Chrome Private Mode Not Quite Private

wiplash writes "Google Chrome appears to store at least some information related to, and including, the sites that you have visited when browsing in Incognito mode. Lewis Thompson outlines a set of steps you can follow to confirm whether you are affected. He has apparently reported this to Google, but no response has yet been received."

Addicted.

Google is addicted to your information, and will do whatever they can to get more.

They cannot help themselves.

Resist.

Re:Addicted.

[oldhack]

Yep, the default stance of Google is they'll snoop on you in some mode because it's what they feed on. Modulate your tinfoil hat accordingly.

Re:Addicted.

[Blue+Stone]

Is there any way to stop Chrome sending the info of the URLs you type into the address bar back to google, yet?

Re:Addicted.

[sopssa]

Yes, it's the basis of their business model. They need all that information to serve their advertisers better. This means they're also constantly looking for new ways to get even more and more information. Even if some of their services currently aren't related to advertising (like their free DNS service), there's no guarantee that they cannot be in the future. They're awfully easy to integrate later when they have grown, and with publicly traded companies you never know what is going to happen in the future. Especially when they're looking for new ways to generate advertising revenue.

Notice that all of their services are related to obtaining information, usage statistics, datamining and serving advertisement. YouTube too is a great resource for advertisers, as soon as online video matures a little bit more (though they're already working on it).

Not that it's a bad business model - but if you value your privacy, you might want to consider forgetting freeloading for a moment and buying software. You know, the business model that is based on customers paying for the software instead of selling their soul for advertisers. Google is the new adware business, they have just hidden it better.

Re:Addicted.

[Skal+Tura]

and thus this is in no way surprising

Re:Addicted.

[WrongSizeGlass]

Is there any way to stop Chrome sending the info of the URLs you type into the address bar back to google, yet?

Yes, stop using Chrome.

Re:Addicted.

Do you believe every piece of FUD that comes out of sopssa's mouth? By default yes, everything typed into the address bar is sent to google which is how their autocomplete for searches works. If you just don't want it sent to google, change your default search provider. if you don't want it sent anywhere simply uncheck 'use a suggestion service to help complete searches and URLs typed in the address bar' in the Under the Hood tab of Options.

Re:Addicted.

[WrongSizeGlass]

Whoever moderated this "insightful" may want to read the article first. Do you really think that it's Google's nefarious plan to record the magnification settings of the web pages that you visit?

It's Google's plan to record anything and everything about you that it can, which makes the difference between Google and Facebook simply a matter of spelling.

Re:Addicted.

[kdemetter]

"We are the Google , you will indexed " ?

Re:Addicted.

[16384]

And stop using firefox too

Re:Addicted.

[ObsessiveMathsFreak]

Basically, Google is the insatiable voyeur, we are all the neighbourhood children, and Chrome is the delicious sweety used to entice us into giving the smiling man what he really wants.

Re:Addicted.

[Ceriel+Nosforit]

You're not worried about the DNS servers?

Re:Addicted.

[gzipped_tar]

How, exactly, is "buying software" supposed to stop "customers selling their souls"?

Re:Addicted.

[Mordok-DestroyerOfWo]

Google is addicted to your information.

Just a few more kilobytes man, just a few more and I'm done!

Re:Addicted.

[Mordok-DestroyerOfWo]

Your informational distinction will be added to our own.

Re:Addicted.

[Mordok-DestroyerOfWo]

So Google is Herbert?

Re:Addicted.

[steelfood]

I'm not too worried about my privacy when it comes to corporations. Partly, it's because they already have a lot of data on me. Partly, it's because if they abuse it, I have at least a possible method of recourse.

What I am worried about is the government getting their hands on such data. Now that's a danger that far exceeds what a corporation can do. And, you have no method of recourse against the government.

Look at it this way: The worst a corporation could do is deny me a loan, because I buy a lot of junk online, and that means (by whatever twisted logic corporations employ) I'd be more likely to default on it.

The worst a government can do is pull me over for a traffic violation, and throw me into prison without a trial because the routine check brought up the fact that I frequent sites that advocate extreme or even locally unpopular views.

Which all leads to why I try to keep as anonymous as practically possible. Corporations don't have adequate data retention (or deletion) policy for my needs. And they cave easily to the government. Google is only slightly better in that they explicitly state how long they'll keep the data. But until every corporation adopts far more restrictive data retention policies whether by government regulation or by public outcry, I'm going to keep data on me from leaking out as much as possible.

And before anybody points out the obvious contradiction above, I'm just going to say that entities can work for you sometimes, and against you sometimes, neither of which precludes them from doing the complete opposite at the same time.

Re:Addicted.

[Tumbleweed]

Google is addicted to your information, and will do whatever they can to get more.

They cannot help themselves.

No way, man, they can quit any time they want to - they've done it a hundred times!

Re:Addicted.

[owlstead]

And they do this by storing some information on *my* PC where they cannot reach it? What's the point exactly? The freakin info is stored in the local preferences. Yes, it's a - relatively harmless - side channel and no this is not Google being evil.

Re:Addicted.

[Snarf+You]

Is there any way to stop Chrome sending the info of the URLs you type into the address bar back to google, yet?

Yes - use SRWare Iron. It's a fork of Chrome, without all the phone-home stuff.

Re:Addicted.

[blair1q]

"We are the Google. You have already been indexed."

Re:Addicted.

[AnotherUsername]

I was going to reply with comments related to the Constitution(specifically the Bill of Rights), how the court system works, the various court cases the Supreme Court has ruled on regarding protests and freedom of speech, and other facets of how the law protects you from government abuse related to freedom of speech and protest/demonstrations, but then I remembered that this is Slashdot, and the government is always bad, and corporations are always better than the government.

I sometimes forget that I am in the minority around here when it comes to trust of the government vs. trust of corporations(I trust the government more than I trust corporations, though I have a healthy wish for privacy). I am one of those that thinks Orwell is overrated(I like the stories, but I don't see them happening), with Huxley's Brave New World being my dystopian present/future to be feared.

Re:Addicted.

[TheLink]

What I noticed recently was when I clicked on the final "clear browser data" button, Google Chrome would make a http request or two back to Google. Not sure why this happen. I don't have "send usage statistics and crash reports" enabled, but I do have show suggestions, use suggestion service dns prefetching, phishing protection enabled.

Anyone else managed to reproduce this on their Google Chrome browser?

