
Chrome’s Incognito Mode Isn’t as Private as You Think — but Google’s Not Sorry – Source: securityboulevard.com


Source: securityboulevard.com – Author: Richi Jennings

Image: David Boies, founding partner and chairman of Boies Schiller Flexner, LLP

Class action attorney David Boies asked for $5,000 per user, but got nothing—except some assurances Google will delete data it no longer needs.

Google has agreed to purge some tracking information older than nine months, in case it was collected in Chrome’s “Incognito mode.” La GOOG is doing this to head off a class action lawsuit from people who believed Incognito was a majick talisman that made websites forget what you told them.

The deal has stopped the court from awarding damages—for now. In today’s SB Blogwatch, we wonder if Google’s opened the floodgates for more.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Robot swannees.

Short Term Gain for Long Term Pain?

What’s the craic? Erin Mulvaney and Miles Kruppa report: “Google Pledges to Destroy Browsing Data to Settle ‘Incognito’ Lawsuit:”

Honesty and accountability

Google plans to destroy a trove of data that reflects millions of users’ web-browsing histories, part of a settlement of a lawsuit that … accused Google of misleading users about how Chrome tracked the activity of anyone who used the private “Incognito” browsing option. … Google has agreed to destroy billions of data points that the lawsuit alleges it improperly collected.



The agreement doesn’t include damages for individual users. But the settlement will allow individuals to file claims. … Attorney David Boies, who represents the consumers in the lawsuit, said, … “This settlement is an historic step in requiring honesty and accountability from dominant technology companies.”

Horse’s mouth? David Boies and the other attorneys for the plaintiffs: “Plaintiffs’ Unopposed Motion for Final Approval of Class Action Settlement:”

[T]he Court’s rulings and Plaintiffs’ efforts to obtain them paved the way for Google to agree to settlement terms that are both sweeping and unprecedented. … The result is that Google will collect less data from users’ private browsing sessions, and that Google will make less money … losing nearly $500 million a year in global annual revenue.



Google must rewrite its disclosures to tell users that it collects private browsing data. … For every data source … that could include private browsing data pre-dating the disclosure changes, Google must delete or remediate all … data older than nine months … that might contain … private browsing data. … Google must delete all four of the identified private browsing detection bits … that Google was sanctioned for concealing during discovery (twice).

What’s next? And what’s Google’s side of the story? Natalie Sherman: “Google to delete records:”

Old technical data

The deal will now go to the court for approval. … Google is supporting the deal, though it disputes the claims. It has already made changes in response. … The data deletion will also apply outside of the United States.



“We are pleased to settle this lawsuit, which we always believed was meritless,” Google spokesman Jorge Castaneda said. … “We are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.”

What did Google actually say about Incognito mode? This: “Incognito keeps your browsing private:” [Emphasis mine.]

None of your browsing history, cookies and site data, or information entered in forms are saved on your device. This means … people who also use your device won’t see your activity. Websites see you as a new user and won’t know who you are, as long as you don’t sign in. [And] you can choose to block third-party cookies. … Chrome doesn’t tell websites, including Google, when you’re … in Incognito mode.



Incognito mode doesn’t … prevent you from telling a website who you are. If you sign in to any website in Incognito mode, that site will know that you’re the one browsing and can keep track of your activities. … It does not affect how Google collects data when you use other products and services, as described in the Privacy Policy.

Can you explain it like I’m five? nox101 does:

They were recording data from every user in any browser that accessed google.com and their other sites. That behavior is normal for the majority of sites on the internet. … Google is going to stop collecting data from all browsers/machines that connect to their websites and only collect data from browsers/machines that are logged in to a Google account.

Normal behavior? Yes, thinks MechR:

This all comes from a fundamental misunderstanding of what Incognito is for, despite the prominent explainer Chrome … puts on the new tab page. It’s made to avoid leaving tracks on your local computer, not to avoid leaving tracks on the Internet. The settlement is Google going, “Okay fine, we’ll expand the mission since you’re about to whack us on that basis anyway.”



It looks like the biggest gotcha was that the X-client-data header … revealed if the browser was in incognito mode, which made it technically possible for Google to distinguish such sessions, and for the court to say “delete all your old logs of incognito sessions.” … Ironically, the x-client-header is not sent in incognito mode. That’s the tell: a blank header instead of an id. No good deed goes unpunished.

Wait. Pause. But “Chrome doesn’t tell websites, including Google, when you’re … in Incognito mode,” said Google. That’s a head scratcher for rezonant:

It’s supposed to be impossible for a web server to know you are using Incognito, by design—for hopefully obvious reasons. So, by extension, it’s also impossible for websites to “respect” that you are in incognito and delete your server side session data afterwards.

So people were just being naive in thinking they weren’t being tracked? Yes, thinks swillden:

This is the heart of the complaint: … People assumed (even though Chrome told them otherwise) that they weren’t tracked in incognito mode, but in fact servers—including Google Analytics—were still tracking them. No cookies or other information from the non-incognito browser windows are sent, but it’s not hard to correlate.



A better outcome is what Google is already working on: Changing the online advertising business so it doesn’t rely on databases of user data. This is the “privacy sandbox” stuff. … If Google were shut out of it, the online data collection business … would almost certainly end up being dominated by companies that are less careful with user data than Google is. [Or] if even broader regulation managed to actually shut down the collection-based business, … many of the services we have now would no longer be available.

Or is Google taking us for fools? DS999 seems to reckon so:

So after they’ve used the data profitably, and it is becoming more outdated every day and thus much less valuable, they will delete it?

Meanwhile, what can we conclude from all this? rendaw compares and contrasts:

Incognito mode isn’t incognito,

Autopilot doesn’t automatically pilot,

Unlimited internet isn’t unlimited,

Buy a movie and you don’t own it.

But you’re the idiot if you expected words to have meaning.

And Finally:

If you have dogs in earshot, they might not like this



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: BSF LLP


Original Post URL: https://securityboulevard.com/2024/04/chrome-incognito-brown-v-google-richixbw/

Category & Tags: API Security,Application Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Industry Spotlight,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Zero-Trust,adtech,Advertising,Advertising and AdTech,adverts,breach of privacy,browser,browser abuse,Chrome,cookie,Cookie Consent,cookieconsent,cookies,customer privacy,FLEDGE,FLoC,GOOG,google,Google Ad,Google AdSense,Google advertising,Google Chrome,Google Chrome Security,Incognito,Incognito Mode,Link History,Privacy,Privacy Sandbox,SB Blogwatch,Topics,tracking cookies,web cookie
