CyLab study finds users may be over-confident in protections of private browsing
Daniel Tkacik
Sep 21, 2018
Is private browsing the holy grail of surfing the net securely and undetected? Of course not, but some people may think it is.
A team of researchers from the CyLab Usable Privacy and Security Lab analyzed 450 consenting users' browsing behaviors over a three-year period. Their study was presented at last month's Symposium on Usable Privacy and Security in Baltimore.
"We were interested in reasons people had for using private browsing mode, and whether it was actually protecting them from their primary concerns," says CyLab researcher Hana Habib, a Ph.D. student in Societal Computing in the School of Computer Science. "We found that sometimes people over-estimated protections."
The study was conducted utilizing the Security Behavior Observatory, a panel of users consenting to researchers watching their daily computing behaviors "in the wild" through software monitoring. The study's participants were monitored between 2014 and 2017.
"Some people were doing online shopping in private browsing mode because they thought their credit card information would be transferred more securely," says Habib. "But that's not actually the case – there is no difference between normal browsing and private browsing in relation to the security of that information transfer."
Other misconceptions were related to the use of social media. Many participants used private browsing for social media because they thought their employer, or whoever ran the network they were using, would not be able to see that activity.
"If your employer has the ability to monitor your activity, they can still see which websites you're going to even if you're using private browsing," Habib says.
Many participants said they used private browsing to avoid targeted ads, which rely on internet cookies that websites collect based on your browsing behavior. Indeed, private browsing does not use cookies collected previously during normal browsing, but cookies are still collected during a private browsing session.
"There are mechanisms that allow websites to track you over the course of a private browsing session and use that information to make targeted ads during that session," Habib says. "If you use the same private browsing session long enough, it sort of turns into normal browsing because you'll eventually accumulate the same cookies."
These observations may help inform the design of private browsing platforms in the future.
"One layer of protection that we thought could protect users is having the private browsing window time-out after a certain amount of time, similar to how your banking website logs you out after some time of inactivity," Habib says.
Other authors on the study included Societal Computing Ph.D. student Jessica Colnago, CyLab research alumna Vidya Gopalakrishnan, CyLab researchers Sarah Pearman and Jeremy Thomas, and CyLab professors Alessandro Acquisti, Nicolas Christin, and Lorrie Cranor.