Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Privacy Security

Microsoft Edge's Private Browsing Mode Isn't Actually Private (betanews.com) 159

JustAnotherOldGuy writes: The forensic examination of most web browsers has proven that they don't have a provision for storing the details of privately browsed web sessions. However, in the case of Microsoft Edge, the private browsing isn't as private as it seems. Previous investigations of the browser have resulted in revealing that websites visited in private mode are also stored in the browser's WebCache file. The Container_n table stores web history, and a field named 'Flag' with a value of '8' shows that website was visited in private mode. An investigator can easily spot the difference and use this evidence against a person. The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief.
This discussion has been archived. No new comments can be posted.

Microsoft Edge's Private Browsing Mode Isn't Actually Private

Comments Filter:
  • by The Atog Lord ( 230965 ) on Sunday January 31, 2016 @11:04PM (#51411917)

    So, InPrivate is to Private as InVisible is to Visible.

    • by sd4f ( 1891894 )
      Well, after all, flammable and inflammable mean the same thing so...
      • by Livius ( 318358 )

        Something is flammable if it can burn easily.

        Something is inflammable if it can ignite easily.

        Obviously lots of materials are both but they are different meanings.

        • by Jawnn ( 445279 )

          Something is flammable if it can burn easily.

          Something is inflammable if it can ignite easily.

          Obviously lots of materials are both but they are different meanings.

          [citation needed] Just sayin'...

    • by lhowaf ( 3348065 )
      The flammable/inflammable controversy will go away soon since neither is included in the up-goer list [splasho.com] of the ten-hundred most commonly-used words.
  • seems editors here used all knowing edge, which explains delay in accessing to this old story.

  • Be aware (Score:1, Offtopic)

    It's worth noting that other browsers' "private browsing" modes only hide the details of the session from the local machine. Using "incognito mode" in Google Chrome is not encryption and does not shield your privacy in any way from others on your network, your ISP, the NSA or Google themselves.
    • * And, I'm sure, neither does Edge, I just wouldn't touch Edge with a 10ft pole regardless.
    • by Anonymous Coward

      I don't know about other browsers, but Chrome on the desktop and mobile explains that as soon as you open a blank incognito window/tab.

    • Re:Be aware (Score:5, Informative)

      by Misagon ( 1135 ) on Monday February 01, 2016 @04:40AM (#51412637)

      Chrome's Incognito mode does have a separate set of cookies - which is empty when you open the first Incognito window and are deleted when the last window is closed.
      This means that web sites can't use cookies to track you between sessions. They could track you by your IP address, but the IP addresses are at a lower level than HTTP/HTTPS. If you are really paranoid then you would use something like Tor anyway.

      However, there is one big flaw: All incognito windows are in the same session. If you forget to close the last window then the session will linger: when you open a new link "In Incognito Window" then the new link will be attached to the old Incognito session instead of a new one.
      This could be remedied by supporting multiple Incognito sessions at once. I think that a straightforward model for the user would be to let each Incognito Window represent a separate session.

      Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts. Commenting on cat videos requires much less security than my private emails.
      It is also convenient to log out just by closing the window.

      • You can drag tabs from one window to another. So any "per-window" statefulness that you propose will just be terribly confusing and inconsistent.

        • I'd be happy to have them disallow inter-window tab dragging in incognito mode (or to allow it but state that all session for the dragged tab will be tossed).
      • Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts.

        google already has support for multi-account. i have 2 gmail tabs open to my 2 google accounts right now. hint: click on your avatar in the upper right. you can also setup multiple "profiles" in chrome and switch between them. i do not prefer this though since it everything is sandboxed (history, extensions, bookmarks, etc).

    • Today on Oprah: People butthurt that web browsers' "private mode" does not install TOR to send all your data through FBI-controlled entry and exit nodes.

  • by Anonymous Coward

    It "beggars belief" why this editor still works at /.

  • By "illegal" I mean a civil violation of warranty- and false-advertising laws that say products are supposed to meet their intended purpose, as a common everyday consumer would understand the term "intended purpose."

    • by raymorris ( 2726007 ) on Monday February 01, 2016 @12:00AM (#51412107) Journal

      You're thinking of "implied warranty of fitness for a particular purpose ", as it's called in the Uniform Commercial Code. There's also warranty of merchantability. Let's look at each in turn.

      The terms and conditions can explicitly and clearly disclaim the warranty of fitness for a particular purpose, and I'm sure Microsoft's terms do so. They can't disclaim warranty of merchantability so easily. If they do disclaim fitness for a particular purpose, that's the end of that. If they didn't disclaim the warranty, UCC has two conditions. First, the seller must have reason to know what purpose the buyer intends to use it for - browsing porn without having the address bar later autocomplete xvideos.com? National security level espionage? Secondly, the seller must habe reason to know that the buyer is relying on the seller's expertise to recommend an appropriate product.

