"In this case, Google is accused of relying on pieces of its code within websites that use its analytics and advertising services to scrape users’ supposedly private browsing history and send copies of it to Google’s servers. Google makes it seem like private browsing mode gives users more control of their data, Amanda Bonn, a lawyer representing users, told Koh. In reality, “Google is saying there’s basically very little you can do to prevent us from collecting your data, and that’s what you should assume we’re doing,” Bonn said."
It doesn't seem like the complaint is that Chrome collects data on you in "Incognito" mode, rather that websites (e.g. Google Analytics) still collect on you in "Incognito" mode.
>Your activity might still be visible to websites you visit.
The error here is in treating all of Google and all of data as monoliths. The first paragraph of the article makes this... let's be generous and call it an honest mistake:
> The Alphabet Inc. unit says activating the stealth mode in Chrome, or “private browsing” in other browsers, means the company won’t “remember your activity.”
Yeah, I doubt anyone from Google says that, which is why they had to use phrases instead of sentences in quotes. Chrome won't remember your activity. That doesn't mean Google won't if they know who you are for some other reason.
If I turn on Incognito mode and then go to Amazon, Amazon can obviously see what I'm doing. If I log into Amazon, then Amazon knows it's me and can track that. I think that's reasonable, but people didn't understand that that's the case and that's why Google has that disclaimer there.
That's different from browser fingerprinting though. Fingerprinting techniques exist which can tell that you're you even if you're in incognito mode. For example, if you're visiting Pornhub every day in incognito mode, the company can still build a pretty reliable profile of you. If you then visit them not in incognito mode once, they may be able to take that incognito profile and associate it with you a lot more closely.
Likewise, if you visit Amazon from your browser all the time and then visit them in incognito mode, these fingerprinting techniques allow Amazon to know it's you already; they can "play dumb" by keeping you logged out, not showing you recommendations, etc., but they can still figure out it's you and use that to continue to build a profile on you.
The caveat here is that this is much more useful for some people than others. If I visit HN, then HN can fingerprint me in Incognito or not, but that's not extremely useful. If I visit literally anywhere else, Google/Doubleclick/etc. can fingerprint my browser, and since extensions like ad/tracker/etc. blockers don't work by default in incognito mode, they could potentially get an even better profile of you from Incognito mode than not.
Pretty gross, honestly.
Citation needed :)
2: I test most mainstream browsers as I already had them installed on Windows and Android devices for testing.
They have admitted to using those sorts of information for fraud detection to detect fake ad clicks, bulk account creation, or other malicious activity. I also suspect they do some clustering on this data to determine what accounts are related so if there is malicious behavior from a cluster of accounts that appear to be the same user they can act on the whole cluster.
But there is no evidence that they use fingerprinting for targeting advertising.
They definitely cluster fingerprints to block whole groups as does any decent antibot.
(esoteric science/technical topics which wouldn't come up by chance)
The issue is that they can
But the danger is that he/she can. Thats why guns are regulated. Information is not a harmless dingus. Its a weapon, just as the gun was in the last century. Do we need a war to discover this?
The web is still a gunslinging wild west. We need regulation. EU is light years ahead in this regard and might just save us all from the tyranny of the Greay whom we trust to act in good faith - because they say they will. This strikes me as quite naive on our part.
What technical thing can achieve the goal you want? No metaphors.
This is a silly analogy, what is Google doing or planning to do with this information that is dangerous, and how does that stack up against the potential benefits of Google and other tech companies collecting this type of data?
That is not the right question because if a rogue US administration, that is, an administration willing to defy US courts and the US Constitution wanted Google's data, there is probably nothing Google could do to stop them from getting it.
(Such an administration could probably only get away with that during a time of national emergency, e.g., a war or a massive solar flare knocking out most of that nation's electricity for a month, but there are undemocratic elements in every country who are basically waiting for such national emergencies.)
At least I've never heard of a plan, from Google or anyone else, that would allow Google to successfully thwart, e.g., a surprise raid by thousands of US law-enforcement officers.
In other words, Google's data-collection practices are a menace (to US residents at least) even if we could be guaranteed that Google would never willingly use it in any bad way.
if you mean, cant stop you considering it, then thats fair, but then the point has no value?
Claiming laws only punish actions taken so they can't be "preventitive" by preventing others from taking those actions is either naive or just plain intellectually dishonest.
I'd really rather not see companies like Google (it any other, for that matter) making laws. Lobbying is bad enough.
If they haven't, then you have nothing to complain about. If they change their privacy policies to allow it, then complain.
