
Google faces $5B lawsuit for tracking people in incognito mode - petercooper
https://www.cnet.com/news/google-faces-5-billion-lawsuit-for-tracking-people-in-incognito-mode/
======
dang
[https://news.ycombinator.com/item?id=23405022](https://news.ycombinator.com/item?id=23405022)

[https://news.ycombinator.com/item?id=23397045](https://news.ycombinator.com/item?id=23397045)

------
jedieaston
It'd be impossible for Google Analytics to not collect data from an incognito
tab without it knowing that it is incognito somehow (like if Chrome attached a
header to all outgoing requests that said incognito=1 or something). But then
websites would know you are in incognito, and find some other way to track you
without leaving cookies on your box (like logging the IP address for the
request and merging all incognito requests into one profile, which would be
accurate enough).

What do they want Google to do? They warn you specifically of this anyway when
you open an incognito tab:

"

You've gone incognito

Now you can browse privately, and other people who use this device won't see
your activity. However, downloads and bookmarks will be saved. Learn more...

Chrome won't save the following information:

Your browsing history

Cookies and site data

Information entered in forms

Your activity might still be visible to:

Websites you visit

Your employer or school

Your internet service provider

"

~~~
UncleMeat
I also wonder what makes Google unique here?

Is it the browser? Firefox has an equivalent mode.

Is it the web app? Virtually every single web app sets cookies even when you
are in incognito mode.

~~~
dahfizz
> I also wonder what makes Google unique here?

They have tons of money and they are politically popular to hate on. There is
no reason not to fine them.

~~~
BossingAround
They have also a ton of already existing information on you from platforms
such as Android and gmail, can track you on multiple levels including your
location, and serve you micro targeted ads.

Saying they are politically popular to hate on sounds as if the criticism is
not warranted.

~~~
dahfizz
> Saying they are politically popular to hate on sounds as if the criticism is
> not warranted.

The criticism is definitely warranted, but that is a very shallow take on
things.

Privacy issues with incognito mode have been known about for years[1]. But all
of a sudden, suing Google (and making a spectacle of it) is a big priority. I
think it is pretty likely that the government is trying to make some easy
money and publicity points after current events have left them hurting for
both.

Maybe the government is full of altruists, doing what is warranted when it is
warranted, but I think starting from that assumption is pretty naive.

[1] [https://nypost.com/2018/08/22/googles-incognito-mode-isnt-as-private-as-you-thought/](https://nypost.com/2018/08/22/googles-incognito-mode-isnt-as-private-as-you-thought/)

------
random3
[https://www.google.com/chrome/privacy](https://www.google.com/chrome/privacy)

Incognito mode and guest mode

You can limit the information Chrome stores on
your system by using incognito mode or guest mode. In these modes, Chrome
won't store certain information, such as:

* Basic browsing history information like URLs, cached page text, or IP addresses of pages linked from the websites you visit

* Snap shots of pages that you visit

* Records of your downloads, although the files you download will still be stored elsewhere on your computer or device

~~~
ping_pong
Does Chrome really take snap shots of the pages that I visit?

~~~
jedieaston
I think it does to put them on the new tab page, at least.

------
burnte
The filer is suing because they logged into things like GMail and third party
services while in incognito mode. If you wear a mask, but still have your
nametag on, that's not the mask maker's fault.

~~~
lostmyoldone
If it was only third parties, then maybe. But if google analytics actually
tracks data from a logged in incognito session, then it's probably
completely different in the eyes of the law.

It becomes more like: The mask maker put the name tag on your shirt. The tag
was also put on in the same booth where you bought the mask that promised
anonymity, and it was also the mask maker who supplied the record of your tag
number to a third party.

~~~
notatoad
>a logged in incognito session

You cannot sign into chrome while incognito, so I'm not sure what you mean by
a "logged in incognito session", that's not a thing. The only type of sign in
available while in incognito mode is to sign into a website, and the website
does not know that you're in incognito mode.

And if you've entered your username and password into the google login form,
_of course_ they're tracking you, how could they not be?

~~~
hrktb
Incognito still works with sessions, keeps cookies. Which means if you login
to a google service, your whole session with all its tabs is logged in, and
not just that single site.

Not arguing this shouldn’t work that way, but the wording of logged in
incognito session seems fair to me.

------
rogerdickey
Google faces $5B _shakedown_ for _allowing JS to work_ in incognito mode

~~~
akersten
For real. Many of the anti-Google comments here are injecting their own
fantasies for what this lawsuit could be about, celebrating it as some kind of
victory towards user privacy - which, to be fair, is a discussion that needs
to be had - but this lawsuit isn't that.

