4 Ways You Can Be Tracked When In Private Browsing

Affiliate Disclosure: By buying the products we recommend, you help keep the lights on at MakeUseOf. Read more.


Private browsing is private, right? It’s in the name. Private browsing.

Well, in 99% of cases, it is. You open a special window in your chosen web browser, and use it for stuff you’d much rather wasn’t stored in your browsing history. When you’re finished, simply close it, and everything will be forgotten.

Except, that isn’t always the case. There are several ways in which private browsing can be defeated. Some of them don’t even need all that much work.

Nvidia GPUs Never Forget

Two years ago, Canadian student Evan Andersen fired up Diablo III after an evening spent watching adult videos. But instead of seeing the popular hack-and-slash role playing game, he ended up seeing the raunchy movies he’d been watching earlier.

“When I launched Diablo III, I didn’t expect the pornography I had been looking at hours previously to be splashed on the screen. But that’s exactly what replaced the black loading screen. Like a scene from Hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen.”

An Electrical and Computer Engineering Student, Andersen immediately knew something was amiss. Not least because he’d been looking at YouPorn through the supposed shield of Google’s Incognito Mode. So, he started digging.


It turns out, there’s a serious flaw with how Nvidia’s graphics drivers handles memory. On his blog, Andersen says:

“When the Chrome incognito window was closed, its framebuffer was added to the pool of free GPU memory, but it was not erased… When Diablo requested a framebuffer of its own, NVIDIA offered up the one previously used by Chrome. Since it wasn’t erased, it still contained the previous contents. Since Diablo doesn’t clear the buffer itself – as it should – the old incognito window was put on the screen again.”

Andersen told Nvidia and Google about the bug in 2014, but didn’t hear back from them. After almost two years of waiting for their respective security teams to issue a fix, Andersen took matters into his own hands published it on his own blog. That’s pretty standard for anyone practicing responsible disclosure Full or Responsible Disclosure: How Security Vulnerabilities Are Disclosed Full or Responsible Disclosure: How Security Vulnerabilities Are Disclosed Security vulnerabilities in popular software packages are discovered all the time, but how are they reported to developers, and how do hackers learn about vulnerabilities that they can exploit? Read More .

At the time of writing, Nvidia is yet to issue a fix.

Canvas Fingerprinting

Cookies can be wiped. You can install AdBlock. You can use a VPN which blocks advert trackers, like SurfEasy does Protect Your Mobile Data and Network Usage With SurfEasy VPN [Giveaway] Protect Your Mobile Data and Network Usage With SurfEasy VPN [Giveaway] In the Google Play Store, you'll find a whole lot of VPN clients for Android devices, but few of them are as up-to-date and robust as SurfEasy. SurfEasy offers a 3-tier account structure: Free, Mobile... Read More . You can turn on Incognito mode. You can use your laptop in a cave, while crouched under a Faraday cage. But canvas fingerprinting Canvas Fingerprinting Will Track You Everywhere You Go. Here's Why You Should Be Worried Canvas Fingerprinting Will Track You Everywhere You Go. Here's Why You Should Be Worried Read More can demolish all that without breaking a sweat.

So, how does it work? Well, by using HTML5’s Canvas API (Application Programming Interface What Are APIs, And How Are Open APIs Changing The Internet What Are APIs, And How Are Open APIs Changing The Internet Have you ever wondered how programs on your computer and the websites you visit "talk" to each other? Read More ), it creates a hidden line or image that identifies that particular computer. The kicker is that each identifying token is virtually unique to each computer, although it’s totally possible for collisions to occur.

This uniqueness comes from a series of calculations which take into account various attributes of the computer. Everything from the GPU configuration, to the browser, to what plugins are installed, makes up the token.

The only sure-fire way to defeat it is to prevent the web-page you’re on from using the Canvas element. To do that, you’ll either have to install an older browser (you can still download Internet Explorer 6 How to Download Internet Explorer 6 (If You Really Need To) How to Download Internet Explorer 6 (If You Really Need To) There are still some people who use Internet Explorer 6 to this day, and they've got some valid reasons. Here's how you can use it if you need to. Read More , bizarrely), or to disable JavaScript. This will have a negative impact on your browsing experience, however, as most sites are hopelessly dependent on JavaScript, and will fail to work properly without it. It is for this reason why James Bruce described it as part of his Trifecta of Internet evils AdBlock, NoScript & Ghostery - The Trifecta Of Evil AdBlock, NoScript & Ghostery - The Trifecta Of Evil Over the past few months, I've been contacted by a good number of readers who have had problems downloading our guides, or why they can't see the login buttons or comments not loading; and in... Read More .

The Man in the Middle Sees Everything

Incognito Browsing is only really effective within the browser. Once the packet leaves your computer, and starts to snake its way through the vast expanse of the Internet to its eventual destination, all bets are off.

If someone’s sitting on the same local network as you, they can intercept your traffic in real-time. The software required to do isn’t especially exotic. It’s just Wireshark.


Another threat is the potential for someone to act as a node on the path your packet takes from your computer, to its eventual destination. One of the most common manifestations of this is in rogue hotspots, where people create wireless networks with the intention to get people to connect to them, so they can capture and analyze all traffic that goes through the network. This is called a Man in the Middle attack What Is a Man-in-the-Middle Attack? Security Jargon Explained What Is a Man-in-the-Middle Attack? Security Jargon Explained If you've heard of "man-in-the-middle" attacks but aren't quite sure what that means, this is the article for you. Read More .