Google Analytics is the service that connects it all and google has convinced companies to give them this data access for free. (well, in exchange for visibility to parts of that data displayed on fancy trinkets)
Like fingerprinting, facial recognition is not perfect (e.g. you can have a lookalike, twin, etc.) but is still damn frightening.
Perhaps this viewpoint can convince some more people of Google's (potential) evilness.
Now, there is also fingerprinting techniques but at the time incognito mode was released these were not widely known and incognito meant: make me look like an anonymous user on the internet NOT make me invisible.
incognito mode is to hide from your browser history and tracking, it has nothing to do with the servers you visit.
There used to be a way to see your pornhub search history even if you were always incognito, right on the site. It worked really well but I never figured out how it worked.
They can twist the words to be technically accurate, but not everyone is going to understand this.
If you're in incognito mode, and you buy something on Amazon, post something on Facebook, purchase a NYTimes subscription, do you expect none of those entities to have information about what you did?
So that leaves us with "do not trust privacy protection of an ad company".
Replace the left side of the expression with "Google" and you'd have what most users might expect from Incognito. That is, that Google not know about the Amazon purchase, Facebook post, or Times subscription. That Google does know, essentially, even from Incognito, is the problem.
Of course, if Amazon or Facebook or the Times tell Google or at least hire someone to figure out who you are and tell Google then it's surely not Google who is tracking you.
And likewise, if Google Tag Manager and Google DoubleClick Ads make it easy to add and integrate with the one or two missing pieces from third parties to make this work, then it's not Google's fault either.
So then if you replace "Amazon" with "company that subcontracts to Google for analytics", you'd still expect Google to have the data.
Things have changed and perhaps Google should have changed as well, but to paint this as some sort of nefarious plot is a bit disingenuous.
Maybe the really advanced ones have PR statements that say "Oh, this feature sounds bad but it only really does this thing which is mostly okay" and then another one for "okay yeah you caught us it doesn't just do that okay thing but all the other not okay stuff you worried it did ahead of time".
I'm sure there are entire machine learning teams working out the best way to word these non-apologies and the best schedule for releasing them to best soften the impact of getting caught with their hands in the (literal or figurative) cookie jar.
But it’s our role as a society to not be gullible, and eventually organize against such behaviors, which this judge is doing.
I don't see why a website should be able to get information about my WebGL capabilities without me being asked first if I want to let them display content, or why they can get a list of audio and video input devices without asking to use them first.
Even on Firefox, which I think is generally doing a much better job about this stuff, there's so amazingly much data that shouldn't be shared without asking first.
I don't think they can do this without audio/video permissions (?)
Private mode never was meant to be a privacy feature against websites. Private mode is to prevent your LOCAL history from containing anything you searched/visited and the legit use case is sharing of the computer with other members of family, for instance. For websites, nothing really changes. They can still track you all the way they want.
Chrome is not, and it seems pretty clear that it's not because that would hurt Google's bottom line. There's no conflict here between "Google shouldn't track you" and "Google should be split up".
> Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.
You got scammed by Mozilla if you think that.
Please have a deep look at the various documentation on how the Internet works and realize that sending that header does absolutely nothing for users. It is, as it has always been, up to the receiving server to decide whether to even consider that data point or not.
This means that Firefox is not "trying" to do anything there, and it's actually doing an incredibly hypocritical thing as a browser vendor, making non-technical users believe that Firefox sending that header is somehow proof that Mozilla cares.
Wow. I understand how the internet works, but thanks for the personal attack.
> ... and realize that sending that header does absolutely nothing for users. It is, as it has always been, up to the receiving server to decide whether to even consider that data point or not.
Of course, and Google controls the receiving server in this case. If they honored the Do-Not-Track header, and if Chrome sent it, users would be better off. Of course browsers can't control what all servers will do. But by sending it, servers that do honor it will.
> This means that Firefox is not "trying" to do anything there, and it's actually doing an incredibly hypocritical thing as a browser vendor, making non-technical users believe that Firefox sending that header is somehow proof that Mozilla cares.
You seem to be saying that because not all services honor the header, it should never be sent. I would say that sending it is better than not sending it, because some services do honor it. And the fact that Google doesn't honor it is telling itself.
Firefox obviously does try, and DNT is not the only proof. They have put in a ton of work to make fingerprinting harder.
1) Chrome should enable the Do Not Track header when in private browsing, as any reasonable person would expect they would.
2) Google websites and analytics should respect Do Not Track.
I'm repeating what others have said but I think it's important to separate these out as different issues, because it completely nullifies everything you just said -- both are strong arguments on their own, and Chrome being a Google product is completely irrelevant to both.
I also disagree that "any reasonable person" would expect the header to be used in private browsing. Safari invented private browsing in 2005, and Chrome Incognito mode launched in 2008. Do Not Track didn't even exist as a concept back then.
Incognito mode was never intended to be anti-tracking. It's only ever been intended to hide your browsing history locally, e.g. from family members.
Tracking protection has an entirely different purpose. And if you want protection from tracking, you'd presumably want it in all windows, not just incognito windows, right?
These are the important issues to be kept separate. Anti-tracking is something that should be consistent across all browser windows. It has nothing to do with Incognito. Incognito is about not saving browser history locally. Totally separate.
They're totally separate now, but it's not clear that they should be, and it seems pretty clear that they're not separate in the minds of users.
I'm having a hard time imagining a scenario where a user would want to hide their local history, but are totally cool with people who don't have physical access getting access to their activities.
Let's be honest, incognito mode is generally used for watching porn without worrying that it will pop up in the autocomplete box or history later.
But you log into the porn site, in incognito mode, in order to access your saved videos, subscriptions, etc. The porn site knows exactly who you are, tied to your credit card number, etc. Your ISP knows you visit the porn site. Your credit card knows you pay for it.
That's the main use case. The privacy is ONLY regarding local history. That's the only expectation there's ever been.
Given that the judge in this case had different expectations, that's clearly false. That may have been the intention of the feature, but I can easily see why it may not be the expectation of users.
The judge in this case is simply seriously misinterpreting the feature. There are always going to be some percentage of users who misunderstand a feature no matter how explicit and clearly it's been described. Even if they're a judge.
Google isn't misleading anyone here. Every time you open an Incognito page it says EXACTLY what it does and doesn't. If some users and even some judges can't read, that's their problem.
"Your honour, I can prove I didn't rob John, I had my brother do it for me!"
is google going to wait until there's regular street fighting in cities across the nation before they change their surveillance behavior?
My account has been around for a long time and I agree with them. It's a well-reasoned explanation. It is correct on the purpose of incognito mode (to protect privacy locally only, e.g. from family) as well as the obvious point that if you're using Google.com while in incognito mode (very common), it's tracking you as it would anywhere. Websites aren't even supposed to know you're in incognito mode.
Incognito means and has always meant "fresh browser tab with no history". It has never meant no tracking.
I somewhat agree with the point they made and this is not a throwaway if that helps.
I think any judgement saying that Incognito/Private Browsing/etc are lying unless they somehow prevent websites from knowing that you accessed the website would be downright technologically impossible, short of perhaps Tor browser, and even Tor Browser doesn't make this kind of guarantee.
They've changed the wording a few times, but as far back as I can find screenshots, it's always said that websites can still track you.
I think there will have to be some kind of large-scale privacy crisis with real and visible consequences for the public to ever become alert to what surveillance capitalism REALLY means for them.
Some folks are aware that these practices are bringing us down as free people (rather than as individuals), but these voices just sound like nitpicking to most people. I am just concerned about what kind of tragic consequences we'll have to see before people get wise to this.
I don't think that's an error. There is a material difference between me promising you "I won't eat your berries" and my neighbor eating your berries, and my making that promise and then eating them.
If Google is promising not to track you, Google shouldn't be tracking you. “We are bad at coördinating” isn’t a valid excuse. Coördination is the cost of the conglomerate.
Something that is under Google's control.
Maybe the problem could be solved by using a description other than "incognito" and an icon of a spy, generally considered a person who would be hidden or stealthy.
Maybe "Reduced Tracking Mode," or something more honest.
It's just a temporary separate browsing session with history turned off.
The only thing that makes it less tracking is that it might not be associated with the profiles you're logged into in your normal browsing profile.
There's even a warning about that
This has always kinda bugged me. I don't know what the hell I was doing yesterday at 13:42, but chances are Google does. Likewise, my phone company (and by extension, the government) knows where I was at any given moment in the last 15 years.
This disclosure is a bit weak, really. I could visit no Google websites and still be tracked by them, and god knows who else, and that's where it gets really fuzzy around what things mean, I think.
Private browsing doesn't save your search history, clears your cookies/sessions, doesn't save auto-complete suggestions. This is more about keeping things private from other people who might use your computer.
But as far as websites' ability to track you this isn't really all that effective. Yes, logging out of all your other accounts goes a long way but there's still plenty of ways to track people. Incognito mode does little against sites that try to fingerprint browsers.
As far as I understand it, Incognito appears just like any other chrome browser. It seems like you want Aplhabet websites to specifically exempt Incognito browsers from data collection. That would require building mechanisms to identify incognito browsers. That makes it easier for websites to block content if they detect private browsing, which is a valid concern.
And it's really hard to call it fraud when Incognito mode explicitly tell it's users what it does:
Chrome won't save the following information:
- Your browsing history
- Cookies and site data
- Information entered in forms
Your activity might still be visible to:
- Websites you visit
- Your employer or school
- Your internet service provider
Even before I knew how to program I understood that Incognito didn't save browsing history but websites could still see your IP address, and your ISP could see what domains you hit. I'm really not seeing anything remotely close to fraud here. This headline makes it sound like they're breaching people's privacy, when in reality it's just the fact that Incognito mode is a setting on your browser to clear cookies and not save browsing history - not some magically spell that prevents websites from tracking you.
Privacy is hard
AFAIK that's already trivially detectable on most (all?) browsers.
I think the complaint is that in this case, Google wrote the code that is commonly used to do both. I think the lawyer is arguing that since Google gives the option in one product, they should honor it in the other. Honestly, I'm not sure how I feel about that argument, but it reminds me of the character Ned from 17 Again: "I wrote the software the prevents people from stealing music. Of course, I also wrote the software that helps people steal music..." Selling weapons to both sides and all that.
I do generally think it's quite fair to view Alphabet as an unreasonably large company that needs to be subjected to anti-trust laws - there are many companies with far too broad a breadth of market control in the modern world. So maybe that's the better tactic, actually dust off our anti-trust laws and break up some of these tech giants.
But it can't, because websites, in theory, aren't and shouldn't be able to detect if someone is in incognito mode. There's sometimes hacky ways, but so far Chrome has patched those as they've come up.
I wrote software that will track you on the net, not matter where or when. I also wrote the software the gives you the impression that you can do something about tracking.
Google has been blurring that line between browser and content ever since single sign on in Chrome 69. I think it's a fair exercise to explore the relationship between Chrome and Google services just because they put themselves in this position for a reason. We deserve to know what that reason is. I don't trust Google at their word.
With Firefox there's no question because Mozilla lacks the ability to leverage anything they might incidentally collect in private browsing. Google does have that ability and we should know if they are abusing it.
If you asked Google employees and Google fans if they thought Google was reading their Gmail for advertising they'd probably roll their eyes at you. And alas they turned out to be mistaken.
Maybe you weren't around at the time or don't remember, but that was part of the launch announcement and never hidden and was mildly controversial at the time, for instance: https://www.nbcnews.com/id/wbna4732385
Isn't that a distinction without a difference though? It's not Chrome, it's Google Analytics. It's all Google in the end, isn't it?
A good lawyer could quite successfully argue that all three being "Google" is not sufficient for the public to reasonably expect that "private browsing" means Google will still be monitoring you. And while Google would argue that its EULA no doubt contains a clause along those lines, the deception is still there, and can still be litigated (even if the verdict ends up being "this is deceptive and you must change this aspect of your product" without this particular thing, among many many others, requiring punitive measures)
Edit: the parent has since been edited. It had said only "Not in court, no. In court that is a huge difference."
The intent of the user is clear.
To a web server incognito mode isn't a thing. It's a client only thing. You don't know if a user is using incognito mode, or if they just cleared their cookies / cache. There's no way to know the user's intent.
But I still see a problem with Google's control of both sides of the connection, and with fingerprinting in general.
Expecting laypeople to understand that distinction is probably a bit optimistic.
What is interesting is that they do explain this more clearly in some of their help articles -- but the leave out some of those details in description embedded in chrome. It takes 4 clicks to get to this from the "learn more" link -- it's pretty buried.
> Your activity, like your location, might still be visible to: * Websites you visit, including the ads and resources used on those sites * Search engines
Yet, the first click from "learn more" has even more confusing language:
> Chrome doesn’t tell websites, including Google, when you're browsing privately in Incognito mode.
It seems that you really have to dig to get to the parts that tell you clearly that Google is one of the "websites that track you" that they're talking about.
No they aren't. It's spelled out entirely when you just open incognito mode. It specifically says "Chrome won't save the following information" and also specifically says "Your activity might still be visible to websites you visit"
You don't have to dig into any help articles or have deep technical knowledge of how Google Analytics works. Open up incognito and it's all right there right in front of you.
0: For example: ask anyone who works at a helpdesk what it means when someone says "my Google doesn't work"
1: For example: Regulatory action against AT&T for "unlimited data" claims
Let's remove computers from laypersons because they can't understand simple English. /s
Seems to me that the end result of such a lawsuit, if it moves forward, is that Chrome will drop the feature. It's not like it has any legal requirement to provide a feature like Incognito and if the courts decide that it can be easily misunderstood (and if it costs Google actual money because of that decision) then why spend engineering time providing such a feature.
Its basically like insider trading. You are playing both sides.
But suppose I were to take your argument - are the entities actually separate? Is Chrome development not funded by revenue from google ads? They would not pass any kind of test for 'independance'
The reasonable expectation to have is that nobody is monitoring you in the first place. This is doubly true when using private browsing features. Anyone violating this assumption is obviously guilty: the first group did not explicitly consent and the second group explicitly did not consent.
"Chrome will not save the following information"
"Your activity might still be visible to websites you visit"
Takata is a company. They produced defective airbags...
Google Analytics is installed by the owner of the website; it makes a promise to them: it collects everything it can.
If Google Analytics actually ignored data from Chrome in Incognito mode, it raises some questions:
* How does it detect that, exactly?
* Is there an unfair competition aspect to it? What about other browsers, not from Google?
The most honest implementation would be to set the DNT header in incognito mode (as Firefox apparently does) and to have Analytics honor it. Does not require anything shady/anticompetitive
If incognito mode is undetectable, there’s no way for Google Analytics to distinguish between “cross-device” traffic from an incognito window vs. from a phone and a laptop. Whether or not cross-decide tracking is good or bad, it’s irrelevant to this question.
I'm pretty sure incognito is detectable right now. I'm always going to assume it is.
Huh, maybe the level of integration here is just inherently problematic and companies shouldn't try to fulfill every role in the market.
Detect that chrome didn't send the x-client-data id it sends to every google owned domain. Oh, wait, it probably still does that in incognito mode.
Sure, but chrome does not do this in incognito mode, same as any other private mode browser, there's nothing specific about chrome that allows GA to collect your analytics in incognito mode, GA can do so in any browser.
So the same people saying Google is a monopoly would say they must then further abuse their monopoly position to stop Google Analytics from tracking specifically Google Chrome users in incognito mode?
The only correct outcome of this case is for those involved to realize that a browsers' "private browsing" mode is referring to a completely different type of privacy. It has nothing to do with whether Google Analytics is present in a website. Unless they want to rule that websites can't track users at-all (and what does that even mean?) when they're browsing in private mode (and how would they know?), but that would be omnibus legislating from the bench.
I don't have a legislative outcome in mind, but I would like to point out that "Do Not Track" program was an attempt to do exactly what your second paragraph suggests, it just had no teeth and was entirely voluntary. I really don't think it's too big of an ask to not track someone flagging they don't want to be tracked, and if it takes regulation to do that then so be it. Ad-tech needs a wake up call to start behaving more ethically.
The reason it would be abusing their monopoly is that Firefox and Edge private mode browsers would not get the same treatment. Google Analytics would still be active for them in private mode.
The only ways out for parties here are:
* Accept the way technology works, that browsers are separate from code that runs on websites, and acknowledge that users can be tracked regardless of what their browser chooses to do
* Mandate that Google devise a way to stop tracking for all browsers in private mode (not a technically possible solution; judicial overreach), or just for Google Chrome (possible; but amplifies their monopoly because it would be a privacy incentive for users to switch to Chrome, a Google product; is also judicial overreach)
* Mandate that browsers have a standard way to indicate to websites that they do not want to "be tracked" and websites must respect that (and I don't have to tell you that this one is judicial overreach :) )
So, that's why I say the only way forward that makes sense for this case is for the plaintiffs to drop it. There's no acceptable judicial recourse for them here. They can lobby the legislature if they want to make it mandatory that ad networks respect the abandoned Do-Not-Track header.
Furthermore, wouldn't a reasonable person expect when a company offers a product with a privacy feature, that at the very least it would provide privacy from trackers that the very same company controls?
It was always doomed to fail. You're asking the wolves not to eat you by setting an HTTP header. If these companies were the kind to care about the honor system, they wouldn't be tracking you in the first place.
Is it though?
I'd say Do-Not-Call is a failure. Much like CAN-SPAM. Both are 2003. Check the calendar. I'm still wading through more spam than ever in my inbox and getting an ever increasing number of scammers calling my cell phone.
The problem is always going to be that you need a watchdog with teeth. As we've seen in recent years, all of these government three letter agencies can be gutted simply by swapping in some corporate patsy at the top. Maybe you can beg the government mommy for your freedom and law enforcement back in 4-8 years. Antitrust laws exist. How many decades have we gone now since actual, serious enforcement?
Shouldn't Do-Not-Track be the default anyway? Why must we opt out of tracking, spam calls, and spam emails?
And, of course, the elephant in the room is: who wants spam calls, spam emails, and tracking in the first place? No one! No one would opt in to any of that crap. Which is why the laws are carefully designed for apathy and toothless enforcement.
If you want to talk legislation then talk legislation. If you want to talk tech solutions then talk tech solutions. But an HTTP header is neither of those things.
Imagine we all just drop encryption. Instead we just pass a flag in the TCP header that says "please don't look at my data passing through this network." Yeah that sounds insane, right?
It's as silly as if I ran an "anonymous" clinic where you didn't have to give your name, but my employees were instructed to figure out who you were by running in-house facial recognition software and to place the results in your file. That's materially different than warning people that "although our clinic is anonymous, you may be recognized in the waiting room by other patients" which is the way people understand Chrome's warning.
To a layperson, there is a marked difference between activity and identity - there is nothing on the tab that states that the identity of the user is still discoverable.
Did Incognito give anyone any indication that it was somehow making you untrackable? It just meant that the browser itself wasn't storing what you were doing.
> Now you can browse privately, and other people who use this device won't see your activity. However, downloads and bookmarks will be saved.
> Chrome won't save the following information: Your browsing history, Cookies and site data, Information entered in forms
> Your activity might still be visible to: Websites you visit, Your employer or school, Your internet service provider.
I'm normally a pretty pro-digital privacy person, because I believe the odds are stacked against average consumers to an unimaginable degree. That said, I don't believe incognito mode is misleading about what it achieves. I think it's pretty upfront about what it does and what it doesn't do.
The example is not theoretical:
But what if the browser is Incognito Chrome, and the analytics is another company, say Adobe? Does the browser industry need a universal way to signal browsing is in "incognito" and then all analytics and tracking software MUST adhere to that, or what?
Also, does it mean that Amazon shouldn't log general traffic, that they later decide the analyze? Even Anonymized, that data holds value to the target site, even if it were never traded/sold/etc.
Lot of room for improvement beyond DNT, GPC, etc.
The fact that the link to Google's servers is on "other websites" doesn't really change the basic reality of what is happening.
And then people go "but it was the landing, not the fall that killed you! The contract didn't say anything about that! "
I guess I should modify my comment above. You can't sue them for the plane being broken, which is what this suit is.
So one can browse the finest pornography without one's cohabitants finding out.
Not to mention the double standard google have. Long ago they fixed chrome to detect auto-installed extensions when you installed other software and yet google is doing the same bloody thing themselves. Try it yourself on a fresh new profile and check the extension page and the extension folder. Extensions are auto installed without permission. Manually removing them doesn't work either. They will be reinstalled.
Edit: Speaking the truth will get you down voted. It's hilarious people down vote instead of coming with a counter argument. Perhaps they are so annoyed because they can't make a legitimate excuse for that nasty malicious behavior.
Is it unreasonable to want, or even expect, an incognito window to disable all forms of tracking?
Wouldn't the world be far better if a phone alerted me to an app scanning my local area network or contacts? Or if I got warnings when it took such actions?
I think us tech folks need to, collectively, stop defending companies reasoning and explanations for the world they created, and start standing with and for a world which matches common folks expectations. It really seems like a better world.
EDIT: Ask what the layperson would think tracking is! Imagining the answer is pretty simple "a website [or the web at large] learning or remembering anything about me." If we start from there, rather than the mumbo-jumbo thrown at us, we can make progress.
"Tracking" is a nebulous term. If a company records your visit in their logs, is that tracking? If they increment a counter every time someone visits a page, is that tracking? If a user logs in under Incognito Mode and the site records their new last login IP and timestamp, is that tracking? These questions would have sounded facetious years ago, but now nearly every form of user tracking has come under scrutiny.
The common confusion is that Incognito mode isn't equivalent to using Tor or a VPN. For 99% of cases, that doesn't really matter. Explaining the distinction to the average user is a challenge, though.
> Wouldn't the world be far better if a phone alerted me to an app scanning my local area network or contacts? Or if I got warnings when it took such actions?
Modern phone OSes will ask for permission if an app wants to access your local network, your contacts, or your photos. That's not the concern here, though.
Essentially you can boil "tracking" to two main sources: when there's data collected without a legitimate purpose for doing so, and when data is collected to the point that could identify a user, but no explicit consent is given.
Take for example a Facebook comment section on a third party site. It'd be fine to click the comments and have a quick prompt for Facebook to interact – the comment is public, so it's known to all. But if the user never comments, Facebook has no right to be aware the user was ever there; that's tracking.
You could make the extended argument that overcorrelation of data for advertising is tracking in a sense, as this would cover intra-site tracking (e.g. a shopping site knowing you're pregnant before you know yourself.) This is a little more nebulous to define, as it's hard to define who it benefits If your phone launcher suggests an app, or Uber suggests a location, that's because it wants to save time. But if a shopping site suggests a product, that's advertising, and should be given explicit consent.
Some laypeople would disagree.
That's what it means to be "nebulous". A term like "tracking" needs to be defined in technical/legal language. You can't simply ask a random sample of the entire world's population and expect to get a consistent answer about what should be allowed and what should not.
Who gets to decide what's legitimate? Most people would agree that detecting and fixing crashes is a legitimate usecase, but most of HN is probably staunchly against Windows telemetry.
if you track my incognito sessions but what gather makes you unable to (statistically) associate me with my non-incognito sessions that is not tracking.
incrementing a counter for the number of visits is not tracking, recording my mouse move patterns to a precision where you are able to identify me "biometrically" is tracking.
it is not about what technology you are using it is about your data gathering is being used/can be used to populate a personally identifying profile about me
(I admit that tracking is nebulous in one sense: suppose that I have recorded internet usage patterns of 20% of the population with complete and accurate data collection, using sophisticate AI models I am now able to identify your age/gender just by how you scroll a page, even without remembering anything about your session, I can calculate this on the fly. this is essentially what Cambridge Analytica did and it is nebulous "who" they were tracking, the original users or you?)
> Ask what the layperson would think tracking is!
No. No no no no no. There is a serious problem with this line of thinking. Lay people cannot dictate how technology must work. Because they don't understand what is possible.
This post is like the famous quote from that Australian politician
> The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia
It's simply not appropriate to assume that just because a lay person wants something to be true, that it must somehow be possible to actually do.
That's an extraordinarily elitist view that, frankly, raises my hackles. It's worth remembering that the entire framing of entire political systems was and is done by non-technical "lay" people.
> It's simply not appropriate to assume that just because a lay person wants something to be true, that it must somehow be possible to actually do.
That's got everything backward. Regulation is about limiting technology's intrusion into our lives, technology that did not exist just short years and decades ago. Since we lived without this technology (by definition) since the dawn of man, clearly it is technically feasible.
The attitude above is basically arguing for a technocracy where the "lay" people just have to suck it up and accept whatever their overlords thrust on them. Hint: it's gonna be heavily weighted to those overlords making money and taking choice away.
There's more than one problem here, but one main one seems to be that users don't understand that incognito is more about your own computer (cookies, history) than the web's ability to do its thing.
Solutions could be anything, from do not track toggles and added incognito funtionality, to a simple visual indicating the point of incognito, to some trivial copy/branding changes.
We hire scientists, doctors and lawyers to do those things. No one thinks it's "elitist" to say that lay people's opinions on how to do those jobs is worse than irrelevant.
We need to accept that "computer technology" is one of those things that is simply too difficult for most people to simply intuitively know about without actually putting in the effort to understand it.
What the "lay people" want, if we are going to use this term, is the same privacy that the internet had 2 decades ago. It's not like things didn't work this way previously.
Isn't this true though. If a country decided one day that 2+2=5 and wrote laws around it and enforced it then in that country you have to say 2+2=5 even if the laws of mathematics would disagree. It would be a dystopian place to live but that's just how laws work (assuming we're talking about some sort of authoritative regime where you can't challenge this law).
I think programmers are at a much greater luxury though because there is not really a thing called the laws of computer science. There are certain problems like P=NP or the halting problem but ad tracking is so far removed from that to the point that if we decided one day that it made sense to outlaw tracking, it could be done. It would kill a lot of businesses and would probably be a bad thing but to say that we shouldn't take into account lay people's wants when designing software systems is wrong.
Suppose that Australia enacts a law that says: passwords must only be accessible to the government but no one else. How can Australia reliably enforce that? Regardless of what the government decrees, other people can exploit the same backdoors that the government uses to access passwords. At most, they can punish people who do that against their wishes, but only after the password has already been accessed and only if they find out. Governments aren't omniscient or omnipotent, what they can enforce is limited by natural laws. We have yet to find a way to overcome natural laws.
It'd be easiest to just not provide incognito mode at all, than allow another footgun into the hands of the public at large in a way that only benefits Google.
I think though that people can be made to understand with better education and examples in a reasonable time period.
Yes, because the product explicitly says it does not do that.
No, because incognito doesn't have power over what sites do with request data.
