| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by antonyl 298 days ago

Curious to get HN's take on this. I was pretty surprised at Google a few days ago. A family member had recently passed away, and so I Googled ("funeral homes <location>") in incognito on Google Chrome (I suppose it felt a bit sensitive and I didn't want my Google account associated with it). A few minutes later I opened up Google Maps on my phone (different device, but logged into my Google account) and there were a few ads for funeral homes (they looked like squares and were highlighted).

Obviously, this is technically feasible: I was on my home internet (both computer & phone), and presumably there are <5 accounts that share this IP address. So when I search, they ~know who I am, and so therefore could serve me ads when I'm logged in. But I was still surprised that Google would do it — I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting. (Since, well... it is quite trust destructive.)

Does anybody know if Google is doing this intentionally? It seems like this is pretty value destructive for them long-term? Or... am I just being paranoid and this is just a frequency illusion?

14 comments

antonyl 298 days ago

Actually — while I'm here: does anybody have recommendations for per-app or per-site VPNs, especially on iOS? That's basically what I would want here: a different IP address when I open an incognito window, or for each app on my phone (e.g. Brave should have a different IP address than Gmail). I ask because while system-wide VPNs help somewhat... if I ever open anything identifying, I can effectively be fingerprinted anyways.

For example, if I start a Mullvad VPN, and open up an incognito window, but am still signed into Google (on my non-incognito window), Google now knows who I am (in both windows). Then if I browse a website that has GA (within incognito), theoretically Google could figure out who I am. This would be avoided if I shared nothing (not IP address, not browser fingerprinting) between my two windows. Is there any way to do that at scale besides just... closing everything before I go into incognito?

mapt 298 days ago

It has been obvious that we were supposed to be sandboxing these browser sessions in the OS and sandboxing these Google Accounts in basic internet opsec. Being able to create and discard these identities at will is the only sensible, resilient way to function.

Google has actively fought against this, and many people haven't noticed. Things like requiring 2FA for new Google account activation are ridiculously destructive to the ability to maintain any privacy or security. My workplace started demanding 2FA phone/email activation and their response to "So give us a workplace email account then, I'm not using my personal phone" was literally "Just go create a free GMail", which isn't a thing any more without a personal phone.

And it goes beyond new accounts.

I have a 2006-vintage, realname, first.last@gmail.com forwarding account for formal uses that I can't access any more DESPITE HAVING THE PASSWORD AND CONTROL OF THE RECOVERY EMAIL because I refused to hook up 2FA, and moved from the old PC to the new PC which Google doesn't recognize session cookies on. Give Google the keys to the castle or fuck you, we're walling up the doors.

These are dark patterns that, if Google is going to fight us on, demand regulation. Consistent access to specific email & phone numbers were never supposed to be this important to a functioning life, and not supposed to provide a shady for-profit private entity with a permanent panopticon dossier on your activities either. We would flip the table and replace governments if they tried to do this to us. We have, in some cases.

Burn it all down and create some kind of nonprofit NGO to run email or to run the Google Empire, which needs to be simultaneously secure and feasibly pseudonymous in order for people to continue having the basic human rights they enjoyed in the 2010's and 2000's when Google was still in the "Be Less Evil" phase.

delta_p_delta_x 298 days ago

> a different IP address when I open an incognito window, or for each app on my phone (e.g. Brave should have a different IP address than Gmail)

Isn't this essentially Tor? Per-connection almost-random IP addresses.

radicaldreamer 298 days ago

iCloud Private Relay does this for private windows in the latest iOS versions (18 and up)

https://support.apple.com/en-us/102602

rogerkirkness 298 days ago

Highly recommend iCloud Private Relay plus Safari. Sites often think I'm in New England, or Montreal, or a bunch of places I'm not, seemingly at random.

ankit219 298 days ago

From Incognito window's note > Others who use this device won’t see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks and reading list items will be saved

Incognito does not hide your activity from Google. Especially when you googled in incognito and they likely use IP addresses as part of their targeting. I am also assuming it's different for different kinds of ads given you wont see ads if you look at something personal. They infact allow IP address targeting somehow. [1] Their privacy stance is more about 3rd party not having access to the data google has collected.

[1]: https://www.shopifreaks.com/google-to-allow-the-use-of-ip-ad...

dekhn 298 days ago

My assumption (I no longer work at Google, and I didn't have anything to do with this part of the infra) is that Google uses IP addresses for ad targeting (and other targeting). In fact I think they announced this recently, but I believe they were doing it before. It is also possible it was coincidence in your case, but I doubt it.

thfuran 298 days ago

I would be surprised if they weren’t. Incognito mode is for cleaning up cookies and browser history, not actual privacy.

user3939382 298 days ago

Google fully understands that users are reaching for incognito because they want their session to be 100% ephemeral they just don't care because they're paid to not care. Technical distinction between local and remote data is unrelated, Google could offer privacy if they wanted to.

