Incognito Detection
Incognito detection is the identification of visitors browsing in a private or incognito window, inferred from the behavior of storage APIs and other browser characteristics that differ in private mode. It reveals when a user has disabled the persistent state that fraud controls often rely on.
How Incognito Detection works
Private browsing modes change how a browser behaves in observable ways, and detection keys on those differences. Historically, storage APIs such as IndexedDB, the FileSystem API, and quota limits behaved differently or were restricted in private windows, and probing them revealed the mode. Browsers continually adjust these behaviors to close such gaps, so detection techniques evolve alongside them.
The detection runs entirely from within the page using standard web APIs, without any special permission, by observing responses to specific storage and capability checks. Because vendors treat private-mode detection as something to frustrate, reliable detection requires keeping pace with each browser's implementation rather than relying on a single fixed trick.
Crucially, detecting incognito is separate from identifying the visitor. Even in private mode, device fingerprinting still produces a visitor identifier because it draws on device characteristics rather than stored state, so the same visitor can be recognized and flagged as being in private mode at the same time.
Why Incognito Detection matters for fraud prevention
Incognito mode is frequently used to evade controls that depend on cookies and local storage: claiming a promotion again, creating extra accounts, or circumventing metered paywalls all become easier when stored state is wiped each session. Detecting private browsing is a useful signal because a legitimate user rarely needs it for these actions, so its presence in an abuse-prone flow raises the appropriate suspicion, especially when paired with a device identifier that private mode cannot reset.
How TRACIO handles it
TRACIO exposes incognito detection as one of its Smart Signals, and pairs it with an identification approach designed to keep working in private mode. Because the visitor ID is derived from device signals rather than stored cookies, a user cannot escape recognition simply by opening a private window, and the incognito flag tells teams when that evasion is being attempted.
Related terms
Frequently asked questions
Identify every device with confidence
Start with a free plan of 2,500 API calls per month. No credit card required.