Frankly, I'm not sure about the current state of things, seeing as it likely has changed several times in the past few years. However, a) I'm not sure why Goog would want to bother with browser accounts otherwise, and b) my use of Chrome ceased soonish after I had the following experience in the early 2010s:
- set up a new empty site, listed absolutely nowhere, on quite dedicated hosting.
- open it in Chrome.
- a couple minutes later, observe Googlebot appearing in the visitor logs of the site.
Lastly, if you go to the ‘My activity’ settings on Google, you can see: “Include Chrome history and activity from sites, apps, and devices that use Google services”, which I guess can still be dissected further. And I have some website visits from 2016 listed there: including Wikipedia, which doesn't seem to use Google Analytics currently (not sure about 2016)—though these could be visits through Google search.
Also, text in the linked tweet directly says that Google tracks users on third-party sites through Chrome.
It is far more likely that Google found the new site from telemetry from Chrome than it is that a random bot owned by Google scanned the site within seconds.
Google also runs their own public DNS servers which afaik Chrome defaults to. They can just sit server side waiting for DNS lookups of domains they've never seen before and queue them up for the Google bot. No browser telemetry needed.
> Google also runs their own public DNS servers which afaik Chrome defaults to.
The statement that Chrome does not honour the networking stack's DNS settings does not agree with my observational data. I run pi-hole DNS and Chrome absolutely fails to load domains blacklisted there.
Because they see their solution as more secure. Intranet sites still work because Chrome only prefers their DNS first, it will still use your system settings if it doesn't work.
Seems testable by setting up randomized subdomains hosting http and visiting with different browsers. Also, make sure you aren't using Google's DNS services to resolve or managing your domain's DNS through their registrar.
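A sketch of the log-analysis side of the test proposed in the comment above, added here as an example and not posted by anyone in the thread. It assumes a hypothetical zone `probe.example`, an access log with the virtual host prepended to Combined Log Format, and hypothetical helper names; the log lines are constructed sample data, not a measurement.

```python
import re
import secrets
from datetime import datetime

# Assumed log layout: "<vhost> " followed by Combined Log Format.
LINE = re.compile(
    r'(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User-agent match only; a UA is spoofable, so confirm real hits with a
# reverse-then-forward DNS check of the client IP (omitted to stay offline).
CRAWLER = re.compile(r"Googlebot", re.I)

def new_probe_hosts(browsers, zone="probe.example"):
    """One unguessable subdomain per browser, so a crawler hit names the leak path."""
    return {f"{secrets.token_hex(8)}.{zone}": b for b in browsers}

def crawler_followups(log_lines, probes):
    """Map each browser to seconds from its first visit to the first crawler hit (or None)."""
    first_visit, result = {}, {b: None for b in probes.values()}
    for line in log_lines:
        m = LINE.match(line)
        if not m or m["host"] not in probes:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        browser = probes[m["host"]]
        if CRAWLER.search(m["ua"]):
            if m["host"] in first_visit and result[browser] is None:
                result[browser] = (ts - first_visit[m["host"]]).total_seconds()
        else:
            first_visit.setdefault(m["host"], ts)
    return result

# Constructed sample data (hostnames, IPs and timings are made up).
SAMPLE_PROBES = {
    "a1b2c3d4e5f60718.probe.example": "chrome",
    "0f1e2d3c4b5a6978.probe.example": "firefox",
}
SAMPLE_LOG = [
    'a1b2c3d4e5f60718.probe.example 198.51.100.7 - - [01/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"',
    '0f1e2d3c4b5a6978.probe.example 198.51.100.7 - - [01/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Firefox/123.0"',
    'a1b2c3d4e5f60718.probe.example 192.0.2.44 - - [01/Mar/2024:10:02:30 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    print(crawler_followups(SAMPLE_LOG, SAMPLE_PROBES))
```

Serving the probe hosts over plain HTTP, as the comment suggests, keeps the names out of certificate logs, and resolving them through a non-Google resolver removes DNS as an alternative explanation for a crawler hit.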
Yes, whois is public but not all TLDs publish a list of all domains, and those lists are usually updated only once per day. On the other hand it is very possible that they used the TLS transparency logs from the CA.
Yes, and claims still require evidence. I'm quite anti-Google but I'm not going to just start believing in random theorizing of evil things they could conceivably be doing without evidence.
tl;dr If logged in to Chrome, your Google Account can be used as an "identity signal" in place of a first-party cookie. This allows cross-domain and cross-device tracking.
Or they only let you turn off tracking for google products, because those track you internally anyway and it makes no difference, while there's no way to turn off 3rd party tracking...
Last time I checked, they also removed the "identity consistency between browser and cookie jar" flag that controlled automatically signing into Chrome if you signed into a Google service like YouTube. It is no longer possible to turn it off.
Yes, they probably also have an AI collecting what makes your activity a unique profile even if you are not logged in. Thanks to Google Search, Maps, Analytics, Android, DNS, AMP, Google Fonts and the like, you almost always load something from a Google server if you browse the web.