Do We Need A Better Private Browsing Mode?

Network World's Alan Zeichi recently argued "We need a better Private Browsing mode." Slashdot reader Miche67 writes: As this writer says, Chrome's Incognito Mode "doesn't offer strong protection at all." [Incognito mode "only prevents Chrome from saving your site visit activity. It won't stop other sources from seeing your browsing activity."] And Firefox's Private Browsing with Tracking Protection -- while stronger than Chrome -- is an all-or-nothing option. "You can't turn it off for sites you trust, but have it otherwise enabled by default."
The submission ends, "Every single link to non-trusted websites should open, by default, in a Private/Incognito window. C'mon, browser makers, get this done." This raises two questions. How do Slashdot's readers browse? And do you think we need a better private mode for web browsing?

No, we need to stop doing illicit things online

If you don't want people to know you're watching porn online, don't watch porn online. If you don't want people to know you're accessing illicit content online, don't access illicit content online. Don't have anything to hide and you won't have any problems. The paranoia is from perverts, criminals, and other losers who feel the need to access illicit things online that they don't want others to know about. Modify your own behavior and you'll have no problems with needing to keep secrets.

Re:No, we need to stop doing illicit things online

If you don't want people to know you're watching porn online, don't watch porn online. If you don't want people to know you're accessing illicit content online, don't access illicit content online. Don't have anything to hide and you won't have any problems. The paranoia is from perverts, criminals, and other losers who feel the need to access illicit things online that they don't want others to know about. Modify your own behavior and you'll have no problems with needing to keep secrets.

If I weren't also an anonymous coward I would mod this +1 Funny.

I salute you for your masterful satire!

Re:No, we need to stop doing illicit things online

[BitterOak]

This may be good advice in a relatively free country where people are allowed to criticize their government as well as investigate bad behavior by those in power, but in many countries in the world people don't have those freedoms which we take for granted. People living in oppressive regimes may need to rely more on technological means to protect their rights to organize and to criticize their government. An essential part of a participatory democracy is that people can be critical of their government, and if we want more countries to follow that model, people need to be free to exchange ideas without fear of reprisal.

Re:No, we need to stop doing illicit things online

[KiloByte]

What's that "free country" you're talking about? While in countries other than North Korea, Russia, China, Saudi Arabia you can often get away with criticizing the government on superficial matters, there isn't a single country that won't punish you for revealing news that truly hurts those in power.

Case in point: Assange -- Sweden tries to pass as a free country. Or, show me those "free countries" supporting Snowden; Ecuador and Russia stepped up because of a grudge against USA rather than of good will.

Re:No, we need to stop doing illicit things online

Protip: Get rid of all your online accounts, except for one: Facebook. Do everything from your facebook account

Re:No, we need to stop doing illicit things online

[fustakrakich]

Nope, nobody on the internet gets my name. I'm "John Smith". I only give personal info in person.

Re:No, we need to stop doing illicit things online

[Alumoi]

Oppressive regimes? That's funyy, last I looked, US and UK were champions when trying to track every user accessing the net.

Guys - I got this one

How do Slashdot's readers browse?

Sat in our parents basements in our underwear.

And do you think we need a better private mode for web browsing?

Yes, my parents get suspicious when I lock the door.

i use tor

Common everybody knows that the private browsing mode is just a porn mode that hides your history from other users of your Computer, nothing more.

I just use Tor if i want real privacy.

Re:i use tor

[maorb]

I've used private browsing mode to allow my friend to check his email without making me log out of my own email (from the same service of course). From my perspective, it just lets me open a "guest" mode browser that doesn't have all my URL autocompletes, usernames, passwords, etc automatically filling in. It's not to be confused with a security feature when used like that of course, all someone has to do to get back into my side of things is open a new windows, but it's still convenient.

Re:i use tor

[mlts]

With browser fingerprinting (check it out on EFF's Panopticlick), it really doesn't matter if you use Tor or not.

What I do if I want a stateless session is vagrant up a virtual machine, have it provisioned with a web browser, usual ad blocker software, my bookmarks as a clicky HTML file locally, and use that. When done, destroy the VM. This way, any changes or stuff saved to the VM are toast, and there will always be a different fingerprint every session.

As for protecting my IP, I just use a VPN service. For me a simple proxy is good enough so that ad companies and behavior tracking sites are blocked/stymied.

Re:i use tor

[AmiMoJo]

Have you actually tried browser fingerprinting with the TOR Browser? If you set it up right (I recommend Tails) it doesn't work. It can't separate you from many, many other TOR Browser users.

Go try it right now, with the Trails live CD. They fixed this years ago.