This lawsuit is literally "I think incognito mode should specifically stop
Google Analytics, a website feature, from tracking me" even though the first
thing you see when you open an incognito window is that "this doesn't stop
websites from tracking you."

What do they want Google to do, lean in further towards monopolistic abuse and
give Chrome Incognito special treatment when its users are on a site using
Google Analytics?

------
etaioinshrdlu
Also, now that many people's connections are IPv6, the server can identify
individual computers behind a router. Though your laptop's IPv6 may not be a
permanent address, it lasts long enough to track you.

If you're logged in to any web services on your computer, other web requests
can then be correlated to non-authenticated requests from the same IP.

I feel like IPv4 with NAT was an accidental privacy win.

I think the solution for this is for operating systems to allow applications
to request a fresh IP address, or something like that. Obviously that would be
a highly difficult and disruptive change at multiple levels...

~~~
CarelessExpert
NAT only anonymizes folks behind that one router, and in a typical household
that's down to just a couple of individuals. Combined with other hints
(including browser fingerprinting), NAT provides very little privacy
protection, especially given how long-lived the average IPv4 DHCP lease lasts.

> I think the solution for this is for operating systems to allow applications
> to request a fresh IP address, or something like that. Obviously that would
> be a highly difficult and disruptive change at multiple levels...

IPv6 already has this capability:

[https://www.internetsociety.org/blog/2014/12/ipv6-privacy-addresses-provide-protection-against-surveillance-and-tracking/](https://www.internetsociety.org/blog/2014/12/ipv6-privacy-addresses-provide-protection-against-surveillance-and-tracking/)

That randomization occurs on a higher frequency than a typical DHCP lease
expiration.

For a home that has a /48, this is no better or worse than NAT, since you can
still only track devices to the home.

If your individual devices have their own IPs within the ISP address space,
then the best an outsider could do is track devices to a given ISP subnet.

Of course, again, the real threat is browser fingerprinting and similar
technologies, which are entirely independent of the underlying network.

~~~
etaioinshrdlu
No, I don’t think privacy addresses as currently implemented address the
problem. All browsers on my machine still share the same ipv6, whereas I think
they should get unique ipv6 addresses if they want them.

Fingerprinting is more tractable to defeat by disabling all JS, for example.

Also, you seem to be saying that because NAT doesn’t provide much privacy, we
shouldn’t care if we get even less privacy. I disagree with that.

~~~
CarelessExpert
> All browsers on my machine still share the same ipv6, whereas I think they
> should get unique ipv6 addresses if they want them.

Yup, sorry, I overlooked that part of your comment.

That said, I'm still not convinced it buys you much... maybe a bit of an
improvement, but...

> Fingerprinting is more tractable to defeat by disabling all JS, for example.

Sorry, that's just completely unreasonable. JS is basically table stakes at
this point for virtually any website to reasonably function.

Worse, it feels like an arms race between browsers and the ad tech giants when
it comes to trying to defeat fingerprinting.

Now, imagine you could break the 1:1 connection between browser engine and
user. For example, imagine a bank of cloud hosted browser engines out in the
cloud. You have a thin "client" that uses this headless cloud browser using a
remote display technique of some kind (just batch up, serialize, transport,
and render DOM updates, while passing back user interaction events?). Between
sessions the state is wiped, and they're randomly shared among clients of the
system...

I'm sure there's a zillion legal and technical hurdles, but unless you break
the 1:1 relationship between browser and user, fingerprinting feels
inevitable.

> Also, you seem to be saying that because NAT doesn’t provide much privacy

No, I'm just saying IPv6 provides no less. And either way, while it's not
nothing it ain't that much.

------
estebarb
This lawsuit is absurd, and it should be rejected with a "please learn to use
a computer before owning one". So, what is next? lawsuits against car
companies because emergency lights didn't invoke emergency responders?

------
dehrmann
With how the web works, the degree of privacy the plaintiffs are asking for
isn't technically feasible without also advertising that you're in incognito
mode.

~~~
jackcosgrove
I'm willing to trade paywalls for privacy. And paywalls are easy to get
around, too, in this context. Just use a non-incognito tab to browse those
sites.

