Microsoft Edge's Private Browsing Mode Isn't Actually Private

JustAnotherOldGuy writes: The forensic examination of most web browsers has proven that they don't have a provision for storing the details of privately browsed web sessions. However, in the case of Microsoft Edge, the private browsing isn't as private as it seems. Previous investigations of the browser have resulted in revealing that websites visited in private mode are also stored in the browser's WebCache file. The Container_n table stores web history, and a field named 'Flag' with a value of '8' shows that website was visited in private mode. An investigator can easily spot the difference and use this evidence against a person. The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief.

First Post?

[daive]

...on a 2-day-old article? Malfunction or sign of new ownership? Or some warm confection of the two..?

Re:First Post?

[blavallee]

I would say, it's just not a surprise anyone here. An antonym of privacy or security is Microsoft.

Re:First Post?

it's timothy at the helm, he probably forgot to push the publish button. seeing that he doesn't really edit summaries, i would say its another typical slashdot fuckup. YOU HAD ONE JOB... captcha: immature, you damn straight.

Re:First Post?

[I'm+not+evil.+See]

The rest of us have been here also, all along, but just in "Private Mode". There are actually 1203 "first posts" before yours. Look harder. :-)

Re:First Post?

Who is worse? bennett haselton, timothy, or jon katz?

Re: First Post?

Exactly, it wouldn't have surprised me if they sent private browsing data direclty to their Redmond office.

Re: First Post?

[red+crab]

You always need to have the "Internet Explorer Enhanced Security Configuration" feature turned on for your privacy you insensitive clods!!

Re:First Post?

[hairyfeet]

Considering how much spying is baked into Windows 10 frankly the thought that anything done in that OS is "private" is beyond belief.

Re:First Post?

They invented unsafe OS with user processes running in kernel mode.
They invented the mail-transported virus, when outlook auto-executed attachments received by email
They invented web vulnerabilities with activeX (Execute code found on web pages - no need to look for buffer overflows when this sort of thing is designed in.)

So indeed, no surprise from microsoft here.

Re: First Post?

You mean IE is just another Chrome clone this time with a s/google/microsoft/g et al?I refuse to believe it!

Last I heard, this Edge is a brand new browser! New engine! New code! New standards! Just like IE6, 8, 10, 11.. waaaiit a minute .

Re:First Post?

This comment comes from a guy who was shitting his pants daily at some point in his life.

Re:First Post?

They invented unsafe OS with user processes running in kernel mode.
They invented the mail-transported virus, when outlook auto-executed attachments received by email
They invented web vulnerabilities with activeX (Execute code found on web pages - no need to look for buffer overflows when this sort of thing is designed in.)

So indeed, no surprise from microsoft here.

I have to wonder if you're being ironic or joking.
Or are you just very young and don't know that everything you typed is a false statement?

Re:First Post?

[Lodlaiden]

Haven't we all been there at one time or another?

Re:First Post?

Before I started running Linux, yes.

Re:First Post?

"Or are you just very young and don't know that everything you typed is a false statement?"

A, hmmph. Pollyanna about MS, or youthful.

Active X, you really don't remember? An OCX is a DLL that IE used to run. Maybe still do...

Mail transported virus,
http://arstechnica.com/securit...
Wow, recent. I recall this was an issue back in the day.

User processes running in kernel mode.
Thru all of DOS, Windows 1, Windows 2, Windows 3, Windows 9x, and NT, this has never been true?

Well, they didn't lie...

[The+Atog+Lord]

So, InPrivate is to Private as InVisible is to Visible.

Re:Well, they didn't lie...

[sd4f]

Well, after all, flammable and inflammable mean the same thing so...

Re:Well, they didn't lie...

People don't know "inflammare" or "flamma", but they do know "flame" which means "fire".

Re:Well, they didn't lie...

[thunderclap]

So grammar nazi, you think you know ?. Well, you have no idea.

http://www.merriam-webster.com...

flammable

flamb()l/

adjective: flammable

        easily set on fire.

        "the use of highly flammable materials"

As for Flamma, its latin and is a verb there. Go ask them.

Why Do Flammable and Inflammable Mean the Same Thing?

There is a fairly clear reason for why both these words carry the same meaning: the prefix in- does not always function as a negative prefix.
Sometimes (and this is one of those times) it serves as an intensifier. It’s fairly obvious how this could lead to problems.

Surprisingly, both flammable and inflammable coexisted peacefully in English for hundreds of years before anyone decided to do something about it. Inflammable is the older of the two, with recorded use as far back as 1574. Flammable begins to appear in 1655, when Margaret Cavendish described oil as being “hot burning and flammable” in her Philosophical and Physical Opinions. One of the reasons there was little confusion about these words is that flammable was used much less often than inflammable.

But in the 1920s the self appointed, eagle-eyed language nazis of the National Fire Protection Association (NFPA) realized that many people were viewing the in- in inflammable as a negative prefix, and were at risk of consequently incinerating themselves at a much higher rate than was desirable. The NFPA advocated to have flammable used exclusively for warning labels (such as are found on mattresses, oil cans, and other things that will catch on fire if you put a match to them), and managed to slightly nudge our language toward a more sensible path. Though in the recent past flammable is used more often than inflammable, this pair still incites controversy—and clueless fools would want to look ignorant.

Re: Well, they didn't lie...

Check m-w.com. Flammable is extremely cromulent.

Re:Well, they didn't lie...

[jason777]

‘Inflammable’ means flammable? What a country!
-dr. nick

Re:Well, they didn't lie...

