Class-Action Lawsuit against Google’s Incognito Mode

The lawsuit has been settled:

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users­—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

I was an expert witness for the prosecution (that’s the class, against Google). I don’t know if my declarations and deposition will become public.

Tags: , , ,

Posted on April 3, 2024 at 7:01 AM18 Comments

Comments

Q April 3, 2024 7:40 AM

I think it is important to state that it is incognito mode in Google’s Chrome browser.

Other browsers exist.

Grima Squeakersen April 3, 2024 9:33 AM

“Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode”

Anyone who believes that Google will delete all such records collected must also believe in Santa Claus and the Tooth Fairy. I do note that the statement doesn’t say “all data records”, so I suppose there might be some plausibility to the idea that Google might delete, say 7 BLN records of 20 BLN collected, with every record deleted a redundant copy of one that remains.

Hugo April 3, 2024 9:59 AM

So amazing that people still use Google’s software. How many examples do we need to understand that Google is not an honest company? Don’t use their software. You have a choice.

Who? April 3, 2024 10:08 AM

How can we be really sure Google removes all that data?

Google is a data broker, one of the worst offenders in the field of privacy violations I would say; in the past, nearly two decades ago, I had an account on Google services like gmail, until someone working for Google at California contacted with me offering a job because “some emails I sent where tagged as important and one employee of the company read them”.

Now, I do not have a Google account anymore but, I am sure, even if I do not agree with Google’s terms of service THEY WILL CONTINUE READING ANY EMAIL I SENT TO PEOPLE USING GMAIL ADDRESSES.

Google should at least be banned in Europe. I have lost any hope about the United States doing the right thing with these data brokers.

Adrian April 3, 2024 12:46 PM

I keep reading that one aspect of the settlement is that Google will allow Incognito user to block third-party cookies for five years.

What does that mean? Does Chrome currently (or recently) prevent users from blocking third-party cookies? I’ve always blocked third-party cookies by default. What changes in five years?

Separately from this suit and the settlement, Google has already proclaimed that 2024 is the year they will phase-out third-party cookies altogether (while adding APIs that allow cross-site tracking through other means), so isn’t this part of the settlement a nothing-burger?

NoGoogle April 3, 2024 1:44 PM

According to https://www.mercurynews.com/2024/04/02/google-to-purge-private-incognito-mode-user-records-but-will-keep-snooping/ “Google will delete billions of records it scooped from “Incognito” mode web browsing of about 136 million U.S. users but will continue to collect data through the not-so-private browser setting — it just has to disclose the grab.”

Even if you trust that Google will delete the data -true anonymization is almost impossible to do-, they will be deleting data that is probably of little value going forward if they are allowed to keep collecting data from users in incognito mode.

In surveillance capitalism, more recent data is of higher value than older data because it has higher predictive value, in a statistical sense, on the ads users are likely to click.

Adrian April 3, 2024 1:52 PM

@NoGoogle: Is it irony that the Mercury News link you posted asks me to disable Incognito in order to read the article about how Google’s Incognito mode wasn’t as private as users thought?

Even funnier, I’m not using Incognito mode. I’m just blocking third-party cookies.

NoGoogle April 3, 2024 2:03 PM

To Who?,

“Google should at least be banned in Europe. I have lost any hope about the United States doing the right thing with these data brokers.”

As a former European -I was born in a European country but a couple of decades ago I immigrated to the United States; I have been making a living in tech during this time but I formally renounced my former European citizenship upon becoming an American citizen – I think that one key aspect in this whole debate that the European press gets wrong is that the United States doesn’t take on Google for traditional political reasons (ie, left/wing politics). The actual reality is much different.

Unlike what happens in Europe, paying politicians -and buying their vote- is legal in the United States. It’s called “campaign contributions” and while technically there cannot be “quid pro-quo” -check the case of former Virginia governor Bob McDonnell who was unanimously exonerated by the US Supreme Court.

Once the leadership of Google understood that their company was destined to be big – probably around 2005-2006- they made the conscious decision of participating in America’s political process the traditional way to avoid the destiny of Microsoft. As part of this strategy the company -not to be confused with their employee base- donated to politicians and political centers of power of both Democrat and Republican administrations.

Their strategy worked for a long time. It is well documented that the Obama administration set aside an antitrust lawsuit against Google its appointes had redied in 2013.

When Trump came to power, Google kept playing the same gain with entities such as the Heritage Foundation and the CATO Institute that you can think of as “cults of profit”, ie organizations that worship profitable companies.

I was very surprised when Biden decided to keep alive the antitrust lawsuit filed by the Trump administration a couple of months before the 2020.

Google also knows (check the anti trust cases against IBM and Bell Labs) that even if the company were to be broken up, things will take a long time and they (Google) have the best lawyers money can buy.

In a situation like this, the best anyone can do is to take matters in his/her own hands: delete all your Google accounts, use Signal and use ProtonMail/ProtonVPN. And if you family/friends use Gmail, convince them to do otherwise.

lurker April 3, 2024 2:03 PM

@Adrian
“Does Chrome currently (or recently) prevent users from blocking third-party cookies?”

No, but to block them the user needs to know that third party cookies exist, and how to dig down through Chrome’s Settings submenus.