------
jedimastert
I've seen several people mention the Do Not Track header, but it comes with a
downside: it paints a giant target on your back.

If, say, 5% of user agents have DNT enabled, then it becomes extremely
effective as a fingerprinting vector on the people who specifically don't want
to be fingerprinted.

If, on the other hand, a majority of people use it, then most people will
simply ignore it or perish. This is mostly why people ignore it nowadays,
because IE turned it on by default. No one uses it anymore because there's no
reason to trust that it'll do anything and no reason to actually follow it.

~~~
thelean12
To be clear, you can already detect if people are in incognito with JS (you
can google it and find plenty of articles).

So DNT doesn't seem to add much if someone cares enough about this variable.

------
nova22033
_Boies Schiller & Flexner_

The law firm that helped Harvey Weinstein smear his victims is going after a
target with deep pockets... This is news?

------
jka
Bloomberg Law has a copy of the docket filing here:
[https://www.bloomberglaw.com/public/desktop/document/Brownet...](https://www.bloomberglaw.com/public/desktop/document/BrownetalvGoogleLLCetalDocketNo520cv03664NDCalJun022020CourtDocke?1591132864#)

------
treebornfrog
As far as I know FB also does this. They create 'shadow profiles' around users
who are not signed up to FB too.

[https://www.cnet.com/news/shadow-profiles-facebook-has-information-you-didnt-hand-over/](https://www.cnet.com/news/shadow-profiles-facebook-has-information-you-didnt-hand-over/)

------
cfitz
According to their history of Terms of Service changes, it appears that they
made changes to the language surrounding information collected while "private
browsing" between September 1, 2015 and June 21, 2016. Just do a Cmd+F or
Ctrl+F for "snap" (part of snapshot/snap shots; they do not spell it
consistently).

In that case, it's been in their terms since 2016.

I do not agree with this practice nor do I condone it, but who is ultimately
"in the wrong here"? Is it Google or is it the users, the latter of whom are
supposed to read these Terms prior to agreeing to them?

Are "Terms" too long these days? I can't imagine most people have the time to
read through all - if not any - of the Terms of Service (etc.) for all
products and services they're utilizing in their life.

~~~
grawprog
The idea that companies can dictate terms that can be arbitrarily changed at
whim where the only consent users need to give is the continued use of their
product is pretty ludicrous as far as I'm concerned. I realize people should
read terms and I do tend to, but often companies will make their policy
changes obscure, they intentionally downplay when they make changes to terms.

If I enter into a contract with someone, specific permission is required from
both parties on any changes. I personally don't understand how these terms of
services, which are effectively contracts, get out of following contract law.
If I agree to a terms of service, I am agreeing to a contract set out by that
business at that time. Refusing to allow service for not agreeing to later
changes put out by the service provider is illegal in any other form of
business contract. I can't write a contract for some consulting work, get a
customer to sign it, change the terms then refuse to hand over my completed
work until they agree. I'd be taken to court.

~~~
korethr
IIRC, Terms of Service usually have a clause with language that states that
the provider of the service may change the terms of the contract at any time
without prior notice. If the user doesn't like the new terms, they can quit
using the service.

Take-it-or-leave-it changes to contracts are a thing in negotiated contracts
between businesses as well. But rather than taking effect immediately, they'll
happen when the contract is up for renewal.

As an example, an employer of mine used to have a software product offered for
on-prem self-hosted use, or as a hosted service. Then, they decided to stop
offering the self-hosted option and to only offer the software as a hosted
service to reduce development and support costs of having to support the
myriad configurations that come of a number of customers running their own on-
prem setups. Customers had the option of converting to the hosted service
option, or taking their business elsewhere. And so, when their existing on-
prem contracts were up for renewal, those customers made the choice to find
another solution, or convert to the hosted service.

So, IMO, these ToSes are following contract law. It just sucks that the
contracts are so one-sided and the consumers of services offered really don't
have an easy means of negotiating the terms to something better for
themselves.

~~~
grawprog
> Terms of Service usually have a clause with language that states that the
> provider of the service may change the terms of the contract at any time
> without prior notice. If the user doesn't like the new terms, they can quit
> using the service

This is the issue I speak of. Part of contract law makes this illegal.

