I’m a bit surprised Chrome developers went the route of an in memory filesystem instead of trying to sandbox and clear real disk access. Silently using up to 120MB without realizing sounds pretty bad.
I wonder if the privacy threat model includes being able to prove that you used incognito mode at all, when, or how much. I can imagine all sorts of leaks in that regard (how many incognito disk files were created, size/ctime/mtime, system logging, indexes etc). None of these would require physical access to the machine at the time of incognito browsing, just subsequently.
Might seem like an incidental concern, but being able to vacuum up a pattern of incognito sessions from a seized laptop (at a border crossing, say) and correlate it with the activity of an online pseudonym could be pretty useful.
> "You can't allow for bytes to sit around on disk in case of crash."
Just check periodically (at startup?) for orphaned temporary storage data. I'm sure there are other parts of the browser that need to do this sort of thing anyway - expired cache data, for example.
Why not just use a temporary file system like /tmp?
EDIT: I suppose these are often backed by memory anyway, so not sure if this would solve the problem, but interested in hearing arguments around it nonetheless.
The point of incognito was never to hide that fact from the sites you're visiting. The point was to not leave a trace on the machine you're doing it from. Basically, it's for porn, not news.
Yeah, it's weird to do this strategic about turn on it. It feels very much like the personal grievance of someone on the Chrome team rather than a thought through feature.
If it were actually the case that these detection methods were not known when they shipped the in-memory storage solution.. I would find that incredible.
Maybe they could encrypt with a key kept in memory? That'd still allow detection of use though.