With the release of Chrome 76, Google attempted to put a stop to web developers and publishers detecting people using Chrome’s Incognito Mode. Unfortunately, it seems their efforts may be all for naught, as at least one major news outlet, The New York Times, has managed to put their hard paywall back up for those using Chrome Incognito.
We’ve been tracking Google’s effort to block Incognito Mode detection since February when we discovered a document laying out the Chrome development team’s intentions. Since then, Google rolled out the functionality to all devices with the release of Chrome 76.
Of course, since then multiple security researchers have discovered at least two new ways of detecting Incognito Mode, which can just as easily be copied to almost any website. Google knew this was inevitable, which is why they publicly explained their desire for user privacy and urged sites to consider not circumventing this Incognito Mode protection method.
“We suggest publishers monitor the effect of the FileSystem API change before taking reactive measures since any impact on user behavior may be different than expected and any change in meter strategy will impact all users, not just those using Incognito Mode.”
Predictably, this request fell on deaf ears, as The New York Times seems to have already resumed their practice of detecting Google Chrome’s Incognito Mode, as spotted by Techdows. Navigating to any of their articles in an Incognito window instead treats you to a prompt to log in to continue reading.
What’s interesting is that the page’s code doesn’t seem to feature either of the currently known solutions for spotting an Incognito window. All of the code the Times used to detect private browsing in other browsers (and older versions of Chrome) is still firmly in place but does not appear to feature any new solutions specific to Chrome 76.
With a major player like The New York Times going back to business as usual with detecting Incognito Mode, it’s only a matter of time before other publishers follow suit, making Google’s most recent effort an exercise in futility. However, if the Times’ new method still relies in any way on the FileSystem API that the original detection method used, there’s a glimmer of hope.
In the original plan for putting an end to Incognito detection, Google explained that they would like to “deprecate and remove” the FileSystem API altogether, assuming usage statistics show that few enough sites use it for legitimate reasons. Unfortunately, there’s no way to know how quickly Google would be able to make such a move, meaning paywalls will continue to reign for the foreseeable future.