[https://gowlingwlg.com/en/insights-resources/articles/2018/how-can-i-vary-a-contract/](https://gowlingwlg.com/en/insights-resources/articles/2018/how-can-i-vary-a-contract/)

> The parties must usually mutually agree to alter or modify the contract. In
> some circumstances the underlying contract might give one party a unilateral
> right to make certain limited changes, but agreement is normally necessary.

> The parties must intend the alteration/modification permanently to affect
> their rights. If there is no such intention, then the change is likely to
> amount only to a temporary forbearance or concession, rather than a permanent
> variation of the contract.

> The parties must comply with any requirements as to the form of the
> variation. These could be specified by legislation, or set out in the original
> contract which is being varied.

> The agreement to vary a contract will need to be supported by consideration -
> something of value must be given in exchange for the alteration. If there is
> no such consideration, then the variation will need to be effected by deed.

------
mseidl
I use Chrome and I notice things. For example, I'll watch a YouTube video
in incognito mode, then shortly thereafter, like some minutes, those
things I searched for in incognito mode show up as recommendations in regular
browsing.

~~~
andor
Cookies are still stored and shared among other Incognito tabs. This makes
Incognito more usable: you can login to an online store, open a few product
pages in new tabs, add items to your cart from all these tabs and check out in
the end. If each tab had its own cookie store, they'd have separate carts as
well.

AFAIK, you need to close all Incognito tabs for the session to end.

------
parhamn
Can any lawyer comment on the fact that this is the same group from the Uber v
Waymo trials?

I’m curious how this sort of thing works. Grudges? An Achilles heel you found?
Is it common for a firm to hit again with something unrelated?

I’m fine with it either way, just curious.

------
ikeyany
The term "incognito" doesn't always mean "I can't be identified", but it looks
like those are the grounds.

I wouldn't be surprised if they get an inconsequential slap on the wrist.

~~~
ehsankia
I'm curious, every other browser has a similar mode. Is the same thing not an
issue in other browsers? Do analytics packages not track you in Firefox
Private browsing? Do other non-Google analytics not track you in Chrome?

What's specific to Google/Chrome here that's not true with every other
browser/analytics platform?

~~~
ikeyany
I imagine anyone who tries to brand it as "I can't be identified" might be
sued too. Who knows how successful they will be.

I doubt it would be worth the effort for browsers that don't have a huge
market share. For example, a suit against Opera would be ineffective in the
grand scheme...as most aren't aware of its existence.

~~~
ehsankia
Where does the "can't be identified" line come from? The branding is, word for
word:

> Now you can browse privately, and other people who use this device won't see
> your activity

and

> Your activity might still be visible to: Websites you visit

Where does that piece of branding you mention come from? I don't see it
anywhere? Did Google remove it recently? Or is it just what people, through
the telephone game, have come to think it means?

------
brokencode
Sure, they tell you websites could be doing it, but they don’t tell you that
one of the biggest websites in the world, from the same company that
created the browser, is doing it. The fact that they even point that out means
they know it’s an invasion of privacy (bad), but yet they do it anyway.

------
a3n
> "As we clearly state each time you open a new incognito tab, websites might
> be able to collect information about your browsing activity during your
> session."

And we're happy to facilitate that.

------
joeblow9999
Don't use Chrome. Anyone even marginally concerned about privacy should be
using Firefox or Brave or Tor Browser.

~~~
ehsankia
Is this not an issue with any private browsing mode? How is Chrome Incognito
different from Firefox Private? If you login into Gmail on Firefox Private,
you still get tracked, no?

~~~
shirshak55
From what I have heard they insert some headers or something like that. So
this should be a non-issue for Firefox private users.

~~~
kyazawa
The "X-Client-Data" Chrome header that I think you are referring to is not
sent in Incognito mode according to this article:
[https://9to5google.com/2020/02/06/google-chrome-x-client-data-tracking/](https://9to5google.com/2020/02/06/google-chrome-x-client-data-tracking/)

------
gcbw3
The legislators will be delighted to learn how google's

* reCaptcha
* 8.8.8.8 et al DNS
* google fonts hotlink
* google JS cdn hotlink
* etc etc

store data and how that data is "anonymized" by random teams' arbitrary
definitions, and used all over their ecosystem.

I guarantee you at the very minimum reCaptcha contributes to some "isBot" or
"hasGoogleAccount" attribute that is then used by Advertising systems. And
that is assuming the best of the best of the best case scenario.

