Chrome is patching a bug that lets sites detect and block private browsing mode, declares war on incognito-blocking

The next version of Chrome will patch a bug that lets websites detect users who are in incognito mode by by probing the Filesystem API; they've also pledged to seek out and block any other vulnerabilities that will let servers detect users in incognito mode.

This will cause problems for sites operating "soft paywalls" that allow you to visit a limited number of times for free before blocking you, such as the New York Times and LA Times (disclosure: I am a book reviewer for the LA Times and have written editorials and articles for the New York Times). Users who hit the limit can bypass it by flipping to incognito mode and reloading the page.

Google acknowledges that this will cause problems for these soft paywalls and proposes that sites who rely on these can adapt by "reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywall" and points out that blocking browsers that don't respond to Filesystem API would catch lots of different kinds of users, not just those using private browsing mode.

Any concern from paywall operators is difficult to credit in any event, as users who hit the limit on soft paywalls always had the option to simply delete their existing cookies from the site. On that note, can anyone recommend an advanced cookie-manager for Firefox that allows you to accept cookies from soft paywall sites, but delete them when the browser closes? Firefox's cookie management panel implies that it can do this natively, but it doesn't work for me (e.g. adding "*.wired.com" to the list of accept-but-delete-on-close list doesn't actually purge cookies from Wired).

A timely reminder: private browsing mode doesn't protect you from snooping by your ISP or by the trackers the sites you visit embed, including trackers from Facebook, Google, and Oracle.

While Google said it "recognize[s] the goal of reducing meter circumvention," it also said that "any approach based on private browsing detection undermines the principles of Incognito Mode."

"Some wish to protect their privacy on shared or borrowed devices, or to exclude certain activities from their browsing histories. In situations such as political oppression or domestic abuse, people may have important safety reasons for concealing their Web activity and their use of private browsing features," Google said.

Google's blog post did not mention that Incognito Mode has only limited uses for protecting privacy and that Incognito Mode wouldn't do much for someone trying to evade "political oppression." When using Incognito Mode, "Chrome won't save your browsing history, cookies and site data, or information entered in forms," a Google support page notes. This is useful for keeping browsing activity private from other users of the same device or Google account but not for hiding your location or identity from websites and network operators.

Chrome 76 prevents NYT and other news sites from detecting Incognito Mode [Jon Brodkin/Ars Technica]