The filer is suing because they logged into things like GMail and third party services while in incognito mode. If you wear a mask, but still have your nametag on, that's not the mask makers fault.
If it was only third parties, then maybe. But if google analytics actually tracks data from a logged in incognito session, then it's probably a completely different in the eyes of the law.
It becomes more like: The mask maker put the name tag on your shirt. The tag was also put on in the same booth where you bought the mask that promised anonymity, and it was also the mask maker who supplied the record of your tag number to a third party.
you cannot sign into chrome while incognito, so i'm not sure what you mean by a "logged in incognito session", that's not a thing. The only type of sign in available while in incognito mode is to sign into a website, and the website does not know that you're in incognito mode.
And if you've entered your username and password into the google login form, of course they're tracking you, how could they not be?
Incognito stills works with sessions, keeps cookies. Which means if you login to a google service, your whole session with all its tabs is logged in, and not just that single site.
Not arguing this shouldn’t work that way, but the wording of logged in incognito session seems fair to me.
It'd be impossible for Google Analytics to not collect data from a incognito tab without it knowing that it is incognito somehow (like if Chrome attached a header to all outgoing requests that said incognito=1 or something). But then websites would know you are in incognito, and find some other way to track you without leaving cookies on your box (like logging the IP address for the request and merging all incognito requests into one profile, which would be accurate enough).
What do they want Google to do? They warn you specifically of this anyway when you open an incognito tab:
"
You've gone incognito
Now you can browse privately, and other people who use this device won't see your activity. However, downloads and bookmarks will be saved. Learn more...
It has been a while since I was in js land but I do recall writing a browser extension that needed to know this, and in chrome it was made available to detect whether your script was running in incognito. It was a property of something.
So I imagine as a starting point the Google Analytics client js could utilize this to avoid interacting with the analytics server altogether.
The ability by websites to detect incognito cause real usability pains for users. (For example, certain news outlets refuse to show content when it detects that you're in incognito.) The mechanisms to detect incognito were/are unintended holes. Both FireFox and Chrome have been plugging them.
Well your information is outdated, because there's been a long game of cat and mouse between chrome and sites likes NYT about detecting incognito, with every alternating version a new method coming up, and it being patched in the following version.
It would be easy. They'd have to just not collect, collate, fingerprint, and otherwise acquire enough PII to de-anonymize anyone that touches a script that feeds back to their servers.
> "Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy," reads the complaint. The search giant surreptitiously collects data through Google Analytics, Google Ad Manager, website plug-ins and other applications, including mobile apps, according to the complaint.
The web worked fine in the days before Google started building a profile of everyone who interacts with the internet so that they can sell us garbage we don't need. So how about stopping with the voracious data collection feeding into a permanent profile? You know, like the web used to work?
Just because it is now doesn't mean it hasn't been deliberately built into the thing that presently exists.
edit: and if that makes certain ad-centric businesses obsolete, good.
Case 1. Fixed home broadband often allocates a single IP that the household might have for weeks, months or years. There might be only one person in the house, and even if not it's easy to build a profile across websites visited on how many live there, what time they're active, etc.
Case 2. Mobile broadband often allocates IP seemingly based on the tower you're connected to (in my country, I can notice this effect). So, looking at the surface of the you'd think it arguable that mobile IP is anonymised... Unfortunately, people are creatures of habit and ping the same towers repeatedly. So it's still possible to track.
In short, if there's value to be had in storing any value (like an IP) for ad related purposes, then there's more than a good chance personal information is leaking.
Right, that's the point. Chrome will send "enough PII to de-anonymize" no matter how careful they try to be, because your IP address is very often enough.
I wouldn’t and I’ve professionally sourced and brokered PII. It may be the case that you could match up IP’s with other fingerprinting and/or PII but I’m not sure how. I’ve never seen a broker with a PII data product that would even accept an IP as an input, and IP geolocation is famously inaccurate. This strikes me as theoretically possible but totally infeasible unless you have access to some very special data. I’ve always assumed it was possible and that someone was likely doing it but I was never able to determine how with data that could be acquired through the usual channels.
2) Switch to incognito mode, and go to some website that has Google ads on it
It would now be possible for Google to figure out that the ad was served to someone from the same IP address that recently was logged in with your gmail account.
Any health care website (for instance) that has PII on it probably stores IP addresses at some level, to try to detect DoS attacks, etc. If someone wanted to join that data, IP to PII, they could.
I can't disagree that's it's possible for Google to match up all the stuff it has on people and can get from others. In fact, I made that same assertion in another thread some time ago and got super down-voted over it.
However, there are lots of totally legal scenarios in which two parties match up and combine data on a user containing PII.
I also would like to know if you believe there's something ethically wrong with combining data, provided it's legal and doesn't violate a privacy policy. You haven't said so explicitly but that seems like the implication.
Espressosaurus made the assertion that it would be easy for Google to not collect enough PII to de-anonymize anyone (in Incognito Mode).
I'm pointing out that if you:
1) log in to your gmail
2) Switch to incognito mode and go to a website that has Google ads on it
And if Google has recorded your IP address in both those interactions (of course they have - everyone does), then Google has enough information on most people to de-anonymize them.
Therefore, what Espressosaurus said is absurdly wrong and should not be taken seriously by anyone.
Let's focus our efforts on saying how Google can analyze and use the data, rather than on whether they're allowed to gather it in the first place.
Because it's ridiculous to pretend you can stop Google, or any website for that matter, from collecting IP addresses of logged-in users.
> So how about stopping with the voracious data collection feeding into a permanent profile? You know, like the web used to work?
You're asking Google to stop making most of their money. Their whole business is built around selling advertisers a targeted advertising platform.
- Advertising revenue of Google for 2019 (in billion U.S. dollars): 134.81 [1]
- Annual revenue of Google for 2019 (in billion U.S. dollars): 160.74 [2]
Sure, they should stop, people should not get fingerprinted across sites, these companies should not track us, but good luck getting them to comply with just asking.
Why do these idealistic comments get voted to the top? As if Google could just simply change their entire business model if only they were enlightened how "easy" it would be.
