The amount of people who apparently don’t get this is insane. Incognito mode is always, and has always been, about preventing your browser from saving history locally, so other users on your computer won’t see what you’ve done. There’s a reason they always use examples like going engagement ring shopping or planning a surprise party. Of all the underhanded things Google has done, this is not one of them. Chrome has always been very upfront that websites, ISPs, and network administrators can still gather information about your browsing.
Chrome has always been very upfront that websites, ISPs, and network administrators can still gather information about your browsing.
Notably absent from this list is Google itself. It has not been upfront about how the browser itself is collecting information from incognito browsing.
I’ve seen mixed reports about it, but the best I can find leads me to believe this is a slight misunderstanding, and that the browser itself doesn’t do tracking, but that Google does all of its normal tracking while Incognito, like cookies, browser fingerprinting, etc.
It was my understanding that the chrome browser “phones home” all the time, but maybe i was mistaken because I can’t find a reference. I did find this from wired:
Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active. ¹
So it looks like chrome was configured to pass along identifiable header information?
Agreed. I am as anti-Google as most users here, but I have no problem admitting that I don’t think I have ever seen a browser misrepresent what its private mode is doing. If a user misunderstands how it works, that is really just their own misinterpretation of the description on the label. That, or perhaps another mistaken user explained private mode to them, overselling its capabilities because they assumed it works that way.
Non-technical users are still likely to assume incognito mode gives them a greater degree of digital privacy from trackers purely from the fact that cookies aren’t kept between sessions. For that same reason, Google has made false overtures about protecting user privacy by potentially deprecating third-party cookies when there are many tracking methods less well-known than cookies.
Google has made false overtures about protecting user privacy by potentially deprecating third-party cookies when there are many tracking methods less well-known than cookies
That’s true, but Google has also been trying to introduce new non-tracking ways to have targeted advertising directed by your browser. The Topics API actually seemed like a really cool idea, but unfortunately it didn’t get the take-up from other browsers or from websites that it would have needed to actually replace third-party cookies. They weren’t “false overtures”, they were sincere, but relied on the broader ecosystem picking up non-tracking alternatives like Topic (or working constructively to develop even better systems). Since that failed, Google’s backed down and is allowing third-party cookies to remain indefinitely.
Wasn’t there some scandal in which Chrome was caught recording specifically the urls people visited with incognito mode though?
Maybe. I’ve seen reports each way, but the best I can tell is it’s misleading headlines and people subsequently spreading accidental misinformation based on that. For example, this article is quite reasonable and does not (in the body) say anything of the sort, but the headline makes it sound like what you said is confirmed correct.
More likely, Google, like other advertising/tracking companies, still tracks you using cookies, browser fingerprinting, etc., using scripts that run on the pages you load. And it does this whether or not you are Incognito.
I think I was mistaken about data harvesting specific to incognito mode, but the lawsuit mentioned does seem to make several allegations about Chrome itself directly spying on you, in addition to their other products used by websites spying on you:
Perhaps most troubling is Google’s ability to match its web tracking capabilities with its Android operating system data and various Google application data on mobile devices. In a 2018 white paper entitled “Google Data Collection,”3 Professor Douglas C. Schmidt of Vanderbilt University concluded that Google’s Android operating system, and several of Google’s mobile applications, are constantly sending system and location data to Google’s servers. Specifically, Professor Schmidt wrote:
Both Android and Chrome send data to Google even in the absence of any user interaction. Our experiments show that a dormant, stationary Android phone (with Chrome active in the background) communicated location information to Google 340 times during a 24-hour period, or at an average of 14 data communications per hour. In fact, location information constituted 35% of all the data samples sent to Google.
Indeed, media outlets such as The Register recently exposed Google’s practice of using a browser level unique persistent identifier (a “X-client-Data Header”) for individuals using Chrome, even when users clear their browser cache. Google reportedly sends this persistent identifier whenever the Chrome browser is viewing a page with Google Analytics or Ad Manager—presumably even when the user is in private mode.
Google is a nightmare!
Not just google, but all of big tech.
True indeed!
True
