Private Browsing Modes Not So Private After All, Report Says
Cnet's Seth Rosenblatt published a story today about privacy risks in the private browsing modes of modern web browsers.
He summarized the findings of a soon-to-be-published report by researchers at Stanford University's Computer Science Security Lab. The researchers analyzed the private browsing modes of Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari and came to the conclusion that the modes are not as private as many users think they are.
First problem: the report is not online yet. Cnet linked to an old report that contained limited information on the subject, as it was published in August 2009. Only an abstract of the new report is available on the USENIX website.
We study the security and privacy of private browsing modes recently added to all major browsers. We first propose a clean definition of the goals of private browsing and survey its implementation in different browsers. We conduct a measurement study to determine how often it is used and on what categories of sites. Our results suggest that private browsing is used differently from how it is marketed. We then describe an automated technique for testing the security of private browsing modes and report on a few weaknesses found in the Firefox browser. Finally, we show that many popular browser extensions and plugins undermine the security of private browsing. We propose and experiment with a workable policy that lets users safely run extensions in private browsing mode.
So, what are the findings of the report according to Seth? The private browsing modes of Firefox, Google Chrome, Internet Explorer and Safari are not necessarily as private as developers claim.
Why is that? Because add-ons may undermine the mode. While the browsers do not store data in private browsing mode, add-ons or extensions may very well do so. There are simply no control mechanisms yet to prevent them from doing so.
But that's something that Mozilla already recognized in February 2010.
But even if add-ons record activity, it may not mean that privacy is compromised. That largely depends on the data that is stored and how it is stored and made accessible in the browser.
Another consideration is that Google Chrome, for instance, disables all extensions by default but gives the user the controls to enable them in private browsing mode.
Lastly, the study did not include the Opera web browser, which it should have.
What does this all mean for users who use the private browsing mode? That depends: first on the add-ons that they use and whether some store records of private browsing sessions, and second on the dedication and technical knowledge of users who want to spy on someone's web browsing sessions.
Browser developers like Mozilla should consider adding a no-extensions policy to the private browsing mode of Firefox, to prevent data leaks in the mode. A more sophisticated solution, like only enabling extensions that are known not to record data in private browsing mode, should be the ultimate goal though.