It would be great to know exactly what percentage of visitors had your same fingerprint. It uses clientjs, which I guess lets the "tracker" choose how strict to be.
While it uses a different library, this site can show just how unique you are amongst other visitors. Again, that fingerprint will not change even if you close your browser, wipe your history, restart your computer, etc.
> A surprising 56.3% of participants believed that even while a user was logged into a Google account, their search queries would not be saved while in private mode. The large majority of participants (144) believed this to be the case because private mode does not save search histories, conflating the browser’s local history with Google’s.
It should be obvious that after explicitly signing in to Google Search after launching the Private window, Google will now record your history.
I started a new Private window in a logged-in Chrome and searched without logging in to Google again; nothing new showed up on https://myactivity.google.com/myactivity
They can definitely tell it’s the same user who just opened a new private tab, but they’re not saving that, right?
If you are logged into your Google account in the "private" session, your private session will carry session-level data (i.e. Google's cookies) that will persist until the last private window is closed and that data can and will be associated with your account.
So if you are logged in to Google, even in a private window, they will be tracking you through any and all of their properties. If you don't want to be tracked as you in private windows, don't log in as you in private windows.
This part isn't Google (or anyone else in their position)'s doing, it is by browser design. Browsers do what they can to make it difficult to detect the difference between normal and "private" windows, so all Google can reliably detect is that at the start of the private session you have no Google cookies, which is the same behaviour as if you had moved to using a fresh new browser (in private mode or not). It is currently possible to work out that you are in private mode in many browsers using various tricks (some browsers/versions disable cookies in private mode in a manner detectable via navigator.cookieEnabled, some disable all local storage options in a way that can be detected by exceptions firing when you try to use them, some disable service workers, ...) but none of these tricks are 100% reliable (even, I suspect, if you try to use them all) and may all become 100% unreliable at a later date. If they can't reliably detect you are in a private window, then they can't reliably turn off tracking of your logged-in activity in private windows.
> They can definitely tell it’s the same user who just opened a new private tab
This is a slightly different matter. Here the link may contain information that can be used to pollute the private island. So they know opening that advert link in a private window was done by you because the URL contains a code that was only given out to you (in a non-private window). But again, if they can't reliably detect the privacy settings they can't be expected to do anything about them.
> Google associates your browsing history with your Google account when you're not logged in and using private browsing.
This could partly be the case, though not in a practically avoidable manner. This is the problem because people will assume that Google and their ilk can't continue to track you, not that it is difficult to know they should stop tracking you, when you do something like right-click-open-in-private-tab. The trick is to never log into your account in a private window and never follow links from non-private windows in private ones (without verifying they don't carry personal/session data first), but try explaining that to the average user who barely knows what a cookie is.
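As an added illustration of the "verify links first" advice in the comment above (not part of the original thread or any commenter's code), this sketch strips well-known click-identifier parameters from a link and flags remaining values that look like per-user tokens. The entropy threshold, the `sess` parameter name and the sample URL are assumptions constructed for the example.

```javascript
// Added example: inspect a link before opening it in a private window.
// gclid/fbclid/msclkid/dclid and utm_* are well-known tracking parameters;
// the token heuristic and its thresholds are assumptions for illustration.
const KNOWN_CLICK_IDS = new Set(["gclid", "fbclid", "msclkid", "dclid"]);

// Shannon entropy in bits per character of a string.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic: long, high-entropy values look like per-user or session tokens.
function looksLikeToken(value) {
  return value.length >= 16 && entropyPerChar(value) >= 3.5;
}

// Returns the cleaned URL, the parameters removed, and the ones to review.
function sanitizeLink(rawUrl) {
  const url = new URL(rawUrl);
  const removed = [];
  const suspicious = [];
  for (const [name, value] of [...url.searchParams.entries()]) {
    const lower = name.toLowerCase();
    if (KNOWN_CLICK_IDS.has(lower) || lower.startsWith("utm_")) {
      url.searchParams.delete(name);
      removed.push(name);
    } else if (looksLikeToken(value)) {
      suspicious.push(name); // kept in the URL, but needs a human decision
    }
  }
  return { clean: url.toString(), removed, suspicious };
}

// Constructed sample link (not taken from any real site).
const sample =
  "https://shop.example/item?id=42&gclid=EAIaIQobChMI0abc123&utm_source=news&sess=9f8a7c6b5e4d3c2b1a0f9e8d";
console.log(sanitizeLink(sample));
```

A non-empty `suspicious` list means the link still carries something that could tie the private session back to the window it was copied from, so it should not be opened as-is.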
Nope. See, people are idiots and in this case that helps us. They absolutely will paste that URL (with the code in it) into an email to grandma, or their Slack channel, or Hacker News.
Now, Google _could_ try to figure out what happened here, and guess if it's still you to fill out the profile - but that would always be somewhat inaccurate, and it's also evil, so between those two factors it's not a huge surprise that they don't do this.
One thing Mozilla has done more recently in Firefox is make available a "Facebook container" extension, which isolates Facebook inside its own session. So whenever you follow a Facebook bookmark, or tab-complete it in the URL bar, or whatever, you get a tab that's inside this special session where it's logged into Facebook, but your other tabs aren't. So Facebook can't correlate your non-Facebook activity to Facebook activity. None of this works if you use the "Login with Facebook" feature on other websites, but too bad, might as well have labelled that "I hate privacy" when it was invented anyway.
In all those other cases there is likely to be a significantly larger delay between the link being generated and it being followed. So while it isn't 100% reliable they could correctly guess if it is you, or someone else you have passed the link to, significantly more often than not. Especially because, of the potentially many signals they get from a given link, the person it was initially generated for is likely to be the first to follow it.
Nah, they're probably saving it.
It does not; and since private mode disables the existing cache and cookies, there would be little point anyway (and even with DNT off, cookies stored by tracking services will disappear as the private mode is ended). Though if you usually have DNT on, the header will still get sent in private mode.
More generally, I suspect having DNT on is a good way to radically increase the uniqueness of your browser's fingerprint, as it is likely a minority of users have it on; personally I ignore it entirely and just use ublock + privacy badger and similar solutions (that includes noscript - efficient fingerprinting is much much harder without JS).
It might be necessary to establish legislation that forces web server operators to respect this intention and deactivate any server side logging or tracking. But that is not going to happen because the government likes having access to this kind of information.
I've always felt browser security and privacy UI should be more obvious and verbose, with the ability to view increased verbosity as needed. Ideally an average user should be able to view messages pertaining to privacy and security-related events on the page in plain English with increasing verbosity, and this format would be a cross-browser standard.