There’s a few things you can do to mitigate against this. Firstly, install the HTTPS Everywhere plugin Encrypt Your Web Browsing With HTTPS Everywhere [Firefox] Encrypt Your Web Browsing With HTTPS Everywhere [Firefox] HTTPS Everywhere is one of those extensions that only Firefox makes possible. Developed by the Electronic Frontier Foundation, HTTPS Everywhere automatically redirects you to the encrypted version of websites. It works on Google, Wikipedia and... Read More , available for Chrome and FireFox. As the name suggests, this forces SSL connections where possible. While it’s not a sure-fire solution, it helps. It’s worth noting that HTTPS Everywhere can have some adverse effects on some websites. I know that on this particular website, it can introduce some visual glitches.

Secondly, you can use a VPN What A VPN Tunnel Is & How To Set One Up What A VPN Tunnel Is & How To Set One Up Read More . These essentially tunnel your connection through a secure connection, preventing anyone on your network from seeing what you’re doing.

Malware and Browser Extensions

I’m going to briefly touch on the software side of how Incognito mode can be defeated. Partly, because much of it is obvious. If your computer is a festering slag-heap of malware and viruses, no amount of Incognito Mode will keep you secure.

If each keystroke is being tracked by a keylogger, pressing CTRL-SHIFT-N isn’t going to suddenly improve your privacy or security. Your best bet is to simply wipe your machine, and start afresh. This is something that’s been made much simpler How to Factory Reset Windows 10 or Use System Restore How to Factory Reset Windows 10 or Use System Restore Learn how System Restore and Factory Reset can help you survive any Windows 10 disasters and recover your system. Read More in newer versions of Microsoft Windows.

One potential attack vector against incognito mode is through browser extensions. If you’re using an extension that records what you do online, and you activate it in Incognito mode, you undermine any privacy advantages that you get from using incognito mode.


Incognito Mode: Know Your Limits

Incognito mode is great if you want to browse the Internet without leaving a trace, locally. But remember that it’s not a sure-fire way to stay shrouded online. It can be undermined quite easily; from a dodgy GPU driver, to a rogue Chrome extension, to even a man in the middle attack.

Has private browsing ever let you down? Tell me about it in the comments below.

Photo Credits: WireShark (Linux Screenshots)

Explore more about: Browser Extensions, Online Privacy.

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Prithvi
    May 31, 2017 at 8:18 am

    I tried to open theaPizzarIHutIndia website through Google and clicked an ad. The website asked me to visit in normal mode and said you maybe visiting in private mode.

    I don't understand why Pizza Hut would care. But maybe they their offers only for newer customers.

    I was using Chrome on my iPhone 7 Plus.

  2. bee mayer
    April 24, 2017 at 1:38 am

    I used to think I was doing at least an above-average job controlling when the sites I visited saw my location. That it until 4 minutes ago while using my Galaxy S5, using Google Chrome version 57.0.2987132, within an incognito window, WITH LOCATION SERVICES OFF, when Leafly.com informed me there was no Durban Poison to be found in my city. Of course not...I was merely researching for a friend whose girlfriend wanted to know about what her cousin was talking about, duh. My next search was to hopefully find a discussion kind of like this one. But seriously, WTF!? Maybe I'm a "conspiracy theorist," but I have this "idea" my government has a direct-fiber optic tap into our entire communications infrastructure, and it is an impossibillity to be "incongnito, but come on Google! You could at least do a better job of helping think that someone is looking out for the sheep and not strengthening the chains of control we already have to endure. Alright, back to my research....

  3. MD
    July 31, 2016 at 12:16 pm

    is it possible to download VPN without admin password ?

    • FlamingEssence
      July 25, 2017 at 1:09 am

      Windows 10 comes with a VPN

  4. JamesPotter
    May 24, 2016 at 1:54 pm

    It is right, just using private browsing is not enough. Even if your browsing history is not available you are still giving much data to advertisers. It's better to make a combo with tools like Ivacy VPN to be completely anonymous on the internet while browsing.

  5. Aibek Esengulov
    February 10, 2016 at 10:50 am

    You forgot to mention the ISP. These guys can see everything regardless of the incognito mode unless you're using using a VPN

  6. Anonymous
    January 19, 2016 at 5:01 pm

    How can you block cookies effectivly from all web sites if you are using Safari of FairFox?


    • Matthew Hughes
      January 21, 2016 at 10:38 pm
    • Sally G
      November 23, 2016 at 3:34 pm

      I use an add-on that “self-destructs” cookies when I leave a page; it enables an easier experience while I am on the page, but without traces remaining for later data-mining. It also clears out LSOs when I end the browser session. Because I am a bit obsessive*, I also have NoJava enabled, so I approve each piece of JavaScript on each site I go to (one can also set it up to allow JS from bookmarked pages, or white list frequently used sites).
      *I joke about having CDO—Obsessive-Compulsive Disorder, properly alphabetized! (I know, politically incorrect, but I am more obsessive than average!)