Re:Addicted.

[mwvdlee]

And how exactly do you know this for sure?

Have you ever heard a company say "We're earning enough money, we don't want any more"?

Re:Addicted.

[sopssa]

Of course you don't know it for sure, but if they did that they would be risking their reputation too. It would be stupid to risk their main business just to get that extra one dollar. In the long run it would cost them a lot more. At most it would be an opt-in like thing.

I'm not saying all software you buy is like that, but since the base monetarization method is completely different, theres a much larger change for that. All of that is of course hidden in EULA or privacy policy.

Re:Addicted.

[wiredlogic]

Their DNS system is related to advertising. It allows them to tie a specific IP address to user activity which can be used to build a demographic profile useful to marketers and advertisers. This can be kept anonymous and aggregated or they can correlate the IP address with its use on existing Google accounts to merge in additional info like gender and approximate location in the world.

Re:Addicted.

[pclminion]

And why do people continue to act surprised by it? The little seed of an idea which eventually grew to become Google was PageRank -- a DATA MINING ALGORITHM.

Oh my God, a company founded on data mining wants data to mine! I'm shocked!

Re:Addicted.

[Lunix+Nutcase]

It's funny also in light of the fact that many of them claim Jefferson as a hero and yet Jefferson was very much anti-corporation.

Re:Addicted.

[bratgitarre]

Use Iron , which is sort of like Chrome for the privacy-conscious. Note that the bug from the article is present in SRWare Iron 4.0.275.2 (Developer Build 35171) as well, though so this appears to be a Chromium issue(?).

Re:Addicted.

Wrong, google makes no effort whatsoever to hide the fact that their income comes from targeted advertising. Given the price of software, which can dwarf the price of the hardware it runs on, it's not too bad of a deal. The sell your soul comment was tongue in cheek, I'm assuming, since my soul consists of a lot more than my online browsing habits.

Re:Addicted.

[ABCC]

In chromium this is possible on the Options > Under The Hood tab as the "Use suggestion service..." option.

Re:Addicted.

[T-Bone-T]

I'm not following you. Why can't they reach the info on your PC that is put there by their program? Your computer is free storage for them. It may not be reachable for most of the time but Chrome will tell them when it is available.

Re:Addicted.

It's Google's plan to record anything and everything about you that it can, which makes the difference between Google and Facebook simply a matter of spelling.

So somebody, while designing the secret browsing mode, made sure to wipe at the URL you visited, the IP addresses, cookies, but maliciously and deceptively left in the recording of magnification settings, so at least Google could spy on THAT?

Is that really what you're saying? That doesn't trigger ANY internal fear that you may be paranoid?

Re:Addicted.

[geekoid]

" Partly, it's because if they abuse it, I have at least a possible method of recourse."
then
"Now that's a danger that far exceeds what a corporation can do. And, you have no method of recourse against the government."

WOW. That is completely backwards.

You have a great many avenues of recourse against the government then you have against any corporation.

Why do people even think that?

Re:Addicted.

[jason.sweet]

How, exactly, is "buying software" supposed to stop "customers selling their souls"?

You're not exactly selling your soul. You are only licensing it. Hope your DRM is up to date.

Most of these companies also have very strict privacy policies where they state that they wont sell or give your information to a third party or for advertising purposes.

The promise not to sell is usually followed by something like, "In order to help provide our services, we occasionally provide information to other companies that work on our behalf." Money and information changes hands, so the distinction is dubious at best.

Re:Addicted.

[cc1984_]

I was going to reply with comments related to the Constitution(specifically the Bill of Rights), how the court system works, the various court cases the Supreme Court has ruled on regarding protests and freedom of speech, and other facets of how the law protects you from government abuse related to freedom of speech and protest/demonstrations, but then I remembered that this is Slashdot, and the government is always bad, and corporations are always better than the government.

Sorry, I must have missed the bit where the GP said he was a US citizen.

Re:Addicted.

[erroneus]

That was supposed to be the promise of Cable TV... that cable TV subscriptions would mean more channels and no commercials. Definitely not the case. Most cable-only channels make you watch advertisement. Other commercial activities also cannot resist selling their customers.

Re:Addicted.

[thePowerOfGrayskull]

Google is addicted to your information, and will do whatever they can to get more.

They cannot help themselves.

Resist.

Don't ever kid yourself that you are Google's customer . You are the audience who consumes a subset of their products, but the *customer* is always the advertiser. What they sell is whatever information they can gather about you -- not directly (I hope), but indirectly in terms of advertising. That's the price you agree to when using their products -- including the ones you're using without being aware of it (as you are also consuming web sites that use adwords, analytics, etc).

Re:Addicted.

[obarel]

How, exactly, is "buying software" supposed to stop "customers selling their souls"?

You're not exactly selling your soul. You are only licensing it. Hope your DRM is up to date.

The problem is that nothing is stopping Google from copying your information between devices, unlike DRM. To be honest, I'd love to have my details protected by some DRM - every time a company makes any use of it, they have to contact my server first and ask for a one-time permission. Doesn't seem too likely, unfortunately.

Re:Addicted.

[jabithew]

Quite. Here in the UK the convention is that no Parliament may be bound by its predecessors, with the actual effect that we can change our "constitution" with a simple majority vote in the Commons. Considering the power of the party whips, and the tendency to one-party rule, we do effectively have an elected dictator.

Less so this time round, with the coalition, but even they have shown they can change the constitution with a simple majority vote and are willing to do so without an explicit mandate.

Re:Addicted.

[JWSmythe]

    You know, that's embedded into most of the browsers.

    Firefox was a little more polite about it, but it's still pretty deep in there. I was setting up an embedded machine with Firefox (local web browsing, no Internet connection). I was really surprised how many things were in there on a clean install of it. It's not just url completion. There's "safe browsing", SSL cert verification, updates.. Well, just do an about:config and search for http:/// and then https://./ There are 29 http URL's, and 22 https URL's. That may not include remote resources that may be embedded into the code. I didn't review it to find out, but I did have a packet sniffer running while I was working to make sure there wasn't anything extra going out.

    This wasn't looked at because my tinfoil hat was on too tight. These are for offline embedded machines, but they may (just may) be up on some sort of Internet connection occasionally, and that may be ungodly slow. I may not have the luxury of a few extra bytes going over the wire, if that's all I have to work with. (yes, we're talking very slow connections). And yes, it's a Linux platform, so you don't have everything and then some creating unwanted network traffic. :)

Re:Addicted.