> The web worked fine in the days before
The web is the way it is today because there wasn't anything to stop it from becoming this way. There still isn't anything stopping it.
If you want to see change to some historical point in time, start working on solutions to get there.
I see these type of comments so often on HN but I really don't believe it reflects the majority opinion. I don't honestly think most people care about how the web used to be. It is the way it is because people don't know or care about the consequences of trading their privacy with a big company for free stuff.
If you mean respect for privacy in general by companies, I think this comes down to people needing to first want it more. Like a lot more. We only started seeing things such as GDPR and CCPA after Cambridge Analytica caused people to understand a bit more why privacy matters. But it wasn't enough to see drastic change since there isn't a clear problem and that's the crux of the issue: nobody really understands why it's a such a big deal. There isn't an easy to grasp response to "what is so bad if others know what I'm doing online." Start with justifications and education of why privacy matters, and if it's compelling, change will be demanded.
Regulation is the only thing that can work. The goodness of their heart is not something that can be relied on. Asking Google (and other advertisers) to just back off their biggest money-maker is a non-starter. The only solution is regulation. Insufficient regulation is what brought us to this point. The harm here is too distributed, too abstract, and not obvious to the people it's harming. The people it's harming are the product, the people buying the data are the customers. There is no way Google voluntarily makes those changes. It will have to be forced to via regulation, enforcement, imposition of fines or potentially even jailtime in order to get it to comply. Its business model demands nothing less.
Google could send the incognito flag to only their own websites to honor this setting while also preventing shady third parties from knowing you’re incognito. The point is that Google knows that you don’t want to be tracked, and has full control of both the server and browser, yet tracks you anyway.
It's not clear to me whether you're being sarcastic here. People often complain that Chrome gives Google special treatment. Here on HN, people (incl me) will definitely be outraged if Google does what you're proposing.
The article is very light on details, but am I understanding correctly that the problem is google analytics not honoring settings in chrome? If so, I can't think of a solution that doesn't involve a tighter integration between websites and chrome, and if anything I think we should be moving away from that.
Wow, I didn't realize google analytics doesn't respect the do not track flag. But I just independently verified that is correct. It sounds like this is a simple and elegant solution to the problem (and the moral solution too).
I used a google analytics plugin for Gatsby, and it had a respectDoNotTrack configuration option when you set it up, which does respect it - but I presume that just doesn't send the data to google in the first place.
Incognito isn't a setting, per se, it's a policy. It scopes the cache, cookies, etc. to a sandbox that's deleted once all incognito windows are closed. Google Analytics doesn't even know this policy is in place. The only websites that "honor" incognito are media outlets with paywalls using tricks (tricks Google's always trying to fix) to detect that you're in incognito mode.
The problem isn't a technical one per se, but rather a legal one. Google the company is offering a browser that purports to make someone "incognito" while simultaneously working to track people who are using it - the exact opposite of what one would expect.
Mozilla isn't getting sued for the failings of Firefox's private mode because Mozilla doesn't operate a surveillance system that exploits those failings, and Facebook isn't getting sued for their exploitative surveillance because they aren't offering a product that claims to protect you.
I hate to be defending Google on this, but their Incognito Mode repeatedly states that the only thing it does is hide your activity from users on your computer, and explicitly points out that web sites can still see your activity.
We're all familiar with "the large print giveth and the small print taketh away", but when a company uses the fine print to do the exact opposite of what the large print advertises, they are heading towards fraudulent behavior.
The current result only makes sense if you appreciate how the technical details work together, and view Chrome and Analytics as independent entities - like if you're involved in tech. Take a step back and look at the high level combination of the two as one offering - Google offers to make you "incognito" and then actually does the exact opposite behind the scenes.
Don't know why you're being downvoted. Whenever I've successfully explained how Google works as a company, with even the most favorable tilt while still being honest most non,techies see it as you describe.
And like it or not the non jargonated users outnumber the jargon filled by many orders of magnitude, and they don't tend to react favorably when people talk out both sides of their mouth unless there id's something even more dire at stake.
Yep, I'm pretty sure for the majority of users it's for watching porn or logging in with a different account to something, rather than any expectation of privacy at the other end
I also use it on the rare occasions where I need to log in on someone else's computer. This way, I know all my logins will be ended when I close the browser.
I don't know about "them" but I want Google to stop tracking me and building a secret profile of intimate and politically sensitive information on my person. Full God damn stop. I take as many steps as I can but even not using Google's services is no guarantee of protection and leaving the internet behind completely is not practical if you wish to succeed in modern society.
Adtech is the cancer that is forming the foundation for unprecedented human rights abuses. Look at the state of the country, imagine what either political extreme would do with access to even a fraction of the data that platforms like Google and Facebook collect. A wet dream shared by every dictator in history, from Stalin to Hitler to Mao.
> like if Chrome attached a header to all outgoing requests that said incognito=1 or something
Which, by the way, would be a disaster. There's already enough otherwise-legitimate sites that exploit browser bugs to detect incognito mode and replace all of their content with a paywall.
I would expect that no script would be loaded from google analytics/tag manager domains once I turn it on. But this is obviously not the case.
The article is too vague to actually understand more about what this lawsuit is but regarding:
Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy," reads the complaint. The search giant surreptitiously collects data through Google Analytics, Google Ad Manager, website plug-ins and other applications, including mobile apps, according to the complaint.
They are right. Google is doing that.
I think that incognito mode was mentioned due to this statement: safeguards consumers undertake to protect their data privacy.
They will probably build the case that they tried to protect themselfs but google was still tracking them.
And if chrome is sending to google servers flag that user has turned on incognito mode (which I bet they are/did), then they are having a serious problem.
"Poor user, this little girl with cute blue eyes, tried to protect itself from invasion of her privacy, they knew that but were still tracking her"
If this is the case they will have to pay or bribe the judge.
The law firm that is behind it is specialized into class action lawsuits with crew of around 300 lawyers so I expect a good show. I hope google wont settle outside the court.
I'm not sure if they do, but one potential reason not to do it is that setting DNT literally gives the server 1 additional bit of information about your configuration. This could be used to track you more effectively.