In fewer words:
Flammable: will burn. EG paper, wood shavings, coal ...
Inflammable: easily ignited. EG gasoline vapor, ether, natural fabric fibres ...
In the presence of sufficient oxygen and at normal temperatures.

Re:Well, they didn't lie...

[Z00L00K]

And the prefix "In" to me feels more like it's a negation of "Flammable".

Re:Well, they didn't lie...

[piojo]

Are you using a different definition of "word" than I am? Because I've encountered "flammable" hundreds of times in technical documents and thousands of times in speech. Burden of proof is on you, and you're gonna need some strong proof.

And neither etymology nor Latin grammar has any bearing on whether a given word exists. (For example, I could look up "obtuse" and "argument" in Latin, but that doesn't mean your post would correctly be called an "argumentusus".)

Re:Well, they didn't lie...

[Livius]

Something is flammable if it can burn easily.

Something is inflammable if it can ignite easily.

Obviously lots of materials are both but they are different meanings.

Re:Well, they didn't lie...

[Zontar+The+Mindless]

Like "income" is a negation of "come", right.

I get it now. Thanks!

Re: Well, they didn't lie...

One moment. We are just going to test to see if you are flammable

Re:Well, they didn't lie...

Ha ha ha. Your stupid bitch ass got owned, hard.

Re:Well, they didn't lie...

[AthanasiusKircher]

This is on the right track, but a few clarifications:

As for Flamma, its latin and is a verb there. Go ask them.

No, "flamma" is not a verb. Flamma is a noun, meaning a "blazing fire." Flammo/flammare is a verb. (Well, technically I suppose "flamma" could be an imperative of the verb flammo -- "Be on fire, you heathen!" -- but the normal dictionary entry for the verb is under flammo or flammare.)

There is a fairly clear reason for why both these words carry the same meaning: the prefix in- does not always function as a negative prefix.

Sometimes (and this is one of those times) it serves as an intensifier. Itâ(TM)s fairly obvious how this could lead to problems.

That's not quite right. "In-" is NOT an intensifer. It's derived from the Latin prefix "in" which means "into" or sometimes "on/upon." Hence, in Latin "inflammare" means "to set INTO flames" or "to light on fire," whereas "flammare" simply means "to burn."

(For comparison, think of a word like "intimidate" -- it doesn't mean "more timid." It means to MAKE fearful, to force someone INTO timidity.)

This distinction hasn't really carried over into English in the case of flammable/inflammable, especially since the fire prevention folks started using "flammable" to mean "easily set on fire," which would be a better fit to "inflammable." (If we follow the Latin origin, "flammable" would be better suited to mean, "capable of being burned" (at all).)

Surprisingly, both flammable and inflammable coexisted peacefully in English for hundreds of years before anyone decided to do something about it.

It's not exactly surprising if you know anything about Latin or the history of English. As I just noted, most such pairs actually meant different things. And if you want to see real confusion, read the etymology page for "in-" at the link above. Centuries ago, you had examples like "implume" which mean "to put feathers on" (as in "tar and feathering" or something) from the "in-" = "into" meaning. But "implumed" generally meant "unfeathered," from the "in-" = "not" meaning. THAT was confusing since the same word meant two different things.

But in most cases "in-" was either used in one sense or the other, and when it was used to mean "into," it was generally clearly distinct in meaning from the form without the prefix. (E.g., note that "implume" didn't simply mean "feathered" -- it meant to ADD or put INTO feathers.) I think it's really the fire prevention folks who should be blamed on the confusion, since they took the word "flammable" (which was never popular, never had a clear meaning, and was basically obsolete in the early 1900s) and started using it commonly to mean something that "inflammable" properly should mean.

Re:Well, they didn't lie...

The intensifying use of prefix "in-" can be heard by the way it is pronounced. Or, at least I think so as a non-native speaker. You say inFLAMMable, not INflammable, right?

Re:Well, they didn't lie...

[AmiMoJo]

I prefer enflamable to avoid confusion.

Re:Well, they didn't lie...

The funny thing is, you have more or less the same construction in dutch. but there the intensifier prefix and the negation prefix are slightly different, I wonder if they used to be different in english/latin as well.

In dutch the prefixes are on- (negates) or ont- (intensifies). Onbrandbaar (non-flammable) v.s. ontbrandbaar (inflammable).

Re: Well, they didn't lie...

[bill_mcgonigle]

This is an intense debate. No need to flame the situation.

Re:Well, they didn't lie...

[jittles]

No they don't. "Inflammable" is a word. "Flammable" is not. "Non-inflammable" is a word. "Non-flammable" is not.

Inflammable comes from inflammare. Flammable is a fucked up piece of shit that some retard tried to shoe horn in. It comes from flamma.

Inflammare is the root word, and "inflammable" and "non-inflammable" are the words. Flamma isn't a fucking verb and should not be used as a root to create a word with the same meaning as "inflammable". Further, adding "flammable" only increases confusion (of which there was none among non-retards) because the already valid and correct "inflammable" exists, as well as the valid and correct non-inflammable.

Hmmm my dictionary seems to disagree with you. It lists flammable as an adjective, and not a verb.

Re:Well, they didn't lie...

[jbengt]

In fewer words:
Combustible: will burn. EG paper, wood shavings, coal ...
Flammable: easily ignited. EG gasoline vapor, ether, ...
In the presence of sufficient oxygen and at normal temperatures.

FTFY

For liquids, in more words:
Flammable: Defined as liquids having closed cup flash points below 100F (37C) and vapor pressures not exceeding 40 psi (276 kPa) (2.76 bar) at 100F (37C)
Combustible: Defined as liquids having closed cup flash points at or above 100F (37C)

Re:Well, they didn't lie...

