Private browsing may not protect you as much as you think
Originally Published: 23 JUL 22 06:48 ETBy Jennifer Korn, CNN Business
(CNN) -- For years, the most popular internet browsers have included options to search for and visit websites in "private" modes. Those options may now be viewed as vital tools for some in the wake of Roe v. Wade's demise, as abortion-seekers look to avoid having their personal data used against them in states where abortion is criminalized.
But clicking the "private" browsing option might not protect you as much as you think, some privacy experts say.
These options have different names — Private Browsing on Safari and Firefox, and Incognito mode on Chrome — but the functionality is similar on each. In these private modes, the chosen browser does not keep a log of sites visited, cached pages, or saved information like credit card numbers and addresses. It also prevents information from sessions from being stored in the cloud.
Although using these options does add a certain level of protection online, privacy experts say it stops short of preventing the user from being tracked altogether -- potentially limiting the protections it may afford women in this new legal landscape.
"We have to recognize that oftentimes simply toggling on a private mode does very little to prevent third-party tracking and especially law enforcement tracking," said Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project and a fellow at the New York University School of Law.
What does private browser mode do?
As designed, private browsing modes are best suited for protecting your web activity from other people who use the same device, according to experts, but it does little beyond offering that local shield.
"It can be helpful, for example, for trans and queer kids who are worried about being tracked by their parents and for people who may be in a situation where they can't securely separate their computer from other people who can access the browser history," says Fox Cahn.
The private mode can also help reduce tracking across websites. On Chrome, for example, users are told: "Websites see you as a new user and won't know who you are, as long as you don't sign in."
"People choose to browse the web privately for many reasons," said Parisa Tabriz, VP of Chrome Browser. "Some people wish to protect their privacy on shared or borrowed devices, or to exclude certain activities from their browsing histories. Incognito helps with these use cases."
Usually when a person browses online, companies will use tracking devices known as cookies to keep up with digital activity from one site to the next for better targeted advertising. Depending on the browser and user choices, private browsing mode can reduce that cross-site information sharing. But with some browsers, users must know to select these additional options, beyond simply opting for private mode.
Safari, for example, has a default Intelligent Tracking Prevention feature, which limits cross site tracking while enabling sites to continue to function normally. Its "Prevent Cross-Site Tracking" and "Block all cookies" optionsare extra steps to protect users, but these features are separate from private mode. Chrome, meanwhile, advises users that they have to choose to block third-party cookies, even in Incognito mode. Firefox added new default features last year, including "total cookie protection," to stop users from being tracked around the internet, as well as "smart block" to allow for third-party logins through sites like Facebook or Twitter while still working to prevent tracking.
Private modes are also limited in their effectiveness when it comes to IP addresses, which tie to the device and can be used to geo-locate the user.
"Whether you're in privacy mode or not, your IP address always has to be known by the recipient because when your browser sends the request to get data, the server that's receiving the request needs to know where to send that data back to," said Andrew Reifers, associate teaching professor at the University of Washington Information School. An internet service provider can also record a user's online activity regardless of their browser privacy setting.
Some browsers do offer additional protections to address this. Safari has a "Hide IP Address" selection separate from private browsing mode that, when enabled, sends user browser information to two different entities, with one getting the IP address but not the website being visited and the other getting the website but not IP address. In this way, neither has all the information on a user. Other browsers also have options to mask IP addresses, such as VPN extensions or "disable Geo IP" capabilities that stop browsers from sharing a user's location with websites.
What do private browser modes not protect?
Online browsing is stored in two places: on the local computer and by the sites visited. When a user in private browsing mode goes to Facebook, for example, there will not be a stored record of that visit on their device, but there will be a stored record of that visit in their Facebook account records and by Facebook's ad analytics.
The record users leave online, with or without enabling private browsing options, creates much uncertainty around how that data could be used as evidence by law enforcement in states that criminalize abortions. Tech companies have said little about how they would handle such requests. Groups promoting digital rights and reproductive freedoms are now warning people in these states to safeguard their digital footprints when seeking abortion information and resources online, and sharing tips for how to do so.
Moreover, if someone is working on a company or school-owned laptop, private browsing mode won't do much at all. "If you have a computer where somebody else is managing it, having privacy against that person is not really possible," said Eric Rescorla, CTO at Mozilla. "If an employer owns your computer, they can put any kind of monitoring software on the computer they want, and they can measure anything that you do. So, no, it doesn't protect you against that, but almost nothing would."
Google Chrome also warns users that Incognito Mode cannot offer total protection in these cases. "When in Incognito Mode, your activity might still be visible to websites you visit, your employer or school, or your internet service provider. We make this clear when opening Incognito Mode," said Tabriz.
Users should also keep in mind that the protections offered in private mode are exclusive to web browsing, leaving any activity on smartphone apps vulnerable. No matter how well private browsing mode works to protect user activity, it can't help anywhere else. "A lot of the applications that we use don't have a built-in incognito mode," said Reifers. "You don't really know what that application is storing."
What extra steps can you take to protect yourself online?
Beyond enabling private browsing modes, and selecting the additional privacy options offered by the companies in their settings, there are some additional steps users can take to try to maximize digital privacy,
A VPN, or virtual private network, conceals an IP address to make a user more anonymous online, effectively protecting both who and where a user is. "A good first step would be to use a private browsing mode and a VPN together," Rescorla said.
But using a VPN potentially allows the VPN operator access to your browsing activity. "Many of these will sell that information or certainly make it available to police if they provide a warrant," warns Fox Cahn.
Internet users can also consider turning to a browser like Tor, a secure and anonymous option that uses multiple intermediary servers to keep any single server from fully tracking activity, according to privacy experts.
Above all, experts stress that internet users should be aware that online activity is fundamentally just not private, regardless of browser setting. And while clearing browsing history and emptying cookie caches make data recovery harder for third parties, it is still not impossible with certain forensic tools and warrants.
Fox Cahn emphasizes that those concerned with data privacy like abortion seekers should take as many steps as possible, even buying a new device that is not traceable or using services like Tor. "It's cumbersome, but that provides a lot more protection," he said. "You have to keep in mind that all these things can do is reduce the amount of risk. None of them are absolutely perfect."
™ & © 2022 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.