
Why do you think Google Search still knows who you are when you search in Incognito mode? (Or, in Firefox, if you open a private browsing window.) How would it know?

There are advertising companies that use fingerprinting for ad targeting, but Google doesn't.

(Disclosure: I work at Google on ads, speaking only for myself)



How does it know to offer (in incognito mode) a list of your accounts you might want to re-login to? (Not always, but often enough to raise an eyebrow.)

Seems like a pretty good reason to think it still knows who you are.

As to how that works, you tell us.


Chrome is linked to your google accounts and saves your account auth tokens. When you use incognito, it doesn't immediately send that info. However, it does offer to sign you in. This is different from remembering login/passwords.


Are you talking about the browser's autocomplete? That's not something servers can detect unless you interact with it. Or do you mean something else?


No. On login Google shows you your email address so you can click on it and only fill the password. Which means it knows you were logged in on that browser previously.


That shouldn't be possible in private browsing, unless you've previously logged into Google in that same private session.

One way you could see something similar to this would be if you opened a clean session, logged into Google, logged out of Google, thought you closed the last incognito window but didn't, and then opened a new incognito window? Then the user cookie would still be in client-side storage


It knows that one from cookies, not applicable to incognito mode. Google probably does some other fingerprinting as well though.


Are you using random Mac addresses?


The MAC address is not sent to the server, or accessible to web pages client-side, so that wouldn't matter.


I realize that the last time I looked at this was in the context of wireless devices on a private subnet - which is why I thought it might be relevant. However I am curious, why is it, then, that Windows 10 has gone for randomisation?


It is if you're using Chrome or got any Google related properties installed on your PC.


I don't think this happens. How do you think it's being transferred? A header sent only on requests to Google properties? A special JS API in Chrome that only Google knows to call?


In theory. But it's not impossible for a nefarious browser to send it along as an HTTP header. Or a nefarious AP:

https://news.ycombinator.com/item?id=21463266


Your link describes the Milan airport captive portal putting the MAC in the URL (don't do this). The referrer is automatically attached to any requests the page makes. This is a comically broken configuration, not something at all common.
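The leak described in the comment above, shown from the defender's side as an added example that is not part of the thread: a check over request logs for MAC-shaped values that reach another origin through the Referer header, plus a simplified model of how three Referrer-Policy values change what is sent. The hosts, the `mac` parameter name and the log records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Six hex octets joined by one consistent separator (':' or '-').
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])"
)

def macs_in_url(url):
    """Return MAC-shaped values found in the path or query of a URL."""
    parts = urlsplit(url)
    fields = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query)]
    return [m.group(0).lower() for f in fields for m in MAC_RE.finditer(f)]

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referer_sent(page_url, target_url, policy):
    """Simplified model of three Referrer-Policy values (fragments ignored)."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return page_url
    if policy == "strict-origin-when-cross-origin":
        if origin(page_url) == origin(target_url):
            return page_url
        if page_url.startswith("https:") and target_url.startswith("http:"):
            return None  # nothing is sent on an HTTPS -> HTTP downgrade
        return origin(page_url) + "/"
    raise ValueError(f"policy not modelled: {policy}")

def third_party_mac_leaks(records):
    """Flag requests whose Referer carries a MAC to a different origin."""
    hits = []
    for rec in records:
        ref = rec.get("referer")
        if ref and origin(ref) != origin(rec["url"]):
            hits += [(rec["url"], mac) for mac in macs_in_url(ref)]
    return hits

# Constructed sample data; hosts and the 'mac' parameter name are invented.
PORTAL = "http://portal.example.org/login?mac=AA%3ABB%3ACC%3ADD%3AEE%3AFF&ap=7"
RECORDS = [
    {"url": "https://cdn.example.net/lib.js", "referer": PORTAL},
    {"url": "http://portal.example.org/style.css", "referer": PORTAL},
    {"url": "https://cdn.example.net/x.png", "referer": "https://shop.example.com/item?id=42"},
]
```

Only the first record is flagged: the second stays on the portal's own origin and the third carries no MAC. Under `strict-origin-when-cross-origin` the same page would send just `http://portal.example.org/` to the third party, so the identifier never leaves.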


Was this proof that google ads uses fingerprinting?

https://meta.stackexchange.com/questions/331960/why-is-stack...


Reading the link, it sounds like that's (a) fraud detection and not targeting and (b) a third party, IAS, that the advertiser is including in their ads


google records: ip address, browser fingerprinting.

Try visiting from tor


For spam / bot / fraud detection, yes. For ad targeting, no.


Source?

It’s in their best interests to also use it for ad targeting (in a plausibly deniable way so they don’t get in trouble).

We’ve seen them using dark patterns to coerce users into opting into more data collection, and another advertising company got caught using phone numbers for ad purposes even if they originally promised to only use them for 2FA, so why should we trust them this time?


Source: I work on ads at Google, and if we were doing this I'm pretty sure I'd know.

If it was being used for targeting it would be practical to run an external study demonstrating that.


[flagged]


Please don't bring up old arguments in order to harangue a fellow user, no matter how wrong they were or you feel they were. That kind of thing quickly gets bitter and nasty. We want good conversation here. That requires a collegial spirit and the ability to let some things go.

Also, people are more knowledgeable about the field in which they work, so it makes HN strictly worse if the environment becomes so poisoned that they're disincentivized to participate.

https://news.ycombinator.com/newsguidelines.html


> You have defended Google in the past only to fall silent when presented with the actual study contradicting you.

That's not how I see that conversation:

* reaperducer was asking why it was useful for the browser to show that the page was one that usually loaded quickly/slowly

* As someone who had worked on an effort to speed up the web I replied with why I thought it was useful

* jfoster gave a good response describing why it might not have the effect I expected, since if users know a site is usually slow that may make them more patient

* I replied that this was still good, because users were in a position to make a better decision about whether to continue waiting for the site to load.

* You responded with something completely unrelated to what we were talking about.

* I tried to be helpful anyway, even though your comment wasn't something I knew much about.

* You continued in a direction that I don't know much about (how to communicate things like whether location tracking is on) and linked to a study which I didn't have time to read.

* This wasn't a discussion I was interested in, so I didn't respond. I don't see how the study you linked contradicted anything I was saying.


> I don't see how the study you linked contradicted anything I was saying.

Jeff, you defended Google once saying that their decisions are motivated by wanting to help users make informed choices. The study was just to show that they have a track record of doing the exact opposite. Your characterization of Google was misinformed at least on that occasion. I made an educated guess that if you were willing to defend one stance that was proven wrong (that Google has any vested interest in helping users make informed choices) then it's possible you may make the same mistake again.

But dang is right, in the spirit of collegiality I should have found a better way to point out this mistake or even not do it at all.


Apologies but I can’t really trust someone who works at a company whose best interests are to violate people’s privacy, confirmed by all the dark patterns (both on the web and in Android) and their lack of GDPR compliance.

I would be very curious as to how you’d prove this is or isn’t happening with a reasonable degree of accuracy considering all the factors involved in ad targeting. Unless you’re willing to give us access to all your source code and SSH access to the systems running it, it’s reasonable people have their doubts.


> considering all the factors involved in ad targeting

An external study to evaluate whether Google is using fingerprinting would be some work, but pretty doable. Targeted advertising is generally very blunt: if someone thinks you're especially interested in a valuable category they'll often pay a lot to advertise to you. So you could set something up where test browsers visit pages related to high-value categories (mattresses, asbestos cancer, credit cards, ...), clear client-side data, and then visit a site that loads ad scripts only from Google (to make sure you're not getting someone else's fingerprinting) and see whether the ads differ from a control group that never visited those pages.


You can claim Google and its employees are liars only to strengthen your own belief, but that only deteriorates the signal-to-noise ratio of this discussion.

And surprisingly for most HN readers, Google has been pretty transparent on the policy of its ads business. In fact, Google has pretty strong incentives for transparency in this area due to advertisers, who give all the money anyway.


How is this information logged/preserved, and for how long? Just because it isn’t being used for ads doesn’t mean a person is comfortable filling up a database with their activity.

IMO, ads are probably the least worrisome way the data could be used. A boring but scary example is that aol search history leak (which is still searchable today):

https://searchids.com/

This person is identified by name for example: https://searchids.com/user/19431784-joann_whitman


So you're confirming that Google tracks you without using fingerprinting methods? That's not really surprising considering how much data they have on people.

It's also a good example of their monopoly position; Android, Chrome, Chrome OS, advertising and analytics code on almost every website, ownership of multiple of the most popular websites and services on the internet puts them in a unique position that no one could ever hope to compete with realistically. Competitors have to rely on imperfect fingerprinting whereas Google can probably detect you with more accuracy than a DNA test.


> So you're confirming that Google tracks you without using fingerprinting methods?

That's literally the opposite of what s/he just said. The person you're responding to asked "How would it know?", implying that they (while being on the Google ads team) think there is no way to know without fingerprinting (or cookies from non-incognito mode).


Right: fingerprinting is the general term for using something other than client-side storage (cookies, local storage) to determine identity. Incognito mode and other private sessions intentionally don't preserve client-side storage.


If I may ask you a personal question: how do you feel about working on ads for Google, given that a lot of people find Google's tracking practices (to make personalized ads possible) questionable at best? Did you specifically choose that team, or was that just where Google needed more hands?

Personally, Google ads give me mixed feelings. I see how personalization is useful for everyone involved and, so long as only machines look at my data, I don't have any personal issues with it. But at the same time, Google collects everything on everyone worldwide to the point where I feel like the USA would have an easy time conquering any country they please (if a nation already has live data on pretty much all its enemy's subjects, war would be exceedingly efficient for them to start and quickly win), so that kind of threatens our freedom if you see what I mean; and secondly the data is not necessarily 100% secure, so in the event of a breach it might be seen by humans, specifically people that I would not want to know what I searched for (or pages I visited that have Analytics or an embedded YouTube video or ads or a map on their contact page or ...). So it's a mixed bag of feelings and your position (job) seems like the kind that would make one think about before accepting. I'm curious to hear your thoughts on it.


> how do you feel about working on ads for Google

I've written some about this: https://www.jefftk.com/p/value-of-working-in-ads

"Many people would put ad tracking on this list of downsides: sites pass information to data brokers that build custom profiles for each user and allow personalizing ads. From my perspective, however, while having this information collected seems a bit creepy, it allows showing ads I'm more likely to be interested in. This makes publishers more money than showing untargeted ads, and I'd much rather fund them through better ad targeting (invisibly intrusive) than through more obnoxious ads (visibly intrusive)."

I chose this team because I thought the work would be interesting and I liked the people on it, and they were interested in me because of my prior work on mod_pagespeed rewriting websites so they would load faster.

> if a nation already has live data on pretty much all its enemy's subjects, war would be exceedingly efficient for them to start and quickly win

Lots of thoughts:

* I think you're dramatically overestimating how much data Google has and how well that is mapped to the kind of identity the military would care about.

* I don't think Google would share this information unless legally required to, and I don't think such a request would be constitutional.

* Many other countries are in similar positions; for example Criteo is based in France and has a similar ad tracking reach to Google.

* I'm still not sure how this is especially useful militarily. Military targets are mostly not in the data one of these companies would have, and none of these countries would go to war targeting civilians.


Thanks for the response.

> I chose this team because I thought the work would be interesting and I liked the people on it

That is fair! I guess most people would make that decision if you already know people there and you think you'll enjoy the work as well.

> none of these countries would go to war targeting civilians

Not as if people in the army are somehow exempt from tracking though?

As for whether Google would share it in the first place: I don't think the government cares much what Google thinks if they're willing to kill (us) over something. Laws can be made by the same people that decide on this. I don't mean to pose it as a simple matter, but I'm pretty sure that's how it works in principle.

Now that I think of it: aren't "national security letters" exactly this? "It has something to do with the safety of the country, just give us that data [e.g. Lavabit private key]"?

Of course, the chance is remote in the first place. Much more likely, if it is ever used for this kind of purpose in the first place, it'll just be posturing and threats, and people will protect themselves better before it ever gets to armed conflict. Just imagine, though, if you're not in the USA, China, or Russia, and one of the three (the most democratic one of the three, it is fair to add) has the rest of the world's data. That's kind of uncomfortable when I pause to consider it.

> how well that is mapped to the kind of identity the military would care about.

While not readily available, I expect that it's not hard to find a few datapoints to filter them out. Following someone for 10 minutes as they go through traffic and matching the coordinates against location history data is probably enough to find a subset of 1-5 possible accounts. But I doubt physical following is even necessary to find enough datapoints to find them in the data.


There are other ways to fingerprint users, though if Google is using them they’re certainly not making it obvious by allowing users in incognito mode the ability to sign in to their associated account.


"fingerprinting" is a catch-all term, so I'm not sure what you're saying with "there are other ways to fingerprint users".


I’m using it as “(ab)using metadata to associate activity with users in a nonobvious or undesirable way”.


The phrasing in his comment was vague. The first part "Why do you think Google Search still knows" can be read like a rhetorical question, especially when combined with the outrageousness of the alternative (that Google isn't tracking you)

And if he really is saying that Google doesn't track you in incognito mode, then I'm going to go ahead and assume he's either lying, or he's not in a position to know about that system. This is Google we're talking about here.

https://www.theguardian.com/technology/2017/nov/22/google-tr...


You're morphing their plain English into a different meaning and seem completely convinced that you're right. I'm not sure there is a point talking if you are already convinced to an extreme extent.

For the record, I'm not saying that I expect Google not to track me when they detect some privacy mode. It'll sure try to set cookies, and it may use my IP address and connect whatever that IP accesses as a weak indicator of interest for anyone else with that IP address (for a limited amount of time, since IPs change in many countries). What I don't think is that, when they say they don't do fingerprinting, they're lying. This person may not be privileged to know and say "I don't know", but that's different from saying "Google doesn't".

Also for the record, I didn't downvote you (and when you reply to me, I can't; I don't have an alt account with 1k rep or whatever it is one needs to downvote).