[TsarB0mba]

And the prefix "In" to me feels more like it's a negation of "Flammable".

"infamous" does not mean "not famous".

Re:Well, they didn't lie...

Your input is invaluable

Re:Well, they didn't lie...

[lhowaf]

The flammable/inflammable controversy will go away soon since neither is included in the up-goer list of the ten-hundred most commonly-used words.

Re:Well, they didn't lie...

[Imrik]

No, but it does mean negatively famous.

Re:Well, they didn't lie...

[Kjella]

You come then it negates your income for the next 18 years.

Re:Well, they didn't lie...

Obviously lots of materials are both but they are different meanings.

There is no difference in meaning between flammable and inflammable. Both describe things that are capable of burning or easy to ignite, but in all modern varieties of English, flammable is preferred.

I could find plenty more sources. Every single reference I found searching for "flammable vs inflammable" says they are exactly the same. In fact, flammable is just new shortened version of inflammable.

Re:Well, they didn't lie...

[Jawnn]

Something is flammable if it can burn easily.

Something is inflammable if it can ignite easily.

Obviously lots of materials are both but they are different meanings.

[citation needed] Just sayin'...

Re:Well, they didn't lie...

Flammable begins to appear in 1655, when Margaret Cavendish described oil as being “hot burning and flammable” in her Philosophical and Physical Opinions.

This is why we don't let women do science.

Re:Well, they didn't lie...

[jason777]

You guys never saw that simpsons episode?

Re:Well, they didn't lie...

[bunbun68]

Flammable comes from flammo, flammare, flammavi, flammatus. First conjugation verb. To burn. You also have conflammare, deflammare but these sadly didn't make it into the English language. Wouldn't it be nice to have deflammable fire blankets?

Perhaps next time you might want to consult a Latin dictionary first before posting?

Lewis and Short is available on line.

Re:Well, they didn't lie...

Ah the wikipedian protester.

https://xkcd.com/285/

They really did not care

Thats the best reason I can think of.

Re:They really did not care

[unrtst]

I'm not sure why I'm feeding the trolls (troll being the summary itself).

I'd appreciate an actual "private" mode, but none of the browsers do what I'd expect from that. My expectation would be that the browser would behave as if it is a clean slate, not store anything to disk, possibly encrypt or at least attempt to hide memory contents, and possibly attempt to hide other identifying details (screen resolution, "agent" header string, plugin list, etc).
Personally, I find little benefit to the make believe "private" mode in that it hides its actions from my own computer. I am not worried about other legitimate users of my computer finding out secrets about me (and if I was, I'd use something much more hidden than "private" mode - another vm with encrypted drives, powered off or in hibernate when I'm not using it).

With that in mind, this info seems to be quite an exaggerated diff between the various private mode expectations. Not that I care much as long as the behavior is what it is, but what I'd want to know is:
* can normal, unprivileged user accounts access these history records?
If not, then it's doing its job just about as well as any of the others.

Re:They really did not care

[gl4ss]

well private mode is starting to be just "adblock disabled" mode for them...

Re:They really did not care

They can't promise too much though or they risk getting sued when someone's "private" browsing data gets exposed. And let's face it: they could do all of the above and route the lot through tor and it's still quite likely that there's a hole or 10 that could leak information.

Re:They really did not care

[Hognoxious]

It's private in the sense that they know that that they're tracking you and you don't.

Re:They really did not care

[castionsosa]

Sadly, with LSOs, various browser fingerprinting mechanisms, and many other items, the only thing that might might equate to a "private mode" would be to turn on automatic rolling back of a VM when it shuts down, or perhaps having a VM which uses a provisioning script to auto-install the browser and generate a new machine ID every so often, fetching and reloading one's bookmarks and other essential add-ons from a provisioning server. At least with Vagrant, cracking off a new VM configured how you like it for browsing isn't too bad.

all knowing edge delayed access to this old story

[sittingnut]

seems editors here used all knowing edge, which explains delay in accessing to this old story.

Be aware

[Travis+Mansbridge]

It's worth noting that other browsers' "private browsing" modes only hide the details of the session from the local machine. Using "incognito mode" in Google Chrome is not encryption and does not shield your privacy in any way from others on your network, your ISP, the NSA or Google themselves.

Re:Be aware

[Travis+Mansbridge]

* And, I'm sure, neither does Edge, I just wouldn't touch Edge with a 10ft pole regardless.

Re:Be aware

I don't know about other browsers, but Chrome on the desktop and mobile explains that as soon as you open a blank incognito window/tab.

Re:Be aware

That's a weird strawman, nobody said anything about encryption or interception.

Your parents, partner, employer, librarian, the Law - the list of local chuckleheads you don't want viewing your browser history is endless - and now they get your browsing history. Being so dangerously unfit for purpose is a pretty fucking big deal.

We now live in a world where your browser choice will be used against you. Thanks Microsoft!

Re:Be aware

[Blaskowicz]

That's a weird strawman, nobody said anything about encryption or interception.

There is a problem with Firefox's new private browsing window. It says protection against tracking is enabled. That's true as it does something like Privacy Badger does (although there's little indication of what is done) but you still leave your IP and browser fingerprint (afaik) everywhere and if you go on facebook or logged in google etc. you're of course tracked about everything you do since that is exactly what they are for.

People are at large non technical or not technical enough and are easily deluded into believing private mode browsing is safer. Like some tell me that your position isn't tracked when you use a dumb phone, which is entirely false.

Re:Be aware

parents, partner

If your parents and partner can use this against you, you're already fucked.

employer

Your employer is already recording your traffic, and private browsing will not stop them from knowing exactly what you're browsing.

librarian

Will probably be safe even if you don't use "private" browsing, because librarians are motherfucking hardcore about privacy.

the Law

Will just go directly to your ISP.

