Over the years, Web browsing has become less anonymous, largely because of a system of tracking users' Web whereabouts that centers on the use of what we call cookies. Cookies enable websites to record a user's every action. Collecting information about someone as he or she surfs the Web, cookies are little data miners that send user information to a server.
Cookies are used for functions that help users -- such as remembering items that were in your shopping cart -- and that benefit website operators, like marketing or Web activity monitoring. You do not need to be Internet savvy to notice that, after visiting an online marketplace, the very products you were looking at previously start to appear in banners on other webpages.
To prevent websites from collecting information about users, browser makers developed what’s typically called “private browsing” mode, an optional setting to prevent the forwarding of identifiable user data, such as cookies. The conception, however, does not always match the reality, and many users are left with the question: Is private browsing really private?
Is private browsing really private?
Theoretically, private browsing enables individuals to surf the Internet without storing local data about their activities. The intended purpose of this option is to keep user browsing history confidential from others who may share or use the same machine. In order to accomplish this, browsers must either not create or dispose of history entries, cookies and cached items.
Safari, Firefox, Internet Explorer and Chrome are all popular browsers that offer a private browsing option. In fact, Chrome refers to it as “incognito mode” or “stealth mode,” conjuring up images of a clever spy in a trench coat ducking in and out of the Web’s back alleys. Ranging beyond the hype, private browsing can be extremely effective and beneficial for users who share a PC with others, or when using a public computer. By disabling browsing history and not keeping records of the searches or passwords used during a session, private browsing mode can prevent subsequent users of a machine from viewing potentially sensitive information.
Words such as “private,” “incognito” and “stealth” are misleading, and are giving users a false sense of security. Although private browsing may delete cookies and history from sites visited, information is still left behind in hidden caches, which are temporary storage spaces for saving frequently used data. Similarly, data may still be left in DNS logs, plug-ins and flash cookies, none of which are addressed by private browsers. Perhaps even more disconcerting is browsers do not protect users from being traced between private and non-private browsing sessions, due to their failure to properly isolate the two. Most browsers have plug-ins, which could contain their own tracking systems. Thus, even if the browser isn't revealing cookies, it does not mean a browser’s plug-ins are not. Additionally, if the browser does not disable browser extensions, which are computer programs that extend the browser’s functionality -- for example, automatically translating all pages into a specified language -- private browsing information can be leaked when switching back into non-private mode.
Also, enabling private browsing mode is no guarantee that data cannot be stolen outright. A user can be directed from a secure site to a malicious one without any warning. Once there, a script can be loaded during the browsing session onto the machine, which can enable attackers to help themselves to the user's personal data, regardless of whether it's stored in cookies. If the script is running when the user is logging into a trusted site, the hacker can gain login credentials and other authentication data.
While many users believe that add-ons such as Firefox’s No Script plug-in can provide them with extra security, in actuality, these add-ons can make a session even more susceptible to threats, increasing browser risk. First of all, most of Firefox’s plug-ins are not certified or even checked properly by Mozilla. In fact, on its Legal Disclaimers and Limitations page, Firefox states that, because it has not reviewed all of the material contained in such plug-ins, it cannot be held accountable for their content or any harm they might cause. This means that, while “protecting” you, these handy little security scripts could be collecting your data. Additionally, being open source, many of the add-ons may be poorly coded, which is a yet another potential security risk.
Through misleading terminology, end users, believing they are protecting themselves, may in fact be acting more carelessly than they originally would have. Although the fine print is there, albeit sometimes difficult to find, most individuals simply do not take the time to read it. Private browsing can offer some measure of security when utilized with other safe Web browsing practices, such as disabling Java applets, keeping systems patched and using a good antivirus program, all of which should be mandatory security procedures for most enterprises. These steps, in turn, serve to support an effective enterprise defense-in-depth security strategy. Private browsing should never be considered a replacement for good common sense, however, or as a valid security technique in and of itself for businesses concerned with risky employee Internet usage.
About the Authors:
Ashley Podhradsky, D. Sc., is an assistant professor in the Computing and Security Program at Drexel University. Dr. Podhradsky teaches and conducts research in digital forensics and information security. Her research has been recognized in academic conferences and journals within the U.S. and internationally.
Cindy Casey, Chris Lyn, and Anthony Lugo are currently enrolled in the Computing and Security Technology program at Drexel’s Goodwin College of Technology and Professional Studies.
This was first published in June 2011