$5bn+ sueball bounces into Google's court over claims it continues to track netizens in 'private browsing mode' Google has been sued for billions of dollars in a proposed class action alleging the adtech company identified and tracked users who adopted its browser's incognito mode to avoid such tracking. The complaint, filed in Northern California yesterday [PDF], claims that through a combination of means ranging from "Google Analytics …
Where as I am no fan of Google tracking your every move, how has this law suit even got started since at no point does Google claim that Private browsing/incognito mode makes you anonymous on the internet?
Both Chrome and Firefox warn you that your ISP and website that you visit can still track your activity. It only the local PC that isn't logging any history or keeping cookies after you close the session.
I agree, actually. Incognito mode doesn't mean there's any more protection from Google. The case as it is needs to be changed. Instead of pointing out the incognito mode problem, they should point out that Google is gathering information by sneaky means without disclosure no matter what, with little ability to stop it short of aggressively blocking all Google services. That takes the potential plaintiffs list from those who use Chrome in incognito mode up to the entire population of the country, and that's mostly because I don't think U.S. courts make it easy to include most of the internet users in the world in a class action.
You perhaps are focusing too much on the wording. They warn about the ISP, but they never warn about what Google themselves are doing. They don't offer any way to stop their tracking. But they do have a button that tries to imply that it might help. Just as they have switches that imply they stop collection of location history from Android phones but in actuality do nothing. It's dishonest, misleading, and harmful. If some lawyers can find a way to make that cost Google, I say go ahead.
"With Disconnect.me's strict filtering it'll block all Analytics, including Google."
Except when you need to enable something like gstatic.com so the site will work. Only Google knows how much analytics is happening through that and other "necessary" URLs you might, even temporarily, need to whitelist. You can't rely on the name of the URL being descriptive as it may be a bit like "incognito" or "private", ie just a word, not a description.
That's the bad part of it. The reason why it's done that way may surprise you. It's to reduce the bandwidth for the server, and to reduce the cache space on the client. "How?" one might ask. Well, I will tell you:
Taking my website for instance, it uses jQuery 3.3.1. The file is 84.8kb. I also use Bootstrap 3, which has multiple files totaling 1.56mb. Now since I'm a software engineer, I have all these files and frameworks locally on my server and sends them to the client without having the client pull anything else from anywhere else. So for every client that connects to my server, I'm sending the entire framework to the client. That takes up network bandwidth. My network bandwidth. So websites, in an effort to save on that bandwidth, have the clients pull the frameworks from the framework publishers, thereby saving bandwidth on the server. Furthermore, the browser caches files based on where the file came from. So if 100 websites all use the same frameworks from the same publishers, then the client only needs to download it once from the publishers for the 100 websites that use those frameworks. That saves bandwidth on the client, the server, and the framework publishers. Furthermore, it reduces the amount of disk space used on the client. The reason for this is that only one copy of the framework is in the disk cache. On the flip side, if each of the 100 sites sent their own copy of the frameworks, the client would have 100 copies of the same files on their computer.
That is the main reason why websites pull files from other servers. It reduces total bandwidth consumption on the internet and makes things faster (which is a good thing). As you pointed out, now the framework publishers can track all the users of those 100 sites. So like everything else in life, there is a trade off.
Any reason why they can't? No. It would be straightforward. Any reason why they won't? Several. They include these:
1. Administrative hassles keeping the libraries up to date.
2. Cost of the bandwidth they're now using.
3. Getting website developers to use their system.
4. Convincing developers and users that their system is secure and won't result in malware-laden versions of those libraries being injected.
5. Convincing developers that the system isn't going to go down without support at some point, requiring emergency edits to their pages.
It's quite unlikely, but it is possible.
When I took a class on digital forensics, my team's semester long project was browser forensics. I personally focused on the abilities of Google Chrome's incognito mode. What I found was that this mode was actually quite good. Starting from a clean browser profile, opening incognito mode, and then browsing the internet visiting quite a few different sites, then fully closing the browser. Using Autopsy, I performed an analysis of the browser profile before and after. Nothing, and I mean NOTHING was saved in the browser profile. Now some information was saved in the operating system's paging file (Windows), but that is outside the control of the browser. However, Windows (and others I'm sure) can be configured to clear the page/swap file on shutdown, so when the machine turns off, there is no trace on the machine at all. The instructor asked if I tested that. And yes, I did.