[16384]

BTW, I wasn't trying to be funny. From http://www.google.com/intl/en_us/privacy_browsing.html

[...]Each time Firefox checks in with the third party provider to download a new blacklist, Non-Personal Information and Potentially Personal Information, such as the information that the browser sends every time you visit a website as well as the version number of the blacklist on your system, is sent to the third party provider. In order to safeguard your privacy, Firefox will not transmit the complete URL of web pages that you visit to anyone. While it is possible that a third party service provider may determine the actual URL from the hashed URL sent, [...]

Re:Addicted.

[teko_teko]

"We are the Google, you will indexed"

Robots.txt is futile.

Re:Addicted.

[fustakrakich]

All that is only true for the smaller companies, at levels where there might be real competition. When dealing with Google, Facebook, Microsoft, your service provider, the government, etc all bets are off. You should assume the worst. The small print indicates what's yours is theirs...

Re:Addicted.

[HBoar]

OK, I'm from one of your colonies, so I'm not 100% up to speed with the UK's system, but can't the Queen dissolve the government in extreme circumstances (at least in theory)? I'm pretty sure she can actually dissolve our government, which IMO is quite a sensible precaution to have in place....

Re:Addicted.

[fustakrakich]

...throw me into prison without a trial...

That's how a government protects a corporation...

You can't not buy from a corporation when the government gives them the monopoly over production of food and shelter, and finance.. and everything else

What we can do is vote in a different government.. You need to want to.. Complaining about it, and then voting the same people back in doesn't count..

Re:Addicted.

[LordLimecat]

Um, yes, and AFAIK you have been able since almost the beginning. Wrench-->options-->under the hood --> "Use suggestion service...".

Just for the sake of putting this stupid argument to rest, I tested it with wireshark, and yes, unchecking that box immediately causes chrome to cease sending URLs to google. In fact, with all the boxes unchecked, it appears that the only traffic sent is directly to the websites that you are fetching.

I like how your "yet" implies that that hasnt been there from practically the start, though, or that you cant just use chromium if you are really that worried about it.... really some quality FUD there.

Re:Addicted.

[LordLimecat]

So, maybe Im just being an apologist here...
But while I did verify this, and can see some disk writes in ProcMon to a tmp file (which seems to be deleted on close), is it asking too much to have a little more info before running off and declaring it to be some additional nefarious way to collect info? Any packet sniffing, or even seeing if it can be replicated in chromium or Iron? Any effort to see ANYTHING AT ALL of whats going on, or whether that data is stored anywhere except the "magnify websites to this level" database?

I mean come on, I know Google is the new "cool to hate" company, but a 1 paragraph blog entry with NO technical details whatsoever makes REALLY poor outrage material.

Re:Addicted.

[steelfood]

Sure, I know all about those things. And when in the hands of reasonable, educated, and principled people, those are effective in keeping the government from being too confident in its own power over the populace, just as if those same type of people are running a corporation (publicly traded companies aside).

But I've also seen the government willing to throw one or several of them away or sweep them aside when convenient. Yes, eventually, things will go back to normal, and you will have your day. But that's eventually. Until then, you're going to be locked away in jail for an indeterminate amount of time while reasonable, educated, principled people may or may not succeed in righting your injustice. And worse, if there's the death penalty at play, well, you're pretty screwed if you can't get that appeal through or conviction overturned.

Whereas a corporation can deny you a few material luxuries by bankrupting you and ruining your credit score, the government can deny you your humanity. Government abuse of power is several orders of magnitude more destructive than anything a corporation can do to you.

Besides which, you should be wary of your government, because your government is no longer is afraid of you.

Re:Addicted.

[TheLink]

OK it doesn't send HTTP requests again if you do the clearing more than once in a browser session.

But if you restart chrome then only do the clear, it will send an HTTP HEAD to Google and Google will naturally set a cookie(s). It's not the same cookie each time.

Re:Addicted.

[Thinboy00]

OK, I'm from one of your colonies, so I'm not 100% up to speed with the UK's system, but can't the Queen dissolve the government in extreme circumstances (at least in theory)? I'm pretty sure she can actually dissolve our government, which IMO is quite a sensible precaution to have in place....

I'm not from the UK either, but from what I've read, that sort of thing is about as likely as the Vice President of the U.S. and a majority of the cabinet members writing to Congress claiming that the President was unable to carry out his duties, thus making the VP acting President, the President then declaring himself fit to carry out said duties, and the VP reiterating his claim, thus forcing Congress to figure it out.

In other words, it won't happen unless the PM goes completely batshit insane.

Re:Addicted.

[Thinboy00]

You have a great many avenues of recourse against the government then you have against any corporation.

Why do people even think that [corporations are less dangerous than government]?

Those avenues exist at the pleasure of the government. So do corporations.

Re:Addicted.

[HBoar]

That's the point -- the Queen can't just step in because she doesn't like the current government, it's only if the shit really hits the fan, as a last resort. For example, if an elected government tried to turn itself into a perpetual dictatorship without the support of the public, she could go in and kick some ass.

Re:Addicted.

[Thinboy00]

RTFA, particularly the comments. A lot of people report that killing chrome.exe at the appropriate time (when it says to "close the window") makes this unreproducible, suggesting magnification data is stored in session data, not persistently.

Re:Addicted.

[yuhong]

Yea, that artificial scarcity business model. It happens that in high school, I am doing an assignment of building a web site using tables for the navigation bar. It happens that the topic I chose is about how digital goods are easily copyable, and the flaws of artificial scarcity and attempts to create it, including how copyright, copy protection and DRM was used in the attempts. It is not even limited to software, the record and movie industries have the same problem too. And now thanks to E-books, the publishing industry have the same problem too. I will probably toward or after the end of the school year publish the index page and the 12 sub-topics that talks about this onto my blog (without the navigation, of course) and submit it to Slashdot, Reddit and Techdirt.

Re:Addicted.

[Jugalator]

WTF. This is obviously a browser bug. What on Earth does Google have to gain by letting the browser recall your zoom setting on the client-side? Stop trolling, please!

Google hasn't replied, but I assume that's because the stupid article author didn't even file a bug against this. I'm a complete nobody in Chrome development, but even I has done this in 2 minutes, an equivalent time period of composing a well formulated e-mail and sending it to Google.

