autocomplete for searches works. If you just don't want it sent to google, change your default search provider. If you don't want it sent anywhere simply uncheck 'use a suggestion service to help complete searches and URLs typed in the address bar' in the Under the Hood tab of Options.

  • by droopus (33472) * on Tuesday May 18, 2010 @12:47PM (#32254528)

    Exactly as reported.

    I'm using 5.0.375.29 beta on an Air running 10.6.3 over wifi.

    Went to cheese.com [cheese.com] (the #1 resource for cheese!) and the zoom held.

    Additionally, when I opened a new tab in non-incognito mode, the zoom STILL held, so there is definitely some communication between regular and incognito windows.

    I'm devastated that my secret cheese browsing is now public.

  • Re:Not surprised. (Score:5, Informative)

    by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday May 18, 2010 @12:53PM (#32254592) Homepage Journal

    There's always Chromium; I run it on Ubuntu [hyperlogos.org]. For Windows there's SRWare Iron [srware.net]. I'm not sure which is the preferred build for OSX; perhaps Crossover Chromium [codeweavers.com]. TFA doesn't say whether Chromium is affected. Some comments under TFA state that the effect lasts only until Chrome is restarted, suggesting that the information is stored only in the memory cache.

  • The bug (Score:5, Informative)

    by trazan (667537) on Tuesday May 18, 2010 @12:58PM (#32254650)
    Here's the bug in question, filed about 2 weeks ago:
    http://code.google.com/p/chromium/issues/detail?id=43107 [google.com]
    Seems like someone looked at it, prioritized and classified it (eg pri-2, internals-cookies).
    What's the big deal? It's just a bug that needs to get fixed, not a huge conspiracy by Google.
  • by Anonymous Coward on Tuesday May 18, 2010 @12:58PM (#32254652)

    The remember zoom was added to the 5.x Beta / Dev channels some time ago, and isn't a part of the current Chrome stable build. [ Google Blog Link : http://googlesystem.blogspot.com/2010/05/10-things-to-try-in-google-chrome-5.html ] Nevertheless, I doubt this is sending any information to Google. You forget Chromium is open source.

  • by TerrenceCoggins (1601371) on Tuesday May 18, 2010 @01:06PM (#32254766)
    TFA only mentions zoom levels as being stored -- not any other info from users' porn-mode browsing session, just zoom levels. Chrome recently began saving users' zoom levels (if I'm not mistaken) so that pretty much explains that (while conveniently also accounting for why users of earlier versions may not be experiencing this phenomenon as well.) We're all waiting for google to slip up monumentally (or "pull a facebook," if you will,) but unfortunately we'll have to wait another day.
  • by Tumbleweed (3706) on Tuesday May 18, 2010 @01:21PM (#32255018)

    Be aware of the version you're using. Chrome v4 *may* not save the zoom level, so it wouldn't show it anyway. I'm on the dev channel, and thus am using the newly-released v6, and it's definitely reproducible.

  • There always was. (Score:3, Informative)

    by SanityInAnarchy (655584) <ninja@slaphack.com> on Tuesday May 18, 2010 @01:47PM (#32255396) Journal

    Did you even look in options? Turn off "search suggestions". That's the feature that relies on this information being sent to Google.

    Please, please stop spreading Microsoft's FUD.

  • by SanityInAnarchy (655584) <ninja@slaphack.com> on Tuesday May 18, 2010 @02:00PM (#32255560) Journal

    I just reproduced it in the exact same beta on Ubuntu. Steps are:

    1. Open new Incognito window
    2. Visit brand-new website
    3. Change zoom level dramatically
    4. Close Incognito window (all of them)
    5. Visit website in a non-Incognito window

    And people, please. What happened to "never ascribe to malice"? Chromium is an open-source project -- if you have to, fix it yourself, I have little doubt that patch would make it into the official Google Chrome.

  • Re:Not surprised. (Score:2, Informative)

    by bratgitarre (862529) on Tuesday May 18, 2010 @02:06PM (#32255644)
    Iron works on Linux [srware.net] as well, not just Windows. I run it on Ubuntu 9.10. As I mentioned above, 4.0.275.2 (Developer Build 35171) of Iron is affected by the bug from the article.
  • by Artem Tashkinov (764309) on Tuesday May 18, 2010 @02:09PM (#32255680)

    Run Firefox or Google Chrome for a few days, click "Clear Recent History", select "Forever", exit them.

    Now go to a directory where they store profile data and discover SQLite files containing information from all the web sites you've visited (`man strings`).

    Both browsers 'forget' to run VACUUM on SQLite databases they are using. However it would be even better to zero fill all the files containing your traces, then delete 'em, then recreate them.
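
The residue described in the comment above, as an added example that is not part of the original thread: deleting rows from a SQLite file leaves their bytes in freed pages until `VACUUM` rebuilds the file, unless `secure_delete` zeroes them at delete time. The table, file name and URLs are constructed for illustration and do not reflect either browser's actual schema.

```python
import os
import re
import sqlite3
import tempfile

# Constructed marker URLs; nothing here is a real site or a real browser schema.
URL_RE = re.compile(rb"https://private-example-\d+\.test/secret")


def urls_in_file(path):
    """Scan raw file bytes, as `strings | grep` would, for leftover URLs."""
    with open(path, "rb") as fh:
        return len(set(URL_RE.findall(fh.read())))


def residue_after_clear(secure_delete, rows=500):
    """Insert URLs, delete them, VACUUM; report what the file still holds."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "history.sqlite")  # hypothetical name
        # Autocommit mode: VACUUM cannot run inside an open transaction.
        conn = sqlite3.connect(path, isolation_level=None)
        # Set explicitly, because some SQLite builds default secure_delete to ON.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("PRAGMA auto_vacuum = NONE")
        conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url TEXT)")
        conn.execute("BEGIN")
        conn.executemany(
            "INSERT INTO visits (url) VALUES (?)",
            [(f"https://private-example-{i}.test/secret",) for i in range(rows)],
        )
        conn.execute("COMMIT")
        report = {"after_insert": urls_in_file(path)}

        conn.execute("DELETE FROM visits")  # stand-in for "clear history"
        report["visible_rows"] = conn.execute(
            "SELECT COUNT(*) FROM visits").fetchone()[0]
        report["after_delete"] = urls_in_file(path)  # freed pages, not erased

        conn.execute("VACUUM")  # rebuilds the file and drops the free pages
        report["after_vacuum"] = urls_in_file(path)
        conn.close()
        return report


if __name__ == "__main__":
    print("secure_delete OFF:", residue_after_clear(False))
    print("secure_delete ON: ", residue_after_clear(True))
```

Both settings act only on the live database file; blocks the filesystem has already released are outside SQLite's reach.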

  • by jonnythan (79727) on Tuesday May 18, 2010 @02:36PM (#32255978) Homepage

    If it remembers zoom levels for particular websites, it must remember the websites themselves. That also means someone can potentially obtain a list of URLs you visited in incognito mode.

    That defeats the entire point of incognito mode. It's not supposed to remember anything.

  • Re:The Phone Company (Score:4, Informative)

    by Sancho (17056) * on Tuesday May 18, 2010 @02:47PM (#32256152) Homepage

    The article shows that a per-site setting (page zoom) persists between incognito sessions. That's all. No mention or even speculation that Google is storing that information on their servers.

    That said, Incognito was never meant to be private browsing from Google. Your search queries still get sent to your search provider (imagine that!) and auto-suggest will still work. What Incognito mode is for is to prevent your wife/brother/sister/boss from seeing the sites you use. This has been discussed to death already.

  • Re:Addicted. (Score:3, Informative)

    by JWSmythe (446288) <jwsmythe@jws[ ]he.com ['myt' in gap]> on Tuesday May 18, 2010 @04:34PM (#32257682) Homepage Journal

        You know, that's embedded into most of the browsers.

        Firefox was a little more polite about it, but it's still pretty deep in there. I was setting up an embedded machine with Firefox (local web browsing, no Internet connection). I was really surprised how many things were in there on a clean install of it. It's not just url completion. There's "safe browsing", SSL cert verification, updates.. Well, just do an about:config and search for http:// and then https://. There are 29 http URL's, and 22 https URL's. That may not include remote resources that may be embedded into the code. I didn't review it to find out, but I did have a packet sniffer running while I was working to make sure there wasn't anything extra going out.

        This wasn't looked at because my tinfoil hat was on too tight. These are for offline embedded machines, but they may (just may) be up on some sort of Internet connection occasionally, and that may be ungodly slow. I may not have the luxury of a few extra bytes going over the wire, if that's all I have to work with. (yes, we're talking very slow connections). And yes, it's a Linux platform, so you don't have everything and then some creating unwanted network traffic. :)

  • Re:The Phone Company (Score:3, Informative)

    by Fareq (688769) on Tuesday May 18, 2010 @06:51PM (#32259012)

    Actually, according to the developer discussion, this isn't a bug. They did it on purpose. They actually saved all of the sites that you made site-specific settings changes to.

    They thought that the "convenience" of a better UI would outweigh the privacy risk of having the sites you visited after explicitly selecting privacy-mode saved in plain text on the file system.

  • Re:Addicted. (Score:4, Informative)

    by LordLimecat (1103839) on Tuesday May 18, 2010 @08:34PM (#32259694)
    Um, yes, and AFAIK you have been able since almost the beginning. Wrench-->options-->under the hood --> "Use suggestion service...".

    Just for the sake of putting this stupid argument to rest, I tested it with wireshark, and yes, unchecking that box immediately causes chrome to cease sending URLs to google. In fact, with all the boxes unchecked, it appears that the only traffic sent is directly to the websites that you are fetching.

    I like how your "yet" implies that that hasn't been there from practically the start, though, or that you can't just use chromium if you are really that worried about it.... really some quality FUD there.
  • Re:Addicted. (Score:4, Informative)

    by LordLimecat (1103839) on Tuesday May 18, 2010 @08:52PM (#32259800)
    So, maybe I'm just being an apologist here...
    But while I did verify this, and can see some disk writes in ProcMon to a tmp file (which seems to be deleted on close), is it asking too much to have a little more info before running off and declaring it to be some additional nefarious way to collect info? Any packet sniffing, or even seeing if it can be replicated in chromium or Iron? Any effort to see ANYTHING AT ALL of what's going on, or whether that data is stored anywhere except the "magnify websites to this level" database?

    I mean come on, I know Google is the new "cool to hate" company, but a 1 paragraph blog entry with NO technical details whatsoever makes REALLY poor outrage material.
  • Re:Addicted. (Score:4, Informative)

    by HBoar (1642149) on Tuesday May 18, 2010 @11:15PM (#32260644)
    That's the point -- the Queen can't just step in because she doesn't like the current government, it's only if the shit really hits the fan, as a last resort. For example, if an elected government tried to turn itself into a perpetual dictatorship without the support of the public, she could go in and kick some ass.
