Which there is a warning of every time you open an incognito window. It's not fine print either, it's one of about six bullet points. "Your activity might still be visible to ... Websites you visit." This one is going nowhere I suspect. Just because a lawsuit asks for big damages does not mean the plaintiffs are likely to prevail on their claims.
That's not quite how the law works. If I tell you to get off of my property, and you stand on my lawn, you're trespassing, even if I didn't put up a military-grade wall. Or if I have a basic chain link fence, and you climb over it, you're clearly trespassing in situations where without the fence, if you were to incidentally walk across my lawn, you'd be okay.
The point of digital trespass laws is very similar. Just because your technological measures are imperfect (as the bullets say) doesn't authorize you to circumvent them.
What's damaging in this case is that Google created the signalling mechanism, gave it to users, and then intentionally chose to circumvent it.
Courts are also not machines. A lot of this comes down to intent and reasonableness. If you're fingerprinting my browser when I'm in incognito, that feels like an intentional digital trespass which courts would probably recognize. If you're incidentally collecting my IP in your server logs, that feels okay. Programmers get caught up in this all the time -- they read laws and contracts like code (strict literal meaning). Lawyers read them looking at things like impact, intent, whether things are substantially similar, and so on.
> What's damaging in this case is that Google created the signalling mechanism, gave it to users, and then intentionally chose to circumvent it.
Absolutely not.
Incognito mode, as in every browser, means your history isn't recorded on your machine. And as GP said, Chrome even explicitly explains your ISP or websites may still track you.
And Chrome isn't doing anything to circumvent it.
Intent and reasonableness here are perfectly fine on Google's part. Incognito mode successfully prevents storing history on your machine. Analytics successfully track you. And nobody's being misled. Incognito mode has never been advertised or marketed as anti-tracking, because it's not supposed to be. It's just a convenience to clear cookies and history, nothing more.
If there is a law against Google collecting analytics data, then it's going to be illegal whether in incognito mode or not. That would be the situation with trespassing. There's a law against it.
But there is no such law against collecting browsing data. So there has to be some other legal theory under which Google would be liable. One example would be deceptive practices or fraud, where Google says one thing then does another. Unfortunately, we don't have the full text of the complaint yet as far as I can tell. But your "that's not how the law works" dismissal is actually going to be totally irrelevant to the complaint, because there's no legal comparison between trespassing and collecting browsing data.
With trespassing, if I cross your lawn, I'm probably okay. If I cross your lawn and there's a "no trespassing" sign or a fence, I'm probably not okay. It's vague.
There are equivalent laws for technology. For example, you have the confusingly vague CFAA. If I've indicated to you that I don't want you grabbing files from my computer, and you do, you've likely broken it. It's even called digital trespass. On the other hand, if you have a public FTP server up, I can grab files. If you have a public FTP server up, and you've told me I'm not permitted to access it in person, or in an automated banner, or in an automated banner which my browser never shows me, things get legally complex.
Pretending "private browsing" or "incognito mode" doesn't act like such a sign isn't very honest. Google disclaims this information might be visible to web sites, which is honest, but most indications are given that it's intended to help screen some of that. Intentionally working around incognito mode is almost certainly at least somewhat illegal.
While I share your skepticism of the suit, I think that that line may be seen as misleading. Google Analytics is NOT a website I visit, in general. Still, despite the Incognito mode, GA may well track me across the internet.
Personally, I always took Incognito/In-Private browsing to be just a "delete cookies and history on exit" mode. But the way it is presented may suggest to many people that it is significantly more than that, even with the disclaimers in Chrome. I would not hold my breath for a successful suit based on that, though.
Saying that "Google Analytics is NOT the website I visit" is the same as saying "React is NOT the UI I'm using" or "Stripe is NOT the store I'm buying from".
Modern day websites use readily available modules to build out functionality. Just because those modules were originally built by someone else doesn't mean that it's not part of the website you visit.
I am aware of this as a developer. But as a regular user, being told that visiting HackerNews in incognito mode won't prevent HackerNews from tracking me doesn't tell me that it won't prevent Google and Facebook and who knows how many others too.
Basically, this is one of the key ideas behind the GDPR: that I should have a legally-enforced expectation that when I'm agreeing to share my data with X, I'm not implicitly agreeing to also share it with Y and Z; and that it is X's responsibility to see to this.
So sure, X is free to use GA, but as a User I shouldn't have the expectation that Google knows I've visited X's site.
And comparing GA to React is really disingenuous, especially in this context. One is an active monitoring solution that hoovers up data and sends it to a 3rd party, the other is a static library that is entirely run in my own browser, or sometimes on the origin server as well.
> My argument was that drawing a distinction between a "site" and modules that are part of that "site" but are from other parties is dubious.
It is not only not dubious, it is in fact enshrined in law. I brought up the GDPR explicitly to highlight this. Specifically in the context of tracking and personal data, there is a distinction between the site I am visiting and the legal entity that is controlling it on one hand, and other entities that it contracts to achieve its purposes.
If your understanding of 'a website' includes all of the 3rd party trackers that it may be using, then the wording becomes obviously correct. I would venture though that this is not the common connotation of the phrase 'you may still be tracked by the website you are visiting', which I believe most people would take to mean more 'the origin server', i.e. 'I may still be tracked by the 1st party entity who owns the site I am directly visiting, but I will no longer be tracked by other parties'.
In fact, by your definition of 'the site I am visiting', incognito mode offers no more tracking protection than regular browsing, as I can never be tracked by anything but the site I am visiting, including Google Analytics, Facebook, and any other ad networks that they chose to use; I am never tracked by any site that I am not currently visiting, obviously.
Incognito Mode states plainly that it DOES NOT prevent the website you are visiting from tracking you.
Another commenter said that this wording implies that it DOES prevent Google Analytics, since it is not part of the site.
My argument was that drawing a distinction between a "site" and modules that are part of that "site" but are from other parties is dubious (also, likely impossible).
Google is not the website being visited, and if it's not a big deal, then why doesn't it say, "Google will still track you using third party analytics, font requests, ad pixels, single sign on, and recaptcha"?
I mean, if nobody really cares, why not be more direct about it?
While they do warn you, it is about time that they implement a real incognito mode, maybe using Tor by default... The current incognito only protects your privacy from other people that are using the same computer, which is not really that helpful since you could just create another user to achieve basically the same (if your disk is encrypted).
They should because it would be the right thing to do... and Firefox is more popular than the Tor browser, so it would help spread Tor adoption... a lot of people don't understand the benefits of hiding your IP... so they aren't going to download the Tor browser.
It is for me. Tor runs as a daemon, then I have my Firefox proxy settings to always hit Tor.
Onion addresses work, and Firefox refuses to connect if the Tor daemon isn't running.
Paired with Firefox actually honoring my requests to purge all information upon exit (instead of Chrome only "kind of" doing it), it certainly works out quite well for me.
It is based on Firefox but it is not Firefox... but anyways, unlike the Tor browser, maybe Firefox should not use Tor in regular mode (only in incognito).
Yes, it's quite interesting, and it borders on semantics. I.e. someone misunderstood privacy in this context as understood in general, that you keep things for yourself. But private/incognito browsing on Chrome means privacy from other people using your computer, not from the biggest user-tracking company.
Maybe instead of calling it "incognito mode", which is totally inadequate, they should call it "temporarily disable browsing history".
It looks like this is mainly about the fact that Google Analytics still works even if you are in Incognito mode.