Re:Addicted.

You're missing something. If the government is so much scarier than the corporations, then your data data isn't safe with the corporations either. What happens when the gov decides to order/ pay google to hand over all information they have about you?

Data mined by the corporations == data available to the government.

Re:Addicted.

[owlstead]

My computer is free storage for them? They can get to my browser preferences whenever they want to? Gods, I hope not.

Re:Addicted.

[TheRaven64]

It's a question of levels of indirection. In an ideal world, you would pay the developers directly. If you need a feature, you (and everyone else who needs that feature) would contribute something towards that feature. If there is sufficient demand for it, someone will provide it in exchange for money.

In a slightly less ideal world, you'd pay a company, which would collect feature requests and pay developers to implement the most common ones, then release the improved software in exchange for money from users.

In Google's world, there is a second layer of indirection between the money and the developers. Google pays the developers, the advertisers pay Google, and the users pay the advertisers (by buying their products). This means that there is a much bigger disconnect between what the users want and what the developers are told to write.

In the first model, the customer is the user, and the features are set by the customer. In the second model, the customer is some abstract archetypal user, and the features are set based on the company's understanding of what the archetypal user wants. In the third model, the customer is the advertiser and the features are set based on what the advertiser wants, with some tweaks to try not to alienate too many of the users.

Barebacking the internet

[qwerty8ytrewq]

If only we could observe something, without effecting it. Oh well.....

Cool

[DaleCooper82]

My girlfriend is using Facebook in Incognito mode...

WHAT

[Some.Net(Guy)]

You mean someone knows when I put my browser in Porn Mode?

Re:WHAT

[Minwee]

How else do you think Chrome gets to be so fast? The Chocolate Factory knows your entire browsing history so it just pre-loads your favourite pages before you even realize that you want them. Why shouldn't it keep track of your favourite kinds of porn, offshore gambling web sites, and that hotmail.com email address that you thought you were keeping to yourself?

Re:WHAT

[game+kid]

The Chocolate Factory knows your entire browsing history ... Why shouldn't it keep track of your favourite kinds of porn ...

Wait, is this a fudge-packing joke?

Re:WHAT

[PitaBred]

Man, I'd love it if I didn't have to click through so many shitty images to find the pr0n I wanted... wait, what was the question?

Didn't work for me

[TimHunter]

using 4.1.249.1064 on Win7.

Re:Didn't work for me

[k_187]

Yeah, seems this only affects the beta versions from their Dev channel.

Re:Didn't work for me

Yeah, seems this only affects the beta versions from their Dev channel.

Man that's evil! Putting bugs in their betas so they can spy on us...

Look at Firefox as well

Try running a strings against places.sqlite in Firefox as well after all the personal history has been cleared - I sometimes see URLs left in there.

Re:Look at Firefox as well

[gzipped_tar]

You may find this helpful. There's also a comment there about cleaning up places.sqlite using the built-in javascript console.

http://code.activestate.com/recipes/576843-firefox-sqlite-files-cleaner-linux/

I tried it and it appears to have cleaned the residual urls there. What's left in the strings output seems to be related to bookmarks.

Re:Look at Firefox as well

[Looce]

I think that the clearing of private data in Firefox is a bit counter-productive, because deleting from SQLite databases merely marks the rows' storage space as being reclaimable within the file.

I once cleared private data for a day when my places.sqlite was around 70 MiB, then checked the file size and saw that it hadn't even changed by one byte. It wouldn't surprise me if the URLs were still in there -- all of them, intact, until you visit other pages to make Firefox overwrite the reclaimable pages in places.sqlite.

Even if Firefox truncated places.sqlite when the user clicked "delete everything", the URLs would still be readable on the underlying storage device. Firefox would have to shred(1) or zero out the file. I doubt that's going to happen.

Re:Look at Firefox as well

[gzipped_tar]

That's the beauty of having multiple user accounts:

1) create pr0n user
2) browse pr0n
3) shred everything under $HOME/pr0n
4) profit!!!1

Re:Look at Firefox as well

[gzipped_tar]

Sorry by $HOME/pr0n I actually meant ~pr0n.

Re:Look at Firefox as well

[SanityInAnarchy]

Firefox would have to shred(1) or zero out the file.

And then there's journals.

Still, truncating the file makes recovery much more difficult, and makes it so that any process can reclaim it, not just Firefox. Fortunately, it's not that difficult to do it yourself -- just run VACUUM in sqlite.

Re:Look at Firefox as well

[makomk]

I *think* Firefox should be using the secure deletion mode of SQLite, so even if the file size doesn't change the data should be erased from it (though not necessarily from the disk completely). You might want to double-check this for yourself, though.

Re:Look at Firefox as well

[JWSmythe]

    For the truly paranoid, you could use a ramdrive while you're browsing, and then blow it away when you're done.

    Paranoia only protects you so far, since you're working on the Internet. It's good from Point A to Point A, but not beyond that. Serious paranoids won't ever get this advice though, since they're living in a cabin way out in the wood, with no electricity, phones, no computer. But their tinfoil hat is firmly affixed to their head. :) Then again, they're also wasting ammo shooting at trees that they are sure are watching them.

Re:Good thing my wife doesn't read Slashdot.

[just_another_sean]

One assumes that Mrs. Coward has seen enough of your posts over the years. I'd be surprised if she
even uses the internet anymore.

this doesn't happen to me

[yincrash]

tried it in 5.0.375.38 beta. my hypothesis is that he had other incognito windows open as well (probably with porn in them) that kept the incognito session going while he was open and closing the elephants.com window.

all incognito windows share the same session

Re:this doesn't happen to me

[__aasqbs9791]

I just did it with 5.0.375.38 beta on Ubuntu and it worked, even after closing all chrome instances, restarting Chrome and starting a new incognito window.

Re:this doesn't happen to me

[SanityInAnarchy]

I just reproduced it in the exact same beta on Ubuntu. Steps are:

1. Open new Incognito window
2. Visit brand-new website
3. Change zoom level dramatically
4. Close Incognito window (all of them)
5. Visit website in a non-Incognito window

And people, please. What happened to "never ascribe to malice"? Chromium is an open-source project -- if you have to, fix it yourself, I have little doubt that patch would make it into the official Google Chrome.

