Most people open an incognito tab with a reasonable sense of relief. The little spy icon appears, the screen dims slightly, and there’s a quiet reassurance that what happens here stays here. That feeling is almost entirely wrong.
Incognito mode and private browsing are features that allow you to surf the web without saving a record of your search history, cookies, or other temporary data on your device, making your session invisible to others who may use your device later. That part is real. The rest, however, is where the illusion begins. Research shows that roughly half of all incognito users rely on private browsing to protect themselves from websites they visit, which is not something the feature was ever designed to do.
What Incognito Mode Actually Does (And Does Not Do)
The gap between expectation and reality here is genuinely striking. According to Google’s own Chrome Help documentation, incognito mode “provides local privacy on your device,” meaning browsing data is not stored on your computer. However, it “does not affect how Google collects data when you use other products and services,” meaning your data is still collected.
All the data is still visible to the outside world, since incognito mode doesn’t hide your IP address, encrypt your internet traffic, or stop websites, ISPs, and network administrators from tracking your activity. It’s a tool for keeping your browsing off your device’s local storage, nothing more. Chrome’s incognito disclaimer was even quietly updated from “browse privately” to “browse more privately,” a small but legally meaningful change.
Entity #1: Google Itself
Chrome’s incognito mode only provides privacy in the client by not keeping a locally stored record of the user’s browsing history. It does not shield website visits from Google. This distinction is critical. Going incognito in Chrome is not the same as going invisible to the company that built the browser.
For years, Google simply informed users that “you’ve gone Incognito” and “now you can browse privately,” without disclosing what bits of data the company had been harvesting. According to a 2020 class-action lawsuit, the tech giant continued to scrape searches by hoovering up data about users who browsed in incognito mode through advertising tools used by websites. Google then used this data to measure web traffic and sell ads.
Websites you visit, including Google sites, and organizations that manage your network, may be able to observe your activity in incognito. Websites that use Google services also share information about your activity with Google, including for advertising purposes. That’s a direct acknowledgement, written into Chrome’s own support documentation.
The $5 Billion Lawsuit That Changed the Conversation
Google said it would delete millions of records of users’ browsing activities as part of a settlement of a class-action lawsuit that alleged it tracked people without their knowledge. The case, filed in 2020, alleged the company surreptitiously collected data from people using Chrome in a private browsing mode. While that function lets users turn off data collection in the browser, other Google tools used by websites, such as advertising technology, scoop up their data anyway.
As part of the settlement, Google must delete “billions of data records” that reflect the private browsing activities of users in the class action suit, according to court documents filed in San Francisco federal court. The class of affected people was estimated to number around 136 million.
The company did not pay monetary damages to consumers but was required to update the incognito landing screen and privacy policy to clarify that Google and other websites can still collect data during private sessions. The internal candor was more striking than the legal outcome. Google employees themselves described Chrome’s Incognito Mode as “misleading,” “effectively a lie,” a “confusing mess,” and a “problem of professional ethics and basic honesty.”
Entity #2: Your Internet Service Provider
Your Internet Service Provider can still see your online activity, including the websites you visit, even in incognito mode. While incognito mode prevents websites from storing cookies or site data locally on your device, they can still track your IP address and other information to identify and monitor your activity.
Your ISP acts as the gateway to the internet. It logs every IP address you connect to, regardless of your browser settings. These logs often persist for several months to comply with data retention laws. In practical terms, every site you visit in incognito mode still passes through your ISP’s infrastructure, fully visible.
In the United States, ISPs can legally sell this browsing data to advertisers. Incognito mode changes nothing about this reality. For actual protection from ISP surveillance, a VPN that encrypts your traffic is required. This is one of the most overlooked facts about private browsing, even among technically informed users.
Entity #3: Your Employer or School Network Administrator
While using private or incognito browsing can prevent your browser from saving your history on your device, it does NOT prevent your employer from tracking your browsing history if you’re using their devices or network. Monitoring tools used by employers can log your activity regardless of the mode or browser settings.
On a corporate network, privacy is even more limited. IT departments use sophisticated firewalls and DNS logs to track traffic. If you’re using a company-owned device or office Wi-Fi, your activity is fully transparent to your employer. Systems often flag specific keywords or restricted domains in real time, making private browsing modes irrelevant for avoiding workplace monitoring.
A 2023 survey by Spiceworks found that 76% of organizations monitor employee internet usage. Some employee monitoring software even records internet activity when a user is browsing in incognito or private mode, or clears their web browser history. The incognito window simply does not interact with network-level surveillance in any meaningful way.
Entity #4: The Websites You Visit
Websites may use techniques like device fingerprinting to identify and track your device, regardless of whether you’re using incognito mode. Search engines may still track your searches, although they won’t be saved in your browsing history. Your searches may still be used to personalize search results and ads, even in incognito mode.
Fingerprinting is particularly hard to avoid because it doesn’t rely on cookies at all. Instead of relying on cookies, fingerprinting collects data like browser type, operating system, screen resolution, installed plugins, and other system details to create a unique profile. According to the Electronic Frontier Foundation, roughly 83.6% of browsers have a unique fingerprint that can be used to track users across the web, even when they think they’re anonymous.
Simple privacy measures like incognito mode, clearing cookies, or using a VPN are completely ineffective against modern fingerprinting techniques. Websites can identify you through Canvas rendering, WebGL capabilities, audio processing, installed fonts, and dozens of other parameters that these basic tools can’t address. Incognito mode has no mechanism to prevent any of this.
The Misconception Gap Is Enormous
According to the University of Chicago, roughly seven in ten users overestimate incognito’s protections, falsely believing it anonymizes them against ISPs and employers. That’s a majority of users operating with a fundamentally incorrect model of how private browsing actually works.
A 2024 industry report indicated that nearly 40 percent of users believe private mode hides their physical location from websites, which is factually incorrect. Location is tied to your IP address, and incognito mode does nothing to encrypt your traffic. Any data you send to websites remains visible to eavesdroppers, for example on public Wi-Fi networks, unless you use HTTPS or a VPN for end-to-end encryption.
What Incognito Mode Is Actually Good For
None of this means private browsing is useless. It genuinely serves its intended purpose well. Incognito mode offers practical benefits beyond privacy, including managing multiple accounts, bypassing paywalls, and safeguarding sensitive information.
Only roughly 42% of incognito users actually use it for its primary design purpose: preventing traces from being saved on the local device. That’s the use case it was built for, and it works. Shared computers, surprise gift shopping, or keeping a work browser clean are all entirely valid reasons to go incognito.
The problem isn’t the tool. It’s the misplaced confidence it inspires. Incognito mode is a useful tool for maintaining local privacy while browsing, but it is often mistaken for a security solution. While it does prevent certain data from being stored on your device, it doesn’t provide full anonymity or encryption.
How the Browser Landscape Is Slowly Responding
In the latest Chrome 142 Canary build, Google is testing an experimental feature that blocks websites from reading pixel data via the Canvas API in incognito mode, preventing user identification. Once enabled, the browser rejects such read requests and returns an error, effectively cutting off canvas fingerprint collection at the source. Although subtle, this change directly targets one of the most common browser fingerprinting techniques.
Other browsers are taking bolder steps. Edge and Safari block known fingerprinters based on block lists, and Firefox is working on a behavioral blocking system that alerts you if a site tries to perform actions that look like fingerprinting, for example, trying to extract your hardware specs using the HTML Canvas feature. Brave has adopted fingerprint randomization. Rather than blending all users into identical profiles, it prevents the creation of consistent tracking identifiers.
What Actually Protects You
An incognito session may be enough if you only want to hide your browsing data from others on the same device. But if your priority is comprehensive, day-to-day protection, including against ISPs, data brokers, and advanced trackers, then a fully private browser with a VPN is the way to go.
With a court order, authorities can request ISP logs that reveal a user’s full browsing activity, even in private mode. That’s worth sitting with for a moment. Incognito mode offers no protection against law enforcement with legal authority. True anonymity requires more advanced tools like a VPN combined with a Tor browser.
Effective privacy requires layered controls: privacy-focused browsers, encrypted DNS, VPNs, and careful authentication practices. No single tool does it all. That complexity is real, and anyone who tells you otherwise is selling something.
Conclusion: The Icon Is Not a Shield
The spy-in-a-hat icon is one of the more quietly misleading design choices in mainstream software. It signals secrecy while delivering something closer to tidiness. Google settled its incognito lawsuit in late 2023, agreeing to delete or anonymize billions of user records gathered during incognito sessions. The company did not pay monetary damages but was required to update its incognito landing screen and privacy policy to clarify that Google and other websites can still collect data during private sessions.
The four entities that see through incognito every single time, Google, your ISP, your employer or network administrator, and the websites you visit, aren’t doing anything hidden or unusual. They’re operating exactly as the internet’s infrastructure was designed to work. Incognito mode simply was never built to stop them.
Privacy online is achievable, but it takes deliberate tools, not a darkened browser window. The first step is knowing exactly what that window actually does.