Incognito mode myths: what private browsing actually hides (and what it doesn't)

Incognito mode is the single most misunderstood feature in modern browsers. Surveys repeatedly find that most people believe it hides their IP address or makes them anonymous to the websites they visit. It does neither. This article explains exactly what private browsing does, what it leaves wide open, how the different browsers differ, and when reaching for it is genuinely the right tool.

What incognito mode actually does

Private browsing is a local privacy feature. Its job is to stop your own device from keeping a record of the session. When you close the last private window, the browser discards the data it accumulated during that session. Concretely, in a private window the browser does not persist:

  • Browsing history. Visited URLs are not written to your history database.
  • Cookies and site data. Cookies, local storage, and IndexedDB created during the session are held in memory and wiped on close, so you start logged out and end logged out.
  • Form and search autofill. Text you type into forms and the address bar is not saved for later autocomplete.
  • Cached files. Downloaded page resources are not kept after the session.

Files you deliberately download and bookmarks you create are kept, because those are explicit actions. Everything else is meant to vanish. That is the whole feature. It is essentially a clean, temporary profile that throws itself away.

It is worth being precise about when the cleanup happens. The data is discarded only when you close the last private window, not each tab. If you leave a private window open for days, the cookies and history it accumulated persist in memory the whole time, and any site you logged into stays logged in. Open a second private window and it shares the same temporary session, so the two are not isolated from each other. Browser extensions, if you allow them to run in private mode, also see your activity normally, which means an extension that logs or transmits data is just as active in incognito as anywhere else.

What incognito mode does not do

This is where the myths live. Private browsing changes nothing about how your traffic travels across the network or how you appear to the sites you visit.

Your ISP, employer, and network still see everything

Private browsing does not encrypt or reroute your traffic. The DNS lookups and connections your device makes are identical to a normal session. That means:

  • Your internet service provider still sees which domains you connect to and can log them.
  • Your employer or school, if you are on their network or managed device, still sees and can log your activity through their gateway, proxy, or monitoring agent. Incognito offers zero protection from workplace monitoring, despite being the place people most often hope it helps.
  • The Wi-Fi operator at a cafe or airport sees the same metadata it always would.

Your IP address is unchanged

Every site you visit in incognito receives your real public IP address, exactly as in a normal window. From that IP a website knows your approximate location and ISP. Private browsing has no relationship to your IP whatsoever. If you want to change how the network sees you, that is the job of a VPN or Tor, not incognito.

The same applies to several other identity signals people assume incognito resets. Your DNS lookups still go to the same resolver and are still visible to whoever controls it. If your browser has WebRTC enabled, a site can still probe your local and public IP addresses through it in a private window exactly as in a normal one. And any account you are already signed into through a different mechanism, such as a single sign-on session a corporate site recognises, can still tie the private session back to you. Incognito resets the cookie jar and the local history; it resets nothing about the network path your traffic takes.

Your fingerprint is unchanged

This is the most important and least understood point. A private window uses the same browser build, the same screen resolution, the same fonts, the same graphics hardware, the same time zone, and the same language settings as your normal browser. So the device fingerprint a site can compute from those properties is essentially identical in incognito and out of it. A tracking script that fingerprints you can recognise the same device across both modes. Incognito clears the cookie jar; it does not change the device.

This is exactly why privacyscore.dev typically returns a very similar score whether you run it in a normal window or a private one. The score is driven largely by fingerprinting surface and network exposure, and private browsing barely touches either. If you expected incognito to dramatically improve your result, the unchanged score is the clearest possible demonstration of what the feature really is.

Consider what a fingerprint is actually built from: the exact browser version, the operating system, the rendering of a hidden canvas element by your specific graphics driver, the list of installed fonts, the screen and window dimensions, the time zone, the preferred languages, and the way your audio stack processes a test tone. Not one of those values is altered by opening a private window. The same hardware and the same software produce the same fingerprint. A tracking company that recorded your fingerprint last week recognises the identical device this week whether or not you are in incognito, and it can do so without ever setting a cookie, which is precisely the kind of cookieless identification that private mode does nothing to prevent.

You are not anonymous to the websites

Within a single private session, cookies still work normally. If you log into an account, the site knows exactly who you are for the rest of that session. Logged-in services, browser fingerprinting, and IP-based correlation all still identify you. Private browsing only prevents persistence between sessions on your own machine; it does not make you a stranger to the sites themselves.

How the browsers differ

The baseline behaviour above is common to all of them, but the details vary.

  • Chrome (Incognito): the minimal version. It discards local session data and nothing more. It does not add tracking protection beyond Chrome's standard settings, and your IP and fingerprint are untouched. Chrome now shows a clearer disclaimer after legal pressure made the old wording misleading.
  • Firefox (Private Window): does the local cleanup and additionally enables stronger Enhanced Tracking Protection by default, blocking many known third-party trackers and cookies during the session. That makes Firefox private windows genuinely more protective against cross-site tracking than Chrome's, though still not against your ISP or your IP exposure.
  • Safari (Private Browsing): does the local cleanup and layers on Intelligent Tracking Prevention, isolates each tab's state, and on recent versions adds link-tracking parameter stripping and some fingerprinting mitigations. Stronger than Chrome, but the network and IP caveats still apply.
  • Brave (Private Window, and Private Window with Tor): a standard Brave private window does the local cleanup plus Brave's aggressive ad and tracker blocking. Brave also offers a Private Window with Tor, which is different in kind: it routes that window's traffic through the Tor network, so it does hide your IP from the destination site. That is the one private-mode variant that actually addresses the network and IP gap, because it is not really "just incognito" at all.

When incognito is genuinely useful

Used for what it is, private browsing is a fine tool:

  • Shared or borrowed computers. Logging into your email on a hotel or library machine, then closing the window so nothing persists, is exactly the right use.
  • Logged-out testing. Web developers and shoppers use it to see a site as a fresh visitor, with no cookies and no login.
  • A second simultaneous account. Because the cookie jar is separate, you can be signed into one account normally and another in incognito at the same time.
  • Avoiding personalised pricing or search bubbles, partially. With no prior cookies, some personalisation is reduced, though IP and fingerprint still allow a fair amount of it.

When it gives false confidence

The danger is using incognito for jobs it cannot do:

  • Hiding activity from an employer or network administrator. It does not.
  • Hiding browsing from your ISP or from legal requests to the ISP. It does not.
  • Becoming anonymous to a website or to advertisers that fingerprint. It does not.
  • Protecting against malware or a compromised device. A keylogger or managed-device agent sees everything regardless of window type.

The mental model to keep

Think of incognito as a notepad you shred at the end of a meeting. Nothing you wrote survives on your desk, which is genuinely useful. But everyone in the room still saw you, still knows who you are, and still saw which door you walked in through. The shredding is local cleanup. Your identity, your location, and your appearance to others are entirely unaffected.

If your goal is to change what the network and websites can see and recognise, you need the layers that actually operate there: tracker blocking, fingerprinting resistance, encrypted DNS, and IP-level protection. Run privacyscore.dev in a normal window and a private one and compare; the near-identical scores tell you, more honestly than any disclaimer, where private browsing's protection begins and ends.