"Private" browsing, outside the use case of browsing without previously retained cookies, is a gimmick. Nothing more, nothing less.

Re:Be aware

[Misagon]

Chrome's Incognito mode does have a separate set of cookies - which is empty when you open the first Incognito window and are deleted when the last window is closed.
This means that web sites can't use cookies to track you between sessions. They could track you by your IP address, but the IP addresses are at a lower level than HTTP/HTTPS. If you are really paranoid then you would use something like Tor anyway.

However, there is one big flaw: All incognito windows are in the same session. If you forget to close the last window then the session will linger: when you open a new link "In Incognito Window" then the new link will be attached to the old Incognito session instead of a new one.
This could be remedied by supporting multiple Incognito sessions at once. I think that a straightforward model for the user would be to let each Incognito Window represent a separate session.

Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts. Commenting on cat videos requires much less security than my private emails.
It is also convenient to log out just by closing the window.

Re: Be aware

Employers are easily circumvented by bringing your own device with its own connection separate from their network. If your job actively prohibits this without a serious actual reason for it, your employer is broken and you need a new one.

Law enforcement can be thwarted by proper use of actual secure VPNs (No free crap) this hiding data from your ISP. Which brings us back to you don't want your device holding evidence against you. Since absolutely everything is a crime these days, absolutely everyone should be taking personal data protection seriously.

Re: Be aware

[Entrope]

Today on Oprah: People butthurt that web browsers' "private mode" does not install TOR to send all your data through FBI-controlled entry and exit nodes.

Re:Be aware

Just FYI: You can create multiple user profiles in Chrome that allow you to have multiple accounts for gmail/youtube/anything, and all browsing history, cookies, web data, etc are all kept separate. You can switch between them easily, or have multiple shortcuts on the desktop (at least, on Windows).

Re:Be aware

[null+etc.]

You can drag tabs from one window to another. So any "per-window" statefulness that you propose will just be terribly confusing and inconsistent.

Re:Be aware

[sacrilicious]

I'd be happy to have them disallow inter-window tab dragging in incognito mode (or to allow it but state that all session for the dragged tab will be tossed).

Re:Be aware

[farble1670]

Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts.

google already has support for multi-account. i have 2 gmail tabs open to my 2 google accounts right now. hint: click on your avatar in the upper right. you can also setup multiple "profiles" in chrome and switch between them. i do not prefer this though since it everything is sandboxed (history, extensions, bookmarks, etc).

Re: From the people who brought us 10

[guruevi]

Proof? I think security researchers looking into this would've noticed packets going out encrypted or not during privacy mode.

Beggars Belief

It "beggars belief" why this editor still works at /.

Re:Beggars Belief

Eh? What's wrong with the expression "it beggars belief"?

Re: Beggars Belief

Nothing. "It beggars belief" is valid English.

Isn't this illegal in some states or countries?

[davidwr]

By "illegal" I mean a civil violation of warranty- and false-advertising laws that say products are supposed to meet their intended purpose, as a common everyday consumer would understand the term "intended purpose."

Re:From the people who brought us 10

[GrahamCox]

Wrong. I don't know about Google, but I do know about Safari. When it's in private mode, all of the data that is normally saved to disk for any purpose is stored in encrypted memory, so within a private session, you get the benefit of caching, go forward/back, etc. But once you close the private window, all that encrypted memory is erased and released. Apps using the NSURLSession APIs can do exactly the same thing.

Indifference

[rakslice]

I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

Signs of things slipping I've personally noticed in recent years:
- The faulty Microsoft web-based store (do they expect developers whose first experience with Microsoft is a web site that can't even sell a Windows upgrade are going to turn around and want to build things on ASP.net?)
- Contradictory descriptions of the different Windows SKUs (with respect to use as upgrades, new machine installs, usability by end users vs. system integrators, etc.)
- Software with seriously flakiness in features that worked in previous versions (e.g. Windows 10 Start Menu search and keyboard navigation), with broken help links, without an integrated installer (e.g. Lync, Sharepoint)

Re:Indifference

I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product. Microsoft's "business partners" are advertisers and law enforcement agencies, that's where the revenue is coming from.

The Edge behavior described in this article is very hard to explain away as laziness or incompetence. Intentional decisions were made during all phases of design and development to continue storing the user's history even when in private browsing mode. That isn't clueless management or devs taking the easy way out. That's purposely turning the end user's computer into a tool to be used against him.

Microsoft is now actively hostile to the end user and folks would do well to remember it.

Re:Indifference

[AmiMoJo]

The Edge behavior described in this article is very hard to explain away as laziness or incompetence.

To the contrary, that's the most likely explanation. Either a bad spec that someone followed, or maybe some debug code that was supposed to be removed later.

The end user is now the product.

If that were the case then this would screw them, because there are many other free browsers and most of them are more popular than Edge. To get users to sell to advertisers they need to produce a good browser.

Re:Indifference

Those other free browsers don't have something Edge has: installed by default. How long have we, as an internet community, suffered under the scourge of IE? Decades. And why? Because it is "the web" to 99% of folks out there. I don't pretend to think for a second that sloppy code or malicious code will drive away the userbase of Edge anymore than I think the sloppy code and malicious code that has been present in Windows will drive away the userbase. Because Windows is "the computer" and Edge is "the web." Folks who do know better might not care. I'll bet a substantial portion of the readership of ./ runs Windows 10 despite the numerous stories of baked-in spyware and the preceding versions with utter instability.

