There’s no shame in firing up a private browsing window from time to time, whether it’s to visit a NSFW website or just to protect your personal information while checking your email on a public computer. But while private browsing modes do their best to erase your tracks, they can also leave digital clues behind.
The virtue of a feature like Chrome’s Incognito Mode, of course, is that whoever uses that computer after you shouldn’t be able to see the sites you’ve visited, because the browser doesn’t record your history. But traces of your browsing can still remain on your computer after you’ve closed that Incognito window, a phenomenon that can happen in a couple different ways, says Frank Wang, a computer science doctoral candidate at MIT.
One vulnerability has to do with something called a domain name service (or DNS) request. When a browser connects to a website—say, PopSci.com—it needs to translate those letters into numbers, and that process can leave footprints in your operating system, Wang says, in a place called the DNS cache. If a knowledgeable person got access to your machine, they could exploit this vulnerability to figure out what sites you’ve visited. “It’s not very hard actually,” he says.
That’s because just closing your browser after private browsing doesn’t clear that cache, he notes. “The browser doesn’t have enough privilege or access to do that,” Wang says.
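To see this residue on your own machine, the sketch below (an added example, not part of the original article or of Wang's work) parses a dump of the operating system's DNS cache and reports which hosts from a private session are still remembered. It assumes the English-language layout printed by Windows' `ipconfig /displaydns`; the sample dump, hostnames and addresses are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by Windows' `ipconfig /displaydns`
# (hostnames, TTLs and addresses are made up for this example).
SAMPLE_DUMP = """\
Windows IP Configuration

    www.popsci.com
    ----------------------------------------
    Record Name . . . . . : www.popsci.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 212
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    mail.example.org
    ----------------------------------------
    Record Name . . . . . : mail.example.org
    Record Type . . . . . : 1
    Time To Live  . . . . : 47
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.25
"""

FIELD = re.compile(r"^\s*(Record Name|Time To Live)[\s.]*:\s*(\S+)\s*$")

def cached_hosts(dump):
    """Return {hostname: remaining TTL in seconds} for each cached record."""
    hosts, current = {}, None
    for line in dump.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Record Name":
            current = m.group(2).lower().rstrip(".")
        elif m and current and m.group(2).isdigit():
            hosts[current] = max(hosts.get(current, 0), int(m.group(2)))
    return hosts

def residue(dump, visited):
    """Hosts from a private session that the OS cache still remembers."""
    cache = cached_hosts(dump)
    return {h: cache[h] for h in (v.lower() for v in visited) if h in cache}

if __name__ == "__main__":
    for host, ttl in residue(SAMPLE_DUMP, ["www.popsci.com", "news.example.net"]).items():
        print(f"{host} still cached for ~{ttl}s; `ipconfig /flushdns` clears it")
```

On a real Windows machine, feed the function the saved output of `ipconfig /displaydns` instead of the sample; running `ipconfig /flushdns` afterwards empties the cache.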
Another vulnerability is that your operating system could write information to your hard drive while you’re browsing in private mode to help manage memory efficiently. That happens, Wang says, when your machine starts running out of memory. The result is that images or HTML code from the sites you were visiting could wind up on your hard drive, which the browser would not delete later. The issue in both of these cases is that your browser doesn’t have access to these parts of the operating system to clean up after itself. “Chrome doesn’t have control over how Windows works, or how my macOS X works,” he notes—nor would you necessarily want to give an application that kind of control.
So Wang is proposing a new system, called Veil, that would address these problems. The idea is that instead of going straight to the website you want to visit, or even launching an Incognito window, you’d first navigate to a special Veil website, and then access the other sites you wanted to visit through that one. From there, the system “sends a request to what we call ‘blinding servers,’” which would be hosted by volunteers, Wang says.
The service is currently theoretical, but it would mean that your internet service provider wouldn’t know what website you’re actually visiting—it would only see the connection to the blinding server, which hosts the actual content. The idea, which also makes use of encryption, has additional appeal because it means not using a Google-made service to shield your browsing history. “We don’t want to rely on Chrome for private browsing,” he says.
Hana Habib, a doctoral student in the societal computing program at Carnegie Mellon University, points out another potential flaw in the way private browsing works: If a browser crashes in the middle of a private session, that could interrupt a process that some browsers use in which they only delete information after the session has been properly closed, she says. She also recommends a way that the private browsing feature could be improved: a “time-out function” to auto-close a window that was accidentally left open, just like the way your bank logs you out if you haven’t been active in that tab for a while.
Don’t forget that with private browsing, your internet service provider still knows what sites you’ve connected to, she points out, and if you’re using a machine at work, your employer probably will, too.
But even though private browsing isn’t perfect, it all depends on what your goal for using it is. “A lot of people use private browsing just to hide their activity from other people who might use their computer later,” she says. “And for that, private browsing does a pretty good job of protecting users against that particular threat.”