Re:i use tor

[lambsonic]

Fingerprinting is defeated. Randomly rotate common values. Non-unique signal with noise. Using a VM is actually a more unique signal, and would easily let you be identified with known techniques involving a small fingerprint with an IP netmask. Better hope you aren't the only one doing deploying that VM-browser combination on your VPN service. Just because you are resetting your state doesn't mean you don't have state. It actually makes your profile more stateful in the long run.

Let's revise that quote

[brwski]

Rather than, ""Every single link to non-trusted websites should open, by default, in a Private/Incognito window," it should read, ""Every single link should open, by default, in a Private/Incognito window." In fact, there should be no way for a website to determine where else you've been. Sandbox everything; it's the only way to force advertisers and tracking companies to do things differently.

Re:Let's revise that quote

[mark-t]

Better yet, the default behavior should be a configurable option in browser preferences. Make it an end-user choice.

We dont need a better private mode--

[wierd_w]

We need a better social dynamic where the forces of greed and graft aren't out to secure everyone's dirty laundry for big profit. (you know. Extortion, blackmail, protection rackets, basically what the NSA is out for, along with the basic "Oh, you like porno with big giant dicks in it? We offer a wide assortment of novelty giant dildos for you to buy! Isn't that GREAT!?" that seems to have infested the internet lately.)

I may be a greybeard by today's standards, but I remember when the internet was more about community, sharing news and jokes, and intellectual pursuits. Eternal September was the death of the internet. What we have now is a superhighway of advertisements directed into your eyeballs, and automated grabber arms reaching for your banking information.

Re:We dont need a better private mode--

[Voyager529]

Eternal September was the death of the internet. What we have now is a superhighway of advertisements directed into your eyeballs, and automated grabber arms reaching for your banking information.

In a somewhat-amusing irony, Usenet is much more usable now and has basically-no spam anymore.

Re:We dont need a better private mode--

[mlts]

I would disagree for the most part. The only real gain we have had would be plain English search engines like Google.

Twitter? That's what IRC is for.
Someone's wall? That is what a .plan file is for and finger.
A blog? Web page.
Local stuff? NNTP groups.
Stuff worldwide? More NNTP groups.
Pr0n? alt.sex.cthulhu

Social networks don't give much other than being one place with a consistant UI. Even worse, unlike USENET where even if someone is a total asshole, their voice is read until people stuff them in the killfile, private social networks have free reign to allow or stifle discussions as they see fit, to the point of trying to affect elections.

Oh, can't forget ads. Before Eternal September, websites had no problem existing without requiring full page, Flash ads which often served up malvertising. Now, so many site owners wring their hands when someone security-minded uses an ad blocker (other than Trojans, malvertising is the #1 source of infections, so it is a matter of security not freeloading.)

tl;dr, there really have not been that many advances since Eternal September that have been actual groundbreaking items. Search engines and analytics coupled with Big Data is the only thing. Everything else is just reinventing the wheel to treat subscribers as the product.

It's More Complicated Than That

[bheerssen]

Better private mode browsing would be a great help, but there's more to that when protecting your identity online. For one thing, private mode browsing is meant to protect your history on your local machine, not across the internet. Secondly, unless you are willing to browse without the aid of javascript and cookies, there's no way to stop web site operators from tracking you. Sure, you can stop cross site scripting, but you can't stop one website from sharing your cookie data with another website, or any other data they can garner.

So do you want to be truly anonymous? Use the Tor Browser, never use javascript, turn off cookies, and enjoy your sterile internet.

Or, you can accept a certain amount of risk and enjoy a rich, vibrant internet experience.

(I don't mean to disparage the Tor browser, it's a great product and I use it for some things.)

I'm Covered

[Voyager529]

NoScript with only first party scripts allowed by default, and a handful of CDNs whitelisted. CCleaner Pro cleans up all of my browser activity every time I close it. Untangle denies connections to ad servers and trackers at the firewall level.

Am I still being tracked? Probably...but the information obtained is much less juicy. I haven't seen an ad 'follow me' around the internet in quite some time.

This Article is Ignorant

[The+Raven]

Chrome Incognito and FireFox's Private Browsing are functionally identical. The caveat that the author highlights is how the Internet works. Of course sites have a record of your visit... they have to, to feed you the page! The disclaimer is to make sure that people know Incognito mode is like wearing an Anonymous mask, not like being invisible. And if you go up to an ATM dressed like V, but get money out of your credit card, then obviously the bank knows who visited the ATM despite the mask.

This basic ignorance of how cookies work is pervasive.

Private browsing opens your browser in a blank-slate mode. Generally, no plugins, no cookies. That means Amazon doesn't know who you are, so you can't one-click buy. Your news-reader makes you log in again. It takes longer to access your email because Gmail makes you log in and re-affirm your authenticator. Your ad blocker is disabled. Your CSS fixing plugin is blocked.