Re:Indifference

They coded mechanisms to store records of private browsing activities! You can not do that accidentally!

And no, they don't need a browser to sell you to advertisers, they have total access to everything you do on Win10! They can sell your Chrome and Firefox history if they want. Your local documents, etc.

Re:Indifference

That's purposely turning the end user's computer into a tool to be used against him.

A good point. Using Windows 10 is like sitting in a police interview room. Everything you do on your computer is subject to being recorded, and it can and will be used against you. Getting people to care is an uphill battle, because "ooh, shiny and new and free!"

Re:Indifference

[farble1670]

It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product.

ah yes, no /. article would be complete without a "you are the product" post now would it?

Windows 10, Edge, Intel Skylake.

New features all the time baby! Just don't try to turn it off.

I'm shocked

[frovingslosh]

Microsoft Edge's Private Browsing Mode Isn't Actually Private

I'm shocked! Shocked, I tell you!

On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

Re:I'm shocked

[rtb61]

It is not really all that funny. Not only is it not private it is marked as pretended to be so on analysis they can find out exactly what you wanted to keep private. That looks really, really bad, not only a failure of privacy but seemingly purposeful gathering of data for extortion purposes, obviously not run of the mill people but selected individuals via the scatter gun method, hide the invasiveness by targeting everyone so that the specific targets are unaware. Then there is how long they will keep the data for ie target every potential politician in high school and university so that decades down the track they can be extorted in compliance or destroyed. It is one thing to screw up privacy, it is quite another to specifically mark data as private and keep it.

Re:I'm shocked

[CodeArtisan]

On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

Or anything connected to the internet.

Re:I'm shocked

[frovingslosh]

Using Microsoft products and expecting privacy is like hiring a Catholic priest to babysit your little boy and expecting him to be safe.

It's an APP, what did you expect?

Modern app appers know that only apps can app apps, and privacy is something only LUDDITES use, so apps like Edge app everything you app so every apper can app your apps while apping other apps!

Apps!

Feature...

[Livius]

not a bug.

This is Microsoft we're talking about. Misrepresentation about their products is what they do.

doesn't fit the criteria

[raymorris]

You're thinking of "implied warranty of fitness for a particular purpose ", as it's called in the Uniform Commercial Code. There's also warranty of merchantability. Let's look at each in turn.

The terms and conditions can explicitly and clearly disclaim the warranty of fitness for a particular purpose, and I'm sure Microsoft's terms do so. They can't disclaim warranty of merchantability so easily. If they do disclaim fitness for a particular purpose, that's the end of that. If they didn't disclaim the warranty, UCC has two conditions. First, the seller must have reason to know what purpose the buyer intends to use it for - browsing porn without having the address bar later autocomplete xvideos.com? National security level espionage? Secondly, the seller must habe reason to know that the buyer is relying on the seller's expertise to recommend an appropriate product.

Microsoft doesn't know whether you intend to use it to avoid having autocomplete accidentally embarrass you or if you're trying to foil expert forensic investigators. Since they don't know which purpose(s) you might use it for, there is no warranty of fitness for a particular purpose.

On to warranty of merchantability. This applies even when the seller does NOT know what purpose you plan to use it for. Because the seller doesn't know, he warrants only that it's useable for SOME purpose. If the mode successfully avoids accidental embarrassment from autocomplete, accidentally hitting the back button down-arrow, etc, then it is useful for SOME purpose and therefore the warranty of merchantability is met.

Suppose some warranty was NOT met (and not successfully disclaimed). Then you could sue Microsoft for actual damages. If you prove that an accidental autocomplete during a business presentation got you fired, they would need to compensate you for the lost pay.

Lastly, you mentioned false advertising. What exactly do Microsoft's ads say about the feature? I suspect they do not say "prevents forensic examiners from determining anything about your browsing history".

Re:doesn't fit the criteria

And another one with too much time on their hands.

Private mode and forensics

[Tony+Isaac]

Locard's exchange principle (https://en.wikipedia.org/wiki/Locard%27s_exchange_principle) says that the perpetrator of a crime will always bring something into the crime scene, and leave something behind. This is one of the foundational principles of forensics.

Although private browsing doesn't equate to criminal activity, the principle applies. Electronically, you will always bring something with you, and leave something behind. There is not, and never will be, a truly "private" browsing experience, regardless of browser. There will always be trace evidence that can lead to discovery of what you were browsing, and what you did while there.

More broadly, this principle is true in all of life.

Re:Private mode and forensics

[vux984]

Even so, if you put the safety on on your gun, that doesn't make the weapon truly and completely safe and nobody is suggesting it does.

But can you imagine if putting the safety on merely lowered the muzzle velocity by 5%?

Or a door lock that simply turned a red LED on some dashboard somewhere labelled locked, and nothing else.

There is not, and never will be, a truly "private" browsing experience, regardless of browser.

But some browsers actually do a little more than next to NOTHING to remove the session history from the local PC.

Re:Private mode and forensics

[jason777]

Thats why I do my really serious browsing in a new VM that is read-only. After, I delete the vm. Then light the computer on fire.

Re:Private mode and forensics

[Livius]

Obviously the web site you visit knows you were there, but if a browser implies it erases its end of the session then it should do so.

Re:Private mode and forensics

>>Then light the computer on fire
Good job your computer is flammable. No, inflammable. Damn!

PS, I've always understood both words to mean the same thing. What's with the suggestion that they have subtly different meanings. No,forget it. I couldn't care less. :-)

Re: Private mode and forensics

That is true. A sufficiently determined opponent can find out things about your browsing because it ultimately involves sending information to and receiving information from specific endpoints.

