4 Ways You Can Be Tracked When In Private Browsing

Private browsing is private, right? It’s in the name. Private browsing.

Well, in 99% of cases, it is. You open a special window in your chosen web browser, and use it for stuff you’d much rather wasn’t stored in your browsing history. When you’re finished, simply close it, and everything will be forgotten.

Except, that isn’t always the case. There are severals ways in which private browsing can be defeated. Some of them don’t even need all that much work.

Nvidia GPUs Never Forget

Two years ago, Canadian student Evan Andersen fired up Diablo III after an evening spent watching adult videos. But instead of seeing the popular hack-and-slash role playing game, he ended up seeing the raunchy movies he’d been watching earlier.

“When I launched Diablo III, I didn’t expect the pornography I had been looking at hours previously to be splashed on the screen. But that’s exactly what replaced the black loading screen. Like a scene from Hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen.”

An Electrical and Computer Engineering Student, Andersen immediately knew something was amiss. Not least because he’d been looking at YouPorn through the supposed shield of Google’s Incognito Mode. So, he started digging.


Ads by Google

It turns out, there’s a serious flaw with how Nvidia’s graphics drivers handles memory. On his blog, Andersen says:

“When the Chrome incognito window was closed, its framebuffer was added to the pool of free GPU memory, but it was not erased… When Diablo requested a framebuffer of its own, NVIDIA offered up the one previously used by Chrome. Since it wasn’t erased, it still contained the previous contents. Since Diablo doesn’t clear the buffer itself – as it should – the old incognito window was put on the screen again.”

Andersen told Nvidia and Google about the bug in 2014, but didn’t hear back from them. After almost two years of waiting for their respective security teams to issue a fix, Andersen took matters into his own hands published it on his own blog. That’s pretty standard for anyone practicing responsible disclosure.

At the time of writing, Nvidia is yet to issue a fix.

Canvas Fingerprinting

Cookies can be wiped. You can install AdBlock. You can use a VPN which blocks advert trackers, like SurfEasy does. You can turn on Incognito mode. You can use your laptop in a cave, while crouched under a Faraday cage. But canvas fingerprinting can demolish all that without breaking a sweat.

So, how does it work? Well, by using HTML5’s Canvas API (Application Programming Interface), it creates a hidden line or image that identifies that particular computer. The kicker is that each identifying token is virtually unique to each computer, although it’s totally possible for collisions to occur.

This uniqueness comes from a series of calculations which take into account various attributes of the computer. Everything from the GPU configuration, to the browser, to what plugins are installed, makes up the token.

The only sure-fire way to defeat it is to prevent the web-page you’re on from using the Canvas element. To do that, you’ll either have to install an older browser (you can still download Internet Explorer 6, bizarrely), or to disable JavaScript. This will have a negative impact on your browsing experience, however, as most sites are hopelessly dependent on JavaScript, and will fail to work properly without it. It is for this reason why James Bruce described it as part of his Trifecta of Internet evils.

The Man in the Middle Sees Everything

Incognito Browsing is only really effective within the browser. Once the packet leaves your computer, and starts to snake its way through the vast expanse of the Internet to its eventual destination, all bets are off.

If someone’s sitting on the same local network as you, they can intercept your traffic in real-time. The software required to do isn’t especially exotic. It’s just Wireshark.


Another threat is the potential for someone to act as a node on the path your packet takes from your computer, to its eventual destination. One of the most common manifestations of this is in rogue hotspots, where people create wireless networks with the intention to get people to connect to them, so they can capture and analyze all traffic that goes through the network. This is called a Man in the Middle attack.

There’s a few things you can do to mitigate against this. Firstly, install the HTTPS Everywhere plugin, available for Chrome and FireFox. As the name suggests, this forces SSL connections where possible. While it’s not a sure-fire solution, it helps. It’s worth noting that HTTPS Everywhere can have some adverse effects on some websites. I know that on this particular website, it can introduce some visual glitches.

Secondly, you can use a VPN. These essentially tunnel your connection through a secure connection, preventing anyone on your network from seeing what you’re doing.

Malware and Browser Extensions

I’m going to briefly touch on the software side of how Incognito mode can be defeated. Partly, because much of it is obvious. If your computer is a festering slag-heap of malware and viruses, no amount of Incognito Mode will keep you secure.

If each keystroke is being tracked by a keylogger, pressing CTRL-SHIFT-N isn’t going to suddenly improve your privacy or security. Your best bet is to simply wipe your machine, and start afresh. This is something that’s been made much simpler in newer versions of Microsoft Windows.

One potential attack vector against incognito mode is through browser extensions. If you’re using an extension that records what you do online, and you activate it in Incognito mode, you undermine any privacy advantages that you get from using incognito mode.


Incognito Mode: Know Your Limits

Incognito mode is great if you want to browse the Internet without leaving a trace, locally. But remember that it’s not a sure-fire way to stay shrouded online. It can be undermined quite easily; from a dodgy GPU driver, to a rogue Chrome extension, to even a man in the middle attack.

Has private browsing ever let you down? Tell me about it in the comments below.

Photo Credits: WireShark (Linux Screenshots)