Google execs knew 'Incognito mode' failed to protect privacy, suit claims

A lawsuit alleging Google misled users to believe their privacy was protected in "Incognito mode" says internal corporate emails prove executives knew it did anything but. The suit seeks at least $5 billion from Google.

Google Chrome icon

A federal judge in California is considering motions to dismiss a lawsuit against Google that alleges the company misled them into believing their privacy was being protected while using Incognito mode in the Chrome browser.

The lawsuit, filed in the Northern District Court of California by five users more than two years ago, is now awaiting a recent motion by those plaintiffs for two class-action certifications.

The first would cover all Chrome users with a Google account who accessed a non-Google website containing Google tracking or advertising code and who were in “Incognito mode”; the second covers all Safari, Edge, and Internet Explorer users with a Google account who accessed a non-Google website containing Google tracking or advertising code while in “private browsing mode.” 

According to court documents first uncovered by Bloomberg, Google employees joked about the browser’s Incognito mode and how it didn't really provide privacy; they also criticized the company for not doing more to provide users with the privacy they thought they had.

Another hearing occurred on October 11, which could have major consequences for the lawsuit. The plaintiffs’ motion for class certification was argued and they’re currently awaiting a decision, according to Boies Schiller Flexner LLP, the law firm representing plaintiffs in the class-action suit.

US District Judge Yvonne Gonzalez Rogers will decide whether tens of millions of Incognito users can be grouped together to pursue statutory damages of $100 to $1,000 per violation, which could put the settlement north of $5 billion.

The definition of the word “incognito” is to disguise or conceal one’s identity. 

Privacy settings in web browsers are intended remove local traces of what websites a user visits, what they search for, and information they’ve filled out in online forms. In simple terms, privacy modes like Incognito are expected to not track and save data about online  searches and websites users visit.

Google also faces lawsuits related to user privacy from the Department of Justice and attorneys general in several states, including Texas, Washington, DC, and Washington state. Earlier this month, Google settled a lawsuit filed by Arizona's AG for $85 million.

From a trust perspective, offerings like Incognito mode place users into a false sense of security as it's assumed that Incognito, and private browsing generally, will protect them from the collection of their data, according to Grace Trinidad, research director in IDC's Security & Trust research practice.

"These private browsing modes protect your browser history from snooping family or household members, but not from the ultimate collection of where you’ve clicked, what you’ve liked, where you’ve purchased – especially if users log into streaming, financial, or any personally identifying account," Trinidad said.

Originally filed in June 2020, the class-action lawsuit seeks at least $5 billion, accusing the Alphabet unit of surreptitiously collecting information about what people view online and where they browse, despite using Incognito mode. Lawyers for the plaintiffs say they have a large number of internal Google emails proving executives knew for years “Incognito mode” doesn’t do what it claims.

When a user chooses to use Incognito mode, Google’s web browser is supposed to automatically delete browsing history and cookies at the end of a session.

The plaintiffs, who are Google account holders, alleged the search engine collected their data and distributed and sold it for targeted advertising through a real-time bidding (RTB) system.

The plaintiffs allege that even in Incognito mode, Google can see what websites Chrome users visit and collect data “through means that include Google Analytics, Google ‘fingerprinting’ techniques, concurrent Google applications and processes on a consumer’s device,” as well as Google’s AdManager.

Ad Manager is a Google service allowing businesses to deliver and report on a company’s web, mobile, and video advertising.

According to the lawsuit, more than 70% of all online websites “use one or more of these Google services.” Specifically, Plaintiffs allege that, whenever a user in private browsing mode visits a website that is running Google Analytics or Google Ad Manager, Google’s software scripts on the website "surreptitiously direct the user’s browser to send a secret, separate message to Google’s servers in California.”

Google learns exactly what content the user’s browsing software was asking the website to display, and it also transmits a header containing the URL information of what the user has been viewing and requesting online. The device IP address, geolocation data and user ID are all tracked and recorded by Google, the lawsuit alleges.  

“Once collected, this mountain of data is analyzed to build digital dossiers on millions of consumers, in some cases identifying us by name, gender, age as well as the medical conditions and political issues we have researched online,” the suit argues.

In March 2021, a California judge denied 82 motions by Google’s lawyers to dismiss the lawsuit and ruled against the company, allowing the lawsuit to go forward.

In July, Google was ordered to pay nearly $1 million in legal fees and costs as a penalty for not disclosing evidence in a timely manner with regard to the lawsuit.

Google did not respond to a request for comment.

A Google spokesman told the Washington Post this week it has been upfront with users about what its Incognito mode offers for privacy and the plaintiffs in the case “have purposely mischaracterized our statements.”

Jack Gold, principal analyst at J. Gold Associates, said Google makes the majority of its revenue tracking everyone and selling ad space. “If they really create a fully private browsing experience, then the revenue stream goes away,” he said. “So, I suspect there is a ‘balancing act’ going on internally as to where the borders are around privacy vs. tracking. No company builds a free browser without being able to generate revenues somehow.”

The plaintiffs in the case said they chose the "private browsing mode" to prevent others from learning what they’re viewing “on the Internet.”

For example, users often enable private browsing mode in order to visit especially sensitive websites that may reveal things such as a user’s dating history, sexual interests and/or orientation, political or religious views, travel plans, or private plans for the future (e.g., purchasing of an engagement ring).

To engender or maintain trust, the limitations of privacy modes should be announced at the outset of the browsing experience, according to IDC's Trinidad.

"Some browsers are increasingly pointing out this fact once an Incognito or private browser tab is opened, but the practice is not universal," she said.

While not yet labeled an interface design “dark pattern”, improvements to the design and communication of similar private modes would help users better understand and navigate the choices made available to them.

In the meantime, the bottom line when it comes to using Google Chrome and other browsers, "let the user beware,” Gold said.

“You have to trust the maker to take care of your privacy, but it’s not always in their best interest to do so," he said.

Copyright © 2022 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon