Incognito mode detection still works in Chrome despite promise to fix

Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.
Written by Catalin Cimpanu, Contributor

Websites are still capable of detecting when a visitor is using Chrome's incognito (private browsing) mode, despite Google's efforts last year to disrupt the practice.

There are several reasons why website operators like to block incognito mode users.

For example, some users employ incognito mode to bypass content paywalls and various content filters/limiters. In addition, current incognito (private browsing) modes in most browsers today also ship with aggressive anti-tracking features that block websites from tracking and fully monetizing their traffic.

Both issues -- and the inherent use of private browsing -- result in direct financial losses to websites and the primary reasons why scripts that detect incognito modes have become popular in recent years.

Google tried to fix it in 2019

In early 2019, Google decided to take a stance against such scripts. Chrome 76, released in July 2019, included an update that blocked websites from using the FileSystem API to detect if a user was using Chrome's normal browsing mode or its incognito mode.

Before Chrome 76, the FileSystem API was simply not available in incognito mode, and website operators only had to query this API to find out if a user was using incognito mode. With Chrome 76, Google activated the FileSystem API for incognito mode windows making previous detection scripts useless. However, this update wasn't foolproof. Google didn't fully activate the FileSystem API, but merely set up a hard limit to the amount of storage space that incognito mode windows could access, at 120 MB.

It took programmers under a week after the Chrome 76 release to discover what was happening, and develop scripts that probed the FileSystem API to determine the amount of storage space a website could access, and indirectly detect if the user was using incognito mode or not.

Two different scripts were released in August 2019 [1, 2], and one of them even made its way into the New York Times' website, confirming how popular these scripts are with many online content publishers.

No new patch, despite promise last year

Answering a question from tech news site Bleeping Computer, Google promised in August 2019 to fix the bypass and block incognito mode detections.

However, nine months later, it is still possible to detect incognito mode in Chrome, and all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave, all of which share the core of Chrome's codebase.

Furthermore, developers have taken the scripts shared last year and have expanded support to non-Chrome browsers, such as Firefox and Safari, allowing sites to block users in incognito mode across the board.

Currently, there is no deadline for a new Chrome update to block incognito mode detections, however, today, Google might be interested more than ever in fixing this issue.

On Tuesday, the company has been named in a class-action lawsuit where its ad division has been accused of secretly tracking users even if they were navigating the web in incognito mode.

Advertisers like Google have a bevy of indicators to track users in both normal and incognito mode alike. Blocking incognito mode detection won't stop advertisers from tracking users in incognito mode, as both website operators and advertisers will still see information such as IP addresses and other traffic data. However, it will help Google earn some good faith with its users, many of which care about their privacy and don't like to be denied service by websites just because they're in incognito mode.

Editorial standards