Google disclosed the existence of a loophole in Chrome browser Incognito Mode and promised to close it by the end of July 2019. The move may undermine news publisher monetization by allowing users free and unlimited access to articles.
Google Chrome Privacy Loophole
Google’s announcement admitted there was a privacy loophole in Chrome’s Incognito mode. News publishers were able to detect if browsers were in incognito mode and use that information to give users a different experience. That is a violation of the currently evolving web standards for privacy mode.
According to Google:
“This will affect some publishers who have used the loophole to deter metered paywall circumvention…
Unlike hard paywalls or registration walls, which require people to log in to view any content, meters offer a number of free articles before you must log in. This model is inherently porous, as it relies on a site’s ability to track the number of free articles someone has viewed, typically using cookies.
Private browsing modes are one of several tactics people use to manage their cookies and thereby “reset” the meter count.”
What is the Chrome Privacy Loophole?
Chrome browser has a feature called a filesystem API. When Chrome is in incognito mode, this feature is disabled. News publisher were using that information to detect site visitors in incognito mode. News publishers would then force users to turn off incognito mode or to log in to their website.
The problem with that action is that it violates current web standards for browser privacy modes.
This is how Google explained it:
“With the release of Chrome 76 scheduled for July 30, the behavior of the FileSystem API will be modified to remedy this method of Incognito Mode detection.”
That means that news publishers offering metered articles will be unable to detect browsers in incognito mode, effectively granting users unlimited access to content.
Google claims that news publishers have options, but the suggestions do not seem to offer an actual solution to unfettered article access.
“Sites that wish to deter meter circumvention have options such as reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywalls.”
Privacy Mode Web Standards
The web standard for browser privacy mode is clear that websites should not be able to detect that a visitor is in privacy mode.
“…the use of private browsing mode should not be detectable by websites.
When the differences in browser behavior between privacy and standard browsing modes can be detected because of standardization or implementation details, websites might choose to degrade browsing experience (for example, not displaying content) when they detect the users in private browsing modes. This is undesirable.”
Google Did not Address Tracking Protection
Firefox in June 2019 accused Chrome’s incognito mode of offering a false sense of security for allowing tracking while in privacy mode. According to Firefox:
“The feature might keep your spouse from knowing what you’re thinking about getting them for your anniversary by erasing your history, but it does not prevent third-party tracking.”
Todays announcement does not close that particular loophole. There is nothing in the web standards that requires closing the tracking loophole.
The W3C web standards acknowledges that browser makers can incorporate anti-tracking features on their own for competitive reasons. Rather than forbidding advertising trackers, the W3C is allowing the market and user demand to force browser to that point.
Here is what the official standards says:
“Web privacy is a field of competition between web browsers. For example some browsers enable stricter tracking protection and content blocking…”
Today’s announcement shows that Chrome is making a significant advancement in protecting consumers privacy. It will be interesting to see how Chrome reacts should Firefox’s arguably better privacy features begin to chip away at Chrome’s market dominance.