Google’s Chrome browser – private or not?

Apr 19, 2024

David Snell’s Tech Talk

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop. Those of us using Chrome’s Incognito Mode were more than a little surprised when this first came to light in 2020. Incognito is NOT the private browser we all thought it was and many users were upset to learn that they were still being tracked and profiled while using Incognito Mode. Google’s defense was that its users had simply failed to read the fine print about what, exactly, Incognito Mode did – and mostly did not – protect them from.

Last week, The Hacker News carried a story about what’s been learned during the incognito lawsuit discovery. For years, Google simply informed users of Chrome’s internet browser that “you’ve gone Incognito” and “now you can browse privately,” when the supposedly untraceable browsing option was turned on — without saying what bits of data the company has been harvesting.

Google has agreed to delete everything they learned about their Chrome users while the users believed they were in fact “incognito”. That means Google is going to purge billions of data records reflecting users’ browsing activities to settle a class-action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser. “Even when users are browsing the internet in ‘private browsing mode,’ Google continues to track them,” according to the suit. Google’s tracking occurred and continues to occur no matter how sensitive or personal users’ online activities are.

The class action filed back in 2020 alleged the company misled users by tracking their Internet browsing activity while they thought it remained private when using the Incognito or Private mode on web browsers like Chrome. In late December 2023, it became known that the company had consented to settle the lawsuit. The deal is currently pending approval by U.S. District Judge Yvonne Gonzalez Rogers.

A court filing just last week (on April Fool’s day) said: ‘The settlement provides broad relief regardless of any challenges presented by Google’s limited record keeping. Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members’ private browsing activities.’ As part of the data remediation process, Google is also required to delete information that makes private browsing data identifiable by redacting data points like IP addresses, generalizing user-agent strings, and removing detailed URLs within a specific website, retaining only the domain-level portion of the URL.

In addition, Google has been asked to delete the so-called X-Client-Data header field, which Google described as a Chrome-Variations header that captures the ‘state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.’ What’s significant here is that this header is generated from a random seed value, making it potentially unique enough to identify specific Chrome users. In other words, there’s a serial number in the query headers that Chrome has been using.
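To make the remediation steps described above concrete, here is an added example (not Google's code and not part of the settlement) that applies them to one request-log record: drop the IP address, generalize the user-agent, keep only the domain-level part of URLs, and delete the X-Client-Data header. The record layout, the reading of "generalize" as browser family plus major version, and the same URL treatment for the Referer header are assumptions.

```python
import re
from urllib.parse import urlsplit

# X-Client-Data is the header named in the settlement; stored lowercase.
DROP_HEADERS = {"x-client-data"}
# Checked in order: Edge and Opera user-agents also contain "Chrome/".
FAMILIES = [("Edg", "Edge"), ("OPR", "Opera"), ("Chrome", "Chrome"),
            ("Firefox", "Firefox"), ("Version", "Safari")]

def generalize_user_agent(ua):
    """Assumed meaning of 'generalize': browser family and major version only."""
    for token, family in FAMILIES:
        m = re.search(r"\b" + token + r"/(\d+)", ua)
        if m:
            return f"{family}/{m.group(1)}"
    return "other"

def domain_only(url):
    """Keep scheme and host; drop userinfo, port, path, query and fragment."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: keep nothing rather than the raw value
        return ""
    return f"{parts.scheme}://{parts.hostname}" if parts.hostname else ""

def remediate(record):
    """Return a copy of one log record with the identifying fields reduced."""
    out = {k: v for k, v in record.items() if k not in ("client_ip", "headers")}
    out["url"] = domain_only(record.get("url", ""))
    out["headers"] = {}
    for name, value in record.get("headers", {}).items():
        key = name.lower()
        if key in DROP_HEADERS:
            continue
        if key == "user-agent":
            value = generalize_user_agent(value)
        elif key == "referer":  # assumption: treated like any other stored URL
            value = domain_only(value)
        out["headers"][name] = value
    return out

# Constructed sample record (hypothetical field names, not real data).
SAMPLE = {
    "ts": "2024-04-01T12:00:00Z", "client_ip": "203.0.113.7",
    "url": "https://clinic.example/patients/records?id=42#labs",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
        "X-Client-Data": "CONSTRUCTED-PLACEHOLDER",
        "Referer": "https://search.example/results?q=private+query"}}
```

Calling `remediate(SAMPLE)` leaves the timestamp, a domain-only URL, a generalized user-agent and a domain-only Referer; the IP address and X-Client-Data value are gone.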

Other settlement terms require Google to block third-party cookies within Chrome’s Incognito Mode for five years, a setting the company has already implemented for all users. The tech company has separately announced plans to eliminate tracking cookies by default by the end of the year. And of course that’s the whole Privacy Sandbox thing. Google has since also updated the wording of Incognito Mode as of January of this year to clarify that the setting will not change how data is collected by websites you visit and the services they use, including Google. Now they’re being more clear and more explicit. And here’s the biggie that came out of the depositions: The lawsuit extracted admissions from Google employees that characterized the browser’s Incognito browsing mode as a confusing mess, effectively a lie, and a problem of professional ethics and basic honesty. It further exposed internal exchanges in which executives argued Incognito Mode should not be called ‘private’ because it risked exacerbating known misconceptions.

Here’s the full 32-page lawsuit document – Brown v Google:

NPR’s take on this:

The Wall Street Journal:

Wired magazine’s take: