
Understanding Browser Incognito Mode: Limitations, Detection Techniques, and Fingerprinting

The article explains how browser incognito or private‑browsing modes work, clarifies common misconceptions, details why they do not provide true anonymity, and explores technical detection methods and fingerprinting techniques—including code examples—while offering guidance on protecting personal privacy.

ByteFE

This article provides a comprehensive overview of browser incognito (private‑browsing) modes from both a popular‑science and a technical perspective, outlining what these modes hide, what they do not, and how they can be detected.

What Private‑Browsing Is

Modern browsers offer a privacy mode (Chrome calls it Incognito, others call it Private Browsing) that hides the browsing session from the local computer: cookies, history, form data, and passwords are not retained after the window is closed. However, the mode does not make the user anonymous on the network; IP address, device type, and timing information remain visible to websites and ISPs.

Common Misconceptions

Many users mistakenly believe private browsing protects against malware, tracking scripts, or ISP monitoring. In reality, it only prevents the local machine from storing session data; it does not block third‑party tracking, fingerprinting, or network‑level surveillance.

How to Enable Incognito Mode

In Chrome, open a new incognito window via the three‑dot menu or Ctrl+Shift+N. Third‑party cookies are disabled by default.

Practical Demonstration

The site Nothing Private shows that a hidden finger field is sent with each request, allowing the server to recognize a user even in incognito mode.

Technical Detection Techniques

Before Chrome 76, sites could detect incognito mode by attempting to use the FileSystem API, which is disabled in private mode. Example code:

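// The unprefixed name is requestFileSystem; Chrome exposes the webkit-prefixed form.
const fs = window.requestFileSystem || window.webkitRequestFileSystem;
if (!fs) {
  // API not present at all (non-Chromium browser): no conclusion possible.
  console.log('check failed?');
} else {
  // Request 100 bytes of temporary storage: success callback first, error callback second.
  fs(window.TEMPORARY, 100,
    console.log.bind(console, 'not in incognito mode'),
    console.log.bind(console, 'incognito mode'));
}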

Later, detection shifted to two other methods:

File‑system size detection using navigator.storage.estimate:

// await needs an async context, so the check runs inside an async function.
(async () => {
  if ('storage' in navigator && 'estimate' in navigator.storage) {
    const { usage, quota } = await navigator.storage.estimate();
    console.log(`Using ${usage} out of ${quota} bytes.`);
    // A quota below roughly 120 MB is treated as the incognito signal.
    if (quota < 120000000) {
      console.log('Incognito');
    } else {
      console.log('Not Incognito');
    }
  } else {
    console.log('Can not detect');
  }
})();

Timing attacks on the temporary file system: Chrome stores writes in memory during incognito, making them faster than disk writes. Measuring write speed can reveal the mode.

Browser Fingerprinting

Even when incognito hides local data, browsers still expose a rich set of attributes that can be combined into a fingerprint. Basic fingerprint data include User‑Agent, screen resolution, color depth, installed plugins, language, timezone, cookies, etc. Advanced fingerprinting adds Canvas, WebGL, AudioContext, WebRTC, and font data.

Combining basic and advanced data yields a "composite" fingerprint with >99% uniqueness.

ClientJS Example

ClientJS gathers many attributes and hashes them with MurmurHash via the getFingerprint function. The data points are:

user agent, screen print, color depth, current resolution, available resolution, device XDPI, device YDPI, plugin list,
font list, local storage, session storage, timezone, language, system language, cookies, canvas print
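
Why a hash of this kind survives incognito mode, shown as an added example (not ClientJS's own code): MurmurHash3 is implemented inline, and the field names, their order, the seed and the sample values are assumptions constructed for the illustration.

```javascript
// MurmurHash3 (x86, 32-bit) over the UTF-8 bytes of a string.
function murmur3_32(str, seed = 0) {
  const data = new TextEncoder().encode(str);
  const c1 = 0xcc9e2d51, c2 = 0x1b873593;
  const rotl = (x, r) => (x << r) | (x >>> (32 - r));
  const mixK = (k) => Math.imul(rotl(Math.imul(k, c1), 15), c2);
  let h = seed | 0;
  const tail = data.length & ~3;            // start of the 0-3 trailing bytes
  for (let i = 0; i < tail; i += 4) {       // little-endian 4-byte blocks
    const k = data[i] | (data[i + 1] << 8) | (data[i + 2] << 16) | (data[i + 3] << 24);
    h = rotl(h ^ mixK(k), 13);
    h = (Math.imul(h, 5) + 0xe6546b64) | 0;
  }
  let k = 0;
  for (let i = data.length - 1; i >= tail; i--) k = (k << 8) | data[i];
  if (data.length > tail) h ^= mixK(k);
  h ^= data.length;
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);   // final avalanche
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

// Hypothetical attribute names and order; the real library's key layout may differ.
const FIELDS = ['userAgent', 'resolution', 'colorDepth', 'plugins', 'fonts',
                'timezone', 'language', 'cookiesEnabled', 'canvasPrint'];

function fingerprint(attrs, seed = 256) {   // seed value is an assumption
  return murmur3_32(FIELDS.map((f) => String(attrs[f])).join('|'), seed);
}

// Constructed sample: what a script can read in a normal window.
const normalWindow = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0',
  resolution: '1920x1080', colorDepth: 24, plugins: 'PDF Viewer',
  fonts: 'Arial,DejaVu Sans,Noto Sans', timezone: 'Europe/Berlin',
  language: 'en-US', cookiesEnabled: true, canvasPrint: '9f2c41d0',
  storedCookies: 'sid=constructed-session',  // local state, never a hash input
};
// Incognito starts with an empty cookie jar; every hashed attribute is unchanged.
const incognitoWindow = { ...normalWindow, storedCookies: '' };
// A defence that alters even one reported attribute yields a different ID.
const spoofedWindow = { ...incognitoWindow, timezone: 'UTC' };

console.log(fingerprint(normalWindow) === fingerprint(incognitoWindow)); // true
console.log(fingerprint(normalWindow) === fingerprint(spoofedWindow));   // false
```

The identifier depends only on what the browser reports, not on what it stores, which is why clearing local state does not reset it.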

FingerprintJS Example

FingerprintJS is a lightweight pure‑JavaScript library that returns a 32‑bit integer identifier. Basic usage:

import FingerprintJS from '@fingerprintjs/fingerprintjs';
const fpPromise = FingerprintJS.load();
(async () => {
  const fp = await fpPromise;
  const result = await fp.get();
  const visitorId = result.visitorId;
  console.log(visitorId);
})();

Canvas Fingerprinting Implementation

A simple Canvas fingerprint can be generated by drawing text and shapes, extracting the PNG data URL, and using the 4‑byte CRC stored near the end of the file as the identifier. Example code:

function bin2hex(s) {
  let n, o = '';
  s += '';
  for (let i = 0, l = s.length; i < l; i++) {
    n = s.charCodeAt(i).toString(16);
    o += n.length < 2 ? '0' + n : n;
  }
  return o;
}
function getUUID(domain) {
  let canvas = document.createElement('canvas');
  let ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = "14px 'Arial'";
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText(domain, 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
  ctx.fillText(domain, 4, 17);
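  // toDataURL() returns a base64-encoded PNG; strip the data-URL prefix.
  let b64 = canvas.toDataURL().replace('data:image/png;base64,', '');
  // The last 12 bytes are the IEND chunk, so bytes -16..-12 hold the CRC-32 of the chunk before it.
  let crc = bin2hex(atob(b64).slice(-16, -12));
  return crc;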
}
console.log(getUUID('https://www.baidu.com/'));
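
What `slice(-16, -12)` actually reads, as an added example that is not part of the original article: it builds a PNG‑shaped byte sequence and shows that those four bytes are the CRC‑32 of the chunk before IEND, so any change in the rendered pixels changes the identifier. The helper names and the IDAT payload are constructed placeholders (the payload is not real compressed image data).

```javascript
// CRC-32 as specified for PNG chunks (reflected polynomial 0xEDB88320).
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) {
    c ^= b;
    for (let i = 0; i < 8; i++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

const be32 = (n) => [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255];
const ascii = (s) => [...s].map((ch) => ch.charCodeAt(0));

// One PNG chunk: 4-byte length | 4-byte type | data | CRC-32(type + data).
function chunk(type, data) {
  const body = [...ascii(type), ...data];
  return [...be32(data.length), ...body, ...be32(crc32(body))];
}

// Constructed stand-in for the bytes behind canvas.toDataURL().
// pixelBytes plays the role of the compressed pixel data in IDAT.
function fakePng(pixelBytes) {
  const signature = [137, 80, 78, 71, 13, 10, 26, 10];
  const ihdr = chunk('IHDR', [...be32(1), ...be32(1), 8, 6, 0, 0, 0]);
  return [...signature, ...ihdr, ...chunk('IDAT', pixelBytes), ...chunk('IEND', [])];
}

// The same four bytes the article's getUUID() extracts, hex-encoded.
function canvasId(png) {
  return png.slice(-16, -12).map((b) => b.toString(16).padStart(2, '0')).join('');
}

// Two "renderings" that differ in a single byte, as two GPU/font stacks might.
const deviceA = fakePng([0x10, 0x20, 0x30, 0x40]);
const deviceB = fakePng([0x10, 0x20, 0x30, 0x41]);
console.log(canvasId(deviceA), canvasId(deviceB));
```

Because the value is only 32 bits wide, it separates devices with different rendering output but will collide across large populations, which is one reason trackers combine it with other attributes.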

Protecting Personal Privacy

Incognito mode is useful for shared devices, avoiding local history, and preventing casual snooping, but it does not protect against sophisticated tracking. To mitigate fingerprinting, users can employ browser extensions that spoof or block data collection, or use privacy‑focused browsers (e.g., the "Owl" browser) that modify low‑level APIs.

Additional defenses include disabling third‑party cookies, using VPNs to hide destination sites from ISPs, and employing the Tor Browser for stronger anonymity.

References

Is Private Browsing Really Private? – https://spreadprivacy.com/is-private-browsing-really-private/

Google Chrome Incognito Detection Methods – https://www.bleepingcomputer.com/news/google/google-chrome-incognito-mode-can-still-be-detected-by-these-methods/

FingerprintJS Documentation – https://fingerprintjs.com/

ClientJS Project – http://clientjs.org/

Written by

ByteFE

Cutting‑edge tech, article sharing, and practical insights from the ByteDance frontend team.