1 extra bit is the last of my concerns, there's plenty of bits to uniquely fingerprint a browser anyways. I'd gladly trade one inconsequential bit, which requires malicious intent to misuse, to keep my privacy safe when dealing with honorable entities like, I presume, Google.
Oh, there is so much more that can go into a browser fingerprint. There is no one, single "browser fingerprint." Basically any API your browser exposes can leak information that can be used for fingerprinting. See: https://panopticlick.eff.org/
I don't understand. There are dozens, if not hundreds, or even thousands of bits to use to identify any given browser, but providing one extra such bit that politely asks 'Do Not Track' is now a problem because it makes tracking slightly easier?
I don't think it does. One possible explanation is that they don't want the "Edge Effect". If the header is set by everyone than people will just ignore it. Since Edge started setting it for everyone the header is basically useless already.
It would also provide an interesting way to identify incognito users which chrome has been trying to prevent websites from doing it. Of course it won't be perfect, but probably more than 99% of DNT headers would be incognito if they did this because I would bet that very few people enable it manually.
It takes active effort to break into a house. It takes zero effort to ignore a header. It's more akin to everyone having a sign on their yard that says "Please don't break into this house."
> In a nutshell, no, door to door solicitation isn’t illegal. But if you have a no soliciting sign posted on your property, and the salesperson is refusing to vacate the property, they can be assessed trespassing fines and possible legal charges.
> But if you have a no soliciting sign posted on your property, and the salesperson is refusing to vacate the property, they can be assessed trespassing fines and possible legal charges.
How is this different from when you don't have the sign? Do they get to refuse vacating the property without trespassing in that case?
I am not a Google employee but Chrome does not send the dnt header in incognito mode. It only sends it when you have it turned on, in which case it will send it in both regular and incognito mode.
They have also a ton of already existing information on you from platforms such as Android and gmail, can track you on multiple levels including your location, and serve you micro targeted ads.
Saying they are politically popular to hate on sounds as if the criticism is not warranted.
> Saying they are politically popular to hate on sounds as if the criticism is not warranted.
The criticism is definitely warranted, but that is a very shallow take on things.
Privacy issues with incognito mode have been known about for years[1]. But all of a sudden, suing Google (and making a spectacle of it) is a big priority. I think it is pretty likely that the government is trying to make some easy money and publicity points after current events have left them hurting for both.
Maybe the government is full of altruists, doing what is warranted when it is warranted, but I think starting from that assumption is pretty naive.
Maybe because they are the creator of the most popular browser and the creator of a giant network of websites and services aimed at tracking you for their own profit.
> Is it the browser? Firefox has an equivalent mode.
I let you figure out which of the things above Firefox is not
> Is it the web app? Virtually every single web app sets cookies even when you are in incognito mode.
Why would Google be unique in that respect? You're not assuming you can only file a lawsuit against a company if they are the only ones who break the law, do you?
"It'd be impossible for Google Analytics to not collect data from a incognito tab without it knowing that it is incognito somehow (like if Chrome attached a header to all outgoing requests that said incognito=1 or something)."
Developer Tools allows users to block specific requests, e.g., to google-analytics.com, either by URL or by domain. It is possible (but not implemented by Google) to automatically activate such request blocking when an incognito tab is opened. This is one way to stop GA tracking when in incognito mode.
The quoted warning "Your activity might be visible to:" lists a few third parties, e.g., "websites you visit", "Your employer or school", "Your internet servive provider".
However it does not list Google, LLC or Alphabet, Inc. The complaint is against Google and Alphabet, not the other other third parties.
In addition to GA, the complaint alleges Google tracks users without consent via Google Ad Manager, the "Sign in with Google" button, including Google Approved Pixels, despite incognito mode or privacy settings.
It further alleges tracking without consent via Android, despite igcognito mode or privacy settings, as described in the following paper
Finally, it alleges Google conducts tracking without consent, despite incognito mode or privacy settings, via the "X-client-data" header in Chrome (formerly "X-chrome-variations") as described in the article
The complaint argues Google is representing to users that "You are in control" via Google's incognito mode and privacy settings however Google is nonethless tracking users via all of the above methods without user consent. This arguably constitutes misrepresentation.
To recover damages, the wiretapping laws require that there must be some injury. If users' privacy is violated, what pecuniary loss do they suffer? This is usually why these lawsuits always fail.
This complaint uses this source to try to estimate damages
The complaint also cites the "Google Screenwise Trends" program where Google pays users $3/week to be tracked.
The complaint mentions the websites Latome and Killi where users can voluntarily sell their personal data, noting that Google OTOH takes such personal data without asking for permission and without providing compensation.
The complaint also appears to suggest that the user's ability to obtain the maximum value from granting permission to collect and sell her personal data, e.g., via Latome or Killi, is decreased as a result of G...
Sure, they tell you websites could be doing it, but they don’t tell you that the one of the biggest websites in the world, from the same company that created the browser, is doing it. The fact that they even point that out means they know it’s an invasion of privacy (bad), but yet they do it anyway.
Also, now that many people's connections are IPv6, the server can identify individual computers behind a router. Though your laptop's IPv6 may not be a permanent address, it lasts long enough to track you.
If you're logged in to any web services on your computer, other web requests can then be correlated to non-authenticated requests from the same IP.
I feel like IPv4 with NAT was an accidental privacy win.
I think the solution for this is for operating systems to allow applications to request a fresh IP address, or something like that. Obviously that would be a highly difficult and disruptive change at multiple levels...
NAT only anonymizes folks behind that one router, and in a typical household that's down to just a couple of individuals. Combined with other hints (including browser fingerprinting), NAT provides very little privacy protection, especially given how long-lived the average IPv4 DHCP lease lasts.
> I think the solution for this is for operating systems to allow applications to request a fresh IP address, or something like that. Obviously that would be a highly difficult and disruptive change at multiple levels...
No, I don’t think privacy addresses as currently implemented addresses the problem. All browsers on my machine still share the same ipv6, whereas I think they should get unique ipv6 addresses if they want them.
Fingerprinting is more tractable to defeat by disabling all JS, for example.