As for the layperson, I think they hold the (reasonable) model that an incognito session is just like using a burner phone that you throw away after: it creates a dummy identity separate from your normal one. So at worst, the places you call can compare notes and see that the same number called both of them, and they might also secretly log or record the calls. A burner phone doesn't prevent any of that, and neither would incognito (prevent the analog of).
However, if the phone companies somehow learned which people bought which burner phones, and shared their "normal" info with anyone who asked about a particular burner phone, then yes, that would break the expectation/agreement, and it sounds like Google does something similar to that.
Again, this is just a description of how the world works. It says nothing about how the world could work. Incognito could turn your browser into a Tor client, or use a random sequence of VPNs to tunnel your traffic, or both, for example.
A mode like you describe is great, but I wouldn't expect a browser's built-in privacy mode to do all of that by default.
(And, FWIW, even then my statement is true. Even with the max privacy protections, once your request data has reached their servers, you can't do anything about their data storage by technical means. So even with a Tor client, if you've logged in and have to persist cookies to maintain session state, you can expect that the site to match identities across VPNs/Tor endpoints.)
Because if you're just a website, you do what you can with the information provided to you by the user agent (browser).
But if you're also the browser manufacturer which provides an "incognito" option, and your other (main) property explicitly goes around it as much as it can... that smells bad.
Neither of these features is meant to address the use-case you outline: browsing the internet free of tracking. I do think there is a market for such a mode, but both "incognito" and "private browsing" are meant to hide your activity from _the physical computer you are using._ You would want to use this mode if you are using a shared computer, like in a library or a computer lab.
"Now you can browse privately, and other people who use this device won't see your activity."
It goes on to list other technical specifics about what is not saved, but those are pretty much just sub-points. I'm not sure it's fair to expect Incognito to do something it's not meant to do.
Yes, it's an add-on and not built into Chrome... and yes you have to know about it to install it in the first place. I'm not exactly sure that's a problem though - if you are technical enough to navigate through settings menus in your browser, understand what the settings mean and toggle options (presumable to enable some built-in version of uBlock Origin), then you clearly have the capability to install the add-on.
Browsers filtering "known trackers" is a very quick slide into "known malware", "known spammers", "known foreign propaganda", "known conspiracy theories", "known fake news", and more.
It's the exact path that social media and other online platforms took, and guess what? The same companies build browsers.
With that, I also agree that Google couldn't be trusted to editorialize.
Related: I don't understand why people choose to work for Google
"You've gone incognito" doesn't mean what it says on the tin.
It means "You've gone incognito... from other users of this computer, not from us. From us you're still plenty cognito."
By that regard, you aren't buying Apples, you are buying "Golden Delicious Apples certified organic by the State of California and could contain random chemical that might cause cancer to you"
Still apples, but now you question whether they are truly edible or safe, which you used to assume about all apples
Now that it is known google can track you outside of stored cookies it should probably be relabelled to no persistant cookies mode and leave the idea of incognito. Using that word makes it seem like you are using tor.
The disclaimer put front and center is designed to tell you exactly what is going on. But, I'm not at all surprised that most people assume incognito/private modes provide far more protection than they actually do.
This is a fairly difficult and important technical communication problem: To make sure that most people after reading something understand what is meant. It's why you end up with all those really stupid sounding disclaimers on various products not do stupid things that seem obvious not to do.
What is actually communicated is dependent on both parties in the communication. An entirely accurate statement can be made by one party, intended to communicate the facts in good faith. However, depending on what the second party knows, the statement may not actually communicate what was intended or what is true and accurate.
The difficulty then is saying something which is short enough to actually get read and still communicates to a large majority of people an accurate understanding of the situation.
Again, this is the best case where the people making the statement are acting in good faith. It all goes down hill from there though, if they are actually trying to mislead.
"you can browse privately, and"
"you can browse privately, in the sense that"
What does a user think browse privately means?
Do they think it means "your browsing is shared with third-party data brokers that aren't displayed in the UI at all and you might not know exists?
It's one thing to say "well obviously we can't control what you choose to do with foobar.com"; it's another to say, "the same legal person who told you 'you can browse privately' is buying your browsing data from foobar.com".
"Now other people who use this device won't see your activity."
What does the bit before the 'and' mean?
To paraphrase it another way, it says "what you do on your browser is hidden, specifically it is hidden from other people who would try to find out using this device"
Further, given the overall ambiguity of English, and given the goal is something casual, not legalese, the way it is phrased is reasonable.
Actually, that raises an interesting point, how is this phrase rendered by chrome for other languages, and do any of them phrase it in a less ambiguous way?