Almondsetat 298 days ago

Google has specifically created an entire page telling users exactly what to expect from incognito browsing: it's the first page that opens when you go incognito mode, every time

Lammy 298 days ago

Relevant Scott McCloud Chrome comic: https://www.google.com/googlebooks/chrome/big_22.html (2008)

Jensson 298 days ago

Do you think browsers should send to the server that it is in incognito mode? Because that is what you are asking for, that would just reduce privacy not increase it.

Dylan16807 298 days ago

That's not the only way it could be done.

But sure, sending that extra tidbit of information specifically to servers that they can verify won't track you would be a good tradeoff.

Even worse is that they probably do try to detect if you're in an incognito session, but only for their benefit.

Edit: Here's an easy thing they could do. Even if we accept or pretend to desire cross-browser correlation at all, new-seeming browser profiles could have their information siloed for a few days and if they disappear in that time it all gets treated as an incognito session.

Lammy 298 days ago

https://www.skeletonclaw.com/image/710734055173472257

foresto 298 days ago

> Curious to get HN's take on this.

I don't think there is consensus on HN regarding privacy issues.

I'm with the author. I view Google as a mass surveillance operation that has grown so large and invasive that I no longer want anything to do with them. I avoid their services as much as I can, and try to minimize and isolate cases where I can't.

ipython 298 days ago

It used to be worse. I operate a vpn for my extended family, some of whom are deployed overseas at any time.

They would google for things and suddenly my ads would show nightclubs near them (thousands of miles from me) and google’s default language would even change to the country they currently reside in. Just because the outgoing ip is shared across both users.

It’s actually gotten “better” but one could argue maybe they’re able to perform more precise targeting instead of throwing away signal.

ajross 298 days ago

> I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting

How would that work without unmasking the use of incognito mode? All the backend[1] knows is that it got a request for a search. There's (by design!) no way to know that that came from an incognito window in a browser that is otherwise logged in to a Google account.

[1] I know I know, this is a(nother) anti-Google rant. But Facebook and Microsoft and TikTok and everyone else does this too. If you flag your interest in $THING on the internet to $SITE, then $SITE will try to show ads for $THING to your roomates, kids, grandparents, etc...

Eji1700 298 days ago

While it very much could be a frequency illusion, i also think it's naive to assume this is remotely value destructive for them in the longer term. The number of people who will notice or care is obscenely small in comparison to their larger population.

Personally I wouldn't put it past them to absolutely do it on purpose/by design.

tobias3 298 days ago

Had the same thing happen to me and I am wondering how this can be legal (here in Europe). It is basically indirectly leaking search information to other users of the IP. I can think of not so bad information where it e.g. shows engagement ring ads. But I can also think of quite bad scenarios.

jeffbee 298 days ago

You search for xyz and that goes into some online system with associated features like ip subnet or whatever. Then you load gmaps from the same subnet. It's not about "knowing who I am" it is just a distance metric in a hyperparameter space.

antonyl 298 days ago

Hmm. Good point; agreed it's likely just getting ingested by online system. I guess I would've thought that Google would drop non-logged-in requests from going into their online system, or that at least they would do so for incognito requests from their own browser. Haha. How naive I am!

jeffbee 298 days ago

Incognito, as is explained thoroughly on the new tab page, exists to stop the browser from leaving data on your computer.

AstroBen 298 days ago

> it is quite trust destructive

the common narrative is that they're gathering as much ad-targeting data as possible. No-one seems to care. What do they have to lose?

zenmac 298 days ago

I also heard many similar stories. Seems like we may all need to run Tor Browser now!

colordrops 298 days ago

I have a separate phone with location off and always on mullvad VPN, and separate accounts for everything, and I still see ads on my main phone for things I search for or interact with on my VPN phone. It's infuriating.

lurking_swe 298 days ago

your phone knows which Wi-Fi networks are nearby. This alone can be used, in theory, to uniquely identify your location.

something to think about…

antonyl 298 days ago

How would this happen? Are you sure it's not just the frequency illusion? DNS? (Although that I think would only give you domains.)

baby_souffle 298 days ago

Proximity to other rf emitting devices? I always assumed this is how those "I googled x and discussed it with a friend over dinner and now my friend sees adverts for X" type things work.

colordrops 297 days ago

It's not frequency illusion, it happens daily with very specific things, like obscure climbing gear for instance.

NewsaHackO 298 days ago

For some reason, this reads like a elaborately fake post to indirectly bring up search interest groups (google's ridiculous alternative to third party cookies).