Why Private Browsing Modes Do Not Deliver Real Privacy∗

Over the past few years, all of the major web browser vendors have embraced the concept of Privacy Enhancing Technologies (PETs), and added “private browsing” modes to their products. Publicly, the companies describe this feature as useful for consumers “shopping for a gift on a family PC” [14] or someone wishing to “to plan surprises like gifts or birthdays” [7]. The private browsing features are widely promoted, and have even been featured in TV advertising campaigns [12, 13]. Unfortunately, the browser vendors have adopted a very narrow threat model of attacks from which they will protect users. Private browsing modes primarily protect users from a local adversary, who sits down at a user’s computer, and attempts to look through their browsing history. Most importantly, the private browsing modes are not intended to effectively protect users from online tracking by third parties [4], from adversaries with access to or control over the user’s network connection, such as their ISP or employer, or from a motivated attacker (e.g. a suspicious spouse) willing to install spyware on their computer. When a user initiates a private browsing session, each of the browsers display some form of text dialog to users. This text details the kinds of data, such as cookies and