By Iris Hearn
Jul 29, 2019
Google Plans To Remedy Loophole in Incognito Mode — But Some Publishers Aren't Happy
Google has announced plans to remedy a loophole in its private browsing mode that can allow websites to detect when Incognito Mode is being used.
This change comes a few months after Mozilla’s Firefox browser released an update that better locks down privacy protections for its users — directly calling out Google and Facebook for “misleading” users into believing that their private sessions are truly private.
There are many valid reasons that people choose to use private browsing modes online. As Google points out in the announcement, in cases of domestic abuse or political oppression, it’s important to ensure that these sessions are truly airtight when browsers are claiming to offer privacy.
For Google, which has come under fire several times for its shortcomings in protecting users in Incognito Mode, this is a step in the right direction. Chrome is one of the most popular internet browsers, so taking steps to make its policies more closely aligned with emerging web standards for private browsing modes sets a strong precedent for other browsers to follow suit, though you could argue that Firefox got the ball rolling on this one.
However, this solution could negatively affect publishers who are using this loophole to “catch” users trying to dodge paywalls by using Incognito Mode sessions.
Chrome’s Incognito Mode loophole
The loophole that allowed sites to see who’s browsing in Incognito Mode stems from the ability to detect Chrome’s FileSystem API.
When you start a session in Incognito Mode, Chrome disables the FileSystem API in order to avoid leaving any traces of the session activity on someone's device. That’s what keeps the session “private” for users.
However, Google discovered that some sites had found a loophole: they check whether the FileSystem API is available in a user’s session. If the check comes back with an error, they can determine that a private session is being used and give users a different experience.
For example, if a site uses cookies to track certain features (like blogs viewed, webinars watched, or resources downloaded), it can choose to block those features for Incognito sessions using this loophole.
So, while your data may not be tied back to your personal email, Facebook, or device, sites can still pick up on the fact that you’re using an Incognito session.
By fixing this loophole, Google is able to ensure that Chrome users can freely access private browsing, and their choice to do so will remain private as well.
How this may affect publishers
If you have a business blog with the purpose of posting free content to gain organic traffic and educate potential prospects, this change won’t affect you.
Publishers that will feel the effects of this update are the ones that use metered paywalls to limit users' access to content.
A “metered paywall” allows publishing websites to offer a limited number of free articles before users need to either create an account or get a monthly subscription to read more.
For example, I hit one on Inc’s website earlier this week:
Of course, like most people who get these metered paywalls, I just went into Incognito Mode to read the article. For Inc, this seems to work fine — so it's not one of the sites taking advantage of the loophole.
Because these metered paywalls rely heavily on cookies to track how many articles a user has read, publishers use the FileSystem API loophole to “catch” users trying to get around the limitations.
While I understand why websites have used this loophole, it doesn’t change the fact that it is invading the privacy of users who have specifically relayed they don’t want to be tracked.
Furthermore, by blocking access to all users browsing in Incognito Mode, publishing companies risk alienating audiences who may not be taking advantage of the metered paywall, but just browsing in Incognito Mode for other reasons. For example, some marketers use Incognito Mode to avoid skewing cookie traffic data when testing websites or paid ads.
By locking down this information, you could actually lose an interested customer who may have otherwise subscribed to your content.
So, if you’re a publishing company that relies on this loophole to convert subscribers, you may want to consider who you could be losing out on in the process.
Still, Google is sympathetic to the concerns of these publishers, and offers the following advice:
“Sites that wish to deter meter circumvention have options such as reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywalls. Other sites offer more generous meters as a way to develop affinity among potential subscribers, recognizing some people will always look for workarounds.”
However, Google suggests that publishers don’t make any substantial changes just yet. Instead, it recommends monitoring how the initial change affects overall metrics, then crafting a plan for moving forward:
“We suggest publishers monitor the effect of the FileSystem API change before taking reactive measures since any impact on user behavior may be different than expected and any change in meter strategy will impact all users, not just those using Incognito Mode.”
Essentially, this will help eliminate multiple variables when determining what changes affected user traffic and conversions, allowing publishers clearer insights into the best changes to make.
Final thoughts
We have access to a nearly infinite amount of free information online. As such, many are turned off by any paywalls at all.
If you have a user that will attempt to circumvent metered paywalls using Incognito Mode, it’s unlikely they’ll convert to a paying customer.
As Google recommends, it may be a better approach to offer a set of free content, and also a selection of articles that live under a hard paywall — meaning you need a paid subscription to access that group of premium content no matter what.
For example, TechCrunch’s “Extra Crunch Exclusive” subscription:
With this model, you can still produce content for your audience to enjoy while also offering a premium product, without needing messy tracking workarounds to do so.
This approach helps TechCrunch gain a loyal following of people that read its free content each day. Avid fans who want more can upgrade to Extra Crunch based on really wanting the content, not because they’re being forced to subscribe.
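One way to apply the advice above on the server, as an added example that is not from Google or the original article: the meter is keyed on a registered account and premium articles sit behind a hard paywall, so the decision never depends on whether the browser is in Incognito Mode. The function names, tier labels, session fields and the limit of three articles are assumptions made for illustration.

```javascript
// Added example; every name and value here is hypothetical, not from the article.
const FREE_LIMIT = 3; // constructed: metered articles per account per month

function createMeter() {
  // In-memory stand-in for a database table: "account|month" -> Set of article ids.
  const reads = new Map();
  return {
    bucket(accountId, month) {
      const key = `${accountId}|${month}`;
      if (!reads.has(key)) reads.set(key, new Set());
      return reads.get(key);
    },
  };
}

// `session` must come from the server's authenticated session, never from a
// client-supplied flag or cookie counter.
function decideAccess(meter, article, session, month) {
  // Hard paywall: premium content needs a paid subscription no matter what.
  if (article.tier === "premium") {
    return session.subscribed ? "allow" : "deny:subscription-required";
  }
  if (article.tier === "free" || session.subscribed) return "allow";
  // Metered tier: require free registration so the count follows the account.
  if (!session.accountId) return "deny:registration-required";
  const seen = meter.bucket(session.accountId, month);
  if (seen.has(article.id)) return "allow"; // re-reading is not counted twice
  if (seen.size >= FREE_LIMIT) return "deny:meter-exhausted";
  seen.add(article.id);
  return "allow";
}

// Constructed walk-through: one registered reader, four metered articles.
function demo() {
  const meter = createMeter();
  const reader = { accountId: "reader-1", subscribed: false };
  const metered = (id) => ({ id, tier: "metered" });
  return [
    ...["a1", "a2", "a3", "a4"].map((id) => decideAccess(meter, metered(id), reader, "2019-07")),
    decideAccess(meter, metered("a1"), reader, "2019-07"),
    decideAccess(meter, metered("a4"), reader, "2019-08"),
    decideAccess(meter, metered("a1"), {}, "2019-07"),
    decideAccess(meter, { id: "p1", tier: "premium" }, reader, "2019-07"),
  ];
}

console.log(demo());
```

Because the count lives with the account on the server, clearing cookies or opening a private window changes nothing about the outcome.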
Google is flipping the switch to remedy this loophole on July 30th, so publishers should start thinking about how they want to approach access to the content they produce.