In this paper, we investigate why users of private browsing mode misunderstand the benefits and limitations of private browsing. We design and conduct a three-part study: (1) an analytic evaluation of the user interface of private mode in different browsers; (2) a qualitative user study to explore user mental models of private browsing; (3) a participatory design study to investigate why existing browser disclosures, the in- browser explanations of private mode, do not communicate the actual protection of private mode.
We find the user interface of private mode in different browsers violated well-established design guidelines and heuristics. Fur- ther, most participants had incorrect mental models of private browsing, influencing their understanding and usage of private mode. We also find existing browser disclosures did not ex- plain the primary security goal of private mode. Drawing from the results of our study, we extract a set of recommendations to improve the design of disclosures.