Also, you seem to be saying that because NAT doesn’t provide much privacy, we shouldn’t care if we get even less privacy. I disagree with that.
> All browsers on my machine still share the same ipv6, whereas I think they should get unique ipv6 addresses if they want them.
Yup, sorry, I overlooked that part of your comment.
That said, I'm still not convinced it buys you much... maybe a bit of an improvement, but...
> Fingerprinting is more tractable to defeat by disabling all JS, for example.
Sorry, that's just completely unreasonable. JS is basically table stakes at this point for virtually any website to reasonably function.
Worse, it feels like an arms race between browsers and the ad tech giants when it comes to try and defeat fingerprinting.
Now, imagine you could break the 1:1 connection between browser engine and user. For example, imagine a bank of cloud hosted browser engines out in the cloud. You have a thin "client" that uses this headless cloud browser using a remote display technique of some kind (just batch up, serialize, transport, and render DOM updates, while passing back user interaction events?). Between sessions the state is wiped, and they're randomly shared among clients of the system...
I'm sure there's a zillion legal and technical hurdles, but unless you break the 1:1 relationship between browser and user, fingerprinting feels inevitable.
> Also, you seem to be saying that because NAT doesn’t provide much privacy
No, I'm just saying IPv6 provides no less. And either way, while it's not nothing it ain't that much.
Is anything stopping you from using NAT with IPv6? I really see no reason to assign every device on a network their own public address when I can just keep the pool of addresses on my router to be assigned for whatever and be able to assign devices huge swaths of private IPv6 space if I want.
Does not using NAT really help anything when the firewall still wont let you in without an existing outbound connection?
This holds only when with IPv4 NATs that are fronting masses of people, such as in ISP or bigcorp NATs - otherwise the privacy effect is weak enough to be negligible and it can be weaker than IPv6 use of rotating privacy addresses.
Is this not an issue with any private browsing mode? How is Chrome Incognito different from Firefox Private? If you login into Gmail on Firefox Private, you still get tracked, no?
I'm curious, every other browser has a similar mode. Is the same thing not an issue in other browsers? Do analytics packages not track you in Firefox Private browsing? Do other non-Google analytics not track you in Chrome?
What's specific to Google/Chrome here that's not true with every other browser/analytics platform?
I imagine anyone who tries to brand it as "I can't be identified" might be sued too. Who knows how successful they will be.
I doubt it would be worth the effort for browsers that don't have a huge market share. For example, a suit against Opera would be ineffective in the grand scheme...as most aren't aware of its existence.
Where is the "can't be identified" line come from? The branding is, word for word:
> Now you can browse privately, and other people who use this device won't see your activity
and
> Your activity might still be visible to: Websites you visit
Where does that piece of branding you mention come from? I don't see it anywhere? Did Google remove it recently? Or is it just what people, through the telephone game, have come to think it means?
I use chrome and I notice things that, for example I'll watch a youtube video in incognito mode then, shortly thereafter like, like some minutes. Those things I searched for in incognito mode show up as recommendations in regular browsing.
Cookies are still stored and shared among other Incognito tabs. This makes Incognito more usable: you can login to an online store, open a few product pages in new tabs, add items to your cart from all these tabs and check out in the end. If each tab had its own cookie store, they'd have separate carts as well.
AFAIK, you need to close all Incognito tabs for the session to end.
Incognito mode and guest mode
You can limit the information Chrome stores on your system by using incognito mode or guest mode. In these modes, Chrome won't store certain information, such as:
* Basic browsing history information like URLs, cached page text, or IP addresses of pages linked from the websites you visit
* Snap shots of pages that you visit
* Records of your downloads, although the files you download will still be stored elsewhere on your computer or device
> "As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session."
With how the web works, the degree of privacy the plaintiffs are asking for isn't technically feasible without also advertising that you're in incognito mode.
I'm willing to trade paywalls for privacy. And paywalls are easy to get around, too, in this context. Just use a non-incognito tab to browse those sites.
According to their history of Terms of Service changes, it appears that they made changes to the language surrounding information collected while "private browsing" between September 1, 2015 and June 21, 2016. Just do a Cmd+F or Ctrl+F for "snap" (part of snapshot/snap shots; they do not spell it consistently).
In that case, it's been in their terms since 2016.
I do not agree with this practice nor do I condone it, but who is ultimately "in the wrong here"? Is it Google or is it the users, the latter of whom are supposed to read these Terms prior to agreeing to them?
Are "Terms" too long these days? I can't imagine most people have the time to read through all - if not any - of the Terms of Service (etc.) for all products and services they're utilizing in their life.
The idea that companies can dictate terms that can be arbitrarily changed at whim where the only consent users need to give is the continued use of their product is pretty ludicrous as far as I'm concerned. I realize people should read terms and I do tend to, but often companies will make their policy changes obscure, they intentionally downplay when the make changes to terms.
If i enter into a contract with someone, specific permission is required from both parties on any changes. I personally don't understand how these terms of services, which are effectively contracts, get out of following contract law. If I agree to a terms of service, I an agreeing to a contract set out by that business at that time. Refusing to allow service for not agreeing to later changes put out by the service provider is illegal in any other form of business contract. I can't write a contract for some consulting work, get a customer to sign it, change the terms then refuse to hand over my completed work until they agree. I'd be taken to court.
IIRC, Terms of Service usually have a clause with language that states that the provider of the service may change the terms of the contract at any time without prior notice. If the user doesn't like the new terms, they can quit using the service.
Take-it-or-leave-it changes contracts are a thing in negotiated contracts between businesses as well. But rather than taking effect immediately, they'll happen when the contract is up for renewal.
As an example, an employer of mine used to have a software product offered for on-prem self-hosted use, or as a hosted service. Then, they decided to stop offering the self-hosted option and to only offer the software as a hosted service to reduce development and support costs of having to support the myriad configurations that come of a number of customers running their own on-prem setups. Customers had the option of converting to the hosted service option, or taking their business elsewhere. And so, when their existing on-prem contracts were up for renewal, those customers made the choice to find another solution, or convert to the hosted service.