I'm not one to sing Google's praises, but in this case, the lawsuit is flawed. Google Analytics is used by many websites regardless of the browser that is being used. Therefore, they are going to track you no matter what. Browser fingerprinting is a thing. The ISPs can see what IP addresses you are connecting to, and possibly your DNS queries. If you are using HTTP instead of HTTPS, then they can see that too. The websites themselves gets a whole slew of information when you connect to them. I know because I see it in my server's logs. I also see it in the application logs as well. I don't use adverts on my server, but Google does because that is how they make their money.
While nothing is left on the device that initiates the request over the internet, you don't say anything about the plethora of sites used during the request and how much data is leaked to Google etc.
Did you ever put a tool like Wireshark on your network when doing your tests?
The logs from that are a dead giveaway. I block over 400 google owned domains at my firewall.
From time to time I have to enable google.com in order to get those stupid captcha things to work.
You can avoid most of google or at least dramtically reduce your exposure to them if you take a bit of time.
Oh, and having worked for an ad slinger (on a temporary basis) I saw how bad it could get so I started blocking google in 2009. I have no intention of going back.
Posting AC just to keep the google sniffers at bay for a while longer but one day they'll come knocking at my door. Such is life with the Borg (aka Google) in control of the internet.
The sites themselves were beyond the scope of the examination. The examination was done to see if any information was saved to the computer using incognito mode, which there wasn't any. Yes, I did run a Wireshark session. The only thing the browser did when starting up was phone home to Google to check for updates. Apparently Chrome does this every time it starts up. Go figure. As for the other stuff, everything is becoming encrypted so it's very difficult to see what exactly is being sent.
The real threat to privacy today is browser fingerprinting, which can more or less uniquely identify you, even in a browser's privacy mode. Plugins such a Privacy Badger work to stop this, but it's quite rampant. You could delete all cookies when you close the browser, and Chrome has such a setting. But fingerprinting is hard to defeat.
If network traffic was out of your remit, then you're completely unable to make a claim about the case being flawed. The case concerns data going to Google. You only know about data going to the hard disk. Those are not the same, and you've now admitted you have little information about what Google did or didn't collect at the time. Given that they are known to use Chrome to report back to Google with extra identifiers and you have admitted that you don't know whether they're still doing that, your comments seem entirely without merit.
In addition, I wonder about several of the things you talked about. You mentioned data storage. How about data retrieval? Did you check if data from the profile was read off the disk, potentially leading to transmission? Did you check methods of exfiltrating data that should not be visible from an incognito browser? Did you check whether any fingerprinting methods were successfully prevented; if the mode works as even Google claims, there are some that should have been blocked. From the sound of it, you only used a clean profile, so by definition you could not check that latter point, but I only saw the summary so you might have. If your only concern was data left on the disk after use, I'm afraid I think you focused on the simplest and least concerning aspect.
"Therefore, they are going to track you no matter what. "
Ok, fine. So don't have an "incognito mode" then. Chrome says:
Your activity might still be visible to:
Websites you visit
Your employer or school
Your internet service provider
It doesn't say anything about "and we [Google] will still track you"
...Google Meet. The amount of information it collects for the admins in GSuite admin and I think sends to Google directly.
I've removed my GSuite details.
Client logs upload
Applied at 'DOMAIN NAME HERE'
Include web-browser and mobile app logs with diagnostic data sent to Google.
Logs include users' email addresses and additional info.
https://support.google.com/a/answer/7304109
Client logs upload Users’ web browser and mobile app log information is sent to Google. This includes users’ email addresses and other information. Google uses it to help troubleshoot support requests from your organization.
When a meeting is going on you can see who is in it, even if they aren't related to your company. See their e-mail address and if the score they give the meeting at the end if they reply.
Meeting code
Organizer
Started
Duration
Size
participants
Network congestion
% of meeting
Packet loss
average (max)
Jitter
ms avg (max)
Score
lowest
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
