Chrome Private Mode Not Quite Private

wiplash writes "Google Chrome appears to store at least some information related to, and including, the sites that you have visited when browsing in Incognito mode. Lewis Thompson outlines a set of steps you can follow to confirm whether you are affected. He has apparently reported this to Google, but no response has yet been received."

Look at Firefox as well

[Anonymous Coward]

Try running a strings against places.sqlite in Firefox as well after all the personal history has been cleared - I sometimes see URLs left in there.

this doesn't happen to me

[yincrash]

tried it in 5.0.375.38 beta. my hypothesis is that he had other incognito windows open as well (probably with porn in them) that kept the incognito session going while he was open and closing the elephants.com window.

all incognito windows share the same session

Re:Didn't work for me

[k_187]

Yeah, seems this only affects the beta versions from their Dev channel.

Re:Addicted.

[ObsessiveMathsFreak]

Basically, Google is the insatiable voyeur, we are all the neighbourhood children, and Chrome is the delicious sweety used to entice us into giving the smiling man what he really wants.

Re:Addicted.

[Snarf You]

Is there any way to stop Chrome sending the info of the URLs you type into the address bar back to google, yet?

Yes - use SRWare Iron [srware.net]. It's a fork of Chrome, without all the phone-home stuff.

Re:Addicted.

[AnotherUsername]

I was going to reply with comments related to the Constitution(specifically the Bill of Rights), how the court system works, the various court cases the Supreme Court has ruled on regarding protests and freedom of speech, and other facets of how the law protects you from government abuse related to freedom of speech and protest/demonstrations, but then I remembered that this is Slashdot, and the government is always bad, and corporations are always better than the government.

I sometimes forget that I am in the minority around here when it comes to trust of the government vs. trust of corporations(I trust the government more than I trust corporations, though I have a healthy wish for privacy). I am one of those that thinks Orwell is overrated(I like the stories, but I don't see them happening), with Huxley's Brave New World being my dystopian present/future to be feared.

I submitted this a while ago

[rcamans]

Submitted by rcamans on Friday October 23 2009, @01:21PM
rcamans writes "Visit a bunch of sites in Chrome incognito, and then look at your history in IE 7. Oh My God! A few of the sites you did not want in history are in IE history? How did they get there? A nasty in Windows XP OS. Oh, man...
These sites do not show in Opera history, Safari history, Chrome history, or FIrefox history. So maybe it has to do with IE integration into the Windows OS. Do not trust Chrome incognito until this bug is fixed. If it can be fixed.

Also, IE7 search history shows Chrome incognito search items. Oops

Simple explanation

[jeti]

Chrome is very likely to hold the DOM of visited pages in the cache so that f.e. hitting the back button will quickly render the previous page. That does not necessarily mean that the information gets persisted on the hard drive or is available to other pages. On the other hand it's not unlikely that the information sometimes gets paged out to the hard drive and persists until it gets overwritten.

Re:Addicted.

[TheLink]

What I noticed recently was when I clicked on the final "clear browser data" button, Google Chrome would make a http request or two back to Google. Not sure why this happen. I don't have "send usage statistics and crash reports" enabled, but I do have show suggestions, use suggestion service dns prefetching, phishing protection enabled.

Anyone else managed to reproduce this on their Google Chrome browser?

Re:Addicted.

[sopssa]

Of course you don't know it for sure, but if they did that they would be risking their reputation too. It would be stupid to risk their main business just to get that extra one dollar. In the long run it would cost them a lot more. At most it would be an opt-in like thing.

I'm not saying all software you buy is like that, but since the base monetarization method is completely different, theres a much larger change for that. All of that is of course hidden in EULA or privacy policy.

Re:Addicted.

[jason.sweet]

How, exactly, is "buying software" supposed to stop "customers selling their souls"?

You're not exactly selling your soul. You are only licensing it. Hope your DRM is up to date.

Most of these companies also have very strict privacy policies where they state that they wont sell or give your information to a third party or for advertising purposes.

The promise not to sell is usually followed by something like, "In order to help provide our services, we occasionally provide information to other companies that work on our behalf." Money and information changes hands, so the distinction is dubious at best.

Re:Pitchforks down, please, no story here

[Monty845]

From the google bug tracker: "we (the UI design team) made the choice to purposefully remember incognito zoom levels."