@NoGoogle
“Google will delete billions of records it scooped from “Incognito” mode web browsing of about 136 million U.S. users”

Meanwhile G will continue munching on the records it gained from all non-US users, icluding Europe before the GDPR smacked them.

@ Bruce
‘Google must further update the Incognito mode “splash page”’

And of course the release note for the update will say in total, as always,
This update contains bug fixes, and performance improvements.

Dominick April 3, 2024 2:07 PM

That’s rather anti-climactic. I guess Google must have been really against deleting the data, to let the lawsuit go on for 4 years before offering this nearly-meaningless settlement. And the class took it! It must’ve been a really weak case. I wasn’t necessarily expecting money, but they should’ve pushed for Google to stop collecting data from people using privacy modes—for example, have Google modify Chrome to set the do-not-track flag when “Incognito”, and require Google to respect the flag from all browsers.

Re: Adrian’s mention of irony, Wired and Mercury News are both working fine for me in Tor Browser (excepting that the Mercury byline is overlayed on top of the article’s text; disabling the stylesheet helps).

NoGoogle April 3, 2024 2:11 PM

@lurker

No question. Just to be clear, as a Silicon Valley resident I understood early on what Google was about circa 2004/2005. Back then I was studying engineering as a graduate student at Stanford and Google was in a huge hiring spree. I rejected their hiring requests but the classmates I recall being the most enthusiastic about joining Google were people who couldn’t care less about violating people’s privacy as long as they enjoyed the perks of being a Google employee (well paid, free food, stock options/RSUs).

Google has been buying the will of a lot of smart people for a long time. It won’t be easy to take on them. This lawsuit is a great example. Google has settled. Is the settlement impacting their ability to continue to make money with surveillance capitalism in any meaningful way? Obviously no.

Thank you for your comment.

lurker April 3, 2024 2:27 PM

@Mercury News

No, it’s not irony, just the American way: the Blocker splash says

DISABLE INCOGNITO OR SUBSCRIBE TO CONTINUE

I’m not willing to pay a subscription just to check that option, but I too am not using Incognito, or Chrome. I have an adblocker, and block 3rd party cookies, but MN loads text only and messed up css with .js OFF. Some papers, NYT is notable, now demand adblockers OFF, .js ON.

lurker April 3, 2024 2:38 PM

@Dominick

BSF, Attorneys for the Plaintiff, in an historic flashback, were also Attorneys for the Plaintiff in the casee of SCO vs. Everyone re. Who owns Unix/Linux?

http://groklaw.net/

Boris Reitman April 3, 2024 2:45 PM

I prefer being tracked via 3rd party cookies in order to see good, relevant ads. And, I prefer seeing ads than paying for subscription. When I use the Incognito mode, I know that URLs that I browser are logged at the ISP. I can’t expect this data not to be leaked out. It’s fine with me.

NoGoogle April 3, 2024 4:42 PM

@lurker

I have never used Chrome as my personal browser -when I am in hotels or similar places without my computer I have used it on occasion but I don’t recall having used it with my personal credentials.

For a long time, my personal browser was Firefox. When Brave came out, I switched and I haven’t looked back. Because Brave is kind of aggressive, when things don’t work out well there, I use Microsoft Edge as my backup.

When it comes to VPNs, I used to use AirVPN -given that their central legal location is Italy- but around a couple of years ago I tried ProtonVPN. I still keep AirVPN as a backup, but I love the Proton ecosystem.

In short, Google is a very untrustworthy company. If you are a security conscious person, the last thing you do is to use their services with your real id (or even a fake ID).

David Levine April 3, 2024 7:20 PM

Congrats on the win! At the same time, I am a well educated person who reads this blog regularly. Nevertheless, I have no idea what it means to my privacy that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and that “third-party sites and apps that integrate our services may still share information with Google.” Unless we know the uses of the data at the intermediate stage (as in famous examples of who is pregnant or who is gay) and at the final stage (as in raising prices on a website, telling the FBI whom to investigate, etc.), we are still giving up privacy in ways we cannot understand. I appreciate your leadership in this larger fight.

Who? April 8, 2024 12:33 PM

@ lurker

Meanwhile G[oogle] will continue munching on the records it gained from all non-US users, including Europe before the GDPR smacked them.

I have serious doubts GDPR works as intended; last time I tried to remove my data from a broker they answered that “GDPR is designed to allow them to preserve any information collected forever”.

Who? April 8, 2024 12:46 PM

@ NoGoogle

In a situation like this, the best anyone can do is to take matters in his/her own hands: delete all your Google accounts, use Signal and use ProtonMail/ProtonVPN. And if you family/friends use Gmail, convince them to do otherwise.

Completely agree, our only chance is taking matters in our own hands. These days even Linux distributions are playing the “data brokers game”. A true BSD operating system (Free, Net or OpenBSD), never MacOS or similar, with as few installed applications as possible, configured in the most secure way, is the only chance we have to get some privacy.

For those that need to use smartphones, tablets or similar, and need some sort of messaging service, perhaps Signal, I am not really sure.

My choice for a serious platform, is running an ICB service in the loopback interface of an OpenBSD server, logging into the machine using an SSH tunnel while forwarding required ports (-L and -R options), so any “client” will communicate to that OpenBSD server under our control.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.