The issue I've described is about local eavesdropping, not only remote accounts.
It was a surprise to open an new Incognito window and find it had access to sessions active in a different window.
That defeats one of the expected use-cases of Incognito mode locally, which is when someone asks if they can borrow your computer to access their account. For example I've done this a few times in a library or hackerspace for someone I didn't know well. You open an Incognito window for them, and both you and they think it's safe for them to access their Facebook and Gmail or whatever, and then close the window. They think you can't browse their accounts after, and you think they can't browse your accounts if they stick to that window. Both turn out to be unexpectedly false - unless you know to kill all your existing Incognito windows first. Which you wouldn't do if you need to use them later, unless you know you have to close all the other windows first.
As for local vs remote tracking. Incognito documentation does not say local eavesdropping is the only feature. It talks about holding a separate session for "cookies and site data" and that those are deleted when the session is closed; and about restrictions on third-party cookies. From Chrome help:
> "Cookies and site data are remembered while you're browsing, but deleted when you exit Incognito mode. You can choose to block third-party cookies when you open a new incognito window."
Like anyone technically aware of how the web works, I don't expect this feature to prevent tracking in general, or to truly hide my identity. But I do expect a cookie session container, which Incognito mode does advertise, to allow me to login to separate accounts without ending up logged into an account unexpectedly.
The issue is not that tracking takes place. It's that the scope and duration of a session was surprising in a way I didn't expect from the UX, and it's not the most useful in situations such as the "make a window for a guest" situation described above. Getting this wrong also adds a security risk to those of us tasked with protecting other people's data via browser tools. I posted about it here because I think the behaviour will be a surprise to other people too; it should at least be more well known.
Incognito was meant to protect sessions closed out. You're inventing a use case not sold and being upset that it doesn't work as if that is somehow their fault.
I would expect the opposite behavior as you describe.
It was a surprise to open an new Incognito window and find it had access to sessions active in a different window.
That defeats one of the expected use-cases of Incognito mode locally, which is when someone asks if they can borrow your computer to access their account. For example I've done this a few times in a library or hackerspace for someone I didn't know well. You open an Incognito window for them, and both you and they think it's safe for them to access their Facebook and Gmail or whatever, and then close the window. They think you can't browse their accounts after, and you think they can't browse your accounts if they stick to that window. Both turn out to be unexpectedly false - unless you know to kill all your existing Incognito windows first. Which you wouldn't do if you need to use them later, unless you know you have to close all the other windows first.
As for local vs remote tracking. Incognito documentation does not say local eavesdropping is the only feature. It talks about holding a separate session for "cookies and site data" and that those are deleted when the session is closed; and about restrictions on third-party cookies. From Chrome help:
> "Cookies and site data are remembered while you're browsing, but deleted when you exit Incognito mode. You can choose to block third-party cookies when you open a new incognito window."
Like anyone technically aware of how the web works, I don't expect this feature to prevent tracking in general, or to truly hide my identity. But I do expect a cookie session container, which Incognito mode does advertise, to allow me to login to separate accounts without ending up logged into an account unexpectedly.
The issue is not that tracking takes place. It's that the scope and duration of a session was surprising in a way I didn't expect from the UX, and it's not the most useful in situations such as the "make a window for a guest" situation described above. Getting this wrong also adds a security risk to those of us tasked with protecting other people's data via browser tools. I posted about it here because I think the behaviour will be a surprise to other people too; it should at least be more well known.