So, IMO, these ToSes are following contract law. It just sucks that the contracts are so one-sided and the consumers of services offered really don't have an easy means of negotiating the terms to something better for themselves.
>Terms of Service usually have a clause with language that states that the provider of the service may change the terms of the contract at any time without prior notice. If the user doesn't like the new terms, they can quit using the service
This is the issue I speak of. Part of contract law makes this illegal.
>The parties must usually mutually agree to alter or modify the contract. In some circumstances the underlying contract might give one party a unilateral right to make certain limited changes, but agreement is normally necessary.
>The parties must intend the alteration/modification permanently to affect their rights. If there is no such intention, then the change is likely to amount only to a temporary forbearance or concession, rather than a permanent variation of the contract.
>The parties must comply with any requirements as to the form of the variation. These could be specified by legislation, or set out in the original contract which is being varied.
>The agreement to vary a contract will need to be supported by consideration - something of value must be given in exchange for the alteration. If there is no such consideration, then the variation will need to be effected by deed.
For real. Many of the anti-Google comments here are injecting their own fantasies for what this lawsuit could be about, celebrating it as some kind of victory towards user privacy - which, to be fair, is a discussion that needs to be had - but this lawsuit isn't that.
This lawsuit is literally "I think incognito mode should specifically stop Google Analytics, a website feature, from tracking me" even though the first thing you see when you open an incognito window is that "this doesn't stop websites from tracking you."
What do they want Google to do, lean in further towards monopolistic abuse and give Chrome Incognito special treatment when its users are on a site using Google Analytics?
What is with this consistent gas lighting? These articles mention Chrome Incognito, and the laser focus gas lighting is consistently that "of course you can be tracked in Chrome Incognito, why are these people SO STUPID?"
This has nothing to do with the fact that you can theoretically track users in Incognito mode. You could be using Firefox Privacy mode, and the problem would be exactly the same. It's that Google's services are tracking users who are clearly indicating they don't want to be tracked. If Google built their whole company around relying on bad faith encounters with their customers, and it's going to be painful for them to unwind, then boo-fucking-hoo. Do dumb shit, get dumb rewards.
This is a problem with the article. "for tracking people in incognito mode" would almost certainly indicate that they claim incognito mode is an end-all for GA/Ads tracking, yet the actual case complains about (in broader terms of course):
> To prevent information from being shared with Google, Google recommends that its consumers need only launch a browser such as Google Chrome, Safari, Microsoft Edge, or Firefox in “private browsing mode. Both statements are untrue. ”
This type of comment is prevalent in this thread because neither this article nor the original article makes this distinction or goes into depth about what the lawsuit really targets. The average HN user doesn't have a pacer account or the patience to go searching through pacer, so we can only rely on news sites to provide good information (especially when they don't even upload the complaint to document cloud).
I've seen several people mention the Do Not Track header, but it comes with a downside: it paints a giant target on your back.
If, say, 5% of user agents have DNT enabled, then it's becomes extremely effective as a fingerprinting vector on the people who specifically don't want to be fingerprinted.
If, on the other hand, a majority of people use it, then most people will simply ignore it or perish. This is mostly why people ignore it nowadays, because IE turned it on by default. No one uses it anymore because there's no reason to trust that it'll do anything and no reason to actually follow it.
The legislators will be delighted to learn how google's
* reCaptcha
* 8.8.8.8 et al DNS
* google fonts hotlink
* google JS cdn hotlink
* etc etc
store data and how that data is "anonymized" by random teams' arbitrary definitions, and used all over their ecosystem.
I guarantee you at the very minimum reCatpcha contributes to some "isBot" or "hasGoogleAccount" attribute that is then used by Advertising systems. And that is assuming the best of the best of the best case scenario.
This lawsuit is absurd, and it should be rejected with a "please learn to use a computer before owning one".
So, what is next? lawsuits against car companies because emergency lights didn't invoke emergency responders?
121 comments
[ 3.7 ms ] story [ 82.2 ms ] threadIt becomes more like: The mask maker put the name tag on your shirt. The tag was also put on in the same booth where you bought the mask that promised anonymity, and it was also the mask maker who supplied the record of your tag number to a third party.
you cannot sign into chrome while incognito, so i'm not sure what you mean by a "logged in incognito session", that's not a thing. The only type of sign in available while in incognito mode is to sign into a website, and the website does not know that you're in incognito mode.
And if you've entered your username and password into the google login form, of course they're tracking you, how could they not be?
Not arguing this shouldn’t work that way, but the wording of logged in incognito session seems fair to me.
What do they want Google to do? They warn you specifically of this anyway when you open an incognito tab:
"
You've gone incognito
Now you can browse privately, and other people who use this device won't see your activity. However, downloads and bookmarks will be saved. Learn more...
Chrome won't save the following information:
Your browsing history
Cookies and site data
Information entered in forms
Your activity might still be visible to:
Websites you visit
Your employer or school
Your internet service provider
"
It has been a while since I was in js land but I do recall writing a browser extension that needed to know this, and in chrome it was made available to detect whether your script was running in incognito. It was a property of something.
So I imagine as a starting point the Google Analytics client js could utilize this to avoid interacting with the analytics server altogether.
[0] https://boingboing.net/2019/07/20/cookie-managers-r-us.html
> "Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy," reads the complaint. The search giant surreptitiously collects data through Google Analytics, Google Ad Manager, website plug-ins and other applications, including mobile apps, according to the complaint.
The web worked fine in the days before Google started building a profile of everyone who interacts with the internet so that they can sell us garbage we don't need. So how about stopping with the voracious data collection feeding into a permanent profile? You know, like the web used to work?
Just because it is now doesn't mean it hasn't been deliberately built into the thing that presently exists.
edit: and if that makes certain ad-centric businesses obsolete, good.
Why not?
Case 1. Fixed home broadband often allocates a single IP that the household might have for weeks, months or years. There might be only one person in the house, and even if not it's easy to build a profile across websites visited on how many live there, what time they're active, etc.
