Well, that was fast—websites have already found another end-around in Google's Chrome
browsers to detect when a user is running in a private session, otherwise known as Incognito mode. This is an obvious privacy
concern, though realistically, some users are simply ticked at not being able to easily thwart paywalled websites.
This was supposed to have been addressed in the recent Chrome 76 update
. For several years, websites have been able to leverage the FileSystem API in Chrome to detect if a user is running in Incognito mode. Sites requiring a subscription to access content—otherwise known as a paywall—could therefore block access during a private browsing session.
In Chrome 76, Google added a new flag that enables the FileSystem API in Incognito mode (rather than just during a regular browsing session), effectively closing the loophole and seemingly solving the problem. Google
celebrated the change in a blog post
and encouraged websites to play by the intended rules of privacy.
The request fell on deaf ears, however, as a security researcher wrote a piece detailing how websites are still detecting private browsing systems. Instead of leveraging a loophole in the FileSystem API, some sites have turned to the Quota Management API.
This newly used exploit looks at how temporary storage is being used in Chrome, as it works differently in Incognito mode compared to a regular browsing session. By tracking write speeds, a website can effective determine which mode a user is running.
So, what next? Well, Google could (and probably will) address this additional loophole in a future update. Whether that truly restores the concept of private browser remains to be seen. As it stands, it is starting to look like this is turning into a cat and mouse game between Google and websites.