Re:this doesn't happen to me

[oever]

Works here in 5.0.342.9 (43360) Ubuntu when having only one incognito window open, visiting userfrienly.org, zooming, closing chromium completely, then reopening chromium, visiting dilbert.com to make sure the zoom level is not a general setting and then going to userfrienly.org. So yes, chromium must have save the zoom level associated with the website somewhere.

Persists across restarts, too

[emag]

So, since the example in TFA didn't restart Chrome between incognito windows, I decided to see what happened when I followed the steps with "4.5 Exit chrome completely, then restart", and can confirm that even when Chrome fully exits and is restarted, it remembers the zoom level used in a URL only ever visited in an incognito window.

Re:Persists across restarts, too

[emag]

I should mention this is with google-chrome-unstable 6.0.401.1-r47050 on Linux. YMMV.

Re:Persists across restarts, too

[thePowerOfGrayskull]

'course, it *could* be storing a hash (salted or not) of the domain name and not the domain name itself. The test suggested in TFA is pretty poor, and doesn't prove anything about whether the actual domain name is kept.

Re:Persists across restarts, too

[MrJones]

Confirmed, persist across restart. Chrome 5.0.375.38 beta

Re:Not surprised.

[sonicmerlin]

Maybe it's an honest mistake. Maybe. We'll find out with how Google reacts to this discovery.

Tried it...

[dcmoebius]

And like many of the comments in TFA, it didn't work for me (using 4.1.249.1064) once I completely closed out chrome.

It seems that the issue only affects certain versions of Chrome... I'm guessing this is an honest bug, but since it's google, everyone freaks the hell out.

No way!

[theVP]

A Google App that collects information, even if you ask it not to? Say it isn't so!

Reproduced it here just fine

[droopus]

Exactly as reported.

I'm using 5.0.375.29 beta on an Air running 10.6.3 over wifi.

Went to cheese.com (the #1 resource for cheese!) and the zoom held.

Additionally, when I opened a new tab in non-incognito mode, the zoom STILL held, so there is definitely some communication between regular and incognito windows.

I'm devastated that my secret cheese browsing is now public.

Re:Reproduced it here just fine

[theVP]

Great, you now took down the #1 resource for cheese with the Slashdot effect. Good going.

Re:Reproduced it here just fine

[droopus]

Bwah, so we eat Cracker Barrel for a week. This is about our pr0n privacy!

Excellent comeback, my compliments.

Re:Reproduced it here just fine

[pwnies]

Works here as well. 5.0.342.5 dev running on Ubuntu.

Not an issue of trust

[Saishuuheiki]

This isn't even an issue of trust. It's not a question of whether Google is stealing information about you, or even privacy. It's an error or a possible bug wherein the mode where the browser is in essentially *no history* mode isn't working 100% w/o history.

If this is true, then it raises issues of quality control, not trust

Re:Not an issue of trust

[Rockoon]

If this is true, then it raises issues of quality control, not trust

You trust companies with shitty quality control.... when they make quality claims?

Re:Not an issue of trust

[Beelzebud]

Sorry, I don't trust companies that have poor quality control either.

Then again, Chrome never was private...

[carlhaagen]

...I'm sure enough people already know exactly what information of your doings the browser sends back to Google.

Re:Not surprised.

[Skal+Tura]

Honest mistake just like the WIFI data collection ordeal? yeah sure ...
There's no mistakes like that happening with Google, only closing data collection after public outrage and blaming it as a mistake

Re:Not surprised.

[drinkypoo]

There's always Chromium; I run it on Ubuntu. For Windows there's SRWare Iron. I'm not sure which is the preferred build for OSX; perhaps Crossover Chromium. TFA doesn't say whether Chromium is affected. Some comments under TFA state that the effect lasts only until Chrome is restarted, suggesting that the information is stored only in the memory cache.

Re:Not surprised.

This and many other things about privacy concern me. I work at MIT and google and other big companies hang around, and both within academia and industry there are not enough people advocating privacy and information ownership. Trust me, or not, but Big companies lust over personal information.

Re:Not surprised.

[Beelzebud]

There's always Firefox, too.

The bug

[trazan]

Here's the bug in question, filed about 2 weeks ago:
http://code.google.com/p/chromium/issues/detail?id=43107
Seems like someone looked at it, prioritized and classified it (eg pri-2, internals-cookies).
What's the big deal? It's just a bug that needs to get fixed, not a huge conspiracy by Google.

Re:The bug

[EvolutionsPeak]

Look, we're trying to do some rabble rousing here and you are not helping.

Re:The bug

[ChienAndalu]

not a huge conspiracy by Google.

Admit it, you're one of them!

Re:The bug

[Jugalator]

The bug even makes sense, if you've followed Chrome development, since this is one of the latest features. It's not abnormal that it'll have a few oversights here and there. :p

I'm amazed by Slashdot's ability to move from client-side recollection of your zoom setting to "sniffing out user data for advertiser revenues and general baby-killing". Slashdot must not have masturbated to their JPG's yet today.

Known "feature" from Chrome 5 Beta

The remember zoom was added to the 5.x Beta / Dev channels some time ago, and isn't a part of the current Chrome stable build. [ Google Blog Link : http://googlesystem.blogspot.com/2010/05/10-things-to-try-in-google-chrome-5.html ] Nevertheless, I doubt this is sending any information to Google. You forget Chromium is open source.

Um no

[coolsnowmen]

There are many ways to finger print something that are not reversible. For instance, this is just page viewing preference data about a site you visited. What if it takes a hash of the url and uses that to store settings like current zoom and scroll location. There is almost no way this violates the idea of 'incognito' mode.

Re:Um no

[Rockoon]

You are kidding, right?

So I jump on your computer and browse to red-hot-midget-porn.net and find that the zoom level isnt the default value...

Do I conclude that (A) you don't like red-hot-midget-porn?, or (B) you do like red-hot-midget-porn?

Well in any case, I'm pretty sure that everyone likes red-hot-midget-porn, so maybe this is a bad example.

Re:Um no

[elmodog]

Do I conclude that (A) you don't like red-hot-midget-porn?, or (B) you do like red-hot-midget-porn?

It depends on whether it's zoomed in or out.

Re:Um no

[Ben174]

Not only that, but you *zoom in* on red-hot-midget-porn. Presumably because midgets are smaller and must be enlarged to show texture.

Re:Um no

[halcyon1234]

So I jump on your computer and browse to red-hot-midget-porn.net and find that the zoom level isnt the default value...

