Google Sued for Tracking Private Browsing

Posted on June 3, 2020 by Paul Thurrott in Google, Google Chrome with 29 Comments

A proposed class-action lawsuit claims that Google has been tracking users even when Chrome is set for private browsing. The lawsuit is seeking at least $5 billion in damages.

“Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy,” the complaint explains. “Indeed, even when Google users launch a web browser with ‘private browsing mode’ activated (as Google recommends to users wishing to browse the web privately), Google nevertheless tracks the users’ browsing data and other identifying information.”

Surprisingly, Google achieves this tracking in part via Chrome’s secret advertising-related functionality.

“When an internet user visits a webpage or opens an app that uses … Google Analytics, Google Ad Manager, … [or] the ‘Google Sign-In button’ for websites (over 70% of all online publishers use such a service), Google receives detailed, personal information such as the user’s IP address (which may provide geographic information), what the user is viewing, what the user last viewed, and details about the user’s hardware,” the complaint continues. “Google takes the data regardless of whether the user actually clicks on a Google-supported advertisement—or even knows of its existence. This means that billions of times a day, Google causes computers around the world to report the real-time internet communications of hundreds of millions of people to Google.”

As the complaint notes, Google’s tracking is a serious violation of privacy and because it’s done secretly, it’s also deceptive to consumers and is both intentional and unlawful. “Federal privacy laws prohibit unauthorized interception, access, and use of the contents in electronic communications, the suit explains.

Because there are likely millions of people impacted—this is just in the United States, as Chrome’s worldwide usage is in the billions—the plaintiffs are seeking class-action status. They are also seeking $5000 in damages per user.

Google has quickly denied the charges, which come amidst heightened antitrust scrutiny of the firm and its biggest rivals.

“We strongly dispute these claims, and we will defend ourselves vigorously against them,” a Google statement reads. “Incognito mode in Chrome gives you the choice to browse the internet without your activity being saved to your browser or device. As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session.”

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (29)

29 responses to “Google Sued for Tracking Private Browsing”

  1. crunchyfrog

    Oh Google, here we go again...

  2. earlster

    And this is why I use Firefox and never use my google account on FF either, and also use DuckDuckGo, not google for search. I do use chrome to browse google domains, when I need to.

    • richardbottiglieri

      In reply to earlster:
      You can also use Mozilla's Multi-Account Containers Add-On (https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/) to keep data from Google and Facebook (or any other sites you'd like) completely separated from your other browsing activity. If you're going to use Firefox full time for privacy concerns, this add-on is a must have. It's free.

      It's a pretty awesome tool, and I wish it was available for Chrome/Edge. Yes, I know that we can have multiple profiles in Chromium browsers, but it's more convenient to have everything in the same browser window and just flip between tabs which are really separate containers.


  3. eric_rasmussen

    Some parts of Google are so great (the teams that work on Firebase, Flutter, Dart, and Google Maps for example) that it saddens me when other teams are not so great. The company does some amazing stuff, some of it much better than Microsoft does, but there's that bit about 80% or more of their total revenue comes from advertising that taints everything.


    Microsoft took a huge nose dive with UWP and the effort to turn PCs into large phones. I wanted to change the font size in Sticky Notes just this week and found that while the earlier versions of the app could do that, the newest UWP app in Windows 10 can't. This is a small example of the things that are super aggravating as a Windows user and developer. The Google ecosystem is in continuous improvement and feels much more like the Microsoft ecosystem of the 90's, which is a very good thing. The only bad thing is that 80% ad revenue thing. :(

  4. SvenJ

    Incognito or Private or whatever browsers call that, have always meant nothing is stored on the machine you are on. That way your Dad, Wife, Boss, can't see where you have been. It doesn't necessarily mean the site you went too, or things on the path that got you there don't know about it. Think about it, your browser makes a request. The results need to be provided back to your browser. Says right in Googles caveats, not stored in your browsing history, doesn't store cookies/ site data (on your machine), doesn't store info entered on forms (for easy reuse). This may not be clear to everyone, but this is how it has always been.

  5. note-book

    Google is being deceptive with incognito mode. I use new Edge, and when using InPrivate mode I am still being tracked, but as a new user. In Chrome, Google seems to access stored cookies and to save site data, just not on the local device but on its own servers. Not long ago I had to use Chrome, and it recognized me when I accidentally accessed its login page in incognito mode. With Google's incognito I appeared as a new user to all except Google. Chrome saves browsing history, cookies and site data to Google, contrary to what they say ("won't save").


    I cannot see how VPN or even TOR can preserve privacy here. If Chrome always logs in, Google will always be able to identify you, so you cannot "browse privately".


