As many websites make their money from tracking and advertising, especially advertising targeted to individuals based on their web activity, Google Chrome’s Incognito Mode can help give users a sense of privacy by temporarily disconnecting from their Google, Facebook, and Amazon accounts. For those who use Incognito this way, you may be shocked to know that Chrome has long had a flaw that can be abused by web developers to detect whether you’re using Incognito Mode. According to a set of new code changes, Google is finally looking to fix this issue.
Unfortunately, it’s been no secret among web developers that there’s a very simple trick to determine whether or not a user is in Incognito Mode. A simple search for “how to detect Incognito mode” returns results from Stack Overflow, where developers have shared the best ways to do so.
The currently accepted answer is to simply attempt to use the “FileSystem” API, typically used by applications to store files in, either temporarily or more permanently. While in Incognito Mode, this API is entirely disabled, as it can be used to create permanent files that would stay behind after leaving Incognito, defeating one of its main purposes.
Some websites, including major outlets with a paywall like The Boston Globe, use this trick to block detected Incognito users altogether as they cannot be tracked.
Obviously, being able to so easily detect whether a Chrome user is currently Incognito was not Google’s intention. A series of recent commits to Chromium’s Gerrit source code management reveal that Google is finally looking to solve this issue, after years of being aware of it.
Essentially, when asked for a file system while in Incognito, Chrome will create a virtual one using RAM, to fully ensure it’s deleted once you leave Incognito. This should easily shut down all current methods for detecting if Chrome is Incognito.
According to an internal design doc obtained by 9to5Google, once this protection is in place, Google’s ultimate goal is to remove the FileSystem API altogether, based on how many legitimate uses of it remain once the Incognito detection abusers move on.
Since there’s no adoption of the FileSystem API by other browser vendors, it appears to be only used by sites to detect incognito mode. By making this harder, hopefully the overall usage of the API goes down to the point that we can deprecate and remove it.
As for when Chrome’s Incognito detection prevention feature is expected to launch, the developer responsible for the project says he intends for it to arrive in Chrome 74 behind a flag, before being enabled by default “2 milestones” later (or Chrome 76). Should this stay true, you’ll be able to properly disguise Incognito mode from being detected by using the flag #enable-filesystem-in-incognito starting with Chrome Canary builds in the coming days.