Chrome Private Mode Not Quite Private
wiplash writes "Google Chrome appears to store at least some information related to, and including, the sites that you have visited when browsing in Incognito mode. Lewis Thompson outlines a set of steps you can follow to confirm whether you are affected. He has apparently reported this to Google, but no response has yet been received."
using 4.1.249.1064 on Win7.
So, since the example in TFA didn't restart Chrome between incognito windows, I decided to see what happened when I followed the steps with "4.5 Exit chrome completely, then restart", and can confirm that even when Chrome fully exits and is restarted, it remembers the zoom level used in a URL only ever visited in an incognito window.
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Do you believe every piece of FUD that comes out of sopssa's mouth? By default yes, everything typed into the address bar is sent to google which is how their autocomplete for searches works. If you just don't want it sent to google, change your default search provider. If you don't want it sent anywhere simply uncheck 'use a suggestion service to help complete searches and URLs typed in the address bar' in the Under the Hood tab of Options.
Exactly as reported.
I'm using 5.0.375.29 beta on an Air running 10.6.3 over wifi.
Went to cheese.com (the #1 resource for cheese!) and the zoom held.
Additionally, when I opened a new tab in non-incognito mode, the zoom STILL held, so there is definitely some communication between regular and incognito windows.
I'm devastated that my secret cheese browsing is now public.
"The pie shall be cut in half and each man shall receive.....death. I'll eat the pie."
There's always Chromium; I run it on Ubuntu. For Windows there's SRWare Iron. I'm not sure which is the preferred build for OSX; perhaps Crossover Chromium. TFA doesn't say whether Chromium is affected. Some comments under TFA state that the effect lasts only until Chrome is restarted, suggesting that the information is stored only in the memory cache.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Here's the bug in question, filed about 2 weeks ago:
http://code.google.com/p/chromium/issues/detail?id=43107
Seems like someone looked at it, prioritized and classified it (e.g. pri-2, internals-cookies).
What's the big deal? It's just a bug that needs to get fixed, not a huge conspiracy by Google.
The remember zoom was added to the 5.x Beta / Dev channels some time ago, and isn't a part of the current Chrome stable build. [ Google Blog Link : http://googlesystem.blogspot.com/2010/05/10-things-to-try-in-google-chrome-5.html ] Nevertheless, I doubt this is sending any information to Google. You forget Chromium is open source.
TFA only mentions zoom levels as being stored -- not any other info from users' porn-mode browsing session, just zoom levels. Chrome recently began saving users' zoom levels (if I'm not mistaken) so that pretty much explains that (while conveniently also accounting for why users of earlier versions may not be experiencing this phenomenon as well.) We're all waiting for google to slip up monumentally (or "pull a facebook," if you will,) but unfortunately we'll have to wait another day.
Be aware of the version you're using. Chrome v4 *may* not save the zoom level, so it wouldn't show it anyway. I'm on the dev channel, and thus am using the newly-released v6, and it's definitely reproducible.
Did you even look in options? Turn off "search suggestions". That's the feature that relies on this information being sent to Google.
Please, please stop spreading Microsoft's FUD.
Don't thank God, thank a doctor!
I just reproduced it in the exact same beta on Ubuntu. Steps are:
And people, please. What happened to "never ascribe to malice"? Chromium is an open-source project -- if you have to, fix it yourself, I have little doubt that patch would make it into the official Google Chrome.
Don't thank God, thank a doctor!
Iron works on Linux as well, not just Windows. I run it on Ubuntu 9.10. As I mentioned above, 4.0.275.2 (Developer Build 35171) of Iron is affected by the bug from the article.
Run Firefox or Google Chrome for a few days, click "Clear Recent History", select "Forever", exit them.
Now go to a directory where they store profile data and discover SQLite files containing information from all the web sites you've visited (`man strings`).
Both browsers 'forget' to run VACUUM on SQLite databases they are using. However it would be even better to zero fill all the files containing your traces, then delete 'em, then recreate them.
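The effect the comment above describes can be reproduced on a scratch database. This is an added example, not part of the original comment and not either browser's code; the `visits` table, the file name and the URLs are constructed for illustration. It deletes one row, then searches the raw file for the deleted URL with `secure_delete` off, after `VACUUM`, and with `secure_delete` on.

```python
import os
import sqlite3
import tempfile

# Constructed sample URLs; none come from the thread.
MARKER = "https://incognito-only.example/constructed-visit"
OTHER_URLS = ["https://news.example/a", "https://mail.example/b"]


def residue_after_delete(secure_delete: bool, vacuum: bool) -> dict:
    """Delete MARKER's row, then look for its bytes in the raw database file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "history.sqlite")
        # isolation_level=None: autocommit, so PRAGMA and VACUUM run outside a transaction.
        con = sqlite3.connect(path, isolation_level=None)
        # Set explicitly: some builds of SQLite default secure_delete to ON.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url TEXT)")
        con.executemany("INSERT INTO visits (url) VALUES (?)",
                        [(u,) for u in [MARKER] + OTHER_URLS])
        con.execute("DELETE FROM visits WHERE url = ?", (MARKER,))
        if vacuum:
            con.execute("VACUUM")  # rebuilds the file from live rows only
        visible = con.execute("SELECT COUNT(*) FROM visits WHERE url = ?",
                              (MARKER,)).fetchone()[0]
        con.close()
        with open(path, "rb") as fh:
            raw = fh.read()
    return {"row_visible": visible > 0, "bytes_on_disk": MARKER.encode() in raw}


if __name__ == "__main__":
    for sd, vac in [(False, False), (False, True), (True, False)]:
        print(f"secure_delete={sd} vacuum={vac} ->", residue_after_delete(sd, vac))
```

In the first case the row is gone from every query but its text is still in the file, which is what `strings` picks up; `VACUUM` or `secure_delete` removes it from the database file itself, not from filesystem blocks that were already released.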
The article shows that a per-site setting (page zoom) persists between incognito sessions. That's all. No mention or even speculation that Google is storing that information on their servers.
That said, Incognito was never meant to be private browsing from Google. Your search queries still get sent to your search provider (imagine that!) and auto-suggest will still work. What Incognito mode is for is to prevent your wife/brother/sister/boss from seeing the sites you use. This has been discussed to death already.
You know, that's embedded into most of the browsers.
Firefox was a little more polite about it, but it's still pretty deep in there. I was setting up an embedded machine with Firefox (local web browsing, no Internet connection). I was really surprised how many things were in there on a clean install of it. It's not just url completion. There's "safe browsing", SSL cert verification, updates.. Well, just do an about:config and search for http:/// and then https://./ There are 29 http URLs, and 22 https URLs. That may not include remote resources that may be embedded into the code. I didn't review it to find out, but I did have a packet sniffer running while I was working to make sure there wasn't anything extra going out.
This wasn't looked at because my tinfoil hat was on too tight. These are for offline embedded machines, but they may (just may) be up on some sort of Internet connection occasionally, and that may be ungodly slow. I may not have the luxury of a few extra bytes going over the wire, if that's all I have to work with. (yes, we're talking very slow connections). And yes, it's a Linux platform, so you don't have everything and then some creating unwanted network traffic. :)
Serious? Seriousness is well above my pay grade.
Actually, according to the developer discussion, this isn't a bug. They did it on purpose. They actually saved all of the sites that you made site-specific settings changes to.
They thought that the "convenience" of a better UI would outweigh the privacy risk of having the sites you visited after explicitly selecting privacy-mode saved in plain text on the file system.
Um, yes, and AFAIK you have been able since almost the beginning. Wrench-->options-->under the hood --> "Use suggestion service...".
Just for the sake of putting this stupid argument to rest, I tested it with wireshark, and yes, unchecking that box immediately causes chrome to cease sending URLs to google. In fact, with all the boxes unchecked, it appears that the only traffic sent is directly to the websites that you are fetching.
I like how your "yet" implies that that hasn't been there from practically the start, though, or that you can't just use chromium if you are really that worried about it.... really some quality FUD there.
So, maybe I'm just being an apologist here...
But while I did verify this, and can see some disk writes in ProcMon to a tmp file (which seems to be deleted on close), is it asking too much to have a little more info before running off and declaring it to be some additional nefarious way to collect info? Any packet sniffing, or even seeing if it can be replicated in chromium or Iron? Any effort to see ANYTHING AT ALL of what's going on, or whether that data is stored anywhere except the "magnify websites to this level" database?
I mean come on, I know Google is the new "cool to hate" company, but a 1 paragraph blog entry with NO technical details whatsoever makes REALLY poor outrage material.
http://code.google.com/p/chromium/issues/detail?id=43107
That's the point -- the Queen can't just step in because she doesn't like the current government, it's only if the shit really hits the fan, as a last resort. For example, if an elected government tried to turn itself into a perpetual dictatorship without the support of the public, she could go in and kick some ass.