Incognito Mode Isn’t Doing What You Think It’s Doing

There is an urban myth that says online shoppers who doggedly search for certain items on the web get tagged by algorithms that then cause them to see higher prices than others shopping for those same items.

The solution for many people: They choose private mode on their web browsers, believing that cloaking their identity can help them get better prices.

But while such “private” settings as Google Chrome’s Incognito mode or Apple’s Safari private browsing mode do offer some benefits, getting a better price isn’t one of them.

“All these private modes do for shoppers is basically erase your search history from the device you’re on and prevent the browser from using your cookies to see your browsing activity across different sites,” says Benjamin Barrontine, vice president of executive services at 360 Privacy, a company that specializes in protecting clients’ digital identity. This is a great feature if you share a laptop with your children and you want to hide the presents you’re purchasing for them, but companies’ pricing is typically based on a number of factors—timing, location, how much an item in that category’s company paid to rise to the top of your search results—that don’t have to do with you personally or how often you search for a product.

A Google spokesperson confirms that cookies, or information stored on your device, are remembered in the current Chrome browsing session while in Incognito mode but then deleted immediately after closing out the session. If you return in Incognito mode to make the purchase, the websites will see you as a new user and won’t remember what you left in your cart. You essentially have to start your search anew, but with the benefit of blocking anyone who shares that device from seeing what you were researching.

Ultimately, experts say, private modes give shoppers a false sense of anonymity and a feeling that they are gaming the system, when all they are doing is hiding past searches. “You should know that your internet-service provider and even your network administrator at work, if you’re searching on a work device or network, may still see what you’re searching,” says Barrontine. “Private mode is not so private, after all.”

In fact, the big tech companies most likely know with near certainty who it is that is doing this supposedly secret searching, even in private mode.

“When you go on to Amazon.com in private mode and search for a bathrobe, even if you’re not logged into the site, Amazon is 99.9% sure of who you are because of the digital fingerprint they’ve developed for you over time,” says Ken Carnesi, chief executive and co-founder of DNSFilter, a software firm that protects companies from attacks at the domain name system level. That’s because Amazon would still know how you arrived at its site based on the link you clicked, your IP address, your ZIP Code, many of your preference settings and loads of other device-specific attributes. A company spokesman declined to comment.

The tech firms may not know that it is specifically you scouring their sites, but they’d know the search came from your home, which operating system you’re using, which language is your default and other details that point to you.

“That’s why, even when you’re not in private mode later on, if you didn’t close out that private window, you may still see bathrobes being pitched to you,” Carnesi says. “All the tracking is likely still passed through to the company who paid for the ad you clicked on.”

Contrary to popular belief, pricing for highly fluctuating, big-ticket items isn’t impacted by private searches, says Kevin Williams, an associate professor at the Yale School of Management who recently published a paper looking at airlines’ methods of dynamic pricing. Williams says in the case of plane tickets, “Airline pricing doesn’t take into account any of your personal information except location,” as in the country of origin. Using a virtual private network (VPN) can obfuscate your device’s physical location, and may turn up a better fare, but might require some trial and error, Williams says.

There are some additional benefits for shoppers to using private mode, beyond hiding your searches from prying eyes. The search bar won’t auto-fill with prior searches, so you can start anew every time you open a new private window and not fall down an old rabbit hole. You can keep your searches private on a public device or borrowed computer. And you can use a credit card that will later be wiped so your children won’t have access to funds without permission.

For true privacy, consider shopping through a search engine like Brave.com, which doesn’t ever track your searches or your clicks. “Unlike with other search engines, you and your data are not the product here,” Carnesi says. And your partner will never know about that bathrobe you forgot to actually purchase.

As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.

Be familiar with how vendors develop, test and release their software

IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike , to a “very high standard” of development, release quality and assurance, said Neil MacDonald , a Gartner vice president.

“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.

That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.

“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.

Re-evaluate how your firm accepts software updates from ‘trusted’ vendors

While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.

“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog . undefined undefined Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.

Automation, and maybe even artificial intelligence-based IT tools, can help.

“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”

Develop a disaster recovery plan

An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.

One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.

Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.

Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.

Review vendor and insurance contracts

For any vendor with a significant impact on company operations , MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.

“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.

If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.

The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.

This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.

Weigh the advantages and disadvantages of the various platforms

The CrowdStrike update affected only devices running Microsoft Windows-based systems , prompting fresh questions over whether enterprises should rely on Windows computers.

CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple ’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.

Some businesses have converted to Chromebooks , simple laptops developed by Alphabet -owned Google that run on the Chrome operating system . “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”