      Microsoft doesn't know whether you intend to use it to avoid having autocomplete accidentally embarrass you or if you're trying to foil expert forensic investigators. Since they don't know which purpose(s) you might use it for, there is no warranty of fitness for a particular purpose.

      On to warranty of merchantability. This applies even when the seller does NOT know what purpose you plan to use it for. Because the seller doesn't know, he warrants only that it's useable for SOME purpose. If the mode successfully avoids accidental embarrassment from autocomplete, accidentally hitting the back button down-arrow, etc, then it is useful for SOME purpose and therefore the warranty of merchantability is met.

      Suppose some warranty was NOT met (and not successfully disclaimed). Then you could sue Microsoft for actual damages. If you prove that an accidental autocomplete during a business presentation got you fired, they would need to compensate you for the lost pay.

      Lastly, you mentioned false advertising. What exactly do Microsoft's ads say about the feature? I suspect they do not say "prevents forensic examiners from determining anything about your browsing history".

  • Indifference (Score:5, Insightful)

    by rakslice ( 90330 ) on Sunday January 31, 2016 @11:32PM (#51412017) Homepage Journal

    I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

    Signs of things slipping I've personally noticed in recent years:
    - The faulty Microsoft web-based store (do they expect developers whose first experience with Microsoft is a web site that can't even sell a Windows upgrade are going to turn around and want to build things on ASP.net?)
    - Contradictory descriptions of the different Windows SKUs (with respect to use as upgrades, new machine installs, usability by end users vs. system integrators, etc.)
    - Software with seriously flakiness in features that worked in previous versions (e.g. Windows 10 Start Menu search and keyboard navigation), with broken help links, without an integrated installer (e.g. Lync, Sharepoint)

    • Re:Indifference (Score:5, Insightful)

      by Anonymous Coward on Monday February 01, 2016 @12:03AM (#51412115)

      I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

      It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product. Microsoft's "business partners" are advertisers and law enforcement agencies, that's where the revenue is coming from.

      The Edge behavior described in this article is very hard to explain away as laziness or incompetence. Intentional decisions were made during all phases of design and development to continue storing the user's history even when in private browsing mode. That isn't clueless management or devs taking the easy way out. That's purposely turning the end user's computer into a tool to be used against him.

      Microsoft is now actively hostile to the end user and folks would do well to remember it.

      • by AmiMoJo ( 196126 )

        The Edge behavior described in this article is very hard to explain away as laziness or incompetence.

        To the contrary, that's the most likely explanation. Either a bad spec that someone followed, or maybe some debug code that was supposed to be removed later.

        The end user is now the product.

        If that were the case then this would screw them, because there are many other free browsers and most of them are more popular than Edge. To get users to sell to advertisers they need to produce a good browser.

      • It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product.

        ah yes, no /. article would be complete without a "you are the product" post now would it?

  • I'm shocked (Score:5, Insightful)

    by frovingslosh ( 582462 ) on Sunday January 31, 2016 @11:38PM (#51412045)

    Microsoft Edge's Private Browsing Mode Isn't Actually Private

    I'm shocked! Shocked, I tell you!

    On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

    • Re:I'm shocked (Score:5, Insightful)

      by rtb61 ( 674572 ) on Monday February 01, 2016 @12:45AM (#51412219) Homepage

      It is not really all that funny. Not only is it not private it is marked as pretended to be so on analysis they can find out exactly what you wanted to keep private. That looks really, really bad, not only a failure of privacy but seemingly purposeful gathering of data for extortion purposes, obviously not run of the mill people but selected individuals via the scatter gun method, hide the invasiveness by targeting everyone so that the specific targets are unaware. Then there is how long they will keep the data for ie target every potential politician in high school and university so that decades down the track they can be extorted in compliance or destroyed. It is one thing to screw up privacy, it is quite another to specifically mark data as private and keep it.

    • On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

      Or anything connected to the internet.

    • Using Microsoft products and expecting privacy is like hiring a Catholic priest to babysit your little boy and expecting him to be safe.
  • by Anonymous Coward
    Modern app appers know that only apps can app apps, and privacy is something only LUDDITES use, so apps like Edge app everything you app so every apper can app your apps while apping other apps!

    Apps!
  • by Livius ( 318358 ) on Sunday January 31, 2016 @11:52PM (#51412079)

    not a bug.

    This is Microsoft we're talking about. Misrepresentation about their products is what they do.

  • impossibru! (Score:2, Offtopic)

    by Gravis Zero ( 934156 )

    you're telling me that a corporation that is notorious for their flawed software has made a flawed browser?! impossibru! [twimg.com]

  • Microsoft has gone full-blown Big Brother/1984; is anyone at all surprised that their newest browser is also spying on you?

