Google Settles Lawsuit Over Tracking 'Incognito Mode' Chrome Users

We Keep you Connected

Google Settles Lawsuit Over Tracking 'Incognito Mode' Chrome Users

Google tracked privacy-conscious Internet users, and now it’s paying for it.
January 2, 2024
Google is settling a class-action lawsuit over how it tracks data from individuals using browsers in "private" or "incognito" mode.
The plaintiffs in Brown et al v. Google LLC alleged that Google violated US federal laws regarding wiretapping and invasion of privacy, by continuing to track, collect, and identify browsing data from users of "Incognito Mode" in Google Chrome, and other private browsing modes in other browsers. They initially sought at least $5,000 for every individual infringed upon in the four years prior, a number which could, in theory, tally up in the end to many billions.
On Dec. 28, the two parties reached an agreement to settle. The exact terms of the settlement are not yet public, so it remains to be seen how much Google will suffer for its transgressions, and how exactly Chrome might change as a result.
"Google is in an interesting position, maintaining a popular web browser that offers a privacy mode and at the time being highly motivated to serve relevant ads to users," says Robert Duncan, VP of Strategy at Netcraft. "A settlement in this case merely highlights this challenging position."
Google declined a request to comment on this story.
The plaintiffs did not mince words in their original complaint, filed over two and a half years ago.
"Google's practices infringe upon users' privacy; intentionally deceive consumers; give Google and its employees power to learn intimate details about individuals' lives, interests, and Internet usage; and make Google 'one stop shopping' for any government, private, or criminal actor who wants to undermine individuals' privacy, security, or freedom," the attorneys wrote. "Google has made itself an unaccountable trove of information so detailed and expansive that George Orwell could never have dreamed it."
In this particular case, the concern was with private browsing, and the promises made to users who wished to browse in peace and quiet. "Google promises consumers that they can 'browse the Web privately' and stay in 'control of what information [users] share with Google.' To prevent information from being shared with Google, Google recommends that its consumers need only launch a browser such as Google Chrome, Safari, Microsoft Edge, or Firefox in 'private browsing mode.' Both statements are untrue."
The company, meanwhile, attempted to get the case dismissed, on the grounds that it never actually lied about what its own browser's Incognito Mode offers. "As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session," a Google spokesperson reminded The New York Times back in 2020.
In denying that motion, Judge Yvonne Gonzalez Rogers of the US District Court for the Northern District of California wrote how "Google's motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode. Because Google never explicitly told users that it does so, the Court cannot find as a matter of law that users explicitly consented to the at-issue data collection."
Private modes in most popular, user-friendly browsers today are not the one-stop solution for online privacy that some assume they are.
"Even when perfectly implemented, it is still possible for ISPs, corporate networks, and other network services to track usage. This also applies to websites visited: while browsers may indicate to websites visited in private browsing to not track using the Do-Not-Track HTTP header or through other means, this is very much a request and can be ignored by websites and other online services," Duncan explains.
Still, some do it better than others. Claude Mandy, chief evangelist of data security at Symmetry Systems, points to the Electronic Frontier Foundation's Cover Your Tracks project, which anyone can use to see what their browsers collect about them. "Their research indicates that while Firefox provides some protections against trackers when using their Private Browsing setting, it does not provide the level of protection that Tor Browser or Brave Browser can provide through anonymizing or randomizing the fingerprint that the browser provides."
Whether lawsuits like Brown v Google LLC will bring mainstream browsers any closer to that higher standard remains to be seen.
"The threat of lawsuits and further large settlements like this will force incremental changes to the transparency and optionality provided to consumers to avoid further settlements when using incognito modes," Mandy says. "This is a welcomed change but ultimately they provide limited incentive to reduce tracking for advertising purposes."
Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
You May Also Like
2024 API Security Trends & Predictions
What’s In Your Cloud?
Everything You Need to Know About DNS Attacks
Tips for Managing Cloud Security in a Hybrid Environment
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Passwords Are Passe: Next Gen Authentication Addresses Today’s Threats
The State of Supply Chain Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Threat Terrain of the Modern Factory: Survey of Programmable Assets and Robot Software
Pixelle’s OT Security Triumph with Security Inspection
IT Zero Trust vs. OT Zero Trust: It’s all about Availability
2023 Snyk AI-Generated Code Security Report
Understanding AI Models to Future-Proof Your AppSec Program
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.