> Wow the number of people on this thread claiming websites should be able to opt people out of logging based on whether they’re using a “private window” (which websites should have absolutely no idea about) makes me question if I’m even on Hacker News.
Especially since "Websites shouldn't be able to tell if you're in incognito mode" has been highlighted in the past as a privacy ask, yes.
People can at least agree "website shouldn't be able to tell if you're in incognito mode" and "website should not track you if you are in incognito mode" are two mutually exclusive features, right?
How about: "Websites shouldn't do digital fingerprinting to intentionally circumvent incognito mode." Does this make sense to you as a legal argument?
And yes, this does mean that if it comes to litigation, a lot of this will depend not just on what you did but why you did it.
If you write analytics, unaware of incognito mode, you're probably okay.
If you write that same exact code because your boss comes in and says "shad, we're losing A LOT of user data to users in incognito mode. Could you do some kind of digital fingerprinting so we can still track them?" then you might be criminally liable for digital trespass -- you've intentionally bypassed my security mechanism.
That's the kind of feel-good law that ends up very unenforceable because it ignores technical reality. Not a fan.
If the exact same action does the exact same harm and is legal or illegal based on intent, enforcing that law is going to enrich a lot of lawyers but isn't going to practically rope in many company's behaviors.
That's not a proposal for a law. I'm not arguing about how the law ought to work. For better or worse, that's a description of how the legal system in the US works RIGHT NOW.
And yes, it does enrich a lot of lawyers.
Look up the CFAA cases, for a great set of example of how these laws can explode in this exact domain -- people charged with digital trespass who bypassed no or minimal technical measures. And it doesn't feel good either in most of those cases.
To be frank, though, if this gets applied to Google, it will feel pretty good.
Correct; it does not. Which is why steps were taken to minimize remote servers' ability to use secondary signals (such as access to localstore APIs) to make an educated guess about whether the user was operating in incognito mode.
It's not me who doesn't know how it works; it's the people who think "New York Times shouldn't be able to whine at you if you're in incognito mode to go buy a subscription" and "servers should be required to modify how they handle your traffic if you're in incognito mode" are compatible protocol features.
Especially since "Websites shouldn't be able to tell if you're in incognito mode" has been highlighted in the past as a privacy ask, yes.
People can at least agree "website shouldn't be able to tell if you're in incognito mode" and "website should not track you if you are in incognito mode" are two mutually exclusive features, right?