Sounds like the intentionally gutted the security of the incognito mode for the zoom levels... Its one thing if its an oversight, but to do it intentionally reveals a total disregard for the privacy someone using incognito expects.

Re:Addicted.

[obarel]

How, exactly, is "buying software" supposed to stop "customers selling their souls"?

You're not exactly selling your soul. You are only licensing it. Hope your DRM is up to date.

The problem is that nothing is stopping Google from copying your information between devices, unlike DRM. To be honest, I'd love to have my details protected by some DRM - every time a company makes any use of it, they have to contact my server first and ask for a one-time permission. Doesn't seem too likely, unfortunately.

Re:Persists across restarts, too

[thePowerOfGrayskull]

'course, it *could* be storing a hash (salted or not) of the domain name and not the domain name itself. The test suggested in TFA is pretty poor, and doesn't prove anything about whether the actual domain name is kept.

Re:Addicted.

[jabithew]

Quite. Here in the UK the convention is that no Parliament may be bound by its predecessors, with the actual effect that we can change our "constitution" with a simple majority vote in the Commons. Considering the power of the party whips, and the tendency to one-party rule, we do effectively have an elected dictator.

Less so this time round, with the coalition, but even they have shown they can change the constitution with a simple majority vote and are willing to do so without an explicit mandate.

Re:The Phone Company

[JWSmythe]

    Are you sure about that? Your voice communications are going over the wire unencrypted. Well, at least until it hits a digital circuit, but even that's not "safe", it's just obfuscated from sticking a speaker on the line.

    They could be listening to some or all. And there's been enough information about the gov't doing it. You shouldn't believe that there are up to two listeners on any phone call. (Lowered to one when you're talking to the wife. She never listens to you, and you know it. {grin})

Re:Addicted.

[16384]

BTW, I wasn't trying to be funny. From http://www.google.com/intl/en_us/privacy_browsing.html [google.com]

[...]Each time Firefox checks in with the third party provider to download a new blacklist, Non-Personal Information and Potentially Personal Information, such as the information that the browser sends every time you visit a website as well as the version number of the blacklist on your system, is sent to the third party provider. In order to safeguard your privacy, Firefox will not transmit the complete URL of web pages that you visit to anyone. While it is possible that a third party service provider may determine the actual URL from the hashed URL sent, [...]

Re:Pitchforks down, please, no story here

[Anonymous Coward]

You are completely misinterpreting that comment and the history of this behavior.

I have left a final comment on the bug to try and spell things out in detail for the Slashdot crowd.

--Peter Kasting, Chromium developer and author of the zoom level memory code

Re:Pitchforks down, please, no story here

[Anonymous Coward]

I read your final comment.

That's nice, but you still deliberately developed a piece of code called "Incognito Mode" and advertised that it wouldn't remember anything about the sites you visit -- and then silently recorded information about the sites you visit.

There's no getting around the fact that your team deliberately lied to users. You specifically told them that you wouldn't do something -- and then you did it. On purpose.

Careful about SRWare Iron

[oddfox]

Everyone mentioning SRWare Iron should know about this little tidbit: The story of Iron [neugierig.org]. The article and the linked IRC log [neugierig.org] tell a very interesting story about a guy less concerned with having a good reason to fork and more concerned with making money off of adsense and publicity for creating a "privacy-respecting" Chrome which is basically a perpetually outdated Chromium with a few checkboxes in "Under the Hood" defaulting to off.

The guy who runs that blog does not try to hide the fact that he's a Chrome developer, and he admits that there is the highly unlikely possibility that the person who was asking these questions was not the person who went on to release Iron. I was skeptical as well until I checked out the log file itself and quite honestly it would have to be an incredible coincidence for this guy to be asking such questions and providing the information that he does in his attempts to glean information on the right way to advertise his product as well as how to go about renaming the executable. There's more that makes it very reasonable to believe this is the guy who went on to release Iron, so please don't dismiss it until you've checked out the log file in detail. If this was a supremely unnecessary and elaborate hoax it sure is pulled off convincingly.

Using Iron after reading this information made me feel like I was supporting the wrong guy here and I couldn't do it anymore, it was just too uncomfortable seeing that this guy was looking for adsense revenue and to make a name for himself. The attitude of this developer is not one I would encourage at all.