Case 2. Mobile broadband often allocates IP seemingly based on the tower you're connected to (in my country, I can notice this effect). So, looking at the surface of the you'd think it arguable that mobile IP is anonymised... Unfortunately, people are creatures of habit and ping the same towers repeatedly. So it's still possible to track.
In short, if there's value to be had in storing any value (like an IP) for ad related purposes, then there's more than a good chance personal information is leaking.
2) Switch to incognito mode, and go to some website that has Google ads on it
It would now be possible for Google to figure out that the ad was served to someone from the same IP address that recently was logged in with your gmail account.
Any health care website (for instance) that has PII on it probably stores IP addresses at some level, to try to detect DoS attacks, etc. If someone wanted to join that data, IP to PII, they could.
However, there are lots of totally legal scenarios in which two parties match up and combine data on a user containing PII.
I also would like to know if you believe there's something ethically wrong with combining data, provided it's legal and doesn't violate a privacy policy. You haven't said so explicitly but that seems like the implication.
I'm pointing out that if you:
1) log in to your gmail
2) Switch to incognito mode and go to a website that has Google ads on it
And if Google has recorded your IP address in both those interactions (of course they have - everyone does), then Google has enough information on most people to de-anonymize them.
Therefore, what Espressosaurus said is absurdly wrong and should not be taken seriously by anyone.
Let's focus our efforts on saying how Google can analyze and use the data, rather than on whether they're allowed to gather it in the first place.
Because it's ridiculous to pretend you can stop Google, or any website for that matter, from collecting IP addresses of logged-in users.
You're asking Google to stop making most of their money. Their whole business is built around selling advertisers a targeted advertising platform.
Sure, they should stop, people should not get fingerprinted across sites, these companies should not track us, but good luck getting them to comply with just asking.Why do these idealistic comments get voted to the top? As if Google could just simply change their entire business model if only they were enlightened how "easy" it would be.
> The web worked fine in the days before
The web is the way it is today because there wasn't anything to stop it from becoming this way. There still isn't anything stopping it.
If you want to see change to some historical point in time, start working on solutions to get there.
I see these type of comments so often on HN but I really don't believe it reflects the majority opinion. I don't honestly think most people care about how the web used to be. It is the way it is because people don't know or care about the consequences of trading their privacy with a big company for free stuff.
The only solution I see is enforced regulation to respect DNT, or something like it. Do you have something else in mind?
Mozilla isn't getting sued for the failings of Firefox's private mode because Mozilla doesn't operate a surveillance system that exploits those failings, and Facebook isn't getting sued for their exploitative surveillance because they aren't offering a product that claims to protect you.
The current result only makes sense if you appreciate how the technical details work together, and view Chrome and Analytics as independent entities - like if you're involved in tech. Take a step back and look at the high level combination of the two as one offering - Google offers to make you "incognito" and then actually does the exact opposite behind the scenes.
And like it or not the non jargonated users outnumber the jargon filled by many orders of magnitude, and they don't tend to react favorably when people talk out both sides of their mouth unless there id's something even more dire at stake.
Assuming someone hasn't installed a key logger or OS tracker :(
I don't know about "them" but I want Google to stop tracking me and building a secret profile of intimate and politically sensitive information on my person. Full God damn stop. I take as many steps as I can but even not using Google's services is no guarantee of protection and leaving the internet behind completely is not practical if you wish to succeed in modern society.
Adtech is the cancer that is forming the foundation for unprecedented human rights abuses. Look at the state of the country, imagine what either political extreme would do with access to even a fraction of the data that platforms like Google and Facebook collect. A wet dream shared by every dictator in history, from Stalin to Hitler to Mao.
I did not consent.
They could also modify the warning text:
"
Google won't save the following information locally:
Your browsing history
Cookies and site data
Information entered in forms
Your activity might still be visible to:
Google
Websites you visit
Your employer or school
Your internet service provider
"
Which, by the way, would be a disaster. There's already enough otherwise-legitimate sites that exploit browser bugs to detect incognito mode and replace all of their content with a paywall.
The "DNT" header already exists for this purpose, it's just that Chrome does not actually set in when incognito.
I would expect that no script would be loaded from google analytics/tag manager domains once I turn it on. But this is obviously not the case.
The article is too vague to actually understand more about what this lawsuit is but regarding:
Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy," reads the complaint. The search giant surreptitiously collects data through Google Analytics, Google Ad Manager, website plug-ins and other applications, including mobile apps, according to the complaint.
They are right. Google is doing that.
I think that incognito mode was mentioned due to this statement: safeguards consumers undertake to protect their data privacy.
They will probably build the case that they tried to protect themselfs but google was still tracking them.
And if chrome is sending to google servers flag that user has turned on incognito mode (which I bet they are/did), then they are having a serious problem.
"Poor user, this little girl with cute blue eyes, tried to protect itself from invasion of her privacy, they knew that but were still tracking her"
If this is the case they will have to pay or bribe the judge.
The law firm that is behind it is specialized into class action lawsuits with crew of around 300 lawyers so I expect a good show. I hope google wont settle outside the court.
https://blog.mozilla.org/internetcitizen/2018/07/26/this-is-...
What goes into one's fingerprint:
1. navigator.userAgent, 2. navigator.language, 3. navigator.doNotTrack, 4. screen.width, 5. screen.height, 6. screen.colorDepth, 7. Intl.DateTimeFormat().resolvedOptions().timeZone, 8. navigator.platform, 9. navigator.hardwareConcurrency, 10. GPU vendor and renderer, 11. isTouch, 12. storage types, 13. font-list, 14. canvas-hash
The lawsuit is ridiculous. Incognito mode is extremely clear about what it does and does not protect against.
The irony brought up is that for Google to respect incognito they would have to then break it even more.
It would also provide an interesting way to identify incognito users which chrome has been trying to prevent websites from doing it. Of course it won't be perfect, but probably more than 99% of DNT headers would be incognito if they did this because I would bet that very few people enable it manually.
Ftfy.
https://banneradviser.com/no-soliciting-signs
> In a nutshell, no, door to door solicitation isn’t illegal. But if you have a no soliciting sign posted on your property, and the salesperson is refusing to vacate the property, they can be assessed trespassing fines and possible legal charges.
