Skip to main content

Websites Evade Google Chrome's Incognito Protections

(Image credit: Shutterstock)

Google announced in July that Chrome 76 would remove loopholes that publishers exploited to figure out if website visitors were using Incognito mode. The company made good on its promise, but researchers discovered that site operators could simply use other methods to detect Incognito visitors. Bleeping Computer reported on Saturday that The New York Times is among the list of publishers taking advantage of these new loopholes.

The obvious question is why publishers would care if people visit their sites using Incognito mode. Isn't that feature just supposed to make sure their, ahem, favorite adult video platforms aren't revealed by Chrome's autocomplete? Not really. Incognito mode also blocks cookies, which limits the amount of information website operators can gather from their visitors. Publishers rely on these cookies for the common "soft paywall" monetization tactic.

These soft paywalls let people read a certain number of articles in a given timeframe without having to pay. (Bloomberg, for example, lets people read three articles per month before requiring them to subscribe.) Other sites use a "hard paywall" that requires visitors to subscribe if they want to read anything. Publishers offering a limited number of free articles hope they're demonstrating enough value that people will be willing to pay for more.

The sites track how many articles someone has read with--you guessed it--cookies. That means Incognito users could read as many free articles as they like. This led publishers to use the FileSystem API, which Google deprecated in Chrome 76, to detect when visitors were using the privacy-protecting browsing mode. They could then display a custom message informing any Incognito users that they need to sign into their accounts to read articles.

Google said it closed these loopholes to make Incognito mode feel more private. But a researcher named Vikas Mishra quickly discovered that website operators could simply use the Quote Management API instead of the FileSystem API to detect if someone's using Incognito mode. Then a former Edge product manager, Eric Lawrence, tweeted on August 9 that The New York Times used Mishra's code to prevent Incognito users from reading articles.

This probably won't be the last time publishers work around Google's efforts to make Incognito mode truly private. (Or at least as private as it can be, given that it only protects data in the browser.) They can't afford to give away their products for free, and even if most Incognito users simply want to protect their privacy, its ability to pierce soft paywalls makes it a target for publishers. There's only so much Google can do to prevent these efforts.