by eloy 875 days ago
I really do not like Google as a company, but this is one of those cases where I agree with them. It was always clear that websites could track you in incognito mode. Somehow people thinking that Google is not a website that can do that does not make it Google's fault. You still have to accept Google's cookie banner when opening the site in incognito, giving another indication they track you.
9 comments

My understanding is that Google is tracking you across your browser sessions, even when you switch to incognito.

That’s problematic because Google (and others with such broad internet scope) tracks you regardless of whether you are interacting with Google services or not.

I don't believe this is true. In incognito mode you don't have the same gaia or dblck cookie ids. Your traffic is logged in incognito mode by Google but as a different user under a different identifier.

Now certain websites could use tracking methodologies based on ip address and device signatures to identify you as the same user and set a cookie identifying you as the same user for purposes like remarketing, but Google itself doesn't join this data from their own logs.

This announcement is just clarifying that Google does log data in incognito mode as do other websites. It doesn't say that Google joins your incognito session data with your non-incognito session data.

> don't have the same gaia or dblck cookie ids

Google is incentivized to do “privacy theatre” and make sure your incognito session doesn’t show up as related to you even if the back-end systems have a clear association.

I don’t know the facts of Google’s systems either way, but I do know that absence of a visible join is not conclusive evidence that there is none.

I do know facts about their internal system. Internally, strict separation is taken very seriously and the logs are keyed by cookies with separate access and physical logs for different cookie spaces and no joining is done based on ip addresses and device signatures in these logs.

It would take a determined and malicious employee to subvert these controls and possibly require multiple employees to get by code reviews to do such.

That said, I can appreciate the skepticism an outsider might have about such claims.

But, I also disagree that Google is incentivized to do "privacy theater" as you call it. For one, many already assume the worst of Google and also such theater could open them up to major lawsuits.

One could make the case that a company like Apple has invested a lot more effort in "privacy theater".

Their probabilistic systems appear to use the ip address for anonymous targeting. For example, when you watch YouTube videos using normal browsing mode on one device, it is quite obvious that they influence the Google Ads on other devices in the same household.

That doesn't mean cookies or logs are joined, and the targeting is always anonymous, so it is less precise than when using the cookie ids.

Fear Uncertainty and Doubt springs eternal. People are desperate to believe in inherent badness and abuse.
Here are the facts https://support.google.com/chrome/answer/7440301 Yes they still record your activity under some faceless uuid when you browse incognito. No they don't tie it with your gmail unless you login to gmail. Yes, it doesn't matter, since lawyers and government can access everything Google has, and put the pieces together. Policy will likely change in the future to make your full history of both gmail and anonymous browsing activity freely available to the public too.
> Policy will likely change in the future to make your full history of both gmail and anonymous browsing activity freely available to the public too.

Eh? There is no chance of this. What leads you to this conclusion?

Of course it's going to happen. Read The New Digital Age by Eric Schmidt. He talks a lot about how all the information Google records about you is permanent, can never be deleted, and any generation of lawmakers can decide to do whatever they want with it. Upcoming generations are going to want as much data as possible to train AIs, especially as the GPUs needed to do that become more affordable. You know how historians are always talking about what famous dead people wrote in their diaries and personal letters? Don't think for a moment that future generations won't do this to you.
Yup. Absence of evidence is not evidence of absence.
Lol?

Google receives a ton of requests from IP 30.40.50.60 with cookies associated with fromMars@gmail.com.

Suddenly, there are a bunch of requests from:

- the same IP

- the same browser

- the same resolution

- the same OS

- the same WebSocket IP

- the same DNS servers used for resolving

- the same Adobe Fla^W^W well, not that, but I wouldn't be surprised if you still have it for whatever reason - it would be noted too

the same fingerprinting bits used by the most pervasive tracking company in the world

The most pervasive Internet tracking company in the world: hmm, that's totes not fromMars@gmail.com!

Your understanding is wrong. This is just an updated disclaimer that clarifies how it has always worked. Website owners have always had tricks to track you across sessions but Google is not granting itself any special privileges making this easier.
> My understanding is that Google is tracking you across your browser sessions, even when you switch to incognito.

Source? Also, can you clarify what exactly is meant by "tracking"? I would expect them to "track" me via anonymous cookies, but wouldn't expect them to tie my browsing history to my chrome login.

Yeah just watch your network traffic, browser open, no tabs open on google, amazon, facebook, no search bars set to google... tons of traffic to all 3.
Also, different incognito sessions will be logged as different users since all the cookies are deleted when you close all your incognito browsers.