This is not how I want to use my computer, logging in to every single site every single time I visit despite being on a trusted device. We have plugins and cookies for a reason, because they make the Internet a more useful tool. They also have nefarious uses, but saying that the Internet should throw out all convenience to maximize security is ignorant of the reality that people will just switch to the more convenient browser.

What we need is not a better incognito mode, but for tech journalists to stop pontificating about technology they do not understand.

If you really want to improve your anonymity online there are plugins that allow you to whitelist 'safe' cookies, and trash or block all the others. That plus plugins to block third-party widgets allow you to get 99% of the functionality from the Internet with only 1% of the spying. But these plugins take work on your part, to identify what sites and cookies you trust. Most people are too lazy. And the browser has no way of knowing for you. For example, I may want Amazon to remember me so I can buy with one click... you may not because you don't trust Amazon's tracking of what products you look at. The browser shouldn't be deciding that for you, but making choices like that for every site is a pain few users will bother with.

Re:This Article is Ignorant

[Zumbs]

Private browsing opens your browser in a blank-slate mode. Generally, no plugins, no cookies.

Then you need a better browser :-) When I use Firefox for private browsing, NoScript, AdBlock and Ghostery are still very much active.

This is not how I want to use my computer, logging in to every single site every single time I visit despite being on a trusted device. We have plugins and cookies for a reason, because they make the Internet a more useful tool.

I mostly agree there. However, private browsing does allow me to start a session, e.g. to search for regular goods on the internet (because many webshops do require that I allow javascript to run), and clear any cookies and history during that session when I close it.

Ghostery does this

[DogDude]

If you're concerned about tracking, just install the Ghostery extension. It takes care of this.

I Use Multiple Profiles

FWIW:

I have about 10 different firefox profiles and a menu widget to launch them individually. Most are divided by task - one for all my banking, another for managing utility bills, one for "window shopping," another just for making purchases when I know exactly what I want, another for gmail (actually two different profiles for different gmail accounts), another that has no disk cache configured and wipes everything on exit. I also have two profiles for completely fake identities that I have very lax security on so that they are deliberately tracked. They are like "cover identities" - better to give the trackers something that they think is real than to look suspicious by trying too hard to avoid tracking.

All the profiles have different sets of extensions (although 90% of the extensions are common across all my profiles). Beyond the basics like Adblock, NoScript, Requestpolicy, and Self-Destructing Cookies I also use extensions like Random Agent Spoofer and Canvas Defender to give each profile a different "fingerprint."

Also I use the PrivateInternetAccess VPN because it lets me switch IP addresses at will, so whenever I fire up a new profile I also switch to a new IP address. I am looking into setting up a bunch of outbound proxy servers, each one bound to a different VPN tunnel so that each profile can get a persistent but unique IP address. I've just been too lazy to put that together yet.

All in all it is a PITA to set up, but once everything is in place it is pretty easy to use. The one thing that really increased usability was to set each profile to have a different theme, so that it is hard to make the mistake of using one profile when I thought I was using a different one.

Re:I Use Multiple Profiles

[Misagon]

That's how it should work. And yes, the problem is making it easy to create a new profile.

I have long requested that each private browsing window be its own private session, with no sharing of cookies between them.
What if we would start with that, and create new "profiles" from "private browsing" sessions: a single button could be used for "saving" a temporary session.

We try to make it better

[isj]

<plug>
We (privavore) are creating a fork for Firefox. (privafox.) By default we change all cookies into session-only. But with twists:
  - persistent cookies are allowed for sites that you provide a password to. The assumption is that if you log into a site the you probably want your shopping cart retained, and that by logging in you realize that the site will keep track of you. But we don't allow 3rd-party cookies.
  - workarounds for the EU cookie consent (in progress). By disallowing cookies by default you will get the "we use cookies to improve your experience" prompt.
  - user-agent is fixed (in-progress). That makes it a lot more difficult to distinguish different users behind the same ip (NAT).
</plug>
Both firefox' and chrome's private browsing mode leaves something to be desired. But that's ok.Their developers focus on creating the best browser. We just provide "after-market" customizations. Not for you, but for your less tech-savvy parents.

Re: No, we need to stop doing illicit things onlin

Or close your eyes when you browse, nobody can see you.

Privacy Badger is better

[mister_playboy]

Ghostery's business model is that they prevent other trackers from tracking their users so that the tracking data gathered by Ghostery itself is more valuable.

There is no need to compromise with commercial interests on this subject. Use EFF's Privacy Badger instead.