Private browsing mode has a branding problem. People see the word “private” and assume it means something it doesn’t. Your ISP still sees every domain you request. Your employer’s network admin sees the traffic. Incognito just keeps your spouse from finding your search history on a shared laptop. That’s basically it.
The actual privacy gaps in browsers are way less obvious, and most people have never heard of them.
WebRTC Leaks Your Real IP (Even on a VPN)
I spent $12 a month on a VPN for almost a year before I learned about WebRTC leaks. Felt pretty dumb when I found out my real IP address had been visible the whole time on certain sites.
WebRTC is the technology that lets you do video calls in your browser. Zoom, Google Meet, Discord in a browser tab. It works by establishing direct peer-to-peer connections, and for that to happen, browsers need to share IP addresses. The problem is they share your real one, not your VPN’s. Sites can pull this information with basic JavaScript and you get zero notification. This vulnerability has been public knowledge since 2015 or so, and security folks have been complaining about it ever since. A decade later, Chrome still ships with WebRTC fully enabled by default.
You can run a browser leak test to see if your setup is affected. Most VPN users who run the test get an unpleasant surprise.
The fix in Firefox is straightforward but buried: go to about:config, search for media.peerconnection.enabled, set it to false. Chrome doesn’t give you that option natively. You need an extension like WebRTC Leak Prevent, which adds another piece of software you have to trust.
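To confirm that a change like the ones above took effect, this added example (not from the original article) classifies the ICE candidates your own browser exposes and flags any public address other than your VPN's exit IP. The STUN URL and the VPN exit IP are inputs you supply, and the sample candidate lines are constructed from documentation address ranges.

```javascript
// Added example: audit the ICE candidates your own browser hands to a page.
// Candidate field order (RFC 8839): foundation component transport priority
// address port "typ" type [...]
function isPrivate(addr) {
  const a = addr.toLowerCase();
  if (a.includes(':')) {                      // IPv6: loopback, ULA, link-local
    return a === '::1' || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const [o1, o2] = a.split('.').map(Number);  // IPv4: RFC 1918, loopback, link-local
  return o1 === 10 || o1 === 127 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
         (o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254);
}

function classifyCandidate(line) {
  const f = line.replace(/^(a=)?candidate:/, '').trim().split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;   // not a candidate line
  const address = f[4];
  const scope = address.endsWith('.local') ? 'mdns'  // browser-obfuscated host address
              : isPrivate(address) ? 'private' : 'public';
  return { address, type: f[7], scope };
}

// vpnExitIp: the address a "what is my IP" page shows while the VPN is up.
function leakReport(lines, vpnExitIp) {
  const seen = lines.map(classifyCandidate).filter(Boolean);
  const pick = scope => [...new Set(seen.filter(c => c.scope === scope).map(c => c.address))];
  return { leakedPublic: pick('public').filter(ip => ip !== vpnExitIp), exposedLan: pick('private') };
}

// Browser-only: collect candidates in your own devtools console.
// Returns null when WebRTC is unavailable (e.g. media.peerconnection.enabled = false).
async function gatherCandidates(stunUrl, timeoutMs = 3000) {
  if (typeof RTCPeerConnection === 'undefined') return null;
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.createDataChannel('probe');               // forces ICE gathering to start
  const done = new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
    setTimeout(resolve, timeoutMs);
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}

// Constructed sample (documentation address ranges), not captured traffic.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:842163049 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:2 1 udp 2122260223 3f1c9a52-8b7e-4d2a-9c11-5e6f7a8b9c0d.local 54322 typ host',
  'candidate:3 1 udp 1677729535 198.51.100.9 40000 typ srflx raddr 0.0.0.0 rport 0',
];
```

A null result from gatherCandidates means WebRTC is off; an empty leakedPublic list with the VPN connected means no address other than the VPN exit was offered.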
Browser Fingerprinting
Cookies get all the attention. GDPR made cookie banners mandatory, so now everyone clicks through consent popups and assumes they’ve handled the tracking problem.
Fingerprinting is different. It doesn’t store anything on your computer. Instead, websites collect data points about your browser configuration: what fonts you have installed, your screen resolution, your timezone, your graphics card, how your browser renders a canvas element. Individually none of this identifies you. But stack 30 or 40 data points together and the combination is often unique.
Research published by the Electronic Frontier Foundation (EFF) found that 83.6% of browsers tested had a unique fingerprint. Not “somewhat identifiable.” Unique. And you can’t clear a fingerprint like you clear cookies. It regenerates every time you load a page.
Chrome has roughly 65% of the browser market, and Google has done almost nothing to address fingerprinting. Firefox added some protections in Enhanced Tracking Protection. Brave randomizes fingerprint values, which is probably the best defense available. Most users don’t know fingerprinting exists.
DNS Tells Your ISP Everything
Here’s one that’s easy to overlook. When you type a URL, your browser sends a DNS request to convert that domain name to an IP address. By default, that request goes to your internet provider’s servers. Unencrypted.
So your ISP has a log of every website you visit. Doesn’t matter if the site itself uses HTTPS. The DNS lookup happened before you even connected, and they saw it. They can sell that data, use it for targeted advertising, and hand it over to law enforcement.
The Wikipedia entry on DNS over HTTPS has technical details if you want them. The short version: encrypted DNS exists, Firefox enabled it by default for US users back in 2020, and Chrome makes you configure it manually. Switching to Cloudflare (1.1.1.1) or Quad9 helps, but the setup process is different depending on your OS.
Third-Party Cookies Still Exist
Google announced they were killing third-party cookies in Chrome back in January 2020. They set a deadline, missed it, set another one, missed that too. The Guardian reported in 2024 that Google scrapped the whole initiative. Third-party cookies are staying.
This matters because third-party cookies are how ad networks track you across websites. You look at a product on one site, see ads for it everywhere else. Meta, Google, and dozens of smaller ad tech companies embed tracking pixels across millions of sites. They build profiles covering your health searches, shopping habits, political reading, financial interests.
Safari blocks third-party cookies by default. Firefox does too. Chrome, which makes Google most of its money through advertising, doesn’t. Users can flip the setting manually but the default favors tracking.
What You Can Do About It
Browser defaults favor advertisers over users. Privacy requires opting in rather than opting out.
Test your browser for leaks periodically. Switch to Firefox or Brave if Chrome’s defaults bother you. Turn on encrypted DNS. Disable WebRTC if you don’t need it. These aren’t complicated steps, but browsers aren’t going to do them for you.

