Websites Evade Google Chrome's Incognito Protections

Google announced in July that Chrome 76 would remove loopholes that publishers exploited to figure out if website visitors were using Incognito mode. The company made good on its promise, but researchers discovered that site operators could simply use other methods to detect Incognito visitors. Bleeping Computer reported on Saturday that The New York Times is among the list of publishers taking advantage of these new loopholes.

The obvious question is why publishers would care if people visit their sites using Incognito mode. Isn't that feature just supposed to make sure their, ahem, favorite adult video platforms aren't revealed by Chrome's autocomplete? Not really. Incognito mode also blocks cookies, which limits the amount of information website operators can gather from their visitors. Publishers rely on these cookies for the common "soft paywall" monetization tactic.

These soft paywalls let people read a certain number of articles in a given timeframe without having to pay. (Bloomberg, for example, lets people read three articles per month before requiring them to subscribe.) Other sites use a "hard paywall" that requires visitors to subscribe if they want to read anything. Publishers offering a limited number of free articles hope they're demonstrating enough value that people will be willing to pay for more.

The sites track how many articles someone has read with--you guessed it--cookies. That means Incognito users could read as many free articles as they like. This led publishers to use the FileSystem API, which Google deprecated in Chrome 76, to detect when visitors were using the privacy-protecting browsing mode. They could then display a custom message informing any Incognito users that they need to sign into their accounts to read articles.

Google said it closed these loopholes to make Incognito mode feel more private. But a researcher named Vikas Mishra quickly discovered that website operators could simply use the Quota Management API instead of the FileSystem API to detect if someone's using Incognito mode. Then a former Edge product manager, Eric Lawrence, tweeted on August 9 that The New York Times used Mishra's code to prevent Incognito users from reading articles.

This probably won't be the last time publishers work around Google's efforts to make Incognito mode truly private. (Or at least as private as it can be, given that it only protects data in the browser.) They can't afford to give away their products for free, and even if most Incognito users simply want to protect their privacy, the mode's ability to pierce soft paywalls makes it a target for publishers. There's only so much Google can do to prevent these efforts.

3 comments
  • nufelevas
    Google should allow the user to exclude paywalled sites from search and news.
  • Olle P
    I don't see a problem with websites being able to detect whether a visitor is "incognito" or "public".
    What matters is what other information they can extract when a user is "incognito".
  • AllanGH
    I suppose that, if a person wanted to be truly "incognito" while browsing news sites, it would be a simple expedient to simply create a separate user account and log in through that account and browse such sites from there. I doubt that there's much of a work-around for that.....unless Windows leaks information more readily than I originally thought.

    Of course, publishers could just start popping up their paywalls after x number of visits from a particular IP addy.

    For my part in the whole browsing news sites matter, once I discover that a news site uses paywalls, I never go back. The Guardian has become my go-to site for such information, though.