"Private Browsing." "Incognito." "Porn mode." Since 2005, every web browser has added a feature that automatically erases any record of visited websites, cookies or images. For the most part, these modes do effectively hide user Internet habits from other people using the same computer. But new evidence shows that dedicated attacks can retrieve the information.
Experts say this isn't something most people have to worry about, though: Any person or computer program with the skills to access that information could probably find the same material in another fashion. So even though private browsing mode isn't totally private, it still protects information well enough for its main uses.
"For a common user, it should not be that big of an issue," said Gaurav Aggarwal, a computer science researcher at Stanford University and coauthor of a recent paper on private browsing security. "But when we looked at the various [private modes in different browsers], there are a number of differences, and there are no standards amongst them. There is no agreed notion of what this mode is trying to protect against."
Ease vs. security
To save users from the tedium of retyping every URL, remembering every password and waiting for each picture to load, Internet browsers save that information on the computer's hard drive in a cache. This cache speeds up browsing, but it also leaves a history of what websites were viewed and when.
"Normally, Firefox remembers a fair bit about where you've been and what you've done online so that it can make your life easier: auto-filling Web forms, making it easy to get back to sites you've visited recently, caching frequently loaded content to speed up sites," said Johnathan Nightingale, Mozilla's Director of Firefox Development.
But as people began to use the Internet for more and more sensitive tasks, like looking up medical records or performing financial transactions, users became increasingly paranoid about sharing computers. Software companies added the ability to erase any information about what a browser had accessed to alleviate those fears, but it was an all-or-nothing affair.
The introduction of private browsing mode in Safari 2.0 in 2005 gave users the ability to pick and choose what the browser saved, and what the browser deleted, Nightingale told TechNewsDaily. However, this new mode did slow down the speed of the browsers, forcing users to choose between ease and security.
"There's a tradeoff between functionality and security that's present in every software system," said Danny Quist, a computer security expert and founder of Offensive Computing, LLC. "If they didn't keep history browsing previously viewed items would be much more difficult, and for the most part users want to be able to access that information."
What's to hide?
When Apple first released Safari 2.0, it was marketed the function as a way to buy surprise gifts for loved ones without revealing their online shopping activity. And today, Internet Explorer markets its private browsing function as a way to conceal financial strategies and healthcare information when using public computers, according to a Microsoft spokesperson.
However, studies show that people actually use private browsing mode to obscure very different kinds of content.
"As I understand it, the mode was made to protect users who want to do 'sensitive surfing' without having their privacy affected. The Pollyanna reason is for online banking, but most people I know refer to it as porn mode," Quist of Offensive Computing told TechNewsDaily.
To uncover what people actually used the private browsing function for, Stanford University's Aggarwal and his team embedded a search program in online advertising. The results, presented in the Usenix Security Conference 2010 paper titled "An analysis of private browsing modes in modern browsers," show that the majority of users, for all browsers, really were looking at adult content.
As demonstrated by Aggarwal's ability to track traffic with online ads, administrators and hackers using other computers can not only follow someone using private browsing mode, but they even know whether or not the user is deploying the function. Of course, since private browsing mode was designed to only conceal that information from other people physically accessing the same computer as the user, that doesn't qualify as a failure of the program.
But private browsing modes do fail when paired with add-ons like Flash or Java players, Quist said.
When a user runs one of those programs in a browser, it creates snippets of tracking code called cookies and saves them to an area on the computer's hard drive not regulated by private browsing mode. By searching out the cookies left by those add-on programs, someone dedicated to discovering a browser's Internet history could piece together a list of at least some of the sites visited.
Additionally, browsers change the information on files located in the "profile" folder of the program. While these changes don't directly record what URLs the browser opens, they do keep track of which digital security certificates the browser recently approved. By linking those security certificates to specific websites, someone could reconstruct the browsing history even if the program operated in private browsing mode, Aggarwal said.
However, compared to the sheer volume of remote threats on the Internet, the security capabilities of private browsing mode barely effects the ultimate safety of online information.
"There's a lot more at stake from violating the protections put in place by the browser through exploits and remote code execution," Quist said.
"Then it doesn't matter if you have private browsing enabled, you're going to have all your information exposed."