In a word: no.
You're both right, and you're both wrong.
Private browsing, also known as Incognito mode, protects your privacy to a point. And it's typically not the point most people think it is.
Beyond that point, private browsing does exactly nothing to keep you more private.
Become a Patron of Ask Leo! and go ad-free!
Private browsing
Private browsing (or Incognito mode) only affects data stored on your computer, like cookies, history, and cache files. It doesn't hide your online activity from others like ISPs or websites. Private browsing is useful for keeping your activities private from others using the same computer, but it doesn't offer broader online privacy or security. For more extensive privacy, you'll need tools like VPNs or more.
The private browsing line
Private browsing affects only the information stored on your computer. Nothing else.
Information stored or seen elsewhere is completely unaffected by private browsing. If it's not on your computer, it's not affected by private browsing.
What private mode actually does
When you open a private (or incognito) window:
- Any cookies present in your normal session are not made available. This is why you might have to sign in to a service again.
- Extensions are disabled. Typically, browsers allow you to specify individual extensions that are allowed in private mode, but the default is none.
- Some browsers that support various levels of tracking protection may set that to the highest level for the private window.
When you close a private mode window:
- Any cookies it collected are deleted.
- Any history accumulated is erased.
- Any cache files are removed.
That means that anyone walking up to your computer should, in theory, see no evidence of the sites you visited, except for any files you explicitly downloaded yourself.
That's it, and that's all.
What private mode does NOT do
It does not hide what you're doing from other entities.
- Your network traffic is unaffected. Your ISP can still see what you're up to.
- The websites you visit have no idea you're incognito. They can still identify you by various means not limited to cookies, and they can still keep a record of your visit.
- The search history saved online, such as Google's, is not affected if you've signed into your Google account in the private window.
- Any malware on your machine can see what you're up to.
- Files deleted when you exit private mode might still be recoverable after your session.1
The bottom line is that private mode is great at preventing anyone with access to your computer from easily finding your activities there -- but it does nothing to protect your online privacy.
So what good is private mode?
Given that list of all the things it doesn't do, you might wonder why you'd use private browsing at all.
There are at least a couple of scenarios where it's useful.
- You're signed into a site, but you also need to visit that site either not signed in at all or signed in with a different account. Private mode launches with you signed out of everything.2
- You're using a computer that itself isn't secure -- for example, a computer at a public place such as a library.3 If you do all of your work within a private window, when you close that window, all of your tracks on that computer will be removed.
Do this
Don't assume that Private or Incognito modes give you any additional privacy or security online. They're only about what's preserved on the computer you're using and nothing else.
Use them for what they make sense for, but if you need more, you'll need to look into other tools like VPNs, TOR, or even dedicated machines and bare-bones operating systems and browser installations.
In Incognito, Private, In-Private, something else, or no mode at all, use your browser to subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: This is highly implementation-dependent. Different browsers do things in different ways, ranging from not creating “files” at all but keeping things in memory to attempting a secure delete. The latter is not something I’d count on if it matters to you.
2: I do this all the time with Ask Leo!. I'm constantly signed in with my administration account, but sometimes need to see what happens when I'm signed in as someone else or not signed in at all.
3: Or a computer at home that someone else has access to.
Speaking about privacy, after seeing an ad for the Duck Duck Go browser, I downloaded it and tried it out. I found it useless. It’s similar to incognito/in-private mode, but it’s very poor for security as it doesn’t allow extensions and doesn’t allow password managers. You’d think a company that touts security has no clue as to protecting your computer.
Mark, I’ve never seen DuckDuckGo advertised as security. I’ve always seen it for privacy. Just like you found out, their browser essentially works like Incognito mode in Chrome. And their search engine apparently doesn’t report back to advertisers like other search engines do.
I’d put up with a few targeted ads rather lose the security of a password manager. When installing an extension, most browsers ask you if you want to allow it in Incognito/Private mode.
CBC News’ Marketplace program did a test a few years ago. They had several shoppers go online shopping and they all got different prices because the online websites were juggling the prices based on your browsing history (like the way the advertisers seem to know all about you). However, when the shoppers went into Private or Incognito, they got the better deal because the online websites knew nothing about the shoppers.
Wow!! I think it’s even worse than we thought. Private is actually the opposite of Private. “Google settles $5 billion privacy lawsuit over tracking people using ‘incognito mode'”
https://www.npr.org/2023/12/30/1222268415/google-settles-5-billion-privacy-lawsuit
Very interesting, as usual.
I will now be able to help mom download her library books to her Kindle from my computer using private browsing, and not need to log out of my account first etc.
Question though. You wrote it will delete any cookies from the session upon closing the private browsing window … does that include super cookies / ever cookies, the hard to get rid of cookies?
Depends on the technology used by those hard-to-delete cookies, so there’s really no single answer. I suspect the answer is “some” or even “most”.