However, you can severely raise the bar on the level of determination required to obtain that information. The idea is to raise it past the level of skill, visibility, or authority your opponent has. Private browsing is one tool out of many that should be used for that. By itself it is effective only at hiding data from cross-site advertisers and other such marketing bad actors, and just barely at that. Other techniques must be used in conjunction because browser makers are inherently untrustworthy too.

That said, it appears this particular browser is broken by design, and that gives a whole new definition to the term 'untrustworthy'.

Re:Private mode and forensics

[c]

Thats why I do my really serious browsing in a new VM that is read-only. After, I delete the vm. Then light the computer on fire.

When it comes to furry porn, one can't be too careful.

Re:Private mode and forensics

[The-Ixian]

And yet, no browser that I am aware of flushes the DNS cache on the system (even though they could if they were truly trying to make a "private" experience).

Re: Private mode and forensics

[The-Ixian]

Yeah, because inspecting the browser's cache file is within the skill level of so many people....

Re:Private mode and forensics

They do have their own internal DNS caches, which are flushed in incognito/private mode. The internal DNS cache can be an issue with local web development. Does microsoft expose an API for flushing the system cache? Because I don't think that would be possible on Linux.

Re:Private mode and forensics

[The-Ixian]

Yeah, you are right. After thinking about if for 2 seconds (which I apparently didn't do when I posted...) you would need to be running as an administrative user in order to flush the system DNS cache. On a shared system this could also lead to unexpected results.

Still, this highlights the point, no browsing is truly private.

Re:Private mode and forensics

[desdinova+216]

well with that, I think the appropriate reaction is to nuke it from orbit, just to be sure.

Re:Private mode and forensics

[IronChef]

I was doing this for a while, but realized that a sufficiently advanced attacker could learn things from the combustion products. I now throw the computer into a volcano.

Re:Private mode and forensics

[avandesande]

I was going to suggest throwing it into a black hole, but hawking readers are easy to get on newegg.

impossibru!

[Gravis+Zero]

you're telling me that a corporation that is notorious for their flawed software has made a flawed browser?! impossibru!

I always browse in private mode

Yes.

GEE WHIZ WHAT A BIG SURPRISE!

[kheldan]

Microsoft has gone full-blown Big Brother/1984; is anyone at all surprised that their newest browser is also spying on you?

Go right ahead and mod me down to negative one troll, Microsoft shills, I expect it of you; wouldn't want your corporate masters to be angry with you, now would you? By the way I'm going to just keep on lambasting Microsoft ad infinitum, and anyone that doesn't like it can, quite frankly, suck my dick.

Re:GEE WHIZ WHAT A BIG SURPRISE!

Hey man, I was a Microsoft sympathizer for the longest time (and a *BSD fanboy, but that's beside the point). However, I installed Windows 10 last week, and it impressed me so much that I downgraded back to Windows 7 after a couple of days, never to return. After using the UI that's worse than GNOME's wildest hallucinations and having to edit group policy and stop services to get the system where I want it to be, I had enough.

Honestly, compared to Win7, Win10 feels like Windows 3.11 with a factory-provided backdoor.

Re:GEE WHIZ WHAT A BIG SURPRISE!

Honestly, compared to Win7, Win10 feels like Windows 3.11 with a factory-provided backdoor.

Really? They brought back the best feature in Windows 3.11? "File -> Exit Windows".

Re:GEE WHIZ WHAT A BIG SURPRISE!

[The-Ixian]

The browser knows which pages you are browsing to and writes that information to a cache file. BIG BROTHAR GET OUT OF MY COMPATUR!

Re:GEE WHIZ WHAT A BIG SURPRISE!

[kheldan]

Apparently you haven't been reading the rest of the story. Their 'telemetry' can give them access to any file on your computer. Therefore they can get your entire browsing history. It's more spyware plain and simple.

Re:From the people who brought us 10

[WaffleMonster]

It isn't a surprise.

But in MS's credit Google and Apple both do the same thing too

How does other people doing "the same thing too" work to Microsoft's credit or speak in any way to merits of underlying issues?

This line of argument is nothing more than bandwagon fallacy. It's completely worthless.

Re:From the people who brought us 10

[Solandri]

Chrome Incognito mode is the same. One of the drawbacks being that if you accidentally close a tab, you can't undo it. That tab is gone for good. I don't think it's encrypted in memory though, so if Windows pushes it to the pagefile it could (temporarily) be written to disk.

Working as designed?

[Antony+T+Curtis]

Sounds like, from the description, that it is working as designed.

Re:Working as designed?

I'm with you, I don't see this as a big deal. As a whole Edge lacks a lot in basic function anyway so I would just avoid it.

Re:Working as designed?

[The-Ixian]

Pretty much. Edge is very immature at this point. It is the classic "release it!" software distribution mentality.

Now, if they don't fix it, that's another issue.

Internet Exploder

Can't say I'm surprised that IE (or whatever MS is calling it now) is not half the browser that other companies provide. Almost seems like this article warrants an "I told ya so." from the net nerds.

Re:From the people who brought us 10

"One of the drawbacks being that if you accidentally close a tab, you can't undo it."

Excelent, an extra reason to browse only in private mode. This undo nonsense it taking up way too much memory.

As the saying goes

One man's cache is another man's treasure.

Re:From the people who brought us 10

It's not a logical argument. It's a PR argument. It's something like the dead cat strategy that the various conservative groupings have deployed with great success worldwide. Because we're all talking about how this is illogical we aren't talking about the fact that anyone who uses Microsoft solutions should have expected something like this simply because Microsoft's interests (to monetize their operating system through advertising) are not aligned with your interests (to browse privately).