    Go right ahead and mod me down to negative one troll, Microsoft shills, I expect it of you; wouldn't want your corporate masters to be angry with you, now would you? By the way I'm going to just keep on lambasting Microsoft ad infinitum, and anyone that doesn't like it can, quite frankly, suck my dick.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Hey man, I was a Microsoft sympathizer for the longest time (and a *BSD fanboy, but that's beside the point). However, I installed Windows 10 last week, and it impressed me so much that I downgraded back to Windows 7 after a couple of days, never to return. After using the UI that's worse than GNOME's wildest hallucinations and having to edit group policy and stop services to get the system where I want it to be, I had enough.

      Honestly, compared to Win7, Win10 feels like Windows 3.11 with a factory-provided

    • The browser knows which pages you are browsing to and writes that information to a cache file. BIG BROTHAR GET OUT OF MY COMPATUR!

      • Apparently you haven't been reading the rest of the story. Their 'telemetry' can give them access to any file on your computer. Therefore they can get your entire browsing history. It's more spyware plain and simple.
  • by Antony T Curtis ( 89990 ) on Monday February 01, 2016 @01:59AM (#51412359) Homepage Journal

    Sounds like, from the description, that it is working as designed.

  • by Anonymous Coward

    One man's cache is another man's treasure.

  • by DrXym ( 126579 ) on Monday February 01, 2016 @04:08AM (#51412561)
    How am I meant to browse for gifts and flowers for my wife (WHICH IS ALL ANYONE EVER DOES WITH PRIVATE BROWSING) if its not actually private? Oh and in case the wife does find traces of activity, yes cumgarglingsluts.com is a site that sells flowers and gifts. Way to ruin the surprise Edge.
  • Is why anyone believes things like MS's browser not being "private" is a mistake, or Apples "goto" fail was a bug (some of many fails for both corps) or that there isn't an obvious collusion between the gov and the tech sector, and all the spying and dirty tricks you see are not "bugs" or "mistakes" they were planned all along.

    Eisenhower warned us, we didn't listen, it came to be, now we are "proper fucked".

  • So, Microsoft came out with brand new technology ... tells us how awesome, secure, and private it is.

    And, shockingly, it isn't.

    Why anybody is surprised that Microsoft hasn't really got a mature enough product to know how secure it is makes no sense.

    Why anybody would believe that after all these years Microsoft suddenly wrote a secure browser is beyond belief.

    Did anybody believe Edge was magically safe and secure just because Microsoft said so?

    • It seems to me as though the "private" browsing bit has been an afterthought in every browser to date and it is left as an exercise of the developer to define what "private browsing" even means.

      What doesn't surprise me is that every browser does private browsing differently.

      MS made a mistake and mingles private cache data with non-private cache data. I can see how that could be a simple "efficiency bug". As we all know, most developers are not security experts, we see it over and over again.

      The real questio

      • I have no doubt they'll fix it, or do something to it ... my point is Microsoft, or any other company, when introducing a piece of software makes the claims of how safe, and secure, and fast, and private, and awesome it is.

        But until that's proven in the real world, it's just marketing claims.

        So, I don't care who it is ... come out with your new product and claim all those things, and it's a wait and see.

        But in the case of Microsoft, whose track record with security doesn't make me automatically think I beli

      • Considering they record browsing mode along with the cached data, that doesn't look like a mistake.

  • I'm not sure if it's Android in general or Samsung specifically but I've noticed that my Galaxy S6 Edge uses word-completion suggestions culled from browser usage in incognito mode.

  • There are a lot of posts talking about what an incognito mode should do. Normally we refer to it as 'porn mode' here on /. which does seem to be the intended use case. There's a lot of reverse-engineered information out there about what these modes actually do. In reality, it's insane to trust any closed-source browser with this type of task. If you really care about this feature, you'll want to use an open-source browser where the source code can be audited to determine exactly what it was *intended* t
    • ^^^ this.

      private mode is good for keeping pr0n sites out of your web history.
      private mode is not so good for hiding your illegal activities from determined law enforcement agencies.

      the sooner people figure that out, the better.

  • by Anonymous Coward

    its microsoft, enough said, TOTAL FAIL

  • Is why are you relying on your web browser to provide you with the security to break laws, that's not what private/incognito are for.

    It's to prevent other users on the machine from seeing your browser history...

  • I put in the little effort to setup classic IE on my win10 tablet because edge was basically unusable due to the fact it doesn't have an ad blocker. I really have no idea how people can surf the modern internet without an ad blocker, the auto-playing videos and popups everywhere make it completely insane.

  • At Microsoft the security badge logo goes on the package before the security is added, comrade.

    Trust in the computer!

  • > The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief

    > Microsoft

    I think I found the problem.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...