    A final thought about the data. What is the reason for such tracking? I use InPrivate/incognito only for sensitive websites, my bank or medical/private stuff. It accounts for 1% or less of my browsing. Statistically, that is insignificant and does not warrant this strict tracking. And Google also has Android feeding data from cell phones. Facebook and Cambridge Analytica come to mind.

  6. bmcdonald

    Chrome (and Google as well ) is gone here now completely.


    After following some of Paul's commentary on browser privacy a while back - I first moved everyone to Brave - but that browser - while VERY private - still has too many quirky interactions with websites that I need to access - like online banking - so I moved all PCs to the new Edge


    While MS has it's own issues with telemetry and data usage - I am a lot less concerned with them than with Google.


    Anything I can do to see Google fail is worth trying. Plus the new Edge is so much faster.


    B

  7. kfriis

    I do not understand why anyone is using Chrome. How did that privacy-invading browser become the "standard" for even IT professionals? The fact that "regular" people are using Chrome is understandable, but anybody with just limited IT knowledge - which probably includes just about anyone reading this - really have no excuse.


    Would be interested in hearing from any IT pro using Chrome explaining why ... ?

    • yoshi

      In reply to kfriis:

      I know in my IT shop, a lot of our 3rd party vendors build their products around Chrome. A lot of them won't even bother giving support unless you are using Chrome with their product. We tried many times to get everyone on Firefox, Edge(old version), and even just plain old IE. Eventually we just deployed Chrome to everyone. Maybe the new Edge will change that for us eventually.

    • SvenJ

      In reply to kfriis: Because for years, pundits, site hosts, bloggers, etc have said, 'the only thing IE is good for is to download Chrome'.


    • PanamaVet

      In reply to kfriis:

      Some people enjoy not being private and Google strokes their fancy in return. I expect they will also be first in line to collect their Google class action settlement.


      I run my browsers in a Sandbox. Among other things I store the Sandbox, temp files and temporary internet files on a RamDisk.


      I flush that toilet.


    • dftf

      In reply to kfriis:

      If you deploy Google Chrome in an Enterprise, the Group Policy settings do allow some of the data-collection features to be turned-off, plus you can always block them at a proxy / firewall level. Also, as it's the most-popular browser, makes-sense to give users software they are already-familiar in using, to reduce training issues, compared to say introducing Firefox (and I couldn't also say for Firefox whether it's Group Policy support is as-extensive in what you can configure?)


      Brave and Vivaldi are both relatively new, so most enterprises won't bother with them, given they already settled on either Google Chrome or Firefox when deciding how to get users off IE11 or older (plus, do either of them have Group Policy support?)


      One other reason for some companies when choosing software can be whether it is closed-source or open-source: there is still a belief that "closed-source" means "safer", as the code (unless leaked) is never made intentionally public. If you do work for Government or military, open-source stuff, like 7-Zip or LibreOffice, can be an automatic no, and Firefox of-course is open-source.


      I imagine in the future though, you'll see Google Chrome less in businesses as they just use Microsoft's new Edge, especially once it comes built-in (likely in 20H2 or 21H1).

      • kfriis

        In reply to dftf:

        Thanks dftf. A lot of that makes sense. Good perspectives.


        I also wonder though why IT pros themselves are using Chrome. I understand the enterprise viewpoint regarding regular users, but I see a lot of IT pros using Chrome personally as well which I do not understand. Usually IT pros have very sharp opinions about software and have thought through pros and cons of their choices. Still, Chrome seems to be widely used ...

  8. lvthunder

    "Surprisingly, Google achieves this tracking in part via Chrome’s secret advertising-related functionality."


    Who is surprised by this? I'm not.

  9. wright_is

    “We strongly dispute these claims, and we will defend ourselves vigorously against them"

    So, Chrome's privacy mode recognises Google tracking domains and blocks them from loading? No, didn't think so.

  10. doubledeej

    Interesting that Google’s response doesn’t deny that they are collecting the data.

  11. dftf

    If you wanted a genuine case of a browser being misleading, I'd suggest looking at Opera and Opera Mini: they say they have a built-in VPN, but it's actually just Secure DNS -- the traffic still goes via your ISP, and non-HTTPS sites are not encrypted in any sort of tunnel, they're still just raw. That to me IS a genuine case of being misleading!

    • MikeCerm

      In reply to dftf:

      I'm not sure where you heard this, but it's not true. It's not just Secure DNS. It's a proxy that sends all your data through Opera's servers, so the endpoint (the site you're connecting to) cannot see your IP address. Your ISP also can't see where you're going, because all they see is that you're connecting to Opera. You're right that there isn't any encryption, so it's possible that ISPs could glean additional info using deep-packet inspection, but it's not true that all Opera is doing is providing DNS.