You've blown it Microsoft

[DrXym]

How am I meant to browse for gifts and flowers for my wife (WHICH IS ALL ANYONE EVER DOES WITH PRIVATE BROWSING) if its not actually private? Oh and in case the wife does find traces of activity, yes cumgarglingsluts.com is a site that sells flowers and gifts. Way to ruin the surprise Edge.

Re:You've blown it Microsoft

Is it really so hard to clear your browser cookies? I am amazed at how people think that private browsing is such a magic shield. Your DNS lookups and your public IP are still being logged. Nothing private about that. If all you are after is hiding from your wife that you are looking at porn than just clear all the cookies when you are done. There is no reason to keep either the cookies or your history after you close the browser anyway.

Re:You've blown it Microsoft

[castionsosa]

It depends on who you are trying to protect from. If worried about another person on that machine, browse in a VM with encrypted filesystems [1], roll it back when done, and occasionally force a TRIM on the SSD to ensure any data on there is -gone-. With tools like Vagrant, one can even have the browsing VM be installed and provisioned, with one's bookmarks fetched/synced from another source.

If wanting to keep data away from ad-mongers, do your browsing in separate VMs and browsers. Banking goes into Firefox, everything else goes into a VM in Chrome that uses a VPN so IPs can't be correlated. Privacy-sensitive stuff, put it in a VM, or use a separate physical box so things like battery status can't be passed across the hypervisor barrier.

Edge is a terrible browser

Edge lacks in so many areas, but it appears from stats its pretty much being avoided anyway.

income

Like "income" is a negation of "come", right.

I get it now. Thanks!

Your post just made me income.

https://www.youtube.com/watch?v=kFToDbD9gUw

[teac2019]

https://www.youtube.com/watch?...

Microsoft invading even on Android OS of Google

Not just Win10. I am always reviewing the logs of my Router (a home brewed Ubuntu server box), and I was surprised when Android also connects to Redmond HQ of Microsoft. Here's the IP being contacted by Android but there are a bunch of other MSFT IPs.

some MS IP being contacted by by Android device:
40.113.87.220
111.221.77.144
23.102.224.202
204.79.197.200

WHOIS Source: ARIN
IP Address : 40.113.87.220
Country : USA - Washington
Network Name: MSFT
Owner Name : Microsoft Corporation
From IP : 40.74.0.0
To IP : 40.125.127.255
Allocated : Yes
Contact Name: Microsoft Corporation
Address : One Microsoft Way, Redmond
Email : IOC@microsoft.com
Abuse Email : abuse@microsoft.com
Phone : +1-425-882-8080

Makes one wonder why Microsoft keeps on connecting to Android devices 24/7 even at 2 am when everybody is asleep.

Re:Microsoft invading even on Android OS of Google

This is very likely specific to your phone or some app you have installed (neither of which did you mention). Without context your assertion means nothing.

Re:Microsoft invading even on Android OS of Google

Have you checked your router logs too? Did you notice why all Apple products connects to Apple Inc.. servers 24/7 ? While Android connects to Google and MS 24/7 ? Seems Snowden was not talking bullcrap. It's real and it's here.

Re:Microsoft invading even on Android OS of Google

Check all your Samsung devices with Android OS and check all TCP connections of your Apple devices. Android OS phones home to MS and Google 24/7 while all Apple devices connects to Apple servers 24/7 too. Better if you can do this at the router level because I have not checked it on the device itself as it is possible that the OS can conceal all outbound connections (hide its phone home activity). I checked it myself thru a Linux box converted into a router.

Re:Microsoft invading even on Android OS of Google

Not specific to a single phone. I have also checked all Android devices connected to my network and all of them does the same. Same with all Apple products, they connect (phone home?) to Apple servers 24/7. Checked this TCP connections at the router level as the Android OS or some malware can conceal their TCP connections.

Re:Microsoft invading even on Android OS of Google

This will happen if you have set up an Outlook email account on your Android and your company uses hosted Exchange services.

Re:Microsoft invading even on Android OS of Google

[Lotharus]

Did you notice why all Apple products connects to Apple Inc.. servers 24/7 ?

Yes, this is how push notifications work and is openly documented here: https://developer.apple.com/li... Relevant section:

Each device establishes an accredited and encrypted IP connection with APNs and receives notifications over this persistent connection.

(Emphasis added)

Re:Microsoft invading even on Android OS of Google

[farble1670]

I was surprised when Android also connects to Redmond HQ of Microsoft

You don't say what type of phone you have, or what apps you have installed. it's a very, big stretch to say this has anything to do with Android proper.

But anyway, step 1: disable the Exchange services app that's pre-installed on many devices (my Nexus 6P doesn't have it any longer, good riddance). I've seen it in the logs spewing connection failed messages even though I've never configured or used it.

Re:Microsoft invading even on Android OS of Google

[farble1670]

Check all your Samsung devices with Android OS and check all TCP connections of your Apple devices. Android OS phones home to MS and Google 24/7 while all Apple devices connects to Apple servers 24/7 too.

Sigh. They aren't "phoning home". How do you think things like push notifications work? They keep a persistent connection open.

The only thing that still baffles me

[koan]

Is why anyone believes things like MS's browser not being "private" is a mistake, or Apples "goto" fail was a bug (some of many fails for both corps) or that there isn't an obvious collusion between the gov and the tech sector, and all the spying and dirty tricks you see are not "bugs" or "mistakes" they were planned all along.

Eisenhower warned us, we didn't listen, it came to be, now we are "proper fucked".

No shit ...

[gstoddart]

So, Microsoft came out with brand new technology ... tells us how awesome, secure, and private it is.

