Chrome incognito mode not so private: Google to settle in class-action lawsuit

[midian182]

What just happened? The fact that Chrome's incognito mode is pretty far from private is something most readers are aware of, but plenty of people think otherwise. That erroneous belief led to a class-action lawsuit in 2020, one that Google has said it is now ready to settle.

Florida resident William Byatt and California residents Chasom Brown and Maria Nguyen filed the lawsuit, writes Ars Technica. It accuses Google of violating wiretap laws and claims that sites using Google Analytics or Ad Manager collected information from browsers in incognito mode, including web page content, device data, and IP address. Google is also accused of taking Chrome users' private browsing data and associating it with existing user profiles.

Court documents from the case suggest that Google hasn't been in a hurry to correct misconceptions about Chrome's incognito mode. In 2018, one Google engineer said in a conversation "We need to stop calling it incognito and stop using a Spy Guy [the mascot with the hat and glasses] icon."

Elsewhere, a slide from a 2020 internal Google presentation stated that "Unless it is clearly disclosed that their activity may be trackable, receiving targeted ads or suggestions based on private mode [browsing] may erode trust." This slide cited a user survey on the incognito experience and suggested that Google was well aware of the feature's image among users.

A 2018 study showed 56.3% of respondents think incognito mode prevents Google from seeing their search history. Another 37 percent believe the privacy mode can prevent their employer from tracking their web browsing. The reality is that the mode merely automatically deletes a session's browsing history and cookies.

Google's main defense in the trial was to highlight the message that is displayed to Chrome users when incognito mode is activated: a warning that their activity "might still be visible to websites" that they visit.

In August, Judge Yvonne Gonzalez Rogers turned down Google's request for summary judgment, highlighting that the company failed to disclose to its users the ongoing data collection while they browsed in Incognito mode.

"Google's motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode," Rogers ruled. "Because Google never explicitly told users that it does so, the Court cannot find as a matter of law that users explicitly consented to the at-issue data collection."

Google and the plaintiffs have now agreed to terms that will see the case dismissed once the court gives its final approval by the end of February. Neither side has made the details of the settlement public, though the complaint originally asked for $5 billion.

Permalink to story.

https://www.techspot.com/news/101354-chrome-incognito-mode-not-private-google-settle-class.html

 

[HardReset]

Anyone who understands where Googles revenue come from should also understand Google will spy you every way it can.

Looking at Chrome market share, perhaps most people are not wise enough.

 

[Vanderlinde]

I work for 15 years in the internet space. I've started to notice that relatively new domains, or even registered within the first hour, already where getting indexed while I was working on these domains.

I've figured out that both chrome, it's google DNS and such do send the URL's you visit for it's googlebot to crawl. Now in 2024 almost I'm more privacy minded, and I'm being more aware of the things that I do or not do with chrome.

I suggest every user to start using Cloudflare DNS which is a privacy based DNS. Just goto network settings, click on your adapter, click on IPV4 settings, set a manual DNS into the DNS tab and type in "1.1.1.1" > click OK.

Your ISP, Google, all of those pretty much collect data through DNS requests your making. A DNS request happens when you type in a website adres, the DNS will resolve the IP adres behind the website.

Also, installing UBLOCK Origin for your browser, and on mobile Adguard. Cram down any privacy related issues - it's really worth it to deep dive into that. For years company's have bin using data without us even knowing. It's time to take that back.

 

[user556]

Dear Mr Rob Thubron,
The point of this lawsuit presumably is to get Google to fix Incognito Mode, not to just shrug and say yeah we knew that.

 

[brucek]

Google can not "fix" incognito mode - the destination website needs to know what HTTP request(s) you are making and the IP address you made them from - and unless it is a Google property, Chrome/Google have zero control over what that destination site is going to do with that information. It also can't stop your ISP and/or DNS provider from having this information either. And if you're using a device that is ultimately controlled by another party, such as your school or employer, there may be device-level logging it can't stop either.

What it maybe could have done is come up with a better name for the feature, although I think that's easier said than done. If the user doesn't already understand what's happening under the hood, no clever name is going to suddenly teach them the distinctions between the client, server, ISP, and DNS server roles.