How is this different from when you don't have the sign? Do they get to refuse vacating the property without trespassing in that case?
With sign: Unassailable evidence that tresspassers are informed they are not welcome.
Without sign. Owner word vs tresspasser word.
The latter is a weaker stance.
Or blackmail him, because obviously they have his profile too.
Is it the browser? Firefox has an equivalent mode.
Is it the web app? Virtually every single web app sets cookies even when you are in incognito mode.
They have tons of money and they are politically popular to hate on. There is no reason not to fine them.
Saying they are politically popular to hate on sounds as if the criticism is not warranted.
The criticism is definitely warranted, but that is a very shallow take on things.
Privacy issues with incognito mode have been known about for years[1]. But all of a sudden, suing Google (and making a spectacle of it) is a big priority. I think it is pretty likely that the government is trying to make some easy money and publicity points after current events have left them hurting for both.
Maybe the government is full of altruists, doing what is warranted when it is warranted, but I think starting from that assumption is pretty naive.
[1] https://nypost.com/2018/08/22/googles-incognito-mode-isnt-as...
Maybe because they are the creator of the most popular browser and the creator of a giant network of websites and services aimed at tracking you for their own profit.
> Is it the browser? Firefox has an equivalent mode.
I let you figure out which of the things above Firefox is not
> Is it the web app? Virtually every single web app sets cookies even when you are in incognito mode.
https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc...
`DNT=1` would have done the job. Unfortunately, the standard was not widely adopted and subsequently abandoned.
Developer Tools allows users to block specific requests, e.g., to google-analytics.com, either by URL or by domain. It is possible (but not implemented by Google) to automatically activate such request blocking when an incognito tab is opened. This is one way to stop GA tracking when in incognito mode.
The quoted warning "Your activity might be visible to:" lists a few third parties, e.g., "websites you visit", "Your employer or school", "Your internet servive provider".
However it does not list Google, LLC or Alphabet, Inc. The complaint is against Google and Alphabet, not the other other third parties.
Here is a copy of the complaint:
https://www.classaction.org/media/brown-et-al-v-google-llc-e...
For those who will not read the complaint:
In addition to GA, the complaint alleges Google tracks users without consent via Google Ad Manager, the "Sign in with Google" button, including Google Approved Pixels, despite incognito mode or privacy settings.
It further alleges tracking without consent via Android, despite igcognito mode or privacy settings, as described in the following paper
Douglas C. Schmidt, Google Data Collection, DIGITAL CONTENT NEXT 1 (Aug. 15, 2018), https://digitalcontentnext.org/blog/2018/08/21/google-data-c...
Finally, it alleges Google conducts tracking without consent, despite incognito mode or privacy settings, via the "X-client-data" header in Chrome (formerly "X-chrome-variations") as described in the article
Thomas Claburn, Is Chrome Really Secretly Stalking You Across Google Sites Using Per-Install ID Numbers? We Reveal the Truth, THE REGISTER (Feb. 5, 2020), https://www.theregister.co.uk/2020/02/05/google_chrome_id_nu...
The complaint argues Google is representing to users that "You are in control" via Google's incognito mode and privacy settings however Google is nonethless tracking users via all of the above methods without user consent. This arguably constitutes misrepresentation.
To recover damages, the wiretapping laws require that there must be some injury. If users' privacy is violated, what pecuniary loss do they suffer? This is usually why these lawsuits always fail.
This complaint uses this source to try to estimate damages
Tim Morey, What s Your Personal Data Worth?, DESIGN MIND (Jan. 18, 2011), https://web.archive.org/web/20140703174004/http://designmind...
Contact info: $4.20/yr
Demographics info: $3.00/yr
Web browsing histories: $52.00/yr
The complaint also cites the "Google Screenwise Trends" program where Google pays users $3/week to be tracked.
The complaint mentions the websites Latome and Killi where users can voluntarily sell their personal data, noting that Google OTOH takes such personal data without asking for permission and without providing compensation.
The complaint also appears to suggest that the user's ability to obtain the maximum value from granting permission to collect and sell her personal data, e.g., via Latome or Killi, is decreased as a result of G...
If you're logged in to any web services on your computer, other web requests can then be correlated to non-authenticated requests from the same IP.
I feel like IPv4 with NAT was an accidental privacy win.
I think the solution for this is for operating systems to allow applications to request a fresh IP address, or something like that. Obviously that would be a highly difficult and disruptive change at multiple levels...
It is complex, but doable.
Which resulted in this Chrome bug: https://bugs.chromium.org/p/chromium/issues/detail?id=108566...
> I think the solution for this is for operating systems to allow applications to request a fresh IP address, or something like that. Obviously that would be a highly difficult and disruptive change at multiple levels...
IPv6 already has this capability:
https://www.internetsociety.org/blog/2014/12/ipv6-privacy-ad...
That randomization occurs on a higher frequency than a typical DHCP lease expiration.
For a home that has a /48, this is no better or worse than NAT, since you can still only track devices to the home.
If your individual devices have their own IPs within the ISP address space, then the best an outsider could do is track devices to a given ISP subnet.
Of course, again, the real threat is browser fingerprinting and similar technologies, which are entirely independent of the underlying network.
Fingerprinting is more tractable to defeat by disabling all JS, for example.
Also, you seem to be saying that because NAT doesn’t provide much privacy, we shouldn’t care if we get even less privacy. I disagree with that.
Yup, sorry, I overlooked that part of your comment.
That said, I'm still not convinced it buys you much... maybe a bit of an improvement, but...
> Fingerprinting is more tractable to defeat by disabling all JS, for example.
Sorry, that's just completely unreasonable. JS is basically table stakes at this point for virtually any website to reasonably function.
Worse, it feels like an arms race between browsers and the ad tech giants when it comes to try and defeat fingerprinting.
Now, imagine you could break the 1:1 connection between browser engine and user. For example, imagine a bank of cloud hosted browser engines out in the cloud. You have a thin "client" that uses this headless cloud browser using a remote display technique of some kind (just batch up, serialize, transport, and render DOM updates, while passing back user interaction events?). Between sessions the state is wiped, and they're randomly shared among clients of the system...