And, shockingly, it isn't.

Why anybody is surprised that Microsoft hasn't really got a mature enough product to know how secure it is makes no sense.

Why anybody would believe that after all these years Microsoft suddenly wrote a secure browser is beyond belief.

Did anybody believe Edge was magically safe and secure just because Microsoft said so?

Re:No shit ...

[The-Ixian]

It seems to me as though the "private" browsing bit has been an afterthought in every browser to date and it is left as an exercise of the developer to define what "private browsing" even means.

What doesn't surprise me is that every browser does private browsing differently.

MS made a mistake and mingles private cache data with non-private cache data. I can see how that could be a simple "efficiency bug". As we all know, most developers are not security experts, we see it over and over again.

The real question here is: now that MS knows about the flaw, will they fix it? Let's hold the pitchforks at bay until we know the answer to that, shall we?

Re:No shit ...

[gstoddart]

I have no doubt they'll fix it, or do something to it ... my point is Microsoft, or any other company, when introducing a piece of software makes the claims of how safe, and secure, and fast, and private, and awesome it is.

But until that's proven in the real world, it's just marketing claims.

So, I don't care who it is ... come out with your new product and claim all those things, and it's a wait and see.

But in the case of Microsoft, whose track record with security doesn't make me automatically think I believe them, I'm going to assume even more that there's no reason to trust the claims. Because over and over we see security is done as an afterthought, falls short, and then people act surprised.

If Adobe suddenly said tomorrow that Flash was now safe and secure, I'd not believe them either, because they have a rather long history of not knowing how to make Flash secure.

Re:No shit ...

[SharpFang]

Considering they record browsing mode along with the cached data, that doesn't look like a mistake.

Re:Because Microsoft are the new NSA

[LVSlushdat]

Call me a conspiracy nut, I don't care, but *somebody* has got to step up to the plate to fill that giant NSA datacenter in Utah.. I suspect MS has partnered with the NSA to do that very thing, and the way MS is trying to shove Windows 10 down the throats of all of the poor schlubs who still use Windows makes this "conspiracy theory" damn near a sure thing. Given that and the way they're force-feeding the telemetry crap on Windows 7/8/8.1.... Sooooooooooooooo glad I quit sucking on the MS teat...

Windows 10 is adware

MS should just come out and say that Windows 10 is ad-supported. Not ads in the traditional sense, but the "Get Office" advertising app that gets reinstalled with each Windows update, along with Candy Crush Saga and Skype, all of which have some sort of revenue motive. Half of the "live tiles" on the Start menu even look like ads (Xboxxy, Microsoft Solitaire Collection).

Samsung/Android incognito mode fails, too

[leroybrown]

I'm not sure if it's Android in general or Samsung specifically but I've noticed that my Galaxy S6 Edge uses word-completion suggestions culled from browser usage in incognito mode.

Think Linux is any better?

strings ~/.local/share/gvfs-metadata/*

Re:From the people who brought us 10

[The-Ixian]

As a matter of fact, isn't the browsing history the basis for the (in)famous crashsafari dot com?

It's a closed-source browser

[edtice1559]

There are a lot of posts talking about what an incognito mode should do. Normally we refer to it as 'porn mode' here on /. which does seem to be the intended use case. There's a lot of reverse-engineered information out there about what these modes actually do. In reality, it's insane to trust any closed-source browser with this type of task. If you really care about this feature, you'll want to use an open-source browser where the source code can be audited to determine exactly what it was *intended* to do. (New security issues pop up all the time WRT things not behaving as intended, but that's a separate issue). And the behavior should be documented so you can decide if it meets your need.

Re:It's a closed-source browser

[farble1670]

^^^ this.

private mode is good for keeping pr0n sites out of your web history.
private mode is not so good for hiding your illegal activities from determined law enforcement agencies.

the sooner people figure that out, the better.

Tor

The best "privacy mode" seems to be Torbrowser,https://www.torproject.org/projects/torbrowser.html.en. Note that it runs fine under Windows (probably be more secure under Linux).

its microsoft

its microsoft, enough said, TOTAL FAIL

The real question...

[bfpierce]

Is why are you relying on your web browser to provide you with the security to break laws, that's not what private/incognito are for.

It's to prevent other users on the machine from seeing your browser history...

Lawsuit

So the bet's on when the first class action lawsuit against Microsoft regarding Windows 10 and it's shenanigans is. Between the hoovering up of data, regardless of your choice, the unauthorized changing of windows update settings on 7, 8 and 10, and now blatantly lying about privacy settings.

Does anyone actually use edge?

[bored]

I put in the little effort to setup classic IE on my win10 tablet because edge was basically unusable due to the fact it doesn't have an ad blocker. I really have no idea how people can surf the modern internet without an ad blocker, the auto-playing videos and popups everywhere make it completely insane.

I have a question about private browsing

I posted this as a question: slashdot.org/submission/5518507/what-do-you-think-about-icab-browser-for-mac
There's a Kiosk mode also a way to record sessions. this is a lot for me to learn about. Has anyone tried it? Like it

I am flunking the I AM HUMAN?! wtf?! My daily news letter isn't coming either :/ is this all due to the new owners?!

At MSFT the security badge goes in before

[WillAffleckUW]

At Microsoft the security badge logo goes on the package before the security is added, comrade.

Trust in the computer!

You verge on retarded if you use.

Windows.

Found the problem

[hoggoth]

> The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief

> Microsoft

I think I found the problem.

Some of their hosts aren't too well secure, either

[BoogieChile]

Apparently....https://urlquery.net/report.php?id=1454188045917