Google Fixing Chrome API To Prevent Incognito Mode Detection (bleepingcomputer.com) 42
AmiMoJo writes: When browsing the web with Google Chrome, some sites are using a method to determine if a visitor is in a regular browsing session or in incognito mode. As this can be considered a breach of privacy, Google will be changing how a particular API works so that web sites can no longer utilize this technique.
Chrome supports the FileSystem API, which allows sites to create a virtual file system that lives within the sandbox of the browser. This allows sites that utilize large assets, such as online games, to download these assets to a virtual file system so that they do not have to download them each time they are needed. Currently the FileSystem API is not available in incognito sessions, because it leaves files behind and could be considered a privacy risk. Currently the API doesn't work in incognito mode, offering sites a way to check for it. In a Chrome Gerrit post started this week and updated earlier this morning, Google has stated that they are changing the FileSystem API so that it can be used in incognito mode, without the risks to privacy.
Re: (Score:2)
Re: (Score:3)
Maybe why Google is also starting to block the worst ads by default anyway. Chrome has a built-in ad blocker now.
Re: (Score:2)
Oh, come on now. We're all adults here. We know this is just stories we tell children. Schnapps doesn't really exist.
Re: (Score:3)
"Here's a tool that lets you review all the data we have, which you explicitly opted in to allowing us to collect and which is used to provide the services you enjoy. Here is a button to disable collecting it, and here is a button to delete it."
"OMG mah privacy!!1"
Re: (Score:2)
Google's mistake with its incognito mode was actually having it behave differently rather than having it behave the same and just sandboxing -everything-
There's another thing that incognito mode destroys your privacy with, and that is the browser history if you've visited the site before without incognito. Try it: go to google.com and then open an incognito window and start typing google.com, and it will auto-fill it. If you open the browser history, it will then toss you back to the non-incognito mode.
That's
Re: (Score:2)
Companies are neither inherently good nor inherently evil, they just do what they think will help their bottom line and/or strategic goals, and yes keeping up a good PR face can be part of that.
This fix probably hurts Google's competitors more than it hurts Google. Google can probably make a pretty damn good guess whether someone is in incognito mode without resorting to tricks (if a browser shows up with no Google cookies it's a pretty good bet it's in incognito mode). Smaller sites will find it harder to
Written by? (Score:2)
Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?
Re: (Score:3)
TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"
Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?
They didn't miss it, quite the opposite, it is a potential problem they identified for a solution that isn't out yet.
As for limiting to x MB, it is exactly what they intend to do, but while it is an obvious solution, finding the value of x isn't.
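A minimal model of the change described in the story summary and of the quota point made in the comment above, added here as an illustration (it is not Chromium's code; the class and function names and the 1 MiB cap are assumptions). Both profiles answer the same API call, and the incognito backend is memory-only with a hard byte limit.

```javascript
// Added illustration, not Chromium code. Names and the quota value are assumptions.
const INCOGNITO_QUOTA_BYTES = 1024 * 1024; // assumed cap; choosing the real "x" is the open question

class QuotaExceededError extends Error {}

// Memory-only store; disk persistence for the normal profile is not modelled here.
class MemoryFileSystem {
  constructor(quotaBytes) {
    this.quotaBytes = quotaBytes;
    this.files = new Map(); // path -> Uint8Array
    this.used = 0;
  }
  write(path, bytes) {
    const previous = this.files.get(path);
    const nextUsed = this.used - (previous ? previous.length : 0) + bytes.length;
    // Reject before storing so a page cannot grow browser memory without bound.
    if (nextUsed > this.quotaBytes) {
      throw new QuotaExceededError(`quota of ${this.quotaBytes} bytes exceeded`);
    }
    this.files.set(path, Uint8Array.from(bytes));
    this.used = nextUsed;
  }
  read(path) {
    return this.files.get(path) ?? null;
  }
  // Closing the incognito session drops everything; nothing was written to disk.
  destroy() {
    this.files.clear();
    this.used = 0;
  }
}

// What a page observes when it asks for a filesystem, before and after the change.
function requestFileSystem(profile, { fixed }) {
  if (profile === 'incognito' && !fixed) {
    return { ok: false, error: 'unavailable' }; // old behaviour: the failure itself is the signal
  }
  const quota = profile === 'incognito' ? INCOGNITO_QUOTA_BYTES : Infinity;
  return { ok: true, fs: new MemoryFileSystem(quota) };
}

// True when a page can tell the two profiles apart from API availability alone.
function availabilityLeaksMode(fixed) {
  return requestFileSystem('normal', { fixed }).ok !==
         requestFileSystem('incognito', { fixed }).ok;
}
```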
Re: (Score:2)
Alternatively, they could generate an encryption key and keep it in the incognito browser's memory. Use operating system APIs to pin that page to memory (standard for encryption keys) so it doesn't go to swap. Encrypt and encode filenames, and stream the files to disk encrypted. Mark the whole thing as temporary.
It leaves evidence that you used incognito mode, but only gibberish about what actually happened in incognito mode.
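A sketch of the design proposed in the comment above, added here as an example (not code from Chrome or from the commenter; the class and method names are assumptions). It runs under Node.js, writes whole buffers rather than streaming, and derives on-disk names with a keyed hash instead of encrypting them.

```javascript
// Added illustration of the comment's idea, not browser code; all names are assumptions.
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

class EphemeralEncryptedStore {
  constructor() {
    // Keys live only in process memory and are never written out.
    // (Pinning them against swap needs an OS call such as mlock, not shown.)
    this.dataKey = crypto.randomBytes(32);
    this.nameKey = crypto.randomBytes(32);
    this.dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ephemeral-'));
  }
  // On-disk names are keyed hashes, so they reveal nothing about the logical name.
  diskPath(logicalName) {
    const tag = crypto.createHmac('sha256', this.nameKey).update(logicalName).digest('hex');
    return path.join(this.dir, tag);
  }
  write(logicalName, plaintext) {
    const iv = crypto.randomBytes(12); // fresh nonce for every write
    const cipher = crypto.createCipheriv('aes-256-gcm', this.dataKey, iv);
    const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
    // Layout on disk: 12-byte IV | 16-byte auth tag | ciphertext
    const blob = Buffer.concat([iv, cipher.getAuthTag(), body]);
    fs.writeFileSync(this.diskPath(logicalName), blob, { mode: 0o600 });
  }
  read(logicalName) {
    const blob = fs.readFileSync(this.diskPath(logicalName));
    const decipher = crypto.createDecipheriv('aes-256-gcm', this.dataKey, blob.subarray(0, 12));
    decipher.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  }
  // End of session: wipe the keys, then best-effort delete.
  // Any file that survives deletion stays unreadable without the keys.
  close({ removeFiles = true } = {}) {
    this.dataKey.fill(0);
    this.nameKey.fill(0);
    if (removeFiles) fs.rmSync(this.dir, { recursive: true, force: true });
  }
}
```

Calling `close({ removeFiles: false })` reproduces the outcome the comment describes: the directory still shows that something was stored, but neither the names nor the contents can be recovered.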
Other methods to check (Score:5, Informative)
This has been known for several years (https://stackoverflow.com/questions/2909367/can-you-determine-if-chrome-is-in-incognito-mode-via-a-script)
There are plenty of other methods to check whether or not you're in incognito mode (http://www.collinjackson.com/research/private-browsing.pdf)
Re: (Score:3)
You will note that after this fix none of the methods outlined in either of your links work any more. The CSS visited link hack was fixed years ago, for example. The paper suggests testing things like SMB links, which are only supported in Internet Explorer anyway.
Re: Other methods to check (Score:1)
I browse in “private mode” on my iPhone exclusively, and I see a lot of ads for Ashley Madison. I had always assumed this was because they knew I was in private mode. And no, I have never visited that site!
News Sites (Score:3)
Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode. I'll be happy if this breaks their block.
Of course, with the vast number of APIs available now, fingerprinting is just about as good as cookies. Browsers reveal far too much information.
Re: (Score:2)
There are cookie related add-ins that will delete cookies after a certain amount of time away from the site. On Chrome I use Vanilla Cookie Manager and on Firefox I use Self-Destructing Cookie (pre-extension apocalypse)
If websites focus their efforts on incognito mode, I would just use one of those extensions.
MIT Technology Review's tracking blocker blocker (Score:2)
Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode.
Was it MIT Technology Review? If so, I think it was testing for existence of third-party analytics/advertising ID cookies, not any file system API. I don't use incognito per se, but I have encountered that message while using Firefox built-in tracking protection, which blocks URLs known to be involved in cross-site interest gathering. (It uses the same list as the Disconnect extension.)
I'll be happy if this breaks their block.
If a paywalled site doesn't detect a third-party analytics/advertising ID cookie, it may require the user to log in through
If any Chrome devs reading this (Score:2)
Can you please put the option to put the tabs and blinding white off back to where it was at version 70?
I still use that version as I get migraines easily and it's hard to differentiate tabs with my multiple monitors
There is no such thing as "anonymous" (Score:2)
If you want to browse the web anonymously, forget it. No matter what tricks you use, you can be tracked. Sure, some methods of going incognito are better than others, but when it comes down to it, don't ever, ever trust that what you are doing on the Web can't be found out.
A Potentially Dumb But An All Seriousness Inquiry (Score:1)
Re: (Score:1)