Blog of Rights

How Private is Private Browsing?

By Chris Conley, Staff Attorney, ACLU of Northern California Technology and Civil Liberties Project at 1:46pm

(This post originally appeared on the ACLU of Northern California's technology blog, Bytes and Pieces.)

'Tis the season for private browsing, or so it seems. Apple's Safari Web browser led the pack in introducing a "private browsing mode" in 2005; in recent months, the other browsers on the market have finally followed suit, with Google's recently-released Chrome and beta versions of Mozilla Firefox and Microsoft Internet Explorer adding similar features.

What does "private browsing" mean, however? For the most part, these "private" modes are designed to protect your privacy only vis-a-vis other users of the same computer, whether you're at an Internet cafe or just trying to avoid letting your partner know what you're doing with their laptop (which earned these features the moniker "Porn Mode"). But do these "private" modes prevent Web sites from identifying you and tracking your actions? If so, how, and how effectively?

Private Browsing and Shared Computers

All of the browsers above offer features designed to protect your privacy vis-a-vis other users of the same computer — preventing others at an Internet cafe, library, or even your home from knowing which Web sites you visited or what information you provided. The mechanism in each browser differs, but the basic concept is the same: none of the sites you visit or the information you provide will be stored in your browser's history or cache, and any cookies that are generated will be deleted when you close the browser.

It's worth noting, however, that private modes offer only partial protection. Certain browser extensions, notably the Flash animation player, generate their own cookies when they are activated — and these cookies are outside of the browser's control. Thus, while a typical user may not be able to retrace your steps, a sophisticated user may be able to do so.

Private Browsing and Internet Sites

Of course, other users of the same computer are far from the only ones who might be interested in your online activities. Web sites and other Internet actors also track behavior for a wide range of purposes. Does private browsing keep their prying eyes away?

One way that Web sites track users is through the use of cookies. All of the new web browsers promise to discard any cookies accumulated while you surf in private mode — but what about the cookies that you've already collected before using private mode? Private mode in new versions of Firefox and Chrome both start "from scratch," ignoring any cookies you may have collected while browsing normally. IE and Safari, however, continues to share any cookies you collected before entering In Private mode.

In addition, sites can use scripts to gather information about Web users. Third-party scripts, which are often used for advertising purposes, pose a particular threat to user privacy, as they allow a single entity to track your behavior across a wide range of Web sites. The only browser to address this situation is the next version of Internet Explorer, which has a feature called "In Private Blocking" that will block scripts that it will block "third-party content that appears with a high frequency across sites you visit." IE users will also be able to subscribe to lists of scripts to block, providing an alternate method of identifying and addressing privacy threats.

However, none of these private browsing modes is capable of making your browsing completely "private" by preventing any site from recording your information. Your browser, and your computer, simply don't have that level of control. Web sites can still track you by using your IP address, they can still send and receive cookies within the context of the private browsing session (and many Web sites won't work at all without cookies), and they can still gather, store, and use data that you generate even while browsing "privately." Having a privacy setting on your browser is nice; having a privacy setting for the Web sites you use would be far better.

Private Browsing and User Control

We shouldn't have to "hide" our data from Web sites if we want to remain private; we should simply be able to tell them "don't record this session" and expect our request to be honored. While private browsing modes that use technical measures to protect personal information add value, they only take us so far. Getting Web sites and online businesses to respect our right to control our own personal information is the only way to truly browse privately.

There's a long road to get there, however, and in the meantime, privacy-enhancing techniques like those seen in some of the new browsers are a welcome feature. We hope you'll take the time to tell Apple, the developers behind Chrome, Microsoft, Mozilla, and other software developers to keep up the good work. And, of course,we hope you'll continue to support our efforts to upgrade the laws to reflect modern technology, so that "private mode" is the default setting on the Internet.

Statistics image