That leaves the middle ground of the non-Chrome Google assets that maybe could have some special integration so they know to act differently, although I'm not aware of any current internet standard that would let all these pieces know Chrome was in incognito mode, and if it was a proprietary solution it would be confusing that other browsers incognito modes worked differently. Without a major development in this space, the request is probably going to end up somewhere in the vast cloud of non-Google user-tracking / ad-serving databases, from where it will likely bleed into Google databases eventually anyway.

 

[user556]

Huh? The complaint is about Google tracking where you go. Google doesn't have to see that under any circumstance.

 

[brucek]

Huh? The complaint is about Google tracking where you go. Google doesn't have to see that under any circumstance.

"Google" is a) the distributor of Chrome; b) the operator of search site google.com (and many other properties); and c) the operator of a vast network of infrastructure related to ad-tracking and serving (and associated user tracking). Google's version of (c) is probably the global leader although there are other big networks too.

Even if (a) Chrome did nothing to log anything in Incognito mode; and (b) you are not visiting Google.com; that has nothing to do with (c). If your incognito Chrome visits pornhub.com or ford.com, then, absent ad-blocking, you or others in your household are at increased chance of seeing vehicle and/or dating site advertisements in the immediate future. This is thanks to those third party websites, which Google has no control over at all, seeking revenues from those ad/tracking networks. Google may have control over its own version of (c) but the inputs that network operates on, if it is coming from those third party sites, may have had no way to know you were in incognito mode anyway; and those third party sites had no obligation to respect incognito mode even if they could tell you were in it.

Edit: I didn't mention your ISP, DNS provider, operating system, or software and/or malware installed on your computer, any or all of which might also be contributing to you perceiving that your incognito activity was not as incognito as you thought it was. My point is until and unless Google is in full control of all those roles, it can never offer an Incognito experience that is what users want/expect it to be.

 

[kiwigraeme]

Google can not "fix" incognito mode - the destination website needs to know what HTTP request(s) you are making and the IP address you made them from - and unless it is a Google property, Chrome/Google have zero control over what that destination site is going to do with that information. It also can't stop your ISP and/or DNS provider from having this information either. And if you're using a device that is ultimately controlled by another party, such as your school or employer, there may be device-level logging it can't stop either.

What it maybe could have done is come up with a better name for the feature, although I think that's easier said than done. If the user doesn't already understand what's happening under the hood, no clever name is going to suddenly teach them the distinctions between the client, server, ISP, and DNS server roles.

That leaves the middle ground of the non-Chrome Google assets that maybe could have some special integration so they know to act differently, although I'm not aware of any current internet standard that would let all these pieces know Chrome was in incognito mode, and if it was a proprietary solution it would be confusing that other browsers incognito modes worked differently. Without a major development in this space, the request is probably going to end up somewhere in the vast cloud of non-Google user-tracking / ad-serving databases, from where it will likely bleed into Google databases eventually anyway.

I took incognito mode to be private only in sense of from rest of your household - ie no cookies, or history etc
The big accusation here is Google incorporating this info into more public profile - if so they should be hammered

But those users are stupid - if they are going onto say reddit pron sites , or elsewhere - have separate emails, accounts from those they use in public - Use a privacy email provider to boot

I mean google could still associated - that rando looking at this or that - could be this gmail account - but then that means they really pushed the boat out.

Think is probably cheaper to settle even if have good court argument - as discovery is expensive and painfull

 

[brucek]

I agree that Chrome writing your Incognito activity into Google server history but not local client history is sketchy and I'm not defending that. Sorry if I muddied the waters. Funnily enough I think not even Google wins by doing this - if they are showing my wife an ad for an adult dating site based on my incognito activity instead of the new microwave she was shopping for, that's counter-productive for them too.

The big point I was trying to make was that even if Google got religious about not doing anything wrong with Chrome itself, the Incognito experience will still not be nearly as Incognito as anyone wants and there's little Google can do to fix that.

 

[Hotlynx16]

My preference is Brave with DuckDuck go, not perfect but better than chrome *****s!!

 

[user556]

Bruce,
You sound like you are saying nobody should bother caring just because there is more than one problem in the world.