Then I would ask "If you end up zooming in on the midgets anyways, why not just go with regular-sized porn?"

The Phone Company

[MrEricSir]

How is this addiction any different from, let's say, the phone company?

Re:The Phone Company

[ObsessiveMathsFreak]

At least the phone company didn't listen in on your every call.

Re:The Phone Company

[MrEricSir]

But how do you know that? And how do you know Google IS doing that?

Re:The Phone Company

[T-Bone-T]

1. Phone companies don't have the resources to listen in on every call.
2. I thought the whole point of the article is that Google IS listening in on your browsing.

Re:The Phone Company

[MrEricSir]

1. Neither does Google, unless you define "listening in" as something else entirely.
2. Clearly you didn't RTFA. The story is that Google Chrome's "incognito" mode has a bug where it occasionally leaves traces behind on YOUR computer.

Re:The Phone Company

[Sancho]

The article shows that a per-site setting (page zoom) persists between incognito sessions. That's all. No mention or even speculation that Google is storing that information on their servers.

That said, Incognito was never meant to be private browsing from Google. Your search queries still get send to your search provider (imagine that!) and auto-suggest will still work. What Incognito mode is for is to prevent your wife/brother/sister/boss from seeing the sites you use. This has been discussed to death already.

Re:The Phone Company

[JWSmythe]

    Are you sure about that? Your voice communications are going over the wire unencrypted. Well, at least until it hits a digital circuit, but even that's not "safe", it's just obfuscated from sticking a speaker on the line.

    They could be listening to some or all. And there's been enough information about the gov't doing it. You shouldn't believe that there are up to two listeners on any phone call. (Lowered to one when you're talking to the wife. She never listens to you, and you know it. {grin})

Re:The Phone Company

[Fareq]

Actually, according to the developer discussion, this isn't a bug. They did it on purpose. They actually saved all of the sites that you made site-specific settings changes to.

They thought that the "convenience" of a better UI would outway the privacy risk of having the sites you visited after explicitly selecting privacy-mode saved in plain text on the file system.

Re:The Phone Company

[pete_norm]

Auto-suggest does not work in Incognito mode. The only thing that is searched is the history of your browsing while in Normal browsing mode.

Re:Not surprised.

[roman_mir]

If someone's dick ends up in your ass, would consider the possibility that it was an honest mistake?

Pitchforks down, please, no story here

[TerrenceCoggins]

TFA only mentions zoom levels as being stored -- not any other info from users' porn-mode browsing session, just zoom levels. Chrome recently began saving users' zoom levels (if I'm not mistaken) so that pretty much explains that (while conveniently also accounting for why users of earlier versions may not experiencing this phenomenon as well.) We're all waiting for google to slip up monumentally (or "pull a facebook," if you will,) but unfortunately we'll have to wait another day.

Re:Pitchforks down, please, no story here

[Monty845]

From the google bug tracker: "we (the UI design team) made the choice to purposefully remember incognito zoom levels."

Sounds like the intentionally gutted the security of the incognito mode for the zoom levels... Its one thing if its an oversight, but to do it intentionally reveals a total disregard for the privacy someone using incognito expects.

Re:Pitchforks down, please, no story here

[McDutchie]

You're missing the point. If Chrome records zoom levels for particular sites, each such record is proof by implication that you visited the site. The Incognito mode is supposed to prevent recording of what sites you visit.

Re:Pitchforks down, please, no story here

[jonnythan]

If it remembers zoom levels for particular websites, it must remember the websites themselves. That also means someone can potentially obtain a list of URLs you visited in incognito mode.

That defeats the entire point of incognito mode. It's not supposed to remember anything.

Re:Pitchforks down, please, no story here

[Nerdfest]

You could remember a hash of the url ... just a thought.

Re:Pitchforks down, please, no story here

[owlstead]

Nope, can't do that. There are two reasons: the hash can be restored to an URL by guessing (brute forcing) the URL, calculating the hash and comparing. And as others pointed out, it can also be found by simply visiting the site.

So it's a thought, but it's not a particularly good one.

Re:Pitchforks down, please, no story here

You are completely misinterpreting that comment and the history of this behavior.

I have left a final comment on the bug to try and spell things out in detail for the Slashdot crowd.

--Peter Kasting, Chromium developer and author of the zoom level memory code

Re:Pitchforks down, please, no story here

I read your final comment.

That's nice, but you still deliberately developed a piece of code called "Incognito Mode" and advertised that it wouldn't remember anything about the sites you visit -- and then silently recorded information about the sites you visit.

There's no getting around the fact that your team deliberately lied to users. You specifically told them that you wouldn't do something -- and then you did it. On purpose.

I've said it before, I'll say it again

[erroneus]

Google is a marketing/sales/advertising company. They can only be trusted to a certain point. Their motives are not those of a generous and altruistic organization. Their motives are consistent with those of the type of business they are. It is as simple as that.

Re:Not surprised.

[gzipped_tar]

Incompetence. Malice. Sufficiently advanced. Blah blah blah.

Re:*Sigh* not true.

[owlstead]

There are also posts that it *does* work on later versions.

Hopefully you will now get modded into oblivion showing that the modding system actually works, so I can truly say:

Well done Slashdot!

Re:Not surprised.

[severoon]

I don't get the flap over the wifi collection thing. It was publicly open wifi stuff they were collecting. If I stick a bullhorn out my window and I yell, I'm eating breakfast now, I'm showering now, I'm going to work, is it reasonable to reserve the right to be offended when people know about the particulars of my day?

Re:Not surprised.

[Beelzebud]

Troll rated? Really?

for those that cannot reproduce this...

[Tumbleweed]

Be aware of the version you're using. Chrome v4 *may* not save the zoom level, so it wouldn't show it anyway. I'm on the dev channel, and thus am using the newly-released v6, and it's definitely reproducible.

I submitted this a while ago

[rcamans]

Submitted by rcamans on Friday October 23 2009, @01:21PM
rcamans writes "Visit a bunch of sites in Chrome incognito, and then look at your history in IE 7. Oh My God! A few of the sites you did not want in history are in IE history? How did they get there? A nasty in Windows XP OS. Oh, man...
These sites do not show in Opera history, Safari history, Chrome history, or FIrefox history. So maybe it has to do with IE integration into the Windows OS. Do not trust Chrome incognito until this bug is fixed. If it can be fixed.

