Private browsing mode, also known as incognito mode, is a way to surf the web without your activity being recorded in your browsing history.
However, private browsing isn’t as “private” as you may think it is. Here’s why.
How does private browsing work?
When you open a private browsing window, the browser will only retain information whilst the window is open.
Key bits of information stored by browsers include the websites you’ve visited, usernames, passwords and information from forms, all of which are stored as “cookies” or small pockets of data.
Once your browsing window is closed, these cookies are cleared and if someone else uses your computer they won’t see what you were viewing.
However, private browsing doesn’t provide you with complete anonymity online.
Various parties can still monitor your internet traffic depending on your network. This could include your employer (or school), your internet service provider, government agencies or even random members of the public if you’re on public WiFi.
Digital forensic experts can also often find “artifacts” on a person’s computer that indicate recent web history, even in private browsing mode. These can include file downloads, bookmarks and other tiny bits of information indicating web use.
There is also the potential that software designed to snoop on your activities exists on your computer. This could include key loggers (which record what you type on your keyboard) or other spyware applications.
The “privacy” obtained through a private browser is simply that someone who uses the computer after you isn’t necessarily going to see recent history. It’s not, nor is it necessarily advertised to be, a complete solution to privacy online.
When can law enforcement access your private data?
Both Federal and NSW law enforcement have extensive powers to access data, search premises and seize computers as part of a criminal investigation, if they obtain a search warrant.
Depending on the type of warrant, law enforcement can access data from internet service providers, personal computers and other entities that may have relevant online activity data.
In NSW, a search warrant will be issued if a court is satisfied there are reasonable grounds to believe the search is necessary to obtain evidence of a “searchable offence”.
Section 46A of the Law Enforcement (Powers and Responsibilities) Act 2002 (NSW) (the LEPRA) states that a “searchable offence” includes:
- an indictable offence,
- a firearms or prohibited weapons offence,
- a narcotics offence,
- a child abuse material offence,
- an offence involving a thing being stolen or otherwise unlawfully obtained,
- a computer offence
For a general search warrant, NSW police will usually have to inform you that your property or data is being searched. However, if police apply for and obtain a covert search warrant or obtain a (recently created) digital evidence access order, you can be searched, have your data accessed or have spyware planted on your computer, all without your knowledge.
Section 47(3) of the LEPRA states that NSW Police can apply for a covert warrant if they:
- suspect on reasonable grounds that there is, or within 10 days will be, in or on the premises a thing of a kind connected with a searchable offence in relation to the warrant, and
- consider that it is necessary for the entry and search of those premises to be conducted without the knowledge of any occupier of the premises.
A “searchable offence” for a covert warrant includes a “serious offence” encompassing child exploitation material (“child pornography”) offences, hacking offences, illicit drug supply and manufacture offences and other indictable offences punishable by imprisonment for a period of 7 years or more.
A digital evidence access order allows police to undertake an array of spying and hacking activities without having to notify you. Section 76AA of the LEPRA states that a digital evidence access order may be issued in relation to any search or crime scene warrant, as well as several other pieces of legislation. Similar search powers also exist for the Australian Federal Police.
A range of laws make it easy for law enforcement and other agencies to access your private data
A number of recent law reforms have expanded the range of data that can be discovered following the execution of a search warrant. These include:
- Metadata retention laws requiring telecommunications companies and internet service providers to retain “metadata” on consumers for a minimum of two years, and release that information to a range of law enforcement and other agencies without them even having to obtain a warrant. These laws were marketed by the government as necessary to catch terrorists. However, as we foreshadowed even before they came into effect, the laws have been used for a range of other purposes – including by local councils in an attempt to catch those who unlawfully dump rubbish, by police to identify cadets who were sleeping with one another or faking sick days, by the taxation office to identify alleged tax avoiders, and even to identify and persecute whistleblowers and journalists.
- Data access orders compelling individuals to give access to computer networks and other devices.
- Data disruption warrants which allow police to add, copy or delete data to stop or inhibit crimes.
- Network activity warrants and account takeover warrants which give police access to devices and networks belonging to suspected criminals, as well as the capacity to take over online accounts to gather evidence.
- International data sharing arrangements allowing access to data found through searches conducted overseas.
Given extensive police powers to surveil, hack and monitor computer networks, it’s fair to say that there isn’t a definitive way to ensure complete anonymity whilst online.
What about VPNs?
Virtual Private Network (VPN) technology is often sold as a means to conceal one’s internet activity and location, by establishing a secure, encrypted connection to a private network.
When you use a VPN, your online traffic is routed through a VPN server before it reaches the Internet. This means that your online activities are shielded from your Internet Service Provider and other third-party entities, such as websites and advertisers, which makes it more difficult for them to track your online activities or intercept your data.
However, VPNs are not a foolproof mechanism to evade the eyes of law enforcement. Depending on the VPN, there may still be logs of user activity retained by the company or data sharing arrangements with third parties, including government agencies.
Police can obtain a warrant to search or access data stored on VPN servers just like any other private company. Depending on the location of the VPN, the company may be compelled to comply with any data sharing requests issued.
Even if communications on a VPN are fully encrypted, there may still be data logged by VPN companies or Internet Service Providers that can ultimately indicate recent internet activity.
Ultimately, there is no bulletproof way to “privately browse” the internet.