
Google plans to roll out its new IP Protection feature for Incognito mode users in July 2025 as part of its Privacy Sandbox — and businesses relying heavily on traditional IP-based fraud detection and cybersecurity measures need to prepare now for a major shift in how they identify their website visitors.
In this article, I’ll give a high-level overview of how IP Protection works; the ripple effects on tracking, fraud detection, and cybersecurity as a whole; how it compares to other IP masking tools like VPNs, Apple’s Private Relay, and Tor; and how businesses can adapt to a new, more privacy-forward world.
What is Google’s IP Protection?
Google claims that IP Protection will enhance user privacy and limit cross-site tracking. It will do this by hiding users’ IP addresses from third-party requests that come from sites on its Masked Domain List (MDL), but only when users are browsing in Incognito mode.
Here’s a brief overview of how it will work:
- Two-hop system: When users browse in Incognito mode, Chrome routes third-party requests through two separate proxy servers. The first is operated by Google, which knows a user’s IP address but not the destination. The second is run by a third party (like a CDN), which sees the site being visited but not the user’s real IP address.
- End-to-end encryption: Encrypted tunnels are used between Chrome and both proxies. A web request is encrypted all the way to the final destination, meaning neither proxy can inspect its contents.
- Blinded authentication: Chrome uses RSA blind signatures to authenticate users to the proxy while providing only the information needed for the proxy's basic operation, so that a user’s identity and browsing behavior remain concealed.
- Coarse geolocation: For instances where there’s a legitimate reason to know a user’s IP, such as content localization or to comply with local regulations, the exit proxy will use a regional IP that allows sites to approximate a user’s location without knowing exactly where they are.
IP Protection will initially be rolled out in only a few specific regions. It will also be limited to Chrome’s Incognito mode, and users can manually disable the feature if they wish.
Impact on tracking and browser fingerprinting
Historically, IP addresses and cookies have been used to identify and track users as they browse the internet. Over the past few years, however, the use of third-party cookies has decreased as privacy regulations have become more stringent and users have become more savvy about protecting their privacy. So businesses turned to other options to identify their users, namely IP addresses, because even dynamic IPs can persist long enough to be considered a stable identifier.
IP Protection breaks this linkability because multiple users will share the same proxy IP. For example, with IP Protection activated, a tracker embedded on multiple sites will no longer be able to stitch together a user profile based purely on the IP. Browser fingerprinting techniques that rely heavily on IP as a strong signal will also take a hit, since the address they see belongs to the proxy rather than to the user.
How does IP Protection compare to Apple’s Private Relay, VPNs & Tor?
Using tools to conceal IP addresses isn’t anything new. Before IP Protection, there were Apple’s iCloud Private Relay, VPNs, and Tor. And while these options look similar at first glance because they all aim to hide a user’s IP address, they differ in scope and intent.
Apple’s iCloud Private Relay
Private Relay is the closest to IP Protection when it comes to architecture in that it also uses a two-hop system. Some key differences are that Private Relay is limited to Safari on Apple devices, can be used for all browsing sessions (not just incognito), and requires a paid iCloud+ subscription.
IP Protection, on the other hand, will be free and integrated into Chrome.
VPNs
VPNs have been around since the 1990s, and typically can be detected as traffic from data center IPs or known VPN nodes. VPNs encrypt and reroute all user traffic through a single server, hiding the IP from both websites and ISPs. Users can choose their location in order to gain access to region-restricted content, get better pricing, or simply mask their IPs for privacy.
Tor
The Tor browser is the ultimate privacy browser that masks a user’s IP by routing internet traffic through three or more random relay nodes in the Tor network. It encrypts data multiple times and peels off each encryption layer at each relay node, with the final decryption happening at the exit node. This provides extreme anonymity and resistance to tracking and censorship. The downsides are that it’s often slow and many websites block Tor traffic, so despite its strong focus on privacy, the browser hasn’t gained popularity with the masses.
Business impacts: What does this mean for security & fraud detection?
Compared to Apple’s Private Relay, which makes up only a small percentage of traffic since it requires a paid iCloud+ subscription, IP Protection has the potential to become the largest source of anonymized IP traffic and drive a tectonic shift for the industry for two reasons:
- It’s free to all Chrome users, and
- Chrome has ~65% of the global browser market share.
IP Protection will likely be welcomed by the majority of Chrome users because it means it’ll be much harder to track their browsing activity. On the other hand, risk and fraud teams will lose a signal they’ve long relied on to identify and differentiate legitimate users from malicious actors and bots.
For example, IP Protection’s two-hop proxy setup can mask the IPs of legitimate users. The flip side of it is that bad actors can also use it to mask their IPs. Tools that rely on known-bad IPs or IP behavior anomalies may lose effectiveness when attackers all appear to be coming from the same pool of IP addresses that Google is proxying requests through.
Additionally, many services use IP-based rules to detect suspicious logins. IP Protection could make it harder to spot unusual behavior or flag brute force attacks, especially if many users appear behind the same proxy.
To pre-emptively address some of these concerns, Google will require users to authenticate their accounts by logging in first while in Incognito mode. Users can then open another Incognito window, which is when IP Protection will kick in. In other words, no Google account authentication = no IP Protection.
How businesses can adapt in a new, privacy-forward online world
As using IP addresses to identify website visitors becomes less reliable, businesses need to find other solutions that don’t rely purely on IPs.
Other strategies to consider:
- Using a variety of device and browser fingerprinting techniques that collect and analyze signals exposed by browsers, along with hardware characteristics that are collected by advanced device intelligence solutions (such as Fingerprint) — all while respecting user anonymity and privacy.
- Investing in first-party data by building trusted user relationships. Encourage users to create accounts by offering benefits like easier future logins, personalized recommendations, or saved preferences.
- Strengthening authentication by implementing multi-factor authentication (MFA). To avoid causing unnecessary login friction, businesses can require MFA only when needed by using a device intelligence solution like Fingerprint, which assigns every user a unique visitor ID that persists for months or even years. Using this approach, previously authenticated, trusted users can easily log in without having to re-authenticate, reducing frustration.
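The effect on IP-based login rules described earlier, and the benefit of keying on a non-IP identifier as suggested in the list above, shown as an added example that is not Fingerprint's code. The events are constructed, and `device` stands in for whatever first-party or device-level identifier a site has (an assumption); the threshold of 5 failures is arbitrary.

```python
from collections import Counter

PROXY_IP = "203.0.113.10"  # constructed shared egress address (documentation range)
FIELD = {"ip": 0, "device": 1, "account": 2}

def build_events():
    """Constructed login events as (ip, device, account, success) tuples."""
    events = []
    for i in range(6):  # six legitimate users: one typo each, then success
        events.append((PROXY_IP, f"dev-{i}", f"user{i}", False))
        events.append((PROXY_IP, f"dev-{i}", f"user{i}", True))
    for i in range(8):  # one automated client failing against many accounts
        events.append((PROXY_IP, "dev-bot", f"target{i}", False))
    return events

def flagged(events, key, threshold=5):
    """Values of `key` that accumulated at least `threshold` failed logins."""
    fails = Counter(e[FIELD[key]] for e in events if not e[3])
    return {value for value, n in fails.items() if n >= threshold}

def collateral(events, key, threshold=5):
    """Legitimate devices (everything except dev-bot) caught by the rule."""
    hit = flagged(events, key, threshold)
    return {e[1] for e in events if e[FIELD[key]] in hit and e[1] != "dev-bot"}

if __name__ == "__main__":
    events = build_events()
    for key in FIELD:
        print(key, "flagged:", sorted(flagged(events, key)),
              "| legitimate devices hit:", len(collateral(events, key)))
```

With every client behind one proxy address, the per-IP rule flags the shared address and catches all six legitimate devices, the per-account rule sees nothing because the failures are spread thin, and only the per-device rule isolates the automated client.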
IP Protection’s effect on Fingerprint’s accuracy
A few Fingerprint-owned domains have been included on Google’s Masked Domain List, which contains a list of domains where users’ IPs will be masked. However, these are all CDN domains, and inclusion in this list will not affect visitor identification accuracy, even in Incognito mode. Why?
Fingerprint domains on the MDL are CDNs, which only serve Fingerprint client-side libraries and don't play a role in identifying devices. Therefore, adding Fingerprint CDN domains to MDL does not affect accuracy. In the unlikely event Google adds Fingerprint API endpoints to the MDL, the accuracy will still be high because of the proxy integrations.
We’ve developed proxy integrations with Cloudflare, Fastly, AWS CloudFront, Azure, and Akamai so businesses can easily integrate their websites with Fingerprint. These proxies process script loading and visitor identification requests directly through a company’s site, providing enhanced visitor identification accuracy, increased first-party cookie longevity, and more. (Read more about our proxy integrations in our documentation.)
Key takeaways: The future of IP Protection
Google’s IP Protection is part of a broader privacy movement alongside third-party cookie deprecation, Apple’s Private Relay, and growing public awareness about the importance of protecting personal data.
Privacy at Google scale means businesses that rely on IPs should start looking into alternatives now because a privacy-first web is no longer a hypothetical — it’s fast becoming reality.
This article was originally published in the July 2025 edition of Cyber Defense Magazine.