Also, IE7 search history shows Chrome incognito search items. Oops

Re:Not surprised.

[Jaysyn]

The SRWare Iron link is dead.

Storage location

[blueg3]

I have the Chrome 5.0.375.38 beta from Ubuntu 10.04. Browsing Incognito appears to still change a number of files on disk, though I haven't investigated what is changed or stored. Finding the zoom problem is straightforward, though:

Per-site zoom levels are stored in a Preferences file (.config/google-chrome/Default/Preferences for me) in a "per_host_zoom_levels" section. It appears that the key is the domain name and the value is the zoom level. These seem to be saved when Chrome exits and, at least in my version, are set and accessed from both regular and Incognito mode.

So, anyone who can read this file knows on what domains you have set non-default zoom levels, regardless of whether you accessed the site in Incognito mode.

linux config file

[Rubedo]

In linux, the zoom preferences are stored in the file ~/.config/chromium/Default/Preferences . Making the default directory non-writable by the user will prevent the zoom level (and whatever else) from being stored.

Re:linux config file

[andrewbaldwin]

I confess that I have not [yet] looked in Preferences but this may be of interest...
in .config/google-chrome/Default
link /dev/null to the following files
ln -s /dev/null xxx where xxx is

• History
• History Index
• Thumbnails
• Web Data

Chrome will complain when you start up but will still work. This stops it creating new tabs with a list of 'favourite pages' and removes the history stored on your machine. It obviously will not store any tracked data held by sites visited.

Re:linux config file

[Slashcrap]

If you can do it on Linux, you can do it better on Windows due its superior complex ACL support :

1. Click through a number of complicated windows some of which look identical but aren't.
2. Oh fuck this shit.

I hope this is of help to Windows users. It should be equally easy to reverse, unless you fuck up and remove your own ability to make changes, which you probably will. Fortunately there are a number of Windows focused help forums full of experts who will quickly guide you to a sol.. ahahahaha holy shit I can't even finish that one.

Simple explanation

[jeti]

Chrome is very likely to hold the DOM of visited pages in the cache so that f.e. hitting the back button will quickly render the previous page. That does not necessarily mean that the information gets persisted on the hard drive or is available to other pages. On the other hand it's not unlikely that the information sometimes gets paged out to the hard drive and persists until it gets overwritten.

Re:Not surprised.

[drinkypoo]

I just tested it and it works here... in Chromium on Ubuntu Lucid x64, FWIW (not much)

Re:Not surprised.

[LingNoi]

Terrible example. Collecting wifi ssids doesn't require connecting to the wifi point at all.

It's like recording people's door numbers from a distant except you only know that number is around that area.

Also it IS useful as it allows you to do geolocation in areas where you can't get gps or you want a more accurate gps coord.

There always was.

[SanityInAnarchy]

Did you even look in options? Turn off "search suggestions". That's the feature that relies on this information being sent to Google.

Please, please stop spreading Microsoft's FUD.

Re:There always was.

[JWSmythe]

    It's funny when people complain about the competition (Chrome & Firefox), but they're just as guilty of it (Microsoft). :) How much does MSIE check in with outside resources. I guarantee it's greater than 0.

   

Re:Not surprised.

[Jaysyn]

Yeah, it's back up now, was giving a PHP error.

Re:browser bar privacy issue

[LingNoi]

It's because chrome retrieves a list of popular web addresses matching your search. The same thing happens on the google main page with auto complete.

Probably a bug

[matt4077]

I've noticed that previously visited sites still flash up as suggestions immediately after purging the history. These seems to go away after a page refresh. There's probably some caching going on that isn't deleted correctly.

Never ascribe to malice...

[SanityInAnarchy]

Come on, people -- we even take a sane position towards Microsoft these days.

Chromium is an open-source project. Write a patch and see what happens.

And if you really insist it must be deliberate, please explain how spying on your fucking zoom level, and storing it in a local file which is never sent over any network, is so dangerous.

Re:Not surprised.

[SanityInAnarchy]

If someone's dick ended up in my rectum, I also wouldn't consider the possibility that it's in any way analogous to someone maybe spying on my fucking zoom levels.

Re:the zoom level gets stored in the preferences f

[jeti]

Same on my Windows machine. Looks like an oversight in a new feature. That's the risk of using the beta channel, I guess.

Re:Not surprised.

[bratgitarre]

Iron works on Linux as well, not just Windows. I run it on Ubuntu 9.10. As I mentioned above, 4.0.275.2 (Developer Build 35171) of Iron is affected by the bug from the article.

That's just a tip of an iceberg

[Artem+S.+Tashkinov]

Run Firefox or Google Chrome for a few days, click "Clear Recent History", select "Forever", exit them.

Now go to a directory where they store profile data and discover SQLite files containing information from all the web sites you've visited (`man strings`).

Both browsers 'forget' to run VACUUM on SQLite databases they are using. However it would be even better to zero fill all the files containing your traces, then delete 'em, then recreate them.

Re:Not surprised.

[roman_mir]

Oh really? I think it makes perfect sense for someone to spy on your zoom levels to adjust the timing of the next event accordingly.

Its Not about Trust

[hax0r_this]

I think you're missing the GPs point. Although many around here might well hold the beliefs you allude to (I don't think its a significant population on Slashdot, as victimized as you might feel by them), the GPs point is that the cost of betrayal by the Government far exceeds the cost of betrayal by a Corporation. In fact, the worst a Corporation can do do you is really limited by what the Government will allow it to do - if you are really so afraid of what a Corporation can do to you, you are implicitly afraid of what the Government will let it do.

No problem on Chrome 4.1.249.1064 (45376) / Win7

[Thundersnatch]

...when I completely exit chrome and re-visit the same site.

Re:Not surprised.

[drinkypoo]

Unless iron is using beta code these days you'll need chromium for proper javascript blocking support. That should be in mainline soon enough, though. Or hell, it might be already, my news is a couple days old now :/

Worked for me

[holiggan]

Using Windows 7 32bits, Chrome version 6.0.401.1

Re:*Sigh* not true.

[thePowerOfGrayskull]

Not only that, but just because it remembers settings does not prove it remembers the actual domain name. (sha1 of URL name would take care of that...)

Re:Bullshit Mr. Coward.

[coolsnowmen]

That would have been a way better blog post (from a technical aspect). That being said, there are easy ways to fix that.

