Hopefully this means that Google is taking steps to better protect the privacy of users. I'm curious if there are other ways that a site can identify if you are in private mode.
You can see the script they currently use to detect incognito in different browsers + rules they use to allow browsers even if they haven't logged in (e.g. social browsers and their apps)
While I absolutely agree with Google's motivation to keep the incognito mode functional, I find their response somewhat nonsensical.
> Sites that wish to deter meter circumvention have options such as reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywalls.
What use would reducing the free article count be if you cannot reliably count the articles in the first place?
And what is "hardening their paywalls" even supposed to mean? Supposedly, you'd like to make your paywall harder to circumvent. However if you allow any registrationless articles at all, that would necessarily require some kind of tracking - exactly the kind of tracking the incognito mode is supposed to prevent.
Turning into a strict registration-only site is likely also problematic because this could cause them to be downranked by - surprise! - Google, this time in their incarnation as a search engine.
For example, if you only allow one free article in the first hour (based on a cookie), someone using incognito mode has to close and reopen it after reading each article. It's a bit of a speed bump for browsing the newspaper reading many articles, versus following links posted somewhere else.
But you're right that if incognito mode works properly, the usual per-month paywall restriction doesn't work.
> Turning into a strict registration-only site is likely also problematic because this could cause them to be downranked by - surprise! - Google, this time in their incarnation as a search engine.
There is steps they can take to have a registration only website while allowing Googlebot to authenticate.
It's still detectable, this protection introduces a new side-effect which can be used to detect incognito. I Wrote a blog post[1] yesterday showing how to do that.
12 comments
[ 1.8 ms ] story [ 39.6 ms ] threadhttps://gist.github.com/jeroenvisser101/9f8119cfa91371dd6e1a...
Source: nytimes.com's sourcemaps
> Sites that wish to deter meter circumvention have options such as reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywalls.
What use would reducing the free article count be if you cannot reliably count the articles in the first place?
And what is "hardening their paywalls" even supposed to mean? Supposedly, you'd like to make your paywall harder to circumvent. However if you allow any registrationless articles at all, that would necessarily require some kind of tracking - exactly the kind of tracking the incognito mode is supposed to prevent.
Turning into a strict registration-only site is likely also problematic because this could cause them to be downranked by - surprise! - Google, this time in their incarnation as a search engine.
But you're right that if incognito mode works properly, the usual per-month paywall restriction doesn't work.
There is steps they can take to have a registration only website while allowing Googlebot to authenticate.
There are options beyond what we have today. Abusing an API loophole to detect incognito browsing was never the right answer.
Come on NYT, I can clear your cookies and have the exact same effect as using incognito.
[1]http://mishravikas.com/articles/2019-07/bypassing-anti-incog...
- Click 'Application' tab
- Click 'Clear storage' in the righ column
- Click 'Clear site data' button
Now NYT or whoever, has lost all the cookies, localStorage etc. that they use to track your usage.