I'm sure there's a zillion legal and technical hurdles, but unless you break the 1:1 relationship between browser and user, fingerprinting feels inevitable.
> Also, you seem to be saying that because NAT doesn’t provide much privacy
No, I'm just saying IPv6 provides no less. And either way, while it's not nothing it ain't that much.
Does not using NAT really help anything when the firewall still wont let you in without an existing outbound connection?
I wouldn't be surprised if they get an inconsequential slap on the wrist.
What's specific to Google/Chrome here that's not true with every other browser/analytics platform?
I doubt it would be worth the effort for browsers that don't have a huge market share. For example, a suit against Opera would be ineffective in the grand scheme...as most aren't aware of its existence.
> Now you can browse privately, and other people who use this device won't see your activity
and
> Your activity might still be visible to: Websites you visit
Where does that piece of branding you mention come from? I don't see it anywhere? Did Google remove it recently? Or is it just what people, through the telephone game, have come to think it means?
AFAIK, you need to close all Incognito tabs for the session to end.
Incognito mode and guest mode You can limit the information Chrome stores on your system by using incognito mode or guest mode. In these modes, Chrome won't store certain information, such as:
* Basic browsing history information like URLs, cached page text, or IP addresses of pages linked from the websites you visit
* Snap shots of pages that you visit
* Records of your downloads, although the files you download will still be stored elsewhere on your computer or device
And we're happy to facilitate that.
I’m curious how this sort of thing works. Grudges? An Achilies heel you found? Is it common for a firm to hit again with something unrelated?
I’m fine with it either way, just curious.
In that case, it's been in their terms since 2016.
I do not agree with this practice nor do I condone it, but who is ultimately "in the wrong here"? Is it Google or is it the users, the latter of whom are supposed to read these Terms prior to agreeing to them?
Are "Terms" too long these days? I can't imagine most people have the time to read through all - if not any - of the Terms of Service (etc.) for all products and services they're utilizing in their life.
If i enter into a contract with someone, specific permission is required from both parties on any changes. I personally don't understand how these terms of services, which are effectively contracts, get out of following contract law. If I agree to a terms of service, I an agreeing to a contract set out by that business at that time. Refusing to allow service for not agreeing to later changes put out by the service provider is illegal in any other form of business contract. I can't write a contract for some consulting work, get a customer to sign it, change the terms then refuse to hand over my completed work until they agree. I'd be taken to court.
Take-it-or-leave-it changes contracts are a thing in negotiated contracts between businesses as well. But rather than taking effect immediately, they'll happen when the contract is up for renewal.
As an example, an employer of mine used to have a software product offered for on-prem self-hosted use, or as a hosted service. Then, they decided to stop offering the self-hosted option and to only offer the software as a hosted service to reduce development and support costs of having to support the myriad configurations that come of a number of customers running their own on-prem setups. Customers had the option of converting to the hosted service option, or taking their business elsewhere. And so, when their existing on-prem contracts were up for renewal, those customers made the choice to find another solution, or convert to the hosted service.
So, IMO, these ToSes are following contract law. It just sucks that the contracts are so one-sided and the consumers of services offered really don't have an easy means of negotiating the terms to something better for themselves.
This is the issue I speak of. Part of contract law makes this illegal.
https://gowlingwlg.com/en/insights-resources/articles/2018/h...
>The parties must usually mutually agree to alter or modify the contract. In some circumstances the underlying contract might give one party a unilateral right to make certain limited changes, but agreement is normally necessary.
>The parties must intend the alteration/modification permanently to affect their rights. If there is no such intention, then the change is likely to amount only to a temporary forbearance or concession, rather than a permanent variation of the contract.
>The parties must comply with any requirements as to the form of the variation. These could be specified by legislation, or set out in the original contract which is being varied.
>The agreement to vary a contract will need to be supported by consideration - something of value must be given in exchange for the alteration. If there is no such consideration, then the variation will need to be effected by deed.
https://www.cnet.com/news/shadow-profiles-facebook-has-infor...
This lawsuit is literally "I think incognito mode should specifically stop Google Analytics, a website feature, from tracking me" even though the first thing you see when you open an incognito window is that "this doesn't stop websites from tracking you."
What do they want Google to do, lean in further towards monopolistic abuse and give Chrome Incognito special treatment when its users are on a site using Google Analytics?
This has nothing to do with the fact that you can theoretically track users in Incognito mode. You could be using Firefox Privacy mode, and the problem would be exactly the same. It's that Google's services are tracking users who are clearly indicating they don't want to be tracked. If Google built their whole company around relying on bad faith encounters with their customers, and it's going to be painful for them to unwind, then boo-fucking-hoo. Do dumb shit, get dumb rewards.
> To prevent information from being shared with Google, Google recommends that its consumers need only launch a browser such as Google Chrome, Safari, Microsoft Edge, or Firefox in “private browsing mode. Both statements are untrue. ”
This type of comment is prevalent in this thread because neither this article nor the original article makes this distinction or goes into depth about what the lawsuit really targets. The average HN user doesn't have a pacer account or the patience to go searching through pacer, so we can only rely on news sites to provide good information (especially when they don't even upload the complaint to document cloud).
complaint: https://i.judge.sh/specific/Sia/520-cv-03664-LHK-1-main.pdf
If, say, 5% of user agents have DNT enabled, then it's becomes extremely effective as a fingerprinting vector on the people who specifically don't want to be fingerprinted.
If, on the other hand, a majority of people use it, then most people will simply ignore it or perish. This is mostly why people ignore it nowadays, because IE turned it on by default. No one uses it anymore because there's no reason to trust that it'll do anything and no reason to actually follow it.
So DNT doesn't seem to add much if someone cares enough about this variable.
I guarantee you at the very minimum reCatpcha contributes to some "isBot" or "hasGoogleAccount" attribute that is then used by Advertising systems. And that is assuming the best of the best of the best case scenario.
The law firm that help Harvey Weinstein smear his victims is going after a target with deep pockets... This is news?
https://news.ycombinator.com/item?id=23397045