Re:Not surprised.

[Psx29]

I'm running chromium on OS X. There is native os x daily build. This is what I use.

That is not the half of it

[whosaidanythingabout]

Also notice that incognito mode leaves a trail of other content on the system and does not delete it after you close the browser session. For instance say you are looking for videos on "how to prepare meat" and find this fine cooking site. You decide to watch the sample video and it is the perfect meal choice for your surprise for that "significant other". Later on "significant other" happens to look in the /tmp directory. There are video files there and when played reveal the secret meal you are going to prepare. In fact all of the temporary content from your incognito session is neatly stored in one place.

Re:Not surprised.

[Simetrical]

There's always Chromium; I run it on Ubuntu. For Windows there's SRWare Iron. I'm not sure which is the preferred build for OSX; perhaps Crossover Chromium. TFA doesn't say whether Chromium is affected. Some comments under TFA state that the effect lasts only until Chrome is restarted, suggesting that the information is stored only in the memory cache.

Chromium is the exact same code as Chrome. Of course it will be affected, unless you patch it out.

And seriously, people, get a grip. It's not like this tells Google what sites you visited. It just stores it on your computer. It has nothing to do with Google wanting your information, that's a complete non sequitur here. Geez.

Re:Easy to demonstrate that incognito doesn't work

[dltaylor]

find -type f -exec grep -i {} /dev/null \;

This also shows the file name.

Iron 5.0.377 for Linux

[negated]

Iron 5.0.377 for Linux: http://www.srware.net/forum/viewtopic.php?f=18&t=1502

Re:*Sigh* not true.

[owlstead]

No it would not take care of it since it is relatively easy to generate SHA-1 hashes of URL's. You can then just compare with the one used for the settings. For a wife it would be pretty simple to prove that somebody went to the www.verynastypron.com by simply generating the correct hash. It's obfuscation at best. Of course, it's still not so bad as banks claiming they don't know the PIN of a bank card because they only stored the hash, but it's easy to brute force.

Re:Not surprised.

[Windwraith]

But that's what you use Twitter for!

Affects latest dev version on Windows

[josath]

Just reproduced it with Chrome 6.0.401.1 dev on windows. It remembers your zoom level even if you close chrome completely, making sure there are no chrome.exe processes running, then start chrome back up. Just because it doesn't affect some older versions does not mean this story is false.

bad summary.

[pat+sajak]

half of the people posting here probably didn't read the article and are going off about google when all that is stored is the zoom level. how can anyone genuinely be concerned about this?

Re:bad summary.

[Slashcrap]

Because it's obviously stored along with the domain, you fucking retard.

How fucking stupid do you have to be to be told that it stores certain settings for sites and think that it can do that without storing a reference to the actual site? The answer is unbelievably fucking stupid. Look above for the comment about how it's all stored together on Linux.

And because you're fucking stupid, let me spell out the other risk - a non-default zoom level is proof of visiting that site. Don't you remember that site that could tell you what sites you had visited using CSS to see which link colours had changed? Oh of course you don't, you're an idiot.

And I'm not going off on Google, I don't use their browser and don't give a shit what they do. Idiots on the other hand are incredibly dangerous because they don't realise they're idiots. Please track down a copy of the famous paper "Incompetent and unaware of it". Get someone to read it out to you and point at you when they reach the relevant parts.

Re:Not surprised.

[drinkypoo]

Chromium is the exact same code as Chrome. Of course it will be affected, unless you patch it out.

Chrome is Chromium plus even more monitoring code. Er, I mean, integration, of course. Heh heh.

This issue has been fixed.

[Paxtez]

http://code.google.com/p/chromium/issues/detail?id=43107

Re:*Sigh* not true.

[thePowerOfGrayskull]

Let's credit them with salting the URL...

Careful about SRWare Iron

[oddfox]

Everyone mentioning SRWare Iron should know about this little tidbit: The story of Iron. The article and the linked IRC log tell a very interesting story about a guy less concerned with having a good reason to fork and more concerned with making money off of adsense and publicity for creating a "privacy-respecting" Chrome which is basically a perpetually outdated Chromium with a few checkboxes in "Under the Hood" defaulting to off.

The guy who runs that blog does not try to hide the fact that he's a Chrome developer, and he admits that there is the highly unlikely possibility that the person who was asking these questions was not the person who went on to release Iron. I was skeptical as well until I checked out the log file itself and quite honestly it would have to be an incredible coincidence for this guy to be asking such questions and providing the information that he does in his attempts to glean information on the right way to advertise his product as well as how to go about renaming the executable. There's more that makes it very reasonable to believe this is the guy who went on to release Iron, so please don't dismiss it until you've checked out the log file in detail. If this was a supremely unnecessary and elaborate hoax it sure is pulled off convincingly.

Using Iron after reading this information made me feel like I was supporting the wrong guy here and I couldn't do it anymore, it was just too uncomfortable seeing that this guy was looking for adsense revenue and to make a name for himself. The attitude of this developer is not one I would encourage at all.

Re:Not surprised.

[zdepthcharge]

I use Iron, but not as a general browser. I "firewall" my email and bank web access to the Iron browser and NEVER use it to access any other site. Converesly use Firefox for everything else and NEVER access my email or bank sites with it.

Re:*Sigh* not true.

[owlstead]

That does not help against brute force attacks that just calculate the hashes, it only helps against attacks that use rainbow tables. The salt must be available, so you can still calculate the hash result.

Anyway, you can still see the difference when you simply visit the page, as others have pointed out.

Re:Not surprised.

[drinkypoo]

You could instead (or additionally) use a portable "install" of Iron for each site, preventing any bugs which might leak information to other sites.

Re:*Sigh* not true.

[thePowerOfGrayskull]

Anyway, you can still see the difference when you simply visit the page, as others have pointed out.

True, though less useful if you've infiltrated or seized a hard drive and are trying to find history through read-only operations. Also not useful if someone has only visited a site but not customized it -- assuming it still gets an entry then.

That does not help against brute force attacks that just calculate the hashes, it only helps against attacks that use rainbow tables. The salt must be available, so you can still calculate the hash result.

I suppose the determined hacker could extract the salt from the chrome executable; which would allow brute force as an option. However, it would at least foil the casual family snoop - I suppose that's misleading, as you would think that "incognito mode" is 100% incognito.