      • dftf

        In reply to MikeCerm:

        What Opera are doing is providing a secure proxy-server, but they misleadingly label the feature as "VPN" inside the app.


        Here are some quotes from reviews which all say they are wrong to refer to it as a VPN:


        RestorePrivacy.com:

        "Opera VPN is a browser proxy that encrypts traffic between the Opera browser and a proxy server [...] in other words, Opera’s "free VPN" is not a VPN at all, but rather just a browser proxy."


        TheBestVPN.com:

        "Calling Opera VPN a VPN is not accurate at all. It’s not a VPN, it’s a proxy."


        GitHub:

        "It's an HTTP/S proxy which requires auth. This Opera "VPN" is just a preconfigured HTTP/S proxy protecting just the traffic between Opera and the proxy, nothing else. It's not a VPN."


        ProPrivacy.com:

        "OperaVPN is proxy, not a VPN service. Connections are secured using HTTPS, the encryption scheme which protects sensitive websites, making OperaVPN an HTTPS proxy."


        ArsTechnica review:

        "Sounds to me like this is more like a pre-configured proxy server than a VPN."


        It's clearly NOT a VPN as if I connect to say a torrent website, my ISP will say "Sorry, a high-court order requires this website to be blocked in the UK". This would not be visible to my ISP were it a real VPN.


        Therefore I stand-by my original post that Opera calling the feature "VPN" is misleading

  12. dftf

    Personally I can't see Google not winning this -- unless you can prove that most the general-public reasonably expected Incognition Mode to function akin to a VPN, then I can't see any-other argument here. The wording on the page when you start the mode clearly says "Your activity might still be visible to [...] websites that you visit". And if you click "Learn more", then click "How Incognition mode protects your privacy" on the next page, under "What Incognito mode doesn’t do" it clearly states "[it does not] prevent the websites you visit from serving ads based on your activity".


    If you use Private Browsing mode in Firefox, it gives you a similar warning: "Firefox clears your search and browsing history when you quit the app or close all Private Browsing tabs and windows. While this doesn’t make you anonymous to web sites or your internet service provider, it makes it easier to keep what you do online private from anyone else who uses this computer."


    The only possible way this could succeed, I can reasonably think-of, would be to prove that they maintain a profile of you as a unique user between different Incognito sessions -- i.e. it doesn't discard your previous data and treat you as new each time. But if it's simply "Users expected when using Incognito that Google gets no data whatsoever, and does no targeted ads" then I can't see the case progressing very-far, especially since Microsoft, Mozilla and Apple will all still receive personalised data in their respective private modes too.

  13. dcdevito

    I strongly urge everyone to stop using Chrome. Edge, Firefox, Brave and Safari (Mac) are outstanding alternatives that have distinct advantages.

  14. Daekar

    No pity from me, Google.

  15. GCalais

    As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session


    This is true. Google never implies incognito mode is like browsing the internet anonymously. I support internet privacy as much as anyone but this is pretty naive.

    • christian.hvid

      In reply to GCalais:

      Well, according to Merriam-Webster, incognito means "with one's identity concealed". Which is just another word for anonymous. I get that Google can't stop other web sites or web services from collecting information about you, but they sure could prevent their own services from doing it. And that, I believe, is the core argument of the lawsuit.

      • IanYates82

        In reply to christian.hvid:

        The thing is though, the browers deliberately go out of their way for a site to not be able to tell that a browser is in incognito mode.


        Some sites had heuristics they enacted to detect this (I think Washington Post, for example, uses the fact you're on a Chromium browser but with limited local storage to infer that you're using a private browsing mode).

        It's a game of walls and ladders.


        And by using the principal that the browser is to behave as though it's a brand-new, out of the box, browser that's not been on the internet before, and to restore to that state when you close it, there's not much more they can do. The Google services will see the incognito Chrome just the same way they see a brand new version of Chrome with no one signed in. The fact you visit 10 sites and then close the tab, and those 10 sites use Google Analytics, could mean that 10-site session is tracked somewhat.


        The thing is though, when you close that browser session, the local state is gone, and all that remains for servers to track the next session is fingerprinting based on IP, user agent, etc. Google (and many others) does that to everyone - private mode or not.

  16. RonV42

    So many "hidden" clauses in usage of the Chrome browser. There is what the industry generally agrees what incognito mode is and then there is Google's definition that twists it to their advantage.

  17. youwerewarned

    Yet another example where being clueless has undesired consequences.


    Most recent instance was 11/8/16. It was a doozy!

Leave a Reply