What Big Tech Doesn’t Want You to Know About Incognito Mode

There’s something quietly satisfying about clicking that incognito icon. The little spy figure, the darkened browser window, the implicit promise that what happens here stays here. Millions of people open private browsing tabs every single day to shop for gifts, to research embarrassing symptoms, to look up an ex, to read news behind a paywall. The assumption underneath all of it is the same: nobody’s watching.

That assumption is wrong. Not slightly wrong. Fundamentally, structurally wrong in ways that the companies building these browsers have never been eager to explain.

The Gap Between What It Says and What It Does

When you open an incognito window in Chrome, you’re greeted with a disclaimer that most people skim past. It says, essentially, that your browsing won’t be saved on your device no history, no cookies that persist after you close the tab, no form data. That part is technically accurate.

What that screen doesn’t foreground is the longer list of who can still see everything you do. Your internet service provider. Your employer, if you’re on a work network. The websites you visit. And in Chrome’s case specifically: Google itself, depending on how your account and sync settings are configured.

The framing matters enormously here. The incognito screen talks about what it protects you from your roommate opening your laptop, your kid scrolling through your browser history. It says almost nothing about the far more consequential audiences: the advertising infrastructure, the data brokers, the platform that built the browser in the first place.

Google Knew, and Said Very Little

In2020, Google faced a class-action lawsuit alleging that the company continued to collect user data even when people were browsing in incognito mode through Google Analytics, Google Ads, and other tracking tools embedded across the web. The lawsuit argued that users had a reasonable expectation of privacy when they activated private browsing.

Google’s initial defense was, in a sense, revealing: the disclaimer screen told users their data could still be visible to websites and services. Legally, that’s a disclosure. Practically, it’s buried under the more prominent message about privacy protection.

The case eventually settled in 2024. As part of the resolution, Google agreed to delete billions of data records collected from incognito users and to make certain disclosures more explicit. The settlement didn’t require admitting wrongdoing. The incognito mode still exists. The tracking infrastructure it sits on top of largely still exists too.

That episode didn’t get nearly the cultural attention it deserved, partly because the story requires understanding a few layers of technical architecture that most people find abstract. But the core of it isn’t abstract at all: a company built a “private” browsing mode, continued collecting behavioral data from people using it, and the main defense was that the terms said they could.

How the Tracking Actually Works

To understand why incognito provides so little protection against commercial surveillance, you need to understand what cookies actually are and more importantly, what they aren’t.

Cookies are small text files stored on your device. Blocking third-party cookies (which incognito mode does for the duration of your session) stops one specific mechanism of tracking. But it doesn’t stop your IP address from being logged by every server you connect to. It doesn’t stop browser fingerprinting, where advertisers build a unique profile based on your device’s screen resolution, fonts, installed plugins, time zone, and dozens of other attributes that together identify you with surprising precision. It doesn’t stop a website from recognizing you through a login if you open Gmail in incognito and then browse to a news site that has a Google sign-in widget embedded in it, the threads are still there.

Fingerprinting has become especially important to the ad industry precisely because of growing pressure on cookies. As privacy regulations tightened and browsers started blocking third-party cookies more aggressively, the tracking ecosystem adapted. It always does. The techniques get more sophisticated, more invisible, more difficult for any individual to opt out of and the “privacy features” in browsers tend to lag behind by a generation or two.

The Business Model Problem

Here’s the structural issue that rarely gets named plainly: the companies most capable of building genuinely private browsers are the same companies whose revenue depends on behavioral advertising.

Google makes the world’s most-used browser. Google’s core business is selling targeted ads. These two facts are not in conflict they’re part of the same strategy. Chrome is not primarily a product Google makes for users. It’s a product Google makes to extend its surface area across the web. Incognito mode exists within that product. Its limits are features, not bugs.

Apple’s Safari is meaningfully better on privacy, partly because Apple doesn’t sell ads against your browsing behavior the same way. That’s not altruism it’s a different business model. Apple monetizes hardware and services. Protecting your privacy, or at least being seen to protect it, is a competitive differentiator for them. The privacy is real, but it’s also a product.

Mozilla’s Firefox is built by a nonprofit and has historically prioritized privacy more aggressively. Brave is built specifically around blocking trackers. These alternatives exist. They work better. Most people don’t use them, partly because defaults are extraordinarily sticky and partly because most people don’t know there’s a meaningful difference.

What Private Browsing Is Actually Good For

None of this means incognito is useless. It does exactly what it says on the device-local level, and that’s genuinely valuable in certain contexts.

Shared computers are the obvious case. If you’re using a library computer, a hotel kiosk, or a family laptop, incognito prevents your session from being stored locally. That’s real protection against a real threat. It also helps with things like signing into a second account without logging out of the first, or checking how a webpage looks to a logged-out visitor, or preventing a retail site from jacking up prices based on your browsing history for that item (a real tactic that several major travel and retail sites have used).

For people in genuinely dangerous situations someone researching domestic violence resources, a journalist communicating with a source, a person in an authoritarian country trying to access blocked information incognito mode alone is dangerously insufficient protection. For these use cases, a VPN at minimum, and ideally the Tor Browser, is closer to necessary. The gap between what incognito implies and what it provides isn’t just a consumer annoyance; in extreme cases, it can be a safety issue.

The Language of Reassurance

What ties this all together is something worth sitting with for a moment: the deliberate use of language that creates a feeling of privacy without delivering the substance of it.

“Private browsing.” “Incognito.” The spy icon. The darkened interface. These are design choices. They were made by teams of designers and product managers who understood what associations they’d create. The experience of opening an incognito window feels like stepping behind a curtain. The technical reality is that you’re standing in the same room, and most of the same people can see you they’re just not writing it down on your side of the table.

That gap between the emotional experience of privacy and the technical reality of exposure is where a lot of the confusion lives. And it persists not because users are unsophisticated, but because the interfaces are designed to not correct the misunderstanding.

The next time that dark browser window opens, it’s worth remembering: the only party that can’t see where you’re going is the person sitting next to you.