So the TLDR is that yes, data is being logged for an incognito session by Google, but that data isn't tied together by Google across incognito sessions or incognito and non-incognito sessions.

Are you relatively tech savvy though? This was also obvious to me but I develop web apps for a living. It may likely not have been very obvious to others.
Tech unsavvy users probably don't know what that tracking thing is, that's if they are aware of its existence. In fact, even people who are familiar with computers often get it wrong.

Incognito mode always had a rather clear explanation of what it is about. It is somewhat complicated to those who are completely new to it, so I guess it can be misinterpreted, but I see nothing misleading in the explanation. Also, Chrome is not the only browser with that kind of feature and they all essentially work and are presented the same way.

That some browsers tie it to some kind of tracker blocker actually makes things even more confusing because on one hand you have "private/incognito/whatever" tell you that websites can still track you (because it is not what it is designed to do), and then, just below, you have a tracker blocker. So what is really blocked?

> It was always clear that websites could track you in incognito mode.

Why call it incognito mode, if not to imply you couldn't be tracked? It's absolutely not unreasonable for the average Chrome user to draw this conclusion.

Um isn't it completely obvious that this is about local history?

Let's say that you are using the internet to "buy your wife some jewellery". You want to be sure that she won't see your search history for "jewellery" or visiting "jewellery" websites.

It is perfect for that. Anyone who thought this somehow made them anonymous on the internet is probably the sort of person who thinks that wearing dark glasses or growing a beard is going to let them hide from the police too.

I don't think the average user understands that but for us more tech driven folks we've known this for ages and probably take it further with VPNs and not using Chrome at all for any serious privacy searching where we want to avoid cookies saving, advertiser fingerprinting, DNS and ISP tracking, etc.
If you can sign in across sites in incognito, there's clearly some tracking going on.
I reckon that the average Incognito user is not even aware of "tracking" in the cookie/advertising way, and it's not why they use the mode. It's merely to not leave traces of their browsing history on their computer, which they may share with others.

To tech-savvy users it was always clear that sites would still be able to track you, whether or not you clear your local history and cookies. Cookies are just one, quite outdated at this point, way of tracking.

Because it made it harder for your family to track what you were doing with the browser on the one desktop computer the whole family shared.

Then usage patterns drifted but the term didn't change.

It’s still unclear whether google is trying to associate the activity in incognito mode with the activity in the logged in account, this ambiguity makes me distrust them as a company
I think the only reasonable thing to do in the face of this ambiguity is to assume the worst. Google have lawyers smart enough to write clear explanations of functionality if that would be to their benefit.
The vast majority of users would have taken Google’s incognito mode at their word.

The kinds of geeks that use HN wouldn’t have been so naive.

It’s really quite a shocking lie they were selling to the uninformed, it morally reeks, even for Google’s standards.

When/where has it been marketed as anything but a "hide history from local users" feature?

All I've seen is the marketing for "buying gifts for your spouse in secret"-feature.

You are saying they have marketed it as a total privacy feature, like the VPN companies do?

I think wording like "browse the web privately", the disguise icon, and the name of "incognito" can very easily suggest that the purpose is hiding your identity from websites.
Reminds me of Tesla full self driving. It’s not really fully autonomous but we will call it that anyway.
I’d go further - people would think it meant that not even Google would be recording their browsing.
Even the “buying gifts for your spouse in secret” case is thwarted, you may end up seeing retargeting ads or YT suggestions for the products you were looking at, in your main account.
What techies really don't seem to get is that this has nothing to do with whether Google can track you in incognito mode due to the technical details, along with every other website. Rather the problem is that Google (the company) is offering a product that is marketed based on protecting your privacy, but then Google (the same company) is continuing to track you despite use of that product! Firefox "private window" suffers from similar technical vulnerabilities (cf the additional lengths Tor Browser goes). But failing to be perfect and/or perfectly inform their users of the vulnerabilities doesn't create the same type of liability for Firefox, because there isn't another division of Firefox actively working to track users despite their use of private window!
I've never seen a cookie banner from Google in incognito, do they only do that for the EU?
I'm from Germany and see it every time in incognito
A definition of the word "Incognito" is: to avoid being recognized, by changing your name or appearance. So, the name of the mode itself implies you are not being tracked. Yes, those who understand technology recognize this, however those who are not in the know would likely assume it means something different than what it actually is. This is at minimum disingenuous, and at maximum fraudulent.
No. Your second sentence is not in the slightest implied by your first. Try again.
"It was always clear that websites [including Google] could track you in Incognito mode."

These users thought differently.

https://ia801705.us.archive.org/7/items/gov.uscourts.cand.36...

Google was being sued over this surreptitious data collection while in so-called "Incognito Mode". When it tried to have the case dismissed, it failed. (Judge Koh) Then it moved for summary judgment. That failed, too. (Judge Gonzalez-Rogers, who some may recognise from the Epic v Apple case). So just as we were getting ready to let a jury decide whether Google is at fault, Google pays off the plaintiffs' counsel. Why are these so-called "tech" companies willing to pay anyone and everyone to prevent precedent from being created? Surely the precedent would work to protect them in the future, right? These meritless lawsuits over privacy would be nipped in the bud.

But Google will almost invariably stop these cases from going to trial by paying out settlements. Will we ever see Google go to trial for alleged wiretapping? No. But that's not because the cases get dismissed or because Google wins on summary judgment. Quite the opposite.

There were seven counts in this case. Google's request for summary judgment was denied on every single one. Even the usual defence of no injury-in-fact, e.g., no user lost money as a result of the surveillance, failed. "Tech" workers want to keep on pretending that every other person using a computer is an easily manipulated, ignorant fool. Good luck.

https://ia601705.us.archive.org/7/items/gov.uscourts.cand.36...

Here is what the court said about consent.

"The analysis starts with the Privacy Policy wherein Google advises at the outset and in bold, larger print:

When you use our services, you're trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control. (12/15/22 Google Privacy Policy.)

Immediately after, Google advises:

This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.

...

We build a range of services that help millions of people daily to explore and interact with the world in new ways. Our services include:

- Google apps, sites, and devices, like Search, YouTube, and Google Home

- Platforms like the Chrome browser and Android operating system

- Products that are integrated into third-party apps and sites, like ads and embedded Google Maps

(Id.)

Notably, Incognito mode is not mentioned in this list of services. (Id.) Rather, Google shifts and in the next paragraph advises users: You can use our services in a variety of ways to manage your privacy. . . You can also choose to browse the web in a private mode, like Chrome Incognito mode. And across our services, you can adjust your privacy settings to control what we collect and how your information is used. (Id.) That is the only mention made of the privacy mode. The Privacy Policy is silent as to any data collection specific to private browsing mode. The Court rejects Google's argument that the Privacy Policy unambiguously discloses the at-issue data collection. The silence noted above combined with Google's surrounding statements regarding what it means to browse privately, means that a material dispute of fact remains regarding the scope of users' consent. For instance, the way Google presents Incognito mode could be read to contradict its suggested interpretation of the Privacy Policy. When users first open Chrome, they are greeted by a bright, white screen and the colorful Google logo. When users navigate to Incognito mode, the screen goes from white to black, all text is rendered in gray, and users are met with a spy guy icon. (PAF 9.) They are told they have now gone Incognito, which, Google explains on the next line, means that they can browse privately, and other people who use this device won't see your activity. (PAF 30.) Plaintiffs have evidence to show that, internally, Google understood that the framing of the feature as Incognito (or, for other browsers, Private) made users overestimate privacy mode protections, including that Incognito hides browsing activity from Google. (Dkt. No. 924-36, Ex. 80; Dkt. No. 924-48, Ex. 44.)

Google's arguments otherwise do not change the result. Its reliance on this Court's finding in Calhoun is misplaced. That case did not involve Incognito mode. See Calhoun, 2022 WL 18107184, at *10. The reasoning therefore does not extend here. Next, Google argues that to obtain consent effectively, companies should not have to enumerate every mode, setting, or circumstance impacting - or not impacting - that data collection. See Smith v. Facebook, Inc., 745 Fed. App'x 8, 9 (9th Cir. Dec. 6, 2018) (holding that Facebook's tracking of publicly available health data fell within the scope of users' general consent to its data tracking and collection practices). It is true that such enumeration is not always necessary. The fundamental issue, however, returns to actual consent. Google chose both to use a general disclosure and yet promote the privacy afforded by Incognito over regular mode. Having made that distinction, Google itself created a situation where there is a dispute as to whether users' consent of Google's data collection generally is substantially the same as their consent to the collection of their private browsing data in particular. See Restatement (Second) of Torts 892A (1979) 2(b), 4.

For those reasons, the Court DENIES Google's motion for summary judgment on the grounds of express consent."