Chrome’s Incognito Mode is another form of privacy washing

The ‘Incognito Mode’ lawsuit is another legal blow to Google’s privacy-washing tactics

Update April 4, 2024

In December 2023, Google agreed to a settlement with the plaintiffs in this case, the day before it was set to go to trial. And on April 1, 2024, the terms of that agreement were made public.

The settlement terms reveal the truly massive scale of the company’s data collection even when users were in Incognito mode. It turns out Google collected and stored hundreds of billions of browsing records of at least 136 million people who assumed their online activity was private.

Google was also using secret “private browsing detection bits” to track people’s decision to enter Incognito mode, despite never disclosing this. 

And Google’s top executives knew their Incognito mode splash page was problematic but continued to use it anyway. In an email to CEO Sundar Pichai, the chief marketing officer cautioned that the Incognito disclosures used “really fuzzy, hedging language that is almost more damaging”. Employees described it as “effectively a lie”.

Under the deal, Google will not pay any money to the plaintiffs, but individual class members can still sue for damages. Instead, Google agreed to delete the browsing records, clarify the limitations of Incognito mode on its splash page, remove the private browsing detection bits, and block third-party cookies in private browsing mode by default for the next five years. 

Experts estimated the value of the data Google will lose from these changes to be between $4.75 billion and $7.8 billion.


If a web browser tells you you’re “incognito” and can “browse privately”, you might assume your online activities are private and no one is collecting your data. But you’d be wrong.

It’s precisely this ambiguity that has landed Google in the crosshairs of a $5 billion lawsuit. In August, a federal judge paved the way for this high-stakes case to go to trial, where Google’s attempts to redefine the meaning of privacy will once again face reality.

Privacy washing is Google’s attempt to portray its services as private, even as it sweeps vast quantities of your personal data into its profitable advertising engine. According to investor reports, the company has recognized the public appetite for privacy. Recent marketing and product decisions reflect efforts to address privacy in ways it hopes will pacify consumers and regulators without changing its lucrative business model.

But as we’ve shown in a previous article, privacy washing may work for marketing, but it doesn’t work in the courts. When Google’s notion of privacy conflicts with legal principles, Google consistently loses.

The battle over Incognito Mode is a decisive challenge. Because Chrome is the hands-down favorite web browser, with over 3 billion users globally, the product is a window into human browsing activities. If even something called “Incognito Mode” doesn’t offer meaningful privacy for Google users, then it’s worth closely examining what privacy actually means to Google and how far you should trust the company’s claims.

What the Incognito Mode lawsuit is all about

In 2020, a group of five plaintiffs sued Google with multiple allegations, including violations of the federal wiretapping law, California privacy laws, breach of contract, and other counts. Seeking “at least” $5 billion in damages, they say Google promised not to collect their data while in Incognito Mode but did so anyway.

Google asked a federal judge in California to throw out the case, which is the typical response to such lawsuits. The company argues that Incognito Mode tells you that websites can still track you whenever you open a private tab, a spokesperson told The Verge.

“We strongly dispute these claims and we will defend ourselves vigorously against them,” he said. “Incognito mode in Chrome gives you the choice to browse the internet without your activity being saved to your browser or device. As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session.”

The judge disagreed. You can read her ruling here. She said Google’s claim that people consented to letting the company collect their data while in Incognito mode is questionable. “Google never explicitly told users that it does so,” she wrote. And crucially: “By browsing privately, plaintiffs could be said to have asserted their expectation of privacy. Google is welcome to make the counterargument at trial.”

In other words, the judge believes that when people activated a feature explicitly named “incognito”, they were relying on the common-sense meaning of words to assert an expectation of privacy. It’s a direct rebuke of privacy washing.

The plaintiffs further claim that Google still collects data during private Chrome sessions that the company can de-anonymize and use to target you with ads. They say the company stores people’s browsing data in the same logs, whether they’re in regular or private mode. When combined, “Google can use them to ‘uniquely identify a user with a high probability of success.’”

The technical details of this system will certainly come up if the case goes to trial, which still isn’t a guarantee. Google has historically preferred to settle privacy lawsuits out of court rather than face real scrutiny of its data practices.

How Incognito Mode works

Google has at least one thing working in its favor: Chrome isn’t the only browser with a misleading “private mode” feature. Safari, Firefox, and others offer similar options. It may be that tech companies simply take for granted that people understand how private mode works, but that’s certainly not the case.

The proliferation and complexity of online tracking technologies mean it’s not reasonable to expect even tech-savvy internet users to understand who is tracking their behavior and what data is collected at any given moment.

So here’s what actually happens when you switch to Incognito Mode:

  • First, the splash page of a new private tab lets you know that Chrome won’t see your browsing history, cookies, site data, or information entered in forms. This means Chrome won’t save any of this data locally on your device.
  • This does not mean that other websites or even Google itself can’t see and log your data. Other websites will still be able to see that you’ve visited their page. Although they can’t see any tracking cookies previously associated with you, they can still see your IP address, what browser you’re using, and what device you’re using, among other potentially personally identifying data. Google Analytics and Google’s ad network will still see you.
  • If you log in to any accounts while in Incognito Mode, this will also reduce your privacy. For example, if you log in to your Google Account to check your Gmail, Google will know that you’ve visited Gmail. If you stay logged in and search for something in Google, the company will know about that search.
  • The Incognito Mode start window also informs you of some other limitations of the feature. As mentioned above, it doesn’t protect you from other websites you visit monitoring your activity. And it doesn’t prevent your internet service provider (ISP) or local network administrator from seeing what websites you visit.

We’ve also published a more in-depth explainer on private browsing here. In summary, Incognito Mode prevents your local device from remembering anything about your browsing session. But it doesn’t stop remote servers from watching what you do.
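What a remote server can still correlate between a normal tab and an Incognito tab, as an added example that is not part of the original article. The request objects, field names, and the FNV-1a label are constructed for illustration and do not represent Google's actual logging.

```javascript
// Constructed sample requests as a server would log them (RFC 5737 documentation IPs).
const UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
const normalTab = {
  ip: '203.0.113.7',
  headers: { 'user-agent': UA, 'accept-language': 'en-GB,en;q=0.9', cookie: 'uid=constructed-123' },
};
// Private tab: fresh cookie jar, so no Cookie header. Everything else is unchanged.
const privateTab = {
  ip: '203.0.113.7',
  headers: { 'user-agent': UA, 'accept-language': 'en-GB,en;q=0.9' },
};
const otherVisitor = {
  ip: '198.51.100.24',
  headers: { 'user-agent': 'Mozilla/5.0 (constructed other device)', 'accept-language': 'de-DE' },
};

// 32-bit FNV-1a, used only to give each set of signals a short label.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash.toString(16).padStart(8, '0');
}

// Attributes the server receives without any state stored on the device.
function passiveSignals(req) {
  return {
    ip: req.ip,
    userAgent: req.headers['user-agent'] || '',
    language: req.headers['accept-language'] || '',
  };
}
function signalLabel(req) {
  const s = passiveSignals(req);
  return fnv1a([s.ip, s.userAgent, s.language].join('|'));
}

// Compare two logged requests: was a cookie sent, and which signals match anyway?
function compareRequests(a, b) {
  const sa = passiveSignals(a), sb = passiveSignals(b);
  return {
    cookieSent: [Boolean(a.headers.cookie), Boolean(b.headers.cookie)],
    unchanged: Object.keys(sa).filter((k) => sa[k] === sb[k]),
    sameLabel: signalLabel(a) === signalLabel(b),
  };
}
console.log(compareRequests(normalTab, privateTab), compareRequests(normalTab, otherVisitor));
```

The private tab drops the cookie, yet its IP address, browser string, and language header all match the normal tab, which is why clearing local state alone does not make the two sessions unlinkable on the server side.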

Alternatives to private mode browsing

To block trackers from other websites, you’ll need to install a browser extension that blocks third-party cookies or use a VPN that blocks trackers and malware. Proton VPN does this. A VPN also prevents your ISP and network administrator from seeing your activity (apart from the fact that you connected to a VPN).

The only way to prevent Google from having a monopoly on your personal data is to leave Google. Even if you turn off personal ads and block ad tracking, Google will still have access to all your data in Gmail, Google Calendar, Google Maps, Google Drive, Google Photos, and more.

That’s not only creepy, it’s completely unnecessary. With Proton’s end-to-end encryption and zero-access encryption, you can take back control of all the data you would otherwise hand over to Google. Our encryption methods mean no one can access your data, including us. Your emails, calendar events, files, passwords, and other data are encrypted locally on your device before they’re uploaded to our servers. So you still have access from anywhere, but we never do.

Considering the amount of data Google still collects from you, even in Incognito Mode, it’s fair to question what Google thinks the word privacy means. As courts and regulators have suggested, privacy for Google does not mean what it means for us at Proton. With Proton, your data is encrypted and private by default. With Google, your data is Google’s by default. 

Google is still the dominant tech company, but its business model is on borrowed time, and they seem to know it. Just as oil companies burnish their eco-conscious initiatives while extracting carbon from the earth, Big Tech is offering morsels of privacy while extracting data from your every move.

In all likelihood, Google will settle this latest lawsuit. But you don’t have to settle for Google. Switch to privacy and build a better internet.
