What you need to know about privacy and Google’s Incognito mode

16 Jun 2020

Image: © prima91/Stock.adobe.com

As Google faces a major class action suit, AdGuard’s Andrey Meshkov delves into what we know about data privacy and Incognito mode.

In California, a new and unprecedented class action suit against Google has been filed. The claimants are demanding $5bn from the internet behemoth, with the accusation that the corporation continues to collect personal data even when Chrome users browse the web in Incognito mode.

Whatever the court’s decision turns out to be, the process can be very useful in terms of raising awareness. Most importantly, it might make large corporations finally start paying serious attention to the issue of privacy, specifically why Incognito mode in Google Chrome doesn’t make you anonymous and how web analytics services such as Google Analytics continue to process personal data.

Incognito and tracking

You can learn a lot about a user from the Google Chrome browser history. In normal mode, Google Chrome collects data about your online activity non-stop. When you use a regular tab, all the information about the websites you visit and the web pages you open is added to your user profile.

Dozens of gigabytes of your personal data, including every image you see, are stored on Google’s servers and can be provided to you on request. If desired, the entire archive can be downloaded using the Google Takeout function.

A screenshot of Google data and how you can download the files.

Example of data export. Image: AdGuard

You can set privacy controls in your Google account, including specifying what information will be stored and collected. There, it says you can use private browsing, or Incognito mode, if you don’t want Google Chrome to remember your activity. But what does that mean?

When you open a Chrome tab in Incognito mode, you might have the reasonable expectation that you’re disabling tracking, but Incognito mode doesn’t guarantee full protection from tracking. For example, using the method of browser fingerprinting, you may still be identified.

If you open an Incognito tab, you will be informed about the restrictions immediately and quite clearly. For example, your activity will still be visible to the websites you visit, your internet service provider or your employer. If you are logged into your Google account, your identity may also still be visible.

According to a 2016 MIT Technology Review article, Google Analytics is used by approximately 70pc of websites around the world, and technical data, in one form or another, manages to make it to Google or to third parties.

Users of Google Ad Manager also receive this information in some form. In Incognito mode, personal data continues to flow to Google Analytics, but Google doesn’t link it to your user profile if you haven’t logged in.

The claimants in the $5bn lawsuit allege that Google is thereby misleading users, since personal data is still being collected in Incognito mode. Google has denied the claims in the lawsuit, saying Incognito gives users a choice to browse the internet without activity being saved to the device but clearly states that websites might be able to collect information about that activity.

The problem is that we know that user data continues to get to Google servers, but we don’t know what happens to it after it goes in Google’s ‘black box’. A lot depends on how this personal data is further processed.

Everyone knows that advertisers want to get their hands on as much user data as possible and Google is making it easier than ever before. For example, Authorized Buyers (formerly DoubleClick Ad Exchange) is part of the real-time bidding (RTB) technology of digital display advertising.

Purchasing display advertising via RTB includes processing of user data, which may fall under the GDPR definition of personal data. This definition includes ‘online identifiers’ and therefore covers website users who can be identified by a cost request sent by the webpage to ad vendors.

A report from the UK Information Commissioner’s Office about adtech says that the nature of RTB processing makes it impossible to meet the criteria laid out by GDPR. Using the information received from users, automated systems calculate how much money to pay for an ad space. Simultaneously, they may collect and retain information from Google Analytics and track users indirectly.

That means your personal data isn’t just going to Google’s servers, it’s also becoming available to third parties.

Tracking and cookies

In terms of tracking, Google Chrome is lagging behind the rest of the popular browsers. The company did announce that it will eliminate third-party cookies in the Chrome browser by 2022, albeit after Firefox had already done so.

Many experts say that Firefox has the most private incognito tab. When you open the private browsing tab in Firefox, you stop sharing data with Google. Firefox also enables enhanced tracking protection, which can block most of the popular web analytics systems. That is, it creates additional obstacles for tracking, unless you log into a Google account using Firefox.

Microsoft Edge also has a sufficiently advanced tracking protection mode, which is enabled by default. Safari’s intelligent tracking prevention system is always enabled, regardless of the tab you open it in and what you do in the browser.

So, what does all this mean?

We don’t know a lot about how data is processed inside Google, but we do know that some activity data is still available to Google and third parties even in Incognito mode. But how exactly does Google use the data it receives from Google Analytics? What kind of personal data is transmitted and to which third parties?

Google claims to use differential privacy when collecting data. However, your whole browsing history is linked to your profile, which you can see by using Google Takeout, and this could include very sensitive information.

This class action lawsuit against Google could turn into a high-profile case. If it has enough impact, we may have a chance to get some answers. Google may have to reveal how it processes all its user data. And a very serious precedent may be set, which will elevate the discussion around privacy.

By Andrey Meshkov

Andrey Meshkov is a co-founder and CTO of AdGuard ad blocker and has worked in IT for more than 15 years.